On April 17, 2019, the National Information Standards Organization (NISO) issued a call for public comments on a draft recommended practice for improving access to institutionally provided information resources. The draft is based on findings from the RA21: Resource Access for the 21st Century initiative and provides recommendations for using federated identity as an access model and for improving the federated authentication user experience. The Association of Research Libraries (ARL) has offered the following comments on the proposal, based on input from member representatives and broader engagement within our community:
Comments of the Association of Research Libraries Regarding “Recommended Practices for Improved Access to Institutionally-Provided Information Resources”
May 17, 2019
Thank you for the opportunity to comment on the draft version of “Recommended Practices for Improved Access to Institutionally-Provided Information Resources, Results from the Resource Access in the 21st Century (RA21) Project” (NISO RP-27-2019). I submit the following views on behalf of the Association of Research Libraries (ARL), a nonprofit collective of 124 leading research institutions in Canada and the United States.
While we appreciate the RA21 Steering Committee’s work on this topic, the bulk of the draft document focuses on user interface design, with far less attention paid to other critical interests of research libraries and their users, such as privacy, accessibility, and real-world control over data flows. As a result, the current recommendations lack many of the important details needed to fully understand how this vision would be implemented, and whether it properly serves the interests of all stakeholders. More balanced representation on the steering committee could help to resolve some of these concerns.
We understand that the RA21 initiative arose out of an effort by the International Association of STM Publishers (STM) to address issues of piracy and user experience, and initially focused on authentication challenges “in the corporate space.” The needs of academic, federal and public libraries vary greatly from those of corporate customers. Given ARL’s review of the recommendations, we believe that there are significant mismatches between the focus of its recommendations and the priorities and perspectives of research libraries.
We support many of the comments provided by other members of the academic library community. Below, we highlight particular questions and concerns.
- As noted above, representation on RA21’s governing committees is far from balanced. For the draft recommendations to be useful to the research library community, further convenings beyond the existing committees are required, along with a reevaluation of the steering committee’s composition.
- The draft does not include sufficient information to evaluate the probable real-world effects on user privacy and data management. We understand that, in theory, federated authentication as proposed by RA21 could be used without any additional data collection by service providers. In practice, however, the recommendations plainly anticipate a wide range of user-specific data collection and tracking, without resolving many important details. ARL believes that further deliberation on these concerns is necessary for the recommendations to be implemented successfully. For example:
- The recommendations call for “robust” detection of fraud and abuse through “end-to-end traceability.” What compromises will this require for user privacy? To what extent will end-to-end traceability involve user-specific activity tracking by service providers? Under what circumstances could such data become personally identifiable, if combined with data held by a user’s home institution?
- The recommendations would allow service providers to offer “personalized features” linked to the institutional credentials of individual users. What sorts of additional data collection are likely to be involved in this personalization? What are the risks that such data could be made personally identifiable? Should users be able to opt out of institutionally linked personalization?
- The recommendations envision that authentication will enable “granular usage analysis” by service providers. Although the draft only refers to this function for corporate customers, it is not difficult to imagine its application to academic institutions, especially if they lose the resource-usage data presently derived from IP-based authentication systems. What additional data collection is likely to result in this context? Are there unique risks in systematically linking usage analytics to institutional credentials, and what safeguards should be required?
- The recommendations anticipate that service providers will “integrate” institutional credentials with other data they collect from users directly—for example, through local accounts. Indeed, RA21’s leadership recently argued that academic institutions “needn’t — and maybe shouldn’t — be involved in mediating the user’s disclosure of their individual identity to the service provider should the user so choose.” What would be the privacy risks of such integration? And what restrictions should be put in place to stop service providers from misleading or manipulating users into directly disclosing additional information?
- Research libraries serve both institution-based users and members of the public. Public access is integral to the mission of land-grant institutions, and a majority of ARL libraries are also Federal Depository Libraries, which must provide public access to that collection and related online information resources, often including proprietary resources. Research library licensing agreements with vendors and publishers provide for onsite public access. It will be important for any authentication system to ensure public access, as many research libraries are required by law to provide it.
- The draft recommendation does not meet the latest accessibility standards. The most current accepted standard is WCAG 2.1 AA, not WCAG 2.0 AA. The former should be incorporated into any recommendations going forward. In addition, research libraries may be required to remediate otherwise-inaccessible information resources for individual users. If the vendor or publisher provides access directly, via RA21’s proposed authentication, it may exclude the library and its capabilities, imposing practical difficulties and/or significant delays on remediation, or even leaving the user with no recourse at all.
- How will research libraries audit implementations and uses of federated authentication to ensure that vendors and publishers are meeting contractual requirements, including data management obligations? It is important that the recommended practices provide concrete mechanisms for service provider accountability.
- Research libraries require electronic resource usage statistics, which are critically important in their budgeting and other management decisions. Currently, library proxy servers generate this aggregate data, which is protected by library and university data policies, without depending on publishers and vendors to provide it. As currently drafted, RA21 is ultimately intended to replace library-controlled IP authentication systems, yet it provides no equivalent for library-controlled usage data. Instead, it seems likely to force research libraries into a greater dependence on service providers, who could often have significant incentives to withhold or manipulate the relevant data—for example, to gain an informational advantage in pricing negotiations. This will be important to address going forward.
Thank you for your consideration of these comments. In sum, we believe that more work on this vision and implementation is required, as is consultation with the research library community. As drafted, these recommendations present a new system of access to research resources that envisions a limited role for research libraries with little, if any, interaction with their clientele. An adjustment in the scope and scale of these recommendations could alleviate some concerns. We believe that the recommendations would be more productive and better received by research libraries if they were limited to the technical details of how to improve Shibboleth. If they did not aspire to a systemic redesign of access management, and a wholesale replacement of IP-based authentication, they would probably not trigger as wide a range of concerns and complexities.
We look forward to further discussions on these issues and hope to see greater inclusion of the research library community in any future meetings and discussions.
Mary Lee Kennedy
Executive Director, Association of Research Libraries
About the Association of Research Libraries
The Association of Research Libraries (ARL) is a nonprofit organization of 124 research libraries in Canada and the US whose mission is to advance research, learning, and scholarly communication. The Association fosters the open exchange of ideas and expertise, promotes equity and diversity, and pursues advocacy and public policy efforts that reflect the values of the library, scholarly, and higher education communities. ARL forges partnerships and catalyzes the collective efforts of research libraries to enable knowledge creation and to achieve enduring and barrier-free access to information. ARL is on the web at ARL.org.