Saturday, November 13, 2010

Unit 8: Technological protection measures

This unit is about:

  1. Which kinds of technological barriers stand between prospective users and the information they are seeking
  2. Which technological barriers are being used by libraries/museums/archives
  3. Which technological barriers are being used by publishers and vendors that provide licensed scholarly resources to librarians
  4. Why is it important for librarians to be aware of items 1, 2 and 3?


1) So, what stands between users and information? At the most basic level it is control of access.

The Millman article "Authentication and Authorization" discusses methods of information systems security, privacy and access management by authentication and authorization.

Authentication is defined by Millman as the "Process of validating an assertion of identity" (p. 229).
Authentication involves "telling" a computer system who you are, and the way the system decides whether you are telling the truth. This has grown increasingly complex since the early days of authentication (into the 1980s), when users had a more intimate, physical relationship with their computer system. The emergence of remote resources has promoted the evolution of a variety of authentication methods.

This makes me think about the many ways that I use authentication services during the day: school, banking, email, social networks, etc. I probably go through an authentication process about 10 times per day, at least. As the article points out, methods of authentication are becoming cumbersome--it is very difficult to remember all of one's passwords, usernames, security questions, etc.

The article discusses the various methods of authentication, including:
  • Passwords. This is a "what one knows" or "shared secret" type of authentication. It is the most common type of authentication method. It has security risks: passwords can be hacked or shared. The more frequently passwords change, the more secure they are.
  • Network topology: Systems identifying other systems based on where they are in network (i.e. IP addresses)
  • Biometrics (what one is): comparing physical characteristics with information in a database. This is the most stringent method of authentication.
  • Public key cryptography: (what one possesses?) I did not understand the Millman explanation for this. I looked it up on "HowStuffWorks.com" and I still don't really understand. Each user has two keys, public and private. Private is assigned to user's computer. Public is used to transfer information. The keys are inverse of each other. You need both to decrypt information. Extra note on public key cryptography: Windows Media Audio uses a form of public key cryptography in its DRM. User gets an encrypted key and an unencrypted key to decrypt WMA files. A program called FairUse4WM was created in 2006, by an entity named "Viodentia," to strip DRM from WMAs. Windows tried to sue, but could not find the identity of Viodentia.
  • Smart card (what one possesses): a tiny low-power computer that can store authentication information (for example, a private key)
  • Digital Signatures: A small bit of data associated with a larger bit of data that "fingerprints" or identifies data. For example, a private key can leave a fingerprint when a user encrypts with it.
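
To make the public key and digital signature items above concrete, here is an added example (not from the Millman article or the original post) using a toy textbook-RSA key pair. The primes, function names and sample message are constructed for illustration, and keys this small offer no security.

```python
import hashlib

# Toy key pair from small constructed primes (textbook RSA, no padding).
# Illustration only: real keys are 2048+ bits and use a padding scheme.
P, Q = 61, 53
N = P * Q                   # modulus, part of both keys
PHI = (P - 1) * (Q - 1)
E = 17                      # public exponent: published to everyone
D = pow(E, -1, PHI)         # private exponent: stays with the owner (Python 3.8+)


def encrypt(m: int) -> int:
    """Anyone can encrypt to the owner with the public key (E, N)."""
    return pow(m, E, N)


def decrypt(c: int) -> int:
    """Only the private key (D, N) undoes encrypt()."""
    return pow(c, D, N)


def digest(message: bytes) -> int:
    """SHA-256 of the message, reduced into the toy modulus range."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def sign(message: bytes) -> int:
    """The owner transforms the digest with the private key."""
    return pow(digest(message), D, N)


def verify(message: bytes, signature: int) -> bool:
    """Anyone checks the signature with the public key alone."""
    return pow(signature, E, N) == digest(message)


if __name__ == "__main__":
    msg = b"constructed sample: renew loan for item 42"
    sig = sign(msg)
    print("round trip:", decrypt(encrypt(65)) == 65)
    print("valid signature:", verify(msg, sig))
    print("altered signature:", verify(msg, (sig + 1) % N))
```
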

The article also discusses authorization, or the "process of determining which operations are permitted between a given subject and object" (p. 233).
Authorization methods can be:
  • mandatory access control (MAC): An administrator assigns classifications to subjects and objects, representing levels of security.
  • discretionary access control (DAC): Owner determines access permissions
  • role-based access control (RBAC): Permissions change based on a subject's role
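
The three models can give different answers to the same request. The following added example (not from the Millman article or the original post) evaluates one request under each; the labels, roles, user names and the single-rule MAC check are constructed simplifications.

```python
from dataclasses import dataclass, field

LEVELS = {"public": 0, "staff": 1, "restricted": 2}   # MAC labels (constructed)
ROLE_PERMISSIONS = {                                   # RBAC table (constructed)
    "patron": {"read"},
    "cataloger": {"read", "edit"},
}


@dataclass
class Subject:
    name: str
    clearance: str = "public"                  # set by an administrator (MAC)
    roles: set = field(default_factory=set)    # current roles (RBAC)


@dataclass
class Resource:
    name: str
    classification: str = "public"             # set by an administrator (MAC)
    owner: str = ""                            # DAC: the owner decides
    acl: dict = field(default_factory=dict)    # DAC: user name -> operations


def mac_allows(s: Subject, r: Resource, op: str) -> bool:
    # Simplified to one rule: clearance must be at least the classification.
    return LEVELS[s.clearance] >= LEVELS[r.classification]


def dac_grant(owner: Subject, r: Resource, user: str, op: str) -> None:
    if owner.name != r.owner:
        raise PermissionError("only the owner may change permissions")
    r.acl.setdefault(user, set()).add(op)


def dac_allows(s: Subject, r: Resource, op: str) -> bool:
    return s.name == r.owner or op in r.acl.get(s.name, set())


def rbac_allows(s: Subject, r: Resource, op: str) -> bool:
    return any(op in ROLE_PERMISSIONS.get(role, set()) for role in s.roles)


def decide(s: Subject, r: Resource, op: str) -> dict:
    """Evaluate one request under each model so the answers can be compared."""
    return {"MAC": mac_allows(s, r, op), "DAC": dac_allows(s, r, op),
            "RBAC": rbac_allows(s, r, op)}
```

For a cataloger with "staff" clearance asking to edit a "restricted" item owned by someone else, `decide` returns False for MAC and DAC and True for RBAC; a `dac_grant` by the owner flips only the DAC answer.
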

2) What technological barriers to access and use are commonly used by libraries, museums and archives?

The article "Technologies Employed to Control Access to or Use of Digital Cultural Collections: Controlled Online Collections" contained surveys that were used to evaluate what the most popular types of Technology Protection Measures (TPM) are. The article defines TPM as "computer hardware and software based systems or tools that seek to limit access to a work or use of a work" where systems are "branded (often commercial) software packages involving numerous interrelated functionalities" and tools can be seen in many different systems.

Access control was most commonly accomplished by use of authentication methods (usually networkID authentication), authorization systems, and IP ranges. Some use of terminal-restricted access was also reported.

Use control was most commonly accomplished by resolution limits, clips and thumbnails. Visible watermarking and click-through agreements were also used by a significant number of institutions.

No one reported using Biometric controls... :)

3) How are vendors and publishers restricting use?

For material to be valuable to users, they often need to be able to print it, save it, and cut and paste from it. The article "Every Library's Nightmare? Digital Rights Management, Use Restrictions and Licensed Scholarly Resources" discusses some of the ways that vendors restrict use of licensed scholarly resources.

The first type of restriction discussed by the article is "soft restriction." Soft restrictions do not strictly prevent use, but deter certain uses by making it difficult to perform the needed operations. 6 kinds of soft restrictions were discussed:
  • Extent of use: Vendors warn against excessive use of material, or give print/save batch limits
  • Restriction by frustration: Breaking contents into chunks that must be saved/printed as a chunk rather than as needed. Common in ebooks.
  • Obfuscation: Interfaces that make finding print/save functions difficult
  • Interface omission: Interfaces that do not have certain functions like print/email/copy/save/paste.
  • Restriction by decomposition: When material breaks down into files when it is saved
  • Restriction by warning: Using warnings against certain uses, like saving, but not preventing them with technology.
The other kind of restriction is referred to as "hard" restriction in the article; hard restrictions strictly prevent use.
There are two types described in the article:
  • Type 1: No copy/pasting/printing possible
  • Type 2: Secure container TPM in place
These were rarer than the soft restrictions. No examples of Type 2 were found in the article's surveys.

4) Why is it important for librarians to be aware of methods for preventing user access/use and employment of these methods in libraries and by vendors?

First of all, many librarians work with communities of users who must be authenticated before they can access the library's licensed resources. Levels of authorization are also common in these libraries, where different staff are given different permissions to access the library's network. In class we discussed the Shibboleth system, which is an open source authentication system that can identify which 'group' a user is in. This can affect libraries, because it offers a way to restrict information to departments.

Secondly, librarians should be informed about what types of TPM are being used in libraries/archives/museums. They may be in a position to select TPM themselves, and even if not, should be aware of how TPM affect users (i.e. visible watermarking is detrimental to use).

Third, it is important for librarians to be aware that vendors may use soft restrictions that do not reflect their terms of use or signed licenses (for example, making saving difficult, when it is allowable under the terms of use).

As a user, I find it difficult to separate TPM in place by the library from TPM used by vendors. Clearly the NetID and password authentication process is through the UW system. Generally the TPM that I come across most often, aside from login, are TPM that prevent copying and pasting from articles that are accessed through licensed resources, which I presume is a vendor/publisher thing. Another example I can think of (and we discussed in class) that represents soft restriction, by the library itself, is the use of the goprint system, which uses ID cards as print cards. This makes it much more difficult for the public to print.

References:

1. Eschenfelder, K. R. (2008). "Every Library's Nightmare? Digital Rights Management and Licensed Scholarly Digital Resources." College and Research Libraries, 69(3), 205-225.
2. Eschenfelder & Agnew (2010). "Technologies Employed to Control Access to or Use of Digital Cultural Collections: Controlled Online Collections." D-Lib Magazine, Vol 16, No 1. http://www.dlib.org/dlib/january10/eschenfelder/01eschenfelder.html
3. David Millman (2003). "Authentication and Authorization." Encyclopedia of Library and Information Studies, 2nd Edition.
4. Zhu, A.; Eschenfelder, K.R. (2010). "Social Construction of Authorized Users in the Digital Age." College and Research Libraries. Anticipated Publication Date: November 2010. http://crl.acrl.org/content/early/2010/04/29/crl-62r1.full.pdf+html
