
Stay ahead of browser-level privacy changes

23 August 2023 • Adam Snook, technical consultant

It’s vital that librarians get up to speed on the privacy-preserving initiatives proposed by the main browser vendors, because, in time, they could have a significant impact on federated access in research and education. We caught up with Judith Bush, co-chair of the REFEDS Browser changes and federation working group, to find out more.

Web browsers are a vital part of our daily lives. Free, ubiquitous and simple to install, they’ve helped to revolutionize how users interact not just with websites, but with cloud applications and online resources.

Browsers are also a critical part of the OpenAthens user experience (UX), because users need a browser to access resources via their library portal, a publisher’s website, or an information discovery service.

But of course, browsers aren’t static. They’re constantly being updated and developed – and one of the main focuses of development is user privacy.

That’s good news in principle. But when your organization uses federated access, it’s important you stay aware of privacy-preserving browser changes coming down the line.

That’s because efforts to protect users from a common set of privacy threats could also, over time, have a significant impact on federated access and user experience.

What’s the privacy changes issue?

Browser companies need to protect users from being tracked in ways they haven’t consented to – in particular, across multiple websites.

The challenge for SAML-based federated access is that it uses many of the same features as cross-site web tracking tools. Even though federated authentication is privacy-preserving, from the browser’s point of view it looks like the behavior the browser wants to prevent. See the 2023 ALA Annual presentation slides from NISO and EBSCO, ‘Federated Authentication: Browser changes and what to expect’.

In future, the risk is that browser-based federated authentication could be disrupted by measures designed to mitigate tracking.

So it’s vital to understand the changes that may happen in future. And to work together so that browser-based federated access continues to function.

What’s the impact for now?

At the moment, there’s no immediate threat from browser privacy changes to the fundamental way that federated access works, whether via SAML, or other standards such as OpenID Connect or OAuth 2.0. But that doesn’t mean we can ignore privacy changes.

For example, there are already issues arising from efforts to mitigate a privacy issue known as “third-party cookie tracking”. This is where cookies set by one website are also accessible to other websites.

These changes do not affect authentication, but will affect implementations of single logout and the SeamlessAccess “smart button”.

Meanwhile, another privacy measure known as IP masking – designed to protect users’ IP addresses – will disable the use of traditional IP recognition for on-site access. This will not affect other technologies that mask public IP addresses, such as proxy services and VPNs.

How could privacy changes impact us in future?

For users of federated authentication, a more fundamental challenge is the steps browsers may take to mitigate “navigational tracking” – which uses techniques such as “link decoration”, where tracking information is added to a URL, and “bounce tracking”, where user requests are redirected from one site to another, with information exchanged in the process.

Federated authentication uses both these techniques, as they are the primary way of communicating between the service provider (the publisher) and the identity provider (institution).
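To make the “link decoration” and “bounce tracking” point concrete, the following example (added here; it is not OpenAthens code and does not come from the original post) models the SAML HTTP-Redirect binding: the service provider deflates and base64-encodes an AuthnRequest, appends it as URL parameters, and redirects the browser to the identity provider, which parses them back out. The request XML, entity IDs and URLs are constructed placeholders.

```python
import base64
import zlib
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed sample AuthnRequest; the issuer, ID and URLs are placeholders.
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_example-id-123" Version="2.0" IssueInstant="2023-08-23T12:00:00Z" '
    'AssertionConsumerServiceURL="https://sp.example.org/saml/acs">'
    '<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    'https://sp.example.org/metadata</saml:Issuer></samlp:AuthnRequest>'
)


def deflate_base64(xml: str) -> str:
    """Raw DEFLATE (no zlib header, wbits=-15) then base64, as the
    HTTP-Redirect binding requires."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)
    data = compressor.compress(xml.encode("utf-8")) + compressor.flush()
    return base64.b64encode(data).decode("ascii")


def inflate_base64(value: str) -> str:
    """Reverse of deflate_base64."""
    return zlib.decompress(base64.b64decode(value), -15).decode("utf-8")


def build_redirect_url(idp_sso_url: str, authn_request_xml: str, relay_state: str) -> str:
    """Service-provider side: decorate the IdP URL with SAMLRequest and RelayState.
    To a browser's navigational-tracking heuristics this is a cross-site
    navigation carrying state in the query string, i.e. 'link decoration'."""
    params = {
        "SAMLRequest": deflate_base64(authn_request_xml),
        "RelayState": relay_state,  # where to send the user back after login
    }
    return f"{idp_sso_url}?{urlencode(params)}"


def parse_redirect_url(url: str) -> dict:
    """Identity-provider side: recover the request and RelayState on arrival."""
    query = parse_qs(urlparse(url).query)
    return {
        "authn_request": inflate_base64(query["SAMLRequest"][0]),
        "relay_state": query["RelayState"][0],
    }


def is_cross_site(url_a: str, url_b: str) -> bool:
    """Simplified check (host comparison only, no public-suffix logic): the SP
    and IdP live on different sites, so the SP -> IdP -> SP hops look like a
    'bounce' through a third-party site."""
    return urlparse(url_a).hostname != urlparse(url_b).hostname
```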

The risk of these techniques being disabled is the biggest threat to federated authentication: if this happens, it may even force all participants in our ecosystem to redevelop or enhance their products and services.

At this stage, though, it is not certain what mitigations will be enforced. But they could, for example, include restricting cross-site techniques that federated authentication solutions use to exchange encrypted data – and to which end users have previously consented.

What can libraries do?

As a first step, libraries should get up to speed on the privacy changes proposed by the main browsers.

The main browser vendors are, of course, aware of the possible impacts on federated authentication. For example, one initiative is the FedCM (Federated Credential Management) API, which is a potential solution for federated authentication.

But different online communities do not all implement federated access in the same way. So it is still possible that, in future, more aggressive mitigations by the browser developers and W3C may disrupt federated access as it works in research and education.

This is a fast-moving and complex area, so we suggest the following steps:

Ultimately, this is a community issue. The more libraries get involved, the more that browser vendors can understand the specific needs of federated access in research and education.

Watch the EBSCO webinar recording on browser changes to find out more.


EBSCO webinar on browser changes

Browser changes: What, when, and how to prepare your library’s authentication

Changes to browser privacy settings, some expected to roll out over the next year, will impact how libraries access electronic resources. The changes will particularly affect those who do not have a remote authentication method. This webinar is intended to educate and inform you of these changes and their impacts, and give you the tools to move forward.

Watch the EBSCO webinar recording