User Behavior Access Controls at a Library Proxy Server are Okay

Earlier this month, my Twitter timeline lit up with mentions of a half-day webinar called Cybersecurity Landscape – Protecting the Scholarly Infrastructure.
What had riled up the people I follow on Twitter was the first presentation: "Security Collaboration for Library Resource Access" by Cory Roach, the chief information security officer at the University of Utah.
Many of the tweets and articles linked in tweets were about a proposal for a new round of privacy-invading technology coming from content providers as a condition of libraries subscribing to publisher content.
One of the voices that I trust was urging caution:
I highly recommend you listen to the talk, which was given by a university CIO, and judge if this is a correct representation. FWIW, I attended the event and it is not what I took away.
— Lisa Janicke Hinchliffe (@lisalibrarian), November 14, 2020
As near as I can tell, much of the debate traces back to this article:
Scientific publishers propose installing spyware in university libraries to protect copyrights – Coda Story https://t.co/rtCokIukBf
— Open Access Tracking Project (@oatp), November 14, 2020
The article describes Cory’s presentation this way:
One speaker proposed a novel tactic publishers could take to protect their intellectual property rights against data theft: introducing spyware into the proxy servers academic libraries use to allow access to their online services, such as publishers’ databases.
The "spyware" moniker is quite scary.
It is what made me want to seek out the recording from the webinar and hear the context around that proposal.
My understanding (after watching the presentation) is that the proposal is not nearly as concerning.
Although there is one problematic area—the correlation of patron identity with requested URLs—overall, what is described is a sound and common practice for securing web applications.
To the extent that it is necessary to determine a user’s identity before allowing access to licensed content (an unfortunate necessity because of the state of scholarly publishing), this is an acceptable proposal.
(Through the university communications office, Cory published a statement about the reaction to his talk.)
In case you didn’t know, a web proxy server ensures the patron is part of the community of licensed users, and the publisher trusts requests that come through the web proxy server.
The point of Cory's presentation is that the username/password checking at the web proxy server is a weak form of access control that is subject to four problems:
phishing (sending email to trick a user into giving up their username/password)
social engineering (non-email ways of tricking a user into giving up their username/password)
credential reuse (systems that are vulnerable because the user used the same password in more than one place)
hacktivism (users that intentionally give out their username/password so other…
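As an added illustration, not code from the post, the webinar, or any proxy product, here is a small Python detector that applies behavior-based access controls to proxy access logs of the kind the presentation argues for. It looks only at who authenticated, from which network, and how quickly they are requesting, and it discards the requested URL before anything is stored, which keeps the check on the acceptable side of the line the post draws about correlating patron identity with URLs. The log line layout, the user names, the addresses, the timestamps, and the thresholds are all constructed assumptions.

```python
"""Behavior-based checks over library proxy access logs.

Added example (not from the post or any proxy product). The log layout,
user names, addresses, timestamps and thresholds are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_network
from typing import Dict, List, NamedTuple, Optional

# Assumed line layout:  client_ip  username  [timestamp]  "METHOD path"  status  bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<nbytes>\d+)$'
)


class Event(NamedTuple):
    """What the detector keeps per request: identity, address, time, size.

    The requested URL is deliberately NOT stored, so the analysis never
    builds a per-patron reading history (the one part of the proposal the
    post flags as problematic).
    """
    user: str
    ip: str
    ts: datetime
    nbytes: int


def parse_line(line: str) -> Optional[Event]:
    m = LOG_RE.match(line.strip())
    if not m:
        return None  # malformed or empty line: skip rather than crash
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return Event(m["user"], m["ip"], ts, int(m["nbytes"]))  # m["req"] dropped


def parse_log(text: str) -> List[Event]:
    return [e for e in map(parse_line, text.splitlines()) if e is not None]


def network24(ip: str) -> str:
    """Collapse an address to its /24 so a patron roaming within one campus
    network is not mistaken for credential sharing across sites."""
    return str(ip_network(f"{ip}/24", strict=False))


def max_requests_in_window(times: List[datetime], window: timedelta) -> int:
    """Largest number of requests falling inside any sliding time window."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def assess_users(events: List[Event], window: timedelta = timedelta(minutes=10),
                 max_networks: int = 2, max_requests: int = 60) -> Dict[str, List[str]]:
    """Return {username: [reasons]} for accounts whose behavior suggests the
    credential is shared (many networks) or scripted (request bursts)."""
    by_user: Dict[str, List[Event]] = defaultdict(list)
    for e in events:
        by_user[e.user].append(e)
    findings: Dict[str, List[str]] = {}
    for user, evs in sorted(by_user.items()):
        nets = {network24(e.ip) for e in evs}
        burst = max_requests_in_window([e.ts for e in evs], window)
        reasons = []
        if len(nets) > max_networks:
            reasons.append(f"{len(nets)} distinct /24 networks (limit {max_networks})")
        if burst > max_requests:
            reasons.append(f"{burst} requests within {window} (limit {max_requests})")
        if reasons:
            findings[user] = reasons
    return findings


# Constructed sample: alice and bob behave normally; carol's account is used
# from three unrelated networks within two minutes; dave fires 120 requests
# in two minutes from one address.
_BASE = [
    '203.0.113.10 alice [18/Nov/2020:09:00:01 +0000] "GET /db/article/1" 200 5120',
    '203.0.113.10 alice [18/Nov/2020:09:03:12 +0000] "GET /db/article/2" 200 4800',
    '198.51.100.7 bob [18/Nov/2020:09:01:00 +0000] "GET /db/search?q=x" 200 2100',
    '198.51.100.7 bob [18/Nov/2020:09:01:05 +0000] "GET /db/article/9" 200 6000',
    '192.0.2.1 carol [18/Nov/2020:09:00:00 +0000] "GET /db/article/1" 200 9000',
    '192.0.2.55 carol [18/Nov/2020:09:00:30 +0000] "GET /db/article/2" 200 9000',
    '203.0.113.200 carol [18/Nov/2020:09:01:00 +0000] "GET /db/article/3" 200 9000',
    '198.51.100.99 carol [18/Nov/2020:09:01:30 +0000] "GET /db/article/4" 200 9000',
]
_DAVE = [
    f'192.0.2.77 dave [18/Nov/2020:09:{i // 60:02d}:{i % 60:02d} +0000] '
    f'"GET /db/article/{i}" 200 1000'
    for i in range(120)
]
SAMPLE_LOG = "\n".join(_BASE + _DAVE)

if __name__ == "__main__":
    for user, reasons in assess_users(parse_log(SAMPLE_LOG)).items():
        print(f"{user}: {'; '.join(reasons)}")
```

On the sample, carol is flagged for three distinct networks and dave for a burst of 120 requests; alice and bob are not. A finding like this is a signal for a help-desk follow-up or a step-up authentication prompt, not an automatic lockout, and the thresholds should be tuned against an institution's own traffic before anything is enforced.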