I think this is a good idea, but it is just one of a number of things that I think there should be effort to concentrate on. I'm also part of the NISO privacy group, and I wrote up a post that is my current thinking about the work of the group. One of the items in that post is a "recognition that protecting privacy is an incremental practice" (http://dltj.org/article/views-of-niso-patron-privacy-working-group/#critical-privacy-controls). Modeled on the SANS "Critical Security Controls", I think we should provide guidance to libraries on what the critical privacy controls are. I haven't detailed a list of these yet -- not wanting to get too far in front of the group consensus -- but it would include things like making sure all web sites are protected by SSL. Other things that I think should be included:

* Audit of circulation and interlibrary loan records -- know when there is a record that links a patron to an item, who can see that record, and when/how the record is discarded

* Review, at a protocol level, the components that make up web pages, both first-party (the library's own) and third-party (service providers)

* Inventory physical security measures, including video and audio recordings, for storage, access, and disposal policies

We could probably come up with a dozen such controls, write best-practices papers on each, and make them available to the community to use.


Peter

> On Jun 13, 2015, at 12:26 PM, Eric Hellman <[log in to unmask]> wrote:
> 
> Jeremy's response made me think.
> 
> What do people think about formulating a "Library Digital Privacy Pledge" that libraries, publishers and vendors could sign onto?
> 
> Or perhaps a set of pledges. I'd start with moving services to SSL.
> 
> Principle:
> Library Services and Resources should be delivered, whenever practical, over channels that are immune to eavesdropping.
> 
> Current Best Practice:
> Require HTTPS (SSL) for all services and resources delivered via the web.
> 
> Pledge (for Libraries):
> 1. All web services that we control will require SSL by the end of 2015.
> 2. All web services that we pay for will require SSL by the end of 2016.
> 
> Pledge (for Publishers and Vendors):
> 1. All web services that we control will enable SSL by the end of 2015.
> 2. All web services that we offer will require SSL by the end of 2016.
> 
> I pick HTTPS to focus on first because it's relatively easy to specify/understand. You could do something similar with meta referrer, but it's a bit more arcane.
> 
> There's a NISO group (I'm on the steering committee) looking at developing principles for library privacy that might be an appropriate forum to support this.
> 
> Eric
> 
>> On Jun 11, 2015, at 11:55 PM, Frumkin, Jeremy A - (frumkinj) <[log in to unmask]> wrote:
>> 
>> Eric - 
>> 
>> Many thanks for raising awareness of this. It does feel like encouraging good practice re: referrer meta tag would be a good thing, but I would not know where to start to make something like this required practice. Did you have some thoughts on that?
>> 
>> — jaf
>> 
>> -----------------------------------------------------------
>> Jeremy Frumkin
>> Associate Dean / Chief Technology Strategist
>> University of Arizona Libraries
>> 
>> +1 520.626.7296
>> [log in to unmask]
>> ——————————————————————————————
>> "A person who never made a mistake never tried anything new." - Albert Einstein
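One way to put Peter's "review, at a protocol level, the components that make up web pages" control and Eric's two checks (everything delivered over HTTPS, a referrer meta tag present) into practice for a single page. This is an added example, not code from the thread, NISO or any library; the HTML and the hostnames in it are constructed for illustration.

```python
"""Audit one library web page for first-/third-party components, non-HTTPS loads
and the referrer meta tag. Added example; sample page and hostnames are constructed."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample page, as if served from a hypothetical library at library.example.edu.
SAMPLE_HTML = """
<html><head>
<meta name="referrer" content="origin-when-cross-origin">
<link rel="stylesheet" href="/static/site.css">
<script src="http://cdn.vendor-example.com/widget.js"></script>
</head><body>
<img src="https://covers.vendor-example.com/isbn/123.jpg">
<iframe src="http://chat.vendor-example.com/embed"></iframe>
</body></html>
"""


class ComponentAuditor(HTMLParser):
    """Collects every resource the page pulls in, plus the referrer meta tag if any."""
    RESOURCE_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlparse(page_url).hostname
        self.resources = []        # (absolute_url, is_third_party, uses_https)
        self.referrer_policy = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "meta" and (attrs.get("name") or "").lower() == "referrer":
            self.referrer_policy = attrs.get("content")
        if tag == "link" and attrs.get("rel") != "stylesheet":
            return                 # only stylesheets are fetched as page components here
        attr = self.RESOURCE_ATTRS.get(tag)
        if attr and attrs.get(attr):
            url = urljoin(self.page_url, attrs[attr])   # resolve relative first-party paths
            parsed = urlparse(url)
            self.resources.append((url, parsed.hostname != self.page_host, parsed.scheme == "https"))


def audit_page(html, page_url):
    """Return the findings an inventory of this page's components would record."""
    auditor = ComponentAuditor(page_url)
    auditor.feed(html)
    return {
        "referrer_policy": auditor.referrer_policy,
        "third_party_hosts": sorted({urlparse(u).hostname for u, third, _ in auditor.resources if third}),
        "insecure_resources": [u for u, _, https in auditor.resources if not https],
    }


if __name__ == "__main__":
    for key, value in audit_page(SAMPLE_HTML, "https://library.example.edu/catalog").items():
        print(f"{key}: {value}")
```

Run against real pages (fetch the HTML first), the `third_party_hosts` list is the vendor inventory the second pledge would cover, and `insecure_resources` is what has to be fixed before a site can be said to require SSL.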