Practical Steps to Address Piracy

2017 PSP Annual ConferenceWashington, DC

Chris Shillum, VP Platform and Data Integration

3 Feb 2017

2

Problems we are trying to solve

RA21• Legitimate users sometimes resort to pirated content

because access is too difficult• Publishers and libraries find it difficult to track and manage

security breaches

Scholarly Sharing• Users are not sure what they are able to legitimately share

and where• Scholarly platforms can’t check compliance with publisher

policies

Distributed Usage Logging• Publishers, Authors and Librarians would like to know about

usage on all platforms

Chris Shillum, VP Platform and Data Integration, ElsevierMeltem Dincer, VP Platform Capabilities, John Wiley and Sons

Co-chairs, STM RA21 Taskforce

RA21Resource Access in the 21st Century

4

The Journey from Print to Digital

• Institution to purchase from the publisher• Institution to lend to its users•Single point of entry•Simple transaction•Library cards•Lock the doors at night•Must return after use•Prohibitively expensive to make copies of entire

collections

• Imitate print experience•Optimize for ease of implementation • IP Address Recognition

RA21

5

21st Century

• Technology evolved• Multiple entry points• Mobile and remote access• Cumbersome user experience• Easy to download an entire

library

RA21

How a user experiences access to resources on campus

1

7

How a user experiences access to resources on campus

How a user experiences access to resources off campus

1

9

How a user experiences access to resources off campus

2

10

How a user experiences access to resources off campus

3

11

How a user experiences access to resources off campus

4

12

How a user experiences access to resources off campus

5

13

How a user experiences access to resources off campus

14

Fundamental Expectations of the Community

• Researchers– Seamless access to subscribed resources, from any device, from any location, from any

starting point – A consistent, intuitive user experience across resources– Increased privacy of personal data – Streamlined text and data mining

• Resource Providers – Ability to provide individualized and differentiated access for better reporting to governing

bodies and customers– Ability to offer personalized services to accelerate insight and discovery– Ability to ensure the integrity of content on both institutional and commercial platforms

• Customers– Minimization of administrative burden of providing access to authorized user

communities– Maximization the use of the resources purchased – Protection of the privacy of user communities and advocacy for their security

RA21

15

RA21 Problem Statement

• Access to STM content and resources is traditionally managed via IP address recognition.

• For the past 20 years, this has provided seamless access for users when on campus

• However, with modern expectations of the consumer web, this approach is increasingly problematic:

– Users want seamless access from any device, from any location– Users increasingly start their searches on 3rd party sites (e.g. Google, PubMed)

rather than publisher platforms or library portals and run into access barriers– A patchwork of solutions exist to provide off-campus access: proxy servers,

VPNs, Shibboleth, however the user experience is inconsistent and confusing– Publishers are facing an increasing volume of illegal downloads and piracy, and

fraud is difficult to track and trace because of insufficient information about the end user

– The lack of user data also impedes the development of more user-focused, personalized services by publishers.

– The increase in privacy and fraud also poses a significant risk to campus information security

RA21

16

Hypothesis

1. In part, the ease of resource access within IP ranges makes off campus access so difficult

2. In part, the difficulty of resource outside IP ranges encourages legitimate users to resort to illegitimate means of resource access

∴ It is time to move beyond IP-recognition as the main authentication system for scholarly content while making sure the alternative is as barrier free as possible

RA21

17

STM RA21 Task Force*Work to Date

* Initial RA21 Task Force included representatives from ACS, APA, Brill, CABI, CUP, Elsevier, Emerald, IEEE, IOPP, Kluwer, OUP, SpringerNature, Thieme and Wiley

Apr 2016• Initial proposal to the STM Board

Jun 2016• Face to face task force meeting in 3 locations

Jul 2016• Task force charter approved by the STM Board

Jul – Nov 2016• Ground work by the task force

Dec 2016• Outreach and call for participation

RA21

18

Going Forward – How Will it Work?

• Adopt a diverse, inclusive approach and achieve consensus across stakeholder groups

• Recommend new solutions for access strategies beyond IP recognition practices

• Explain the standard measures that publishers, libraries and end-users should undertake for better protocols and security

• Test and improve solutions by organizing pilots in a variety of environments for the creation of best practice recommendations

Note: The task force will not build a specific technical solution or an industry-wide authentication platform

Dec 2016- Outreach meetings:

STM & CNI- Website and Survey launch

- Call for participation

Feb 2017- Survey and Participation Call deadline

Apr 2017- Invitations for Sounding

Boards- Technical meetings

May–Sep 2017

- Running Pilots

Oct 2017- Gathering

results- Best

Practice recommendati

ons

Dec 2017- Presenting

results at meetings - Inviting feedback

RA21

19

RA21 Draft Principles

1. The user experience for researchers will be as seamless as possible, intuitive and consistent across varied systems, and meet evolving expectations.

2. The solution will work effectively regardless of the researcher’s starting point, physical location, and preferred device.

3. The solution will be consistent with emerging privacy regulations, will avoid requiring researchers to create yet another ID, and will achieve an optimal balance between security and usability.

4. The system will achieve end-to-end traceability, providing a robust, widely adopted mechanism for detecting fraud that occurs at institutions, vendor systems, and publishing platforms.

5. The customer will not be burdened with administrative work or expenses related to implementation and maintenance.

6. The implementation plan should allow for gradual transition and account for different levels of technical and organizational maturity in participating

RA21

20

Aspects of the Problem Aspects of the solution

1. Only the user’s home institution can validate their access to purchased content and services:

So, We need to do Contextual, Federated Authentication

Federated authentication using SAML

• The only IDM standard that supports contextual rather than just individual authentication

• Solves key aspects of the problem including distributed trust, support for anonymity and metadata exchange

• SAML federations reduce many–many agreements to many–one–many agreements

2. The user can start their journey from anywhere on the web, on any device, from any physical location:

So, We need to solve the WAYF (Where Are You From) question

Standard for universal session awareness

• Don’t ask the user to authenticate if they are already authenticated

Layered approach to WAYF “signposting”

• Use whatever you already know about the user (cookies, IP range, email address) to point them back to the correct authentication point if not already signed in

3. We all want access to be as barrier free as possible:

So, We need to make it as simple as possible for the user to understand what they need to do

Standardized user experiences and workflows

• Nothing will be as seamless as IP, but users will get used it if they have to do the same thing every time.

Solution Outline

RA21

21

Testing the Hypothesis

• Pilot program through Q3 2017• Broad spectrum of stakeholders

– STM member Task Force– Standards bodies, esp. NISO– Libraries– Research and Education federation operators– Technology managers– Aggregators– Proxy server providers– Vendors– Researchers– Customers– Other interested parties

• Address a variety of use cases• Self organized, yet, registered and tracked under the larger umbrella• Feedback and results shared with the community

RA21

22

What to Do Next?

• Visit: http://www.stm-assoc.org/standards-technology/ra21-resource-access-21st-century/

• Librarians and other customers – have your technical staff complete the survey: https://www.surveymonkey.com/r/RA21

• Everyone: Register your interest in participation by emailing: smit@stm-assoc.org

c.shillum@elsevier.com

@cshillum

mdincer@wiley.com

#RA21

RA21

Nikko Goncharof, Springer NatureWouter Haak, Elsevier

Co-chairs, STM SCN TWG

Voluntary principles for article sharing

24

Voluntary principles for article sharing on SCNs

In 2015, after conducting an open consultation, STM established a core set of principles that:

– clarify how, where, and what content should be shared using Scholarly Collaboration Networks (SCNs),

– improve the experience for all stakeholders,– encourage publishers and SCNs to work together to facilitate sharing,

benefiting researchers, institutions, and society as a whole.The principles, endorsements, FAQs, DOI tool and more, can be accessed on How Can I Share It? www.howcanishareit.com

25

Principles > key points

• Publishers commit to facilitate the dissemination and discovery of their authors’ scholarly articles

• Sharing should be allowed within a research collaboration group• Publishers and libraries should extend their collective use of

standards such as COUNTER to quantify article use on networks

• Publishers and standards organizations should continue to work together on tools that facilitate sharing (article versioning and access rights metadata)

• Publisher policies on research collaboration group sharing and public posting of articles should be clear and easily discoverable

26

Next steps

1. Publishing houses to make their sharing policies more explicit and easy to find

2. Technical support group looking into the development of a prototype system based on metadata tags in article PDFs to facilitate simple and seamless sharing consistent with publisher policies

3. Crossref’s Distributed Usage Logging (DUL) project will enable non-publisher platforms like SCNs to report on usage according the COUNTER standards

27

Next step #1 > How can I share it?

• Since the publication of the Principles a number of endorsing publishing houses have updated their policies

• STM has launched a website – www.howcanishareit.com – with additional information about the Principles, endorsing publishing houses and SCNs, etc.

• The website hosts links to participating publishers’ policy pages • The website hosts a DOI tool “Where can I share it” that can be

used to find clear-cut answers on which SCNs articles can be shared.

• Participating publishers: – Brill – Elsevier– IOPP– Oxford University Press – Taylor & Francis– Thieme – Wiley

More publishing houses will be added shortly

28

Next step #2: Technical support group (TSG)

• GoalThe goal of the working group is to devise a simple and pragmatic mechanism to enable Scholarly Collaboration Networks (SCNs) to determine what their users are permitted to do with publisher copies of scholarly content within the SCN platform - even when the platform does not have a direct agreement with the publisher of the content in question

• ProposalI. Embed DOI and JAV

tags in article PDFs > SCNs identify the article version

II. Add sharing policy identifiers to the existing Crossref Metadata API> SCNs obtain article-level sharing terms

Distributed Usage Logging

The Problem

• Researchers are increasingly using “alternative” (non-publisher) platforms to store, access and share the literature

– Institutional and subject repositories– Aggregator platforms (EBSCOhost, IngentaConnect)– Researcher-oriented social-networking sites (e.g. Academia.edu,

ResearchGate, Mendeley)– Reading environments and tools (e.g. ReadCube, Utopia Documents)

• Usage on these platforms is often legitimate, i.e. from researchers who have access to the content via institutional subscription agreements, however because the usage does not occur on the publishers’ own platforms, it cannot be captured in the COUNTER-compliant usage reports sent to subscribing customers, meaning that:

– Publishers are not able to demonstrate to their customers the true value of their subscription holdings and are not able to provide authors will a full picture of usage of their articles.

– Institutions are not able to make a full and accurate assessment of the usage of the content they subscribe to when making purchasing decisions.

30

Distributed Usage Logging

The Idea• Build on the Crossref infrastructure to create a framework which allows usage

information to flow from the point of usage (the alternative platforms) to the publishers, from where the data can be aggregated and incorporated into existing COUNTER usage reporting streams.

31

1. Researchers read articles on site of choice

2. Sites log usage via generic CrossRef API Including DOI, IP address, Institutional ID

3. CrossRef redirects logging call to publisher’s usage logging API

4. Publishers include third-party site usage in COUNTER reports sent to customers

Publisher A

Publisher C

Publisher BCrossRef

COUNTER

Institutional Repository

Social Networking

Site

Reading Environment

Institution

Publishers register usage logging API

URLs with CrossRef

COUNTER certifies participants

Distributed Usage Logging

32

Taking the Initiative Forward

Role of COUNTER• Define semantics of

usage logging messages

• Validate participants in the scheme

• Define CoP and oversee compliance auditing process

Role of CrossRef• Define syntax of usage

logging messages• Build and operate

technical infrastructure• Define technical API

specs• Provide training and

documentation on technical integration

Role of Platform Vendors• Integrate with logging

API• Send usage events via

API to CrossRef framework

• Adhere to COUNTER defined CoP

Role of Publishers• Integrate with logging

API• Receive usage events

from API• Incorporate into

existing COUNTER-compliant usage reporting stream

Distributed Usage Logging

33

Current status

• Crossref working group – Initial pilot conducted demonstrating message passing between SCNs

and Publishers– Privacy concerns → proposal to only share truncated IP– Crossref working on mechanism for message authentication to prevent

usage click fraud• COUNTER technical advisory group (TAG)

– Survey and focus groups conducted confirming strong interest in receiving usage information across platforms.

– Draft policy on participation created– DUL to be included in next COUNTER Code of Practice as optional

element (COP5)

Distributed Usage Logging

34

More Info

www.stm-assoc.org/standards-technology/ra21-resource-access-21st-century/

Register your interest in participation by emailing: smit@stm-assoc.org

www.howcanishareit.com

blog.crossref.org/2015/12/private-channel-dul.html

c.shillum@elsevier.com

@cshillum

RA21

Distributed Usage Logging