“It would be good if browser changes meant browsers are more in control of the user experience”

What is happening with browser changes? Is authentication going to stop working? What is happening with browser driven privacy changes? Are librarians and publishers going to have problems authenticating into their federations and federated resources? David Orrell, principal architect at OpenAthens, walks us through the topic that is at the center of all industry conversations; how the upcoming changes to browsers may impact the industry.

What is a browser?

A browser sits between the user and the publisher’s web content. It is the technology that allows the user to interact with the content, and has moved from something that was relatively simple 30 years ago to a very sophisticated software.

It is because of this complexity that every user's browser has now a unique fingerprint; it might be the device they are on, the IP address they come from, the size of their screen, what they have installed on their system. Browser fingerprinting is one of the ways advertisers can track users as they move around between different websites.

What are the so-called browser changes?

Browser technology has been around for about 30 years now, formed from an open platform where hugely diverse applications have been built. It was designed to be open and allow anyone to build any type of application, which has been amazing, but it also means you get good and bad uses of the technology.

In recent years, the fact that large companies are tracking and selling users’ data has become an increasing concern. This is now a much more critical issue in people's and legislators’ minds than it was when the web started.

There is a small number of very large companies in charge of a huge proportion of the web. They have an enormous amount of power, but legislation is now catching up with them and there is the potential that EU and other government bodies push extremely harsh penalties on them. They have woken up to the fact that they need to be seen taking steps to prevent tracking of users and to push for user privacy. As a result, we are at the stage where a number of quite fundamental changes are being made to that underlying web platform and its architecture.

Are there any precedents to changes of this scale?

We saw this a couple of years ago with third-party cookies. They were the primary mechanism that advertisers used to track users between sites. So, we saw Apple block third-party cookies, and eventually Mozilla. Chrome has not turned them off, yet I believe they will also block third-party cookies by default in within the next couple of years.

That was phase one, but there are lots of additional changes. There are other ways users can be tracked, like fingerprinting or IP address; a mechanism which browsers still allow. Now we are at a planning stage to make changes to the web, and browsers will start making it harder to track users via these other mechanisms.

How can this potentially affect OpenAthens?

The URL, which is the address of a website, can contain arbitrary parameters, which can be used to pass information between sites. Passing data between websites using the URL is another means of tracking users that is called link decoration.

Unfortunately, because of the web being designed to handle lots of different types of applications, those same mechanisms that can be used to track users can be used to implement protocols used to support federated identity, such as SAML and OpenID Connect.

It concerns the community because, if these basic web primitives get turned off or locked down by browsers, there is the potential that this could prevent federated access and logging in to a browser. This is because even if they are used for a good outcome, a user logging into multiple publishers is potentially indistinguishable from cross-site tracking mechanisms.
There is a concern that this could prevent OpenAthens and similar technologies from working in the way they do currently, but we are working to alleviate its impact on our service. Obviously, Google does not want to stop OpenAthens working.

What happened with third-party cookies?

Technology companies developed standards that allowed advertisers to target advertising. However, changes in third-party cookies did not really affect federated identity, since SAML does not really use them, and they were mostly used for advertising purposes.

Now, browsers allow you to do advertising without the cookies. In a way, that is parallel to what we are seeing now with FedCM, which is being proposed as the standard to allow you to do single sign-on to prevent tracking.

Further down the line we might see browsers prevent tracking via URL, so it is quite a positive indication, but we need to ensure that FedCM meets our use cases.

What can you tell us about FedCM?

FedCM is a new API that allows you to sign in to websites, where the browser is part of the sign-in. It provides a consistent user experience between websites and helps the browser distinguish that your sign in is genuine, it helps solve the problems that exist when trying to manage accounts across sites.

At the moment, FedCM is designed for a consumer end-user solution, which is what Google understands and the space they are in. It does not scale to the type of federated authentication we are doing with thousands of different institutions accessing one publisher through OpenAthens and federations.

Should OpenAthens customers be concerned?

I do not think that browser changes represent an immediate risk. They are a fundamental change, but I do not believe it will happen quickly.

We will start to see websites behave differently in different browsers, just as we have with third-party cookies and I would expect some of these changes to be implemented in Safari first, because Apple is prioritizing the value of user privacy. It is a risk that does not just sit with federated identity, it affects any technology using URLs for cross-site links, which is the library space in general.

Also, we are having active discussions with Google, Mozilla, and Apple about the changes and their impact, and they want to understand our use cases.

Are there any positives for OpenAthens?

OpenAthens will continue to work and there is a potential for a lot of positives as well. Single sign-on is a very important part of the web now, but the experience is not very good at the moment for end users. If browsers were more in control of the user experience around federated single sign-on, it would bring improvements to the UX, and make things more secure and easier to use for end users.