FIM4L Working Group in Talks with Elsevier — Towards Federated Access Best Practices

Posted: 18-06-2022 Topics: Federated Access

At the beginning of 2022, the LIBER FIM4L Working Group and Elsevier held a series of talks on the topic of federated access. 

Federated access, also called Shibboleth or SSO, can be used by libraries to provide access to electronic resources. During the login process information about the user is (often) exchanged with the publisher. The library, publisher, and user can decide which information to share.

Below, the LIBER FIM4L Working Group shares the latest findings of these discussions with Elsevier and highlights some of the challenges and opportunities that lie ahead when it comes to federated access.

The concept of ‘agile’ federated access

During recent talks with Elsevier, FIM4L presented the technical possibilities when it comes to releasing a variety of attributes during the login process. The concept is called ‘agile’ and is based on the CAR system from Duke University. CAR implements informed Consent Attribute Release. With this in place, a user is able to approve or deny the release of every attribute at the login phase.

The possibility of whether or not to release a persistent identifier, also known as a pseudonymous identifier, implies great consequences. This question has been at the forefront of the FIM4L working group’s talks with Elsevier.

Specifically, the concept provides the choice for a user to remain anonymous, pseudonymous, or personally identified during the federated login process and hence when accessing the publisher’s platform.

Rob Carter from Duke University gave a live showcase of this concept [1], using the CAR system to block the pseudonymous identifier from being passed to the Elsevier ScienceDirect platform. Technically, everything worked as expected.
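The per-attribute consent model described above can be sketched as follows. This is an added example, not code from CAR, Duke University, or the original post: the attribute names, the HMAC-based derivation of the pseudonymous identifier, the salt, and the service provider URLs are all illustrative assumptions.

```python
import hashlib
import hmac

# Constructed sample values; none of them come from the original post.
IDP_SALT = b"constructed-idp-secret-salt"
SP_A = "https://sp-a.example.org/shibboleth"
SP_B = "https://sp-b.example.org/shibboleth"

# Illustrative grouping of attributes by how much they reveal.
PSEUDONYMOUS = {"pairwise-id"}
IDENTIFYING = {"mail", "displayName"}


def pairwise_id(local_user: str, sp_entity_id: str) -> str:
    """Pseudonymous identifier: stable per (user, SP), different for each SP."""
    msg = f"{local_user}!{sp_entity_id}".encode()
    return hmac.new(IDP_SALT, msg, hashlib.sha256).hexdigest()[:32]


def candidate_attributes(local_user: str, sp_entity_id: str) -> dict:
    """Everything the identity provider could send to this SP."""
    return {
        "eduPersonScopedAffiliation": "member@library.example.edu",
        "pairwise-id": pairwise_id(local_user, sp_entity_id),
        "mail": f"{local_user}@library.example.edu",
        "displayName": "Constructed User",
    }


def release(local_user: str, sp_entity_id: str, consent: dict) -> dict:
    """Release only attributes the user explicitly approved (default deny)."""
    attrs = candidate_attributes(local_user, sp_entity_id)
    return {k: v for k, v in attrs.items() if consent.get(k) is True}


def identity_level(released: dict) -> str:
    """Classify what the publisher can learn from the released attributes."""
    names = set(released)
    if names & IDENTIFYING:
        return "identified"
    if names & PSEUDONYMOUS:
        return "pseudonymous"
    return "anonymous"
```

With only the affiliation approved, the publisher can authorise access but cannot recognise a returning user; approving the pairwise identifier lets one publisher recognise the user across sessions without linking them to other publishers.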

Anonymous login and user experience

A major topic for the FIM4L Working Group is considering different user journeys, as users can arrive via different paths and with different identities, but expect a unified experience. 

Several problems across the Elsevier platforms arise when users log in without a pseudonymous identifier, in other words, anonymously.

The Working Group regards Elsevier as a complex publisher with many features and possibilities in place. For instance, there are different services available, such as ScienceDirect and Scopus, but also Mendeley as a public service for which personal login is required. Other online content providers typically offer a simpler platform for managing privacy. In this regard, Elsevier offers an excellent opportunity to investigate interactions between identity and anonymity.

Points of consideration for anonymous login:

  • Not all Elsevier products support anonymity.
  • If an anonymous, logged-in user decides to set up alerts at e.g. ScienceDirect, they will be informed that they should log in first. Then they probably create a new user account, perhaps apart from an existing one, and their current session gets terminated.
  • When an identified user logs out, they cannot log in anonymously anymore in that session.

If anonymous login were officially supported by a publisher, it would be important to inform users through very clear communication. This is difficult for two reasons: users do not understand these login differences, and there could always be cases during the user’s journey where they are not informed at all.

Building trust

Given these and many other difficulties of anonymous login, it is crucial to clearly consider why anonymous login is needed at all. The first reason is the library’s value that it must be possible to conduct research anonymously. In fact, most users trust the relationship between the library and the publisher. However, critical users will still value the possibility of anonymous access, which most libraries support. Therefore, this question will always remain, since most libraries deem it fundamental. We deem it to be important because we know that anonymity on the internet is often impossible.

If a pseudonymous identifier for the user is far more convenient and technically preferable, we can ask ourselves whether there is a way to create a trusting relationship with the publisher while also giving the user the option to be explicitly anonymous to the publisher (if the user requires that).

Considerations for pseudonymous login

Given FIM4L’s talks with Elsevier, there are still various considerations for libraries. 

Note – it is important to have trust and reciprocity between the library, publisher, and users. This can be achieved by:

  • Contractual language;
  • Technical transparency;
  • Creating user awareness (anonymity is not possible anyway).

The FIM4L Working Group believes the library should advocate anonymity to the publisher, and this should not stop at SAML or other authentication methods. The publisher has more data and therefore more responsibility than the library. Even though a user might come anonymously from the library, in the publisher’s system things could be different.

It is therefore beneficial to have a code of conduct in addition to a technical solution. A general template — or data processing agreement (DPA) — which libraries can use for publishers seems to be a good idea. And technical transparency could support such reciprocity.

In addition to the library-publisher relationship, the library should provide additional guidelines for users when it wants users to have an anonymous research journey (or as far as possible). Libraries have, historically, had a crucial role in educating users on issues of privacy and this is another such opportunity. Browser-related recommendations could be part of it.

A remaining question seems to be the following: a publisher has many methods to track users and for good reasons. Is it possible then for an authenticated user to opt out of a personalised session and to move into an anonymous session? If a publisher can provide this possibility, it would align with the values upheld by libraries — that a user should have the ability to conduct research anonymously.

Lastly, another consideration in offering a variety of access possibilities is the opportunity to educate users on the tradeoffs between attribute release and access models. In addition, these choices provide a chance to illustrate the virtues of transparency when it comes to user interactions with content providers — the user gets to clearly see what is being shared and why. And this is fundamental to the value of transparency and openness fostered by libraries.  

Learn more about LIBER’s FIM4L Working Group

Endnotes

[1] Watch the video recording here. (3/8/2022)

[This blog post has been written by LIBER’s FIM4L Working Group]
