Re: Message from Kevin Guthrie, JSTOR's President

["Michael Spinella" <mspinella@cox.net>]

Dear Lib-license:

I have followed this thread closely because I think Kevin has raised some
important and interesting issues for the community to consider. I see two
central concerns that have flowed from David's comments a couple days ago:
one is that solving the open proxy problem would eliminate walk-in user
access to library resources; the second concern, articulated by Chuck
Hamacker, is that confidentiality of patrons might be compromised. Both of
these concerns are important to consider, and if they do indeed follow
from any solution to the open proxy problem, then the community will have
quite a dilemma on its hands. The problem is, I don't see how these
outcomes do in fact result from disallowing open proxies (though I am very
open to being educated further on this point).

Today, most institutional site licenses to scholarly resources rely on
IP-address authentication for access control. But not every computer on a
network acts as a proxy server. Any machine sitting in the library could
easily have a fixed IP address, or receive a dynamically assigned IP from
a range of non-proxy addresses. This would permit walk-in users to enter
the library (or other locations on campus), sit down at a computer and
gain access to library resources without having to sign in or identify
themselves. There is no need for open proxies to be a part of the system
in order to gain access to Internet-delivered content.

There may, of course, be a need for proxies to exist within the campus
network for other reasons, as Kevin pointed out. One common legitimate use
of proxies might be to permit authorized users access to resources
remotely (i.e., not from a campus computer, but perhaps from home or on
travel). These systems, however, need not -- in fact, should not -- use
open proxies. They should be trusted proxies that positively authenticate
users before permitting access. By definition, remote users cannot be
walk-in users, so imposing some restrictions and requiring authentication
should not be seen as an inappropriate restriction of access. Yes, this
circumstance would involve some loss of anonymity (but not necessarily of
confidentiality) between the end user and the trusted proxy (i.e., the
institution). But the content provider still would have no idea of who the
end-user is, so ensuring confidentiality would remain in the hands of the
institution, not the publisher.

Remote access is not a universally accepted right of every site license -
that is, not all publishers have been willing to permit off-campus use of
their content under the terms of an institutional site license. But surely
even those who have accepted remote access expect that the
library/institution is taking reasonable measures to authenticate those
remote users as legitimate members of the user community authorized by the
site license. This means that any proxy server used for providing remote
access must be a trusted proxy, not an open one. Open proxies are
tantamount to providing access to the content to any and all potential
users and this surely is not consistent with anybody�s idea of a site
license that permits access to the authorized users of a given
organization, even when walk-in users are accepted. Excluding open proxies
from the authorized IP ranges for licensed content access should be
conceptually easy to accept, because it in fact does not require
sacrificing either walk-in access or confidentiality of patrons. However,
the practical feasibility of excluding open proxies remains a question (at
least to me!). And what level of effort would be required or reasonable
for a library to undertake in order to track down unauthorized proxy
servers is also another matter.

I'd like to hear more on these topics and on the question of whether open
proxies serve some legitimate purpose uniquely, i.e. are there things open
proxies accomplish that cannot be accomplished by a trusted proxy?

Mike Spinella

-----Original Message-----
From: David Goodman <dgoodman@phoenix.Princeton.EDU>
To: liblicense-l@lists.yale.edu <liblicense-l@lists.yale.edu>
Date: Tuesday, December 10, 2002 5:54 PM
Subject: RE: Message from Kevin Guthrie, JSTOR's President

>As I understand it, the solutions proposed by Kevin would eliminate the
>possibility of walk in users. Many of us have fought long and successfully
>to have these users permitted on our licenses. We are all replacing or
>supplementing print resources with electronic ones. It would not make
>sense to permit those authorized to have access to our libraries (and, in
>some universities, paying considerable sums for the privilege), not being
>able to access the most important resources. Some (public) universities
>may be legally required to provide all their users access to all their
>resources.
>
>There are perhaps some work arounds: it might be possible to give walk in
>users temporary user names, possibly through specific library machines
>configured to do this in a manner hidden from the user.
>
>As I understand it, a server can determine many things about the
>characteristics of the browser accessing it. Can it determine if the
>browser is running on a machine that is itself set up as a server? If so,
>it would possible to deny access except for machines on a list of
>authorized proxy servers.
>
>I would certainly imagine that those more technically knowledgeable than I
>should be able to think of other solutions. I think the extent of the
>problem may be serious enough to require more directed action than has
>previously been considered reasonable. We should ensure our efforts do not
>however impair the positive use of the resources by the entire user
>community.
>
>My personal opinion only, of course. David Goodman