>> I think we need to be clear (and careful) in this discussion about what user 
>> data we are discussing. With authentication being done by the library 
>> / university, Lean Library doesn't actually have personally identifiable 
>> information (PII).  

Actually, we know this only because there is an implicit belief that the group 
working with Lean Library doesn't collect this data.  But to be clear, the 
plugin asks for access to all data that goes through the browser (in Firefox), 
and as an extension, it has access to a lot of data provided by the user.  The 
fact that this isn't a user-initiated process (even if the user installs it, 
you cannot turn off data processing without disabling the extension) is a 
concern.  I have no reason to believe that the folks behind this won't/aren't 
doing the right thing -- the founder comes from an academic background and, in 
my estimation, is interested in solving problems for libraries.  But how many 
products of late have shifted from doing the right thing to being purchased by 
someone that makes it harder to know what actually is happening?  In this case, 
the extension does collect user information in a variety of contexts -- they 
may not use it, but it's there because the browser makes it available.  But 
this is true of any extension with the permission profile requested; the idea 
that it's not harvesting PII is only worth the trust you put in the company 
behind it.  

--tr

-----Original Message-----
From: Code for Libraries <[email protected]> On Behalf Of Tim McGeary
Sent: Wednesday, August 22, 2018 10:57 AM
To: [email protected]
Subject: Re: [CODE4LIB] Lean Library Security Concerns

I think we need to be clear (and careful) in this discussion about what user data 
we are discussing. With authentication being done by the library / university, 
Lean Library doesn't actually have personally identifiable information (PII).  
While IP addresses can be traced, is that any more a concern than a user's ISP 
tracking all of a user's traffic already, since Lean Library is only effective 
from off-campus IP addresses?

On EZProxy, we do use a wildcard certificate, and we are in the process of 
moving the IP address of the service to a private IP address.

Similar to a previous comment, this service will be an individual choice of a 
user to make. We can’t push this to our users; it will take their own 
initiative to install.

Another context that I haven’t seen yet: what do others think of the cost?
Have you found it to be reasonable or high?  We are still considering that 
question internally.

One more context is the licensing. The base license language has the 
jurisdiction in The Netherlands, which is something we (Duke) could never 
accept.  We are suggesting other language changes, too, so I don’t know where 
all of this will land. It is possible we won’t come to a mutual agreement on 
contract terms.

Tim
AUL for Digital Strategies and Technology, Duke University Libraries

On Wed, Aug 22, 2018 at 10:44 AM Haitz, Lisa (haitzlm) <[email protected]> 
wrote:

> With regard to Lean Library: We have already had to procure a security 
> exception from our central IT for our Proxy Server, due to a wildcard 
> certificate.
>
> I would rather err on the side of not exposing user data, as you've 
> all mentioned (great discussion, thanks!), but am wondering if many of 
> you are running into issues with your proxy server (we use EZProxy) 
> and certificates.
>
> Lisa Haitz
> UC Libraries
>

--
Tim McGeary
[email protected]
GTalk/Yahoo/Skype/Twitter: timmcgeary
484-294-7660 (Google Voice)
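The first message in this thread makes the point that what an extension *can* see is fixed by its permission profile, regardless of what the vendor says it does with the data. As an added example (not code from the thread, from Lean Library, or from any extension vendor), the script below performs the kind of static check a library IT reviewer could run on an extension's `manifest.json` before approving it: it collects the host patterns the extension requests, flags the ones that cover every site, and lists the API permissions that expose browsing activity. The two manifests embedded in it are constructed for illustration and do not describe any real product; the risk labels and the list of sensitive permissions are this example's own choices.

```javascript
// Added example: static audit of a WebExtension manifest's permission profile.
// The manifests below are constructed for illustration, not any real extension's.

// Host patterns that grant access to every site the user visits.
const BROAD_HOST_PATTERNS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

// API permissions that matter in a privacy review, with what each lets the extension see or do.
const SENSITIVE_API_PERMISSIONS = {
  webRequest: "observe every request made to permitted hosts (URLs, headers)",
  webRequestBlocking: "modify, block or redirect requests before they leave the browser",
  cookies: "read and write cookies, including session cookies, for permitted hosts",
  tabs: "read the URL and title of every open tab",
  history: "read the user's browsing history",
  clipboardRead: "read the contents of the clipboard",
  downloads: "observe and start downloads",
};

// In a Manifest V2 extension (Firefox at the time of this thread) host patterns and API
// permissions share the "permissions" array; a host pattern is "<all_urls>" or contains "://".
function isHostPattern(p) {
  return p === "<all_urls>" || p.includes("://");
}

// Gather every host pattern, whatever part of the manifest it appears in.
function collectHostPatterns(manifest) {
  const patterns = new Set();
  for (const p of manifest.permissions || []) if (isHostPattern(p)) patterns.add(p);
  for (const p of manifest.host_permissions || []) patterns.add(p); // Manifest V3 location
  for (const cs of manifest.content_scripts || []) for (const m of cs.matches || []) patterns.add(m);
  return [...patterns];
}

// Summarise what the manifest allows. This answers "what could it see?", not "what does it send?";
// the latter needs traffic inspection or source review, and turning the processing off is still
// only possible by disabling the extension, exactly as the thread notes.
function auditManifest(manifest) {
  const hostPatterns = collectHostPatterns(manifest);
  const broadHosts = hostPatterns.filter((p) => BROAD_HOST_PATTERNS.has(p));
  const apiPerms = (manifest.permissions || []).filter((p) => !isHostPattern(p));
  const sensitiveApis = apiPerms.filter((p) => p in SENSITIVE_API_PERMISSIONS);
  const findings = [];
  if (broadHosts.length > 0) {
    findings.push(`broad host access via ${broadHosts.join(", ")}: pages on every site are readable and modifiable`);
  }
  for (const p of sensitiveApis) findings.push(`${p}: ${SENSITIVE_API_PERMISSIONS[p]}`);
  // Every-site host access combined with webRequest means all browser traffic is visible.
  const seesAllTraffic =
    broadHosts.length > 0 && sensitiveApis.some((p) => p === "webRequest" || p === "webRequestBlocking");
  const level = seesAllTraffic ? "high" : broadHosts.length > 0 || sensitiveApis.length > 0 ? "medium" : "low";
  return { hostPatterns, broadHosts, sensitiveApis, findings, seesAllTraffic, level };
}

// Constructed manifest resembling a "works on every publisher site" access helper.
const BROAD_MANIFEST = {
  manifest_version: 2,
  name: "hypothetical-access-helper",
  version: "1.0.0",
  permissions: ["<all_urls>", "webRequest", "webRequestBlocking", "tabs", "storage", "cookies"],
  content_scripts: [{ matches: ["<all_urls>"], js: ["content.js"] }],
  background: { scripts: ["background.js"] },
};

// Constructed manifest scoped to a single proxy host (placeholder hostname).
const NARROW_MANIFEST = {
  manifest_version: 2,
  name: "hypothetical-proxy-only-helper",
  version: "1.0.0",
  permissions: ["storage"],
  content_scripts: [{ matches: ["https://ezproxy.example.edu/*"], js: ["content.js"] }],
};

function printAudit(name, manifest) {
  const a = auditManifest(manifest);
  console.log(`${name}: risk ${a.level}, sees all traffic: ${a.seesAllTraffic}`);
  for (const f of a.findings) console.log(`  - ${f}`);
}

printAudit("broad", BROAD_MANIFEST);
printAudit("narrow", NARROW_MANIFEST);
```

Run it with `node audit.js` against a manifest pulled from an unpacked `.xpi` or `.crx` file. A "high" result does not mean data is being harvested; it means the reviewer has to rely on the vendor's conduct and contract rather than on the browser's permission model to keep it from being harvested, which is the distinction the message above draws.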
