Security & Privacy

Biblionix sets a high bar for security and privacy of your data. And your patron data is private. We do nothing with it but save it for you. No harvesting, no marketing. Our data protection is all-encompassing, including:

  • ALL Apollo pages (public catalog and staff pages) are encrypted with https
  • All SIP2 connections are encrypted
  • The database is encrypted on the servers
  • The backup servers are encrypted

We challenge any system to do more to protect your data and patron privacy.

“I commend Biblionix for its early move to delivering all transactions for its Apollo ILS via pages encrypted with HTTPS.”

Marshall Breeding, Smart Libraries Newsletter, January 2015

We will not connect your data with any third party that does not use encrypted SIP2. SIP2 is typically used by e-book services, PC time/print management software and the like. Without encrypted SIP2, every log-in by a patron results in much of their personal information being sent over the Internet in clear text, adult data and child data alike.

As a defense, your vendor may say that they don’t do anything with such patron data. Well, that doesn’t matter; the horse is already out of the barn. The SIP2 standard requires that the ILS reply to SIP2 login requests with the patron’s personal information whether or not the requesting software uses that data. And if the connection is not encrypted, all that patron data is exposed on the Internet, unprotected. Our CTO is a member of the NISO Working Group for SIP3 where he is working to get encryption included.
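To see what such a reply contains, the following added example (not Biblionix code) parses a SIP2 Patron Information Response (message 64) and lists the personal-data fields that would be readable on an unencrypted connection. The field codes and fixed-width layout are taken from the SIP2 specification rather than from this page, and the sample message is constructed.

```python
# Added example: list the patron fields a SIP2 Patron Information Response (64)
# carries, i.e. what crosses the wire in clear text when the link is not encrypted.

# Variable-length field codes from the SIP2 specification that hold personal data.
PII_FIELDS = {
    "AA": "patron identifier",
    "AE": "personal name",
    "BD": "home address",
    "BE": "e-mail address",
    "BF": "home phone number",
}

# Fixed-width header of a 64 message: command (2), patron status (14),
# language (3), transaction date (18), then six 4-digit item counts.
FIXED_LEN = 2 + 14 + 3 + 18 + 6 * 4

# Constructed sample message; every value here is made up.
SAMPLE_64 = (
    "64" + " " * 14 + "001" + "20150101    120000" + "0000" * 6
    + "AOEXAMPLELIB|AAPATRON-0001|AEJane Example|"
    + "BD1 Constructed St, Anytown|BEjane@example.org|BF555-0100|BLY|\r"
)


def parse_variable_fields(message):
    """Return {field code: value} for the '|'-delimited fields of a 64 message."""
    if not message.startswith("64"):
        raise ValueError("not a Patron Information Response (64)")
    if len(message) < FIXED_LEN:
        raise ValueError("message shorter than the fixed-width header")
    fields = {}
    for chunk in message[FIXED_LEN:].rstrip("\r\n").split("|"):
        if len(chunk) >= 2:  # skip the empty piece after the final delimiter
            fields[chunk[:2]] = chunk[2:]
    return fields


def exposed_pii(message):
    """Name the personal-data fields present (and non-empty) in the message."""
    fields = parse_variable_fields(message)
    return {label: fields[code] for code, label in PII_FIELDS.items() if fields.get(code)}


if __name__ == "__main__":
    for label, value in exposed_pii(SAMPLE_64).items():
        print(f"{label}: {value}")
```

Running the same check against a message captured on your own test link shows which of these fields your ILS actually returns to a given vendor.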

Here are some questions to ask your vendors about security:

  • To your ILS vendor, PC time/print management vendor, e-book vendors, etc.: “Do you encrypt your SIP2 connections with my library?” If the answer is no, find a new vendor fast or get them to fix it fast.
  • To your ILS vendor: “Does the login for our patrons use https, thus ensuring that whatever patrons do in the catalog is encrypted before going over the Internet?” If the answer is no, insist on an https/encrypted connection while you are searching for a new ILS vendor.
  • To your hosted ILS vendor: “Does the login for staff use https, thus ensuring that staff activity is encrypted before going over the Internet?” If the answer is no, insist on an https/encrypted connection while you are searching for a new ILS vendor.
  • To your ILS vendor: “Do you offer secure passwords like my bank does?” Secure passwords are hashed when stored so that no one can read them. This is not as critical as the above issues, but it can sure be embarrassing if a patron calls you on it.
For more information, refer to these articles by Alison Macrina and April Glaser, with whom we have been in touch:

  • “Librarians Are Dedicated to User Privacy. The Tech They Have to Use Is Not”
  • “Radical Librarianship: how ninja librarians are ensuring patrons’ electronic privacy”

Securing your data is frankly not hard; your vendors just have to take it seriously. Demand it of your ILS vendor, or allow us to protect you!