Inspired by a discussion on Twitter, I find myself once more in the position of having to explain why I am not a fan of the use of proxy referral services in libraries. I should start by saying that I am not a fan of the typical trend of using IP access on library campuses and it is the general move away from any sort of IP-based system that I am actually promoting. I also completely understand why libraries like to use them – the best-known proxy products are quick, clean and easy to implement and maintain.
Some time ago, JSTOR took a strong position on the use of proxy servers, noting:
“Without special configuration, these proxy servers often have no access restrictions in place. If the computer is within a range of IP addresses that have access to JSTOR, then the result is that literally anyone in the world can use that proxy server to enter JSTOR, as well as other licensed electronic products and restricted campus resources. It is important to note that this is not a fault of any institution or library, but a weakness inherent in the current system of using IP addresses for authentication to restricted resources.”
Now, most library proxies are set up well enough that they are not providing an open proxy access route. However, easy to set up can sometimes mean sloppily set up, particularly in the use of administrative passwords. We have had many examples of the administrative passwords to proxy servers being made freely available on the internet. So if you are going to use a proxy, make sure that administrative passwords are well looked after and frequently changed – they provide access to nearly ALL your resources!
My second point is that proxies are often set up without much thought to the credentials being used with the proxy server. Sometimes only a small set of credentials is used, or credentials that a user would have no qualms about sharing. So again, if you are setting up a proxy server, tie in a sensible credential option such as local authentication using Shibboleth to increase security.
Thirdly, I just don’t like something that pretends to be something it is not. When using the proxy service, you are basically claiming to be visiting the Service Providers in question from an agreed set of IP addresses ‘owned’ by an institution. In reality, you could be on any computer anywhere in the world. There are a host of security issues that have been caused by such a setup.
Fourthly, there is the problem of accounting and statistics. It is very difficult to provide authoritative data on resource use from proxy servers, or from IP access for that matter! At a time when we need to justify spending constantly, it seems that better resource usage statistics can only be a good thing. I’ve heard this as an argument away from proxies from Service Providers as well – they would like to better understand the market they are serving rather than just receiving access requests from an IP range.
Finally, there is the user experience. Proxies mirror IP access, and plain old IP access routes don’t offer much added value for the user, such as personalisation etc.
I really do understand why libraries use proxies, and why they continue to use IP access on-site. There is a particular job of work to be done with US-based publishers on pushing the advantages of more sophisticated access routes and moving away from IP-based licenses. We continue to work with publishers. In the meantime, I hope it is OK if I continue to see the place and role of proxies, but continue to shudder and dislike them. Maybe I am just suffering from access management OCD.
In the meantime, maybe you can tell me why on-site IP access is really a good thing for the user??
3 comments
September 28, 2009 at 5:16 pm
Owen Stephens
Both IP access and Proxy access have the huge and overwhelming advantage of being simple for the user. If you are on campus, you can access an IP-authenticated resource without needing to enter a username/password, or do anything else – it just works. If you are working via a proxy you don’t have to first find the correct ‘login’ screen for the service (and this really isn’t a simple thing to do – there are so many options and very few of them actually labelled with something a user can understand without being told) and then have to work your way through a screen asking where you are from. You just get a single login box – and enter your normal username and password. Oh, and once you’ve done that, if you access another service via the proxy you don’t get asked to login again.
What do you think the advantages to the user are of using FAM in place of IP or Proxy authentication? Most of the arguments you list here are in favour of the publisher (and possibly the institution). The user experience of FAM is so so poor I’m afraid.
September 28, 2009 at 5:32 pm
nicole
Thanks Owen
I agree that the user experience for FAM needs improving – and I would really encourage feedback on the publisher interface study we have published to look at this as I have a really good opportunity to drive changes through at the moment. Please see: http://sites.google.com/site/publisherinterfacestudy/.
However, I think librarians tend to get a little hung up on the idea that people can’t log in to resources. Tests we have run show that most people manage quite well as we live in a world where people constantly log in to a multitude of services as soon as they are online. I’m also not sure that something ‘just working’ is such a good idea, as it has given a multitude of users the idea that these resources are freely accessible, which then causes problems when they realise they aren’t. The process of logging in at least helps with the understanding that this is a restricted resource. The federated route makes it clear that this is a restricted resource that is accessible because you are ‘from’ an institution. It better reflects the reality of the resource provision.
I’d make the personalisation argument but I think there is still a lot of work to be done on this route by any access process, so perhaps an argument for another day.
The big win for the user? Still statistics believe it or not. If libraries can gather better statistics by getting beyond the confusion that is monitoring IP or Proxy access, then they can more effectively fund resources. Better funded and better targeted resources, better overall experience for end-users.
September 29, 2009 at 1:53 pm
Jon Warbrick
A significant problem with ‘IP on campus, Shib when away’ is that Shib problems only come to light at a point when it’s difficult to provide support. This is a particular problem for institutions that haven’t yet cracked support for distance learners.
Note that ‘proper’ authentication isn’t a panacea. We have an EZproxy, authenticated using Shib, that we use for access to non-compliant resources. We’ve tracked a number of incidents where legitimate user credentials, probably captured by keyboard sniffers on virus-infected machines, have been used by third parties to harvest protected material.