Conflicting priorities on information security

EBSCO have just released a White Paper “from our partner, OpenAthens”, The Evolution of Authentication and the Importance of Information Security.

The focus is very much on the information security of EBSCO’s subscription content. There is no mention of user privacy, despite the fact that how individuals want their data to be used often conflicts with how corporations want to use that information.

Rather like the Leave campaign’s messages that voting for Brexit would be all gains and no losses, ignoring the complexity of complex decisions creates blind spots and vulnerabilities in systems and societies.  I would like politicians and corporations to stop patronising us with simple, comforting, false solutions and engage bravely and intelligently with difficult decision-making.

Observe what happens if you click on “Download your copy for free today to continue reading”:

Please fill out the form to receive your free copy of The Evolution of Authentication and the Importance of Information Security. Fill out the form and immediately receive the white paper. The fields requested are: Name, Email, Organization Name, City, Phone. All fields except Phone are required.

Just saying.

See also: EBSCO EDS and Single Sign-On, and Consumer democracy? (reference to Adam Curtis’ film Bitter Lake, describing how politicians create oversimplified good vs evil stories rather than confronting the realities of a complex world).

EBSCO EDS and Single Sign-On

OpenAthens Single Sign-On (SSO) is a SAML-compliant Shibboleth-type authentication method used for University login to a wide range of electronic resources.

SSO works by mediating between an identity provider (e.g. a university, checking that the user’s account is current), and a service provider (e.g. a database, to which the user’s university has a current subscription).  Here’s a diagram of the data flow:

Authentication data flow. Image credit University of Florida.

Critically, the identity provider and the service provider don’t communicate directly.  The user’s personal credentials are not transmitted to the service provider; just that their identity has been verified.

This means that when someone logs in to a database or journal platform, they are greeted by “Welcome, University of Sunderland user” or “You are logged in as University of Sunderland”, but the database or platform does not know anything further about their identity.

Why does this matter?  Service providers’ servers may be located anywhere in the world, often outside the EU.  The Data Protection Act 1998 controls how personal information is used by organisations, businesses or the government.  It requires that data controllers (organisations etc) handle personal data according to people’s data protection rights, and do not transfer it outside the European Economic Area without adequate protection.

Recently, EBSCO have started promoting the use of an enhanced version of SSO which means that a user will be authenticated into EBSCO Discovery Service (EDS) and simultaneously logged in to their personal folders.  This will sound very appealing to many EDS customers, as currently the personal folders require the user to log in (again) with their EBSCOhost account (yet another userID and password to remember).  With the standard SSO setup, this would not be possible, so I started asking questions about what additional data exchange would be needed in order for the user to be individually identified.

Email from EBSCO:

Essentially the only requirement for setting up SSO is that your shibboleth releases a persistent unique ID. However we generally recommend releasing other attributes:

Which user data attributes must be included within the IdP-generated SAML assertion?

Only a unique user ID (e.g. employee ID, organization-specific email) is required to be sent in the SAML assertion. It is recommended that First Name, Last Name and Email also be sent to better support sharing and email from within the EBSCO user interface.
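To make the difference between the standard setup (the SP learns only that the user belongs to the institution) and the enhanced setup (the SP receives a persistent ID plus name and email, as EBSCO’s reply above requires) concrete, here is an added example that is not code from EBSCO, OpenAthens or the original post. It parses a SAML assertion and reports which released attributes let the service provider identify an individual. The attribute OIDs are the standard eduPerson/LDAP ones; the two assertions are constructed samples, and the audit reads the assertion content only (it does not verify signatures).

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"

# Standard attribute OIDs that identify a person rather than an institution.
PERSONAL = {
    "urn:oid:2.5.4.42": "givenName",
    "urn:oid:2.5.4.4": "sn",
    "urn:oid:0.9.2342.19200300.100.1.3": "mail",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.10": "eduPersonTargetedID",
}

def released_attributes(assertion_xml):
    """Return (NameID format, {attribute name: [values]}) found in the assertion."""
    root = ET.fromstring(assertion_xml)
    nameid = root.find("saml:Subject/saml:NameID", NS)
    fmt = nameid.get("Format") if nameid is not None else None
    attrs = {}
    for a in root.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        attrs[a.get("Name")] = [v.text for v in a.findall("saml:AttributeValue", NS)]
    return fmt, attrs

def privacy_audit(assertion_xml):
    """List every way this assertion lets the SP single out a specific user."""
    fmt, attrs = released_attributes(assertion_xml)
    findings = []
    if fmt == PERSISTENT:
        findings.append("persistent NameID: SP can recognise the same user across sessions")
    for name, label in PERSONAL.items():
        if name in attrs:
            findings.append(f"{label} released: {attrs[name]}")
    return findings  # empty list means the SP only learns the affiliation

def sample(nameid_format, extra_attrs=""):
    """Constructed minimal assertion carrying eduPersonScopedAffiliation plus extras."""
    return f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID Format="{nameid_format}">x</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9">
      <saml:AttributeValue>member@example.ac.uk</saml:AttributeValue></saml:Attribute>{extra_attrs}
  </saml:AttributeStatement></saml:Assertion>"""

STANDARD = sample(TRANSIENT)  # affiliation only: "Welcome, example.ac.uk user"
ENHANCED = sample(PERSISTENT, """
    <saml:Attribute Name="urn:oid:2.5.4.42"><saml:AttributeValue>Ann</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3"><saml:AttributeValue>ann@example.ac.uk</saml:AttributeValue></saml:Attribute>""")
```

Running `privacy_audit` over a real assertion captured from your own IdP’s logs shows exactly what a given SP receives, which is the question the data controller has to answer before enabling the enhanced setup.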

At the mention of persistent unique ID, I started to wonder about the data protection law implications.

I followed this up with a phone call, asking about compliance with data protection law.   It seems that this query hadn’t previously arisen in the UK, though it had in Scandinavia where they are more aware of the issues.  Safe Harbo(u)r was mentioned, but I pointed out that in 2015, the European Court of Justice declared invalid the Safe Harbor data-transfer agreement that had governed EU data flows across the Atlantic for some fifteen years.  I was directed to EBSCO’s White Paper about information security, but it didn’t mention anything about data protection.

In advance of last week’s EBSCO and OpenAthens webinar “Single Sign-On to a World of Knowledge”, I repeated my enquiry to OpenAthens and received the following:

All data that is given to OpenAthens is stored here in the UK. We provide the option of mapping attributes out to various publishers; however, this is controlled and decided by you. The default information that is sent to authenticate the user does not hold any data that identifies the user personally.

To me, “this is controlled and decided by you” sounds very much like ducking the question.

I appreciate that decisions on the release of personal data are ultimately the responsibility of the data controller, but I am concerned that neither EBSCO nor OpenAthens seem to acknowledge the legal and ethical difficulties that this presents to libraries having to make these decisions.  I believe that if they are advocating this enhanced use of SSO, they have a moral obligation to point out the data protection implications, even if they can’t advise libraries on these matters.

I would be grateful to hear from anyone who knows more about this – please leave me a comment.  Thanks for any wisdom you can offer!

Applying for jobs and volunteering to get experience

This post is part of 23 Things for Professional Development.

Thing 21 is all about promoting yourself in job applications and at interview. Although I have quite a lot of experience of these processes, I found that I wasn’t comfortable with the idea of publishing these details on the web (as laid out in the Thing 21 instructions).

Recently, I had a similar experience with my Chartership portfolio. When you submit your portfolio for assessment, you are asked if you are willing to make your document available for others to see. I opted out of that because I felt that some parts of my portfolio, especially my personal SWOT analysis, were things I wanted to keep private (or at least limit the audience to just my assessors!).

However, I promise that I am doing things like constantly revising my CV and I hope this will satisfy the requirements for this Thing!

Thing 22 encourages us to consider the value of volunteering to get experience.  At this stage of my career, I think this has evolved from volunteering to do library work without pay to offering to take on further professional duties such as serving on committees and working groups.

I am currently involved in committees such as the Oxford Libraries’ Web 2.0 Working Party, an Aleph working party which is involved in fine-tuning some circulation settings on our new ILS following its launch in July, the Committee of College Librarians and the University of Oxford LGBT Steering Group.

I like being involved in groups and activities that broaden my professional awareness beyond the horizons of my own workplace. I think this is especially important in a federal organisation such as the University of Oxford.

Why I deleted my Google Plus account

I’ve been toying with the idea of ditching G+ for a while now, and reading Woodsiegirl’s post this morning gave me the final push I needed to get on and do it.

I’ve already blogged about the G+ ‘meh’ factor, and having given it a few weeks, I still can’t see the niche that G+ was meant to occupy in my online social life.

I was uncomfortable with the number of random people who added me to their circles, and the odd way G+ handles your relationships with people who have added you to their circles even though you haven’t added them to yours (they can still see all of your public data.  Which may not be much, but I still don’t want them there, and it seemed a bit harsh to block them).

Although I try not to litter the internet with my personal information in the first place, I realised that if I’ve set up an account somewhere and have decided that the service is not for me, it’s probably best to delete it, even if only so that anyone following/friending/circling (?) me knows that I’ve gone from that site.