The First Library Digital Privacy Pledge

The Library Freedom Project is inviting the library community – libraries, vendors that serve libraries, and membership organizations – to sign the “First Library Digital Privacy Pledge “. For this first pledge, we’re focusing on the use of HTTPS to deliver library services and the information resources offered by libraries. It’s just a first step: HTTPS is a privacy prerequisite, not a privacy solution. Building a culture of library digital privacy will not end with this pledge, but committing to this first modest step together will begin a process that won’t turn back. We aim to gather momentum and raise awareness with this pledge; and will develop similar pledges in the future as appropriate to advance digital privacy practices for library patrons.

We focus on HTTPS as a first step because of its timeliness. The Let’s Encrypt initiative of the Electronic Frontier Foundation is launching a new certificate infrastructure that will remove much of the cost and technical difficulty involved in the implementation of HTTPS; a public beta launched in December of 2015. Due to a heightened concern about digital surveillance, many prominent internet companies, such as Google, Twitter, and Facebook, have moved their services exclusively to HTTPS rather than relying on unencrypted HTTP connections. The White House has issued a directive that all government websites must move their services to HTTPS by the end of 2016. We believe that libraries must also make this change, lest they be viewed as technology and privacy laggards, and dishonor their proud history of protecting reader privacy.

The 3rd article of the American Library Association Code of Ethics sets a broad objective:

We protect each library user’s right to privacy and confidentiality with respect to information sought or received and resources consulted, borrowed, acquired or transmitted.

It’s not always clear how to interpret this broad mandate, especially when the everything is done on the internet. However, one principle of implementation should be clear and uncontroversial:

Library services and resources should be delivered, whenever practical, over channels that are immune to eavesdropping.

The current best practice dictated by this principle is as following:

Libraries and vendors that serve libraries and library patrons, should require HTTPS for all services and resources delivered via the web.

The Pledge for Libraries:
  1. We will make every effort to ensure that web services and information resources under direct control of our library will use HTTPS within six months. [ dated______ ]
  2. Starting in in our next fiscal year, our library will assure that any new or renewed contracts for web services or information resources will require support for HTTPS by the end of that year.
The Pledge for Service Providers (Publishers and Vendors):
  1. We will make every effort to ensure that all web services that we (the signatories) offer to libraries will enable HTTPS within six months. [ dated______ ]
  2. All web services that we (the signatories) offer to libraries will default to HTTPS within a year of our endorsement of the pledge.
The Pledge for Membership Organizations:
  1. We will make every effort to ensure that all web services that our organization directly control will use HTTPS within six months. [ dated______ ]
  2. We encourage our members to support and sign the appropriate version of the pledge.

Join us by emailing pledge(at)libraryfreedomproject(dot)org.

For more information, read the FAQ.