THE SYSTEMS LIBRARIAN
High Security and Flexible Privacy for Library Services
by Marshall Breeding
Ensuring the privacy of patrons as they make use of library services has been a longstanding priority for the profession. Maintaining ironclad computer and network security not only makes certain that the operations of the library function without disruption, but it also forms the foundation for protecting personally identifiable information of the library’s clientele. Libraries also face conflicting issues regarding patron privacy. Some users require strict anonymity, while others prefer an approach that makes free use of personal information to form services that are more customized to their specific interests. This edition of The Systems Librarian explores a few of the issues involved in the complicated balance between security and patron privacy.
|The challenges of establishing adequate defensive measures have never been more daunting, with attackers at the ready to take advantage of any vulnerability.
The challenges of establishing adequate defensive measures have never been more daunting, with attackers at the ready to take advantage of any vulnerability. Most libraries lack the on-site resources that must be dedicated to security in this hostile context. But it is possible to maintain reasonable levels of protection without great expense.
Concerns for security apply to every component of a library’s technical environment. The core purpose of computer and network security is centered on ensuring that only authorized individuals or entities gain access to the data and computing resources. Should such an intrusion occur, any data within the system can be exposed or destroyed and the operation of the systems can be vandalized or rendered inoperable. All server, storage, and network hardware must be physically secured to prevent the insertion of any device or software able to give an unauthorized individual the ability to gain control. All layers of software must be carefully configured and monitored for vulnerabilities, including OSs, databases, device drivers, and applications. Those exposed to internal networks and the internet must be impervious. Maintaining proper security requires highly skilled professionals with expertise in security and thorough knowledge of the technical details of each technical component, as well as having up-to-the-minute information about the types of attacks and vulnerabilities currently in play.
Computer privacy entails a different set of issues, although it assumes that a very high degree of computer and network security has already been established. Privacy relates to ensuring that any data involved in using a system remain closely guarded and not exposed to any unintended recipients. A private transaction would limit any data involved in a transaction—or even awareness that the transaction took place—to the parties directly involved. Libraries work to ensure that the transactions they conduct with their patrons are private in this way. When a library lends an item to a patron, the details of that transaction are known only to that specific patron and any staff members with a direct operational role in that transaction. For example, circulation personnel need to be able to track when the item is due and to be able to send any appropriate notices. Once the item has been returned, most libraries remove any data that reveals the personal identity of the patron, usually leaving only elements needed to support statistical reporting or other analytics.
Similar concerns apply to the transactions involving content or services the library delivers to its patrons via the web. Libraries generally intend that these interactions remain private, and efforts are made not to leave behind data tying a patron to specific items of content accessed or downloaded. While the library may not record data related to these online transactions, maintaining privacy depends on ensuring that no third party can eavesdrop on the communications. This requires comprehensive encryption of the transmission between the patron’s web browser and the server providing the content. The privacy of web-based library services is a topic that I have addressed in several recent articles and reports.
Increased Reliance on SaaS
The ongoing trend for the deployment of business applications through SaaS offloads the technical administration, including those related to security. The vendor responsible for hosting and maintaining the service assumes responsibility for the technical tasks required for ensuring strict security. Strategic applications such as ILSs, library services platforms, and discovery services are increasingly available as hosted services. Libraries have offered their patrons access to externally hosted content products since the advent of the web.
The increasing shift of library systems being housed within the library itself to being hosted by vendors can also provide significant advantages for security. Libraries do not necessarily have the in-house expertise needed to maintain adequate security. Vendors, since they may provide hosting for hundreds or thousands of instances of the software, can dedicate significant resources to each operational area, including security. They may have one or more full-time security engineers who are able to focus their entire attention on developing comprehensive security architecture and monitoring systems for any possible intrusion attempts. Software vendors may also make use of infrastructure services provided by large-scale data centers with many additional layers of physical, network, and software security.
The increased reliance on externally hosted services does not mean that libraries cannot securely operate servers and software themselves, but they must allocate sufficient resources. Many libraries are able to take advantage of the facilities and the expertise of their parent institution, such as IT departments within their campus or governmental organization. But as a general trend, libraries do not see maintaining technical infrastructure as being within their core areas of expertise and are willing to shift responsibility to their parent institution or external vendors. Shifting hosting arrangements may mean that the library isn’t directly executing the tasks related to security, but it does not mean that they should not be vigilant. For example, it is important to impose strict contractual requirements of the security measures that will be implemented and to periodically receive documentation that these procedures are being carried out effectively.
Libraries will continue to rely on a great number of computing devices for use by their patrons and personnel even if they externalize most of the infrastructure supporting their automation and services. These local library computers do not necessarily come with the high-stakes security implication that servers do, but they must be diligently maintained. Vulnerabilities in these devices may lead to infections by viruses, provide pathways of access to critical systems, or expose data related to the private transactions of patrons.
Software vulnerabilities — Keeping all software components of computers up-to-date delivers the most important aspects of a security strategy, including both personal and institutionally provided devices. Software security is a fast-moving dynamic. Vulnerabilities are continually being uncovered, and developers create patches to address them in the shortest possible interval. These patches must be applied promptly, hopefully closing holes in security before they are known to those who might try to exploit them. Fortunately, it is rare for there to be a major security flaw known to potential attackers before software developers have had a chance to create a patch.
This fast-paced dynamic of closing vulnerabilities ahead of possible exploits means that these patches must be deployed promptly. All OSs and major software applications have built-in automated updates that install patches on a regular schedule or even off-cycle for more urgent circumstances. It is essential for libraries to implement their technical environment in ways that do not preempt the automated updates of OSs and applications. Using an OS without the most current updates and patches is asking for trouble. Continuing to use any OS or application that’s no longer being supported by its developers is likewise inherently problematic. Old versions of Microsoft Windows, other OSs, or web browsers will have vulnerabilities that are well-known and unpatched. While it may be inconvenient or involve some expense to implement current versions, using inherently insecure software introduces a high level of risk.
It’s also essential to activate and maintain antivirus software. These services are increasingly built into OSs, but also continue to be available as separate products. Most email services include automatic detection of malware, preempting one of the most common mechanisms for transmitting computer viruses. The demise of the diskettes likewise eliminated another. Today, USB drives should be treated as untrustworthy since they can transfer malware. Antivirus software should be configured to scan any USB device inserted. While these devices are likely to see some level of use for quite some time, they are becoming less popular as cloud-based storage services become more prevalent. Libraries might consider encouraging patrons to send or save resources or documents to their accounts on Dropbox, Google Drive, and similar services rather than using these increasingly untrustworthy USB devices.
Wi-Fi exposures — Most libraries offer wireless access to the internet. Patrons expect and appreciate wireless access so that they can use their own devices when they visit the library. Wireless networks can be deployed in a variety of different configurations. Some libraries offer open and unsecured networks, while others offer encrypted ones that require visitors to enter a network key before gaining access. Access to open networks may require clicking through a page that outlines terms of service and applicable policies and entering a valid library card number, or access may be entirely unhindered. All of these options, however, have little impact on the security and privacy of the transactions conducted by patrons using the network.
Securing the wireless network only encrypts traffic between the patron’s device and the wireless device, leaving the traffic unsecured as it traverses the internet to its ultimate destination. No sensitive transaction can rely only on the very limited security provided by an encrypted wireless network, but would instead be conducted through end-to-end encryption. Any service provided through HTTPS is encrypted for the entire pathway between the user’s browser and the originating server. Whether that browser resides on an open or a secured wireless network has a negligible impact on the privacy and security of the transmission. No internet-savvy patron would conduct an ecommerce, banking, or other sensitive transaction without the padlock on the browser that indicates a secure connection regardless of the security level of the immediate network.
Libraries can do far more to protect the privacy of their patrons by ensuring that all of the services they offer are delivered through secure connections. Whether hosted by the vendor or by the library, the web servers providing access to library catalogs, discovery services, or other applications should be configured to use HTTPS via current encryption protocols, rather than transmit readable text over the web using the default HTTP delivery. In the past, using HTTPS was technically complex and required more intensive computational power. Today, it is much easier to activate.
The library or its vendor simply needs to obtain a digital certificate, which normally involves a nominal fee and a fairly straightforward installation process on the web servers involved. Given the reality that all the information transmitted between the patron and the server potentially can be captured and read by any third party with the technical means to intercept internet traffic, not using this readily available encryption technology can be considered inconsistent with the value that libraries place on protecting patron privacy.
Data exposures — While libraries place a high regard on providing environments that protect patron privacy, this value is not always shared by the patrons themselves. Many of the procedures implemented by libraries to protect patron privacy involve either not collecting personalized data or destroying it after the fact. This approach imposes significant impediments to delivering personalized services. In the realm of ecommerce and social networks, such data is exploited to the fullest extent to provide highly customized services. Libraries strive to create more engaging services with personalized characteristics, but they face limitations through the absence of adequate data to power them. Even basic features such as the ability for a patron to view a history of materials she has checked out from the library may be stymied by a blanket policy of anonymizing all concluded circulation transactions.
The use and collection of personalized data related to patron transactions needn’t be all-or-nothing. Rather, there should be a menu of possibilities available for the patron to select. While it is reasonable to have more stringent handling of private data by default, the ability to opt in to allow the library to collect and make use of personalized data can be offered. Patrons acclimated to the use of their personal information by almost all other corners of the web may be receptive to allowing the library to use similar information to provide enriched services.
Libraries can also offer highly secure and private flavors of their services. In contrast to patrons who are comfortable with a more permissive approach to personalized data, others may prefer complete anonymity as they take advantage of library services. Both for services offered on-premises and via the web, libraries could offer a high-security zone to give patrons a high level of privacy. A set of public workstations could be designated in the library as high-privacy, using features such as the incognito mode in Google Chrome and operating through Tor relays that make it difficult, if not impossible, to trace the location of a person using the internet. Journalists and other patrons dealing with very sensitive issues or those who simply prefer that their use of the web not be tracked in any way will appreciate an option for enhanced privacy and security.
As with most technology issues, there is no one-size-fits-all option when it comes to security and privacy in the library context. Different assumptions and expectations apply within each type of library and across different categories of patrons. All libraries should reach a very high bar of security in order to have a strong foundation on which to base their operations and to deliver their services. Within a well-secured environment, libraries can more confidently deal with any personalized data that patrons opt to enable with less risk that it will be exposed beyond the preferences they explicitly selected.
While strong security should be treated as a requirement, libraries can allow patrons to dial the levels of privacy according to their overall preferences or for particular projects or circumstances. This flexible approach to privacy may require some effort to implement, but it will be important to achieve if libraries are to move forward from flat or 1D services to a more dynamic and enriched environment with possibilities to deliver engaging and highly personalized services.