openathens.org
Preserving user privacy and protecting online
content
Adam Snook
Product manager
Webinar - 27 February 2019
What we’ll cover
What is federated single sign-on?
How can it preserve user privacy?
How does it protect valuable subscribed content?
What is the future of access to online
information?
More information and next steps
What is federated single sign-on?
Three-way trust relationship between a library user, their
organisation and content provider
Organisation manages user consent and authentication
Content provider manages access rights and authorisation of
access to content
OpenAthens provides the eco-system where encrypted user attributes are
exchanged between organisation and content provider, securely and seamlessly
Webopedia definition
Federated Access
Identity Providers
Providing the user’s identity, i.e. their email address and subscribed resources.
Service Providers
Providing paid-for content to organisations and their users.
Authentication vs Authorisation
“We confirm this user is a student from our Biology department”
“Biology students from your institution can only access our Biology content”
attributes
SAML ‘Handshake’
Preserving user privacy
Data Protection Code of Conduct
• Service providers must comply with data protection legislation
• Supported by RA21, the Code of Conduct principles include:
o Minimising the attribute data released to service providers
o Restricting attribute data to enabling access, unless user consent has been obtained
(directly or via the user’s organisation)
o Deleting/anonymising attribute data when no longer necessary
o No transfer of attribute data to another service, except if mandated for enabling
access on behalf of the service provider, the third party also complies with data
protection, and prior user consent is obtained
o Security measures to safeguard user attributes
• bit.ly/GEANTdp
How does OpenAthens handle privacy?
Our privacy statement:
• What information we collect
• What we do with that information
• How we protect it
• How long we keep it for
• How you can check your information
• openathens.org/privacy/
Library organisations - your responsibilities
• Processing of user data must be fair, lawful, necessary and proportionate to the
purpose(s) for which data is required.
• Organisations must inform users what their personal data will be used for at the time it is
collected.
• Users can ‘opt out’ of providing personally identifiable information.
• Organisations must ensure personal data is not misused and only released to service
providers when necessary.
• User consent may be requested for additional personal data. Users can change their
minds and change or stop future release of this information.
Privacy challenges for librarians
• Blog: Opportunities and challenges for
librarians created by technology
• EBSCO long overdue podcast
“Some providers have gone so far
as to provide personalisation
without using any personally
identifiable information
whatsoever.”
Protecting privacy through user attributes
Attribute: Description
eduPersonScopedAffiliation: User’s association with the organisation, e.g. student, researcher, staff, alumni, walk-in, affiliate
eduPersonTargetedID: An opaque, persistent and pseudonymous identifier used for personalisation. Unique to each user, it does not contain any information that can identify a person.
eduPersonEntitlement: Describes the resource set the user is entitled to access.
User managed consent
• Users can accept release of
attributes to service providers using
Shibboleth Identity Provider v3
• Attributes may include
eduPersonPrincipalName
• OpenAthens plans to support
user managed consent and multi-factor
authentication in the future
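The attribute table and the consent slide above, worked through as an added Python sketch (not OpenAthens or Shibboleth code): the identity provider releases only the three privacy-preserving attributes by default, holds back eduPersonPrincipalName until the user consents, and the service provider authorises from the attributes alone. The entity IDs, entitlement URNs, user record and the HMAC derivation of the pseudonymous identifier are assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed sample data: secret, user record and entitlement URN are hypothetical.
IDP_SECRET = b"constructed-demo-secret"
USER = {
    "uid": "jsmith",
    "mail": "j.smith@example.ac.uk",
    "eduPersonPrincipalName": "jsmith@example.ac.uk",
    "affiliations": ["student"],
    "scope": "example.ac.uk",
    "entitlements": ["urn:example:content:biology"],
}

# Released to any service provider that asks: enough to enable access.
DEFAULT_RELEASE = (
    "eduPersonScopedAffiliation",
    "eduPersonTargetedID",
    "eduPersonEntitlement",
)
# Personally identifiable: released only with the user's consent.
CONSENT_REQUIRED = ("eduPersonPrincipalName",)


def targeted_id(user, sp_entity_id):
    """Opaque pseudonym: stable for one (user, SP) pair, different across SPs.

    Illustrative derivation (keyed hash); a real IdP's method may differ.
    """
    msg = f"{sp_entity_id}!{user['uid']}".encode()
    return hmac.new(IDP_SECRET, msg, hashlib.sha256).hexdigest()


def release_attributes(user, sp_entity_id, requested, consented=()):
    """IdP side: minimise what leaves the organisation."""
    available = {
        "eduPersonScopedAffiliation": [
            f"{a}@{user['scope']}" for a in user["affiliations"]
        ],
        "eduPersonTargetedID": [targeted_id(user, sp_entity_id)],
        "eduPersonEntitlement": list(user["entitlements"]),
        "eduPersonPrincipalName": [user["eduPersonPrincipalName"]],
    }
    released = {}
    for name in requested:
        allowed = name in DEFAULT_RELEASE or (
            name in CONSENT_REQUIRED and name in consented
        )
        if allowed:  # anything else (e.g. mail) is never released
            released[name] = available[name]
    return released


def authorise(attributes, trusted_scope, required_entitlement):
    """SP side: decide access without learning who the user is."""
    affiliations = attributes.get("eduPersonScopedAffiliation", [])
    in_scope = any(a.rpartition("@")[2] == trusted_scope for a in affiliations)
    entitled = required_entitlement in attributes.get("eduPersonEntitlement", [])
    return in_scope and entitled


if __name__ == "__main__":
    sp = "https://publisher.example.org/sp"  # hypothetical entity ID
    wanted = list(DEFAULT_RELEASE) + ["eduPersonPrincipalName", "mail"]
    attrs = release_attributes(USER, sp, wanted)
    print(sorted(attrs))
    print(authorise(attrs, "example.ac.uk", "urn:example:content:biology"))
```

Because the pseudonym is derived per service provider, two publishers cannot correlate the same user by comparing identifiers.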
Protecting content
IP-based access
• Sometimes results in users providing personal information to publishers
• Difficult to track who your users are
• Inconsistent user journey off-site, so users choose the easy route e.g.
sharing content with friends or colleagues, or access via pre-print
repositories, ResearchGate and SciHub
• Fewer visits to your website potentially impacts library subscription decisions
Federated single sign-on
• Trust model – more secure
• Users less likely to share their credentials
• Library verifies who the user is
• You trust the library
• Seamless user journey to all the library’s subscribed content
• Users less likely to visit other nefarious sites
• Can request personally identifiable information from users with their consent
e.g. eduPersonPrincipalName
OpenAthens Conference, 19 March 2019, London
Panel debate: Piracy as a disruptor for
change
Further reading:
How piracy is forcing industry
transformation
Emily Powell, College of Policing
Phil Leahy, OpenAthens
SIMPLE, TRUSTED ACCESS –
ANYWHERE, ANYTIME, ON ANY DEVICE
www.ra21.org
What is RA21?
• Resource Access for the 21st Century (RA21) is a joint STM and NISO initiative
with goals to:
o Facilitate a seamless user experience for consumers of scientific
communication.
o Solve long standing and complex challenges in the areas of network
security and user privacy.
• Universal agreement that there needs to be alternatives to IP authentication.
• Aiming for adoption of RA21 recommendations globally.
Myth Busting: Five Commonly
Held Misconceptions About
RA21 (and One Rumor
Confirmed)
UX Building Blocks
• Consistent visual cue and call to action signals institutional access
• Flexible and smart search
o Search by institution name, abbreviation or email
o Typeahead matching and URL
• Remembered institution on next access
RA21 UX Goals
• A user only encounters a discovery process once (per browser).
• The user’s institution is persisted in browser local storage and subsequently rendered in the RA21 button across all participating publishers.
Main outputs
1. Set of recommendations that build on NISO’s ESSPReSSO recommended
practice
2. Establish a new governance structure
3. Launch a new service that simplifies access for users
Main outcome
• Expectation that publishers will start to deploy RA21 recommended practices in
second half of 2019.
OpenAthens Conference, 19 March 2019, London
Guest blog: Todd Carpenter, NISO
outlines the work of RA21 to simplify
access
Simplifying access with
OpenAthens Wayfinder
Example of a poor user journey
Wayfinder
What data does the publisher see?
Wayfinder
development
Embeddable and pop-up versions on their
way
Help us to develop Wayfinder
Feedback on integration and new features
contact@openathens.net
Questions?
Q&A – over to you
More information
Adam Snook
adam.snook@openathens.net
Product manager
• Download the free ebook which includes
explanations and guides on:
• The difference between authentication and
authorisation
• Web based authentication
• IP address recognition
• What SAML is and how it works
• OpenID Connect
• Basic troubleshooting
This report presents the key findings from
over 900 responses including:
• Access management is critical to meeting
users’ needs
• Increased demand for mobile or off-site
access
• Library staff requiring greater technical
expertise than ever before
• The need to help users with their digital
skills



Editor's Notes

  • #12: Pan-European network for research & education. Must have security measures in place to safeguard. Opaque identifiers are allowed for the purpose of recognising a returning user, but not their individual identity.
  • #13: ISO 27001
  • #24:
      Myth 1: IP authentication is privacy preserving, where federated authentication technologies are not. BUSTED
      Myth 2: Proxy servers work just fine as a solution for off-campus access. BUSTED
      Myth 3: RA21 wants to enable publishers to track users across each other’s platforms. BUSTED
      Myth 4: RA21 creates yet another username and password. BUSTED
      Myth 5: RA21 is placing control of users’ identity in the hands of institutions and not the individuals themselves. PLAUSIBLE
      Myth 6: RA21 seeks to eliminate IP-based access. CONFIRMED
  • #25: Ralph
  • #26: Ralph