This presentation was provided by Todd Carpenter in conjunction with Daniel Ayala (Proquest) and Andrew Anderson (LIRN) on June 24, 2018 during the 2018 ALA Annual Conference, located in New Orleans.

1. Let’s Talk About Privacy and RA21
Todd Carpenter, Executive Director, National Information Standards Organization (NISO)
Dan Ayala, CISO & Privacy Officer, ProQuest
Andrew Anderson, President, Library and Information Resources Network, Inc.
NISO RA21 ALA Annual Conference
June 24, 2018

2. Some Context about RA21

3. Behind the scenes:
Does the user have
access rights?
Yes or No?
Do you have a login?
Yes or No?
Where are you from?
??????

4. An Analogy: Credit card processing
Excuse me. To process this payment you need to tell me: What is the
payment processing clearinghouse your bank uses?

5. And patrons are just getting annoyed

7. RA21 wants to build on the user
experience of the wider web

8. Make the login experience match the user
experience we’re all familiar with
Private Experience Target Institutional Experience

9. How SAML Can Protect Privacy
Publishers receive
attributes about the
user, not the user’s
identity.

10. RA21 Pilots
• Corporate Pilot (Universal Resrource Access “URA”)
•Two Academic Pilots
– Privacy Preserving Persistent WAYF Pilot
– WAYF Cloud Pilot
All seek to address the User Experience for off-campus access

11. Initial Privacy Review of RA21 Pilots
SECURITY & PRIVACY RECOMMENDATIONS Cloud WAYF P3W
Privacy Policy Requirements √ √
Data Protection Impact Analysis Required √ √
Data Retention Policy Required √
Denial of Service Protection √
Browser security (https + access controls) implementations √ √
Database/data protection best practices √
Server hardening - for security threats √ √
Code Scanning - for security threats √ √
Vulnerability Scanning/Penetration Testing √ √
API security protocols √
Audit Logging and review √
Security Monitoring √
Incident Response Plan √
High Availability Infrastructure requirements √ √
Anti-virus software monitoring √ √
GDPR compliance concerns √

12. Privacy Preserving Persistent (P3) WAYF Pilot
•Pilot goals
– To improve current Shibboleth Identity Provider discovery process
• Incorporate additional “WAYF hints” such as email domain and IP address into
federation metadata
• Improve sign-in flow using those WAYF hints via a shared discovery service
• Populate shared discovery service hints from the Service Providers regarding
what Identity Providers are likely to work in an authorization scenario
• Enable cross-provider persistence of WAYF choice using browser local storage
•Pilot participants (confirmed so far)
Project Management
GÉANT
Educational Access Management Federations
Sunet & SWAMiD (Swedish Federation)
The samlbits.org project
eduGAIN
EduServ
Publishers
Elsevier
American Chemical Society
Subscribing institutions
MIT
University of California, Davis
University of Arizona (tbc)
University of Denver (tbc)
Service Providers
ProQuest
Ping
LibLynx
Ebsco

13. Preserving Privacy
Built upon ”SAML-BITS”
technology in production
Technique Challenge
Only domain part of email
address needs to be
transmitted from browser
to publisher platform to
select IDP
Need to define and test a
standardized UI that
makes this clear to users
IdP preference is stored
locally in the browser,
retrieved using centrally
served javascript, not on a
central server
Need to adapt Account
Choose mechanism to
support SAML IdPs vs
OpenID Connect
Authorization Servers

14. It’s Not That Scary: A Short Demo
https://www.youtube.com/watch?v=mkQC64zfNyw&feature=youtu.be
Prototype demo starts at 1:22:01 in the recording

15. CRITICISM OF RA21
• Yes, SciHub is a motivator of RA21, but not the
only motivator.
• This project began with outreach from LIBRARIES!
• There are a variety of
reasons why libraries
would like to improve
access control
• Evil twins? Come on….

16. MORE CRITICISM OF RA21
• Open Access is not the end-all be-all of library
access control issues.
– First, even if every journal article were OA, not all
content provided by libraries will be freely available
– Second, a variety of the services that libraries provide
will still need authentication, regardless of whether
they are free or not
– To presume that RA21 is a fight against open access is
to have a very narrow and dim view of what libraries
do and provide.

17. EVEN MORE CRITICISM OF RA21
• RA21 is a nefarious plot by publishers to hoover
up all sorts of patron data.
– First, SAML data released by identity federations is under the
control of institutions, who can set limits on what data is
released or not, it is NOT controlled by publishers
– Second, RA21 will only be storing user preference information
about which IDP to pass credentials – NOT the credentials
themselves
– Finally, if they wanted, publishers could use other methods to
track user behavior, but are often limited by contracts and laws.

18. Google CASA Project
(Campus Activated Subscriber Access)
• Outside of the scope or RA21, but attempting to address
similar questions
• Led by Google Scholar team with several publisher
vendor partners
• Based on Google user-behavior analysis and cloud data
to navigate user to identity provider
• Core question: If you don’t trust RA21’s privacy
protections, do you trust Google to protect privacy of
patrons more than publishers/IdPs?

20. Want to get involved?
•Visit: https://www.RA21.org
•Mailing lists:
–P3W community list: https://lists.refeds.org/sympa/subscribe/p3w-
community
–WAYF Cloud community list: TBD
•Everyone: Register your interest in participation by emailing:
Julie Wallace: Julia@RA21.org and
Heather Flanigan: Heather@RA21.org

21. Questions?
THANK YOU!
Todd Carpenter
@TAC_NISO
tcarpenter@niso.org