Security Issues (was JSTOR)
- To: liblicense-l@lists.yale.edu
- Subject: Security Issues (was JSTOR)
- From: Ann Okerson <ann.okerson@yale.edu>
- Date: Thu, 12 Dec 2002 18:31:24 -0500 (EST)
- Reply-To: liblicense-l@lists.yale.edu
- Sender: owner-liblicense-l@lists.yale.edu
Re. the CHE article:

The Chronicle reporter asked me yesterday (and it was a good and fair question): if, in spite of all the security leaks, libraries continue to keep paying because they are honest and meet their obligations, then what's the risk to JSTOR or any other publisher? If finances are not the big issue for publishers, then what is the risk to anyone from the probing and hacking that is going on?

I replied along these lines:

o First, this hacking environment means that no intermediary or vendor can promise to keep their commitment to a rightsowner, and that puts access to information at risk, because it may discourage information being put up on line at all -- or at least it strengthens the case for truly unusual protections that some in the publishing industry are making and that librarians oppose.

o Second, it means that multiple sources of the same information exist and that a number of them are unauthorized, which in turn means that the quality of information is potentially suspect. Does that site in Timbuctoo or wherever contain a good, valid, complete set of AIP or JSTOR or Wiley? Who knows. And so it turns out that the users who might most want research information are getting content they think is authentic and valid, but that may not be the case.

o There is, so far as we know, a great and growing effort on the part of many publishers and individual researchers to make information available to those who cannot pay for it (including JSTOR), through various means. And this kind of access is happening. We want a world in which all countries have the necessary access to information but we should support access to high quality information by legal means.

o In addition to formal publications where concerns are authority and authenticity and meeting contractual obligations, we work in institutions where there is a great deal of confidential information (personal, organizational) that can be probed and hacked. That type of information is as much of a worry as published information.

o My understanding from a very diligent Yale IT security staff is that Yale's machines are "probed" daily and multiple times a day, often by seekers for formal publications or personal materials -- this is a really BIG issue on campuses, one that occupies a lot of staff resource.

Thus, we need to understand better where the problems with IP authentication lie (in this case, the discussion is about open proxies) and work together to overcome them. Credentials is one way. Education is another. Exercising control over a limited number of proxies is another.

Nothing in any of these paths impacts the issues being raised by the recent liblicense-l postings, even if we were to move to a credential-based approach. For example:

1. Walk-in users. Librarians can log into machines when they are turned on (or this process is automated). Then, leave them logged in, open the doors to the library and turn on the lights.

2. Privacy. Privacy is hugely important. There is no desire and no need to connect individual users to any activity. We can make a reasonable effort to verify that the user is a member of the authorized community. When that is done, pass them along to information sources. There is no need for an outside agency to know "who" it is.

As for the IP "filter", it is not nearly as "safe" and opaque as some believe. There is a record of who has what IP address. That is going to be true for a large number of members of our campus communities (faculty, staff, labs, etc.). Mapping IPs to usage of a resource under subpoena in a "police state" would be close to trivial, so we shouldn't overstate the privacy protection of working with IP validation.

Ann Okerson/Yale University