Library Security and Insecurity : Sacramento Public Library , Ocean State Libraries and The Library Connection

Library Security and Insecurity  – A Brief Risk Assessment

~ Robert L. Balliot, MLIS

Anne Frontino of the Haddonfield Public Library in New Jersey queried the PubLib Listserve about  privacy and possible misuse of library barcodes on smartphones remarking:

Our library is considering allowing patrons to use barcodes scanned onto their smart phones to check out books.  …    We have only had a few instances of patrons trying this method of checking out items, but we feel that there may be some privacy or other misuse issues lurking.

barcode

Responses varied from Manya Shorr of the Sacramento Public Library advocating for use of barcodes without requiring authentication  to Dale McNeill of the Queens Library advocating familiar authentication such as PINs.  

It was obvious that there is no universally accepted standard for securing library user information, yet privacy is a cornerstone of libraries, library ethics, and the library profession.  In fact, a privacy guarantee may be the one thing in the information age that sets libraries apart from other massive information resources.  It may be the singular added value that provides validation of libraries as a public service.

Library records and library use are afforded privacy protection by statute and / or published opinions in the fifty States and the District of Columbia. Many states have enacted Security Breach notification laws and Data Disposal laws that safeguard privacy. Library user privacy is also championed by the American Library Association  Code of Ethics specifically through Article III:  

We protect each library user’s right to privacy and confidentiality with respect to information sought or received and resources consulted, borrowed, acquired or transmitted.

These statutes, ethics and opinions can create formidable barriers to unlawful, unwarranted electronic discovery.  However, dramatic changes to the traditional library information environment have led to a general failure of libraries to provide security of library records and transactions and fulfill professional and statutory guarantees of privacy.  As a result of those dramatic changes, library usage represents a massive opportunity for legitimate and illegitimate electronic discovery.

In 2009 the HITECH Act was passed to specifically address privacy of health records in the United States in conjunction with HIPAA.  The process promulgated for securing privacy of health records could be effectively applied to safeguard library records – the technology is the same and the security issues are similar. Libraries and health care providers are both required to safeguard the privacy of user records.  Health care records and library user records are both defined as protected information resources.  But, unlike libraries as a result of HIPAA and HITECH the custodians of health care records must now undergo a risk assessment to identify how breaches of privacy may occur.

Enigma Encryption Device

If risk assessments are not being conducted by libraries, how well are Libraries securing user information? Thousands and thousands of library records have been compromised and hacked. Nothing mandates risk assessment of library privacy and information security. Yet, the laws and opinions in all 50 states and DC define library user information as private and protected. 

What is the ongoing risk of exposing library user information? Huge. Three Library systems are reviewed here for the most basic levels of information security for users  – Encryption, Authorization and Authentication and Agency of ownership applied to Library Catalogs and Websites.

 Sacramento Public Library – Sacramento, California

The Sacramento Public Library serves  over 600,000  users with 28 libraries.  According to Manya Shorr, the SACPL also allows use of un-authenticated barcode images on smartphones as an alternative to a library card.

California Statutes :  Security Breach, Data Disposal and Library Records Privacy

Catalog – encore © Innovative Interfaces, Inc.

Encryption – The SACPL catalog employs https SSL for user login.  The catalog does not employ https SSL  for non-login searches.

Authorization and Authentication –  User login requires Barcode or User Name AND PIN

Agency – The SACPL  catalog employs third-party Google Analytics to track and store user information – script from SACPL catalog:  

var _gaq = _gaq || [];    _gaq.push([‘_setAccount’, ‘UA-8159966-1’]);    _gaq.push([‘_trackPageview’]);    (function() {      var ga = document.createElement(‘script’); ga.type = ‘text/javascript’; ga.async = true;      ga.src = (‘https:’ == document.location.protocol ? ‘https://ssl’ : ‘http://www’) + ‘.google-analytics.com/ga.js’;     var s = document.getElementsByTagName(‘script’)[0]; s.parentNode.insertBefore(ga, s);    })(); 

Website – The SACPL Employs Google custom search – an outside agency not under control of SACPL which tracks and stores user information

Sacramento Public Library Risk Assessment –  Fail

Non-login catalog searches appear to be transmitted in the clear. Login catalog use and non-login catalog use is tracked by Google – a third-party not controlled by the SACPL.  Searches of the SACPL website employing Google custom search is third-party data collection not controlled by SACPL.  In addition, risk of in-person identity theft is compounded by reliance on staff to authenticate based on suspicion.  How is reasonable suspicion quantified and qualified with 28 libraries and 600K users?

 Ocean State Libraries – (library consortium)  – Rhode Island

The Ocean State Libraries (OSL) consortium (formerly CLAN) includes 49 public libraries of Rhode Island and over 500,000 user records.  In 2003 a long-term employee of the Warwick Public Library – the home of the Ocean State Libraries offices – was charged with stealing library user identity to obtain credit cards.  Each employee with access to the circulation modules of the consortium is able to access library records and personal information for other users of the integrated library system.  So, at the time when charges were filed all of the patron records for all of the libraries were potentially breached.  Subsequent meetings of the OSL voting membership  – library directors – discussed some of the security concerns of  retaining drivers license numbers and social security numbers within the database.  Some consideration of standardizing security of data was profferred.   Arguments were made that the easiest thing to do was not to require PINs or other authentication and leave data collection and retention as a decision at the local level.

Rhode Island Statutes :  Security Breach, Data Disposal and Library Records Privacy

Catalog –  encore © Innovative Interfaces, Inc.

Encryption – The OSL catalog uses https SSL to encrypt login to user accounts.  The OSL does not employ encryption for non-login catalog searches – all searches appear to be transmitted in the clear.

Authorization and Authentication – The OSL catalog does not require authentication of user accounts through a PIN – merely knowledge of a simple numeric 14 digit bar code. 

Agency – It is unclear how information is shared with external agents – however, patron data is shared throughout the consortium and is not compartmentalized.

Website – OSL website user information is shared with and tracked utilizing Statcounter.com – a service out of Ireland.

Agency – User information is shared with and tracked utilizing Statcounter.com – a third party service apparently managed out of Ireland.  Statcounter script is rendered as invisible, secreted tracking without informing visitors of its use within the website code – script from OSL website  :

 Start of StatCounter Code –>
<SCRIPT type=text/javascript>
sc_project=1420372;
sc_invisible=1;
sc_partition=11;
sc_security=”7885d9a5″;    . . .

Ocean State Libraries Risk Assessment –  Fail

No authentication of library catalog users – creating high risk of exposing user data. Non-login catalog searches appear to be transmitted in the clear without encryption.  Use of website employing Statcounter.com aggregation of user data is third-party data collection by an agency not controlled by OSL – with servers storing data about user sessions apparently located  in Ireland. Although security of patron records has been breached in the past, compartmentalization of records does not appear to have taken place.

  The Library Connection – (library constorium) – Connecticut

Janus

The Library Connection serves  27 public and academic libraries  in the State of Connecticut.  The Library Connection librarians achieved some notoriety within the world of librarianship from their challenge to a National Security Letter and willingness to go to the mat along with the ACLU to defend the privacy of their users against law enforcement  in John Doe v Gonzales.   How does this library system employing librarians willing to secure and protect patron information from law enforcement review face user information security in general?

Connecticut Statutes :  Security Breach, Data Disposal and Library Records Privacy

Catalog – The Library Connection consortium employs the SirsiDynix integrated library system

Encryption – The login connection to the Library Connection catalog does not employ https  SSL.

Authorization and Authentication – A name and PIN or a barcode number and PIN are required for access to library user record.  However, since that information is apparently transmitted in the clear instead of encrypted using https SSL  – identity theft and harvesting of PINs with names and PINs with barcode numbers could be easily accomplished.

Agency – It is unclear how data is shared.  Library Connection privacy policy states: 

Information on non-Registered Library Users: No information is collected on library users who do not register as patrons. Some member libraries may collect the names of those who wish to use library computers to access the Internet. We encourage these libraries not to retain this information longer than three days.

Website – Immediately upon entering the Library Consortium website, user data is shared with and tracked by Google analytics

The Library Connection Risk Assessment –  Fail

No apparent encryption of library users logins. Non-login catalog searches appear to be transmitted in the clear.  Use of website employing Google analytics  is third-party data collection – an agency not controlled by the Library Connection – which appears contrary to the Library Connection policy on non-registered users.

Risk Assessment Summary –

The ongoing risk  to library user privacy is huge. This brief survey only touches on a few of the many current insecurities of library user information. Insecure user privacy practices represented in this brief risk assessment affect the privacy of over one million library users –  just at these three library systems. The privacy standards outlined by Article III of the ALA Code of Ethics may be comprised for convenience even by large library systems.   The ongoing erosion of user privacy in libraries to faciliate ‘ease of use’ by librarian and patron without regard to standard information security practices and ethics threatens the foundation of libraries as viable professional public services.

Please join us on BestofPublib Facebook

The Publib Archives

The Publib archives from the Webjunction listserve are available here: Archives Please note: HTML is stripped out of archives. Compose in plain text or richtext.