Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Building privacy infrastructure - an academic library's perspective

Emily Singley
September 15, 2020

Building privacy infrastructure - an academic library's perspective

Presented at NISO webinar "Privacy in the age of surveillance" webinar on September 16, 2020. Covers how IP authentication (EZProxy) is failing our users, and how SAML-based federated access can be implemented while still preserving privacy. Includes discussion of how Boston College is implementing federated access (OpenAthens) for library resource access.

Emily Singley

September 15, 2020
Tweet

More Decks by Emily Singley

Other Decks in Education

Transcript

  1. Building
    privacy
    infrastructure
    Emily Singley
    Boston College
    @emilysingley
    September, 2020
    an academic library’s
    perspective

    View full-size slide

  2. What I’m going to cover
    ● Privacy as it relates to licensed resource access
    ● Why IP authentication fails
    ● Preserving privacy with federated access
    ● What we are doing at Boston College

    View full-size slide

  3. The old model - IP authentication
    ● Authorization based on IP address
    ● “Proxied links” needed for off-network
    access
    ● Users can only navigate directly to
    resources if they are on-network
    See: “De-mystifying e-resource access: what
    every librarian should know”

    View full-size slide

  4. How IP
    authentication
    protects privacy
    ● Only the user’s IP address is
    seen by the resource
    provider
    ● When off-network, only the
    IP address of the proxy
    server is seen

    View full-size slide

  5. What’s wrong with this model?
    off-campus user navigates directly
    to resource, e.g. nature.com
    IP is not recognized; user hits paywall
    ● Researchers want to go straight to resources, not use special library links
    ● Mobile devices can be “on-campus” but “off-network” - confusing!
    ● As users roam across the web, it is hard to understand which resources
    require special library links

    View full-size slide

  6. The evidence is mounting
    ● Accessing publisher resources via a mobile device: A user’s
    journey
    ● Dismantling the Stumbling Blocks that Impede Researcher
    Access to E-Resources
    ● Failure to Deliver: Reaching Users in an Increasingly Mobile
    World
    ● Rethinking authentication

    View full-size slide

  7. Our students normally bypass library links
    ● The majority of our usage comes
    directly from individual on-
    campus IPs, not through
    EZProxy

    View full-size slide

  8. What happens when a pandemic sends all your
    students home?
    ● Saw usage decline during the time
    students were off-campus
    ● Could it be our users don’t
    understand how to use library
    links?

    View full-size slide

  9. They don’t start at the library - they start everywhere
    Moore, M., & Singley, E. (2019).
    Understanding the Information Behaviors
    of Doctoral Students: An Exploratory Study.
    Portal: Libraries and the Academy, 19(2),
    279-293.
    ● Following the scholarly
    conversation
    ● Getting content through social
    media, referrals from colleagues,
    following citation trails
    ● Library not seen as starting
    point

    View full-size slide

  10. They use SciHub
    Moore, M., & Singley, E. (2019).
    Understanding the Information Behaviors
    of Doctoral Students: An Exploratory Study.
    Portal: Libraries and the Academy, 19(2),
    279-293.
    "””I see it on Google, get the link and copy and paste into SciHub
    and there's the article - that's it."
    "so far there is nothing that I couldn't find there [on SciHub]"
    Interviewer: “What can the library do better?”
    Student: “Just do what SciHub does.”

    View full-size slide

  11. The solution: SAML-based federated access

    View full-size slide

  12. Federated access infrastructure
    ● The institution’s identity provider (IdP)
    supports the SAML protocol
    ● The institution is also a member of an identity
    federation, which serves as a trusted clearing
    house for connections between the IdP and
    service providers.
    ● At Boston College, our SAML implementation is
    Shibboleth, and we are members of the
    InCommon federation

    View full-size slide

  13. Why federated access
    ● Saw usage go up for federated provider
    ● Saw sharp increase in federated use

    View full-size slide

  14. Federated UX is getting better - SeamlessAccess.org
    • NISO-supported initiative to improve UX for federated access
    • The same “Access through your institution” button appears across participating
    publisher sites
    • Users stay logged in across platforms during their browser session

    View full-size slide

  15. Preserving privacy with federated access
    • Designed to support privacy; option to use only anonymous IDs
    • IdP is entirely in control of attribute release
    • Authorization takes place through IdP, not the service provider
    • Risk: it is possible to release personal information
    https://en.wikipedia.org/wiki/File:SAML_Web_Browser_SSO_with_Metadata.png

    View full-size slide

  16. IT and library collaboration needed
    • Libraries can no longer “go it alone”
    • IdP (usually IT) manages attribute release
    • Strong library / IT partnerships are
    essential
    • Recent SeamlessAccess.org survey found
    that IT/library collaborations have room for
    improvement
    https://seamlessaccess.org/posts/2020-06-23-surveyresults/

    View full-size slide

  17. How we’re implementing federated access
    at Boston College
    • Had to support 600 resource providers - both federated and IP authentication - in
    one place
    • Only 200 providers support federated access
    • Want to (eventually) be able to shut down EZProxy
    • Went with a hosted solution - OpenAthens, distributed and supported by EBSCO
    • LibLynx is also a viable option

    View full-size slide

  18. Minimizing the burden on IT
    • IT did not need to set up individual SAML connections; instead, only connected to
    OpenAthens
    • Library staff can manage connections to resources - both IP and federated -within
    OpenAthens admin dashboard

    View full-size slide

  19. Leveraging the federation
    • Our solution had to work with our existing infrastructure - Shibboleth and
    InCommon
    • We connect to OpenAthens federation using Shibboleth
    • Service Providers who are OpenAthens members can connect to Boston College
    through the federation
    • See EBSCO’s implementation documentation
    • Some direct Shibboleth connections needed for a handful of providers

    View full-size slide

  20. Preserving privacy at Boston College
    • Only minimum number of attributes released - EduTargetedId and schoolcode
    • EduTargetedId - an anonymous ID, designed to protect user privacy
    • Needed an additional attribute to identify separate campuses
    • Strong security review processes in place
    https://commons.wikimedia.org/wiki/File:Locked_Door_of_Tajjar.j
    pg

    View full-size slide

  21. Leveraging entity categories
    • Entity categories can help libraries
    communicate what we mean by
    anonymous access
    • Three new entity categories proposed:
    ○ Authentication Only
    ○ Anonymous Authorization
    ○ Pseudonymous Authorization
    • SeamlessAccess Entity Categories
    Working group
    • Recent NISO webinar

    View full-size slide

  22. Where do we go from here?
    • Boston College has now implemented federated access for about a
    third of our providers
    • Includes all major publishers and aggregators
    • Going forward: preferring providers support federated access
    • Encouraging providers who are still only IP-authenticated to
    implement federated

    View full-size slide

  23. We can’t do it alone
    ● We all need to work together - libraries, IT, and resource providers
    ● Libraries have an important role to play as privacy advocates
    ● We have a long ways to go, and there is still a lot of work to do
    Jon Rawlinson [CC BY 2.0 (https://creativecommons.org/licenses/by/2.0)]

    View full-size slide