Name:
Access Apocalypse? Be Prepared for Anything
Duration:
T00H41M06S
Embed URL:
https://stream.cadmore.media/player/03ac4316-a958-4f30-a8b5-6b70f71bf96d
Upload Date:
2022-08-26T00:00:00.0000000
Transcript:
Language: EN.
[MUSIC PLAYING]
SANDY HIRSH: Hi, and welcome to the session, Access Apocalypse? Be Prepared for Anything. I'm Sandy Hirsh, Associate Dean for Academics in the College of Professional and Global Education at San Jose State University. And I'm very pleased to moderate this session today. The focus of this session is on current and evolving changes in access methods. This session will also address best practices for the future. The changes that are taking place in this area have significant implications for data privacy, workflows, as well as other implications.
SANDY HIRSH: So I'm very excited to hear what our speakers have to say. We have three excellent speakers who will address this important topic. First, we have Tim Lloyd, who is Founder and CEO of LibLynx, which provides identity, access, and analytics stat solutions for publishers and libraries. Tim is also a member of the governance committee at SeamlessAccess.org and co-chair of the outreach committee.
SANDY HIRSH: Next, we will hear from Heather Flanagan. Heather wears many hats, but the ones most relevant to today's session is her role as technical liaison for SeamlessAccess and chair for the W3C Federated Identity Community Group. Our last speaker today is Jason Griffey. Jason is the Director of Strategic Initiatives at NISO. Prior to joining NISO, Jason ran his own technology consulting company for libraries.
SANDY HIRSH: Has been both an affiliate at metaLAB and a fellow and affiliate at the Berkman Klein Center for Internet and Society at Harvard University. And was a faculty member and academic librarian at the University of Tennessee at Chattanooga. Welcome, again, to this session. I'm very excited to hear from our speakers. So let's get started. Tim Lloyd will kick us off.
TIM LLOYD: OK, so I'm going to kick off this talk with an overview of the current landscape in resource access to show the scale of the challenges and complexity that we deal with. A large part of my life is spent enabling tens of thousands of libraries across the globe to access resources from a diverse range of content and service providers. LibLynx supports both sides of the information community, both publishers and libraries. So we have a relatively unique window into the range of challenges we face as a community.
TIM LLOYD: Next slide, please. Let's start by reviewing the authentication methods available. One way to categorize them is by the type of information they provide to a publisher. So first, there are methods that authenticate individual identities only. Next.
TIM LLOYD: These methods generally rely on credentials associated with a specific individual, which means they work well for individual access. But can't reliably validate access to organizational rights, such as institutional subscriptions. However, it is possible to associate them with institutional authentication method. So a user can, say, log in with their personal identity credentials as long as, once a month,
TIM LLOYD: they use a recognized institutional method, such as access from a registered IP address. Then there are methods that authenticate organizational identities only. Next. A publisher typically can't identify an individual from any of these methods. We've got IP authentication. We've got referring URL, which is where access is authenticated if a user arrives from a particular URL that has been secured by the library, and passcodes, which are alphanumeric codes commonly used for trials and subscriptions.
TIM LLOYD: And then, finally, there are methods to authenticate both an individual and their organizational affiliation. Next, please. Library cards and organizational emails do both. Federated authentication straddles these two circles because it can be configured to simply confirm an organizational affiliation, or it can confirm both an organization and an individual within that organization.
TIM LLOYD: Next, please. It's also useful to think about authentication methods by market segment, as technical solutions are often developed to meet market-specific needs. Academic institutions have traditionally been concerned with privacy, and so favor methods that protect anonymity. And you can see those in the first row of the table.
TIM LLOYD: Public libraries have the least funding for access control. And they tend to rely on more older technologies, such as library card pattern matching, which is insecure, SIP2, which is a decades-old technology for validating PIN numbers, and referring URL, which is also insecure. In contrast, government and corporate libraries are more likely to use robust internal identity solutions that they want to leverage with library resources. So we see greater usage of federated and bilateral authentication.
TIM LLOYD: And that's where we're setting up a link just between two organizations. Next, please. So which methods are popular? This pie chart shows resource access by authentication method in 2021 on the LibLynx platform. And, as you can see, IP authentication clearly dominates with much smaller use of SAML, which is the technology underpinning Shibboleth and OpenAthens.
TIM LLOYD: And then username and password. So these three methods account for over 99% of all our authentications. There are two more methods worth mentioning, passcodes at 0.5% and referrer URLs at 0.2%. And then there's a long tail of more unusual methods that count for a tiny proportion of usage, but are important to certain categories of organizations or geographical markets.
TIM LLOYD: Note this chart is focusing on human access so it excludes automated traffic, such as bots and crawlers like Google and Bing. Next. So within these aggregate numbers, there are still some differences by segment. And there's a couple of simple examples that illustrate this. One is for our academic and STM focused customers who make much greater use of SAML.
TIM LLOYD: They're also more focused on capturing individual identities to drive personalization. So, as you can see from the green pie chart (green-backed pie chart), SAML accounts for almost 7% of their traffic on average. Next. In contrast, our more general, and humanities and social sciences publishers, rely far more heavily on legacy authentication methods, because their customers are more likely to rely on older technologies and lack the skills or funding to upgrade.
TIM LLOYD: They're also less likely to seek individual identities. So there's some interesting variations across our industry. Next, please. All of these methods pose challenges and none is perfect. So it's useful to get a sense of their relative pros and cons, as these trade-offs explain why so many legacy methods are still relied upon across our community. This table is based on my experiences working with these methods over more than a decade.
TIM LLOYD: And I've really only got time for the broad brush strokes now, but happy to go into more detail if we have time. I've just picked the top five here. There are plenty more that are important within specific segments of the market. So starting with IP authentication, it's easier to implement. It protects privacy.
TIM LLOYD: But maintenance can be painful when you take into account the effort to maintain up-to-date lists of IP addresses. Although, services like the IP registry can make that much simpler. In addition, proxying remote access is inherently unstable. And we see regular and sometimes significant disruptions to access when publishers change their websites and unwittingly break proxy configurations.
TIM LLOYD: We're also starting to see IP authentication fail due to Apple's changing approach to privacy, which Heather will talk about in more detail shortly. Security depends on a lot of factors, such as the security of access to proxy IP addresses, and how well publishers audit their IP addresses. That's a topic that can easily take up an entire session. Federated authentication is complex to implement. Requires specialist skills, but is easier to maintain, secure, and supports both privacy and personalization.
TIM LLOYD: More recent improvements such as SeamlessAccess and emerging configuration standards are reducing the friction that's historically impacted both users and implementers. Username and password authentication is still very common because it's so easy to implement. But publishers are becoming increasingly careful about storing personal credentials like this, because of data protection regulations like GDPR and the potential financial and reputational risks associated with data loss.
TIM LLOYD: Passcodes are easy to implement and protect privacy, but are very low security. Don't support personalization and can be a pain to maintain if you regularly update them. And finally, referrer URL is a notoriously insecure method that persists because it's relatively easy to implement and maintain. But also doesn't support personalization. Next.
TIM LLOYD: So in addition to the challenges posed by supporting a wide variety of authentication methods, the landscape we all operate in brings extra complexity. And if you could hit next twice please. Some of this is under our control. For example, librarians do not speak with one voice on privacy. While public and academic libraries are generally concerned, but can vary in terms of attitudes towards user content and control, corporate libraries seem largely unconcerned.
TIM LLOYD: Some publishers have to cope with all these scenarios. Next. Publishers do not speak with one voice on security. The abundance of insecure legacy methods clearly indicates that many publishers accept security as a trade off against sales. For others, security of content is an existential concern. Some libraries have to cope with all these scenarios. Next.
TIM LLOYD: Simple authentication methods work well when you're selling big deals that everyone can access. But many publishers and libraries benefit from methods that allow more granular authorization to enable subsets of users to get access to content. But this can be complex and costly to support with legacy authentication methods. Next. And the take up of new authentication technologies and practices is often tied to the life cycle of publishing platforms, which is why some publishers appear to work to five-year horizons for change while others engineer around months.
TIM LLOYD: Next. And then there are other powerful forces impacting authentication that are largely outside our control. Next. The introduction of GDPR in 2018 began a seismic shift in attitudes toward data privacy and protection. And these ripples are still being felt as new legislation has been introduced around the world.
TIM LLOYD: Publishers have woken up to the risks of playing fast and loose with personal data. But many are still working through the ramifications for their technology, their processes, and people. And the same is true of institutions. Next. User expectations-- they are heavily influenced by the personalized experience delivered by our mobile phones, which is a different world from the traditional academic experience.
TIM LLOYD: Apps have trained users to trade some privacy, for powerful improvements in usability. But publishers often fail to offer real value in return. Next. And some of the core technical infrastructure that authentication relies on is managed outside our industry by global corporations for whom our community is a rounding error. It's just the perfect point to hand over to Heather, who is going to talk about some pending changes in browser architecture with big implications for the future of authentication in our industry.
HEATHER FLANAGAN: Thank you, Tim. So yup, my section is about the future of web browsers, online privacy, and federated access. I'm going to talk about what problem the global web community is trying to solve here, and why the solutions challenge the research and education online access landscape. But before I get started, I need to make sure we're clear on some of the terms I'll be using today. The distinctions I'm about to make are very important when it comes to figuring out how to help your end users understand why their experience might not be working as they expected.
HEATHER FLANAGAN: Next slide, please. So let's get sorted on the difference between a web browser and a browser engine. Web browsers are what individuals see. That's your Chrome, your Firefox, your Safari, your Edge, your Brave, et cetera. But the browser engines are the platforms that web browsers are built on top of.
HEATHER FLANAGAN: And it's the browser engine that defines what functionality can be expressed in the browser. So on the desktop, Chrome, Edge, and Brave are all built on what's commonly called Chromium. Its actual name is Blink, which means they have the same feature set to work from, though they may have chosen to turn on or off different features by default. Brave likes to turn off everything.
HEATHER FLANAGAN: Chrome is much more flexible. Edge is somewhere in the middle. But on mobile devices, this is where it gets kind of fun, because particularly on Apple mobile devices, all browsers, whether it's called Chrome, or Firefox, or anything else, all browsers are built on WebKit. Well, that means if a customer comes to you and says, this doesn't work on Chrome.
HEATHER FLANAGAN: The first question you need to ask is, what operating system are you using? Because the functionality will be different if they're using Chrome on their desktop versus if they're using it on an Apple device. OK, let's shift to slide 11. So the general problem statement. And this is something that the broader web community has discussed.
HEATHER FLANAGAN: And it's pretty straightforward. It's motherhood and apple pie for us. It's non-transparent, uncontrollable tracking of users across the web needs to be addressed and prevented. Go team. Wouldn't it have been nice if the web had been designed that way as a first principle? Unfortunately, it wasn't. Which leads us to the next aspect of the problem.
HEATHER FLANAGAN: Next slide, please. And that's the fact that the features built into the web, things like cookies, link decoration, redirects, all of which I'm going to go into in more detail in a bit, are used by trackers and are also the same features used by federated authentication and authorization technologies. These features known as browser primitives, they are the fundamental building blocks that were defined early on and which were considered no more good or evil than a building brick.
HEATHER FLANAGAN: You can use a brick to build a house, or you can use it to break a window. A brick is a brick. And that's how these particular features were considered. So federated login, using those features because they're there. Trackers using the same ones. Slide 13. So there you go.
HEATHER FLANAGAN: The point where we stand now is if the feature can be used for tracking, then it's on the roadmap-- I say the roadmap as if that's a single thing, it's on the roadmap to be entirely reconsidered, blocked, or otherwise modified to prevent that hidden tracking. And again, that's something we can all get behind. But it's going to make online access to content a lot more complicated even if you take federated authentication out of the picture.
HEATHER FLANAGAN: This impacts everything that can be used for tracking purposes. Next slide, please. So this might be something of a controversial slide. I'm kind of OK with feedback on that. I've been working with browser vendors directly for nearly a year. And one of the things I've come to understand is that they are driven by their primary use case.
HEATHER FLANAGAN: And that use case is the consumer web. Consumer web is what they know. All other use cases, and I mean all other use cases, pale in comparison to e-commerce. Use cases like research and education will be heard if the right people come to the table. But the primary use case will always be commerce. It's a fact of the web today. And something I think other sectors have been slow to realize that their use cases are going to have to start fitting into how the browser vendors interpret commerce, what they think individuals accept in the commercial web and not what's necessarily best for their sector.
HEATHER FLANAGAN: Next slide. OK, so now let's go back to school for just a moment about, how does tracking actually happen? So we're talking about the browser features of third-party cookies, IP addresses, browser fingerprinting, link decoration, and bounce tracking. Next slide, please. Mhm, cookies.
HEATHER FLANAGAN: So there's different kinds of cookies, right? There's first-party cookies, which is accessible only by the domain that created it. So if you go to The New York Times and The New York Times sets the cookie in the browser, then The New York Times can always access that cookie and no one else can. A third-party cookie, however, is one that's accessible by any site.
HEATHER FLANAGAN: And there are very valid reasons for doing that. But we'll get to that. I just want to make sure you have it in your head what is this cookie thing. It's a big piece of code in your web browser, and it can have different states. It can have a first-party state or a third-party state. Next slide, please. IP addresses-- I probably don't need to tell you what IP addresses are.
HEATHER FLANAGAN: They are often used to identify machines and/or services. And if you're coming at this from a university or an enterprise perspective or something, then it's quite common that your IP addresses are fixed. They can't be used to identify individuals at your school because your school has hundreds, tens of thousands of people involved. And they're not just used by libraries. They're also often used actually by ERP systems in an enterprise context.
HEATHER FLANAGAN: Quick side note. Back to the question of, what do the browsers know? They know commerce. And IP addresses can be used as a way to identify individuals as they travel on the web in the most common scenario they're familiar with. So that's why that's on the table, even though it's not applicable in the scenario you're probably most familiar with.
HEATHER FLANAGAN: Link decoration-- you've all seen link decoration. If you go to a site and you do a search, you get this little question mark something after the URL for a query string. That's fine. If you're using one of the different flavors of federated authentication, then the token in some cases for that authentication information that's right there.
HEATHER FLANAGAN: And it's also used for tracking information. And from the browser's perspective, it cannot tell the difference. Next slide, please. Browser fingerprinting-- there's been some really neat studies. You can go to Google Scholar and just do a search on browser fingerprinting about just how close you can get to identifying an individual person as they move across the web based on what their browser is like, specifically consolidating the information, aggregating the information of, OK, what browser did they use?
HEATHER FLANAGAN: What fonts did they choose? What add-ons do they have? What security configurations are they using? What IP addresses are they coming from? All of this becomes their fingerprint as they move from site to site to site. You can use that for tracking. That's a problem. And the browser vendors don't know how they're going to fix it, but it's on the list.
HEATHER FLANAGAN: Next slide, please. And bounce tracking. What is this bounce tracking thing? This is something. So concerns about third-party cookies and the fact that these other people can actually look at what's going on in your browser. It's been a concern for a while. And so some trackers have been using some different ways to get around this where you go to a website, we call it website 8 here, and that site sends the user very quickly to the third-party site, the tracker site, who can then set the cookie as a first-party.
HEATHER FLANAGAN: The user has visited that site, therefore the cookie is set. And therefore, they can follow that cookie and the user as they go around the web. Poor form, but very commonly done. But this is also used very much by a federated authentication protocol called OpenID Connect, which is used very, very often by-- whenever you log in with your Google account, or your Facebook account, or your Apple account, you're using something that's basically OpenID Connect.
HEATHER FLANAGAN: And it uses bounce redirects very heavily to validate session information for your authentication process. Again, the browsers can't tell the difference between these two things. Next slide, please. All right, so what's changing now? That was all great. You now have more information on the background of what's involved in tracking, and what kinds of things are going to be somehow addressed over time.
HEATHER FLANAGAN: Next slide, please. Click. Right. OK, so this is a short version. For all of you that are using SAML-based infrastructure, so OpenAthens or Shibboleth are probably the two most common in the higher ed space. Authentication that uses SAML, it's actually going to continue to work just fine for at least the next two to three years.
HEATHER FLANAGAN: There's one exception to that. And that's the ability to globally log out of all SAML sessions. And that's because no one implements that well. And sometimes they use third-party cookies to try and make it work. Next. OK, so authentication that uses OpenID Connect, so the Googles, the PayPals of the world.
HEATHER FLANAGAN: That will partly break but not entirely. It depends on whether they're doing something in what's called the front channel or in the back channel. Next one, please. OK, some services, like SeamlessAccess, which many of you will be familiar with at this point, SeamlessAccess uses browser local storage, which is not the same as setting a cookie. But the third-party instance to it will be something that breaks in some instances.
HEATHER FLANAGAN: It won't be consistent. Now what it means for breakage is it means that really smart button where instead of saying access through your institution after you selected an institution, it says access through Stanford University or whatever entity. It will constantly send you back through the IDP discovery process. So it won't be an ideal experience.
HEATHER FLANAGAN: And that experience won't be consistent depending on how SeamlessAccess has been implemented. Next one. If you use Microsoft Teams through the browser or a learning management system that acts a lot like Teams so that many domains are being shown on the same screen as part of the same web application, that's going to have a lot of difficulties. And you're going to see some interesting breakage right now.
HEATHER FLANAGAN: Next one, please. And other features. The first ones I've been talking about are largely federated authentication related. But other features that enable tracking in particular of concern to this community, the IP addresses, they're already breaking depending on what browser you're using. Next slide.
HEATHER FLANAGAN: OK, so I'm going to focus on cookies for a minute, because this is where most of the active work is underway. Google in particular is working hard to figure out how to manage the cookie space. Some of you may have seen the very recent news where online advertisers in Europe are trying to block third-party cookie deprecation because it will give Google unfair competitive advantage when it comes to advertising.
HEATHER FLANAGAN: All of that is true. That said, other browsers have already taken steps here. And Google itself is actively trying to develop alternatives to handle the use case of when federated authentication uses cookies. So even though there's this active fight against Google, that doesn't change the fundamental nature of what's starting to change.
HEATHER FLANAGAN: Safari already blocks third-party cookies, things like Microsoft Teams through the browser. It just doesn't work on Safari. Period. It just doesn't. And Microsoft's stance on that is don't use Safari. Firefox, they're doing a heuristic model where they have a set list of roughly 3,000 known domains that they say, OK, if a third-party cookie is being set or accessed by one of these domains, don't allow it.
HEATHER FLANAGAN: If any of you have been around anyone who manages an email system and tries to maintain a blacklist for spam, you'll know just that's a never-ending thankless job because registering a domain is super, super easy. And maintaining this list, you're always playing catch up. Chrome is trying to phase out third-party cookies. They'll get there.
HEATHER FLANAGAN: The timing I think is going to be an interesting question. All right, next slide. So we'll pass this one pretty quick because we've talked about some of this already. What's going to break when the third-party cookies are gone? Single log out, some OpenID Connect, Google, PayPal features, and the IDP persistent service of SeamlessAccess in some cases.
HEATHER FLANAGAN: So let's see. Where am I? You can always do your own tests, right? And in fact, if you're a vendor that's supporting federated authentication and authorization and you're willing to report back on what stops working for you when you turn off third-party cookies, we'd love to hear it because you can test this now in the comfort of your own home. If you have access to an Apple platform, start playing around with Safari and see what is working and what isn't.
HEATHER FLANAGAN: If you are one of the 65% of the market that uses Chrome on your desktop, there's now a setting where you can go to your preferences and turn off all third-party cookies. Go ahead and try it. And then use your services the way you would in any given day and see what breaks. Especially in the federated context, Google would like to know.
HEATHER FLANAGAN: And if you drop me a note, I can make sure that information gets shared. Next slide, please. Much of the focus so far has been on the impact of federated authentication because that's my favorite thing. And I think there's lots of reasons to choose it over IP address authorization. But that's not the discussion we're having today.
HEATHER FLANAGAN: Regardless of where you fall in that particular debate, you are almost certainly still using IP-based authorization for some of your services. And at least Apple, an organization that often breaks ground in the online privacy space, is prioritizing privacy over any concerns about breakage. And has already started enabling functionality to obfuscate IP addresses for some of their customers. Now this is something that universities can work around.
HEATHER FLANAGAN: And I'll have pointers to that. But your University networking department has to know to do it. I have not yet heard that any of the other browser vendors are pursuing this. But given just the nature of web and privacy today, I put this as a they're not pursuing it yet rather than it's not something they're going to do. Next slide.
HEATHER FLANAGAN: So unfortunately, Apple and Mozilla don't have published timelines and milestones regarding what changes they have planned in their browser engines. Google does, which helps. But even that isn't actually the most detailed thing. It has the benefit of showing you what projects they are experimenting with. But only a few of those things actually show when they'll start what they call origin trials, which if you've ever been involved in any software development work, think of that as alpha testing.
HEATHER FLANAGAN: And also they don't show a lot of, OK, when is the feature going to be available for broader use, where if nothing else, the feature flag is available in your preferences. And of course, there's no reference in any of Google's timelines to the lawsuits being brought against them to delay or downright stop some of their efforts.
HEATHER FLANAGAN: So all we can do is really say watch this space. Next slide, please. So I have often been referred to as the chipper voice of fear, uncertainty, and doubt on this topic. But I don't want to leave you with nothing to take back to your organizations. SeamlessAccess has put together an FAQ geared towards librarians, but which may be of use to anyone interested in this space.
HEATHER FLANAGAN: I encourage you to read through and share it with others. Changes in the browser space are ongoing. They're going to continue to happen. And they're not going to be easy, especially for our sector to handle. But the absolute worst thing that can happen is that it happens as a surprise. So please share the word and be on the lookout for more information as it becomes available.
HEATHER FLANAGAN: And with that, Jason is going to talk about more concrete actions you and your organizations can take to be prepared going forward.
JASON GRIFFEY: Thanks, Heather. So yeah, I'm going to wrap up pretty quickly and just give you a little bit of an idea of what to look for, what to think about in moving forward in this space. One of the difficulties here is that it is incredibly complicated, and it is very much a moving target. So in sort of preparation for the next several years of browser changes and access difficulties and such, I think it's important to remember that these issues are really complex and in some ways difficult to understand.
JASON GRIFFEY: People in your organization will need to start educating themselves about the variety of access methods, how they interact with each other. When something breaks, how do you identify exactly which of the various issues that might be going on are going on? I actually worry a lot about front-line support, especially in libraries where troubleshooting with users will be maddening.
JASON GRIFFEY: You'll have a variety of browsers on a variety of devices all of which may be doing something slightly differently, as Heather pointed out, and accessing things in a variety of ways. And that web of potential problems is going to be extremely difficult to untangle. And so the more you know, the more you educate yourself through methods. As Heather pointed, the SeamlessAccess Learning Center is a good one to start with.
JASON GRIFFEY: We've been working very hard there to try and provide resources that are descriptive of the larger access world. But if you start educating yourself and learning to identify these issues, you're going to be ahead of the game. Evaluate your own methodologies. If you're in a library or in a similar space, access how the things are provided to you, how are you identifying your users to your vendors, et cetera.
JASON GRIFFEY: And if you are a vendor or a publisher that provides access to something, if you're a service provider, then think about how your methodologies are going to be affected by this. Depending upon what you use primarily, again, Tim pointed out that IP addressing is still by far the majority of sort of access methodologies that are going on. But your particular area may vary.
JASON GRIFFEY: And so knowing what your particular methodology is and comparing that to the potential breakage issues will help you narrow your scope a lot. And then often technologists say this and are not always loved for it. But things are going to start changing pretty rapidly. And over the next five years, I expect and I think all of us expect to see quite a variety of changes coming to how all of the privacy issues in the browser world are treated, and all of the ways that will impact the variety of access methodologies to be used in information provision.
JASON GRIFFEY: And so authentication, authorization, access controls are all going to be up in the air for the next few years. There's going to be a few years of stability up front the first couple of years from now. But things are going to start breaking in small ways. And so being prepared to react is going to be really, really important for access to your information.
JASON GRIFFEY: The other thing is informing your users, informing your customers, it's unlikely that things are going to just break in large numbers. But as things start to change, it is unlikely that they will go backwards. That is, once Apple implements a particular security provision in their browser, in Safari, they do not roll them back, at least very, very, very infrequently.
JASON GRIFFEY: And so once the changes start, they will continue. And so just because something breaks, doesn't mean it's going to get fixed. It may just be one step down the line of things that will continue to change. Communication about this, both externally and internally, is extremely difficult because of the way in which this issue is going to expand. Often, when there are technical issues, people assume that if something breaks in one place, it will break in another.
JASON GRIFFEY: Just because it doesn't work in Safari, it'll be fine in, whatever, Firefox or Chrome. It is important to realize that these security changes are almost certainly going to roll across the browser landscape. And so you may be safe temporarily and it may not apply right now, but it likely will eventually. And because of this interconnected web that I talked about earlier of multiple types of technologies, multiple browsers, multiple platforms that those browsers ride upon, multiple access methodologies that may be in play, it means that all of the different organizations that are tied up in those technologies are going to need to talk to one another.
JASON GRIFFEY: And that makes communication really complicated for your organization. Your organization, your service providers, your users, your IT department are all going to have to work in concert in some ways to figure out how to approach and how to react to some of the changes that are coming. And so it's not something that a lot of orgs are really good at. And I'll speak from my experience as a librarian, something that libraries are not often particularly good at is communications with their IT departments and external vendors.
JASON GRIFFEY: And so it is going to be really important that you watch this space, and that you're ready to start those conversations when the time comes. And then finally, now that you're aware, you're watching this, which means now you know some of the things that are on the way, which means that you can advocate to help fix it.
JASON GRIFFEY: And that means a couple of things. Internally in your organization, it means starting those conversations with your IT department, your system department, your vendors. Make sure that you understand how your access methodologies work, what data is being shared, what browsers are the most common. Anything you can do to prepare yourself as far as gathering the information internally is going to help you moving forward.
JASON GRIFFEY: And then working with the people that license your-- if you're in a library, the electronic resources or the department that is licensing, make sure that you understand like IP authentication versus federated authentication. As you renew your licenses with your licensed content, make sure you understand which way you're going so that you know what might be your problems moving forward, right?
JASON GRIFFEY: It's a really complicated landscape. But you can be aware now of the sort of likely issues and help yourself in the future. And then externally, there are organizations in the information community that are paying attention to this sort of thing. SeamlessAccess is one of those, W3C. NISO, my organization, is working in the SeamlessAccess space to try and understand what these changes may portend for the information ecosystem.
JASON GRIFFEY: And so look at those groups. If those groups start reaching out for assistance in getting the word out or in having working groups to do things, join up and put some effort to trying to understand and fix some of these issues as we go forward. And then, again, be ready to work with groups outside of your organization. Federated authentication relies on federations.
JASON GRIFFEY: If you use that and you are working with a larger federation in common, be ready to work with them, be ready to talk with them about what they are doing to try and mitigate some of the issues that are coming with the browsers. Other large co-operatives, if you're part of a cooperative, reach out and try to figure out how other people are dealing with it, and help to try and find solutions to the breakages that are coming for us, whether we want them or not.
JASON GRIFFEY: And that's all I have. Thank you. This is contact information for Heather, Tim, and myself. Feel free to reach out to any of us if you have questions. We're looking forward to talking with you in the conversation. And I'll throw it back to Sandy to close this out.
SANDY HIRSH: Great. Thank you. Thank you for this excellent session. I want to thank our outstanding speakers, Tim Lloyd, Heather Flanagan, and Jason Griffey. And as Jason said, we'd like to now invite you to join our Zoom room to discuss this very important topic further. [MUSIC PLAYING]