This presentation was provided by Emily Singley of Boston College, during the NISO event "Privacy in the Age of Surveillance: Everyone's Concern." The virtual conference was held on September 16, 2020.
2. What I’m going to cover
● Privacy as it relates to licensed resource access
● Why IP authentication fails
● Preserving privacy with federated access
● What we are doing at Boston College
3. The old model - IP authentication
● Authorization based on IP address
● “Proxied links” needed for off-network access
● Users can only navigate directly to resources if they are on-network
See: “De-mystifying e-resource access: what every librarian should know”
4. How IP authentication protects privacy
● Only the user’s IP address is seen by the resource provider
● When off-network, only the IP address of the proxy server is seen
5. What’s wrong with this model?
Off-campus user navigates directly to resource, e.g. nature.com
IP is not recognized; user hits paywall
● Researchers want to go straight to resources, not use special library links
● Mobile devices can be “on-campus” but “off-network” - confusing!
● As users roam across the web, it is hard to understand which resources require special library links
6. The evidence is mounting
● Accessing publisher resources via a mobile device: A user’s journey
● Dismantling the Stumbling Blocks that Impede Researcher Access to E-Resources
● Failure to Deliver: Reaching Users in an Increasingly Mobile World
● Rethinking authentication
7. Our students normally bypass library links
● The majority of our usage comes directly from individual on-campus IPs, not through EZProxy
8. What happens when a pandemic sends all your students home?
● Saw usage decline during the time students were off-campus
● Could it be our users don’t understand how to use library links?
9. They don’t start at the library - they start everywhere
Moore, M., & Singley, E. (2019). Understanding the Information Behaviors of Doctoral Students: An Exploratory Study. Portal: Libraries and the Academy, 19(2), 279-293.
● Following the scholarly conversation
● Getting content through social media, referrals from colleagues, following citation trails
● Library not seen as starting point
10. They use SciHub
Moore, M., & Singley, E. (2019). Understanding the Information Behaviors of Doctoral Students: An Exploratory Study. Portal: Libraries and the Academy, 19(2), 279-293.
"I see it on Google, get the link and copy and paste into SciHub and there's the article - that's it."
"so far there is nothing that I couldn't find there [on SciHub]"
Interviewer: “What can the library do better?”
Student: “Just do what SciHub does.”
12. Federated access infrastructure
● The institution’s identity provider (IdP) supports the SAML protocol
● The institution is also a member of an identity federation, which serves as a trusted clearing house for connections between the IdP and service providers.
● At Boston College, our SAML implementation is Shibboleth, and we are members of the InCommon federation
13. Why federated access
● Saw usage go up for federated provider
● Saw sharp increase in federated use
14. SeamlessAccess.org
• NISO-supported initiative to improve UX for federated access
• The same “Access through your institution” button appears across participating publisher sites
• Users stay logged in across platforms during their browser session
15. Preserving privacy with federated access
• Designed to support privacy; option to use only anonymous IDs
• IdP is entirely in control of attribute release
• Authorization takes place through IdP, not the service provider
• Risk: it is possible to release personal information
https://en.wikipedia.org/wiki/File:SAML_Web_Browser_SSO_with_Metadata.png
16. IT and library collaboration needed
• Libraries can no longer “go it alone”
• IdP (usually IT) manages attribute release
• Strong library / IT partnerships are essential
• Recent SeamlessAccess.org survey found that IT/library collaborations have room for improvement
https://seamlessaccess.org/posts/2020-06-23-surveyresults/
17. How we’re implementing federated access at Boston College
• Had to support 600 resource providers - both federated and IP authentication - in one place
• Only 200 providers support federated access
• Want to (eventually) be able to shut down EZProxy
• Went with a hosted solution - OpenAthens, distributed and supported by EBSCO
• LibLynx is also a viable option
18. Minimizing the burden on IT
• IT did not need to set up individual SAML connections; instead, only connected to OpenAthens
• Library staff can manage connections to resources - both IP and federated - within OpenAthens admin dashboard
19. Leveraging the federation
• Our solution had to work with our existing infrastructure - Shibboleth and InCommon
• We connect to OpenAthens federation using Shibboleth
• Service Providers who are OpenAthens members can connect to Boston College through the federation
• See EBSCO’s implementation documentation
• Some individual Shibboleth connections needed for a handful of providers
20. Preserving privacy at Boston College
• Only minimum number of attributes released
• EduTargetedId - anonymous ID, designed to protect user privacy
• Needed an additional attribute to identify separate campuses
• Strong security review processes in place
https://commons.wikimedia.org/wiki/File:Locked_Door_of_Tajjar.jpg
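The attribute-release points on slides 15 and 20 can be checked in practice by auditing what the IdP actually sends to a provider. The sketch below is an added example, not Boston College's or Shibboleth's code: it sorts the attribute names in a SAML assertion into allowed, personal and unexpected. The campus attribute name `urn:example:campus` and both sample assertions are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Allow-list for this service provider: the pseudonymous ID plus a campus attribute.
# "urn:example:campus" is a hypothetical name; the slides do not name the attribute.
ALLOWED = {
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.10": "eduPersonTargetedID",
    "urn:example:campus": "campus",
}
# Attributes that identify a person directly (standard eduPerson/LDAP OIDs).
PERSONAL = {
    "urn:oid:0.9.2342.19200300.100.1.3": "mail",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.6": "eduPersonPrincipalName",
    "urn:oid:2.16.840.1.113730.3.1.241": "displayName",
}

def audit_release(assertion_xml):
    """Sort every released attribute into allowed / personal / unexpected."""
    # Input is test output from your own IdP; use defusedxml for untrusted XML.
    root = ET.fromstring(assertion_xml)
    report = {"allowed": [], "personal": [], "unexpected": []}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        name = attr.get("Name", "")
        if name in ALLOWED:
            report["allowed"].append(ALLOWED[name])
        elif name in PERSONAL:
            report["personal"].append(PERSONAL[name])
        else:
            report["unexpected"].append(name)  # not reviewed yet: treat as a finding
    return report

def is_minimal(report):
    """True only when nothing outside the allow-list was released."""
    return not report["personal"] and not report["unexpected"]

def build_assertion(names):
    """Construct a sample assertion carrying the given attribute names."""
    attrs = "".join(
        f'<saml:Attribute Name="{n}"><saml:AttributeValue>sample</saml:AttributeValue>'
        "</saml:Attribute>" for n in names)
    return (f'<saml:Assertion xmlns:saml="{NS["saml"]}"><saml:AttributeStatement>'
            f"{attrs}</saml:AttributeStatement></saml:Assertion>")

# Constructed samples, not captured traffic.
MINIMAL = build_assertion(["urn:oid:1.3.6.1.4.1.5923.1.1.1.10", "urn:example:campus"])
OVERSHARING = build_assertion(["urn:oid:1.3.6.1.4.1.5923.1.1.1.10",
                               "urn:oid:0.9.2342.19200300.100.1.3", "urn:example:phone"])

if __name__ == "__main__":
    for label, xml in (("minimal", MINIMAL), ("oversharing", OVERSHARING)):
        print(label, is_minimal(audit_release(xml)), audit_release(xml))
```

The check looks only at attribute names in the statement; it does not validate signatures or decrypt encrypted assertions.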
21. Leveraging entity categories
• Entity categories can help libraries communicate what we mean by anonymous access
• Three new entity categories proposed:
○ Authentication Only
○ Anonymous Authorization
○ Pseudonymous Authorization
• SeamlessAccess Entity Categories Working group
• Recent NISO webinar
22. Where do we go from here?
• Boston College has now implemented federated access for about a third of our providers
• Includes all major publishers and aggregators
• Going forward: preferring providers that support federated access
• Encouraging providers who are still only IP-authenticated to implement federated access
23. We can’t do it alone
● We all need to work together - libraries, IT, and resource providers
● Libraries have an important role to play as privacy advocates
● We have a long ways to go, and there is still a lot of work to do
Jon Rawlinson [CC BY 2.0 (https://creativecommons.org/licenses/by/2.0)]