I think this is a good idea, but it is just one of a number of things that I think there should be effort to concentrate on. I'm also part of the NISO privacy group, and I wrote up a post that is my current thinking about the work of the group. One of the times in that post is a "recognition that protecting privacy is an incremental practice" (http://dltj.org/article/views-of-niso-patron-privacy-working-group/#critical-privacy-controls). Modeled on the SANS "Critical Security Controls", I think we should provide guidance to libraries on what the critical privacy controls are. I haven't detailed a list of these yet -- not wanting to get too far in front of the group consensus -- but it would include things like making sure all web sites are protected by SSL. Other things that I think should be included:
* Audit of circulation and interlibrary loan records -- know when there is a record that links a patron to an item, who can see that record, and when/how the record is discarded
* Review, at a protocol level, the components that make up web pages, both first-party (the library's own) and third-party (service providers)
* Inventory physical security measures, including video and audio recordings, for storage, access, and disposal policies
We could probably come up with a dozen such controls, write best-practices papers on each, and make them available to the community to use.
> On Jun 13, 2015, at 12:26 PM, Eric Hellman <[log in to unmask]> wrote:
> Jeremy's response made me think.
> What do people think about formulating a "Library Digital Privacy Pledge" that libraries, publishers and vendors could sign onto?
> Or perhaps a set of pledges. I'd start with moving services to SSL.
> Library Services and Resources should be delivered, whenever practical, over channels that are immune to eavesdropping.
> Current Best Practice:
> Require HTTPS (SSL) for all services and resources delvivered via the web.
> Pledge (for Libraries):
> 1. All web services that we control will require SSL by the end of 2015.
> 2. All web services that we pay for will require SSL by the end of 2016.
> Pledge (for Publishers and Vendors):
> 1. All web services that we control will enable SSL by the end of 2015.
> 2. All web services that we offer will require SSL by the end of 2016.
> I pick HTTPS to focus on first because it's relatively easy to specify/ understand. You could do something similar with meta referrer, but it's a bit more arcane.
> There's a NISO group (I'm on the steering committee) looking at developing principles for library privacy that might be an appropriate forum to support this.
>> On Jun 11, 2015, at 11:55 PM, Frumkin, Jeremy A - (frumkinj) <[log in to unmask]> wrote:
>> Eric -
>> Many thanks for raising awareness of this. It does feel like encouraging good practice re: referrer meta tag would be a good thing, but I would not know where to start to make something like this required practice. Did you have some thoughts on that?
>> — jaf
>> Jeremy Frumkin
>> Associate Dean / Chief Technology Strategist
>> University of Arizona Libraries
>> +1 520.626.7296
>> [log in to unmask]
>> "A person who never made a mistake never tried anything new." - Albert Einstein