Building privacy infrastructure - an academic library's perspective

Transcript

1. Building
   privacy
   infrastructure
   Emily Singley
   Boston College
   @emilysingley
   September, 2020
   an academic library’s
   perspective
   

   View Slide

2. What I’m going to cover
   ● Privacy as it relates to licensed resource access
   ● Why IP authentication fails
   ● Preserving privacy with federated access
   ● What we are doing at Boston College
   

   View Slide

3. The old model - IP authentication
   ● Authorization based on IP address
   ● “Proxied links” needed for off-network
   access
   ● Users can only navigate directly to
   resources if they are on-network
   See: “De-mystifying e-resource access: what
   every librarian should know”
   

   View Slide

4. How IP
   authentication
   protects privacy
   ● Only the user’s IP address is
   seen by the resource
   provider
   ● When off-network, only the
   IP address of the proxy
   server is seen
   

   View Slide

5. What’s wrong with this model?
   off-campus user navigates directly
   to resource, e.g. nature.com
   IP is not recognized; user hits paywall
   ● Researchers want to go straight to resources, not use special library links
   ● Mobile devices can be “on-campus” but “off-network” - confusing!
   ● As users roam across the web, it is hard to understand which resources
   require special library links
   

   View Slide

6. The evidence is mounting
   ● Accessing publisher resources via a mobile device: A user’s
   journey
   ● Dismantling the Stumbling Blocks that Impede Researcher
   Access to E-Resources
   ● Failure to Deliver: Reaching Users in an Increasingly Mobile
   World
   ● Rethinking authentication
   

   View Slide

7. Our students normally bypass library links
   ● The majority of our usage comes
   directly from individual on-
   campus IPs, not through
   EZProxy
   

   View Slide

8. What happens when a pandemic sends all your
   students home?
   ● Saw usage decline during the time
   students were off-campus
   ● Could it be our users don’t
   understand how to use library
   links?
   

   View Slide

9. They don’t start at the library - they start everywhere
   Moore, M., & Singley, E. (2019).
   Understanding the Information Behaviors
   of Doctoral Students: An Exploratory Study.
   Portal: Libraries and the Academy, 19(2),
   279-293.
   ● Following the scholarly
   conversation
   ● Getting content through social
   media, referrals from colleagues,
   following citation trails
   ● Library not seen as starting
   point
   

   View Slide

10. They use SciHub
    Moore, M., & Singley, E. (2019).
    Understanding the Information Behaviors
    of Doctoral Students: An Exploratory Study.
    Portal: Libraries and the Academy, 19(2),
    279-293.
    "””I see it on Google, get the link and copy and paste into SciHub
    and there's the article - that's it."
    "so far there is nothing that I couldn't find there [on SciHub]"
    Interviewer: “What can the library do better?”
    Student: “Just do what SciHub does.”
    

    View Slide

11. The solution: SAML-based federated access
    

    View Slide

12. Federated access infrastructure
    ● The institution’s identity provider (IdP)
    supports the SAML protocol
    ● The institution is also a member of an identity
    federation, which serves as a trusted clearing
    house for connections between the IdP and
    service providers.
    ● At Boston College, our SAML implementation is
    Shibboleth, and we are members of the
    InCommon federation
    

    View Slide

13. Why federated access
    ● Saw usage go up for federated provider
    ● Saw sharp increase in federated use
    

    View Slide

14. Federated UX is getting better - SeamlessAccess.org
    • NISO-supported initiative to improve UX for federated access
    • The same “Access through your institution” button appears across participating
    publisher sites
    • Users stay logged in across platforms during their browser session
    

    View Slide

15. Preserving privacy with federated access
    • Designed to support privacy; option to use only anonymous IDs
    • IdP is entirely in control of attribute release
    • Authorization takes place through IdP, not the service provider
    • Risk: it is possible to release personal information
    https://en.wikipedia.org/wiki/File:SAML_Web_Browser_SSO_with_Metadata.png
    

    View Slide

16. IT and library collaboration needed
    • Libraries can no longer “go it alone”
    • IdP (usually IT) manages attribute release
    • Strong library / IT partnerships are
    essential
    • Recent SeamlessAccess.org survey found
    that IT/library collaborations have room for
    improvement
    https://seamlessaccess.org/posts/2020-06-23-surveyresults/
    

    View Slide

17. How we’re implementing federated access
    at Boston College
    • Had to support 600 resource providers - both federated and IP authentication - in
    one place
    • Only 200 providers support federated access
    • Want to (eventually) be able to shut down EZProxy
    • Went with a hosted solution - OpenAthens, distributed and supported by EBSCO
    • LibLynx is also a viable option
    

    View Slide

18. Minimizing the burden on IT
    • IT did not need to set up individual SAML connections; instead, only connected to
    OpenAthens
    • Library staff can manage connections to resources - both IP and federated -within
    OpenAthens admin dashboard
    

    View Slide

19. Leveraging the federation
    • Our solution had to work with our existing infrastructure - Shibboleth and
    InCommon
    • We connect to OpenAthens federation using Shibboleth
    • Service Providers who are OpenAthens members can connect to Boston College
    through the federation
    • See EBSCO’s implementation documentation
    • Some direct Shibboleth connections needed for a handful of providers
    

    View Slide

20. Preserving privacy at Boston College
    • Only minimum number of attributes released - EduTargetedId and schoolcode
    • EduTargetedId - an anonymous ID, designed to protect user privacy
    • Needed an additional attribute to identify separate campuses
    • Strong security review processes in place
    https://commons.wikimedia.org/wiki/File:Locked_Door_of_Tajjar.j
    pg
    

    View Slide

21. Leveraging entity categories
    • Entity categories can help libraries
    communicate what we mean by
    anonymous access
    • Three new entity categories proposed:
    ○ Authentication Only
    ○ Anonymous Authorization
    ○ Pseudonymous Authorization
    • SeamlessAccess Entity Categories
    Working group
    • Recent NISO webinar
    

    View Slide

22. Where do we go from here?
    • Boston College has now implemented federated access for about a
    third of our providers
    • Includes all major publishers and aggregators
    • Going forward: preferring providers support federated access
    • Encouraging providers who are still only IP-authenticated to
    implement federated
    

    View Slide

23. We can’t do it alone
    ● We all need to work together - libraries, IT, and resource providers
    ● Libraries have an important role to play as privacy advocates
    ● We have a long ways to go, and there is still a lot of work to do
    Jon Rawlinson [CC BY 2.0 (https://creativecommons.org/licenses/by/2.0)]
    

    View Slide

24. Thank you!
    @emilysingley
    [email protected]
    

    View Slide