This came in through the MPLA IFACTION (Intellectual Freedom Action) e-mail list. I thought it was interesting enough to share. As a former university employee who was present when such a system went into place, I can definitely vouch for the reduction in access for users and intense user education on how to use the system that occured with the introduction of an authentication system.
To Use that Library Computer, Identify Yourself
By SCOTT CARLSON
A few years ago, just about anyone could turn up at a college library, sit down at a bank of public-access computers, and cruise the Internet with no password, little trouble, and only the slimmest chance of being identified.
But academic librarians, wary of increasing instances of Internet-related crime and hacking, are now having second thoughts about that unfettered, unsupervised access. At some college libraries, students must now log in to use computers, and visitors must show an ID to get computer access.
The debate revolves around a technical word — “authentication,” or requiring a login name and password to use computers — and its implications for privacy and free access.
The issue is a difficult one for librarians, who are typically stalwart defenders of privacy. Once authentication systems are set up, law-enforcement and government authorities can more easily trace network activity to a particular person, even if the library does not keep records of the Web sites that users visit.
The issue of online privacy has become more important since September 11, 2001, as the government has more aggressively collected information that may be linked to terrorism.
“We are walking a tightrope,” says Mark McFarland, assistant director of digital-library services at the University of Texas at Austin. “We don’t want to facilitate criminal behavior, but we don’t want to close off access to information.”
His library began to consider adopting login names and passwords after a patron used its public-access computers to get into online forums, collect personal information about people, and use the information in fraud schemes. Police traced the man’s activity back to the library’s computers, and university security officers asked the library to install an authentication system — a request that they had made many times before.
“We have been talking about this with them for years,” Mr. McFarland says. “It doesn’t take too many serious encounters with a criminal to cause you to reconsider what you are doing.”
He says the library has to figure out not only how to pay for setting up an authentication system in tight budget times, but also how to do so in a way that causes the least hassle for users. The local sandwich shop has a bank of computers where customers can sit right down and start surfing, Mr.. McFarland points out. “If you can get it at Schlotzsky’s,” he says, “shouldn’t you be able to get it at the library?”
Guarding Access
Other libraries have already made the leap and set up authentication systems. The State University of New York at Buffalo, for example, requires visitors to go to the circulation desk, where they can get a guest login name and password after showing a picture ID. The library does not track the sites that its patrons visit. But if a law-enforcement officer suspected that illegal or suspicious activity had occurred on a particular computer, library officials could determine who had been using a machine at a
particular time, and pass the information to authorities, says Mark J. Ludwig, systems manager for Buffalo’s libraries.
After some incidents of fraud, Southern Illinois University at Carbondale started requiring authentication last fall, under a system that works like Buffalo’s. David Carlson, dean of library affairs, says authentication on computers is not much different from requiring users to identify themselves when they check out books. Even so, his library maintains about eight computers with no passwords required, out of 160 that offer free access. “It’s a compromise,” he says.
The adoption of authentication among libraries clearly worries privacy advocates. The requirement is “inconsistent with positions that libraries have taken with respect to information freedom,” says Marc Rotenberg, executive director of the Electronic Privacy Information Center, a Washington-based privacy group.
Authentication cannot be compared to library checkout policies, he argues. Library patrons may have to reveal their names when they borrow books, but they can read their choice of books from the shelves without ever having to identify themselves, Mr. Rotenberg says.
“It is a terrible precedent to say that because something might be abused in the worst cases, we are going to identify every user,” he says.
Some libraries have resisted the idea of putting password protection on their computers. The machines at the Eisenhower Library at the Johns Hopkins University, for example, are still free and open to visitors. (However, visitors have to submit an ID to get into the library.)
“The more difficult you make it for the outsider, the more difficult you make it for the insider also,” says Virginia Massey-Burzio, head librarian for research services and collections at Johns Hopkins. On the other hand, security problems have not plagued the library, which until several years ago was inaccessible to visitors.
The University of Washington Libraries maintain about 60 computers that do not require authentication. Bill Jordan, systems librarian for the libraries, says staff members had “several frank and lively discussions” about whether to authenticate all of the computers, and in the end decided against it.
“Library staff objected to it on principle — they were worried about patron confidentiality,” he says, adding that other staff members worried about the practical burdens of setting up and maintaining an authentication system.
Mixed Feelings
But some librarians have weighed the concerns about privacy and free access against concerns about security, and are adopting authentication — even against their principles.
“Philosophically I am opposed to the idea, but there are powerful forces that are pushing us,” says Donald H. Dyal, dean of libraries at Texas Tech University.
The “powerful forces” in Texas Tech’s case are not just criminal but also political. As legislators have cut the state budget for higher education, administrators at the university have tacked a library-user fee onto student tuition and have cut state money out of the library budget. As a result, the librarians feel obligated to serve students first.
“If there is a queue of students waiting to use the machine and there is someone who is not a student,” Mr. Dyal says, “the temper of the students gets quite short.”
The university has been under hacker attack recently, he adds, and campus network-security officials view the library’s unauthenticated computers as a security hole that needs plugging.
“Information is free; it should be free,” Mr. Dyal says. “That is one of the hallmarks of democracy. But some of that goes out the window when the means of delivering that information is under attack.”
——————————————————————————–
http://chronicle.com
Section: Information Technology
Volume 50, Issue 42, Page A39
Leave a Reply