Online Journal Security Issues: A Charleston panel discussion

Presentation given at Charleston Conference, November 9, 2006

  • Welcome to this panel session on Online Journal Security issues. I’d first like to thank everyone in the audience for selecting our session over the many other great choices that are being offered at this time. This great turnout indicates that we have a great deal of interest in the topic and should have a really good discussion today. I’d also like to thank all of the panelists for agreeing to be here and to be involved in this discussion. My intent for this panel is for each one of our panelists to give a brief presentation about the issues that they feel are important about online journal security, and particularly the concerns that they have as a stakeholder and how everyone in the online journal publishing chain can collaborate to ensure that we have a smoothly functioning and realistic process regarding security.
  • Back in 1999, I attended the very popular and very important ARL Workshop On Licensing Electronic Information Resources. During that workshop, as we were told about the importance of negotiating certain aspects of licenses, I began to wonder if it was all that necessary. Surely, no publisher would sue a library or vice versa. I even raised my hand and asked, “Has any publisher sued any library over failure to comply with negotiated license terms?” The answer was resoundingly “Not yet!”, but everyone was sure it was coming. I wasn’t so sure though and remain unconvinced. But the time since then has presented many instances of Internet security-related litigation, especially copyright infringement litigation, and thanks to the RIAA and Napster, even lawsuits levied against providers, middlemen, and even end-users. But nothing yet in libraries, and that’s a good thing. As a community, we usually tackle and resolve our issues before the need to litigate even develops. And that’s what this panel discussion is about. How do we continue to work like this in an increasingly distributed digital environment? How do we make sure the concerns of information providers are met realistically and consistently yet ensure that libraries can still continue to legitimately serve the needs of their users? What processes can we develop that allow information producers, providers, vendors, and libraries to effectively work together and enforce the licenses that we’ve negotiated? The background on security issues for licensed online content stems from licenses adapted from database and software vendors whose models didn’t really adapt to academic research materials and the mission of research libraries. Over the course of the years, as an industry, we’ve come to some basic understanding on most license clauses, including Who, What, When, Where, How…and mysteriously absent is the Why…as in, Why do we need licenses for online content?
Well, the why is implied through the Restrictions on Use clauses in our licenses. Of course, information providers wanted to protect their copyright and make sure that providing information in a new format would not result in negative impact on their businesses. So most licenses included clauses outlining prohibited users and prohibited types of usage. And, in some licenses, clauses outlining the consequences of violating prohibited usage.
  • Most prohibited uses outlined in our licenses seem logical and based on common sense. Things like altering, recompiling, reselling, publishing or republishing, making persistent local copies, altering copyrights or changing publisher or authors names, etc. Most prohibited uses outlined in our licenses are either so unusual that they’re unlikely to ever occur, too difficult to accomplish by the average or even above-average user, or aren’t likely to happen since the potential users would lack a clear motivation to do such a thing. Everyone loves some type of music and music is expensive to acquire, and sharing it is easy so there’s a clear motivation to do just that. But not everyone really cares about that article on copper oxides or contribution of backyard grills to air pollution. But we’ve all still seen some violations of prohibited uses and to me, the major prohibited uses that seem to come up in these instances fall into about 3 categories: systematic copying or downloading, downloading by volume, or allowing unauthorized users to access content. And these things do occur, and I’ll outline some examples of occurrences at Caltech along these lines. What I’m really interested in is working out a process to stop these common breaches from occurring and getting libraries and publishers on the same page when needing to communicate about these instances. Let’s take a quick look at a few license examples and some recent violations of prohibited uses that have come up and what we need to rectify these things.
  • -- Signed in 2005 from a major publisher: “Subscriber will use its best reasonable efforts to ensure that Authorized Users are notified of the importance of respecting the intellectual property rights in the License Material and of the sanction that may be imposed or claims that may be made for failing to do so, and that Authorized Users are notified of and comply with the terms and conditions of this License Agreement and any and all user guidelines or restrictions provided by Agent or Publisher from time to time.” “Subscriber [is not] liable for breach of the terms of the license agreement by an authorized user provide that the subscriber did not cause, knowingly assist, or condone the continuation of such breach after becoming aware of such breach.” “License will be terminated if…any party hereto commits a material or persistent breach of any term of this License Agreement and fails to remedy the breach within 30 days of notification.” So we’ve got issues with reasonable efforts, notified, sanctions, and the vagaries of additional limits communicated from “time to time”. But we’re not here to debate licenses or the enforceability of them, but instead the issues relating specifically to security. The good news is that the licensee is not liable for security breaches by individual users, but potentially troubling is that the license doesn’t say what the Publisher will do if they discover a breach, how they will communicate any security issues to a library, or how the library should respond to a security issue that arises.
  • -- “If an Authorized User fails to abide by these Terms and Conditions of Use or other terms of this License, Publisher reserve the right in its sole discretion to suspend or terminate such Authorized User’s access to the Product immediately without notice, in addition to any other available remedies. Notwithstanding the above, except in the case of a material breach which Publisher deems dangerous to the integrity and security of the Product, Publisher shall give prior written notice to the Licensee of its intention to terminate such Authorized User’s access and shall allow the Licensee and/or the Authorized User 60 days after receipt of such notice to cure the breach or agree to abide by the terms and conditions of this license.” So, aside from the ridiculous circular logic and overly broad language, what this doesn’t say is how the publisher is going to notify the library of a breach, what a library should do to cure a breach, or how it affects other users.
  • -- Now, like I said before, what is actually written and what happens might be two totally different things. And the next few real life examples bear this out. Each of these actually happened and bring to light a number of aspects of online journal security that could be points to discuss. JSTOR. Okay, so I said I would change the names to protect the innocent, but this case was so high profile, no need to change it. Everyone remembers the JSTOR Open Proxy issue, right? Well, interestingly enough, long after the initial hullabaloo about it, JSTOR did identify an open proxy at Caltech and notified us about it. The identification was done before anyone used it to access JSTOR’s products from our site, but it was helpful to know about the issue and that even at a place that prides itself on its secure system, that an individual researcher could fail to configure their system correctly and impact the whole institute and our publishing partners. In essence, JSTOR just wanted to educate us about the issue, that we were unwittingly contributing to it, and that we should do something about it. There were no consequences if we didn’t and no follow-up if we did.
  • However, recent usage made of this service from your institution exceeds what is regarded as normal and reasonable. This activity was isolated to two hosts identified at IP address 131.215.***.*** and 131.215. .***.*** on December 18th. Many of the requests were sequential and systematic--that is, 1,083 requests, in “Journal of Exceptional Downloads” were downloaded consecutively and within short intervals. Access from the IP ranges 131.215.x.x and 131.215.226.x have been temporarily suspended. Note that systematic and programmatic downloading are two of the Prohibited Uses listed in the Institutional User Agreement that you signed (refer to Section 5, Prohibitions on Certain Uses). We would appreciate it if you would investigate the situation and report back your findings to Publisher. Please note that we would like a reply by January 10th, 2003; if no reply is received and/or this systematic downloading continues, access may be suspended from the entire IP range for your institution. We also require an assurance from you that such systematic downloading will not take place again. What is there: the IPs it came from, the date it came from, one number of downloads, and at least one journal affected. What’s not there: the time it happened, the exact material affected, what was downloaded (abstracts, fulltext, etc.). They also asked for a reply within 20 days. And what constitutes ‘assurance’ and makes that ‘assurance’ enforceable?
  • These examples bring to mind a number of issues about Online Journal Security. And as a librarian, most of these came from my viewpoint as a staff member who is responsible for negotiating license terms, and when those terms are perceived to be violated, attempting to enforce the terms or rectify the actions with the provider. Clearly we need to improve the processes that we have as an industry on the following topics:
    • Initial (pro-active) enforcement of license terms (notification / education)
    • Technical systems at the library to ensure compliance
    • Technical/social systems’ ability to be reactive to enforcement
    • Social systems that enforce/educate compliance (i.e. signage, popups, clickthroughs, notes on screen)
  • And as librarians, why do we care about these issues?
    • First and foremost, we want to provide information to our users and not violate our licenses.
    • We want to negotiate licenses that are clear about what we are required to do and not be hit by surprises during the life of the contract.
    • We don’t want one user to impact the potential use by others.
    • We want to provide seamless access to information with a minimum of intermediation.
    • We want to ensure that our usage metrics are accurate representations of usage.
    That’s what I think is important on this topic, but let’s hear from a number of publishers and another librarian about their perspectives. First up is…
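As an added example (not code from the panel, Caltech, or any publisher’s system), here is the kind of detection a library’s “technical systems to ensure compliance” or a publisher’s definition of a trigger event could run over access logs: it flags a host that fetches many full-text items in a short window and builds a report carrying the fields the speaker notes were present and absent in the publisher’s notice (time of day, exact articles, abstract versus full text). The log format, host addresses, URL paths, journal code and thresholds are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed access-log lines (Apache common-log style) for illustration only; the
# hosts, paths and journal code "jexd" are assumptions, not values from the panel.
SAMPLE_LOG = """\
203.0.113.7 - - [18/Dec/2002:14:02:10 -0800] "GET /journal/jexd/article/1001/fulltext.pdf HTTP/1.1" 200 81234
203.0.113.7 - - [18/Dec/2002:14:02:13 -0800] "GET /journal/jexd/article/1002/fulltext.pdf HTTP/1.1" 200 80012
203.0.113.7 - - [18/Dec/2002:14:02:16 -0800] "GET /journal/jexd/article/1003/fulltext.pdf HTTP/1.1" 200 79900
203.0.113.7 - - [18/Dec/2002:14:02:19 -0800] "GET /journal/jexd/article/1004/fulltext.pdf HTTP/1.1" 200 82340
203.0.113.7 - - [18/Dec/2002:14:02:22 -0800] "GET /journal/jexd/article/1005/fulltext.pdf HTTP/1.1" 200 77650
203.0.113.42 - - [18/Dec/2002:09:15:00 -0800] "GET /journal/jexd/article/1042/abstract HTTP/1.1" 200 4120
203.0.113.42 - - [18/Dec/2002:11:40:31 -0800] "GET /journal/jexd/article/1042/fulltext.pdf HTTP/1.1" 200 90111
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3})')
PATH_RE = re.compile(r"^/journal/(?P<journal>[a-z]+)/article/(?P<id>\d+)/(?P<kind>fulltext\.pdf|abstract)$")

def parse_log(text):
    """Yield (ip, timestamp, journal, article_id, kind) for each successful article request."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["status"] != "200":
            continue
        p = PATH_RE.match(m["path"])
        if not p:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        yield m["ip"], ts, p["journal"], int(p["id"]), p["kind"]

def find_systematic_downloads(text, window=timedelta(minutes=10), threshold=5):
    """Assumed trigger rule: a host that fetches >= threshold full-text items within `window`."""
    by_host = defaultdict(list)
    for ip, ts, journal, art_id, kind in parse_log(text):
        if kind == "fulltext.pdf":          # abstracts do not count toward the trigger
            by_host[ip].append((ts, journal, art_id))
    reports = []
    for ip, events in by_host.items():
        events.sort()
        for start in range(len(events)):
            run = [e for e in events[start:] if e[0] - events[start][0] <= window]
            if len(run) < threshold:
                continue
            ids = [art_id for _, _, art_id in run]
            reports.append({
                "ip": ip,
                "date": run[0][0].date().isoformat(),
                "first_seen": run[0][0].isoformat(),     # time of day: missing from the notice
                "last_seen": run[-1][0].isoformat(),
                "count": len(run),
                "journal": sorted({j for _, j, _ in run}),
                "content": "fulltext",                   # what was downloaded
                "article_ids": ids,                      # exact material affected
                "sequential": all(b - a == 1 for a, b in zip(ids, ids[1:])),
            })
            break                                        # one report per host
    return reports
```

Run on the constructed log, only the host that pulled five consecutive full-text PDFs within twelve seconds is reported; the host that read one abstract and one article is not.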

Transcript

  • 1.
    • Online Journal Security Issues
    • A Charleston Panel Discussion
    • John McDonald
    • California Institute of Technology
    • November 9, 2006
  • 2. Security of licensed content
    • Online publishing led to licensing of academic research materials
      • Licenses adapted from database & software models
    • Clauses focused on explicit definitions of users and usage
      • Who (authorized users)
      • What (licensed content)
      • When (term and renewal)
      • Where (jurisdiction)
      • How (technical aspects)
    • And Why…(as in)… Restrictions on Use
      • Prohibited users
      • Prohibited use
  • 3. Prohibited Uses
    • Usual prohibited uses (…or duh!)
      • altering, recompiling, reselling, publishing or republishing, making persistent local copies, altering copyrights or changing publisher or authors names, etc.
    • Common breaches (…or what seems logical to the publisher but not to our users)
      • Systematic or programmatic copying or downloading.
      • Downloading by volume (too much or too much from the same issue)
      • Allowing unauthorized users to access content
  • 4. License 1
    • Subscriber will use its best reasonable efforts to ensure that Authorized Users are notified of the importance of respecting the intellectual property rights in the License Material and of the sanctions that may be imposed or claims that may be made for failing to do so, and that Authorized Users are notified of and comply with the terms and conditions of this License Agreement and any and all user guidelines or restrictions provided by Agent or Publisher from time to time.
    • Subscriber [is not] liable for breach of the terms of the license agreement by an authorized user provide that the subscriber did not cause, knowingly assist, or condone the continuation of such breach after becoming aware of such breach.
    • License will be terminated if…any party hereto commits a material or persistent breach of any term of this License Agreement and fails to remedy the breach within 30 days of notification.
  • 5. License 2
    • If an Authorized User fails to abide by these Terms and Conditions of Use or other terms of this License, Publisher reserve the right in its sole discretion to suspend or terminate such Authorized User’s access to the Product immediately without notice, in addition to any other available remedies.
    • Notwithstanding the above, except in the case of a material breach which Publisher deems dangerous to the integrity and security of the Product, Publisher shall give prior written notice to the Licensee of its intention to terminate such Authorized User’s access and shall allow the Licensee and/or the Authorized User 60 days after receipt of such notice to cure the breach or agree to abide by the terms and conditions of this license.
  • 6. Example 1: Proactive
    • JSTOR Open Proxy
      • Open proxy at Caltech
      • Easy to identify the user
      • Due to misconfigured server
      • No security breach
    • Proactive handling of potential prohibited use
  • 7. Example 2: Reactive
    • Recent usage made of this service from your institution exceeds what is regarded as normal and reasonable.
    • This activity was isolated to two hosts identified at IP address 131.215.***.*** and 131.215. .***.*** on December 18th.
    • Many of the requests were sequential and systematic--that is, 1,083 requests, in “Journal of Exceptional Downloads” were downloaded consecutively and within short intervals.
    • Access from the IP ranges 131.215.***.*** and 131.215. .***.*** have been temporarily suspended.
  • 8. Example 2: Curing
    • Note that systematic and programmatic downloading are two of the Prohibited Uses listed in the Institutional User Agreement that you signed.
    • We would appreciate it if you would investigate the situation and report back your findings to Publisher.
    • Please note that we would like a reply by January 10th;
    • If no reply is received and/or this systematic downloading continues, access may be suspended from the entire IP range for your institution.
    • We also require an assurance from you that such systematic downloading will not take place again.
  • 9. Example 3: Incomplete information
    • This email is to notify you that we have detected unusual spider activity on our site originating from the following IP address: 131.215.xx.xxx
    • As a preventive measure we have blocked this IP address from accessing the site any more.
    • Please note that this may prevent valid users of your institution from accessing the site if they are coming in from the same IP. To unblock this IP address you must contact the publisher who will be able to analyze the problem and unblock it. You may reply to this email to contact us.
    • We apologize for any inconvenience.
  • 10. Improved Security
    • Libraries
      • Pro-active enforcement of license terms
        • Notification & Education
      • Technical systems at the library to ensure compliance
      • Reactive enforcement process
      • Identifying security breaches when notified
      • Communicating to publishers
    • Publishers
      • Improved technical systems
      • Definitions of trigger events
      • Communication to subscribers
      • Information provided to subscribers
  • 11. Why should we care?
    • Provide seamless access to information with a minimum of intermediation
    • Negotiate clear and explicit licenses
    • Provide information according to license terms
    • Reduce impact of misuse by one on the potential use by others
    • Ensure that our usage metrics are accurate representations of usage.