Building privacy infrastructure - an academic library's perspective

Emily Singley
September 15, 2020

Presented at the NISO webinar "Privacy in the age of surveillance" on September 16, 2020. Covers how IP authentication (EZProxy) is failing our users, and how SAML-based federated access can be implemented while still preserving privacy. Includes discussion of how Boston College is implementing federated access (OpenAthens) for library resource access.

Transcript

  1. What I’m going to cover
    • Privacy as it relates to licensed resource access
    • Why IP authentication fails
    • Preserving privacy with federated access
    • What we are doing at Boston College
  2. The old model - IP authentication
    • Authorization based on IP address
    • “Proxied links” needed for off-network access
    • Users can only navigate directly to resources if they are on-network
    See: “De-mystifying e-resource access: what every librarian should know”
  3. How IP authentication protects privacy
    • Only the user’s IP address is seen by the resource provider
    • When off-network, only the IP address of the proxy server is seen
  4. What’s wrong with this model?
    Off-campus user navigates directly to resource, e.g. nature.com. IP is not recognized; user hits paywall
    • Researchers want to go straight to resources, not use special library links
    • Mobile devices can be “on-campus” but “off-network” - confusing!
    • As users roam across the web, it is hard to understand which resources require special library links
  5. The evidence is mounting
    • Accessing publisher resources via a mobile device: A user’s journey
    • Dismantling the Stumbling Blocks that Impede Researcher Access to E-Resources
    • Failure to Deliver: Reaching Users in an Increasingly Mobile World
    • Rethinking authentication
  6. Our students normally bypass library links
    • The majority of our usage comes directly from individual on-campus IPs, not through EZProxy
  7. What happens when a pandemic sends all your students home?
    • Saw usage decline during the time students were off-campus
    • Could it be our users don’t understand how to use library links?
  8. They don’t start at the library - they start everywhere
    Moore, M., & Singley, E. (2019). Understanding the Information Behaviors of Doctoral Students: An Exploratory Study. Portal: Libraries and the Academy, 19(2), 279-293.
    • Following the scholarly conversation
    • Getting content through social media, referrals from colleagues, following citation trails
    • Library not seen as starting point
  9. They use SciHub
    Moore, M., & Singley, E. (2019). Understanding the Information Behaviors of Doctoral Students: An Exploratory Study. Portal: Libraries and the Academy, 19(2), 279-293.
    "I see it on Google, get the link and copy and paste into SciHub and there's the article - that's it."
    "so far there is nothing that I couldn't find there [on SciHub]"
    Interviewer: “What can the library do better?”
    Student: “Just do what SciHub does.”
  10. Federated access infrastructure
    • The institution’s identity provider (IdP) supports the SAML protocol
    • The institution is also a member of an identity federation, which serves as a trusted clearing house for connections between the IdP and service providers.
    • At Boston College, our SAML implementation is Shibboleth, and we are members of the InCommon federation
  11. Why federated access
    • Saw usage go up for federated provider
    • Saw sharp increase in federated use
  12. Federated UX is getting better - SeamlessAccess.org
    • NISO-supported initiative to improve UX for federated access
    • The same “Access through your institution” button appears across participating publisher sites
    • Users stay logged in across platforms during their browser session
  13. Preserving privacy with federated access
    • Designed to support privacy; option to use only anonymous IDs
    • IdP is entirely in control of attribute release
    • Authorization takes place through IdP, not the service provider
    • Risk: it is possible to release personal information
    https://en.wikipedia.org/wiki/File:SAML_Web_Browser_SSO_with_Metadata.png
  14. IT and library collaboration needed
    • Libraries can no longer “go it alone”
    • IdP (usually IT) manages attribute release
    • Strong library / IT partnerships are essential
    • Recent SeamlessAccess.org survey found that IT/library collaborations have room for improvement
    https://seamlessaccess.org/posts/2020-06-23-surveyresults/
  15. How we’re implementing federated access at Boston College
    • Had to support 600 resource providers - both federated and IP authentication - in one place
    • Only 200 providers support federated access
    • Want to (eventually) be able to shut down EZProxy
    • Went with a hosted solution - OpenAthens, distributed and supported by EBSCO
    • LibLynx is also a viable option
  16. Minimizing the burden on IT
    • IT did not need to set up individual SAML connections; instead, only connected to OpenAthens
    • Library staff can manage connections to resources - both IP and federated - within OpenAthens admin dashboard
  17. Leveraging the federation
    • Our solution had to work with our existing infrastructure - Shibboleth and InCommon
    • We connect to OpenAthens federation using Shibboleth
    • Service Providers who are OpenAthens members can connect to Boston College through the federation
    • See EBSCO’s implementation documentation
    • Some direct Shibboleth connections needed for a handful of providers
  18. Preserving privacy at Boston College
    • Only minimum number of attributes released - EduTargetedId and schoolcode
    • EduTargetedId - an anonymous ID, designed to protect user privacy
    • Needed an additional attribute to identify separate campuses
    • Strong security review processes in place
    https://commons.wikimedia.org/wiki/File:Locked_Door_of_Tajjar.jpg
  19. Leveraging entity categories
    • Entity categories can help libraries communicate what we mean by anonymous access
    • Three new entity categories proposed:
      ◦ Authentication Only
      ◦ Anonymous Authorization
      ◦ Pseudonymous Authorization
    • SeamlessAccess Entity Categories Working group
    • Recent NISO webinar
  20. Where do we go from here?
    • Boston College has now implemented federated access for about a third of our providers
    • Includes all major publishers and aggregators
    • Going forward: preferring providers that support federated access
    • Encouraging providers who are still only IP-authenticated to implement federated access
  21. We can’t do it alone
    • We all need to work together - libraries, IT, and resource providers
    • Libraries have an important role to play as privacy advocates
    • We have a long ways to go, and there is still a lot of work to do
    Jon Rawlinson [CC BY 2.0 (https://creativecommons.org/licenses/by/2.0)]
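
The attribute-release policy on slides 13 and 18, as an added example that is not part of the original deck: it audits what a SAML assertion actually releases against an allow-list and shows why a per-provider pseudonym cannot be correlated across publishers. It assumes the slide's "EduTargetedId" is the eduPerson attribute `eduPersonTargetedID`; the wire name of `schoolcode`, the HMAC derivation, the salt and the sample assertion are all constructed for illustration.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Release policy from slide 18: a pseudonymous ID plus a campus code.
# "schoolcode" is the slide's own name; its wire name here is an assumption.
ALLOWED = {"eduPersonTargetedID", "schoolcode"}
# Attributes that identify a person directly (not an exhaustive list).
IDENTIFYING = {"mail", "displayName", "eduPersonPrincipalName", "uid", "givenName", "sn"}


def pairwise_id(user: str, sp_entity_id: str, salt: bytes) -> str:
    """Per-provider pseudonym: stable for one SP, unlinkable across SPs.
    Illustrative HMAC scheme, not Shibboleth's own algorithm."""
    msg = f"{sp_entity_id}!{user}".encode()
    return hmac.new(salt, msg, hashlib.sha256).hexdigest()[:32]


def audit_release(assertion_xml: str) -> dict:
    """Classify every attribute in a SAML assertion against the policy.
    Input is the IdP's own test output; use defusedxml for untrusted XML."""
    root = ET.fromstring(assertion_xml)
    report = {"allowed": [], "unexpected": [], "identifying": []}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        name = attr.get("FriendlyName") or attr.get("Name")
        if name in ALLOWED:
            report["allowed"].append(name)
        elif name in IDENTIFYING:
            report["identifying"].append(name)
        else:
            report["unexpected"].append(name)
    return report


# Constructed sample: an over-permissive release that leaks an e-mail address.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute FriendlyName="eduPersonTargetedID" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10">
      <saml:AttributeValue>constructed-pseudonym</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute FriendlyName="schoolcode" Name="schoolcode">
      <saml:AttributeValue>MAIN</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute FriendlyName="mail" Name="urn:oid:0.9.2342.19200300.100.1.3">
      <saml:AttributeValue>student@example.edu</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""
```

Running `audit_release` over assertions captured from a test login to each provider gives the library and IT a shared, checkable record of what is released; any entry under `identifying` or `unexpected` is a release the policy did not intend.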