Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Building privacy infrastructure - an academic library's perspective

Emily Singley
September 15, 2020

Building privacy infrastructure - an academic library's perspective

Presented at NISO webinar "Privacy in the age of surveillance" webinar on September 16, 2020. Covers how IP authentication (EZProxy) is failing our users, and how SAML-based federated access can be implemented while still preserving privacy. Includes discussion of how Boston College is implementing federated access (OpenAthens) for library resource access.

Emily Singley

September 15, 2020

More Decks by Emily Singley

Other Decks in Education


  1. What I’m going to cover • Privacy as it relates

    to licensed resource access • Why IP authentication fails • Preserving privacy with federated access • What we are doing at Boston College
  2. The old model - IP authentication • Authorization based on

    IP address • “Proxied links” needed for off-network access • Users can only navigate directly to resources if they are on-network See: “De-mystifying e-resource access: what every librarian should know”
  3. How IP authentication protects privacy • Only the user’s IP

    address is seen by the resource provider • When off-network, only the IP address of the proxy server is seen
  4. What’s wrong with this model? off-campus user navigates directly to

    resource, e.g. nature.com IP is not recognized; user hits paywall • Researchers want to go straight to resources, not use special library links • Mobile devices can be “on-campus” but “off-network” - confusing! • As users roam across the web, it is hard to understand which resources require special library links
  5. The evidence is mounting • Accessing publisher resources via a

    mobile device: A user’s journey • Dismantling the Stumbling Blocks that Impede Researcher Access to E-Resources • Failure to Deliver: Reaching Users in an Increasingly Mobile World • Rethinking authentication
  6. Our students normally bypass library links • The majority of

    our usage comes directly from individual on- campus IPs, not through EZProxy
  7. What happens when a pandemic sends all your students home?

    • Saw usage decline during the time students were off-campus • Could it be our users don’t understand how to use library links?
  8. They don’t start at the library - they start everywhere

    Moore, M., & Singley, E. (2019). Understanding the Information Behaviors of Doctoral Students: An Exploratory Study. Portal: Libraries and the Academy, 19(2), 279-293. • Following the scholarly conversation • Getting content through social media, referrals from colleagues, following citation trails • Library not seen as starting point
  9. They use SciHub Moore, M., & Singley, E. (2019). Understanding

    the Information Behaviors of Doctoral Students: An Exploratory Study. Portal: Libraries and the Academy, 19(2), 279-293. "””I see it on Google, get the link and copy and paste into SciHub and there's the article - that's it." "so far there is nothing that I couldn't find there [on SciHub]" Interviewer: “What can the library do better?” Student: “Just do what SciHub does.”
  10. Federated access infrastructure • The institution’s identity provider (IdP) supports

    the SAML protocol • The institution is also a member of an identity federation, which serves as a trusted clearing house for connections between the IdP and service providers. • At Boston College, our SAML implementation is Shibboleth, and we are members of the InCommon federation
  11. Why federated access • Saw usage go up for federated

    provider • Saw sharp increase in federated use
  12. Federated UX is getting better - SeamlessAccess.org • NISO-supported initiative

    to improve UX for federated access • The same “Access through your institution” button appears across participating publisher sites • Users stay logged in across platforms during their browser session
  13. Preserving privacy with federated access • Designed to support privacy;

    option to use only anonymous IDs • IdP is entirely in control of attribute release • Authorization takes place through IdP, not the service provider • Risk: it is possible to release personal information https://en.wikipedia.org/wiki/File:SAML_Web_Browser_SSO_with_Metadata.png
  14. IT and library collaboration needed • Libraries can no longer

    “go it alone” • IdP (usually IT) manages attribute release • Strong library / IT partnerships are essential • Recent SeamlessAccess.org survey found that IT/library collaborations have room for improvement https://seamlessaccess.org/posts/2020-06-23-surveyresults/
  15. How we’re implementing federated access at Boston College • Had

    to support 600 resource providers - both federated and IP authentication - in one place • Only 200 providers support federated access • Want to (eventually) be able to shut down EZProxy • Went with a hosted solution - OpenAthens, distributed and supported by EBSCO • LibLynx is also a viable option
  16. Minimizing the burden on IT • IT did not need

    to set up individual SAML connections; instead, only connected to OpenAthens • Library staff can manage connections to resources - both IP and federated -within OpenAthens admin dashboard
  17. Leveraging the federation • Our solution had to work with

    our existing infrastructure - Shibboleth and InCommon • We connect to OpenAthens federation using Shibboleth • Service Providers who are OpenAthens members can connect to Boston College through the federation • See EBSCO’s implementation documentation • Some direct Shibboleth connections needed for a handful of providers
  18. Preserving privacy at Boston College • Only minimum number of

    attributes released - EduTargetedId and schoolcode • EduTargetedId - an anonymous ID, designed to protect user privacy • Needed an additional attribute to identify separate campuses • Strong security review processes in place https://commons.wikimedia.org/wiki/File:Locked_Door_of_Tajjar.j pg
  19. Leveraging entity categories • Entity categories can help libraries communicate

    what we mean by anonymous access • Three new entity categories proposed: ◦ Authentication Only ◦ Anonymous Authorization ◦ Pseudonymous Authorization • SeamlessAccess Entity Categories Working group • Recent NISO webinar
  20. Where do we go from here? • Boston College has

    now implemented federated access for about a third of our providers • Includes all major publishers and aggregators • Going forward: preferring providers support federated access • Encouraging providers who are still only IP-authenticated to implement federated
  21. We can’t do it alone • We all need to

    work together - libraries, IT, and resource providers • Libraries have an important role to play as privacy advocates • We have a long ways to go, and there is still a lot of work to do Jon Rawlinson [CC BY 2.0 (https://creativecommons.org/licenses/by/2.0)]