[Fim4l] Stanfords statement

Jos Westerbeke jos.westerbeke at eur.nl
Tue Mar 19 14:06:11 CET 2019 

Hi Peter G., and all,

Maybe we should have a chapter (or separate document) like "Addressing Objections" regarding the use of SSO.

And, yes, some advices like especially "Watch carefully for licensing terms" should not be lacking in our Recommendations.

I think the recommendations should go beyond SSO. For what does a SP do after authentication? (If we don't say something, they are free to go with 'their users'.

Thanks!
Jos

From: Fim4l <fim4l-bounces at lists.daasi.de> on behalf of Peter Gietz <peter.gietz at daasi.de>
Date: Tuesday, 19 March 2019 at 13:31
To: "fim4l at lists.daasi.de" <fim4l at lists.daasi.de>
Subject: Re: [Fim4l] Stanfords statement


Hi Jos, hi all,

this is definitely interesting reading. Even more interesting  IMHO is an article referenced there: https://scholarlykitchen.sspnet.org/2018/01/16/what-will-you-do-when-they-come-for-your-proxy-server-ra21/ , a blog post by Lisa Janicke Hinchliffe, Professor/Coordinator for Information Literacy Services.

Here you find good counter arguments against SSO which we should address (basically the same I learned then in Berlin). Since it is a quite long text, I am quoting the IMO most relevant passages here:

Federated Identity (and Privacy)

Here’s my understanding. When fully realized, it means that by logging in once, you would be recognized on all participating platforms, which means you could leave a data trail of both who you are and what resources (content and tools) you are using. Yes, that means your data could be potentially aggregated across platforms and combined with other datasets to create a more complete profile of you as a user. It is likely that you are already leaving trails of use data connected to the IP addresses of the devices that you use. With federated identity, the trail is connected to you and to the devices. An analogy is how one can use a Google login to access not only your Gmail but also Dropbox, Asana, etc., and then Google is able to build a profile of you as a user by integrating the data from your activities across platforms and tools.
Such federated tracking is unlikely to be fully developed in the initial RA21 projects and the most pernicious form would require publishers to collaborate in data sharing in ways that they currently are not inclined to do. But, I think there is every reason to anticipate such technologies could be created in a fairly short period of time should those sentiments shift.
and a little later:
A side note here: I acknowledge that the SAML approach embraced by RA21 is more privacy-protecting than, for example, adopting a Google or Facebook OpenID option. It is not, however, more privacy-protecting than IP authentication.
[...]
I recently watched as a campus technology SAML/Shibboleth system passed a user’s email address, full name, and staff/staff status to a vendor in order to allow access to a PDF from off-campus when on-campus access would have been possible based on IP address alone.

[..] publishers and platforms will likely prefer identity-based authentication mechanisms [..] I anticipate that publishers will eventually begin to craft licensing agreements that require identity-based authentication, making explicit that they no longer offer IP authentication.
At the end, she makes a number of recommendations, that IMO more or less should also be included in our guidelines:

  *   Reach out to the campus technology unit that manages identity-based authentication systems (e.g., InCommon or OpenAthens) and engage in an ongoing discussion about privacy, user control, minimal sharing of identifiable data, etc., with the goal of developing local principles to guide data release.
  *   Watch carefully for licensing terms that dictate user data sharing requirements for access to content and be prepared with responses. If IP authentication is no longer an option, seek to minimize the user data that is demanded in exchange for user access.
  *   Review library privacy policies to make certain that the library is transparent about what data is being passed to third-party systems and what alternatives users have if they want to try to opt-out of data sharing and tracking.
  *   Regularly use library resources without using IP address authentication to monitor the user experience of identity-based authentication and the messaging from platforms to users. [..]

Cheers,

Peter



Am 15.03.2019 um 10:34 schrieb Jiri Pavlik:

Hi,



thanks a lot, Jos, links to the documents added at Background chapter

at FIM4L Guidelines and recommendations draft.



All the best



         Jiri





On Fri, Mar 15, 2019 at 10:03 AM Jos Westerbeke <jos.westerbeke at eur.nl><mailto:jos.westerbeke at eur.nl> wrote:

Hi all,







For your interest: "Protecting Patron Privacy in Digital Resources" on Scholarly Kitchen.







Stanford library made a statement recently about patrons privacy. I think this statement perfectly aligns with our work.







It draws the libraries' concerns and underlines the importance of our work. FIM4L should have the ability to make e-resource access with SSO better than using IP based access. Libraries cannot win the fight for preserving patron privacy by keep using IP based access.







I think we even have to encourage SSO access (when Open Access without authentication is not possible) in order to "... carefully structure [SSO access] to minimize exposure of patron data as much as possible, but always to ensure disclosure of any PII that may be transmitted." According to the article.







all the best,



Jos











Jos Westerbeke



Library IT Specialist / Demandmanager  | Erasmus University Rotterdam, Library | Burgemeester Oudlaan 50 | 3062PA Rotterdam | jos.westerbeke at eur.nl<mailto:jos.westerbeke at eur.nl> | +31 640295513



_______________________________________________

Fim4l mailing list

Fim4l at lists.daasi.de<mailto:Fim4l at lists.daasi.de>

http://lists.daasi.de/listinfo/fim4l

_______________________________________________

Fim4l mailing list

Fim4l at lists.daasi.de<mailto:Fim4l at lists.daasi.de>

http://lists.daasi.de/listinfo/fim4l



--



Peter Gietz, CEO



DAASI International GmbH

Europaplatz 3

D-72072 Tübingen

Germany



phone: +49 7071 407109-0

fax:   +49 7071 407109-9

email: peter.gietz at daasi.de<mailto:peter.gietz at daasi.de>

web:   www.daasi.de<http://www.daasi.de>



Sitz der Gesellschaft: Tübingen

Registergericht: Amtsgericht Stuttgart, HRB 382175

Geschäftsleitung: Peter Gietz


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.daasi.de/pipermail/fim4l/attachments/20190319/d50eb009/attachment.html>

More information about the FIM4L mailing list