[Fim4l] Stanford's statement

Peter Gietz peter.gietz at daasi.de
Tue Mar 19 13:31:19 CET 2019


Hi Jos, hi all,

this is definitely interesting reading. Even more interesting IMHO is an 
article referenced there, a blog post by Lisa Janicke Hinchliffe, 
Professor/Coordinator for Information Literacy Services:
https://scholarlykitchen.sspnet.org/2018/01/16/what-will-you-do-when-they-come-for-your-proxy-server-ra21/

Here you find good counterarguments against SSO which we should address 
(basically the same ones I learned back then in Berlin). Since it is a quite 
long text, I am quoting the IMO most relevant passages here:

>
>     Federated Identity (and Privacy)
>
> Here’s my understanding. When fully realized, it means that by logging 
> in once, you would be recognized on all participating platforms, which 
> means you could leave a data trail of both who you are and what 
> resources (content and tools) you are using. Yes, that means your data 
> could be potentially aggregated across platforms and combined with 
> other datasets to create a more complete profile of you as a user. It 
> is likely that you are already leaving trails of use data connected to 
> the IP addresses of the devices that you use. With federated identity, 
> the trail is connected to you and to the devices. An analogy is how 
> one can use a Google login to access not only your Gmail but also 
> Dropbox, Asana, etc., and then Google is able to build a profile of 
> you as a user by integrating the data from your activities across 
> platforms and tools.
>
> Such federated tracking is unlikely to be fully developed in the 
> initial RA21 projects and the most pernicious form would require 
> publishers to collaborate in data sharing in ways that they currently 
> are not inclined to do. But, I think there is every reason to 
> anticipate such technologies could be created in a fairly short period 
> of time should those sentiments shift.
and a little later:

> A side note here: I acknowledge that the SAML approach embraced by 
> RA21 is more privacy-protecting than, for example, adopting a Google 
> or Facebook OpenID option. It is not, however, more privacy-protecting 
> than IP authentication.
[...]

> I recently watched as a campus technology SAML/Shibboleth system 
> passed a user’s email address, full name, and staff/staff status to a 
> vendor in order to allow access to a PDF from off-campus when 
> on-campus access would have been possible based on IP address alone.
>
> [..] publishers and platforms will likely prefer identity-based 
> authentication mechanisms [..] I anticipate that publishers will 
> eventually begin to craft licensing agreements that require 
> identity-based authentication, making explicit that they no longer 
> offer IP authentication.
>
At the end, she makes a number of recommendations that IMO more or less 
should also be included in our guidelines:

>   * Reach out to the campus technology unit that manages
>     identity-based authentication systems (e.g., InCommon or
>     OpenAthens) and engage in an ongoing discussion about privacy,
>     user control, minimal sharing of identifiable data, etc., with the
>     goal of developing local principles to guide data release.
>   * Watch carefully for licensing terms that dictate user data sharing
>     requirements for access to content and be prepared with responses.
>     If IP authentication is no longer an option, seek to minimize the
>     user data that is demanded in exchange for user access.
>   * Review library privacy policies to make certain that the library
>     is transparent about what data is being passed to third-party
>     systems and what alternatives users have if they want to try to
>     opt-out of data sharing and tracking.
>   * Regularly use library resources without using IP address
>     authentication to monitor the user experience of identity-based
>     authentication and the messaging from platforms to users. [..]
>
Cheers,

Peter



On 15.03.2019 at 10:34, Jiri Pavlik wrote:
> Hi,
>
> thanks a lot, Jos; links to the documents have been added to the Background
> chapter of the FIM4L Guidelines and recommendations draft.
>
> All the best
>
>           Jiri
>
>
> On Fri, Mar 15, 2019 at 10:03 AM Jos Westerbeke <jos.westerbeke at eur.nl> wrote:
>> Hi all,
>>
>> For your interest: "Protecting Patron Privacy in Digital Resources" on Scholarly Kitchen.
>>
>> Stanford library made a statement recently about patron privacy. I think this statement perfectly aligns with our work.
>>
>> It draws the libraries' concerns and underlines the importance of our work. FIM4L should have the ability to make e-resource access with SSO better than using IP based access. Libraries cannot win the fight for preserving patron privacy by continuing to use IP based access.
>>
>> I think we even have to encourage SSO access (when Open Access without authentication is not possible) in order, according to the article, to "... carefully structure [SSO access] to minimize exposure of patron data as much as possible, but always to ensure disclosure of any PII that may be transmitted."
>>
>> all the best,
>>
>> Jos
>>
>>
>> Jos Westerbeke
>>
>> Library IT Specialist / Demandmanager  | Erasmus University Rotterdam, Library | Burgemeester Oudlaan 50 | 3062PA Rotterdam | jos.westerbeke at eur.nl | +31 640295513
>>
>>
>> _______________________________________________
>> Fim4l mailing list
>> Fim4l at lists.daasi.de
>> http://lists.daasi.de/listinfo/fim4l

-- 

Peter Gietz, CEO

DAASI International GmbH
Europaplatz 3
D-72072 Tübingen
Germany

phone: +49 7071 407109-0
fax:   +49 7071 407109-9
email: peter.gietz at daasi.de
web:   www.daasi.de

Registered office: Tübingen
Commercial register: Amtsgericht Stuttgart, HRB 382175
Management: Peter Gietz
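The attribute-release problem quoted from the blog post above (email address, full name and affiliation sent to a vendor when membership of the licensed institution would have sufficed) is ultimately an identity provider configuration choice. The following is an added illustration, not part of this thread or of any FIM4L or Stanford document: a Shibboleth IdP attribute-filter policy in the over-sharing form the post describes next to a minimal one. The publisher entityID and the scope are placeholders, and the attributeID values are assumed to match the IDs defined in that IdP's attribute-resolver.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added illustration (conf/attribute-filter.xml style), not an excerpt from
     any FIM4L or Stanford document. Placeholder entityID and scope; attributeID
     values are assumed to match this IdP's attribute-resolver definitions. -->
<AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
    xmlns="urn:mace:shibboleth:2.0:afp"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="urn:mace:shibboleth:2.0:afp http://shibboleth.net/schema/idp/shibboleth-afp.xsd">

  <!-- WEAK (what the quoted post observed): every login hands the publisher a
       name, an email address and an affiliation, so the vendor can keep a
       named per-user usage trail. Kept commented out so it is never active. -->
  <!--
  <AttributeFilterPolicy id="publisher-oversharing">
    <PolicyRequirementRule xsi:type="Requester"
        value="https://sp.publisher.example/shibboleth"/>
    <AttributeRule attributeID="mail">
      <PermitValueRule xsi:type="ANY"/>
    </AttributeRule>
    <AttributeRule attributeID="displayName">
      <PermitValueRule xsi:type="ANY"/>
    </AttributeRule>
    <AttributeRule attributeID="eduPersonScopedAffiliation">
      <PermitValueRule xsi:type="ANY"/>
    </AttributeRule>
  </AttributeFilterPolicy>
  -->

  <!-- MINIMAL: the publisher only needs to know that the user belongs to the
       licensed institution. Release the scoped affiliation, limited to the
       values the licence covers, and nothing that names the person. -->
  <AttributeFilterPolicy id="publisher-minimal">
    <PolicyRequirementRule xsi:type="Requester"
        value="https://sp.publisher.example/shibboleth"/>
    <AttributeRule attributeID="eduPersonScopedAffiliation">
      <PermitValueRule xsi:type="OR">
        <Rule xsi:type="Value" value="member@university.example"/>
        <Rule xsi:type="Value" value="staff@university.example"/>
        <Rule xsi:type="Value" value="student@university.example"/>
      </PermitValueRule>
    </AttributeRule>
    <!-- Only if the licence genuinely requires personalisation, add a pairwise
         (per-publisher) identifier; it names nobody and cannot be correlated
         across platforms. Assumed attributeID from the resolver: samlPairwiseID -->
    <!-- <AttributeRule attributeID="samlPairwiseID"><PermitValueRule xsi:type="ANY"/></AttributeRule> -->
  </AttributeFilterPolicy>
</AttributeFilterPolicyGroup>
```

Reviewing the release policy for every e-resource SP against the "minimal" pattern is a concrete way to act on the recommendation about local principles for data release quoted above.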
