Hi Jos, hi all,

this is definitely interesting reading. Even more interesting IMHO is an article referenced there: https://scholarlykitchen.sspnet.org/2018/01/16/what-will-you-do-when-they-come-for-your-proxy-server-ra21/ , a blog post by Lisa Janicke Hinchliffe, Professor/Coordinator for Information Literacy Services.

Here you find good counter-arguments against SSO which we should address (basically the same as I learned back then in Berlin). Since it is quite a long text, I am quoting the IMO most relevant passages here:

Federated Identity (and Privacy)

Here’s my understanding. When fully realized, it means that by logging in once, you would be recognized on all participating platforms, which means you could leave a data trail of both who you are and what resources (content and tools) you are using. Yes, that means your data could be potentially aggregated across platforms and combined with other datasets to create a more complete profile of you as a user. It is likely that you are already leaving trails of use data connected to the IP addresses of the devices that you use. With federated identity, the trail is connected to you and to the devices. An analogy is how one can use a Google login to access not only your Gmail but also Dropbox, Asana, etc., and then Google is able to build a profile of you as a user by integrating the data from your activities across platforms and tools.

Such federated tracking is unlikely to be fully developed in the initial RA21 projects and the most pernicious form would require publishers to collaborate in data sharing in ways that they currently are not inclined to do. But, I think there is every reason to anticipate such technologies could be created in a fairly short period of time should those sentiments shift.

and a little later:

A side note here: I acknowledge that the SAML approach embraced by RA21 is more privacy-protecting than, for example, adopting a Google or Facebook OpenID option. It is not, however, more privacy-protecting than IP authentication.
[...]

I recently watched as a campus technology SAML/Shibboleth system passed a user’s email address, full name, and staff/staff status to a vendor in order to allow access to a PDF from off-campus when on-campus access would have been possible based on IP address alone.

[..] publishers and platforms will likely prefer identity-based authentication mechanisms [..] I anticipate that publishers will eventually begin to craft licensing agreements that require identity-based authentication, making explicit that they no longer offer IP authentication.

At the end, she makes a number of recommendations that IMO more or less should also be included in our guidelines:

Cheers,

Peter
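To make the attribute-release point in the quoted passage (and Jos's "carefully structure SSO access to minimize exposure of patron data") concrete, here is an added example of a Shibboleth IdP attribute-filter policy of the kind I'd expect our guidelines to recommend. It is not taken from the blog post or from any FIM4L document. The publisher entityID, the policy ids, the IdP scope idp.example and the attribute ids (samlPairwiseID, eduPersonScopedAffiliation, mail, displayName) are assumptions about a typical IdP v4 resolver configuration and must be checked against the local attribute-resolver.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example of an attribute-filter.xml for a Shibboleth IdP.
     entityIDs, scope and attribute ids are assumed, not taken from the thread. -->
<AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
    xmlns="urn:mace:shibboleth:2.0:afp"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="urn:mace:shibboleth:2.0:afp http://shibboleth.net/schema/idp/shibboleth-afp.xsd">

    <!-- For contrast only, kept inside a comment so it is never active:
         the over-sharing release described in the quoted post. The vendor
         learns who the user is, although licensing only needs to know that
         the user belongs to a subscribing institution. Filter policies are
         additive, so such a block must not coexist with the minimal one below.

         <AttributeFilterPolicy id="publisher-oversharing">
             <PolicyRequirementRule xsi:type="Requester" value="https://sp.publisher.example/shibboleth" />
             <AttributeRule attributeID="mail" permitAny="true" />
             <AttributeRule attributeID="displayName" permitAny="true" />
             <AttributeRule attributeID="eduPersonScopedAffiliation" permitAny="true" />
         </AttributeFilterPolicy>
    -->

    <!-- Minimal release for the same publisher SP: a pairwise pseudonymous
         identifier (different for every SP, so publishers cannot correlate
         one user across platforms) plus a scoped affiliation restricted to
         the values the licence actually depends on. Everything not listed
         here is withheld, because the filter engine is default-deny. -->
    <AttributeFilterPolicy id="publisher-minimal">
        <PolicyRequirementRule xsi:type="Requester" value="https://sp.publisher.example/shibboleth" />

        <!-- REFEDS pairwise-id: opaque, SP-specific, stable per user -->
        <AttributeRule attributeID="samlPairwiseID" permitAny="true" />

        <!-- Only the affiliations that grant access; other values such as
             alum@idp.example or library-walk-in@idp.example are not released -->
        <AttributeRule attributeID="eduPersonScopedAffiliation">
            <PermitValueRule xsi:type="ValueRegex"
                             regex="^(member|staff|student|faculty)@idp\.example$" />
        </AttributeRule>
    </AttributeFilterPolicy>
</AttributeFilterPolicyGroup>
```

The check I would add to our guidelines alongside such a policy: after deploying it, log in to the publisher SP through the IdP's own test flow (or read the SP's session attributes page) and confirm that only the pairwise identifier and the affiliation arrive; if mail or displayName show up, another policy in the same file is still releasing them.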



On 15.03.2019 at 10:34, Jiri Pavlik wrote:
Hi,

thanks a lot, Jos, links to the documents added to the Background chapter
of the FIM4L Guidelines and recommendations draft.

All the best

Jiri


On Fri, Mar 15, 2019 at 10:03 AM Jos Westerbeke <jos.westerbeke@eur.nl> wrote:
Hi all,

For your interest: "Protecting Patron Privacy in Digital Resources" on Scholarly Kitchen.

Stanford library made a statement recently about patrons' privacy. I think this statement perfectly aligns with our work.

It draws the libraries' concerns and underlines the importance of our work. FIM4L should have the ability to make e-resource access with SSO better than using IP-based access. Libraries cannot win the fight for preserving patron privacy by continuing to use IP-based access.

I think we even have to encourage SSO access (when Open Access without authentication is not possible) in order to "... carefully structure [SSO access] to minimize exposure of patron data as much as possible, but always to ensure disclosure of any PII that may be transmitted," according to the article.

all the best,

Jos

Jos Westerbeke

Library IT Specialist / Demandmanager | Erasmus University Rotterdam, Library | Burgemeester Oudlaan 50 | 3062PA Rotterdam | jos.westerbeke@eur.nl | +31 640295513

_______________________________________________
Fim4l mailing list
Fim4l@lists.daasi.de
http://lists.daasi.de/listinfo/fim4l

-- 

Peter Gietz, CEO

DAASI International GmbH
Europaplatz 3
D-72072 Tübingen
Germany

phone: +49 7071 407109-0
fax:   +49 7071 407109-9
email: peter.gietz@daasi.de
web:   www.daasi.de

Registered office: Tübingen
Register court: Amtsgericht Stuttgart, HRB 382175
Management: Peter Gietz