User Authentication at Public Internet Terminals:
Who Is Doing It?

A non-scientific email survey performed by Eric Schnell (schnell.9@osu.edu)

"Authentication" refers to the ability to track the usage of the Internet to a given individual, on a specific machine, during a specific time period, by the assignment of a unique username. It refers to the restriction of patron use of the Internet in an anonymous manner.

THANKS to all who responded!!

Quick Survey Results:

Reponses 37
Authentication5
Investigating Authentication10

Move To: Notes | Conclusions | Data

Notes:

  • There appears to be many instances where libraries are at odds with computing administration over anonymous access. Most libraries in this situation have indicated that they will stand their ground and continue to provide unauthenticated Internet service.

  • Several Public University libraries indicated that since they are supported by tax dollars, they feel obligated to provide unauthenticated access.

  • Several libraries indicated that a primary motivation for investigating authentication was the management of printing costs.

  • Several libraries indicted the use of a paper log and signup system requiring the use of an ID. As a result, their actual use wasn't tracked but they could be identified if problems occured.

  • A couple libraries indicated they were government document depositories and "are required" to provide unauthenticated access to electronic documents. The Committee on Institutional Cooperation (CIC) GovDocs Task Force is surveying this issue. (Contact: Debbi Schaubman schaubm1@pilot.msu.edu)

  • Half of those currently with authentication services are private universities.

  • 2/3rds of the sites investigating authentication are public universities and colleges.

Early Conclusions:

In many cases, those responsible for network security do not have library backgrounds. They have not been sensitized to concerns of patron privacy and the tenets of the intellectual freedom, the Library Bill of Rights, and the interpretation of these rights regarding access to electronic information, services, and networks.

On the authentication issue, network security staff appear to be not focused on breeches of network, but more on the ability to track misuses and illegal activities. Tracking usage through authentication is method of identifying these individuals.

There would appear a need for education on both sides. The security staff need to provide concrete examples on the issues they face. Libraries need to become more sensitized to the techniques used by hackers to compromise security. Libraries also need to become more aware of the real threats being placed on security staff by the law enforcement. The library needs to explain to security the long history of threats made by law enforcement on the privacy of library users.

Compromises then need to be worked out between the library and security in order to create solutions which have reasonable security while providing privacy. For example, the sending of anonymous email is a security concern. An open network can allow someone to email threatening messages. However, network hardware can be configured to block much of the email traffic by filtering the SMTP and POP ports by IP address.

Data:

Institution Authentication in Library Institution Status Investigating Comments
Atlanta-Fulton Public Library SystemNoPublic Lib... the type of authentication you are talking about would be considered a "supreme" invasion of the user's right to anonymity/privacy in a public library.
BaylorYesPriv Uonly Baylor folks can use the Web from the public access terminals as they can be authenticated using their BearIDs.
Cal Tech NoPrivate U Y...not making any restrictions during normal working hours... do restrict access to 'Caltech' users in the evenings and on weekends...the thinking at the moment is that users would swipe a smart card for access to the NT network including full access to resources licensed to our academic community.
Contra Costa County LibraryNoPub LibSecurity people do not have library backgrounds. They are not concerned with patron privacy, tenets of the library bill of rights, etc....agreements on what is to be done need to be worked out between the library and the people charged with network/computer security.
Creighton U No Priv U ..is a private institution and we do not require authentication from the users of our open PCs
DukeNoPriv U At Duke's Medical Center Library, we don't have any sort of authentication requirement at the public terminals.
Eastern Washington UniversityNoPub U... a public institution, supported by taxpayers' dollars, and we believe in not excluding those taxpayers from library resources.
Eugene Public LibraryNoPub LibWe currently require all users of our public access PCs to identify themselves by signing up with their library card. This keeps some semblance of anonymity but yet if we need to know who was on a machine at a particular time, we have it. We are not using on-line authentication at this time.
Franklin College of IndianaNoPriv U
HarvardNoPriv UY...provide special handling for public-access machines located in libraries exemption from user-level authentication to (almost all) restricted resources.
Indiana U NoPub UY..another library in our system is moving to authentication to find a way to charge users for printing.
Memorial Hall Library NoPub Libask them to voluntarily sign in on clipboard next to computer.
MichiganNoPub U limiting authentication isn't under review.
Michigan State yes Pub U under the rules of being a Depository Library, we can not require ID for access to depository materials. As a result, a user could request a community borrower card without providing her/his real name and no one could deny that request. This, in turn, renders the authentication process meaningless.
Multnomah County LibraryNoPublic LibraryY
Ohio State No Pub U Y ... a Gov Doc inspector indicated a need to provide unauthenticated access to government documents.
Northeast Ohio Univversities College of Medicine No Pub U N
Raritan Valley Community CollegeNoPub UYes Authenticating is being introduced in our computer labs, and is also coming to the library. As a community college we serve the public in two counties as well as our students. This means that public patrons must be given guest passwords, which will be changed daily.
Rush University No. Uses Generic Login Priv U
StanfordNoPriv U deploying kerberos-based authentication as the basis for controlling access to most of its restricted services and we expect to use kerberos with a web proxy server to control off-campus access to restricted (licensed) library resources.
Texas A&M Some Yes, Some No Pub UThe Medical Sciences Library's public computers are still open, but we only have one with overt web access.  The computers in our teaching lab...all have login IDs and passwords posted on the front of the monitors and students have to sign in with the computer # they are using when they enter the room. 
TulaneNoPriv Uwe need authentication of students and faculty who are accessing restricted commercial databases.
U ArizoniaNoPub U the issue of authentication has not arisen with public access Internet PCs in the libraries.
U Chicago No Pri U ... fully open access, no authentication at all of our library workstations...security and Systems staff have been voicing the same concerns. 
U Iowa No Pub U ...in a nutshell, we keep things open access and loose.
University of Maine at FarmingtonNo Pub U YesOur academic computing folks feel very strongly that any uses of the network should be authenticated. We in the library feel we should have some machines which allow people to search the Internet and our other databases (barring licensing agreements) without logging in. It has been a long, difficult process.
U Montana No Pub U ...can browse the internet but you have to know how to get out of our homepage and then you have free access.
U Pitt No Pub U Y
UC San Diego No Pub U Y ...what we would probably do is have a two-track system - users who could provide a network login would get a fully featured browser.  Users who could not would get a stripped down browser like the standalone Navigator. 
U South Ala Yes (Main Lib has open access PCs) Pub U At the Biomedical Library, what we have done is put ALL University folks on a Novell network and they have to sign on ...Outsiders can pay $5 per hour for general Internet access... 
U South Dakota No Pub U The only restriction we have is that our primary clientele have priority use.
U Sothern California No. ID to aquire key to "turn machine on" Priv U We're farily restrictive on who can use our "public access computers." Basically, except for the online catalog, only those who are valid USC affiliates can use our computer resources. 
United States International UniversityYesPriv U ...moved the Internet terminals out of the study carrels to desks directly in front of the Reference desk for better supervision and instituting user authentication.
Ventura College LibraryNoPub UWe do not monitor any activities on the internet.
Western Oregon UniversityNoPub U YWe are working on a scheme to require authentication for students, faculty/staff and community users of our library.
Wright State No Pub U Y ... a temporary computer account would not be required for visitors, but they would have only partial Internet access (e.g., OhioLINK resources, and .edu or .gov sites). 

* Some sites responded that they check an ID or use a generic account to access the network. Neither process as detailed tracks usage at a given terminal to an individual.

* Access to networked resources restricted by licensing agreement is not in the scope.

Last Updated: