What exactly is happening, and when? 

  1. Major browsers are introducing enhanced features for privacy preservation to help users protect their data privacy on the web. 

Brower vendors Apple (Safari), Google (Chrome), Mozilla (Firefox) and Microsoft (Edge) are introducing new features to their browsers that provide enhanced data and privacy protection on the web. 

It appears these new feature sets are spurred in part by major sanctions and fees incurred under privacy laws, notably by corporations whose data collection practices do not adhere to the EU’s General Data Protection Regulation, or GDPR. 

Some of these new privacy-preserving browser features are already deployed and in use – Apple's Safari and Mozilla’s Firefox have already deployed some of these as a default and support others as an opt-in.  

For features not yet deployed and in use, major browser vendors have communicated intent and, in some cases, timelines. Some features will be enabled as a global default for all browser users, potentially changing the experience for  every single web user. Other features have been announced as opt-ins and will need to be proactively enabled by savvy users of these browsers. 

However, trends in privacy regulation and enforcement indicate there is potential for opt-in features to evolve into default settings in the future. 

  1. Changes to browsers are targeting mechanisms commonly used for tracking users’ activities across websites. 

What enhanced or new features will browsers roll out? Fortunately, community organizations like STM, NISO, SeamlessAccess, and ALA Core are tracking information from browser vendors with the goal of identifying exactly what to expect.  

Per communication from these groups and from browser vendors, changes will occur in 5 major areas: 

  • Blocking third-party cookies 
  • Hiding the user’s IP address  
  • Disabling link decoration by dropping certain URL parameters 
  • Disabling bounce tracking to obscure a user’s activity across multiple websites. 
  • Blocking collection of a user’s specific settings through browser fingerprinting 

Continue reading below for a basic summary of what these practices are and some examples of how they’re used on the web. Additional expanded information is available in a recent STM webinar on this topic presented by Heather Flanagan.  
 

How will these new browser features impact experiences on the web? 

  1. Technology used on the web will be impacted – and not just for libraries. 

Entities that track user activity across the web often utilize third-party cookies, link decoration, and other mechanisms mentioned above. However, these mechanisms can also be used to support legitimate functionality and experiences. Below are just a few examples. 

Third-party cookies are used for many things, especially in integrated environments where functionality and services from multiple web domains are used. A cookie is considered third-party when its web domain differs from the web domain where it is being used.  

  • An example of this is using social logins, such as Gmail or LinkedIn logins, where a cookie from the social website must be received by the non-social website where the user is logging in. Social logins are sometimes used to create a personal account in research interfaces. 
  • Another example is using analytics tools, such as tracking activity on a website using Google Analytics. In this instance, a Google Analytics cookie is considered a third party because it uses a different web domain than the website where it is being used to observe activity. Some organizations use cookie-based analytics tools to track important metrics, such as successful vs. failed access, without necessarily collecting personal, identifiable information. 

IP addresses and ranges are often used to limit access to employee resources for those on-network. IPs are also heavily used for access to library resources, the implications of which are expanded upon below. 

By definition, link decoration can encompass URL query parameters that may be used for legitimate and necessary functionality, such as pointing to a specific customer ID or article identifier. 

Publishers and service providers whose websites utilize these mechanisms for non-tracking purposes may be impacted alongside browsers blocking tracking. 

  1. ...but library authentication and access – especially libraries relying heavily on on-site IP addresses – may be disproportionately impacted, relative to other industries. 

Many libraries support access using IP addresses or ranges, allowing on-site users – physically in the library or on campus – to seamlessly access electronic resources. Reliance on IP access has historically been favored by libraries due to its low cost and simplicity of the experience for on-site users. 

Oftentimes libraries employ another, separate tool for remote – or off-site – access to resources, such as single sign-on (SSO) or a proxy tool. However, some libraries do not have or do not uniformly use a remote authentication method. 

Any users who enable “Hide My IP” features in their browsers will no longer be able to access electronic resources using on-site IP access. According to EBSCO’s data, around 60 percent of all successful access to our products uses on-site IP access. Many publishers and vendors servicing libraries and research institutions also support IP access as a primary – or sole – access method. Over time, IP addresses have become increasingly unreliable due to evolving security technologies; these browser changes will accelerate the growing volume of failed IP access. 

With the proliferation of “Hide My IP” browser features, it is unlikely that issues will appear as a sudden outage. It is more likely that the impact of these browser features will appear as declining usage of library content and services over time. Currently, major browsers that have introduced or plan to introduce “Hide My IP” features will allow users to opt-in. Libraries may choose to educate their users about the importance of using IP addresses for electronic resource access; however, privacy-concerned patrons will likely continue to use browser features that meet their personal preferences. 

Libraries that do not have a remote authentication method (e.g., an access method other than using on-site IP addresses) may see the broadest scope of impact. See #7 and #8 for suggestions on how to prepare. 

Beyond impacts to on-site IP access, some specific aspects of modern authentication experiences may see changes, notably: 

  • Persistently saving your chosen institution in Where-Are-You-From (WAYF) tools relies on third-party cookies and is likely to be impacted as browsers begin blocking third-party cookies across the board. This includes persistently saving your institution at vendor websites that use SeamlessAccess and OpenAthens’ Wayfinder to support authentication. Saving your institution allows for more intuitive experiences for users who are accessing on the ‘open web,’ such as from a search engine rather than from the library’s website or portal. Recent studies reflect that upwards of 75 percent of users begin their research on the open web, emphasizing the importance of WAYF experiences. 
  • SAML Single Sign-On (SSO) authentication will continue to work, but seamlessly jumping between websites may be impacted. Community groups mentioned below continue to monitor potential impact and how Federated Credential Management can mitigate impact. See below for more on this topic.  

How is the library and research community preparing? 

  1. Library technology and standards organizations have a seat at the table with the major tech entities driving these browser changes. 

Community and industry groups like STM, SeamlessAccess, and NISO are working to communicate the research community’s needs to browser vendors and have been doing so for some time. Members of the research community have participated in technical testing and feedback periods alongside other stakeholders of these browser changes.  

While libraries and research organizations are a very small slice of browser vendors’ business, these groups strive to make our community’s voice heard. 

As a result of feedback to browser vendors, a new tool called Federated Credential Management (FedCM) has been introduced to Google Chrome and is actively in testing and refinement. The FedCM project intends to circumvent specific negative impacts of third-party cookie blocking in support of federated identity but may also mitigate impacts of other browser changes. As the tool evolves and solidifies, more information will be made available to libraries and vendors about how to utilize FedCM where appropriate. 
 

  1. EBSCO is preparing and is here to help. 

EBSCO’s product and technical teams are engaged with community working groups and technical experts to address potential impacts on EBSCO experiences and functionality, where mitigation is within EBSCO’s control. A few examples of EBSCO’s specific actions include: 

  • Conducting a technical audit of EBSCO platforms to identify the use of third-party cookies and if third-party cookies are used to deliver specific functionality to the researcher. Our goal is to affirm that there will be no impact on basic research needs in EBSCO products.  
  • Monitoring information about browser changes as it emerges from Apple, Google, Mozilla, and Microsoft and from stakeholders working against adverse impacts. This includes examining how link decoration will be blocked to avoid any impact on essential URL query parameters, such as with OpenURL linking. This also includes assessing opportunities to leverage FedCM. 
  • Communicating with our community of libraries and partners about available alternate authentication methods and how to set them up to help avoid disruption if/when on-site IP access fails for a given user. 

EBSCO’s product and support teams are here to help – reach out with questions anytime via EBSCO Connect or your EBSCO support contacts. We are committed to continuing to communicate with our customers as we learn more about upcoming browser changes. 

How can my library or organization prepare? 

  1. Communication is essential – within your library and with vendors whose technologies your library uses. 

Libraries and vendors are in the same boat in many ways. It is essential to communicate with your team – your immediate colleagues, IT, Identity Management, and Information Security – as well as with your vendors and partners about these changes. We are asking questions like: 

  • Does my website or portal use any of the mechanisms that browser changes will impact? 
  • How can we reduce reliance on on-site IP addresses to future-proof access to important content and research services? 

It is essential to identify your library’s alternative(s) to on-site IP authentication. If your library does not have a remote authentication method set up for EBSCO access, or you’re not sure what remote authentication methods are at your disposal, EBSCO has a few informational resources: 

Questions about whether individual products and services will be impacted should be directed to the vendor(s) who own and manage them. EBSCO experts are here to assist with questions at any time via EBSCO Connect or your support contact.  

  1. Single Sign-On, such as Federated Access, has been identified as one way libraries can future proof their access against evolving – and sometimes unpredictable – technologies outside our community’s control. 

Federated Access, or Federated Authentication, is a type of SAML SSO built on a shared network of library and vendor metadata. Federated access is characterized by several key qualities: 

  • Users have a single account – signing in with it once allows them to seamlessly jump into other resources that have SSO enabled.  
  • Not tied to a physical location – it can be used from any location and on any device. 
  • Exceptionally secure – SAML is an industry standard in modern, secure authentication that IT and Security teams recommend using. 
  • Enables enhanced research functionality – SAML SSO logins can automatically trigger additional functionality, such as tying to a unique user account for persistently saving articles. 
  • Privacy control – library controls data sharing according to organizational privacy policies and preferences. 
  • Authorization management – SAML SSO allows the organization to manage access to specific resources for only the group(s) or people who need it. Examples of how this is used are permitting only certain K/12 grade levels to access a resource or enabling access only for a specific faculty member or member of a graduate studies program. 

Single Sign-On is an example of an authentication method that is widely used by many industries and therefore is well known and commercially meaningful to browser vendors. Another example is social logins, such as signing into an application with a Gmail account, federating the login to Google. In addition to adding value in the above areas, it is less likely to be negatively impacted by evolving technologies outside of the library community’s control. 

To learn more about Single Sign-On, including Federated Access, you can visit EBSCO Connect or contact your EBSCO support representative. 

Stay up to date with your community’s work and communication in this area. 

Category:
Technology
Tags:
Academic libraries OpenAthens Privacy & security