To cite this article: Pam Dixon (2008) Ethical Issues Implicit in Library Authentication and Access Management: Risks and Best Practices, Journal of Library Administration, 47:3-4, 141-162, DOI: 10.1080/01930820802186480
Ethical Issues Implicit in Library Authentication and Access Management: Risks and Best Practices
Pam Dixon
Downloaded by [Stony Brook University] at 01:48 22 October 2014
Pam Dixon is author, researcher, and founder of The World Privacy Forum, CA (E-mail: pdixon@worldprivacyforum.org).
Available online at http://jla.haworthpress.com
© 2008 by The Haworth Press. All rights reserved.
doi:10.1080/01930820802186480
INTRODUCTION
may not be under the control of the library, and a library may not even be aware how new technology affects library values. Many of the ethical challenges for privacy are subtle and buried deep within systems, so they are much more difficult to perceive.
OPERATIONAL AND OTHER CHANGES IN AUTHENTICATION
not require an in-person transaction after the initial set-up, and can typically be accomplished via a laptop, smart card, or a library terminal. Authentication is often available ephemerally throughout the library using a wireless system that allows real-time authentication as needed.8

Today’s library authentication mechanisms may also manage both the green-lighting of the patron identity and the details of access to databases and to other services. In some UK libraries, patrons can use a single authentication to check out books and request bookings for sports facilities.9 In numerous public and academic libraries, users can access robust databases in the physical library (as an in-domain user), or they can authenticate from home using their own computers and access the same databases (as an out-of-domain user). Some libraries allow users to access their circulation records or to use photocopying services through the authentication, and it is not unusual for an academic library to also authenticate for course registration information.

A number of highly granular access management systems have emerged, many of which incorporate additional layers of authentication and may also allow financial transactions. Some of these systems are proprietary, and may also include Digital Rights Management (DRM) tied to authentication. The eMeta “eRights” software, for example, manages digital rights, authentication, and subscription information.10 ASM International made its volumes available to academic libraries through this particular platform, as did Standard & Poors.11

Large reference database services such as WilsonWeb have made efforts to make their digital system compatible with a variety of widely used access and authentication management systems.12 But generally speaking, most libraries will have to accommodate multiple systems and chart out a complex variety of authentication layers to meet all of the external vendor requirements. These layers may be invisible to most patrons, and the patrons may be wholly unaware that they are authenticating to one or more off-site databases or content distributors.
in the area of authentication and access control is not biometrics, but the subtle erosion of patron privacy through automated processes largely invisible to most librarians and patrons. These issues can be ameliorated, but to do so takes knowledge and detailed library policies that address the ethical aspects of authentication and access management.

While newer authentication schemas may add utility for library staffs and patrons, new authentication technologies and techniques may also add new layers of difficulties and data challenges to patrons. Some issues with ethical impacts can be obvious to both staff and patrons. For example, user authentication hassles can create interruptions in service.25 Authentication can also create barriers to public access of data, something which has been discussed eloquently by librarians.26 But the myriad privacy issues authentication raises are far more subtle and are typically unseen. The National Academies of Science, in its landmark 2003 study of authentication and privacy, Who Goes There?, wrote:

Libraries also need to think about what information vendors are receiving, and determine how or if the library, their vendors, or their partners are using patron information. This includes the use of web analysis and statistics software, which can pose privacy risks, depending on configuration.40

These tasks are easier discussed than accomplished, and the implementation may require intricate systems analysis. One of the underlying issues is that most library authentication and research systems, by their nature, tend to store information as opposed to shed it. In a pre-9/11,
ture. The authors note that: “With an anonymous library card, the library is willing to loan materials to anyone because it knows it can’t really lose anything. Since the library would never loan more than it could recoup from a cash deposit, it would be able to loan controversial items without storing personally sensitive information.”44 The idea has much to recommend it, and strikes a balance between the needs of libraries to secure expensive materials and the need to limit collection of personally identifying information tied to library resources.

Secondary disclosure and use risks are greatly increased with some forms of authentication and access controls. Patrons are most likely to be unaware of how authentication data requests and access control mechanisms may impact privacy. Users who have as their password their name and Social Security Number inadvertently give external vendors and library partners information tied to their real identity, and they are at increased risk in any data breach situation. As discussed earlier, lengthy research queries and reference transcript trails over the course of months or years may be stored by a vendor. Depending on the vendor’s contract with the library, patron data from authentication may be tied to other user information such as a persistent cookie on the user’s hard drive. Even if the library purges its clickstreams, the library’s vendor may not. If the vendor or network authenticates through username plus password tied to tracking cookies, even a library proxy server will not be likely to rescue patron privacy.
In the California State University system, until 2005/2006, students accessing the library from off-campus computers logged in to the library’s premium databases with their full name plus a full Social Security Number (SSN). This authentication information, as it left the library and went to the databases, became subject to these external databases’ privacy policies.45 Beyond that, the authentication information, depending on the set-up of the library system, could be captured in library log files, caches, and backup tapes.

As of 2007, all universities in California now use numbers other than the SSN for student ID. However, the authentication data that is transmitted to external parties contains a name plus the student ID. This is not an unusual set-up, and it still can pose a privacy risk as the external party may be able to link fuller information about the student from the authentication transaction. Additionally, depending on the contract with the particular external vendor, research information may be stored under that patron’s ID. In the case of many academic institutions, that ID is tied to directory information from the school regarding a student’s date of birth, home address, and course of study.

Coombs’s practices at SUNY in reducing identifiability are at the core of what can be done to mitigate the risk of patron tracking. Beyond these practices, vendor and content distributor contracts should be examined closely. Language that limits the vendor’s data collection, retention, and use should be instituted. For example, vendors should not be able to retain patron-generated data for longer than a period of time the library determines, and vendors should be prohibited from using that data for any secondary purposes other than to report statistics back to the library.
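As an added illustration (not Dixon’s text, SUNY’s procedure, or any library’s production code), the following Python sketch shows the identity-withholding set-up the preceding paragraphs argue for: the library gateway forwards an opaque, per-vendor, per-term pseudonym instead of the name plus student ID, so a vendor’s research logs cannot be joined to directory data or to another vendor’s logs, while the library alone can still map a pseudonym back to the patron to honour an access or deletion request. The patron record, vendor names, term label and key are constructed.

```python
"""Library-side gateway that withholds patron identity from external vendors.

Constructed for illustration; not the article's, SUNY's, or any library's code.
The directory fields mirror the ones the article names (date of birth, home
address, course of study); the vendor names, key and record values are made up.
"""
import hashlib
import hmac
from dataclasses import asdict, dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class PatronRecord:
    # Directory data the library holds and that should never reach a vendor.
    student_id: str
    full_name: str
    date_of_birth: str
    home_address: str
    course_of_study: str


def legacy_assertion(patron: PatronRecord) -> dict:
    """The set-up the article describes: name plus campus ID leave the library,
    so the vendor can key its research logs to a real, directory-linked identity."""
    return {"user": patron.full_name, "id": patron.student_id}


class AuthGateway:
    def __init__(self, pseudonym_key: bytes):
        if len(pseudonym_key) < 32:
            raise ValueError("pseudonym key must be at least 256 bits")
        self._key = pseudonym_key

    def pseudonym_for(self, patron: PatronRecord, vendor: str, term: str) -> str:
        """Opaque identifier derived from the student ID with a keyed hash.

        The vendor name in the input stops two vendors from joining their logs
        on a shared identifier; the term label (e.g. "2008-spring") rotates the
        identifier so one vendor cannot accumulate years of queries under it.
        Without the library's key the mapping cannot be recomputed or reversed.
        """
        msg = f"{vendor}\x00{term}\x00{patron.student_id}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()[:32]

    def outbound_assertion(self, patron: PatronRecord, vendor: str, term: str) -> dict:
        """The only fields that leave the library for this vendor."""
        return {
            "vendor": vendor,
            "subject": self.pseudonym_for(patron, vendor, term),
            "entitlement": "authorized-patron",
        }

    def resolve(self, pseudonym: str, vendor: str, term: str,
                candidates: Iterable[PatronRecord]) -> Optional[PatronRecord]:
        """Library-only reverse lookup, e.g. to honour a patron's request to see
        or delete vendor-held records: re-derive and compare, nothing to decrypt."""
        for p in candidates:
            if hmac.compare_digest(self.pseudonym_for(p, vendor, term), pseudonym):
                return p
        return None


def assertion_leaks_pii(assertion: dict, patron: PatronRecord) -> bool:
    """True if any directory value appears verbatim in what is sent out."""
    sent = {str(v) for v in assertion.values()}
    return any(v in sent for v in asdict(patron).values())


if __name__ == "__main__":
    gw = AuthGateway(b"\x00" * 32)  # constructed key; a real one is random and secret
    alex = PatronRecord("S1234567", "Alex Patron", "1990-01-01",
                        "1 Library Way", "History")
    for vendor in ("vendor-a", "vendor-b"):
        print(vendor, gw.outbound_assertion(alex, vendor, "2008-spring"))
```

The term label is what bounds the vendor-side research history; pairing it with a contractual retention limit on the vendor, as the text recommends, closes the remaining gap.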
tems were collecting and disclosing to third parties. The research found that the library had not disclosed all of its communications.

When approached with this fact, the library rewrote its privacy policy to disclose that patron data was flowing to a previously undisclosed third party. The library now uses Google Analytics for its web site, which it also discloses in its new privacy policy. It is a best practice for libraries to reveal all such information, including the use of third-party analytics.

Many libraries have modeled their privacy policy after the ALA model privacy policy.48 The ALA model policy does a good job of discussing Patriot Act and associated issues of importance to libraries. The ALA model policy is a way of approaching privacy policies, but it does not fully reference all aspects of the internationally accepted OECD Fair Information Practices. For this reason, it is important to supplement the ALA model policy with the broader Fair Information Practices.

The OECD has a tool available, the Privacy Statement Generator, that is a detailed guide to constructing a thorough privacy statement in line with Fair Information Practices. The OECD tool should be used as a supplement to the ALA guide, and will act to fill in the gaps in the ALA policy model as it relates to Fair Information Practices concepts.49 Although not specifically developed for library use, the OECD tool, if used thoughtfully, can assist libraries in improving current policies. The tool will assist those writing policies to consider the many aspects of technology and systems impacting privacy.

Providing a patron with access to data held on the patron is a core part of Fair Information Practices and an integral aspect of data transparency. Libraries have widely varying procedures on how many and how long patron records are kept. Unless patron data is not retained whatsoever, libraries should have a data access procedure that also includes correction and possible deletion rights. Libraries also need to consider not just directly identifiable data, but indirectly identifiable data like IP addresses.
These are not simple policies to write or to put in place. They can have far-reaching implications, and it is best if a teamwork approach is taken to resolving the issues such policies may raise. For example, if a library reviews its access procedure, and finds that it either has none or does not allow a patron to see a copy of their access history, the challenge will be to amend the policy. However difficult amending such a policy may be, it is worthwhile. If a subpoena or warrant can unearth the information, then the patron should be able to review that information upon request. It is a positive ethical information practice to create a procedure for addressing record errors, as well.
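An added example, not from the article or any library’s system: a retention pass over a proxy access log that treats the client IP address and the patron ID as identifying data and strips them once a short troubleshooting window has passed, keeping only what aggregate usage reporting needs, plus the export and deletion routines that a patron access procedure like the one described above would call. The log format, sample lines, patron IDs and retention periods are constructed for the example.

```python
"""Retention pass and patron-access export for a library proxy log.

Constructed for illustration; not the article's or any library's code. The
log format, sample lines, patron IDs and retention periods are made up.
"""
from dataclasses import dataclass, replace
from datetime import datetime, timedelta
from typing import List, Optional
from urllib.parse import urlsplit


@dataclass(frozen=True)
class AccessRecord:
    when: datetime
    client_ip: Optional[str]   # None once the record has been de-identified
    patron_id: Optional[str]   # None once the record has been de-identified
    vendor: str
    path: str                  # query string dropped at ingestion


# Constructed sample: "<iso timestamp> <client ip> <patron id> <vendor> <url>"
SAMPLE_LOG = """\
2007-11-17T10:02:11+00:00 192.0.2.44 p-1001 vendor-a /search?q=a+sensitive+topic
2007-11-17T10:03:40+00:00 192.0.2.44 p-1001 vendor-a /article/123
2007-12-20T08:15:02+00:00 198.51.100.7 p-2002 vendor-b /search?q=something+else
"""


def parse_line(line: str) -> AccessRecord:
    ts, ip, patron, vendor, url = line.split(maxsplit=4)
    # The research query is the most sensitive part of the trail, so it is
    # never written to the retained record; only the path survives.
    return AccessRecord(datetime.fromisoformat(ts), ip, patron, vendor,
                        urlsplit(url).path)


def parse_log(text: str) -> List[AccessRecord]:
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def apply_retention(records: List[AccessRecord], now: datetime,
                    identify_days: int = 30, keep_days: int = 365) -> List[AccessRecord]:
    """Two-stage retention: identifying fields (IP and patron ID, both treated as
    PII) survive only the short troubleshooting window; the de-identified record
    survives for usage statistics; after keep_days the record is purged."""
    out = []
    for r in records:
        age = now - r.when
        if age > timedelta(days=keep_days):
            continue
        if age > timedelta(days=identify_days):
            r = replace(r, client_ip=None, patron_id=None)
        out.append(r)
    return out


def retention_at(text: str, now_iso: str, **kw) -> List[AccessRecord]:
    """Convenience wrapper: parse, then apply retention as of an ISO timestamp."""
    return apply_retention(parse_log(text), datetime.fromisoformat(now_iso), **kw)


def patron_export(records: List[AccessRecord], patron_id: str) -> List[AccessRecord]:
    """What a patron may review on request: every record still tied to their ID."""
    return [r for r in records if r.patron_id == patron_id]


def delete_patron(records: List[AccessRecord], patron_id: str) -> List[AccessRecord]:
    """Deletion right: drop every record still tied to the patron's ID."""
    return [r for r in records if r.patron_id != patron_id]


if __name__ == "__main__":
    kept = retention_at(SAMPLE_LOG, "2007-12-21T00:00:00+00:00")
    for r in kept:
        print(r)
    print("p-1001 can still see:", patron_export(kept, "p-1001"))
```

Whatever the library purges locally, the same records may persist at the vendor, which is why the export routine can only answer for the library's own copy.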
Another challenge is to address the issue of records that may be compiled at third parties and vendors, and records that may be archived. How may–or can–a patron access vendor logs and information that may be stored under the user name and password? If libraries only chose vendors who had good privacy policies, the industry would have to change its standards in order to obtain library business.
CONCLUSION
NOTES
1. Authentication and access control, or authorization, are two separate activities. Authentication is a test of identity. Access control or authorization involves a complex set of permissions that allow an authenticated individual to use–or not–library resources. A discussion of the differences between these two terms may be found in: Terry Plum and Richard Bleiler, “SPEC Kit 267, User Authentication,” standards paper (Association of Research Libraries, December 2001), http://www.arl.org/bm~doc/spec267web.pdf.
2. Personally identifiable information, or PII, is a term of art in the privacy and security field. Definitions of the specifics that constitute PII may vary, but generally speaking PII is defined as information that may directly or indirectly identify a being. Name, home address, email address, and biometrics are PII. Internet Protocol (IP) addresses are also considered PII by many privacy experts, and including the IP address as part of the definition of PII is law in some countries such as Finland. See the definition of PII recently published by a consensus of U.S. privacy groups: “Consumer Rights and Protections in the Behavioral Advertising Sector,” joint filing, Federal Trade Commission eHavioral Advertising Town Hall Meeting, Federal Trade Commission November 2, 2007, http://www.ftc.gov/os/comments/behavioraladvertising/index/071115jointconsensus.pdf. See also the European Union definition of PII, which expressly includes IP address: Article 29 Data Protection Working Group, “Opinion 02/2002 on the use of unique identifiers in telecommunication terminal equipments: the example of IPV6,” May 30, 2002, http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2002/wp58_en.pdf at 3. Canada’s PIPEDA interpretation also includes IP address as PII. See: PIPEDA Case Summary No. 315, “Web-centered company’s safeguards and handling of access request and privacy complaint questioned,” Aug. 9, 2005, http://www.privcom.gc.ca/cf-dc/2005/315_20050809_03_e.asp.
3. Plum and Bleiler, “SPEC Kit 267, User Authentication.”
4. See for example the discussion of authentication regarding academic libraries: Scott Carlson, “To use that library computer, please identify yourself,” The Chronicle of Higher Education, June 25, 2004, http://chronicle.com/weekly/v50/142/42a03901.htm.
5. Lori Discoll, “SPEC Kit 277, Library Public Access Workstation Authentication,” standards paper (Association of Research Libraries, October 2003), http://www.arl.org/bm~doc/spec277webbook.pdf.
6. NISO Metasearch Initiative, National Information Standards, “Ranking of Authentication and Access Methods Available to the Metasearch environment,” Standards Committee BA (Task Group 1) Access Management, Sept. 13, 2005, 1, http://www.niso.org/committees/MS_initiative.html.
7. When a computer connects to the Internet, it is assigned an IP address during the time it is connected. The IP address is composed of a series of four numbers separated by periods. Each of the four numbers may fall in a range from zero to 255, for example, 60.0.41.142. IP addresses may be dynamic–assigned anew each time a user connects–or they may be static–remain the same each time a user connects. Users with cable connections to the Internet typically have static IP addresses. See: E. Gerich,
format, the volumes are more accessible, but do require specific authentication.
12. “WilsonWeb compatible with the U.K.’s Athens Access Management,” Information Today, November 1, 2003. For example, WilsonWeb specifically made their system compatible with Athens Access Management, available in the UK. Numerous other systems exist; see also: Michael Rogers. “VTLS Adding WebFeat to Virtua,” Infotech, March 1, 2007.
13. Numerous forms of biometric identification systems exist. Many of these biometric systems have been analyzed for their privacy, security, and accuracy. See Stephen T. Kent and Lynette I. Millet, Ed., Who Goes There? Authentication Through the Lens of Privacy. National Research Council of the National Academies of Science, Washington, D.C.: National Academies Press, 2003. See also: ALA Biometrics Issues Page, http://www.ala.org/ala/oif/ifissues/biometrics.htm; “Biometrics, Who’s Watching You?,” (whitepaper), Electronic Frontier Foundation, http://www.eff.org/wp/biometrics-whos-watching-you.
14. Very few libraries have moved to a biometric authentication system. The Buffalo and Erie County (N.Y.) Public Library have used a fingerprint system, as have some UK libraries. See, “Naperville to Launch Fingerprint ID System for Internet Access,” American Libraries Online, http://www.lita.org/al_onlineTemplate.cfm?Section=alonline&template=/ContentManagement/ContentDisplay.cfm&ContentID=94750.
15. ALA, “Privacy and Confidentiality,” American Library Association, http://www.ala.org/Template.cfm?Section=ifissues&Template=/ContentManagement/ContentDisplay.cfm&ContentID=49156#statements.
16. ALA “State Privacy Laws Regarding Library Records,” American Library Association, http://www.ala.org/Template.cfm?Section=stateifcinaction&Template=/ContentManagement/ContentDisplay.cfm&ContentID=14773.
17. Organisation for Economic Co-operation and Development, “OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data,” September 23, 1980, http://www.oecd.org/document/18/0,2340,en_2649_34255_1815186_1_1_1_1,00.html. Fair Information Practices were initially proposed and named by a U.S. government advisory committee in a 1973 report. The report, “Records, Computers and the Rights of Citizens,” was issued by the Secretary’s Advisory Committee on Automated Personal Data Systems at the Department of Health, Education and Welfare. The OECD’s adoption of FIPs restated the original version and turned it into an influential international standard.
18. In the U.S., the Federal health privacy rule HIPAA is based expressly on FIPs. In Europe, the “European Union Directive on the Protection of Personal Data” (1995) and in Canada, The Canadian Standards Association, “Model Code for the Protection of Personal Information: A National Standard of Canada” (1996) are also based expressly on FIPs.
19. Linda D. Koontz, “Personal Information: Agencies and Resellers Vary in Providing Privacy Protections,” U.S. Government Accountability Office, GAO-06609T, pp. 9-10, (April 4, 2006).
20. To read the entire document in which these principles are contained, see the “OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.”
21. American Library Association Policy on Confidentiality of Library Records, http://www.ala.org/Template.cfm?Section=otherpolicies&Template=/ContentManagement/ContentDisplay.cfm&ContentID=13084.
22. ALA Code of Ethics, Adopted June 28, 1995, http://www.ala.org/ala/oif/statementspols/codeofethics/codeethics.htm.
23. Ibid at I, “We provide the highest level of service to all library users through appropriate and usefully organized resources; equitable service policies; equitable access; and accurate, unbiased, and courteous responses to all requests.”
24. NISO Web Services and Practices Working Group, “Best Practices for Designing Web Services in the Library Context,” A Recommended Practice paper, NISO, July 2006, http://www.niso.org/standards/resources/rp-2006-0101.pdf.
25. Jennifer Pinkowski, “Recorded Books, NetLibrary in Suit; Dispute over issues of exclusivity, contract breach, customer service,” Library Journal, August 15, 2007.
26. Lynn Sutton, “Advocacy for Intellectual Freedom in an Academic Library,” ACRL Tenth National Conference, (March 2001), http://www.ala.org/ala/acrl/acrlevents/sutton.pdf.
27. Kent and Millet, Who Goes There?, p. 1.
28. Ibid, 3.
29. For a discussion of web browser state and user identifiability, see Collin Jackson, et al. “Protecting Browser State from Web Privacy Attacks,” WWW 2006, May 23-26, 2006, Edinburgh, Scotland. ACM 1-59593-323-9/06/0005.
30. NISO Metasearch Initiative, p. 13.
31. Peter E. Murray, “SPEC Kit 278, Library Patron Privacy,” (Association of Research Libraries) November, 2003, http://www.arl.org/bm~doc/spec278webbook.pdf.
32. Sutton, Advocacy for Intellectual Freedom in an Academic Library.
33. For a discussion of tracking cookies and profiling using technological techniques, see Federal Trade Commission, “Online Profiling: A Report to Congress,” June 2000, http://www.ftc.gov/os/2000/06/onlineprofilingreportjune2000.pdf. For an update on these techniques, see also: Pam Dixon, “The NAI: Failing at Consumer Protection and Self-Regulation,” Testimony to the Federal Trade Commission, November 2, 2007, pages 19-28. http://www.worldprivacyforum.org/pdf/WPF_NAI_report_Nov2_2007fs.pdf and http://www.ftc.gov/os/comments/behavioraladvertising/index/071102worldprivacyforum.pdf.
34. Karen A. Coombs, “Lessons learned from analyzing library database usage data,” Library Hi Tech 23, no. 4 (2005).
35. See the FTC Workshop: “eHavioral Advertising: Tracking, Targeting, and Technology,” Nov. 1-2, 2007, http://www.ftc.gov/bcp/workshops/ehavioral/index.shtml. See in particular public comments for the workshop and the FTC reports to Congress, all of which are linked from the FTC workshop page.
36. See the FTC Workshop: “eHavioral Advertising: Tracking, Targeting, and Technology,” Nov. 1-2, 2007, http://www.ftc.gov/bcp/workshops/ehavioral/index.shtml. See in particular public comments for the workshop and the FTC reports to Congress, all of which are linked from the FTC workshop page.
37. EReader Privacy Policy, http://www.ereader.com/privacy. (accessed November 17, 2007). See also NISO Metasearch Initiative, p. 22: “some content providers (such as e-book providers) who need or wish to track usage or access to specific patrons or users will find NCIP provides a viable authentication solution.”
38. Discoll, SPEC Kit 277.
39. Sarah Chandler, “The Evolution of an Interface from the User Perspective: From End User Testing to a Usage Log Analysis.” DLF Fall Forum 2003, Albuquerque, NM http://www.diglib.org/forums/fall2003/chanlder/schanderldlf_files/frame.htm.
40. Karen A. Coombs, “Using web server logs to track users through the electronic forest,” Computers in Libraries 25, no. 1 (2005); and Coombs, “Protecting user privacy in an age of digital libraries,” Computers in Libraries 26, no. 6 (June 2005).
41. For more on the impact on libraries of turning over patron data, see Mary Minow, “Could you be sued for turning over an Internet user’s sign-up information to law enforcement?” LLRX.com, April 25, 2004, http://www.llrx.com/features/internetsignup.htm.
42. Karen A. Coombs, “Protecting user privacy in an age of digital libraries,” Computers in Libraries 26, no. 6 (June 2005), pp. 16-20.
43. Shibboleth is a “standards-based, open source middleware software which provides Web Single SignOn (SSO) across or within organizational boundaries. It allows sites to make informed authorization decisions for individual access of protected online resources in a privacy-preserving manner.” See http://shibboleth.internet2.edu/.
44. Ben Ostrowsky and Jolynn Halls, “Anonymous library cards allow you to wonder, ‘who was that masked patron?’” Computers in Libraries 25, no. 6, (Jun 2005), pp. 21-23.
45. Jstor for example has a thoughtful privacy policy at “Jstor Privacy Policy,” http://www.jstor.org/about/privacy.html. Jstor is clear about its analysis of web logs in its privacy policy and its use of patron data.
46. Murray, “SPEC Kit 278.”
47. David Fewer et al., “Digital Rights Management Technologies and Consumer Privacy,” Canadian Internet Policy and Public Interest Clinic, Sept. 2007, p. 38 http://www.cippic.ca.
48. ALA Privacy Toolkit, http://www.ala.org/ala/oif/iftoolkits/toolkitsprivacy/guidelinesfordevelopingalibraryprivacypolicy/guidelinesprivacypolicy.htm.
49. OECD Privacy Statement Generator, http://www.oecd.org/document/39/0,3343,en_2649_34255_28863271_1_1_1_1,00.html. The OECD tool has been endorsed by the OECD’s 30 member countries.
by Ari Juels, in particular see Ari Juels, “RFID Security and Privacy: A Research Survey,” RSA Laboratories, Sept. 28, 2005. http://www.rsa.com/rsalabs/sraff/bios/ajuels/publications/pdfs/rfid_survey_28_09_05.pdf.