First, we need to remember that privacy is a legal requirement for libraries, one which, in the US at least, all 50 states and the District of Columbia have in place; thus it isn't something that can simply be lessened. It is not the right of the publisher to know the identity of the users, but it is the right of the user to be anonymous and for their discovery and access to be private. And it is the legal requirement of the library to ensure this.

Secondly, the onus is on the publisher to provide evidence of breach or misuse so that the IdP can properly address it and take action. I do not miss the days of managing an EZProxy server which was shut down by a publisher without notice and would only find out after contacting the publisher myself. Fortunately, Identity Management teams are actively looking for compromised accounts so they usually find it before the publishers see anything conspicuous. I get this varies widely based on the institutional size and staffing.

Tim

Tim McGeary

Associate University Librarian for Digital Strategies and Technology

Duke University Libraries

919-660-5802

tim.mcgeary@duke.edu

Google/Skype/Twitter: timmcgeary


The Duke University Libraries value diversity of thought, perspective, experience, and background and are actively committed to a culture of inclusion and respect.


From: FIM4L <fim4l-bounces@lists.daasi.de> on behalf of Peter Schober <peter.schober@univie.ac.at>
Sent: Monday, April 6, 2020 5:47 AM
To: fim4l@lists.daasi.de <fim4l@lists.daasi.de>
Subject: Re: [Fim4l] update on FIM4L
 
* Jos Westerbeke <jos.westerbeke@eur.nl> [2020-04-06 10:33]:
> If publishers block an entire institution in case of misconduct when
> a library has chosen for 4.A, how should libraries respond? Should
> we recommend a pseudonymous identifier? Or is there a way to urge
> publishers not to block an institution? What are your thoughts on
> that?

I suppose the same thing would happen that happens today with IP-based
access and the institutional proxy or VPN server would run the risk of
being blocked.
I don't know whether such wholesale shutting down of institutions'
access happens systematically in practice and in what cases.

Sure, stopping misuse from a selected few (mostly from hacked/phished
accounts) is important. Whether it is sufficiently important to
preemptively lessen the privacy of all subjects and expose them to
(the possibility of) detailed behavioural tracking is an open question
to me.

(To the extent that whole institutions/libraries are systematically
and regularly blocked wholesale it's of course desirable for those
institutions/libraries to prevent such blocking. Therefore they may be
susceptible to "blackmail" from publishers to deploy trackable
identifiers for all their subjects, to achieve some "business
continuity" in the face of publishers otherwise shutting down whole
institutions/libraries to stop misuse from individual accounts from
those institutions/libraries.)

-peter
_______________________________________________
FIM4L mailing list
FIM4L@lists.daasi.de
http://lists.daasi.de/listinfo/fim4l