One of the great things about the Shibboleth inter-institution single sign-on software package is the ability for the Identity Provider to limit how much a Service Provider knows about a user’s request for service. (Not familiar with those capitalized terms? Read on for definitions.) But with this capability comes great flexibility, and with the flexibility can come lots of management overhead. So I was intrigued to see the announcement for an online webinar from the InCommon Shibboleth Federation with the title “The Challenges of User Consent” covering the issues of managing who gets access to what information about users.

From the webinar description:

Are you starting to see more requests from SPs seeking user attributes? Would you like to explore methods that would simplify the attribute release process?  You aren’t alone. Campuses are seeking a scalable approach to managing attribute release that will minimize admin involvement and allow users to access sites like those that support collaborative work and want such attributes as EPPN, name, and email.

Automating the user consent procedure, combined with metadata-driven attribute release, provides an approach that greatly simplifies this process for all parties, and allows users to reach sites without delay.

Join us for a discussion and demonstration from Brown University and the University of Southern California.

Host/Moderator: Tom Barton, University of Chicago and InCommon Technical Advisory Comittee

Presenters:
Steven Carmody, Brown University and InCommon TAC
Russ Beall, University of Southern California>

Lots more abbreviations and technical terms there, so here is a short primer:

Service Provider (SP)

A web server protected by Shibboleth that a user wants to access.

Identity Provider (IdP)

A web server that can authenticate a user (determine who the user is, typically with username/password) and store User Attributes.

User Attributes

Data about a user, including name, email address, affiliation status (student, employee, faculty, etc.), eduPersonPrincipalName, and TargetedIDs.

eduPersonPrincipalName (EPPN)

A string in the form of user@domain that uniquely identifies the user at an Identity Provider. (InCommon technical definition)

TargetedID

An opaque string stored/generated by the Identity Provider that is unique to each user and Service Provider pair. Passed as a User Attribute between the Identity Provider and the Service Provider, it can facilitate long-term user sessions at the Service Provider without revealing the identity of the user.

This is all stuff that as librarians we should be concerned about. Arguably, a Service Provider should only have enough information to satisfy the demands of a license agreement, and in most cases those demands can be satisfied with an assertion that a user is of a proper affiliation with a library (e.g. “patron” or “student” or “employee” or simply “member”). It is baked into the Shibboleth trust model that the Service Provider will honor the User Attributes presented by the Identity Provider.

What makes the announcement of this webinar interesting is that Service Providers seem to be asking for the non-opaque eduPersonPrincipalName attribute. I’ve long thought that TargetedID — an opaque/random string shared between the Identity Provider and Service Provider — is a much better answer to enabling privacy for functions like marked-item-lists, relevance ranking based on user search history, and other services that are unique to an individual. Because TargetedID doesn’t give away the person’s identity yet is guaranteed by the IdP to be unique to one person at one SP, it is ideal for situations when the SP doesn’t really need to know exactly who is making the request. (Sure, if a user coming to an SP with a TargetedID then gives the SP his/her name or e-mail address, then that person is no longer anonymous but that was a choice the user made.)

So I’m planning on tuning in next Wednesday to get caugh up on what is happening with User Attributes in Shibboleth-land. If you care about this kind of stuff, perhaps you can join me, too.

“How much effort do you want to spend securing your computer systems? Well, how much do you not want to be in front of a reporter’s microphone if a security breach happens?” I don’t remember the exact words, but that quote strongly resembles something I said to a boss at a previous job. Securing systems is unglamorous detail work. One slip-up plus one persistent (or lucky) attacker means years of dedicated efforts are all for naught as personal information is inadvertently released. See, for example, what happened recently with Sony Online Entertainment’s recent troubles.

It was in that frame of mind that I responded to a series of questions from a librarian taking a computer science class. (As someone else who straddles the computer-science/library-science divide, I wanted to encourage this line of thinking!) Now library systems typically don’t have credit card information, so they may not be attractive to individuals that seek to expose or exploit personal information. But our systems do have physical addresses, e-mail addresses, and sometimes birthdays or other personal data. And we have a professional ethic to keep patron use information private.

The person that sent me these questions asked that I not mention a name or affiliation, but that it was okay that I repost the questions along with my replies. I’m hoping this encourages some discussion because my understanding of the use of encryption in ILS products is very narrow and only somewhat deep (and is getting shallower by the day as my direct experience is going on ten years old).

Background on the project is that during our encryption unit, I realized that I didn’t know anything about what libraries to do back up our strongly stated policies about protecting patron privacy, so I wanted to find out more about it.

Questions:

1. What encryption tools/standards, if any, are used to safeguard patron accounts (name, items checked out, databases accessed, etc.) at the library?
2. Where in the systems do these tools typically fit — at the ILS level, or somewhere else? (e.g., university ID systems)
3. How are circulation and other records expunged? I.e., are they permanently deleted in such a way that hard drive forensics couldn’t bring them back?

In my experience, this patron information is not encrypted in integrated library systems. The difficulty is that if those bits of information are encrypted, they must be decrypted by the program in order to be useful (generating an overdue notice means the patron’s information must be known to the program, displaying the patron’s name on his/her account information screen, etc.). And for programs to decrypt they must have the secret key. And if the programs know the secret key it is trivial for an attacker to get the key as well. And since good encryption, by its nature, is computationally “expensive” there would be a lot of system load with all of the encryption and decryption of bits of information. (Computationally expensive is good because it makes it harder for an attacker to guess the correct key.)

Password Hashing Flowchart

Note that passwords are a special case. Passwords are not really encrypted in a database; rather the output of a “one way hash” algorithm is stored. When the user tries to log in, the same one way hash algorithm is applied to the text string entered as a password and if the output matches what is stored in the database the user is let in.

As the diagram shows, with the login attempts the hashed password is not decrypted; the output of the hash algorithm is compared to what is known to be the hashed password.

[Aside: I'm trying an experiment in this post. The diagram is a Scalable Vector Graphic (SVG) file. It seems to be showing up fine in the browsers I'm testing, but I have no idea how it will appear in the RSS feed or if you are using an RSS reader or receiving this post via FeedBurner e-mail. If you don't see the graphic, try viewing the post via the DLTJ website.]

The most effective encryption would be at the database management system layer. For instance, Oracle has “Transparent Data Encryption” feature. “Data is automatically encrypted when it is written to disk and automatically decrypted when accessed by the application.” Automatic encryption is not built into MySQL, but you can use a MySQL-specific function to encrypt a field. PostgreSQL has a contributed module that performs the function.

Another option — other than database-level encryption — is to have the operating system encrypt the underlying filesystem (for example, the Red Hat Encrypted Filesystem). That way all of the database storage files — stored in that filesystem directory — would be encrypted.

Note, though, that in any of these cases, the key is known to the computer somehow, and so it is possible for an attacker to recover the key and decrypt the data. There are, of course, varying levels of obscurity one can apply to the key, but I think we’re getting pretty far off on a tangent.

How often circulation and other records would be expunged would depend on implementations in each software system, but as a general guideline I don’t think a strong deletion mechanism is used to obliterate data on the disk. I’d be happy to be proven otherwise. And as you consider hard drive forensics, also think about pulling the same information off backup tapes; that would probably be easier to get to.

In a follow-up, I was asked:

WRT your response on Q2, do you have an idea of what level “most” or “some” libraries might have the encryption, or were you speaking purely from a view of what ideal/good situations might look like?

On 3, I have heard from a few others that there seems to be just deletion with no zeroing out features or the like and that it does take a period of time (1-2 months) for backup tapes to be overwritten. So it strikes me that the weakest link may be in the area we talk most about protecting.

With regards to the database-level or the filesystem-level encryption, I was speaking from a point of view of what idea/good situations might look like. One of the outcomes of posting these questions to a wider group of readers is, I hope, more real-world experience reports from people who might be running systems that actually do this.

Yes, I think those are weak links, with the backup tapes being the biggest problem. One can’t predict when blocks on a live filesystem disk will be overwritten, but overwriting tapes is pretty predictable — and easy because one doesn’t need access to the live system.

Almost a decade ago while at the University of Connecticut I conducted a survey of ARL libraries on their patron privacy practices. The full text of that survey and ARL member responses are available from Google Books and from HathiTrust. Lee Anne George of ARL confirmed via e-mail that permission has been given for full view of SPEC Kits up through 2005 as well as other ARL publications. Lee Anne said that there are over 400 titles now in full view.

This information is most likely of historical interest only — privacy on the internet has certainly moved from where it was eight years ago. The survey was done right at the height of concern over the USA PATRIOT Act and when models like the TRUSTe were gaining traction. (I don’t think the need for explicit privacy policies and defined practices has gone away. But any policy drafted on the interent the way it was eight years ago probably needs to be reviewed and updated.) So I’m glad that ARL has decided to make this and similar studies openly available.

Within the span of a recent week we’ve had two views of the OCLC cooperative. In one we have a proposition that OCLC has gone astray from its core roots and in the other a celebration of what OCLC can do. One proposes a new mode of cooperation while the other extols the virtues of the existing cooperative. Both writers claim — independently — to “talk to librarians” and represent the prevailing mood of the profession. Can these two viewpoints be reconciled?

“Too Many Cooks?”

I spend quite a bit of time talking both to librarians and industry partners–publishers, booksellers, Web-technology providers, search engine companies–all kinds of people doing interesting things in our space. And in those talks, there is often a discussion of one of the following: content, technology or community. What I’ve come to realize, though, is that the best results come from places where all three come together.

Chip’s post is short but clear in its view that the community of OCLC members is something special and that it adds value to member libraries.

“The Cooperative We Need”

It appears to me that the interests of the OCLC we know today do not appear to be in total alignment with the needs and interests of its overall actual membership. Perhaps they are in alignment with the interests of the Board, Council, and other governing and administrative arms, but the feeling I get in talks with librarians is that it is not in alignment with what they want. As I talk to librarians, across the country today, I hear that what they want is an organization, a cooperative that is focused on developing and providing open and collaborative library content and services that are widely accessible by all in order that they (the librarians) can focus on re-establishing and/or maintaining the value of libraries in our society.

Carl goes on to propose the creation of a utility that aggregates the ratings and rankings of individual users into a database that can enhance the relevance ranking of the emerging generation of discovery layer products.

My Thoughts

Carl describes the problem in his post. When a not-for-profit vendor acquires a significant number of for-profit companies (and spins them back out again), how can we (members, vendors, and the library community in general) understand how the mix of commercial and non-commercial interests are playing out at the management level? Can the OCLC that is the bibliographic utility, the metadata switch between bibliographic-based services, and the R&D braintrust co-exist with the for-profit businesses, motivations, and operations? Or, to put it more sharply, does the negotiation of H.W. Wilson content for use on the subscription-based WorldCat database hinder the evolution of discovery layers that being developed by companies that don’t have the tax-advantaged not-for-profit status? (And don’t forget about the allegations of anti-competitive behavior in the SkyRiver/Innovative-versus-OCLC lawsuit.)

In closing this section, I want to pull out and emphasize another quotation from Carl’s post:

In the end, all of these business initiatives, and now resulting lawsuit, strongly work against OCLC being able to do what it does best—building collaboration, content, and related services as a non-profit entity to serve the larger profession.

Agreed.

Carl’s Grand Idea

I highly recommend reading Carl’s post and thinking about ways of answering the question “What Do We Want From OCLC?” I commend Carl for his courage and vision in articulating his points and proposing something new for the profession to drive towards.

A few weeks ago, a reporter at the Chronicle of Higher Education interviewed Adam Smith, Google’s director of product management, about the Google Book Search settlement and posted the interview in audio form. The page isn’t dated, but guessing from metadata in the URL it was somewhere around the publication of paper issue dated June 26, 2009. I’m calling out this particular interview because Mr. Smith said things that I hadn’t heard in other forms yet — Google’s intentions about privacy in Google Book Search, an explicit statement about the Book Rights Registry releasing information about the status of orphan works, and a statement on what Google expects the size of the orphan works problem to be once the Registry has been in operation for a while.

Below is a rough transcript of portions of the interview. I’ve added emphasis in the transcript to the parts that I hadn’t heard Google representatives say before.

Chronicle host: There has been a lot of concern among librarians and in the library community about access and privacy. Can you alay some of those fears?

Adam Smith: There has been a lot of discussion about how this settlement affect things such as access and privacy, and what we are really looking at is creating a product that will be broadly accessible to the university community as well as the internet community generally. [...] I think with respect to privacy, Google hasn’t designed the product yet so it is hard to have a privacy policy for it, but we fully intend to have a policy that is consistent with a lot of the standard procedures in the library community today. Things such as allowing authentication to happen via IP. But we take privacy seriously and it will be consistent with Google’s privacy policy as well as have some specific provisions when we actually get down to designing the product.

Chronicle host: There have been a lot of interest and concern in so called “orphan works” — where do those fit into the settlement and how do respond to some of the anxiety about that.

Adam Smith: So there is no technical definition of “orphan works” but for the purposes here we’ll say a book for which no rightsholder exists. Google’s mission in this is to really provide broad access to all of these books and when you look at the corpus as a whole, the percentage of books that are available — say — is about 20% are in the public domain or more, about 5% are kind of in print. What that leaves is this center of books that are not in print but may be or may be not in copyright. And what we believe is through the settlement agreement and the establishment of the Books Rights Registry, which is an author- and publisher-controlled entity that will try to track down the rights holders of the particular book, we believe that over time what will happen is that rightsholders will come forward to claim the money that was generated via the economic models and this will allow for better identification of the specific rightsholders to the works. And the Books Rights Registry has committed to making any information — or making the information about whether or not a book has been claimed — making that public so that someone who’s interested in making use of one of these potentially orphan works can understand as to whether or not a rightsholder has come forward for that particular book.

[...]

Chronicle host: Another concern is maybe the one that Google encounters the most — is the question of monopoly. And why we should be happy that the idea that a private company has essential control over 10 million plus works?

Adam Smith: So I think at its root what’s really important here is to look at the agreements. And Google has non-exclusive agreements at the root of all of its agreements. So, its agreements with its library partners are non-exclusive, its agreements with its publishers and authors are non-exclusive. So anyone is free to enter into agreements with those institutions or those publishers. With respect to the settlement agreement, for all works for which a rightsholder comes forward, the Books Rights Registry will have the ability to license or enter into economic models with other parties for those works. So really this is not an exclusive license to Google, but rather it’s establishing the ability for them to get access to these. Obviously for the public domain works, there is no rights or contract associated with that. So what this really leaves is what we believe is a very thin slice of the remaining books, which are the orphan worked books.

I’m glad to see some sensitivity to the notion of privacy in Mr. Smith’s response to that question. The notion of privacy goes beyond using IP address authentication to enable institutional subscription users to access the scanned books, of course — specifically to the collection and disposition of log files related to individuals’ use of the Google books database. I wonder if Google will really consider severing the link between reader and work, as is common practice in libraries today. In the case of online books, that would mean not collecting — or at least immediately anonymizing — the IP address of the machine used to read portions of the book. Time will tell, and this is certainly an area where I hope there is more dialog between Google and academic libraries (should the settlement agreement be approved).

It is interesting that a Google representative is making statements about what the Books Rights Registry will do with orphan works information. I would think it would be up to the registry’s board of directors to decide whether or not they publicly release information about the orphan status of a work. I don’t recall reading in the settlement agreement that it would be mandatory.

Mr. Smith’s answer to the monopoly question ignores the “most favored nation” clause in the settlement agreement that says the Registry cannot offer licensing terms to another party that are more favorable than the ones offered to Google. While that might not be a monopoly in the strictest sense, it certainly makes it harder for any other entity to compete effectively with Google. That same answer also shows Google’s optimism in the estimate that there will be “a very thin slice” of works that will turn out to be orphans — in copyright but without an identified rightsholder. I can only assume that they have internal research to back that up. My gut tells me that there is considerably more than a thin slice, but that part of Mr. Smith’s answer plays well with the notion that Google won’t really have a monopoly because there will be so few books that Google will have the exclusive protections in the class action lawsuit settlement to digitize.

Adam Smith also has answers to questions about why Google didn’t fight it out in court, what Google is doing to help the settlement be approved, and what Google’s reaction might be if the settlement isn’t approved.

The text was modified to update a link from http://chronicle.com/media/audio/v55/i40/smith/ to http://chronicle.com/article/Audio-Whats-Next-for-Google/48349/ on January 20th, 2011.

Last month, Clay Shirky gave a presentation with the title “It’s Not Information Overload. It’s Filter Failure” at the Web 2.0 Expo. ¹ Shirky admits up front at the start of the talk that the topic is something new that he is exploring, and as a result the ideas are not fully formed. (I get lost in how the last of his three examples applies to the topic at hand, for instance.) But his viewpoint is a refreshing way to look at the issue of “information overload” from a new perspective, and it is worth looking at even in this raw stage. For starters, he says that we’ve been facing information overload for the past 500 years — since the introduction of the Gutenburg movable type press gave readers more books than they could possibly read. What has changed in the last decade has been how past information “filters” are no longer effective.

Shirky posits that the expense of printing a book made publishers both the creators of the object and filters for information printed in objects. The relatively high up-front costs of producing the book meant publishers in the position of selecting only the best information to print. Publishers were, in effect, a kind of filter of quality for the onslaught of information as a way of reducing their risks of printing content that no one would want to read. The internet has driven the cost of publishing to near zero, and as such the “pre-publication” filter that publishers provided is no longer in place. (He calls this “post-Gutenburg economics.) In Shirky’s words, “the filter for quality is way downstream from the site of production.”

Shirky points to some examples of filters and talks about their effectiveness. For inbound communication, the example is e-mail spam and how spam filters must be constantly tuned. This is a pretty clear example of what he is talking about — the cost of production is cheap and the assessment of quality is done by the reader, not the producer. The second example is one of outbound communication; Shirky tells the story of a colleague who attempted to use Facebook privacy settings to slowly disseminate the fact that she had broken up with her colleague. (That isn’t what happened. P.S.: Karen Schneider — your name pops up briefly in one of Clay’s screenshots!) The third example is that of a student that faced expulsion from a Canadian university because he started a Facebook homework group. Shirky’s point with this example seems to be that a filter-of-inconvenience was removed through the use of technology — that a study group of 147 students wouldn’t actually occur in real life but was replicated on Facebook.

Some other quotes that caught my ear:

• “Managing your privacy practices is an unnatural act… Privacy is a way of managing information flow… The big question we’re facing around privacy now is that were not moving from one engineered system to another engineered system with different characteristics. We’re moving from an evolved system to an engineered system.”
• “The inefficiency of information flow wasn’t a bug, it was a feature. That’s what privacy was.”
• “What the internet does is allows large systems that are free-rider tolerant rather than free-rider resistant.”
• “It really is about rethinking the [higher education] institutional model. You have to have group conversation. You have to have individual effort. You have to design a system that accommodates both.”
• “If you have the same problem for a long time, maybe it’s not a problem. Maybe it is a fact.” –Yitzhak Rabin

Footnotes

1. Web 2.0 Expo, co-produced by TechWeb and O’Reilly Media, “is a global annual gathering of technical, design, marketing, and business professionals who are building the next generation web. Web 2.0 Expo features the most innovative and successful Internet industry figures and companies providing attendees with examples of business models, development paradigms, and design strategies to enable mainstream businesses and new arrivals to the Web 2.0 world to take advantage of this new generation of services and opportunities.”

The title of this post is the same as the report it describes, Everyone’s Guide to By-Passing Internet Censorship for Citizens Worldwide [PDF]. It was announced by Ronald Deibert last week on his blog at Citizen Lab. The one sentence synopsis goes like this: “This guide is meant to introduce non-technical users to Internet censorship circumvention technologies, and help them choose which of them best suits their circumstances and needs.”

Although the stated audience is non-technical users, I found the description of techniques and circumstances under which one might deploy the techniques very interesting. The document provides guidance for those seeking circumvention and those who want to provide it. After a brief introduction to censorship activities worldwide (including in the United States), it walks the reader through an analysis of needs and describes solutions that meet the needs based on the user’s technical skills. I knew ‘tor‘ — a long-time favorite of mine — would be in there, but I was surprised by the range of other options.

To put a library spin on the report, some of the solutions offered are usable on “public computers” — such as, say, what one might find in a library. One could take the report and read about the techniques with the intent to block them on your public workstations, but I think another reading of it would say that such attempts are ultimately futile because of the likelihood of other similar services popping up to take their place. Unless you are running a white-list-only setup (that is to say, your public workstations are explicitly set to only allow access to a prescribed set of sites), any user can walk up to any public workstation and access the circumvention sites described in the report or any other ones that spring into existence.

The circumvention techniques are, of course, do not provide an assurance of privacy. Even though the network traffic is encrypted, the activities of the user can still be monitored by keystroke loggers and other techniques in the workstation itself. In order to get around that, one would need to restart the public workstation with a bootable Linux distribution, but that is perhaps a report for another time…

The text was modified to update a link from http://deibert.citizenlab.org/Circ_guide.pdf to http://www.nartv.org/mirror/circ_guide.pdf on January 28th, 2011.

The text was modified to update a link from http://deibert.citizenlab.org/Circ_guide.pdf to http://www.nartv.org/mirror/circ_guide.pdf on January 28th, 2011.

The text was modified to update a link from http://deibert.citizenlab.org/blog/_archives/2007/10/10/3282831.html to http://deibert.citizenlab.org/2007/10/everyones-guide-to-by-passing-internet-censorship-for-citizens-worldwide-new-release/ on January 28th, 2011.

The text was modified to remove a link to http://www.tech-faq.com/bootable-linux-distributions.shtml on January 28th, 2011.

Published in The New Yorker July 5, 1993.
Image from The Cartoon Bank

As the saying, now a part of Internet lore, goes: “On the Internet, nobody knows you’re a dog.” That may be true, but now we must add: “But we do know if you are from a major news organization or corporation.”

Wired magazine reports on the efforts of Virgil Griffith to expose the source of anonymous edits to Wikipedia. In Virgil’s words, “I came up with the idea when I heard about Congressmen getting caught for white-washing their wikipedia pages.” So he created a searchable database of anonymous edits to Wikipedia pages indexed by the IP address of the computer that made the edit. By cross-referencing those edits with the database of IP addresses assigned to organizations, one can speculate with some certainty about who made the edit — or at least the organization responsible for the IP address of the person who made the edit. There is a list of interesting examples of wikiscanner results along the right side of the wikiscanner homepage, and Wired Magazine is inviting users to submit interesting examples as well.

This is an interesting project, but it is not without faults. First, non-anonymous edits — that is, when a user signs into Wikipedia — are not tracked. Since account registrations are free and not tied to a particular IP address, edits by an organization can be “masked” behind a slew of pseudo-anonymous accounts. (For instance, the list of edits for the range of IP addresses assigned to the OhioLINK central offices does not include edits made when I was logged into to my Wikipedia account.) Second, Virgil is presumably using a recent snapshot of the IP assignments database. Since IP address assignments can change over time, a current assignee could be implicated by the changes of the previous owner. Third, the whole system can be thwarted by systems and services that mask the IP address of the machine being used. So the credibility of the anonymous edits database is about the same as that of Wikipedia itself — good enough for most uses, but not extremely high.

The text was modified to remove a link to http://wikiscanner.virgil.gr/f.php?ip1=192.153.30.0-255&ip2=&ip3=&ip4= on January 19th, 2011.