On April 17, 2019, the National Information Standards Organization (NISO)
issued a call for public comments on a draft recommended practice for improving access to institutionally provided information resources. The draft is based on findings from the RA21: Resource Access for the 21st Century initiative and provides recommendations for using federated identity as an access model and for improving the federated authentication user experience. The Association of Research Libraries (ARL)
has offered its comments on the proposal, based on input from member representatives and broader engagement within the community.
The Association of Research Libraries (ARL) is a non-profit collective of 124 leading research institutions in Canada and the United States.
While the Association appreciates the RA21 Steering Committee's work on this topic, it is of the opinion that the bulk of the draft document focuses on user interface design, with far less attention paid to other critical interests of research libraries and their users, such as privacy, accessibility, and real-world control over data flows. As a result, the current recommendations lack many of the important details needed to fully understand how this vision would be implemented, and whether it properly serves the interests of all stakeholders. It is felt that a more balanced representation on the steering committee could help resolve some of these concerns.
ARL understands that the RA21 initiative arose out of an effort by the International Association of STM Publishers (STM) to address issues of piracy and user experience, and initially focused on authentication challenges "in the corporate space." The needs of academic, federal and public libraries vary greatly from those of corporate customers. Given ARL's review of the recommendations, it believes that there are significant mismatches between the focus of its recommendations and the priorities and perspectives of research libraries.
ARL supports many of the comments provided by other members of the academic library community.
As noted above, representation on RA21's governing committees is far from balanced. For the draft recommendations to be useful to the research library community, further convening beyond the existing committees are required, along with a re-evaluation of the steering committee's composition.
The draft does not include sufficient information to evaluate the probable real-world effects on user privacy and data management. ARL understands that, in theory, federated authentication as proposed by RA21 could be used without any additional data collection by service providers. In practice, however, the recommendations plainly anticipate a wide range of user-specific data collection and tracking, without resolving many important details. ARL believes that further deliberation on these concerns is necessary for the recommendations to be implemented successfully.
Research libraries serve both institution-based users and members of the public. Public access is integral to the mission of land-grant institutions, and a majority of ARL libraries are also Federal Depository Libraries, which must provide public access to that collection and related online information resources, often including proprietary resources. Research library licensing agreements with vendors and publishers provide for onsite public access. It will be important for any authentication system to ensure public access, as many research libraries are required by law to provide it.
Further, ARL feels that the draft recommendation does not meet the latest accessibility standards. The most current accepted standard is WCAG 2.1 AA, not WCAG 2.0 AA. The former should be incorporated into any recommendations going forward. In addition, research libraries may be required to remediate otherwise-inaccessible information resources for individual users. If the vendor or publisher provides access directly, via RA21's proposed authentication, it may exclude the library and its capabilities, imposing practical difficulties and/or significant delays on remediation, or even leaving the user with no recourse at all.
How will research libraries audit implementations and uses of federated authentication to ensure that vendors and publishers are meeting contractual requirements, including data management obligations? It is important that the recommended practices provide concrete mechanisms for service provider accountability, notes ARL.
Research libraries require electronic resource usage statistics, which are critically important in their budgeting and other management decisions. Currently, library proxy servers generate this aggregate data, which is protected by library and university data policies, without depending on publishers and vendors to provide it. As currently drafted, RA21 is ultimately intended to replace library-controlled IP authentication systems, yet it provides no equivalent for library-controlled usage data. Instead, it seems likely to force research libraries into a greater dependence on service providers, who could often have significant incentives to withhold or manipulate the relevant data-for example, to gain an informational advantage in pricing negotiations. This will be important to address going forward.
In summary, ARL believes that more work on this vision and implementation is required, as is consultation with the research library community. As drafted, these recommendations present a new system of access to research resources that envisions a limited role for research libraries with little, if any, interaction with their clientele. An adjustment in the scope and scale of these recommendations could alleviate some concerns. Further, ARL notes that the recommendations would be more productive and better received by research libraries if they were limited to the technical details of how to improve Shibboleth. If they did not aspire to a systemic redesign of access management, and a wholesale replacement of IP-based authentication, they would probably not trigger as wide a range of concerns and complexities. Brought to you by Scope e-Knowledge Center, a trusted global partner for digital content transformation solutions - Abstracting&Indexing (A&I), Knowledge Modeling (Taxonomies, Thesauri and Ontologies), and Metadata Enrichment&Entity Extraction.