User Authentication in the Public Area of Academic Libraries in North Carolina

Gillian (Jill) D. Ellern, Robin Hitch, and Mark A. Stoffan

INFORMATION TECHNOLOGY AND LIBRARIES | JUNE 2015 103

ABSTRACT

The clash of principles between protecting privacy and protecting security can create an impasse between libraries, campus IT departments, and academic administration over authentication issues with the public area PCs in the library. This research takes an in-depth look at the state of authentication practices within a specific region (i.e., all the academic libraries in North Carolina) in an attempt to create a profile of those libraries that choose to authenticate or not. The researchers reviewed an extensive amount of data to identify the factors involved with this decision.

INTRODUCTION

Concerns surrounding usability, administration, and privacy with user authentication on public computers are not new issues for librarians. However, in recent years there has been increasing pressure on all types of libraries to require authentication of public computers for a variety of reasons. Since the 9/11 tragedy, there has been increasing legislation such as the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (USA PATRIOT Act) and Communications Assistance for Law Enforcement Act (CALEA). In response, administrators and campus IT staff have become increasingly concerned about allowing open access anywhere on their campuses. Restrictive licensing agreements for specialized software and web resources are also making it necessary or attractive to limit access to particular academic subgroups and populations. Permitting access to secured campus storage from these computers can make it necessary for libraries to think about the necessity of authentication.
And finally, the general state of the economy has increased the user traffic to libraries, sometimes making it necessary to control the use of limited computer resources. Authenticating can often make these changes easier to implement and can give the library more control over its IT environment.

That being said, authentication comes at a price for librarians. Authentication often creates ethical issues with regards to patron privacy, freedom of inquiry, increasing the complexity of using public area machines, and restricting the open access needs of public or guest users. Requiring a patron to log into a computer can make it possible for organizations outside the library’s control to collect, review and use data of a patron’s searching habits or online behaviors. Issues associated with managing patron logins can also create barriers for access as well as being time consuming and frustrating for both the patron and the library staff.1 While open, anonymous access does not completely protect against these issues, it can help to create an environment of free, private and open access similar to the longstanding situation with the book collection in most libraries.

Gillian (Jill) D. Ellern (ellern@email.wcu.edu) is Systems Librarian, Robin Hitch (rhitch@email.wcu.edu) is Tech Support Analyst, and Mark A. Stoffan (mstoffan@email.wcu.edu) is Head, Digital, Access, and Technology Services, Western Carolina University, Cullowhee, North Carolina.

USER AUTHENTICATION IN THE PUBLIC LIBRARY AREA OF ACADEMIC LIBRARIES IN NORTH CAROLINA | 104 ELLERN, HITCH, AND STOFFAN doi: 10.6017/ital.v34i2.5770

The Hunter Library Experience

While working on the implementation of a new campus-wide pay-for-print solution in 2009, librarians from the Hunter Library at Western Carolina University began to feel pressured by the campus IT department to change its practice of allowing anonymous logins to all the computers in the public areas of the library.
Concerns about authenticating users on library public area machines had been building between these two units for several years. The resulting clash of principles between protecting privacy and protecting security came to a head over this project. The Hunter Library employees perceived that there needed to be more time for research and debate before implementing the preceded mandate. Initially, there was great resistance from campus IT staff to take the library’s concerns into account, but eventually a compromise was worked out that allowed the library to retain anonymous logins on its public computers. The confrontation led library staff to investigate the practices of other libraries, particularly within the University of North Carolina (UNC) System of which it is a member. It seemed a logical development to extend the initial research into the authentication practices throughout the state of North Carolina.

The Problem

One of the first questions asked by Western Carolina’s library administration of the systems department was what other libraries in the area were doing. In our case, the library director specifically asked how many of Western Carolina’s sister universities were authenticating and why. Anecdotally, during this process, it seemed that many other University of North Carolina System libraries reported being pressured to authenticate their public computers by organizations outside the library, most often the campus IT department.

When the librarians at the Hunter Library began looking at research to support their position, hard data and practical arguments that could be used to effectively argue their case against this change, helpful literature seemed to be lacking. Some items were found such as Carlson, writing in the Chronicle of Higher Education, who reported on the divide between access and security.
He confirmed that other librarians also have ambivalent feelings about authentication issues but that there was also growing understanding in libraries about the potential vulnerability of networks or misuse of their resources.2 It seemed that the speed at which authenticating computers in the public areas of libraries was happening across the country had not really allowed the literature on the subject to quite catch up. Those studies that existed such as SPEC Kits seem to address the issue from the perspective of larger research libraries or else did not systematically assess other specific groups of libraries.3,4 There were questions in our minds about whether the current research that was found would describe the trends and unique situations of libraries located in rural areas or in other types of academic libraries. There seemed to be no current statewide or geographically defined analysis of authentication practices across various types of academic libraries in a specific state or region, nor were there any available studies creating a profile of libraries more likely to authenticate computers in their public areas. We questioned if the rural nature of our settings, our mission, or our geographic area in the South might reinforce or hurt our position with IT.

Authentication status is not something that is mentioned in the ALA directory nor is this kind of information often given on a library’s web site. We found that individuals usually need to call or visit the library directly if they want to know about a library’s authentication practices. During the initial investigation, the need for this kind of information to support the library’s perspective became clear. This question led to the creation of this survey of authentication practices in a larger geographical area and across various kinds of academic libraries.
The goals of this research were to determine some answers to the following questions:

• What is the current state of authentication practices in the public area of academic libraries in North Carolina?
• What factors caused these libraries to make the decisions that they did in regards to authentication?
• Could you predict whether an academic library would require users to authenticate?

LITERATURE REVIEW

A number of studies have discussed various other aspects of user authentication in libraries, including privacy and academic freedom concerns, guest access policies, differing views of privacy and access between library and campus IT departments, and legislation impacting library operations. All are potential factors impacting decisions on authentication of patron accessible computers located in the public areas of the library.

Privacy and academic freedom about the use of a library’s collection have long been major concerns for librarians even before information technology was introduced. The impact of 9/11 and the PATRIOT Act made the discussion of computers and network security, especially in the library environment, much more entwined. Oblinger discussed online access concerns in the context of academic values, focusing on unique aspects of the academic mission. She discussed the results of an EDUCAUSE/Internet2 Computer and Network Security Task Force invitational workshop that established a common set of principles as a starting point for discussion: civility and community, academic and intellectual freedom, privacy and confidentiality, equity of access to resources, fairness, and ethics.
All of these principles, she argues, are integral to the environment of a university and concluded that security is a complex topic and that written, top-imposed policies alone will not adequately address all concerns.5 While not directly addressing the issues of the library’s public computer access in particular, she established a framework of values on how security issues relate to the university culture of freedom and openness.

Dixon, in an article written for library administrators, discussed privacy practices for libraries within the context of the library profession’s ethical concerns. She highlights such documents as the Code of Ethics of the American Library Association6, the Fair Information Practices adopted by the Organization for Economic Cooperation and Development7, and the NISO Best Practices for Designing Web Services in the Library Context8. She also reviews a variety of ways that patron data may be misused or compromised. She stated that all the ways that patron data can be stored or tracked by local networks, IT departments, or Internet service providers may not be fully understood by librarians. While most librarians ardently maintain the privacy of patron circulation records, she points out that similar usage data on online activities may be collected without the librarians or their patrons being aware. Dixon studied the current literature and maintained that libraries need to be closely involved in decisions about the collection and retention of patron usage data, especially when patron authentication and access is controlled by external agencies such as campus or city IT departments, because of a tendency for security to prevail over privacy and free inquiry.9 This theme was of major importance to us in preparing the present study as it shows that we are not alone in these concerns.
Carter focused on the balance between security and privacy and suggested several possible scenarios for addressing both areas. He emphasized librarian values involving privacy and intellectual freedom, contrasting the librarian’s focus on unrestricted access with the over-arching security concerns of computing professionals. He discussed several computer access policies in use at various institutions and possible approaches. These options include computer authentication (with associated privacy concerns), open access stations visually monitored from staffed desks, or routine purging of user logs at the end of each session. He also suggested librarians lobby state legislatures to have computer usage logs included in laws governing the confidentiality of library records.10

Still and Kassabian provided a good summary of Internet access issues as they affected academic libraries from legal and ethical perspectives. They suggested that librarians focus on public obligations, free speech and censorship, and potential for illegal activities occurring on library workstations. The issues highlighted in the article have increased in the 15 years since the article was written but it remains the best available overview.11 The arguments put forth in this article proved relevant for us in understanding the multitude of viewpoints regarding authentication even before 9/11.

In the post-9/11 era, Essex discussed the USA-PATRIOT Act and its implications for libraries and patron privacy. Some of the 9/11 terrorists were reported to have made use of public library computers in the days before the attack. This has led to heightened concern about patron privacy among librarians.
Accurate assessment of its impact is difficult due to restrictions placed on libraries in even disclosing that they have been subjected to search.12 While not directly addressing authentication, the article highlights privacy issues surrounding library records of all types.

One of the arguments in not requiring authentication in the public area is the use by unaffiliated users of academic libraries. This is especially true in rural areas where an academic library might be some of the best-funded, comprehensive and accessible resources in a geographical area. Even in urban areas, guest access by unaffiliated users is a growing issue for many academic libraries because of limited resources, software licensing problems and public access to campus infrastructure. While most institutions have traditionally offered basic library services to unaffiliated patrons, the online environment has raised new problems.

Weber and Lawrence provided one of the best studies of these issues. Their work surveyed Association of Research Libraries (ARL) member libraries to determine the extent of mandatory logins to computer workstations and document how online access was provided to non-affiliated guest users. They concentrated their study questions on Federal and Canadian Depository libraries that must provide some type of access to online government information, with or without authentication. Less than half of respondents reported having any written policies governing open access on computers or guest access policies. Of the 61 responding libraries to the survey, 32 required that affiliated users authenticate, and of these libraries, 23 had a method for authenticating guest users.13 This article, which was published just as this study was testing and evaluating the survey instrument, proved to be very useful as we worked with our questions in Qualtrics™ and dealt with the IRB requirements.
Courtney explored a half-century of changes in access policies for unaffiliated library users. Viewing the situation from somewhat early in the shift from print to electronic resources, she foresaw the potential for significantly reduced access to library resources for non-affiliated patrons. These barriers would be created by access policy issues with computing infrastructure and licensing limitations by database vendors. This is especially true if a library’s licenses or policies did not specifically address use by unaffiliated users. She concluded that decisions about guest access to online library resources should be made by librarians and not be handed over to vendors or campus computing staff.14 Our study began as a result of this very issue, i.e., an outside entity (campus IT) determining how access to library resources should be controlled, without input by librarians or library staff.

Courtney also surveyed 814 academic libraries to assess their policies for access by unaffiliated users. She focused on all library services including building access, reference assistance, and borrowing privileges in addition to online access. Many libraries were also cancelling print subscriptions in favor of online access and she questioned the impact this might have on use by unaffiliated users. While suggesting little correlation between decisions to cancel paper subscriptions and requiring authentication of computer workstations, she concluded that reduced access by unaffiliated users would be an unintended consequence of this change.15 This article proved valuable to us in framing our study, as it gave us some idea of what we might expect to find and provided some concepts to use when we formulated our survey.
Best-Nichols surveyed public use policies in 11 NC tax-supported academic libraries and asked similar questions to our own. This study was dated and didn’t address computer resources, but some of the same issues were addressed.16 Public use and authentication policies have the potential to impact one another and how the library responds.

Courtney called on librarians to conduct a carefully thought out discussion of user authentication because of the implications for public access and freedom of inquiry. While librarians are traditionally passionate about protecting patron privacy involving print resources, many are unaware of related concerns involving online authentication. She advocated for more education and open debate of the issues because of the potential gravity of leaving decision-making in the hands of database vendors or campus IT departments. Decisions regarding authentication and privacy impact library services and access, and therefore need to include input from librarians.17 As this study included a summary of the reasons for authentication as provided by surveyed libraries, it also gave us another reference point to use when comparing our results and highlighted the intellectual freedom issues that were often missing or glossed over in other studies.

Barsun surveyed the Web sites of the 100 Association of Research Libraries to assess services to unaffiliated users in four areas: building access, circulation policies, interlibrary loan services, and access to online databases. 61 member libraries responded to requests for data. She explored the question of whether the policies governing these services would be found on a library’s web site. She perceived a possible disparity between increasing demand for services generated by members of the public who are discovering a library’s resources via online searching and the library’s ability or willingness to serve outside users.
While she did not address computer authentication issues directly, she did find that a significant percentage of academic library web sites were ambiguous about stating the availability of non-authenticated access to databases from onsite computers.18 This ambiguity could possibly be related to vague usage agreements with database vendors that do not clearly state whether non-affiliated users may obtain onsite access to these resources. In “secret shopper” visits done as part of our own research, we saw a disparity between what was stated on a library’s web site and the reality of access offered.

METHOD

It seemed appropriate to start this project with a regional focus. None of the studies available looked at authentication geographically. Because colleges and universities within a state are all subjected to the same economic, political and environmental factors, looking at the libraries might help provide some continuity for creating a relevant profile of current practices. North Carolina has a substantial number of academic libraries (114) with a wide variety of demographics. Historically, the state supports a strong educational system with one of the first public university systems. Together with the 17 universities within University of North Carolina system, the state has 59 public community colleges, 36 private colleges and universities, and 3 religious institutions. Religious colleges are identified as those whose primary degree is in divinity or theology. (See Chart 1.)

Chart 1. Survey participation by type of academic library.

Work had been started to identify the authentication practices of other UNC System libraries, so the researchers expanded the data to include the other academic libraries within the state.
To create a list of the library’s pertinent information for this investigation, the researchers used the American Library Directory19, the NC State Library’s online directories of libraries20, and visited each library’s web page to create a database. The researchers augmented each library’s data to include information including the type of academic library (public, private, UNC System and religious), current contact information on personnel who might be able to answer questions on authentication policies and practices in that library, current number of books, institutional enrollment figures, and the name and population of the city or town in which the library was located. The library’s responses to the survey were also tracked in the database with SPSS and Excel employed in evaluating the collected data.

A Western Carolina Institution Review Board (IRB) “Request for Review of Human Subject Research” was submitted and approved using the following statement: “We want to know the authentication situation for all the college libraries in North Carolina.” The researchers discovered quickly that the definition of “authentication” would have to be explained to the review board and many of the responding librarians that filled out the survey. The research goal was further simplified with the explanation of authentication as “how do patrons identify themselves to get access to a computer in the public area of a library” because many librarians might not realize that what they do is “authentication”. During the approval phase, there was some question about whether the researchers needed formal approval because much of the information could be collected by just visiting the libraries in person. The researchers saw no risk of potentially disclosing confidential data.
However, it was decided that it was better to go through the approval process, since the survey asked the librarians whether they were being required to authenticate by outside entities. There might also be a need to do some follow-up calls and there was a plan to do site visits to the local libraries in order to test the data for accuracy.

The Qualtrics™ online survey system was used to create the survey and collect the responses. Contact information from the database was uploaded to the survey system with the IRB approved introductory letter to each library contact person along with a link to the survey. The introductory letter described the goals of the project and included an invitation to participate as well as refusal language as required by the IRB request. The same language was used in the follow up emails and phone calls.

The initial (16) surveys were administered to the UNC System libraries in October – December 2010 as a test of the delivery and collection system on Qualtrics™, with the rest of the libraries being sent the survey mid-December 2010. In the spring of 2011, the researchers followed the initial survey with a second letter and then with phone calls and emails. During the follow up calls, some librarians chose to answer the survey questions with the researcher filling it out over the phone. Most filled out the survey themselves. The final surveys were completed in April 2011.

Because the status of authentication is volatile, this survey data and research represents a snapshot in time of their authentication practices between October 2010 and April 2011. The researchers did see changes happening over the course of the surveying process and made changes to any data collected in follow up contact in order to maintain the most current information about that library for the charts, graphs and presentations made from the data.
In Fall 2011, the researchers did a “secret shopper” type expedition to the nearest academic libraries by visiting in person as a guest user. The main purpose of these visits was to check the data, take pictures of the library public areas, get a firsthand experience with the variety of authentication practices, and talk to and thank the librarians that participated.

The Survey

The survey asked 36 different questions using a variety of pull down lists, check boxes and fill in the blank questions. Qualtrics™ allows for the survey to have seven branches, or skip logic, that asked further questions depending upon the answer given. These branches allowed the survey software to skip particular sections or ask for additional information depending on the answers supplied. Some libraries, especially those that didn’t authenticate or didn’t know specific details, might be asked as few as 14 questions while others received all 36.

The setup of computers in the public area of libraries can be quite variable, especially if the library differentiates between student-only and guest/public use only workstations. The survey questions were grouped into seven basic areas: Descriptive, Authentication, Student-only PCs, Guest/Public PCs, Wireless Access, Incident Reports, and Computer Activity Logs. The full survey is included as Appendix A.

Initial Hypothesis

Given the experience at the Hunter Library, we expected the following factors might influence a decision to authenticate. Some of these basic assumptions did influence our selection of questions in the seven areas of the survey.
We expected to find:

• When the workstations were under the control of campus IT, authentication would usually be required
• When the workstations were under the control of the library, authentication would probably not be required
• That factors such as population, enrollment, and book volume would play a role in decisions to authenticate
• That librarians would not be aware of what user information was being logged whether or not authentication was required
• That a library that had experienced incidents involving the computers in the public area would have authentication
• That authentication increased from post-9/11 factors and its legal interpretations to force libraries to authenticate

SURVEY QUESTIONS, RESPONSES, AND GENERAL FINDINGS

The data collected from this survey, especially from those libraries that did authenticate, produced over 200 data points for each library. Below are those that resulted in answers to questions posed at the outset that particularly looked at overall authentication practices. Further articles are planned to look at areas of inquiry with regards to other related practices in the public areas of academic libraries geographically.

There are 114 academic libraries in North Carolina. As a result of the follow up emails and phone calls, this research survey got an exceptional 99.1% response rate (113 out of 114). Once the appropriate librarians were contacted and understood the scope and purpose of this study, they were very cooperative and willing to fill out the survey. Those who were contacted via phone mentioned that the original email was overlooked or lost. Only one library refused to participate in the study. Individual library’s demographics were collected in a database by using directory and online information.
The data was matched with the survey data provided by the respondents to produce more in-depth analysis and create a profile of each library.

How many libraries in North Carolina are authenticating? (Chart 2)

The survey asked: “Is any type of authentication required or mandated for using any of the PCs in the library’s public area?” 66% (or 75) of libraries answered yes that they required authentication to use the PCs. (See Chart 2.)

Chart 2.

Are some types of libraries more likely to authenticate? (Chart 3)

While each type of library had a different overall total as compared to the other types, Chart 3 shows how the percentages of authentication hold for each type. Three out of the four types of libraries authenticate more often. Of the 58 community college libraries, 60% (or 35) of them require users to authenticate. Seventy-eight percent (78%) of the 36 private colleges libraries authenticate and 11 of the 16 (or 69%) UNC System libraries authenticate. Only the religious college libraries more often don’t require users to authenticate (1 of the 3 or 33%), although this is a very small population in the survey. However, percentagewise, community colleges are more likely to not require users to authenticate than private college libraries (40% vs. 22%) and the UNC System libraries, that are public institutions, fall in the middle at 31%.

Chart 3.

How many academic libraries were required to authenticate PCs in their public areas? (Chart 4)

Of the 75 libraries that required patrons to authenticate, when asked if “they were required to use this authentication”, 59 (52%) replied “yes”. Putting these data points together shows that 16 (or 14%) of the libraries authenticate even though they were not required to do so. Some clues about why this was were asked in the next question and during the follow up phone calls.

Chart 4.
Why was Authentication Used?

Libraries were asked, “Do you know the reasons why authentication is being used?” If they answered “prevent misuse of resources” or “control the public’s use of these PCs” then an additional question was asked, “What led the library to control the use of PCs?” This option had two check boxes (“inability of students to use the resources due to overuse by the public” and “computer abuse”) and a third box to allow free text entry. A library could check more than one box. Of those 75 libraries that authenticated, 60% (or 45) checked “prevent misuse of resources” and 48% (or 36) cited “controlling the public’s use of these PCs” as the reasons for authenticating. In normalizing the data from the two questions and the free text field, Table 1 combines all answers to illustrate the number and percentages of each.

Table 1.

In the course of the follow up calls with those libraries that answered the survey over the phone, further insight was provided. One librarian said that their IT department told them “authentication was the law and they had to do it”. Another answered that they were “on the bus line and so the public used their resources more than they expected and so they had to”.
To get a better understanding of the scope and variety of these answers, here are some examples of the reasons cited in the free text space: “all IT's idea to do this”, “Best practices”, “Caution”, “Concerned they would be used for the wrong reasons”, “Control”, “We found them misusing computer resources (porn, including child porn)”, “Control over college students searching of inappropriate websites, such as porn/explicit sites”, “Disruption”, “Ease of distributing applications”, “Fear of abuse on the part of legal”, “Legal issues regarding internet access”, “Making students accountable”, “Monitor use”, “Policy”, “Security of campus network”, “Security of machines after issues were raised at a conference”, and “Time”.

Who required that the libraries authenticate? (Chart 5)

The survey asked, “What organization or group required or mandated the library to use authentication?” Respondents were allowed to choose more than one of the 5 boxes. These choices included “the library itself,” “IT or some unit within IT,” “college or university administration,” “other” (with a text box to explain), and “not sure”. The results of this question are shown in Chart 5. The survey revealed that the decision was solely the library’s choice 25% of the time (or 28 libraries), 22% of the time the library was mandated or required to authenticate by IT or some unit within IT (or 25 libraries), and 4% of the time a library’s college or university administration required or mandated authentication (or 4 libraries). Collaborative decisions in 14 libraries involved more than one organization. Of the 39 libraries that were involved with the authentication decision (28 that made the decision by themselves and 11 that were part of a collaborative decision), 55% (or 16) authenticated even though they were not required to do it.

Chart 5.

What type of authentication is used?

Authentication in libraries can take many forms.
The most common method for those libraries that authenticate was by using centralized or networked systems. Almost sixty percent of the libraries used some form of this identified access (Tables 2 and 3) with one library using some other independent system. Twenty-five percent (or 19) of libraries that authenticate still use some form of paper sign-in sheets and 21% (or 16) use pre-set or temporary logins or guest cards. Fifteen percent (or 11) use PC based sign-in or scheduling software and 8% (or 6) use the library system in some form for authentication. A few libraries indicated that they bypass their authentication systems for guests by either having staff log guests in or disabling the system on selected PCs. We saw this during the “secret shopper” visits as well.

Table 2.

Do the forms of authentication used in libraries allow for user privacy?

When asked how they handle user privacy in authentication, of the 75 libraries that authenticate, 67% (or 50) use a form of authentication that can identify the user. In other words, most users do not have privacy when using public computers in an academic library because they are required to use some form of centralized or networked authentication. The options in Table 3 were presented to the respondents as possible forms of privacy methods. Thirty-five percent (or 26) libraries indicated that they provide some form of privacy for their patrons. Anonymous access accounted for 28% (or 21) of the libraries.

Table 3.

Are librarians aware of the computer logging activity going on in the public area?
(Table 4) All the 113 respondents were asked two questions about the computer logging activities of their libraries: “Do you know what computer activity logs are kept” and “Do you know how long computer activity logs are kept”. The second question was only asked if “unsure” was not checked. Besides “unsure”, responses on the survey included “Authentication logs (who logged in)”, “Browsing history (kept on PC after reboot)”, “Browsing history (kept in centralized log files)”, “Scheduling logs (manual or software)”, “Software use logs” and “Other”. The respondents could select more than one answer. However, over half (52%) of the respondents were unsure if the library kept any computer logs at all. Authentication logs of who logged in were the most common, but those were kept in only 25% of the total libraries surveyed. A high percentage of libraries kept some kind of logs but most respondents were unsure how long those records were kept. Of the various types of logs, respondents that use scheduling software were the most familiar with the length of time software logs were kept. In one case, a respondent mentioned that the manual sign-in sheets were never thrown out and that they had retained them for years.

Table 4. Log retention.

Are past incidents factors in authenticating?

Only three libraries reported breaches of privacy and all those libraries reported using authentication. Of the 75 libraries that do authenticate (Chart 6, 3 bars on the right), 36 reported that they did have improper use of the PCs while 29 of the libraries reported that they did not and 10 did not know. Of the 38 libraries that do not authenticate (Chart 6, 3 bars on the left), 23 reported that they had no improper use of the PCs while 13 stated that they did and 2 did not know. The overall known reports of improper use in the survey are higher when the library does authenticate and lower when the library doesn’t authenticate.
What Kind and For How Long Computer Logs are Kept (All 113 Libraries)

| Computer Activity Logs | Number | Of total libraries | Don't know how long data is kept (unsure) |
| Unsure | 59 | 52% | 100% |
| Authentication logs (who logged in) | 28 | 25% | 60% |
| None | 21 | 19% | -- |
| Browsing history (kept in centralized log files) | 14 | 12% | 86% |
| Scheduling logs (manual or software) | 10 | 9% | 70% |
| Browsing history (kept on PC after reboot) | 7 | 6% | 57% |
| Software use logs | 6 | 5% | 33% |
| Library system | 4 | 4% | 75% |
| Other | 2 | 2% | -- |

Chart 6.

When did libraries begin authenticating in their public areas?

Of the 75 libraries that authenticate, only one implemented this more than ten years prior to the survey. 51 (or 67%) of the responding libraries began authenticating between 3 and 10 years ago. 10 libraries implemented authentication in the year before the survey. This is consistent with the growth of security concerns in the post 9/11 decade. (Chart 7)

Chart 7.

DISCUSSION

Since the introduction of computer technology to libraries, library staff and patrons have used different levels of authentication depending upon the application. While remote access to commercial services such as OCLC cataloging subsystems or vendor databases has always used some form of authorization, usually username and password, it has never been necessary or desirable for public access to the library’s catalog system to have any kind of authorization requirements. Most of the collections within an academic library have traditionally been housed in open access stacks where anyone can freely access material on the shelves. Printed indexes and other tools that provide in-depth access to these collections have traditionally been open as well.
Today, most libraries still make their library catalog and even some bibliographic discovery tools open access and available over the web. This practice naturally extended to computer technology and other electronic reference tools until libraries began connecting them to the campus and public networks. The principle of free and open access to the materials and resources of the library, within the library walls, has been a fundamental characteristic of most public and academic libraries.

There is an ethical commitment of librarians to a user’s privacy and confidentiality that has deep roots based in the First and Fourth Amendments of the US Constitution, state laws, and the Code of Ethics of the ALA. Article II of the ALA Code states “We protect each library user's right to privacy and confidentiality with respect to information sought or received and resources consulted, borrowed, acquired or transmitted.” Traditionally, library staff do not identify patrons that walk through the door; they don’t ask for identification when answering questions at the reference desk nor do they identify patrons reading a book or magazine in the public areas of a library. Schneider has emphasized that librarians have always valued user privacy and have been instrumental in the passing of many states’ library privacy laws.23 Usually, it is only when materials are checked out to a patron that a user’s affiliation or authorization even gets questioned directly. Frequently patrons can make use of materials within the library building with no record of what was accessed.

We are seeing these traditional principles of open access to materials as they transition to electronic formats. It is becoming more common for patrons to have to authenticate before they can use what was once openly available. The data collected from this survey confirms this trend with 66% of the libraries using some form of authentication in their public area.
The widespread use of personally identifiable information is making it more difficult for librarians to protect the privacy and confidentiality of library users. Although the writing was on the wall that some choices would have to be made with regard to privacy before 9/11, no easy answer to the problem had yet been identified. Librarians themselves are often uncertain about what information is collected and stored as evidenced by our data (Chart 6). As more information becomes available only electronically, because computers in the public areas are now used for much more than just accessing library catalog functions, it is becoming difficult to uphold the code of ethics and protect the privacy of users.

Using authentication can also make it more difficult to use technology in the library. In order to authenticate, users may be required to start or restart a computer and/or log into or out of the computer. This can take time to do as well as require the user to remember to log off the computer when finished. Users often have difficulty keeping track of their user information and may require increased assistance (Table 5).

Table 5.

Library staff or scheduling software can be required to help library guests obtain access to computer equipment.

North Carolina, like other states, does have laws governing the confidentiality of library records. Librarians have long dealt with this situation by keeping as little data as possible. For example, many library circulation systems do not store data beyond the current checkout. Access logs that detail what resources a particular user has accessed would seem to fall under this legislation, although the wording in the law is vague.
Information technology departments, legal counsel, and administrators, on the other hand, are often less concerned about privacy and intellectual freedom issues. More often their focus is on security, limiting access to those users affiliated with the institution, and monitoring use. Being ready and able to provide data in response to subpoenas and court orders is often a priority. At Western Carolina University, illicit use of an unauthenticated computer in the student center led to an investigation by campus and county law enforcement. This case is still used as justification for needing to authenticate and monitor campus computer use even though the incident occurred many years ago.

Being able to track an individual’s online activity is believed to increase security by ensuring adherence to institutional policies. Authentication with individually assigned login credentials permits online activity to be traced to that specific account whose owner can then be held accountable for the activity performed. Librarians’ responses to the survey indicate that these issues play a role in a library’s decisions to authenticate as seen in the free text responses in Table 6.

Tracking use through IP address, individual login, and transaction logs allows scrutinizing of users in case of illegal or illicit use of computer resources. In many cases, this action is justified as being required by auditors or law enforcement agencies, though information regarding this is scarce. The authors of this article are not aware of any laws or auditing requirements in North Carolina that require detailed tracking of library computer use.

Some libraries indicated that IT departments were concerned about security of networks and/or computers. Security can be undermined when generic accounts are used or when no authentication is required. By using individual logins, users can be restricted to specific network resources and can be monitored.
When multiple computers use the same account for logging in or when the login credentials are posted on each computer, it can compromise security because use cannot be tracked to a specific user. In some libraries, these security issues have trumped librarians’ concerns about intellectual freedom and privacy.

Creating a profile as a result of these findings

Given the number of characteristics collected about each library, it was assumed there were some factors gathered that might influence a decision to authenticate and allow for the possibility to create a profile for prediction. The data was collected from libraries within a fixed geographic region. The externally collected and survey data was coded, put into SPSS™ and a number of statistical tests were performed to find what factors might be statistically significant.

To further the geographical analysis of the data, the data was also put into ARCView™ to produce a map of North Carolina with the libraries given different colored pins for those academic libraries that authenticated vs. non-authenticated to see if there was any pattern to the choice. (Map 1) To more completely explore the possible role that geographic information might play in the decision to authenticate, the population of the city or town the institution was located in, enrollment, book volume, number of PCs and total number of library IT staff (scaled variables) as well as ordinal variables such as “who controlled the setup of the PCs”, “do you differentiate between student and public PCs”, and “known incidents of privacy and misuse”, were also integrated into the analysis. The data collected could not predict whether an academic library would authenticate or not using logistic regression techniques, although those that differentiate between student and public PCs did have a higher probability.
Based on all our collected data and mapping, it is impossible to predict with any significance whether or not an academic library would authenticate. So the short answer statistically is no. Using all of the data collected, a statistically significant profile could not be created; however, there are general tendencies that the data was able to suggest.

Map 1.

For those libraries that do authenticate, the average book volume is almost 400,000, the enrollment around 5,600, the city population where the institution is located is 94,000, the total number of PCs in the public area is 54, and the average number of library IT staff is 1.8. For those libraries that do not authenticate, the average book volume is about 163,000, enrollment around 3,000, the population is 53,000, the average number of PCs in the public area is about 39 and the average number of library IT staff is 0.8.

Libraries that authenticate tend to have statistically significant differences in book volume and the number of PCs in the public area, which has a t-test value of P<1. Student enrollment was the most statistically significant factor in those that authenticated, with a t-test value of P<0.5. Libraries that authenticate had many more students, more books and a larger number of PCs in their public areas than libraries that didn’t authenticate. Those libraries that didn’t authenticate tended to be in smaller towns, more often had the PCs in their public areas set up by non-library IT staff, and had fewer library IT staff. Sixty percent (60%) of the libraries that don’t authenticate had zero library IT staff.
While it was assumed at the outset of this research that the responsible campus department for the setup of the workstations (the library or IT) in the public area would be a factor in whether authentication was used in the library, the data does not support this assumption statistically.

Ethical questions about authentication as a result of these findings

There are a variety of reasons why a library might choose to authenticate despite the ethical issues associated with it. The protection and management of IT resources or the mission of the institution are two likely scenarios. A library, especially one with lots of use by unaffiliated users or guests, might choose to authenticate regardless of concerns in order to make sure its own users have preference to the PCs in the public area of their library. A private institution may choose to authenticate in order to limit access by any members of the general public. Of those 75 libraries that authenticate, 81% cited concerns about controlling use, overuse and misuse.

This study also found that in 25% of the total academic libraries, the library itself decided to authenticate without influence from external groups. This was a higher percentage than was expected. Given librarians’ professional concerns about intellectual freedom and privacy, we were very surprised that so many libraries choose to authenticate on their own.

We suspected that many librarians might not have a full understanding of the privacy issues created when requiring individual logins. Based on this assumption, we expected that many of the librarians would not be fully aware of what user tracking data was being kept. Examples include network authentication, tracking cookies, web browser history, and user sign-in sheets. The study found that librarians are often unsure of what data is being logged with 51 (or 45%) of 113 libraries reporting this.
Only 19% reported knowing with certainty that no tracking data was kept. Of those that did know that tracking data was being kept, most had no idea how long this data was retained.

CONCLUSION

This study found that 66% (or 75) of the 113 surveyed North Carolina academic libraries required some form of user authentication on their public computers. The researchers reviewed an extensive amount of data to identify the factors involved with this decision. These factors included individual demographics, such as city population, book volume, type of academic library, and enrollment. It was anticipated that by looking at a large pool of academic libraries within a specific region, a profile might emerge that would predict which libraries would choose to authenticate. Even with comprehensive data about the 75 libraries that authenticated, a profile of a “typical” authenticated library could not be developed. The data did show two factors of any statistical significance (enrollment and book volume) in determining a library’s decision to authenticate. However, the decision to authenticate could not be predicted. Each library’s decision to authenticate seems to be based on the unique situation of that library.

We expected to find that most libraries would authenticate due to pressure from external sources, such as campus IT departments, administrators, or in response to incidents involving the computers in the public area. This study found that only 39% (or 44) of the libraries surveyed authenticated due to these factors, so our assumption was incorrect. Surprisingly, we found that 25% (or 28) of the libraries did choose to authenticate on their own. The need to control the use of their limited resources seemed to have precedence over any other factors including user privacy.
We did expect to see a rise in the number of libraries that authenticated in the aftermath of 9/11. This we found to be true. Looking at the prior research that defines an actual percentage of authentications in academic libraries, no matter how limited in scope (for example, just the ARL libraries, responding libraries, etc.), there does seem to be a strong trend for academic libraries to authenticate. Our results, with 75% of academic libraries having authentication, support the conclusion that there is a continued trend of authentication that has steadily expanded over the past decade. This has happened in spite of librarians’ traditional philosophy on access and academic freedom. Libraries are seemingly relinquishing their ethical stance or have other priorities that make authentication an attractive solution to controlling use of limited or licensed resources.

Our survey results show that many librarians may not fully understand the privacy risks inherent in authentication. Slightly over half (52%) of the libraries reported that they did not know if any computer or network log files were being kept nor for how long they are kept.

The issues surrounding academic freedom, access to information, and privacy in the face of security concerns continue to affect library users. Academic libraries in smaller communities are often the only nearby source of scholarly materials. Traditionally these resources have been made available to community members, high school students, and others who require materials beyond the scope of the resources of the public or school library. As pointed out, restrictive authentication policies may hamper the ability of these groups to access the information they need. However, the data showed very little consistency to support this idea with respect to authentication in small towns and communities throughout the state.
Some of the surveyed academic libraries made a strong statement that they are not authenticating in their public area computers and have every intention of continuing this practice. These libraries are now in a distinct minority and we expect their position will continually be challenged. For example, at Western Carolina University, we continue to employ open computers in the public areas of the library but are regularly pressed by our campus IT department to implement authentication. We have so far been successful in resisting this pressure because of the commitment of our dean and librarians to preserving the privacy of our patrons.

FURTHER STUDIES

As a follow-up to this study, we plan to contact the 35 libraries that did not authenticate to determine if they now require authentication or have plans to do so. Based on responses to this survey, we expect that many librarians are unaware of the degree to which authentication can undermine patron privacy. We suggest an in-depth study be conducted to determine the degree of understanding among librarians about potential privacy issues with authentication in the context of their longstanding professional position on academic freedom and patron confidentiality.

APPENDIX A. Survey questions

1. Select the library you represent:
2. Which library or library building are you reporting on?
• Main Library or the only library on campus
• Medical library
• Special library
• Other
3. How many total PCs do you have in your library public area for the building you are reporting on?
4. How many Library IT or Library Systems staff does the library have?
5. Does the Library’s IT/Systems staff control the setup of these PCs in the library public area?
• Yes
• Shared with IT (Campus Computing Center)
• IT (Campus Computing Center)
• No (please specify who does control the setup of these PCs)

Authentication

6. Is any type of authentication required or mandated to use any of the PCs in the library’s public area?
7. Were you required to use this authentication on any of the PCs in the library’s public area?
8. What organization or group required or mandated the library to use authentication on PC’s in the library public area?
• The library itself
• IT or some unit within IT
• Other (please explain)
• Not sure
• College/University administration
9. Do you know the reason’s authentication is being used?
• Mandated by parent institution or group
• Prevent misuse of resources
• Other (please specify)
• Control the public’s use of these PCs
10. What lead the library to control the use of PCs?
• Inability of students to use the resource due to overuse by the public
• Computer abuse
• Other (please specify)
11. How are the users informed about the authentication policy?
• Screen saver
• Web page
• Login or sign on screen
• Training session or other presentation
• Other (please specify)
12. What form of authentication do you use?
• Manual paper sign-in sheets
• Individual PC based sign-in or scheduling software
• Centralized or networked authentication such as Active Directory, Novell, or ERS (Enterprise Resource Planning) system with a college/university wide identifier
• Pre-set or temporary authorization logins or guest cards handed out (please specify the length of time this is good for)
• Other (please specify)
13. How does the library handle user privacy of authentication?
• Anonymous access (each session is anonymous with repeat users not identified)
• Identified access
• Pseudonymous access with demographic identification (characteristics of users determined but not actual identified)
• Pseudonymous access (repeat users identified but not the identity of a particular user)
14. When did you implement authentication of the PCs in the library public area?
• This year
• Last year
• 3-5 years ago
• 5-10 years ago
• Don’t know

Student only PCs

15. Do you differentiate between Student Only PCs and Guest/Public Use PCs in the library public area?
17. How many PCs are designated for Student Only PCs in the library’s public area?
18. Do you require authentication to access Student Only PCs in the library’s public area?
19. What does authentication provide on a Student Only PC once an affiliated person logs in?
• Access to specialized software
• Access to storage space
• Printing
• Internet access
• Other (please specify)
20. Once done with an authenticated session on a Student Only PC, how is authentication on a PC removed?
• User is required to log out
• User is timed out
• Other (please specify)
21. What authentication issue have you seen in your library with Student Only PCs?
• ID management issues from the user (e.g., like forgetting passwords)
• ID management issues from the network (e.g., updating changes in timely fashion)
• Timing out issues
• Authentication system become not available
• Other (please specify)

Guest/Public PCs

22. How many PCs are designated for guest or public use in the library’s public area?
23. Describe the location of these Guest/Public Use PCs.
• Line-of-sight to library service desk
• All In one general area
• Scattered throughout the library
• Other (please specify)
• In several groups around the library
24. Do you require authentication to access guest/public use PCs in the library’s public area?
25. What does authentication allow for guest or the public that log in?
• Limited software
• Control, limit or block web sites that can be accessed
• Limited or different charge for printing
• Timed or scheduled access
• Internet access
• Other (please specify)
• Control, limit or block access to library resources (such as databases or other subscription based services)
26. Are there different type of PCs in your library area? Check those that apply.
• All PCs are the same
• Some have different type of software (like Browser Only)
• Some have time or scheduling limitation
• Some have printing limitations
• Some have specialized equipment attached (like scanners, microfiche readers, etc.)
• Some control, limit or block web sites that can be accessed
• Some control, limit or block access to library resources (such as database or other subscription based services)
• Other (please specify)

Wireless access

27. Do you have wireless access in your library public area?
28. Do you require authentication to your wireless access in the library public area?
29. Does the library have its own wireless policies different from the campus’s policy?
30. What methods are used to give guests or the public access to your wireless access? Check those that apply.
• No access to guest or general public
• Paperwork and/or signature required before access given
• Limited access by time
• Open access
• Limited access by resource (such as Internet access only)
• Other

Incident Reports

31.
Has your library had any known incidents of breach of privacy that you know about?
32. Has your library had any incidents of improper use of public PCs (such as cyber stalking, child pornography, terrorism, etc.?)
33. Have these incidents required investigation or digital forensics work to be done?
34. Who handled the work of investigation?
• Library IT or Library Systems staff
• IT or Campus Computing Center
• Campus Police
• Other Law Enforcement
• Unsure
• Other (please specify)

Computer Activity Logs

35. Do you know what computer activity logs are kept? (if unsure, end, if not ask)
• Authentication logs (who logged in)
• Browsing history (kept on PC after reboot)
• Browsing history (kept in centralized log files)
• Scheduling logs (manual or software)
• Software use logs
• None
• Unsure
• Other (please specify)
36. Do you know how long computer activity logs are kept?
• 24 hours or less
• Week
• Month
• Year
• Unknown

REFERENCES

1. Pam Dixon, "Ethical Risks and Best Practices," Journal of Library Administration 47, no. 3/4 (May 2008): 157.
2. Scott Carlson, “To Use That Library Computer, Please Identify Yourself,” Chronicle of Higher Education, June 25, 2004, A39.
3. Lori Driscoll, Library Public Access Workstation Authentication, SPEC Kit 277 (Washington, D.C.: Association of Research Libraries, 2003).
4. Martin Cook and Mark Shelton, Managing Public Computing, SPEC Kit 302 (Washington, D.C.: Association of Research Libraries, 2007).
5. Diana Oblinger, “IT Security and Academic Values,” in Computer and Network Security in Higher Education, ed. Mark Luker and Rodney Petersen (Jossey-Bass, 2003): 1-13.
6. Code of Ethics of the American Library Association, http://www.ala.org/advocacy/proethics/codeofethics/codeethics
7. Fair Information Practices adopted by the Organization for Economic Cooperation and Development, http://www.oecd.org/sti/security-privacy
8.
“NISO Best Practices for Designing Web Services in the Library Context,” NISO RP-2006-01 (Bethesda, MD: National Information Standards Organization, 2006).
9. Dixon, “Ethical Issues Implicit in Library Authentication and Access Management.”
10. Howard Carter, "Misuse of Library Public Access Computers: Balancing Privacy, Accountability, and Security," Journal of Library Administration 36, no. 4 (April 2002): 29-48.
11. Julie Still and Vibiana Kassabian, "The Mole's Dilemma: Ethical Aspects of Public Internet Access in Academic Libraries," Internet Reference Services Quarterly 4, no. 3 (January 1, 1999): 7-22.
12. Don Essex, "Opposing the USA Patriot Act: The Best Alternative for American Librarians," Public Libraries 43, no. 6 (November 2004): 331-340.
13. Lynne Weber and Peg Lawrence, "Authentication and Access: Accommodating Public Users in an Academic World," Information Technology & Libraries 29, no. 3 (September 2010): 128-140.
14. Nancy Courtney, "Barbarians at the Gates: A Half-Century of Unaffiliated Users in Academic Libraries," Journal of Academic Librarianship 27, no. 6 (November 2001): 473.
15. Nancy Courtney, "Unaffiliated Users’ Access to Academic Libraries: A Survey," The Journal of Academic Librarianship 29, no. 1 (2003): 3-7.
16. Barbara Best-Nichols, “Community Use of Tax-Supported Academic Libraries in North Carolina: Is Unlimited Access a Right?” North Carolina Libraries 51 (Fall 1993): 120-125.
17. Nancy Courtney, "Authentication and Library Public Access Computers: A Call for Discussion," College & Research Libraries News 65, no. 5 (May 2004): 269-277.
18. Rita Barsun, "Library Web Pages and Policies Toward “Outsiders”: Is the Information There?" Public Services Quarterly 1, no. 4 (October 2003): 11-27.
19.
American Library Directory: A Classified List of Libraries in the United States and Canada, with Personnel and Statistical Data, 62nd ed. (New York: Information Today, 2009).
20. http://statelibrary.ncdcr.gov/ld/aboutlibraries/NCLibraryDirectory2011.pdf.
21. Karen Schneider, “So They Won’t Hate the Wait: Time Control for Workstations,” American Libraries 29, no. 11 (1998): 64.
22. Code of Ethics of the American Library Association.
23. Karen Schneider, “Privacy: The Next Challenge,” American Libraries 30, no. 7 (1999): 98.