Move by journals to ‘seamless’ off-campus access raises privacy concerns

For a scientist working on their university’s campus, accessing a paywalled journal article is painless and invisible, if their institution subscribes. The article automatically appears because the publisher recognizes that the request came from the university’s internet address.

But many researchers gripe that the minute they step off campus and try to access the same article—through a home internet provider, a coffee shop’s WiFi, or a cellphone—they often face a frustrating experience. Even though many universities allow remote users to gain access by logging in through an online portal, many articles don’t clearly flag that possibility, and following the steps can be cumbersome.

This week, one major publisher—the Nature family of journals—launched an effort to make things easier for off-campus readers. It became the first to offer a consistent, streamlined method of access, through a standard button displayed prominently atop articles in its 150 journals. And more publishers, including Springer Nature, Nature’s parent, are expected to roll out the feature over the next year through an international consortium.

But the project has raised concerns among some university librarians. They say it could ultimately allow publishers to obtain personally identifiable data about researchers without their knowledge, and are keeping a close eye on how it evolves.

“I think we have learned that with respect to technologies [that collect data], we might need to trust but verify rather than just trust,” says Lisa Janicke Hinchliffe of the University Library at the University of Illinois in Champaign.

Nature’s new feature works like this: Off-campus readers who click the button, labeled “Access through your institution,” are asked to identify their university affiliation, then are taken to a web page at their institution that allows them to access the article by entering their university password. Their institution’s identity is recorded as code in the user’s web browser so that the next time they seek to access a Nature article, a different button is displayed that, when clicked, takes off-campus users straight to their institution’s log-in portal.

If multiple publishers adopt the same approach, to be facilitated through a service called Seamless Access, it may ease another frustration for off-campus readers: They will be able to look at articles from different publishers in succession, without having to repeat the log-in process for each article. Instead, Seamless Access will run a central information repository, like a switchboard, that will automatically give participating publishers information about the off-campus user’s institutional affiliation.

The consortium is negotiating with other large publishers about joining Seamless Access, says Todd Carpenter, executive director of the nonprofit National Information Standards Organization in Baltimore, Maryland, which works to develop technical standards in publishing and helps run the project. Another partner is the International Association of Scientific, Technical, and Medical Publishers, based in Oxford, U.K.

The consortium is also talking with publishing services, such as HighWire, that host journal websites; HighWire’s clients include several scientific societies, such as AAAS (publisher of Science).

Carpenter says many publishers are considering joining in part because the off-campus paywall barriers lead many researchers to give up and obtain papers for free from other sources, such as the websites ResearchGate and Sci-Hub, which some publishers have said violate their copyrights.

“The problem is … how can we improve the user experience to provide the access that institutions are paying for and want to provide to their communities,” Carpenter says. “That’s what this initiative is really about.”

Springer Nature is planning to see how the new button works, and consider adding it in 2020 to all of SpringerLink, its database of more than 1200 journals, said digital product manager Laird Barrett in a webinar this month. As for privacy concerns, Barrett said Nature will not collect details about off-campus users other than their university affiliations. A policy document developed by Seamless Access organizers recommends that participating publishers follow the same approach for individuals seeking only to access scholarly information.

But that declaration doesn’t entirely satisfy some university librarians. Hinchliffe, who served on a committee during the Seamless Access planning process that examined privacy issues, worries that publishers employing the service might eventually require universities to provide details about users who log in, such as their names and academic departments, as a condition for accessing journal articles. They could potentially use those data for business purposes, perhaps selling them to third-party data aggregators. The potential for tracking also threatens the academic freedom of scholars studying national security and other controversial topics, Hinchliffe says. The Association of Research Libraries in Washington, D.C., which represents 124 U.S. and Canadian institutions, raised similar concerns in comments on the draft policy document.

Carpenter says universities can use Seamless Access to provide additional information about logged-in users to publishers for particular purposes not meant to track their online behavior—for example, to limit article access only to readers in the chemistry department to lower the university’s subscription price. The recommendations for Seamless Access call for users to give informed consent before personally identified details are released, and a committee has begun to develop additional recommendations about privacy for those “granular authorizations,” he said. But during the first year of Seamless Access, Carpenter says, the focus will be on testing and expanding the basic, anonymous access to scholarly articles.

In addition, Carpenter says, many publishers, wherever they operate, are likely to observe the requirements of an EU privacy law, the General Data Protection Regulation. Among other provisions, it requires businesses to inform users how they are handling their personal data.