Although this panel was held in a very crowded and hot room, there was significant interest in the subject of abuse of e-resources because it is becoming a significant problem. It is evident that publishers and vendors must work together to minimize the problem.
Claire Sinks from the Journal of Immunology led off by noting that it is easy to find user names and passwords on a variety of websites. One of the main indicators of abuse is sequential downloading; her journal has experienced downloading of every article in an issue the day after it was loaded, and most of the 2012 to 2014 issues of her journal have been sequentially downloaded by individuals using valid subscriber accounts. Unfortunately, pirated articles are not distinguishable from legitimate ones.
Here are some of the actions a publisher can take.
Subscribers are usually horrified when they are notified of illegal downloads.
Sarah McClung from the University of California, San Francisco (UCSF) presented these key points in use at her institution.
She noted that the institution cannot control what users do and cannot take responsibility for users’ actions, even though they post lists of what they can and cannot do. UCSF will work with publishers and will even agree to early termination of contracts if they cannot fix the problem. Violations are reported to campus IT. It is important to keep track of communications with IT and publishers.
UCSF had 5 security notifications from publishers so far this year, two of which were Sci-Hub attacks. They have implemented EZproxy to improve security and are considering deactivating VPN access for library resources.
Lui Simpson described a project by Publisher Solutions International, a firm that helps publishers track fraud, that uses IP address validations to stop IP abuse. There are two issues: harvesting of unauthorized copies and posting them on cyber lockers, and commercial entities creating their own databases and marketing them to publishers’ customers to undercut access (this mostly occurs in China). In addition, some university people think info should be free and share their passwords.
It is important to develop best practices that can be used by librarians. Libraries, publishers, and vendors must collaborate on this. Some things that can be done include employing strong passwords and forcing them to be changed every 45-90 days. It is also important to notify issuers of ID (library, etc.) when an intrusion is detected and help them set new IDs.
Margaret Hogarth described her experiences at UC Riverside (UCR) and The Claremont Colleges. When a perpetrator of a breach was identified, a formal report was made to administrators. Some breaches occurred because graduate students were unaware of copyright restrictions, and some were due to the credentials of former students being compromised. Switching to a VPN reduced the number of breaches.
Claremont Colleges has 8 IT departments. They use proxies and VPNs. Some breaches happen that the library never hears about. Hogarth documents all communications and works to educate the perpetrator. Organizations should have a unified and formal response to breaches. Universities should manage their identity carefully.
Here are Hogarth’s Best Practices:
Paul Moss, OCLC WorldCat Technical Manager, discussed OCLC’s use of EZproxy, a tool to detect or mitigate unauthorized use of resources. He noted that it does not prevent misuse by authorized users and said that administrators must require users to change passwords and regularly review logs. Other steps to take include removing geographies not serviced by one’s institution and limiting session lifetimes to prevent somebody from being permanently logged in. Do not run EZproxy as root or an administrator.
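The sequential downloading Sinks described, and the log review Moss recommended, can be combined into a simple check. The sketch below is an added example, not code from the panel or from any vendor; the log layout, the `/content/<volume>/<issue>/<article>.pdf` URL scheme, consecutive article numbering and the thresholds are all assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed log layout: ip - user [time] "GET /content/<vol>/<issue>/<article>.pdf ..." status bytes
LINE_RE = re.compile(
    r'\S+ \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"GET /content/(?P<vol>\d+)/(?P<issue>\d+)/(?P<art>\d+)\.pdf [^"]*" 200 ')

def _line(user, sec, art):
    """Build one constructed log line (sample data, not real traffic)."""
    ts = datetime(2014, 3, 12, 9, 0, tzinfo=timezone.utc) + timedelta(seconds=sec)
    return (f'192.0.2.10 - {user} [{ts:%d/%b/%Y:%H:%M:%S %z}] '
            f'"GET /content/192/6/{art}.pdf HTTP/1.1" 200 48000')

# Constructed sample: jdoe pulls eight consecutive articles 4 s apart,
# asmith reads two unrelated articles ten minutes apart.
SAMPLE_LOG = "\n".join(
    [_line("jdoe", 4 * i, 2501 + i) for i in range(8)]
    + [_line("asmith", 0, 2503), _line("asmith", 600, 2510)])

def find_sequential_runs(log_text, min_run=5, max_gap=timedelta(seconds=30)):
    """Return (user, (vol, issue), first_article, last_article, count) per run."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:  # only successful PDF downloads match
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            key = (m["user"], (int(m["vol"]), int(m["issue"])))
            hits[key].append((ts, int(m["art"])))
    alerts = []
    for (user, issue), rows in hits.items():
        rows.sort()
        run = [rows[0]]
        # The trailing None forces the last run to be evaluated as well.
        for prev, cur in zip(rows, rows[1:] + [None]):
            if cur and cur[1] == prev[1] + 1 and cur[0] - prev[0] <= max_gap:
                run.append(cur)
                continue
            if len(run) >= min_run:
                alerts.append((user, issue, run[0][1], run[-1][1], len(run)))
            run = [cur]
    return alerts

if __name__ == "__main__":
    for alert in find_sequential_runs(SAMPLE_LOG):
        print(alert)
```

Because the downloads come from valid subscriber accounts, a flagged run is a prompt to contact the account's issuer rather than proof of piracy; `min_run` and `max_gap` need tuning against normal reading patterns.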