Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Building privacy infrastructure - an academic library's perspective

E462bb245db1502ffa3015e847cda35e?s=47 Emily Singley
September 15, 2020

Building privacy infrastructure - an academic library's perspective

Presented at NISO webinar "Privacy in the age of surveillance" webinar on September 16, 2020. Covers how IP authentication (EZProxy) is failing our users, and how SAML-based federated access can be implemented while still preserving privacy. Includes discussion of how Boston College is implementing federated access (OpenAthens) for library resource access.

E462bb245db1502ffa3015e847cda35e?s=128

Emily Singley

September 15, 2020
Tweet

Transcript

  1. Building privacy infrastructure Emily Singley Boston College @emilysingley September, 2020

    an academic library’s perspective
  2. What I’m going to cover • Privacy as it relates

    to licensed resource access • Why IP authentication fails • Preserving privacy with federated access • What we are doing at Boston College
  3. The old model - IP authentication • Authorization based on

    IP address • “Proxied links” needed for off-network access • Users can only navigate directly to resources if they are on-network See: “De-mystifying e-resource access: what every librarian should know”
  4. How IP authentication protects privacy • Only the user’s IP

    address is seen by the resource provider • When off-network, only the IP address of the proxy server is seen
  5. What’s wrong with this model? off-campus user navigates directly to

    resource, e.g. nature.com IP is not recognized; user hits paywall • Researchers want to go straight to resources, not use special library links • Mobile devices can be “on-campus” but “off-network” - confusing! • As users roam across the web, it is hard to understand which resources require special library links
  6. The evidence is mounting • Accessing publisher resources via a

    mobile device: A user’s journey • Dismantling the Stumbling Blocks that Impede Researcher Access to E-Resources • Failure to Deliver: Reaching Users in an Increasingly Mobile World • Rethinking authentication
  7. Our students normally bypass library links • The majority of

    our usage comes directly from individual on- campus IPs, not through EZProxy
  8. What happens when a pandemic sends all your students home?

    • Saw usage decline during the time students were off-campus • Could it be our users don’t understand how to use library links?
  9. They don’t start at the library - they start everywhere

    Moore, M., & Singley, E. (2019). Understanding the Information Behaviors of Doctoral Students: An Exploratory Study. Portal: Libraries and the Academy, 19(2), 279-293. • Following the scholarly conversation • Getting content through social media, referrals from colleagues, following citation trails • Library not seen as starting point
  10. They use SciHub Moore, M., & Singley, E. (2019). Understanding

    the Information Behaviors of Doctoral Students: An Exploratory Study. Portal: Libraries and the Academy, 19(2), 279-293. "””I see it on Google, get the link and copy and paste into SciHub and there's the article - that's it." "so far there is nothing that I couldn't find there [on SciHub]" Interviewer: “What can the library do better?” Student: “Just do what SciHub does.”
  11. The solution: SAML-based federated access

  12. Federated access infrastructure • The institution’s identity provider (IdP) supports

    the SAML protocol • The institution is also a member of an identity federation, which serves as a trusted clearing house for connections between the IdP and service providers. • At Boston College, our SAML implementation is Shibboleth, and we are members of the InCommon federation
  13. Why federated access • Saw usage go up for federated

    provider • Saw sharp increase in federated use
  14. Federated UX is getting better - SeamlessAccess.org • NISO-supported initiative

    to improve UX for federated access • The same “Access through your institution” button appears across participating publisher sites • Users stay logged in across platforms during their browser session
  15. Preserving privacy with federated access • Designed to support privacy;

    option to use only anonymous IDs • IdP is entirely in control of attribute release • Authorization takes place through IdP, not the service provider • Risk: it is possible to release personal information https://en.wikipedia.org/wiki/File:SAML_Web_Browser_SSO_with_Metadata.png
  16. IT and library collaboration needed • Libraries can no longer

    “go it alone” • IdP (usually IT) manages attribute release • Strong library / IT partnerships are essential • Recent SeamlessAccess.org survey found that IT/library collaborations have room for improvement https://seamlessaccess.org/posts/2020-06-23-surveyresults/
  17. How we’re implementing federated access at Boston College • Had

    to support 600 resource providers - both federated and IP authentication - in one place • Only 200 providers support federated access • Want to (eventually) be able to shut down EZProxy • Went with a hosted solution - OpenAthens, distributed and supported by EBSCO • LibLynx is also a viable option
  18. Minimizing the burden on IT • IT did not need

    to set up individual SAML connections; instead, only connected to OpenAthens • Library staff can manage connections to resources - both IP and federated -within OpenAthens admin dashboard
  19. Leveraging the federation • Our solution had to work with

    our existing infrastructure - Shibboleth and InCommon • We connect to OpenAthens federation using Shibboleth • Service Providers who are OpenAthens members can connect to Boston College through the federation • See EBSCO’s implementation documentation • Some direct Shibboleth connections needed for a handful of providers
  20. Preserving privacy at Boston College • Only minimum number of

    attributes released - EduTargetedId and schoolcode • EduTargetedId - an anonymous ID, designed to protect user privacy • Needed an additional attribute to identify separate campuses • Strong security review processes in place https://commons.wikimedia.org/wiki/File:Locked_Door_of_Tajjar.j pg
  21. Leveraging entity categories • Entity categories can help libraries communicate

    what we mean by anonymous access • Three new entity categories proposed: ◦ Authentication Only ◦ Anonymous Authorization ◦ Pseudonymous Authorization • SeamlessAccess Entity Categories Working group • Recent NISO webinar
  22. Where do we go from here? • Boston College has

    now implemented federated access for about a third of our providers • Includes all major publishers and aggregators • Going forward: preferring providers support federated access • Encouraging providers who are still only IP-authenticated to implement federated
  23. We can’t do it alone • We all need to

    work together - libraries, IT, and resource providers • Libraries have an important role to play as privacy advocates • We have a long ways to go, and there is still a lot of work to do Jon Rawlinson [CC BY 2.0 (https://creativecommons.org/licenses/by/2.0)]
  24. Thank you! @emilysingley emily.singley@bc.edu