[Fim4l] Stanford's statement
Peter Gietz
peter.gietz at daasi.de
Tue Mar 19 13:31:19 CET 2019
Hi Jos, hi all,
this is definitely interesting reading. Even more interesting IMHO is an
article referenced there:
https://scholarlykitchen.sspnet.org/2018/01/16/what-will-you-do-when-they-come-for-your-proxy-server-ra21/
a blog post by Lisa Janicke Hinchliffe, Professor/Coordinator for
Information Literacy Services.
Here you find good counter arguments against SSO which we should address
(basically the same ones I learned back then in Berlin). Since it is quite a
long text, I am quoting the IMO most relevant passages here:
>
> Federated Identity (and Privacy)
>
> Here’s my understanding. When fully realized, it means that by logging
> in once, you would be recognized on all participating platforms, which
> means you could leave a data trail of both who you are and what
> resources (content and tools) you are using. Yes, that means your data
> could be potentially aggregated across platforms and combined with
> other datasets to create a more complete profile of you as a user. It
> is likely that you are already leaving trails of use data connected to
> the IP addresses of the devices that you use. With federated identity,
> the trail is connected to you and to the devices. An analogy is how
> one can use a Google login to access not only your Gmail but also
> Dropbox, Asana, etc., and then Google is able to build a profile of
> you as a user by integrating the data from your activities across
> platforms and tools.
>
> Such federated tracking is unlikely to be fully developed in the
> initial RA21 projects and the most pernicious form would require
> publishers to collaborate in data sharing in ways that they currently
> are not inclined to do. But, I think there is every reason to
> anticipate such technologies could be created in a fairly short period
> of time should those sentiments shift.
and a little later:
> A side note here: I acknowledge that the SAML approach embraced by
> RA21 is more privacy-protecting than, for example, adopting a Google
> or Facebook OpenID option. It is not, however, more privacy-protecting
> than IP authentication.
[...]
> I recently watched as a campus technology SAML/Shibboleth system
> passed a user’s email address, full name, and staff/staff status to a
> vendor in order to allow access to a PDF from off-campus when
> on-campus access would have been possible based on IP address alone.
>
> [..] publishers and platforms will likely prefer identity-based
> authentication mechanisms [..] I anticipate that publishers will
> eventually begin to craft licensing agreements that require
> identity-based authentication, making explicit that they no longer
> offer IP authentication.
>
At the end, she makes a number of recommendations that IMO more or less
should also be included in our guidelines:
> * Reach out to the campus technology unit that manages
> identity-based authentication systems (e.g., InCommon or
> OpenAthens) and engage in an ongoing discussion about privacy,
> user control, minimal sharing of identifiable data, etc., with the
> goal of developing local principles to guide data release.
> * Watch carefully for licensing terms that dictate user data sharing
> requirements for access to content and be prepared with responses.
> If IP authentication is no longer an option, seek to minimize the
> user data that is demanded in exchange for user access.
> * Review library privacy policies to make certain that the library
> is transparent about what data is being passed to third-party
> systems and what alternatives users have if they want to try to
> opt-out of data sharing and tracking.
> * Regularly use library resources without using IP address
> authentication to monitor the user experience of identity-based
> authentication and the messaging from platforms to users. [..]
>
Cheers,
Peter
On 15.03.2019 at 10:34, Jiri Pavlik wrote:
> Hi,
>
> thanks a lot, Jos, links to the documents have been added to the Background
> chapter of the FIM4L Guidelines and recommendations draft.
>
> All the best
>
> Jiri
>
>
> On Fri, Mar 15, 2019 at 10:03 AM Jos Westerbeke <jos.westerbeke at eur.nl> wrote:
>> Hi all,
>>
>> For your interest: "Protecting Patron Privacy in Digital Resources" on Scholarly Kitchen.
>>
>> Stanford library made a statement recently about patrons' privacy. I think this statement perfectly aligns with our work.
>>
>> It draws out the libraries' concerns and underlines the importance of our work. FIM4L should have the ability to make e-resource access with SSO better than using IP based access. Libraries cannot win the fight for preserving patron privacy by continuing to use IP based access.
>>
>> I think we even have to encourage SSO access (when Open Access without authentication is not possible) in order to "... carefully structure [SSO access] to minimize exposure of patron data as much as possible, but always to ensure disclosure of any PII that may be transmitted", according to the article.
>>
>> all the best,
>>
>> Jos
>>
>> Jos Westerbeke
>>
>> Library IT Specialist / Demandmanager | Erasmus University Rotterdam, Library | Burgemeester Oudlaan 50 | 3062PA Rotterdam | jos.westerbeke at eur.nl | +31 640295513
>>
>> _______________________________________________
>> Fim4l mailing list
>> Fim4l at lists.daasi.de
>> http://lists.daasi.de/listinfo/fim4l
--
Peter Gietz, CEO
DAASI International GmbH
Europaplatz 3
D-72072 Tübingen
Germany
phone: +49 7071 407109-0
fax: +49 7071 407109-9
email: peter.gietz at daasi.de
web: www.daasi.de
Registered office: Tübingen
Register court: Amtsgericht Stuttgart, HRB 382175
Management: Peter Gietz
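As an added illustration, not part of this thread or of FIM4L's own material: the over-release Hinchliffe describes (email address, full name and affiliation sent to a vendor) is decided by the identity provider's attribute release policy, not by the SP. Below is a Shibboleth IdP attribute-filter policy that releases only a pseudonymous, per-service identifier to one publisher SP; the SP entityID is a placeholder, and the attribute names are the standard eduPerson/inetOrgPerson ones.

```xml
<!-- Added example (not from the thread): Shibboleth IdP attribute-filter
     policy implementing "minimal sharing of identifiable data".
     The SP entityID below is a placeholder, not a real publisher. -->
<AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
    xmlns="urn:mace:shibboleth:2.0:afp"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

  <!-- Pseudonymous release: the publisher can recognise a returning user
       (personalisation, saved searches) but cannot learn who the user is,
       and the identifier differs per SP, so platforms cannot correlate it. -->
  <AttributeFilterPolicy id="publisher-pseudonymous-only">
    <PolicyRequirementRule xsi:type="Requester"
        value="https://sp.publisher.example/shibboleth"/>

    <AttributeRule attributeID="eduPersonTargetedID">
      <PermitValueRule xsi:type="ANY"/>
    </AttributeRule>

    <!-- Deliberately no AttributeRule for mail, displayName, givenName, sn
         or eduPersonAffiliation: in the Shibboleth IdP, any attribute that
         is not explicitly permitted is not released. If a licence only needs
         to know "member of the institution", releasing
         eduPersonScopedAffiliation alongside the pseudonym is the next step
         up; name and email should never be required for content access. -->
  </AttributeFilterPolicy>

</AttributeFilterPolicyGroup>
```

Auditing the IdP's attribute-release log (or using a test SP that echoes received attributes) is the technical counterpart of the fourth recommendation quoted above: it shows exactly which attributes leave the campus for each platform.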