<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 14 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p
{mso-style-priority:99;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
{mso-style-priority:99;
mso-style-link:"Balloon Text Char";
margin:0in;
margin-bottom:.0001pt;
font-size:8.0pt;
font-family:"Tahoma","sans-serif";}
span.EmailStyle18
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.BalloonTextChar
{mso-style-name:"Balloon Text Char";
mso-style-priority:99;
mso-style-link:"Balloon Text";
font-family:"Tahoma","sans-serif";}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri","sans-serif";}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Should I consider the Koha response to my Questionaire regarding Patron Privacy and Security complete?<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Thanks for your help with this project.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">-marshall<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Marshall Breeding<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><a href="mailto:marshall.breeding@librarytechnology.org">marshall.breeding@librarytechnology.org</a><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><a href="http://www.librarytechnology.org/"><span style="color:blue">www.librarytechnology.org/</span></a><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">twitter.com/mbreeding<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><a href="http://www.linkedin.com/in/breeding"><span style="color:blue">http://www.linkedin.com/in/breeding</span></a><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><a href="http://scholar.google.com/citations?user=NnvfJ5cAAAAJ"><span style="color:blue">http://scholar.google.com/citations?user=NnvfJ5cAAAAJ</span></a><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> koha-devel-bounces@lists.koha-community.org [mailto:koha-devel-bounces@lists.koha-community.org]
<b>On Behalf Of </b>Chris Cormack<br>
<b>Sent:</b> Monday, November 10, 2014 1:51 PM<br>
<b>To:</b> koha-devel@lists.koha-community.org<br>
<b>Subject:</b> [Koha-devel] Fwd: Questionaire regarding Patron Privacy and Security<o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div>
<div>
<div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt">Forwarded with Marshall's permission<o:p></o:p></p>
</div>
<p class="MsoNormal" style="margin-bottom:12.0pt">Would you be able to help me fill this out?
<o:p></o:p></p>
</div>
<p class="MsoNormal" style="margin-bottom:12.0pt">Galen has already made a good start which I have pasted at
<br>
<a href="https://etherpad.mozilla.org/YiC0J8efmw">https://etherpad.mozilla.org/YiC0J8efmw</a><o:p></o:p></p>
</div>
<p class="MsoNormal" style="margin-bottom:12.0pt">Also the Evergreen community are working on their response at<br>
<a href="https://docs.google.com/document/d/1RgTnQOITvm3B_yzBOTfAuPZgDZig7xQ3N7Euib8rONc/edit">https://docs.google.com/document/d/1RgTnQOITvm3B_yzBOTfAuPZgDZig7xQ3N7Euib8rONc/edit</a><o:p></o:p></p>
</div>
<p class="MsoNormal">Thanks<br>
<br>
Chris<o:p></o:p></p>
<div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div>
<div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt">---------- Forwarded message ----------<br>
From: <b>Marshall Breeding</b> <<a href="mailto:marshall.breeding@librarytechnology.org">marshall.breeding@librarytechnology.org</a>><br>
Date: 11 November 2014 02:55<br>
Subject: Questionaire regarding Patron Privacy and Security<br>
To: Chris Cormack <<a href="mailto:chris@bigballofwax.co.nz">chris@bigballofwax.co.nz</a>><br>
<br>
<o:p></o:p></p>
<div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">As you know, libraries are increasingly concerned with protecting the privacy of their patrons and in strong security.<span style="color:#1F497D"> For an upcoming panel for CNI
I have been charged with gathering data regarding how library management systems handle patron privacy and security.
</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="color:#1F497D">It would be great if I could have responses by November 21, 2014.
</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="color:#1F497D">Could you provide responses for the Koha? You are the one that comes to mind among those in the Koha community, but if there is someone else that you
think should respond, please let me know. I really appreciate your help.</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">
<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">I am interested in gathering some information regarding the current capabilities or options that systems offer today, looking forward to further progress in this arena toward more
secure treatment of patron-related transactions. Given increasing concerns, I would expect that each company is working on providing a more secure environment.
<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">This data initially will be used for a briefing at the upcoming CNI Fall 2014 Membership Meeting, December 8-9, 2014:<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><a href="http://www.cni.org/events/membership-meetings/upcoming-meeting/fall-2014/project-briefings-breakout-sessions/" target="_blank">http://www.cni.org/events/membership-meetings/upcoming-meeting/fall-2014/project-briefings-breakout-sessions/</a><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">I also anticipate that this information would be helpful for other discussions, presentations, or reports.<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">In addition to information provided by the developers of systems, I may also work with systems administrators of the various products for their perspectives on these security-related
capabilities and options.<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">I would greatly appreciate it if you could have your technical or product managers provide responses to these specific questions. It would also be helpful to have any additional
comments or perspective whether these seem to be the best areas of concern regarding patron privacy, if there are alternative strategies that you are pursuing. I would also be interested to hear whether this topic has been raised also by your customers or
users through enhancement requests or other product roadmap priorities.<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Does your online catalog or discovery interface:<o:p></o:p></p>
<p><span style="font-family:Symbol">·</span><span style="font-size:7.0pt">
</span>Enforce encryption through SSL for all transactions involving patron activity<o:p></o:p></p>
<p><span style="font-family:Symbol">·</span><span style="font-size:7.0pt">
</span>Offer the library an option to enable SSL for all transactions involving patron activity<o:p></o:p></p>
<p><span style="font-family:Symbol">·</span><span style="font-size:7.0pt">
</span>Enforce encryption for specific pages or transactions involving patron details or login credentials<o:p></o:p></p>
<p><span style="font-family:Symbol">·</span><span style="font-size:7.0pt">
</span>Offer the library an option to enable SSL for specific pages or transactions involving patron details or login details<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Does your client or interface for delivering functionality to library personnel:<o:p></o:p></p>
<p><span style="font-family:Symbol">·</span><span style="font-size:7.0pt">
</span>Enforce encryption through SSL or other encryption mechanisms for all transactions<o:p></o:p></p>
<p><span style="font-family:Symbol">·</span><span style="font-size:7.0pt">
</span>Offer the library an option to enable SSL or other encryption mechanisms for all transactions<o:p></o:p></p>
<p><span style="font-family:Symbol">·</span><span style="font-size:7.0pt">
</span>Enforce encryption for specific pages or transactions involving patron details<o:p></o:p></p>
<p><span style="font-family:Symbol">·</span><span style="font-size:7.0pt">
</span>Enforce Encryption for specific pages involving authentication of library personnel accounts<o:p></o:p></p>
<p><span style="font-family:Symbol">·</span><span style="font-size:7.0pt">
</span>Offer the library an option to enable SSL for specific pages involving patron details<o:p></o:p></p>
<p><span style="font-family:Symbol">·</span><span style="font-size:7.0pt">
</span>Offer the library an option to enable SSL or other encryption mechanisms for specific pages involving authentication of library personnel<o:p></o:p></p>
<p><span style="font-family:Symbol">·</span><span style="font-size:7.0pt">
</span>Enforce encryption for transactions involving institutional financial data (acquisitions, patron fines, etc)<o:p></o:p></p>
<p><span style="font-family:Symbol">·</span><span style="font-size:7.0pt">
</span>Offer the library an option to enable SSL or other encryption mechanisms for financial transactions<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">How does your platform or system deal with the security of the storage of specific types of data:<o:p></o:p></p>
<p><span style="font-family:Symbol">·</span><span style="font-size:7.0pt">
</span>Does your system store patron passwords or PINs as unencrypted text<o:p></o:p></p>
<p><span style="font-family:Symbol">·</span><span style="font-size:7.0pt">
</span>Does your system store patron passwords or PINs as salted hash or similar mechanisms<o:p></o:p></p>
<p><span style="font-family:Symbol">·</span><span style="font-size:7.0pt">
</span>Does your system encrypt patron details as they are recorded and stored?<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Are logs or other system files that include patron search or reading behaviors encrypted?<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Describe any other security measures in place that protect patron privacy as it is transmitted over local networks or the Internet from interception by any third party. One specific
scenario that has been a topic of concern involves the presentation of e-book discovery and lending transactions via library catalogs or discovery interfaces.<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Describe any integration with third party organizations that could potential expose patron details, search, or reading patterns and measures that you have provided to strengthen
privacy and security.<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Do the APIs allow or require encryption in requests or responses that include patron-related data?
<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">What limitations to security impact your system imposed by the APIs or protocols managed by external or third-part products?<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Would your company be interested in a standardized specification for the treatment of patron or financial data, similar to the way that PCI provides a compliance framework for e-commerce
transactions?<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">I really appreciate your help with this project. Please confirm that you will be able to respond and let me know if you have any questions or concerns.<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">-marshall<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Marshall Breeding<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><a href="http://www.librarytechnology.org/" target="_blank">http://www.librarytechnology.org</a><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><a href="mailto:marshall.breeding@librarytechnology.org" target="_blank">marshall.breeding@librarytechnology.org</a><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><a href="http://twitter.com/mbreeding" target="_blank">http://twitter.com/mbreeding</a><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><a href="http://www.linkedin.com/in/breeding" target="_blank">http://www.linkedin.com/in/breeding</a><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><a href="http://scholar.google.com/citations?user=NnvfJ5cAAAAJ" target="_blank">http://scholar.google.com/citations?user=NnvfJ5cAAAAJ</a><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
</div>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</body>
</html>