I think this is a good idea, but it is just one of a number of things that I 
think there should be effort to concentrate on.  I'm also part of the NISO 
privacy group, and I wrote up a post that is my current thinking about the work 
of the group.  One of the items in that post is a "recognition that protecting 
privacy is an incremental practice" 
(http://dltj.org/article/views-of-niso-patron-privacy-working-group/#critical-privacy-controls).
  Modeled on the SANS "Critical Security Controls", I think we should provide 
guidance to libraries on what the critical privacy controls are.  I haven't 
detailed a list of these yet -- not wanting to get too far in front of the 
group consensus -- but it would include things like making sure all web sites 
are protected by SSL.  Other things that I think should be included:

* Audit of circulation and interlibrary loan records -- know when there is a 
record that links a patron to an item, who can see that record, and when/how 
the record is discarded

* Review, at a protocol level, the components that make up web pages, both 
first-party (the library's own) and third-party (service providers)

* Inventory physical security measures, including video and audio recordings, 
for storage, access, and disposal policies

We could probably come up with a dozen such controls, write best-practices 
papers on each, and make them available to the community to use.


Peter

> On Jun 13, 2015, at 12:26 PM, Eric Hellman <e...@hellman.net> wrote:
> 
> Jeremy's response made me think.
> 
> What do people think about formulating a "Library Digital Privacy Pledge" 
> that libraries, publishers and vendors could sign onto?
> 
> Or perhaps a set of pledges. I'd start with moving services to SSL.
> 
> Principle:
> Library Services and Resources should be delivered, whenever practical, over 
> channels that are immune to eavesdropping.
> 
> Current Best Practice:
> Require HTTPS (SSL) for all services and resources delivered via the web.
> 
> Pledge (for Libraries):
> 1. All web services that we control will require SSL by the end of 2015.
> 2. All web services that we pay for will require SSL by the end of 2016.
> 
> Pledge (for Publishers and Vendors):
> 1. All web services that we control will enable SSL by the end of 2015.
> 2. All web services that we offer will require SSL by the end of 2016.
> 
> I pick HTTPS to focus on first because it's relatively easy to specify/ 
> understand. You could do something similar with meta referrer, but it's a bit 
> more arcane.
> 
> There's a NISO group (I'm on the steering committee) looking at developing 
> principles for library privacy that might be an appropriate forum to support 
> this.
> 
> Eric
> 
>> On Jun 11, 2015, at 11:55 PM, Frumkin, Jeremy A - (frumkinj) 
>> <frumk...@email.arizona.edu> wrote:
>> 
>> Eric - 
>> 
>> Many thanks for raising awareness of this. It does feel like encouraging 
>> good practice re: referrer meta tag would be a good thing, but I would not 
>> know where to start to make something like this required practice. Did you 
>> have some thoughts on that?
>> 
>> — jaf
>> 
>> -----------------------------------------------------------
>> Jeremy Frumkin
>> Associate Dean / Chief Technology Strategist
>> University of Arizona Libraries
>> 
>> +1 520.626.7296
>> j...@arizona.edu
>> ——————————————————————————————
>> "A person who never made a mistake never tried anything new." - Albert 
>> Einstein
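The second control in Peter's list (review, at a protocol level, the components that make up a library's web pages, first-party and third-party) and the HTTPS pledge in Eric's message both reduce to a concrete check: for a given page, which embedded resources are fetched over plain HTTP, and which come from service providers rather than the library's own host. The script below is an added example written for this thread, not code from any of the participants or from the NISO group. It uses only the Python standard library, the page URL and HTML are constructed for illustration, and it also reports whether the page sets a meta referrer policy, since Eric mentions that as the next candidate control.

```python
"""Audit the components of a web page at the protocol level.

Added example (not from the thread): given the HTML of a library page and the
URL it was served from, list every embedded resource, whether it is fetched
over HTTPS or plain HTTP, and whether it comes from the library's own host
(first-party) or a service provider (third-party).  It also reports the page's
meta referrer policy.  Only the standard library is used; the sample page
below is constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag/attribute pairs that make the browser fetch from, or submit to, a URL.
RESOURCE_ATTRS = {
    "script": "src", "img": "src", "iframe": "src", "link": "href",
    "form": "action", "video": "src", "audio": "src", "embed": "src",
}


class ComponentCollector(HTMLParser):
    """Collect resource references and the meta referrer policy from HTML."""

    def __init__(self):
        super().__init__()
        self.refs = []              # (tag, raw url) pairs in document order
        self.referrer_policy = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "meta" and (attrs.get("name") or "").lower() == "referrer":
            self.referrer_policy = attrs.get("content")
        attr = RESOURCE_ATTRS.get(tag)
        if attr and attrs.get(attr):
            self.refs.append((tag, attrs[attr]))


def audit_page(page_url, html):
    """Return one record per embedded component plus the referrer policy.

    Each record has: tag, url (resolved against page_url), scheme,
    party ('first' or 'third'), and encrypted (True only for https).
    """
    collector = ComponentCollector()
    collector.feed(html)
    page_host = urlsplit(page_url).hostname
    components = []
    for tag, raw in collector.refs:
        resolved = urljoin(page_url, raw)       # resolves relative and // URLs
        parts = urlsplit(resolved)
        if parts.scheme not in ("http", "https"):
            continue                            # data:, mailto:, javascript: ...
        components.append({
            "tag": tag,
            "url": resolved,
            "scheme": parts.scheme,
            "party": "first" if parts.hostname == page_host else "third",
            "encrypted": parts.scheme == "https",
        })
    return {"referrer_policy": collector.referrer_policy,
            "components": components}


def findings(report):
    """Summarise what a privacy review would flag from audit_page() output."""
    comps = report["components"]
    return {
        "plaintext": [c["url"] for c in comps if not c["encrypted"]],
        "third_party_hosts": sorted({urlsplit(c["url"]).hostname
                                     for c in comps if c["party"] == "third"}),
        "referrer_policy_missing": report["referrer_policy"] is None,
    }


# Constructed sample: a catalogue page served over HTTPS that still pulls in
# a plain-HTTP vendor script and two other third-party services.
SAMPLE_URL = "https://catalog.example-library.org/record/123"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/static/site.css">
<script src="http://cdn.example-vendor.com/widget.js"></script>
<script src="//analytics.example-tracker.net/collect.js"></script>
</head><body>
<img src="https://covers.example-vendor.com/123.jpg">
<img src="data:image/gif;base64,R0lGODlhAQABAAAAACw=">
<form action="/search"></form>
</body></html>
"""

if __name__ == "__main__":
    report = audit_page(SAMPLE_URL, SAMPLE_HTML)
    for c in report["components"]:
        print(f"{c['tag']:6} {c['party']}-party {c['scheme']:5} {c['url']}")
    print(findings(report))
```

Run against a saved copy of a real page, the `plaintext` list is the set of components that break an "all web services require SSL" pledge even when the page itself is served over HTTPS, and `third_party_hosts` is the starting inventory of service providers whose privacy practices the library has to review separately.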
