Editor’s Note: Today’s post is a collaborative effort between Lettie Conrad and Tim Lloyd. Tim is founder and CEO of LibLynx, a company providing Identity, Access, and Analytics solutions for publishers and libraries. He is a member of the SeamlessAccess governance committee, Co-Chair of the Outreach committee, and previously spent over a decade in a variety of product development and operational roles in publishing.

In the wake of the global coronavirus pandemic, the scholarly communications industry is painfully aware that we exist in a heavily networked economy where learners and researchers enter into their workflows with expectations built by experiences with consumer content and services. Scholarly publishers are under more pressure than ever to deliver — but, up against services like ResearchGate that are designed around user identity, we’re competing with one hand tied behind our backs. Given the increased pressure to deliver effective, reliable distance learning and off-campus access to library resources, the time is ripe for scholarly publishers to consider a comprehensive identity strategy.

Much like exercising caution and responsibility in driving a car, which comes with well-known dangers and complexities, there are proven methods for effectively and ethically managing the digital identities of our readers in order to leverage the necessary data and systems to establish trust and engage with users. Whether they are academic faculty, freelance researchers, policymakers, bench scientists, or students, there is a cost to users of not developing a holistic understanding of how and when they engage with our platforms – the friction involved in repeatedly re-training a tool to learn and anticipate your needs. Where loyalty is built by informed consent and convenient, speedy access to resources, a personalized experience is increasingly critical for scholarly publishers to deliver that efficiency. We have an opportunity to take the wheel and steer product development toward a comprehensive and responsible identity strategy.

safety cones at driving test

What is an identity strategy?

Let’s start by defining terms. An identity strategy is pretty much what it says on the tin: a publisher business strategy that leverages user identity to build a mutually valuable relationship with your community, based on an understanding of user needs and motivations, and respect for their decisions about how they do or do not want their personal information used. Not all identities strategies look alike. There is no set formula, as publishers serve a multitude of content needs across diverse markets, from academic and special libraries, or companies of all sizes with various information tasks at hand.

An identity management strategy is not just deciding to support an individual login or single sign-on (SSO). It’s not vacuuming up personal credentials. It’s not greeting users on your website with ‘Welcome, Tim’. And it’s not just about conforming to GDPR or conducting an information security audit.

Here are some real-life (paraphrased) scenarios that illustrate the difficulties that occur when publishers lack an identity strategy (with our commentary):

  • When users login via Shibboleth, we want a feed with names and email addresses. (hint: attribute release is complex and you can’t just ‘pull’ what you want)
  • We are sitting on a treasure trove of identity information supplied by users, but we have no way to apply that information to personalize online features. (hint: their static platform is built around anonymous IP authentication)
  • Users can register an individual account on our platform, but very few take advantage of these personalization options. (hint: is the user benefit clearly communicated?)
  • Our usage shows we should have a lot more registered users than we see in our data. (hint: users are separately logging into multiple systems with no disambiguation)
  • We have stored all the credentials historically collected in an un-encrypted database. (yikes!)

An identity strategy is far more holistic, as it touches your relationship with users and sets a tone for the type of online experience you offer them, as well as the systems and workflows that underpin that experience and the capabilities of the staff you hire. This starts with a solid, operational knowledge of your existing users, as well as those you hope to attract, and building up a picture of their information experiences and their ideal journey across your products and services. The challenge is in thinking through why user identities matter and how a strategic approach to managing these identities impacts your organization.

Why haven’t publishers embraced identity

To be fair, there are very good reasons why academic and professional publishers have largely not invested in user identity management. Academic and public libraries in the U.S. have a long history of protecting patron privacy, and the publishing supply chain has successfully delivered access solutions that comply. The American Library Association’s Library Bill of Rights, first published in 1939, asserts that “Libraries should advocate for, educate about, and protect people’s privacy, safeguarding all library use data, including personally identifiable information.” The International Federation of Library Associations echoes this sentiment and frames privacy as a basic human right.

The first fully electronic journal was published in 1990, at a time when IP-based authentication was the only scalable option for anonymously authenticating users who were most often working from fixed workstations on campus. The development of web proxy servers, starting with EZProxy in 1999, extended IP authorization to off-campus users by routing their access through a registered campus IP address. As they say, the rest is history — and IP authentication has been the dominant method of controlling access to scholarly resources ever since.

Aside from a few of the world’s largest publishers and suppliers, this traditional reliance on anonymity has led to a widespread lack of investment in our industry in the skills and capabilities we need to deliver more personalized and engaging services. Many publishing platforms still deliver static experiences, where each session starts afresh with users caught in their own version of a Groundhog Day-style time loop (“hello, what can I do for you?”). While many publishers have offered users the opportunity to register a personal account, the vast majority of sessions are still anonymously IP-authenticated, suggesting that users haven’t found a compelling reason to take them up. Even when useful profile information is recorded, the organization may lack the systems and expertise to make effective use of it, leaving the data to wither on the electronic vine.

Although federated authentication has offered research and educational institutions a privacy-preserving method to authenticate individuals for almost 2 decades, uptake has been tempered by the cost and complexity of implementation (and, in many cases, poor collaboration between libraries and the IT departments who actually implement and maintain it).

Why now is a good time to reconsider

The Covid-19 pandemic is driving more users to online resources, as access to physical facilities are limited or unavailable. This is permanently changing some research practices and instructional protocols, particularly for those who had previously relied on print and in-person library services. Libraries are experiencing record numbers of remote users, further exposing the limits of offsite IP authentication (e.g., requiring proxied links) and putting greater weight behind alternatives, such as federated authentication that can support privacy-preserving forms of personalization.

Best practices for publishers around the use of personal data are becoming increasingly clear, lowering the cost of implementation. Initiatives such as the GÉANT Data Protection Code of Conduct (2013), NISO Privacy Principles (2015), and GDPR (2018) clearly lay out guiding principles, such as explicit consent, purpose limitation, data minimization, deviating purposes, and data retention. More recently, working groups under the SeamlessAccess initiative are developing new standards for configuring the release of user data under federated authentication that will greatly simplify the process. How to strategically leverage user identity data has been a topic of discussion across our industry of late.

Most institutions aren’t against scholarly publishers using knowledge of their users to deliver more effective services — in fact, libraries are well aware of the tensions between privacy and personalization, and recognize that some users will consent to data exchanges where providers can customize their research and learning experiences. Libraries are most often set against scholarly publishers not driving responsibly with their user’s personal data (Note: this post does not intend to adjudicate the irresponsible cases — we do not advocate that scholarly and professional publishers benefit commercially from selling user data or other use cases; instead, we support the strategic and transparent application of user data for the benefit of research, teaching, etc.). A comprehensive and responsible identity strategy requires following best practices, acting transparently (such as this recent SeamlessAccess statement), and ensuring that users can make informed choices requiring explicit consent.

Why publishers need an identity strategy

Identity strategies are critical for academic and professional publishers, and the complexities are manageable for any size organization — so let’s unpack some specific benefits of investing in strategic identity management. Don’t be daunted, scholarly publishers have a hidden superpower: our strong relationships with the communities we serve. Engaging with authors, editors, and scholars across disciplines of study has been a hallmark of university, society, and commercial publishers of all stripes.

Fundamentally, an identity strategy gives publishers a richer understanding of the information needs of their user communities. In turn, this translates into some powerful benefits. An identity strategy is aligned with the industry’s shift toward researcher-centric models of scholarly communications.

First, this understanding enables the development of more relevant and effective products and features. Knowing our users means we can predict information practices and design toward more contextualized presentation of high-value features that fit smoothly into instructional or research workflows. This is particularly valuable in our marketplaces, where the same user can play multiple, and sometimes parallel, roles in their career (reviewer, author, editor, and reader). More effective publishing solutions will drive greater user engagement and stronger usage — and all the concomitant benefits, e.g., citations, renewals, etc.

An identity strategy also offers publishers more agility and sharper business intelligence. Establishing a feedback loop with your audience enables your organization to understand changing patterns of behavior, culture, and expectations. It’s a particularly valuable asset for reducing risk in an uncertain world, which is where we all find ourselves now.

Finally, an identity strategy that delivers more effective solutions can help build trust, the route to lifetime loyalty. This is especially relevant for society / association publishers, where community is central to the core mission. If we do not have an identity strategy, we lose users to competing alternatives that provide more effective solutions — or, even worse, we lose them to less reputable sources and perpetuate the ‘leakage’ of authoritative content.

Just as with any strategic initiative, there will be unavoidable costs in staff time and internal resources, possible systems and platform development, possible design or consultancy services. And there may be impediments that demand a phased approach to rolling out identity management in your organization. But, the risks in turning a blind eye to the people behind our usage data are far greater than the investment in a comprehensive identity strategy.

Stay tuned for more!

Really, the best way to explore identity management is to learn more about those case studies in our community, where publishers, libraries, and technologists are putting identity strategies to work. Stay tuned for interviews with those who can demonstrate identity strategies in action, coming soon in Part 2 (and beyond!).

The authors would like to thank Lisa Janicke Hinchliffe for her valuable insights and expert feedback on an early draft of this post.

Lettie Y. Conrad

Lettie Y. Conrad

Lettie Y. Conrad, Ph.D., is an independent researcher and consultant, leveraging a variety of R&D methods to drive human-centric product strategy and evidence-based decisions. Lettie's specialties sit at the intersection of information experience and digital product design. She currently serves as Product Experience Architect for LibLynx, Senior Product Advisor for DeepDyve, and a part-time lecturer for San Jose State's School of Information. Lettie is also an active volunteer with the Society for Scholarly Publishing and the Association for Information Science and Technology, among others.

Tim Lloyd

Tim Lloyd is founder and CEO of LibLynx, a company providing Identity, Access, and Analytics solutions for publishers and libraries. He is a member of the SeamlessAccess Governance committee and co-chair of their Outreach committee, and serves on a COUNTER working group exploring reporting on usage of Open Access and unpaywalled content. He previously spent over a decade in a variety of product development and operational roles in publishing.

Discussion

4 Thoughts on "Driving Responsibly with Identity Management (Part 1)"

Does identity based services require knowing the identity (name, e-mail) of the user or are a persitent (anonymised) ID through Shibboleth and a few relevant user attributes what we are looking for? At a basic level, for example, knowing if a user is a student or a faculty member would influence the desired UX and having a persistent ID would enable the history component.

Federated identity solutions like Shibboleth support the use of ‘pseudonymous’ identifiers that mask a user’s real identity but allow the publisher to recognize them as a returning user and personalize their experience accordingly e.g. My Account features, recommendations etc. Sort of like wearing a unique mask to a ball – people will remember you but don’t know who you are. This same process can also pass other attributes that can personalize the experience without sharing personal data, such as a location (e.g. to reflect licensing limitations) or a role (e.g. to restrict features to particular types of users).

Excellent article! Thank for highlighting this topic. Publishers and libraries do need to rethink their identity strategy.

Users have already clearly communicated the trade-offs they are willing to make around identity through their use of services such as fb, LinkedIn and ResearchGate.

Richard Wynne – Rescognito

“Users have already clearly communicated the trade-offs they are willing to make around identity through their use of services such as fb, LinkedIn and ResearchGate.”

That seems like an intuitively sensible observation and on the weight of evidence, it seems hard to disagree. Yet I (and I suspect others here) have had plenty of conversations with US librarians whose position clearly stems from the ALA’s Library Bill of Rights. They consider themselves gatekeepers to personal data leaks on behalf of their users and are resistant to anything perceived as a threat to that position. The gap between the observation above and the gatekeepers at many institutions needs to be bridged and as this article says, “an identity strategy that delivers more effective solutions can help build trust” – that is what is lacking here.

The gap needs to be closed from both sides: a better understanding by some institutions of how federated authentication can help preserve privacy is required. And some publishers need to better understand their customers’ concerns. It is not uncommon for a development team at a publisher new to federated authentication to blithely expect institutions to hand over names and email addresses; I would say it’s like GDPR never happened but it’s not a new phenonenon. I’m not using this as an opportuntity to beat up developers; they’ve usually been given a task to complete with implicit or explicit requirements – and handing over personal data is too often among the requirements.

Excellent article by the way Tim and Lettie – looking forward to part 2!

Comments are closed.