May 2009

There has been talk on a few discussion boards about websites giving login details for some University libraries (home and abroad), to provide non entitled users (if they are illegal – do you still call them users?) access to e-resources. I’m, for obvious reasons not going to post a link here but the pattern seems to be logins providing access a proxy server of an institution and through that any e-resources accessed and authenticated via the proxy route.

Dangers such as this are a reason why, when talking about access management we don’t recommend a proxy solution as necessarily being robust enough for all libraries.

Of course there are a number of things happening here, and obviously enhancing both Authentication and Authorisation with the help of what is arguably the most robust form of federated access (Shibboleth) is a way to mitigate risk. But it is also clear that there is a human element at work here as well, individuals are most probably giving away access details and if you follow the LSE FLAME study, it’s not taking a Jack Bauer style interrogation to get them, but the promise of Mars bar may well be doing the trick.

It may well not be bribery at all, and the key here is to have education of users, to not share information and have systems in place that encourage them not to share that same information (ie having identities that the individual, values).

A number of the sites also seem to have a significant chinese language presence(with a small C) so there could be some cultural factors at play – are the university identities that we do give students equally valued across national boundaries and nationalities? Perhaps but it might be interesting to see some work disproving that argument on any kind of FLAME follow up.

A final thought on security, in movies when the hero is trying to break into a computer system there is always “a back door”. If there is one, the trick is not leaving it open – and from some of the sites I’ve looked at (not necessarily UK) with pages detailing an instructions policy such as “your username is your staff number and your password is your surname”, that door is well and truly off its hinges.

Fan or not, you have to agree that Apple’s position and marketing of its ‘i’ products has been a huge success and has spawned many copy-cat ideas. In a world where everyone was defining product through delivery mechanism (e-content, e-books, e-resources, e-paper) Apple put the individual first. itunes is after all my tunes…and this has continued with the high levels of personalisation available on the i-phone.

I think JISC has a lesson to learn here. We are very good at worrying about the platform and the medium, but the ‘i’ is often missing. As has been noted, I was disappointed by the lack of attention to identity issues in the recent Web 2.0 report, and also by the lack of questions on users and identity in the libraries of the future campaign, which became somewhat embroiled in the Open Access debate. I’m also disappointed that identity issues aren’t on the agenda at the upcoming Digital Content Conference.

I think this is also true in the areas of JISC that are looking at ‘e-content’ or ‘digital content’. We do lots of great stuff with content in JISC – JISC Collections provides huge savings to the community through its negotiations, the digitisation programmes are making lots of content available online that we might not see otherwise surfaced and the OER programme is looking at alternatives to traditional teaching and learning resources. However, most of these programmes are still taking a very conservative approach to resources – these are things where IPR is understood and resolutely managed (if often badly), where licenses can be sought and expressed, where reuse policies are made and enforced and where formal review processes can be applied.

But what about the real user-generated content? What about the i-content? This is not something that can be easily wrapped up in to a ‘learning object’ to be stored and managed in something like Jorum, but does have a very real place to play in the world of teaching and learning. One of the really impressive things about the recent Open Habitat report is the extent to which they have integrated student developed content in to the curriculum.

Most of the i-content I develop on a daily basis does not conform to any of the traditional methods of content management and preservation. Although some people do have Creative Commons style licenses on their blogs, most people I know expect that by putting the content ‘out there’ – on blogs, on twitter, through comments and contributions to fora – that it will be reused and repurposed in a way that could not be managed by any licensing approach. For most people working in this way, I think it simply wouldn’t matter.

i-content is both ephemeral (my tweets disappear after a month) and non-ephemeral (lots of people have probably recorded my tweets in many different ways). It is up-to-date and immediate and out-of-date (such as this description of a presentation I gave in 2004). It is formal (this is a JISC blog) and informal (this is just my thought flow, not an article). When taking all of those issues in to consideration, how can we best capture, preserve and use i-content to support teaching, learning and research?

i-content is being used as part of the learning and teaching process. Many scientists and lecturers currently write blogs and are ‘peer-reviewed’ on these blogs by the comments left by others working in the same field. Others are contributing their thoughts to ensure that wikipedia definitions are up-to-date and accurate. A lot of collaborative research is happening on random collaboration platforms both supported by institutions and openly available on the Internet. If we are only capturing a single output from all of this work in the form of the published article, it seems to me we are doing something wrong. Perhaps it is time to stop worrying about whether Open Access will take off, and start worrying about preserving and using the i-content of all of the authors and researchers we respect within the community. If we can truly make these offerings useful and relevant in the educational sector, and can appreciate the power of peer-review through comments and reputation services…maybe the reliance on the published article will diminish…and maybe the academic libraries will be able to cancel those must have ‘big deal’ journal packages after all.

With rumours afloat within the corridors of JISC that the new Innovation Group Access and Identity Management Programme may be launched sometime in the next few months….I thought I might talk about some of the developments I’d like to see in this area in the hopes of a very early project-flavoured Christmas present

• Standardised WAYFlessURLs. It was done for OpenURLs…..
• It’s MY identity: student engagement with the whole user-centric debate. Do they want an institutional identity? To involve IT students, philosophy students, anthropology students…
• Institutional Browser Toolbar to manage resources accessible for that institution via federated access.
• Simple write-ups of uses of extended attributes: entitlements etc.
• More work on group management…but actually in a way that embeds something within institutions.
• Federate that App! Plug-ins and documentation for shibbolised applications.
• Can an institution manage user-centric identity? Institution as a broker of authorisation rather than a provider of identity? Playing with RFX?
• Nice toolkits for better IdP log management.
• More studies on online identity and the way we present ourselves online – particularly where it touches other JISC work like author identifiers, Open Educational Resources, Repositories etc.
• Tools for registering walk-in users.

There is probably more…but I don’t want to be greedy. Anyone else?

We are starting to see the first signs of federated access being used as a core decision point in business planning. In this uncertain market, publishers and institutions are having to make decisions about the best possible way to maximise their markets and maximise their spending power.

We’ve recently been helping institutions review their resource lists against federation compliant publishers, and several have mentioned that they are willing to cancel subscriptions to non-compliant publishers. Regrettably, this is often the smaller publishers who perhaps have not had the chance to be able to fully exploit the new technology. I know it is difficult for librarians to even consider cancelling subscriptions to the larger publishers…but there are two major publishers whose names may start with W and I and a major aggregator whose name may also start with I who are still dragging their feet about meeting the customer requirement for federated access. It would be interesting to see what their reaction might be if faced with cancellations because of lack of compliance.

On the aggregator front, we are starting to see signs of the smaller publishers moving away from aggregators because of non-compliance with federated access. I think this is a sensible reaction – don’t let your platform provider dictate your requirements in a market where you might lose custom based on slow-uptake of technologies.

Federated access is definitely the new black and a must have in your technical wardrobe if you want to be taken seriously at the scholarly publishing party.

It’s funny how when you start thinking about something, links to the subject seem to pop up all over the place! On the way back from dropping my son of at nursery this morning I was thinking about what I might want to write about today…and the various tests that people have been doing lately to see what type of ‘twitter personality’ they are sprung to mind. One example of the many different versions available is here. Of course, this isn’t really just about your twitter-effect…it is about your personality in general and the profile of yourself that you build up online.

This sort of identity management has come up again and again recently. However, it is one thing to take a test for yourself to see how a machine assesses your personality type – it is another when these assumptions become associated with you and those assumptions get promoted without you being aware of it. Nishant Kaushik has an interesting piece over on his Talking Identity blog about this very issue and how it relates to reputation services. If our tweets are being used to make reputation judgments about us and this judgments are being distributed without our input…what effect can this have on the individual?

Your position and presence online is also very much associated to your relationships. I was interested to read about the Penn State Outreach Intranet…not only because of the impressive timescale in which they rolled it out, but because they marketed the approach on the back of the relationship service that is at the heart of the Intranet design. You can read more about this feature here. Brian Kelly has also spoken about the importance of these relationships in his blog pieces on critical friends. This in itself has its benefits and drawbacks – your connections to certain people can say a lot about your standing within a community, but we all know the problems associated with friends being able to tag embarrassing photos to your facebook profile!

People are a commodity on the web…or to put it a different way, they are no longer just the subject of activities (people that can tag and comment on resources) but are the object of other subjects (a resource in themselves that can be tagged and yes, commented on). I think this is where we are seeing a change in web2 approaches…from the amazon-style ‘rate and comment on this book’ to a position where anything and everything can be rated and assessed by anyone. Including you.

This is important not just in places where we are active, but in places where we are inactive. It is not just what I am saying today on this blog or on twitter, but what the presence of an old and inactive blog can say about me if it is still available.

I wonder what this says about affiliation? I’ve been very interested in the importance of affiliation recently, not just because concept of the user being affiliated to an institution is at the heart of the federation process as it has been embedded within education and research. I spoke a while ago about the importance of my affiliation to JISC in terms of my online presence, and have been thinking about the importance of affiliation to various groups of users that are currently served by universities.

Do undergraduate users place any importance in the affiliation they hold with their university? Obviously this is important when reputation matters (being at Cambridge, Oxford, Ivy-league school)…but it does not seem to be important in terms of identity provisioning – as we have seen in the debate about whether institutions should continue to issue undergraduates with affiliated e-mail addresses. We’ve also seen that undergraduate students do not really appreciate the fact that the e-resources held by the library are actually paid for by that institution and their affiliation should matter to them in terms of what it gets them access to. A recent quick poll on twitter showed that students are most likely to appreciate their affiliation when it gets them free stuff elsewhere – cheaper books, cheaper clothes and indeed cheaper beer.

I also wonder how important affiliation is to staff and researchers? One of the issues that we continue to look at in the repositories space is the relationship between author and institution. This is of course complex because of IPR issues, but the use of pre-print repositories has brought this to the forefront from an identity management perspective. We still do not have effective author identifiers (see the Names project for interesting work in this area) and I wonder in looking at solving this how important affiliation should be? Should institutions be managing the author identifier question or is it a bigger issue to be managed elsewhere?

Just back from the most recent tf-emc2 meeting – in the most glamorous of european locations – and after a day of frantic gathering of papers for the UK federation Policy Board meeting next week, i had time to think back on one of my presentations to the group.

I’ve been asked to lead a REFEDS workpackage on assurance – looking at the best ways for european federations to deal with assurance issues, particularly in terms of identity assurance profiles.

The tf-emc2 group were kind enough to hear my initial thoughts on scoping out the problem area that REFEDS should be considering. I hope to scope these ideas up in to something more coherent in time for the TERENA Networking Conference in June. My slides from the meeting are here, and I would be interesting in opinions from people within the UK.

My talk focuses on three different types of assurance that I think we bundle up in to the term ‘levels of assurance’ without thinking about the application of these.

1. Firstly, there is the assurance that a federation adds to metadata by acting as a trusted registrar and aggregator. It is an assertion made by the federation as registrar and not by the end-user or the organisation. It is one of things that we can consider when thinking about the differences between the federated approach and user-centric access and where greater trust can be placed in the assertions that are made.
2. Secondly, I look at strength of authentication. This is a fairly straightforward area – but we are still looking for case studies in the UK where a stronger authentication level (rather than stronger assurance) may be required. Strength of authentication can be mapped to the concept of ‘levels’ that we talk about in assurance more clearly than the other types of assurance that are added.
3. Finally, I looked at identity assurance profiles and posed the question – should federations be in the business of defining identity assurance profiles? I think probably not. Identity assurance profiles should be defined by the communities that use them…and the UK federation in itself represents a domain and not a community of practise. Identity assurance profiles are not necessarily levels as they can overlap and intertwine – perhaps more accurately described as layers of assurance?

One of the things I think I missed in my talk is the relationship of assurance to trust. According to wiktionary:

• assurance: the act of assuring; a declaration tending to inspire full confidence; that which is designed to give confidence.
• trust: confidence in or reliance on some person or quality.

So assurance creates trust, and the more assurance layers we add the greater the trust becomes. I think when considering trust federations we have tended to think about things that are trusted and things that are not. This picture creates a less black and white picture of the identity field: identity assurance can be added by the end-user, by an organisation as broker and through registration with trusted federations. We need to think about all of these layers as we build up a picture of assurance requirements in the european community.