edit or comment on the draft at https://docs.google.com/document/d/1LpV52oSefKhaKSGFcTPONKvXzZUxHbKaW8e6CHHREXk

The Library Digital Privacy Pledge of 2015

We are inviting the library community (libraries, vendors that serve libraries, and organizations) to sign a "Library Digital Privacy Pledge".

For this first pledge, we're focusing on the use of HTTPS (SSL) to deliver library services and the information resources offered by libraries. Building a culture of Library Digital Privacy will not end with this pledge, but committing to this first modest step together will begin a process that won't turn back.

We focus on HTTPS as a first step because of its timeliness. At the end of July the Let's Encrypt initiative of the Electronic Frontier Foundation will launch a new certificate infrastructure that will remove much of the cost and difficulty involved in implementation of HTTPS, with general availability scheduled for September. Due to a heightened concern about digital surveillance, many prominent internet companies, such as Google, Twitter, and Facebook, have moved their services to HTTPS. The White House has issued a directive that all government websites must move their services to HTTPS by the end of 2016. We believe that libraries must also make this change, lest they be viewed as technology and privacy laggards, and dishonor their proud history of protecting reader privacy.

The 3rd article of the American Library Association Code of Ethics sets a broad objective:
We protect each library user's right to privacy and confidentiality with respect to information sought or received and resources consulted, borrowed, acquired or transmitted.

It's not always clear how to interpret this broad mandate, especially when everything is done on the internet. However, one principle of implementation should be clear and uncontroversial:

Library services and resources should be delivered, whenever practical, over channels that are immune to eavesdropping.

The current best practice dictated by this principle is as follows:

Libraries and vendors that serve libraries and library patrons should require HTTPS (SSL) for all services and resources delivered via the web.

The Pledge for Libraries:
1. All web services and resources that we directly control will require SSL by the end of 2015.
2. Starting in 2016, we will not sign or renew any contracts for web services or information resources that do not commit to require SSL by the end of 2016.

The Pledge for Publishers and Vendors:
1. All web services that we control will enable SSL by the end of 2015.
2. All web services that we offer will require SSL by the end of 2016.

The Pledge for Organizations:
1. All web services that we directly control will enable SSL by the end of 2015.
2. We encourage our members to support and sign the appropriate version of the pledge.

Schedule:
This document will be open for discussion and modification until finalized by July 27, 2015. The finalized pledge will be published on the website of the Library Freedom Project. We expect a number of discussions to take place at the Annual Conference of the American Library Association and associated meetings.
The Library Freedom Project will broadly solicit signatures from libraries, vendors and publishers.
In September, in coordination with the Let's Encrypt project, the list of charter signatories will be announced and broadly publicized to popular media.

FAQ

Q: Why the focus on HTTPS?
A: We think this issue should not be controversial and is relatively easy to explain.

Q. How can my library/organization/company add our names to the list of signatories?
A. Email us at [pledge]@libraryfreedomproject.org. Please give us contact info so we can verify your participation.

Q. Is this the same as HTTPS Everywhere?
A. No, that's a browser plug-in which enforces use of HTTPS.

Q. My Library won't be able to meet the implementation deadline. Can we add our name to the list once we've completed implementation?
A. Yes.

Q. A local school uses an internet filter that blocks HTTPS websites to meet legal requirements. Can we sign the pledge and continue to serve them?
A. Most of the filtering solutions include options that will whitelist important services. Work with the school in question to implement a work-around.

Q. What else can I read about libraries using HTTPS?
A. The Electronic Frontier Foundation has published "What Every Librarian Needs to Know About HTTPS".


Eric Hellman
President, Gluejar.Inc.
Founder, Unglue.it https://unglue.it/
http://go-to-hellman.blogspot.com/
twitter: @gluejar