So says Dr Seuss, who happens to share a name with my son.

Today is officially my last day at JISC. As I’m not going too far I won’t get too whimsical on you, but as I’ve clocked up nearly 10 years on JISC projects and in the JISC Exec so far, it is time to reflect a bit.

I first heard of JISC when I applied to be a researcher on the JISC ‘Angel’ project, in a post based at Southbank and then at LSE. I was supposed to be drawing on my experience as a remedial support tutor to support the ‘Learning Environment’ bit of Angel – however some bright spark decided that the environment needed authenticating. Some other bright spark mentioned Shibboleth. The rest, as they say, is history.

I’ve had lots of highs and lows, but I shall try to focus on some of the highs for now as it seems more appropriate:

  • Launching a service based on a standard that a lot of naysayers said would never happen was kind of a nice achievement. Even better, it is used by nearly every HE institution in the country and over 80% of FE.
  • Getting to see the epic dance moves of many of my colleagues and peers over the years has been a constant source of pleasure. The stylings of Stuart Dempster and Peter Burnhill have to be a highlight, and I will never forget crashing another conference’s ceilidh with several 07/99 people back in 2003.
  • I’ve heard some great people talking. Too many to mention but Lawrence Lessig was the absolute highlight closely followed by the Improbable Research people.
  • My work seems to have taken me too near far too many animals for an IT job, from Koalas in Sydney to swimming with dolphins in San Diego and holding a baby crocodile in New Orleans.
  • I’ve been involved in over 100 JISC projects as a programme manager and a service manager – everything from GRID projects and setting up OSS Watch through to many access management projects and the important planning of JISC Christmas parties :-)
  • I’ve worked with amazing people. Again too many to mention but it would be unfair not to highlight Hetesh, Caren, Liam, Tish, Stuart D and Helen Hockx as my earliest sparring partners in JISC. I’m going to continue looking forward to working with very clever individuals like Rhys, David H, Ian Young, Rod, Chad, Ken, Licia, Klaas….again far too many lovely people.
  • More information about my new role will be properly announced when I get back from holidays at the beginning of September, but I will be doing a little work for REFEDs, a little work for the Shib Consortium, a little work for JISC, running FAM10 and keeping up this blog for my two readers :-)

So thank you JISC, it’s been an adventure. It’s been fun, challenging, immensely frustrating, hysterical, tiring and at times dangerous! I can definitely smile.

#advertgate

Something that got my brain working this morning was a timely tweet from the ever observant @daveyp about the fact that ScienceDirect are using DoubleClick adverts at article level on some of their resources. Here’s an example for you:

Now firstly, I’m not necessarily saying this is a bad thing. Elsevier make it quite clear that they use advertising and I think any publisher should be looking at alternative income streams to subscription in the current climate. I’d hope that this lucrative income stream would mean significant savings for institutions on the very high subscription rates they pay for ScienceDirect, but I will leave that to people better suited than me to discuss with Elsevier.

So I don’t really have a problem with the advertising per se, although it is highly unusual for an online service to use advertising on a platform you subscribe to – this is normally kept purely for ‘free’ platforms, and we accept that the price of free is the advertising bombardment.

My real issue is the use of DoubleClick itself. DoubleClick is not just advertising software, it is also effectively spyware. If you look at the DoubleClick links being generated on ScienceDirect, you will see that the ISSNs of the resources visited are included in the URLs for DoubleClick. DoubleClick URLs can also be observed at work on the Elsevier site even when there is no apparent ‘in your face’ advert as in my example. So what Elsevier are doing is not just selling advertising space to, well, Google, but also selling them business intelligence about our users without really making this clear and apparent.

As a recent JISC workshop clearly demonstrated, user behaviour is highly desirable information and it is business intelligence that should be benefiting institutions and not third parties. Now you could argue that this is user behaviour on the Elsevier website and therefore theirs to do with as they please – but I don’t think the relationship between users and academic publishers is that simple. ScienceDirect holds a privileged position within our community. It is a monopoly platform – we cannot source this material elsewhere. All over the world, librarians are advertising ScienceDirect freely to their users for Elsevier, saving them millions of pounds in advertising to end-users. We push users in to this environment, so we have responsibility for who is tracking their behaviour within that environment. I also think that because of this relationship, only the institutions should be privy to the business intelligence about their users – or at least have a say in where it goes!

We spend a lot of time talking about protecting personal information about our users, which is obviously critically important. However, activity without PII (personally identifiable information) is still crucially valuable to online providers, and we do perhaps need to wake up and look more carefully at protecting this information and more importantly making sure that institutions are the ones gaining business intelligence about their users.
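A way to check a browsing session for the leak described above, as an added example that is not from the original post: it scans the URLs a page requested and reports third-party hosts that received a checksum-valid ISSN. The request list, the `journals.example` site and the DoubleClick parameter layout are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# An ISSN is 8 characters, optionally hyphenated; the last may be 'X'.
# The lookarounds stop a match inside a longer number such as a timestamp.
ISSN_RE = re.compile(r"(?<![0-9A-Za-z])(\d{4})-?(\d{3}[\dXx])(?![0-9A-Za-z])")


def valid_issn(chars):
    """True if the 8-character string passes the ISSN mod-11 check digit."""
    total = sum(int(d) * w for d, w in zip(chars[:7], range(8, 1, -1)))
    check = (11 - total % 11) % 11
    return chars[7].upper() == ("X" if check == 10 else str(check))


def is_first_party(host, first_party_domains):
    """Host is the subscribed platform itself or one of its subdomains."""
    return any(host == d or host.endswith("." + d) for d in first_party_domains)


def find_issn_leaks(request_urls, first_party_domains):
    """Return (third_party_host, issn) pairs, in request order, deduplicated."""
    leaks = []
    for url in request_urls:
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if not host or is_first_party(host, first_party_domains):
            continue
        # Search the decoded path and query, since ad tags often carry
        # key=value pairs in the path rather than the query string.
        haystack = unquote(parts.path + "?" + parts.query)
        for m in ISSN_RE.finditer(haystack):
            raw = m.group(1) + m.group(2)
            if valid_issn(raw):
                hit = (host, f"{raw[:4]}-{raw[4:].upper()}")
                if hit not in leaks:
                    leaks.append(hit)
    return leaks


# Constructed sample: requests made while viewing one article page.
# The ISSNs are checksum-valid but made up; parameter names are hypothetical.
SAMPLE_REQUESTS = [
    "https://journals.example/static/site.css",
    "https://journals.example/journal/1234-5679/toc",
    "https://ad.doubleclick.net/adj/example.site/journal;issn=1234-5679;sz=728x90;ord=12345678?",
    "https://ad.doubleclick.net/pixel?j=2434561X&t=1280000000123",
    "https://cdn.thirdparty.example/lib.js?v=20100801",
]

if __name__ == "__main__":
    for host, issn in find_issn_leaks(SAMPLE_REQUESTS, ["journals.example"]):
        print(f"{host} received ISSN {issn}")
```

The check digit filter is what keeps cache-busting numbers and version strings out of the report; run it over a HAR export or proxy log to see which journals a session disclosed and to whom.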

After a lot of soul searching with regards to the current funding cuts, I have decided that it will be appropriate to go ahead with FAM10 this year with a real focus on practical benefits for librarians and developers. This decision was based on:

  • The excellent feedback we received for FAM09;
  • The fact that I had booked the venue before the new government decisions so there would have been a cancellation fee;
  • The very practical focus of FAM as an event;
  • The fact that there is not much of a focus on the importance of identity and access management elsewhere in the UK at the moment to render this unnecessary.

I hope you agree with this as a decision and hope to see many of you at the event. We have combined with JANET so there will be no duplication of eventage in this area.

We are pulling together what I think is a strong programme and have had lots of good suggestions from the lovely people on jisc-shibboleth. If you have any ideas, we would love to hear them :-)

More interestingly, I would love your ideas for keeping the costs down on what will be a face-to-face event. Do you expect us to provide accommodation or is this something your institution would be able to cover? Any ideas for ‘free’ evening entertainment? (other than just drinking in the bar at your own cost). What other ways can we drive costs down for all of us? Have you recently run an event or attended an event that looked carefully at cost saving?

I’ve always been against event management companies and we will do all the event management in-house (gulp, no Mel this year!) using Google for booking forms, document management, presentation publication and event information as per FAM09. I’ve also always been against paper at this sort of event so will probably repeat the paper free policy of last year – I hope this works for people. I won’t cut back on making sure there is good connectivity and plenty of powerpoints at the event to support amplification.

What else can we do?

All your help and advice would be gratefully received.

A couple of interesting access and identity management issues in the news over the last few days. I bang on a lot on this site about ‘persona’ and how I think this is different from ‘identity’ (i.e. you can have multiple persona but not multiple identities unless you are a criminal).

A good example of this is HRH Queen Elizabeth II – a good example of a persona…not a criminal :-)

‘The British Monarchy’ has had a twitter account for some time, and I don’t think anyone except the insanely deluded would think that the Queen and Prince Philip sit around Demi and Ashton style commenting on the latest episode of the X-Factor and sending @princeharry ROFL! For some people this account would not be seen as ‘proper’ use of twitter as @thebritishmonarchy do not follow anyone, do not reply, and yet have 52,000+ followers. It is more of a news feed.

This week saw the announcement of the use of Flickr by the Royal Family. Again, don’t expect any funny images of Harry falling down drunk (you’ll still have to go to the Daily Mail archives for those) and unfortunately the photos are vehemently tagged ‘all rights reserved’ but the photos are an interesting reflection on the identity that the Royal Family want to present. There have been many attempts over recent years to present the family as more accessible, more open and more in touch with their country and its citizens. This is a good example of how an online persona can help positively impact perceptions of real world identity.

A more worrying story next of how social networks can negatively impact on real world identity with this story from the Guardian. “How I became a Foursquare Stalker” is a simple tale of how one journalist was able to ‘stalk’ a complete stranger because of cross-postings from her foursquare account to twitter. The openness of many Twitter accounts, the use of photos and real names in profiles and the power of Google once those pieces of information have been determined is all explained, but the story focuses on the geo-location features of foursquare which tell people exactly where you are at any given time once ‘checked in’.

I’ve always been a geo-sceptic – I won’t even register my Oyster card as I don’t like the idea of big brother being able to track me around the transport system in London. I do know many people who are using these tools and find them very useful. The problem is the geo-location takes us out of the reasonably safe world of virtual reality where our personas can be tracked and in to the real world where our real selves can be tracked. This is augmented reality, not virtual reality, and I don’t think we have equipped ourselves with the tools to safely manage our lives once augmented in this way.

Of course, the finger cannot be pointed just at Foursquare or geo-location tagging. I’m pretty sure it is fairly easy to work out where I am most days from my tweets, blogs, google juice and event attendance. It does create more worrying issues when people check themselves in and out of their own homes, or out of pubs late at night…

Careless approaches to how you link your persona online and how you carry information from one system to the next and getting too close to augmented real-world identity rather than persona is more than virtual insanity IMHO.

What sites would you like to see federated? I recently sent the dynamic duo of @JISCMark and @rhys_s off to see the very nice people at SURFfederatie to see what they could learn from their domestication programme. SURFnet have been doing far more work than us on non-publisher services like Google Apps.

Whilst there has been some movement in the UK with services like Memberships Solutions offering federated access on their platforms for Student Unions such as MMU, I want to do more!

I know we have asked this question a thousand times but well, Mark’s kind of done the publisher thing and needs a new challenge for the new year. So here is my list of people I’d like Mark to go out and talk to. How about you?

1. Finish the work to get JISCInvolve and JISCwikis federated please!
2. UCISA login not federated? Shocking!
3. Find me a good event management site, like eventbrite, but that uses federated login.
4. UCAS and HESA are both now members of the UK federation. What lovely federated things could we do with these sites?
5. Educause is very good and very federated, but not for UK people. Can we fix it? Yes we can!

So, after my Identity Ramblings of yesterday, something a little more concrete and hopefully useful. As keen followers of my blog will know (both of you) we’ve been trying to do some work within JISC to help institutions better understand who their users are. I’ve been particularly focusing on students and the JISC Collections licenses recently – one of the simple changes I have asked JC to make is to remove the words “including but not limited to undergraduate and postgraduate” from their authorised user description as I don’t think the words are very helpful and have in fact confused lots of people.

To make my life much much easier, the lovely lovely people at Cardiff have recently published the work they did in order to identify all of their user types, whether they are a member or not and what access rights they have. This has now been published as part of the Identity Management Toolkit and my advice would be:

  1. Read it!
  2. Plagiarise it!
  3. Do your own audit!

There are 5 pdf documents. Print them, consume them and you will find them most useful. For those of you particularly interested in the student definition section, you will find this in the Table document. There is a whole section on student types, whether these are perceived to be a ‘member’ of the university, and for the libraries whether they are entitled to library e-resource access. The interesting thing to note is that there is NOT a direct correlation between member and right to access. For example, Cardiff have determined that ‘Dental Students on CU Diploma Course’ are not members, but do have access to e-resources. This brings about interesting questions in the Shibboleth world – if these students are not being provisioned with the attribute ‘member@cardiff.ac.uk’ what is the best way to ensure they have an appropriate attribute for shibboleth access?

This is an excellent piece of work. Many thanks to David Harrison for taking the brave step to make this public, and to John Paschoud for including in the Toolkit. If people do take this work up, we’d be very interested in seeing the results made publicly available and I’m sure the Toolkit people would be more than happy to continue to link to case studies. On this note, we are hoping (subject to the wary world of budget cuts we are all experiencing) to launch some early adopter style work building on top of the toolkit later on this year – you might want to think about this type of audit as a potential bid for your institution?

I was reading an old favourite of mine last night (A Home at the End of the World – Michael Cunningham) and was struck by a list at the back of the book which listed all of the poems and songs quoted in the book, cited the copyright owner and expressed that permission had been granted for their use. I’m no expert on copyright, but I assume that this was done to prevent claims that the book was commercially benefiting from someone else’s rights. It seems slightly over the top for the snippets of lyrics and lines that were used in the book, but it did get me thinking some rambling thoughts about identity.

Cunningham’s books are all about how the culture we live in affects our identity – particularly music, films and the influence of friends – and also how we reject the identity of our parents by rejecting their cultural references. As such, the lyrics and poems cited are as much a part of the identity of the protagonists as the creator of the work. There is an implied sense of joint ownership here, which has very little to do with the transactional world of rights management.

I think the way in which we use social media has allowed us to find new ways of expressing this sense of joint ownership and how it links to how we express our identity. The ‘like’ button on Facebook is a very crude example of this, but it builds up a very rich net of who we are through our cultural references.

We have also perhaps become more relaxed about copyright within this social media, without the intent of law breaking or denying anyone’s rights. It is almost expected that when referencing a film or tv clip, it will be available on youtube and easy to link to a blog piece – as I have often done. Different rights holders take different approaches to this from take down demands to the acceptance of the fact that this usage provides new opportunities. By allowing people to link to a clip, by expressing their ‘like’ for this and by allowing that clip to become part of the identity of the author, potential new audiences are opened up for the original work.

This touches on a whole bunch of areas that are of interest to JISC but that I’m not directly involved in – the importance of Creative Commons, linked data, open access, open educational resources.

I’m thinking of spending some time looking at sense of identity within these spaces, the context of ownership within social media, how identity flows through these resources and what we can learn about this to support programmes across JISC. I’ll probably start with looking at the concept of a static resource with metadata within a repository such as Jorum and then look at the more nebulous life of the resource as it is repurposed but also reconceptualised in terms of relationship to individuals as we clatter our digital footprints all over it. I guess I’m interested in how we gain the most benefit from this digital story as our resource becomes more promiscuous outside the contained information of the repository. I’d be interested in your thoughts….

Well I had a lovely day today with the super brains that form the SDSS Expert Group at Edina in Edinburgh, including the newest contractor for the group in the form of Chad La Joie. Whilst our focus was on talking about the bright and beautiful future of Shibboleth development, we spent some time talking about OAuth and OpenID…or for want of a better word the ‘O Factor’.

Every couple of years a new access management standard comes along and people tell me that SAML is dead, there is a new king, I need to move on. I smile sweetly, wait and watch patiently.

There is a concept that education in the UK needs the ‘O Factor’. I think this is perhaps confusing the use case and misinterpreting the technology requirements. What I often hear is ‘wouldn’t it be lovely if our users could use their own identity and assign affiliation attributes to it’. This is often followed up by ‘OpenID will do that, right?’.

This is asking the wrong question and looking at the wrong requirement. As I have mentioned before, there is no real concept of a ‘user-centric’ or ‘user-managed’ identity. All of our personas and credentials represent our affiliation to one organisation or another (Facebook, Twitter, Bank, Institution) and these credentials are managed on our behalf by these organisations.
Sometimes, these organisations add certain authorisations to our profile (Bank, Institution). Sometimes they offer a useful personal identifier (Twitter). Sometimes they are merely useful routes in to a certain environment and we place no value on them (Facebook).

When institutions ask the question ‘Can our students use their own IDs?’ I think they are really asking ‘should we be in the business of issuing credentials?’. This is more akin to the conversation ‘should we outsource our e-mail?’ than a useful conversation of how to bridge the personal / affiliation space. I think if most institutions in Higher Education asked ‘should we be in the business of issuing credentials?’ the answer would inevitably be yes. For Further Education, this is still true…but they may choose to outsource the management of such credentials to a reliable third party. So perhaps we don’t actually need the ‘O Factor’.

There are other ways of looking at the conundrum. I accept that I might want to assert a personal identifier, such as my twitter name, instead of say an eduPersonPrincipalName when commenting on blogs. This mixes the personal and affiliated space nicely. However SAML attributes could easily make this possible…so again I see no need for the O Factor.

One of the many problems in the OAuth and OpenID space is the ‘which implementation’, ‘which standard’ question. As we know with all standards, it is one thing to say ‘standard compliant’; it is another thing to actually interoperate with another standards compliant entity. Recent developments in the OAuth and OpenID space have seen a proliferation of modules that make it very difficult to say whether one implementation will work with another. Major OAuth rewrites at Yahoo and Google are proof of this pudding. SAML is not innocent in this space either, which is why I’m a big supporter of the SAML2-int-profile that I’m hoping most federations will cite as their basis of what it actually means to be ‘SAML compliant’. I fear many software vendors may shudder at this news.

One of the things we’ve been pushing with the Shibboleth Core Team for some time is ‘give us a concrete use case’. This means we are more than happy to investigate new and interesting directions for SAML implementations…but we need a concrete use case in place first that can help define real technical implementation. My invitation to you is to tell us, do you have a real concrete use case for the O Factor?

In more surprising news, it transpires that Ian Young has never seen Pinky and the Brain. How could you Ian? So especially for the SDSS team, here’s Pinky, the Brain and Chad…
————————————————-
Brain: All I have to do is head past Duraway, cross Finland, and get to the ride controls which are just behind Chad.
Pinky: Chad who?
Brain: Chad the country.
Pinky: What a lovely name! Do you think it would suit me?
Brain: Personally, I think “Dolt” would be more appropriate.
Brain: Pinky, after I switch the tapes, I’ll meet you near Chad.
Pinky: I’d like to meet Chad!
Brain: Chad is not a person!
———————————————————-
Sorry Chad, you’re not a person. The Brain has spoken!

Warning: this has nothing to do with access management :-)

I recently had a hideous experience when a flight from Barcelona was cancelled due to the French Air Strike. I had to queue for 4 hours to get rebooked on another flight. No one gave us any information. No one gave us any water. We got conflicting information about whether BA would book us in to hotels so people were running up big bills on iphones trying to find accommodation. You had to rely on people being nice and letting you back in if you needed the loo. It was nearly midnight when I had finished and I still had to get back to my hotel. In short, it was hell – and got even worse when I got to Madrid (I wanted to go to London btw, not Madrid!) and had to start the whole queuing process all over again to get another boarding card.

BA were basically incapable of managing the process of rebooking people on to flights, let alone think about offering customer service. There were four people processing the queue. Each person seemed to take between 15 – 30 minutes to sort out. There were 100’s of people in the queue.

So my idea whilst I was busily queueing – Stranded Concierge! (Actually, @LiamEarney gave me the name when I was explaining it to him so I guess I will have to give him a cut of profits). When flights get cancelled, the airline simply passes details of all the customers stranded to Stranded Concierge. They immediately send e-mails / texts to travellers telling them to stay where they are and a Concierge will be in touch. The Concierge then arranges appropriate accommodation and travel plans and gets them back to the customers as soon as possible. Stranded Concierge could have a large team of people working remotely on this problem, not four stressed people on counters at the airport.

The airlines would pay for service, Stranded Concierge could do deals with local hotels, restaurants etc. Customers could sign up to the service separately and register preferences, flexibility if flights are cancelled, ongoing travel plans etc.

Even better, Stranded Concierge would have deals in place with airport concessions to look after the people who have gone to the airport, so they can wait in comfort with access to food, drink and toilets, instead of in an undignified queue across the airport.

End result: happier customers, happier staff and business opportunities.

All I need now is a good developer and some backing money please. Any offers? :-)

There is a scene in Monty Python’s “The Life of Brian” where Brian is on the run from the Romans and ends up meeting the shop keeper from hell who wants him to haggle (for a beard). For some reason, this popped in to my head whilst reading lis-e-resources this week, and a discussion on ‘can our users access this resource’. This is perhaps a bit unfair, and not quite the same, but I was frustrated with the approach that many institutions seemed to be taking to define who their users are and work out who can access what. The standard approach: ask the publisher.

To me, this seems as futile as the shop keeper in Life of Brian who will get less than Brian was willing to pay by forcing him to haggle. If you approach a publisher and say ‘should I pay more for these extra groups of users’ then the answer will almost inevitably be yes! There seem to be lots of parallel conversations going on in different institutions resulting in different approaches creating complex groups of users, and librarians seem to be bearing the brunt of having to sort this problem out. In addition, these discussions seem to be happening with absolutely no reference to technologies being used and what they can actually deliver at the end of the day. The depressing final conclusion is one I often hear in association with walk-in access: “we aren’t sure, so we don’t offer access to anyone.” How depressing.

I think this needs changing in two ways:

  1. Institutions should be able to tell publishers who they define as member, and not seek permission to extend access rights to groups of users who are clearly registered with an institution.
  2. If more complex groups are created, libraries need to ensure that access management implementations are able to deliver access to these disparate groups of users.

To meet objective 1, every institution in the UK needs to have a clear approach to identity management. The good news is that a lot of work has been done on this already – the JISC Identity Management Toolkit is a great place to start, particularly the examples given by Cardiff University who have already tackled a huge project in this area.

The key pain-points to look at seem to be:

  1. How does your institution define ‘member’? Which groups are included in this definition? Which are excluded? Does this match the expectations of licenses and access management technologies?
  2. For a student to be a member, must they attract funding to your institution (either personal or government), or merely be registered with your institution?
  3. Do you register students at your institution when running a course in conjunction with a partner organisation in the UK? Do you treat these students in the same manner as funded students?
  4. If you distinguish between funded student and registered student, is this being expressed in your access management policies?
  5. How do you manage overseas affiliates, franchises, partners etc.?

If an institution cannot clearly and definitively answer these questions, librarians have no hope of negotiating access successfully so please do go and look at the Identity Management Toolkit and do get on with this work.

The final point is that there is no point negotiating and defining groups endlessly if this is not reflected in the attributes that are assigned to students. Very few institutions are making good use of granular attributes in their access management implementations, and we often get told that for most publishers, all that is required is ‘member’. This is fine, as long as the institution has a policy of also NOT defining ‘member’ for the groups that you have decided are outside this definition.

When asked if x group or y group are members of an institution, I invariably answer ‘yes’ and most librarians roll their eyes at me and assume I am naive and don’t understand the environment we work in. There is a simple reason for my answer – in most cases those groups of students you have spent hours talking to publishers about and negotiating them out of licences probably automatically get assigned the attribute ‘member’ when they are registered with the institution. Why? Because the institutions don’t have a clear answer to point 1 above. So this means they are getting access anyway and your conversations were pointless.

As I often say to a good friend of mine, in the electronic world a licence is just a stream of meaningless words if you don’t ensure that a) what you can agree CAN be implemented by the technology and b) that they ARE implemented by the technology.
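The gap between what a licence says and what the attributes deliver, discussed here and in the earlier Cardiff audit post, can be checked mechanically. The following is an added example, not code from the post or the Toolkit: it compares provisioned attributes against a user-type table and shows what a service provider would decide under a ‘member’-only rule versus an entitlement rule. Only the dental students row comes from the post; the other user types, the accounts, and the choice of the standard `common-lib-terms` entitlement as the granular attribute are assumptions.

```python
from dataclasses import dataclass, field

SCOPE = "cardiff.ac.uk"  # from the post's 'member@cardiff.ac.uk'
MEMBER = f"member@{SCOPE}"  # eduPersonScopedAffiliation value
# Standard eduPersonEntitlement value for licensed library resources;
# using it here as the granular attribute is this example's assumption.
LIB_TERMS = "urn:mace:dir:entitlement:common-lib-terms"

# user type -> (counts as 'member', licensed for library e-resources)
# Only the dental row is from the post; the others are constructed.
POLICY = {
    "Dental Students on CU Diploma Course": (False, True),
    "Registered undergraduate": (True, True),
    "Partner-college student (hypothetical)": (False, False),
}


@dataclass
class Account:
    uid: str
    user_type: str
    affiliations: set = field(default_factory=set)  # as provisioned
    entitlements: set = field(default_factory=set)  # as provisioned


def audit(accounts):
    """Compare provisioned attributes with the policy table."""
    findings = []
    for a in accounts:
        if a.user_type not in POLICY:
            findings.append((a.uid, "user type missing from policy table"))
            continue
        is_member, licensed = POLICY[a.user_type]
        if MEMBER in a.affiliations and not is_member:
            findings.append((a.uid, "member asserted for a non-member group"))
        if is_member and MEMBER not in a.affiliations:
            findings.append((a.uid, "member attribute missing"))
        if licensed and LIB_TERMS not in a.entitlements:
            findings.append((a.uid, "e-resource entitlement missing"))
        if LIB_TERMS in a.entitlements and not licensed:
            findings.append((a.uid, "entitlement without licence right"))
    return findings


def sp_grants(account, rule):
    """Service provider decision: 'member' only, or the entitlement."""
    if rule == "member":
        return MEMBER in account.affiliations
    if rule == "entitlement":
        return LIB_TERMS in account.entitlements
    raise ValueError(f"unknown rule: {rule}")


def access_gaps(accounts, rule):
    """Accounts where the technical decision disagrees with the licence."""
    gaps = []
    for a in accounts:
        if a.user_type not in POLICY:
            continue
        licensed = POLICY[a.user_type][1]
        granted = sp_grants(a, rule)
        if granted and not licensed:
            gaps.append((a.uid, "granted but not licensed"))
        elif licensed and not granted:
            gaps.append((a.uid, "licensed but denied"))
    return gaps


# Constructed directory extract. p1 shows 'member' assigned automatically
# at registration; d1 is provisioned correctly with the entitlement only.
ACCOUNTS = [
    Account("u1", "Registered undergraduate", {MEMBER}, {LIB_TERMS}),
    Account("d1", "Dental Students on CU Diploma Course", set(), {LIB_TERMS}),
    Account("p1", "Partner-college student (hypothetical)", {MEMBER}, set()),
    Account("x1", "Alumni (hypothetical)", set(), set()),
]

if __name__ == "__main__":
    print(audit(ACCOUNTS))
    print(access_gaps(ACCOUNTS, "member"))
    print(access_gaps(ACCOUNTS, "entitlement"))
```

With these accounts, a provider that checks only ‘member’ denies the correctly provisioned dental student and admits the auto-assigned partner student, while the entitlement rule matches the licence for both.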

Time to look at that granular access issue again? I think so. After all, he’s not the Messiah, he’s a very naughty boy…with a fake beard.