Success stories in user engagement: Resource Access in the 21st Century (RA21) Panelist: Heather Flanagan, RA21 Academic pilot coordinator   Online access to research and scholarly content is a wonder of the modern digital age. But with great power comes a wealth of complexity. Online access brings challenges around digital identity, around consent, and even around business models. The RA21 project is not trying to eat that entire elephant: our part is just the part where someone is trying to use a credential from their home organization, campus, or business to access content, and needs to actually find that organization in a list of (potentially) thousands of options. This is called the identity discovery problem. February 9, 2018

What is RA21? RA21: Resource Access for the 21st Century Joint initiative of the International Association of STM Publishers (STM) and the National Information Standards Organization (NISO) Aimed at optimizing access protocols across key stakeholder groups Corporate and university subscribers, libraries, software vendors, publishers, identity federation operators, etc. Purpose: To a facilitate seamless user experience beyond IP address recognition, supporting network security and user privacy RA21 is sponsored by an association of scholarly publishers (STM) and NISO, a US-based standards organization that focuses on information standards. The stakeholders involved include librarians, scholarly publishers, federation operators, and software vendors. And what we’re trying to get to is a world where a user’s access to content doesn’t depend on being on the correct network, but instead can be done from anywhere, without prior set up, and yet still supports individual privacy.

Why RA21? Simple access to content needs to be fixed, especially for off campus use: Scholarly content & services are increasingly being accessed from outside of corporate/campus networks Publisher pathways for providing off-network access has not kept pace with our experience as consumers (e.g. Google, Facebook, LinkedIn logins across multiple sites). When accessing publisher platforms off-network, fully entitled end users are turning to alternative resources (e.g. SciHub, etc.) because of ease of access. RA21 has been established as the first step in the journey towards replacing the now outdated IP based access & authentication model. Probably the most common way to legally access online content these days is via IP proxies or through physically being on a pre-approved network. This model worked fairly well in that short window of time when the Internet was becoming a thing, but working from airports and coffee shops was not. The American Chemical Society did some research to identify how much mobile traffic was coming to their sites, and you can see from the graph that it’s been a steadily increasing trend over time. 

RA21 Goals Recommend new solutions for access strategies beyond IP recognition in joint collaboration with software vendors, libraries, federation operators Test and improve solutions by organizing pilots in a variety of environments for the creation of best practice recommendations: Corporate Pilot Two Academic Pilots: Privacy Preserving Persistent WAYF (P3W) Pilot WAYF Cloud Pilot Pilots working together on: User experience and a reference UI Privacy and security issues RA21 as a project will not develop a specific technical solution or one industry-wide authentication platform RA21 is working under an assumption that we must replace IP address authorization models with the use of federated identity. Federated identity relies on agreements between a content provider and an identity provider, usually as part of a broader federation that brokers the trust between them and all other entities in the federation. This is a very tall order, and so our main focus is on the first technical step of the problem, that of the identity discovery process. We are working to come up with a set of best practices in that space, and are getting there by actually trying things out via pilot efforts that are testing different ideas. 

Currently off-campus access is complex, cumbersome, and not secure Current Situation Currently off-campus access is complex, cumbersome, and not secure Off-network access to scholarly content and services is managed via a confusing mix of VPN servers, Proxy servers, Shibboleth, library portals, etc. Inconsistent user experience across publisher platforms Cumbersome: multiple steps required (with hundreds of options offered at various points) Complex: pathways are not clear Not secure: hard to detect fraud, theft and leaks Let’s look a bit more at why we think the current world of IP address authorization is no longer viable. It is a model that works beautifully on the campus or enterprise network, but as soon as you leave that network, you’ve got some challenges.

Off-Campus Solutions VPN/Proxy Servers Of course, you could set up a VPN to make everything look like you’re on campus. VPNs, however, must to be set up in advance, and require a certain amount of technical savvy on the part of the user to configure. If you want your content now, and we have been well trained by today’s Internet to expect immediate gratification, this is a problem.

Off-Campus Solutions VPN/Proxy Device Pairing While not common, some vendors offer apps that let you pair specific devices with subscriptions. Again, something that needs to be done in advance and sometimes with some technical know how in order to access the content. 

Off-Campus Solutions VPN/Proxy Device Pairing Google’s Campus- Activated Subscriber Access (CASA) There is a project called CASA, coming out of Google, that remembers that a user has logged in on campus, and stores that information so that future off-campus website visits can continue to authorize access to Google Scholar content for up to a week. So, something that again must be done on campus first, and has the added quirk of only working for content accessed via Google Scholar. 

All Leverage Institutional IP Address Recognition Off-Campus Solutions VPN/Proxy Device Pairing CASA (Google) All Leverage Institutional IP Address Recognition All Require User Setup In Advance These are all options that require pre-configuration, and they all depend a certain amount on the IP address of the user. There are better ways that can retain a user’s privacy and work at any time, from anywhere.

RA21 User Experience “You have to start with the customer experience and work your way back to technology.” — Steve Jobs RA21 is coming at this with the user experience at the forefront of our minds. If the user’s find this too hard, we’ve failed.

RA21 User Experience RA21 seeks to follow the pattern emerging on consumer websites: And we have some tough acts to live up to. People are becoming quite familiar with federated login via consumer sites such as Google, LinkedIn, and Facebook. So, why not just use those? Because privacy is important, and you’re not going to get it with a consumer service. You _are_ their product.

Consumer Web – First Time User Experience Let’s look at an example. Doodle is a hugely useful service that let’s people vote on options; most often, it’s used to find meeting times. ** Let’s say you don’t want to create yet another account, and so rather than signing up with Doodle, you decide to continue with a Google account. ** And look, you have several Google accounts to choose from, great! 

Consumer Web – Subsequent Visits And now, on subsequent visits, Doodle knows who you are. 

Consumer Web – Privacy Concerns?? Doodle now knows some highly personal information about me: my name my picture, my email address In fact, they know your name, they know your email, they even know your avatar. The question you should ask yourself at this point is: why do they have to know all that about you? I would argue that they don’t.

RA21 UX Development Seeks to implement the same ease of use as found in consumer web examples, while still preserving user privacy. On Campus Typical Research Discovery Workflow RA21 is trying to duplicate the ease of authentication and access, but in a much more privacy preserving manner. ** Let’s look at a typical research workflow where a user is going to their favorite search site ** to research biodegradable fibers. If the user is on their campus or enterprise network, then poof! ** They have access to the content. And if they are not on campus, ** boo! They don’t have legal access so let’s all go to Sci-Hub. ** Fortunately, there is a legal option if we’re talking about federated identity. The user may authenticate to their home institution, in this example, The Ohio State University, an organization that happens to have subscriptions to all these publications.

RA21 UX Development Seeks to implement the same ease of use as found in consumer web examples, while still preserving user privacy. Typical Research Discovery Workflow Off Campus RA21 is trying to duplicate the ease of authentication and access, but in a much more privacy preserving manner. ** Let’s look at a typical research workflow where a user is going to their favorite search site ** to research biodegradable fibers. If the user is on their campus or enterprise network, then poof! ** They have access to the content. And if they are not on campus, ** boo! They don’t have legal access so let’s all go to Sci-Hub. ** Fortunately, there is a legal option if we’re talking about federated identity. The user may authenticate to their home institution, in this example, The Ohio State University, an organization that happens to have subscriptions to all these publications.

RA21 UX Development Seeks to implement the same ease of use as found in consumer web examples, while still preserving user privacy. Typical Research Discovery Workflow Off Campus RA21 is trying to duplicate the ease of authentication and access, but in a much more privacy preserving manner. ** Let’s look at a typical research workflow where a user is going to their favorite search site ** to research biodegradable fibers. If the user is on their campus or enterprise network, then poof! ** They have access to the content. And if they are not on campus, ** boo! They don’t have legal access so let’s all go to Sci-Hub. ** Fortunately, there is a legal option if we’re talking about federated identity. The user may authenticate to their home institution, in this example, The Ohio State University, an organization that happens to have subscriptions to all these publications.

Preserving Privacy User: 12345 Role: Student User: 56789 User: 55555 Publishers receive attributes about the user, not the user’s identity. Reporting: ChemStudent In a federated login scenario**, what is generally passed from the organization back to the content provider is information about the user (such as whether or not they were able to authenticate, and how they are affiliated with the university). **Sharing information like name and email is discouraged by the contractual agreements the content providers and the Identity Providers sign when they join a federation. **So, more information can be shared, but exactly what and how much is something that can be controlled by the institution, not by the content provider. 

Concerns Addressed around RA21 and Federated Identity IP authentication is inherently privacy persevering while federated authentication technologies are not Busted: Federated authentication can be privacy preserving, while some privacy regulations (e.g. GDPR) consider IP addresses as personally identifiable information. Proxy servers work just fine as a solution for off-campus access Busted: Proxy servers force individuals to start their research journey on an institutional portal rather than directly from their tool of choice (e.g. Google, PubMed). RA21 just wants to enable publishers to track users across each other’s platforms Busted: Cross-site tracking technology is decades old. The fact that publishers haven’t pursued this indicates there is limited, if any, commercial motivation to do so. RA21 creates yet another username and password Busted: RA21 leverages a user’s existing institutional credentials and does not require the creation of publisher-specific usernames and passwords. There is a lot of fear and doubt about federated identity services and about RA21 in particular. Concerns such as the belief that publishers will harvest any and all information possible for business and marketing purposes, or that this is really creating just another username and password for a person to have to deal with. Those concerns are understandable, but not an accurate reflection of what actually happens in this scenario.

Concerns Addressed around RA21 and Federated Identity (continued) RA21 is placing control of users’ identity in the hands of institutions and not the individuals themselves Plausible: RA21 seeks to validate that a user is a member of an institution's authorized user community. Doing so does not require that an institution reveal the identity of the user. However, it is possible that some campus/corporate identity systems may be configured to convey personal information to some service providers. RA21 seeks to eliminate IP-based access Confirmed: RA21 believes that federated authentication provides many advantages over IP-based access. The obvious starting point for RA21 is to improve a user’s experience while away from the campus/corporate network. We hypothesize that it will eventually become second nature for users to use their institutional credentials to access scholarly resources regardless of location. What is valid is that we are talking about information that the institution is authoritative for about the user, not about the user’s information, and so user consent is not really part of our discussion. What is also valid is that we would like to see federated identity become the thing that replaces IP-based authorization.

Rolling out RA21 Who does the work? Everybody! Content providers: will need changes to their web site and services to support federated login may be as simple as adding a URL, or may be in depth technical integrations Librarians: will need to be prepared to answer questions of their users and work with the central IT departments Identity providers and federation operators: will need to continue to build and strengthen the trust model of federation I expect another area of concern is: who is going to do this work? How would this roll out? Each stakeholder has a part of this: Content providers, be they publishers or vendors, will need to make changes to their web site and services to support federated login, and it may be as simple as adding a URL to planning for some very deep, technical integrations—we’re planning for a variety of levels here. Librarians will need to be prepared to answer questions of their users and—and this will be hard on many campuses—actually work with the central IT departments to be a part of the conversation on how they identity provider should behave and what information they should release.  Identity providers and federation operators have their own parts to play as well to build and strengthen the trust models that will make all this work and allow organizations confident that the right things are happening with respect to security and privacy.

Take aways: RA21 vs. IP-based Solutions No prior setup required (e.g., to configure a proxy/VPN server, pair a device, etc.). No disruption to the research discovery workflow. Ability for publishers to offer differentiated user experience or differentiated services based upon user attributes (not identity). Ability to block a single user account instead of an IP address, and offer more targeted information to campus security to investigate potentially compromised credentials. Ability to offer more granular usage reporting back to subscribers. So, for a quick summary regarding the expected outcomes of RA21: we will be proposing best practices that assume no prior set up required by the user, that assume the content providers can provide differentiated services based on information about a user and not the individual user’s personal information, that bad actors can be more easily identified through cooperation between the content provider and the identity provider, and that organizations can opt in to more granular usage reporting (by including an attribute with department billing codes, for example) - this would again be information owned by an institution about a user, but not the user’s personal information. 

Throughout RA21 and onwards RA21 Roadmap 2018 and onwards Q1 2018 Early outputs Position papers Q1-Q2 2018 Mid-term outputs Task Forces: UX; Security / privacy Pilots: Options for discovery; technology platforms Q2/ Q3 2018 Final Recommendations and open consultation (via NISO process) Q4 2018 and onwards Long Term outputs Creation of and involvement in Operational User Communities Throughout RA21 and onwards Ongoing outreach engagement across key stakeholder communities Beyond 2018: STM hands over the lead of the project to NISO for adoption and implementation by all stakeholders The goal is to have the best practices out for discussion by mid-year, and to have a final output by the end of 2018. Going forward, we expect to see organizations building operational services based on the RA21 best practices.

Outreach Activities ALA Midwinter - January 20-24, 2018 Denver CNI - December 2016, April 2017 STM - December 2016, July 2017, December 2017 SSP - May 2017 JISC - July 2017 AGLIN Forum - August 2017 SURF - September 2017 Utrecht Internet2 - October 2017 San Francisco Charleston Conference - November 10, 2017 UKSG - November 16, 2017 CCC - hosted webinar November 16, 2017 RA21 in the News Myth Busting: Five Commonly Held Misconceptions About RA21 (and One Rumor Confirmed) https://scholarlykitchen.sspnet.org/2018/02/07/myth-busting-five-commonly-held-misconceptions-ra21/ UKSG Insight – Opinion Pieces: “Easy access to the version of record (VoR) could help combat piracy: views from a publishing technologist” Author: Tasha Mellins-Cohen. 10 July 2017. Society for Scholarly Publishing – Scholarly Kitchen: “Failure to Deliver: Reaching Users in an Increasingly Mobile World” Author: Todd Carpenter. 15 June 2017. Library Learning Space: “RA21 and libraries” 16 May 2017. Index Data: “RA21 Project aims to ease remote access to licensed content” Author: Peter Murray. 19 December 2016. ALA Midwinter - January 20-24, 2018 Denver PSP - February 7-9, 2018 DC ER&L – March 6-8, 2018 Austin MLA Insights – March 6, 2018 Chicago ACS – March 18-22, 2018 New Orleans STM – April 24-26, 2018 Philadelphia MLA - May 18-23, 2018, Atlanta SLA – June 9-13, 2018 Baltimore If you’d like to learn more, we have a very active outreach committee that has planned for sessions at a wide variety of events. This kind of broad outreach, the broad cross-sector list of stakeholders, the global nature of the work, is what makes this a strong project and leads us towards success.

Visit: https://www.RA21.org Questions? Visit: https://www.RA21.org Contact: Julia Wallace Program Director Julia@RA21.org Heather Flanagan Pilot Coordinator Heather@RA21.org And if you’d like to talk directly to me or Julia Wallace, the program director, about the project, you can contact us at the addresses on the slide. We’d be happy to add you to the announce list, too.