What Every Librarian Needs to Know About HTTPS
Librarians have long understood that to provide access to knowledge it is crucial to protect their patrons' privacy. Books can provide information that is deeply unpopular. As a result, local communities and governments sometimes try to ban the most objectionable ones. Librarians rightly see it as their duty to preserve access to books, especially banned ones. In the US this defense of expression is an integral part of our First Amendment rights.
Access isn't just about having material on the shelves, though. If a book is perceived as "dangerous," patrons may avoid checking it out, for fear that authorities will use their borrowing records against them. This is why librarians have fought long and hard for their patrons' privacy. In recent years, that includes Library Connection's fight against the unconstitutional gag authority of National Security Letters and, at many libraries, choosing not to keep checkout records after materials are returned.
However, simply protecting patron records is no longer enough. Library patrons frequently access catalogs and other services over the Internet. We have learned in the last two years that the NSA is unconstitutionally hoovering up and retaining massive amounts of Internet traffic. That means that before a patron even checks out a book, their search for that book in an online catalog may already have been recorded. And the NSA is not the only threat. Other patrons, using off-the-shelf tools, can intercept queries and login data merely by virtue of being on the same network as their target.
Fortunately, there is a solution, and it's getting easier to deploy every day. HTTPS, the secure version of HTTP, encrypts all traffic between a web browser and a server. The conventional wisdom of the 1990s was that HTTPS was only necessary to protect credit card numbers and passwords. But that opinion has changed for two reasons: First, it's become clear how frequently information is spied on for non-financial reasons, and second, improved algorithms and processing speeds have made HTTPS dramatically cheaper. For instance, Google reported only a 1% increase in CPU costs from deploying HTTPS. The other former cost of HTTPS, obtaining a certificate, has gone from very expensive to completely free over the last decade. It can be complicated to obtain and configure even a free certificate, but EFF, Mozilla, and several other organizations are working to eliminate the hassle with a new project called Let's Encrypt, which will offer certificates that are both free and easy to set up.
To celebrate the American Library Association's Choose Privacy Week, EFF offers five recommendations for libraries:
HTTPS for your whole website
Some libraries use HTTPS on a tiny part of their website: The login form to access records and request books. However, this is not sufficient. Security research has demonstrated that it's impossible to secure only a part of a website. Instead, libraries should ensure that every part of their site, from the front page to the catalog, uses HTTPS at all times. In other words, if someone types "www.example-library.org" into their browser, when the page finishes loading, the browser should display "https://www.example-library.org/" in the URL bar. Under the hood, the website should be permanently redirecting visitors from insecure HTTP to HTTPS.
Sites should also set the HTTP Strict-Transport-Security header (HSTS for short), which ensures returning visitors always get the secure version of the site, even in the face of network interference.
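One way to check both requirements above is sketched here as an added example; it is not EFF's code. It audits a recorded redirect chain for a permanent HTTP-to-HTTPS redirect and a usable HSTS header. The function names and the sample responses are constructed for illustration, and header names are assumed to be lowercased.

```python
from urllib.parse import urlsplit

def parse_hsts(value):
    """Return (max_age, include_subdomains) from a Strict-Transport-Security value."""
    max_age, include_sub = None, False
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age" and arg.strip().strip('"').isdigit():
            max_age = int(arg.strip().strip('"'))
        elif name == "includesubdomains":
            include_sub = True
    return max_age, include_sub

def audit(chain):
    """chain: recorded hops [(url, status, headers)], starting at the plain-HTTP URL.
    Header names are assumed lowercased. Returns findings; [] means all checks pass."""
    findings = []
    url, status, headers = chain[0]
    if status not in (301, 308):
        findings.append(f"{url}: status {status} is not a permanent redirect")
    if urlsplit(headers.get("location", "")).scheme != "https":
        findings.append(f"{url}: redirect target is not HTTPS")
    for url, status, headers in chain[1:]:
        if urlsplit(url).scheme != "https":
            findings.append(f"{url}: hop served over plain HTTP")
            continue
        # Browsers honour HSTS only when it arrives over HTTPS.
        max_age, _ = parse_hsts(headers.get("strict-transport-security", ""))
        if not max_age:
            findings.append(f"{url}: HSTS missing or max-age is 0")
    return findings

# Constructed sample data (not real captures).
GOOD = [
    ("http://www.example-library.org/", 301, {"location": "https://www.example-library.org/"}),
    ("https://www.example-library.org/", 200,
     {"strict-transport-security": "max-age=31536000; includeSubDomains"}),
]
LOGIN_ONLY = [("http://www.example-library.org/", 200, {})]  # front page stays on HTTP
TEMPORARY = [
    ("http://www.example-library.org/", 302, {"location": "https://www.example-library.org/"}),
    ("https://www.example-library.org/", 200, {}),
]

if __name__ == "__main__":
    for name, chain in (("good", GOOD), ("login-only", LOGIN_ONLY), ("temporary", TEMPORARY)):
        print(name, audit(chain) or "ok")
```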
Safer browsers for your computers
Many libraries are stuck with older versions of Internet Explorer, which lack some of the security features of modern browsers, including HSTS. While HSTS support was very recently added to Internet Explorer, we still recommend Firefox or Chrome. Besides their built-in security features, they support a rich array of security and privacy-related extensions, like HTTPS Everywhere and Privacy Badger.
HTTPS Everywhere for your browsers
EFF offers a browser extension, HTTPS Everywhere, which helps people use the secure version of websites whenever possible. Many websites use HTTPS for some tiny part of their site, but not the whole thing. With contributions from a community all over the world, we curate a list of such websites, and the browser extension upgrades pages from HTTP to HTTPS when visiting them.
We recommend HTTPS Everywhere for library computers so that snoops cannot intercept patrons' queries to external web sites. However, it has another valuable use: you can add your own library's site to our list! This is helpful if your site already has partial HTTPS support, but isn't yet HTTPS-only. In the longer term, of course, it's important to convert your website to HTTPS-only to support patrons without the extension.
Demand HTTPS from ebook providers
Sadly, DRM lockup means that most libraries can offer ebooks only through a tiny handful of providers. EFF is fighting the negative effects of digital rights management, but in the meantime, we recommend pressuring ebook providers to improve their privacy commitments. Last year's discovery that Adobe Digital Editions sent unencrypted filesystem information to Adobe's servers demonstrated that providers often fall flat on privacy.
Libraries should demand that every ebook provider they work with use HTTPS at all times in every app. Log retention policies for ebook data should be at least as privacy-preserving as the library's own policy, and data should not be collected beyond the minimum necessary to provide service. Both the HTTPS encryption and the log retention should be subject to annual audits to ensure they are still working as intended.
Open wireless is already common at libraries, which is great. Open wireless is the best and easiest way to provide Internet access to a community. However, some library networks use "captive portals" to display a start page to network users, requiring a click to acknowledge terms of acceptable use. Captive portals cause a number of problems, especially for HTTPS websites. Because captive portals have to intercept web traffic, they trigger browsers' "Untrusted connection" warnings about fake certificates. At best, this is a confusing hassle for people using the network. At worst, it trains library patrons to ignore browser warnings.
One of the most common uses for captive portals is to display a Terms of Service page, but that is not the only way to provide an access policy. As part of the Open Wireless Movement, we offer an example policy that participants incorporate by naming their networks "openwireless.org." This approach makes it much easier to join a network without getting confusing browser warnings.
Libraries have a crucial role in preserving access to information. That role is not changing, but the challenges of preserving that access are constantly changing. New services combined with widespread Internet spying mean that librarians need to be savvy about the new threats to their patrons' privacy and take steps to maintain that privacy, whether patrons are reserving books from home or browsing the Internet on library-provided computers. It will take a lot of work, but EFF is confident that the library community is up to the task.