Passwords for Remote Access
Posting on behalf of Janice M Jaguszewski

Forwarded message:
From: "Janice M. Jaguszewski" <j-jagu@maroon.tc.umn.edu>
Date: Fri, 25 Apr 97 11:57:51 -0500

I am writing to draw upon this list's expertise in licensing and access to electronic journals, specifically with respect to e-journals whose providers require each user to have and use the publisher's assigned id/password in order to access the e-journals. While my example will describe one case, I know this is a continuing issue for librarians with other publishers and other kinds of online resources. An airing here, along with an exchange of views on this matter, could be helpful to all parties.

Background

Our participated in a two-week free trial of access to the online web version of a particular journal publisher. Although the trial has ended, we continue to have access to the electronic versions of our print subscriptions. To establish this access (for the trial and continuing access), I completed a web-based form that asked for basic information, e.g., contact name and address, subscription agency, and IP addresses. No licensing agreement of any kind was provided or signed, although we understand one will be forthcoming as the project moves forward.

After submitting the form electronically, I received an e-mail message notifying me that access had been established and providing me with a user id and password. The letter stated "Please make the user-id and password available only to those affiliated with your institution."

I immediately called one of the publisher's key representatives for this project, to voice my concerns, focusing on the problem of id and password requirements and to state that we could not comply with their request to restrict access to University affiliates only. He told me I was the fifth person to call and complain and that he thought the organization would be responsive to these statements. He also said that a licensing agreement would be ready by fall 1997.

I followed up by sending him an e-mail message reiterating my concerns. In the meantime, we restricted the test to library staff only. I received a response to my e-mail message from another staff member within the company. She noted that they do "recognize that authorized users may include library patrons not affiliated with the institution. Our licensing agreement will reflect this." I took this to mean that we could give out the id and password to non-affiliates. In any event, access is also restricted by IP address.

QUESTIONS

We want to make these e-journals accessible, but we do not want to require users to contact a reference librarian for an id and password every time they wish to use them. A possible solution is to add these journals to a list of electronic journals on our Libraries Web site and provide the user id and password immediately under the title (user would click on "Access Information"). We would then specify restrictions as follows:

"Remote access to electronic journals published by Publisher XXX is restricted to students, staff, and faculty at the University of Minnesota. However, on-site access, from within a University library, is available to all users. To access Publisher XXX e-journals remotely, you will need to logon with the following information [NB: we are making these passwords up for the purposes of this Liblicense-l message]:

User ID: learneduser
Password: studytime

My question is, is this acceptable? Are we under any legal obligations without a licensing agreement? Are we under any ethical obligations in light of the publisher's e-mail message? We are trying to limit access to the id and password file according to IP address, but have not yet been successful.

Unfortunately, the U of M Libraries has not established policies to guide such access issues. We would be grateful for any assistance you can provide. Thank you very much.

Janice M. Jaguszewski
Collections Coordinator
Science & Engineering Library
University of Minnesota
108 Walter Library
Minneapolis, MN 55455
(612) 626-0557
j-jagu@tc.umn.edu

______________________________

Publishers' e-mail response:

>Date: Thu, 6 Mar 1997 13:34:00 -0500
>To: Janice M Jaguszewski <j-jagu@maroon.tc.umn.edu>
>
>Dear Ms. Jaguszewski,
>
>My colleague XXXXX forwarded to me your email re: access to
>our titles. Thank you for your interest and your comments.
>
>To address your second point first: Users. Yes, we do recognize
>that authorized users may include library patrons not affiliated with
>the institution. Our licensing agreement will reflect this.
>
>As for your first point: Passwords. We are indeed looking at
>restricting access by checking IP address ranges in combination with
>a single institutional userid and password. We have a couple of
>reasons for proposing an institutional userid/password:
>
>o IP addresses can be spoofed. With IP checking alone we wouldn't be
>able to recognize whether an unauthorized user was accessing content.
>The introduction of a single user id and password adds an additional
>layer of security.
>
>o In some cases, several different institutions share a single proxy
>server. In the case of consortia, distinguishing among participating
>institutions is less critical. However, to the extent that this situation
>exists outside the context of consortia, we need to be able to recognize
>activity at an institutional level.
>
>Digital certificates (such as those issued by Verisign) may add a
>level of convenience for users, without sacrificing security. We are
>investigating how these third-party digital certificates can be best
>used with our system.
>
>We do recognize that there is an additional level of administration
>for librarians in our present plan. At the same time, this approach has
>been viewed as a compromise--given the more troublesome alternative of
>asking each authorized user to create (and remember) a "personal" userid
>and password.
>
>I hope that the above sheds some light on our current thinking. We will
>be reviewing our procedures during the course of the next months and will
>consider your comments carefully in this context.
>
>Thank you.
>
>Sincerely,
>
>[SNIP]
>-------------------------
>
>Dear Publisher XXX:
>
>Per our telephone conversation of Friday, February 28, 1997, I am writing
>to urge your company to change its current policies restricting access
>to your electronic journals through the e-program. Specifically, I ask
>you discontinue the use of a user id and password and instead rely on
>IP address to ensure security and to authenticate users. In addition, I
>request that you expand your current definition of user, as noted below.
>
>(1) Passwords. At a large research university such as mine, with several
>thousand faculty and 45,000 students, it is impossible for the library to
>distribute a user id and password to everyone who might need it. In
>addition, a user id and password would not provide any extra security
>against improper use (remote access is already limited by IP address),
>but it would most likely serve as a barrier to access by valid users
>(faculty and students!), who strongly dislike passwords and do not wish
>to commit them to memory. Since one of the most appealing features of
>electronic journals is their increased accessibility, I encourage you to
>remove this barrier.
>
>Please note that a number of other publishers [NAMES REMOVED]
>have determined that user id's and passwords are unnecessary. All have
>successfully limited remote access through Class B IP addresses. A
>number of those that began with passwords and/or user registration
>quickly changed their policy after receiving negative responses from
>libraries and users.
>
>(2) Users. The letter I received from you confirming the University
>of Minnesota's participation in the beta test states: "Please make the
>user-id and password available only to those affiliated with your
>institution." Again, a large, public research university cannot comply
>with such a request. Although remote access will be restricted to
>affiliated users by IP address, the library's holdings are available to
>anyone who wishes to physically come to the library and use them.
>Librarians do not check whether users are "affiliated" or not. In your
>future licensing agreement, which you mentioned will be available later
>in the year, the term "authorized user" must be expanded to include
>members of the public who use the collection on site.
>
>I have three examples of wording used by other publishers:
>
>(a) American Institute of Physics: "'Authorized Users' means employees,
>faculty, staff, and students officially affiliated with the subscriber and
>authorized clients of the subscriber's library facilities."
>
>(b) American Physical Society: The licensing agreement originally
>restricted access to affiliates, but they encouraged me to amend the
>agreement to include members of the public who are allowed to use the
>library facilities. They approved the amendment.
>
>(c) Academic Press: They added a separate paragraph to their agreement,
>in order to address this issue: "LIBRARY ACCESS. Subscribers' libraries
>which provide public access may provide access to and permit copying
>from the online form of the Publications by members of the public for
>their scholarly, research, educational and personal use by means of
>workstations located at the library facility."
>
>Technological advances are offering publishers, libraries and users
>exciting new possibilities for enhancing scholarly publishing and
>expanding access to scholarly information. However, the library and user
>communities must retain all of the features and rights we enjoyed with
>print subscriptions, such as minimal barriers to access, availability to
>those who use the library facilities, printing/downloading of individual
>articles under fair use guidelines, and the ability to include
>electronic versions in interlibrary loans under applicable copyright law.
>I am certain that XXX and the library community can develop a
>licensing agreement to our mutual benefit and our users' satisfaction.
>
>Thank you very much for the consideration you are giving to this most
>important issue. I look forward to providing University of Minnesota
>faculty and students with electronic access to your electronic
>journals.
>
>
>Sincerely,
>
>Janice M. Jaguszewski
>Collections Coordinator
>Science & Engineering Library
>University of Minnesota
>108 Walter Library
>Minneapolis, MN 55455
>(612) 626-0557
>j-jagu@tc.umn.edu

http://www.library.yale.edu/liblicense © 1996, 1997 Yale University Library