Library Passwords On Facebook
Yesterday a librarian posted on MEDLIB-L about a Facebook group listing the usernames and passwords to databases, full textbooks, journals, and other subscription sites.
Obviously this is illegal. Institutions pay for access, must abide by license agreements, and in general try their best to balance the fine line between providing access to registered authorized users and restricting access to unauthorized, unaffiliated users. Even with the best intentions leaks happen.
With the Internet came the idea that everything is freely available online to anybody. The idea that are fees and costs to information online is completely foreign to some people. To some people it isn’t foreign, they know it is wrong, but they don’t care, they want it and they don’t see why they should have to pay for it. Nowhere was this more obvious than with Napster. Napster’s file sharing was just one of the many that existed that music lovers flocked to. Now days BitTorrent protocols make it easy to distribute large amounts of data enabling people to download movies, tv shows, etc. A Wikipedia citation from TorrentFreak estimates 27-55% of all Internet traffic (depending on geographical location) is related to the BitTorrent use.
Compared to BitTorrent, the posting of passwords online is a fairly low tech but effictive and often hard to discover method of accessing fee services. It was only a matter of time before somebody decided to create a Facebook Group. This particular Facebook Group is not new to this type of behavior, they also have their own website, Medishare.net, which uses file sharing techniques somewhat similar to BitTorrent. It appears from their website they are listing and sharing the complete PDF’s of textbooks from Elsevier, Springer, Humana, etc. They even have files and instructions for downloading UpToDate 17.3 for the PC & PDA! They are sharing this information by breaking the information up into .rar files for their msn group members to download.
When faced with these type of sites, what is a library to do? It isn’t practical or possible for librarians to scour the Internet looking for websites distributing their passwords. However, it might be helpful for librarians to end or severely limit their use of generic passwords for off campus use. Giving users their own unique username and password that they use to access resources through a proxy server, Athens, or some other secure authentication method, might help. It is just my observation, but people seem way more willing to distribute generic passwords to library resources rather than their own personal password to library resource. Additionally, by having each person have their own unique username and password you have method to track down and deal with scofflaws individually.
Libraries and vendors also need to work together try and keep things on the up and up. One of the libraries whose passwords to Ovid were listed on the Facebook page were notified by Ovid about the problem. Yeah Ovid and the rest of the vendors have a vested interest in making sure their resources are accessed by authorized individuals, but libraries have an interest too. We have relationship with these vendors and as much as we complain about the costs of their products, if piracy drives them out of business who we will get to provide the services or the resources? It may be argued that these databases just re-purpose information, that the information will still be found if they go out of business. Sure the data is there, but as with the example of UpToDate, how many doctors and nurses were finding that kind of information (which was out there and available) prior to UpToDate’s creation? The case of textbooks and journals, where the printed text is undergoing a lot of changes (Kindle, iPhone, online articles, advertising issues), presents different risks. In this instance it is the actual information that is in jeopardy. Not only do you wonder about whether it is correct but if a publisher can’t make any money selling a book or advertisement for a journal, they will stop publishing it and the information is gone. Journal publishers that still cling to username and password access as their only means to allowing institutional online access need to really sit down and either update their access methods or open up their site completely because they are probably dealing with this much more often than those publishers that allow IP validation.
The Internet has changed the way society accesses information. Some is open and free for all, some is not. There will always be those who are trying to beat the system illegally. Deal with it the best way you can, see if you can prevent further problems and then move on.
**Update**
I can’t stress enough how libraries need to be aware of how easy it is get their group codes or general passwords when they post them in unsecure locations. Shortly after I posted this, a person tweeted that people can always do something as simple as this to see usernames and passwords. While a many libraries like ASU and JMU do not state their RefWorks group code there are a whole bunch that have it hanging all out there for the world to see. Hey, Capella University, Cornell, Drexel, Johns Hopkins, Princeton your fly is down and your group codes are showing. You can’t blame people for distributing it when you are already doing that yourself.
**Second Update**
It appears Facebook has removed the group.
You raise some good points. Certainly it’s in the interest of libraries to ensure availability of information to their patrons, and to raise awareness of the fact that while the resources they access may be free-to-them, somebody, somewhere is paying for them. I also agree that the movement towards an open access model would neatly sidestep these issues while allowing publishers to remain economically viable.
However, one could argue that, as the banking crisis in the US has shown, no one has a God-given right to be in business, except for big banks. The degree to which this Robin Hood-ing of content is costing them money is the degree to which they should spent on prevention through either technical means or simply policing. I think it’s great you’re advocating taking the high road and offering to police content for them, in the interest of maintaining a good relationship with them.
When was the last time a publisher said, “You know, we have exclusive access to this content, but in consideration of maintaining a good relationship with our customers, we’re not going to charge more for it”? You should be commended for proposing that the high road be taken, despite this. It’s not often that you hear someone appeal to a higher standard, and argue for rising above a tit-for-tat mentality. Maybe publishers will see this and have a change of heart themselves. One need only look at the healthcare debate in the US to see that sometimes extending an olive branch is all that’s needed to achieve effective compromise that works for both sides.
That said, the real point I want to make is this: contracts between service providers and those receiving service are effectively unilateral. Ever since compuserve, these contracts have specified what the users must do to remain in good standing, but they obligate the company to exactly nothing, as the terms can and (Facebook is a recent and frequent example) are changed at will by the company. Under no circumstance should anyone even think that a breach of these contracts could or should result in criminal penalties. What they’re doing is wrong, for sure, but the appropriate remedy is termination of the contract, and it’s up to the service provider to decide how much spillage they can tolerate before they have to terminate the contract. I’m no expert, but I’ll bet that number is something other than zero, and the size of that number indicates how much you overestimated your need for them.
Interesting – Facebook has a form to report a Notice of Intellectual Property Infringement (Non-Copyright Claim) [http://www.facebook.com/legal/copyright.php?noncopyright_notice], but “If you are not the IP owner (or the authorized representative of the owner) you cannot report a suspected infringement to us. If you believe that content on the Facebook website violates another party’s IP, you should advise the rights owner directly.” so technically I can’t fill it out.
Thanks for posting this. Just checked and the fb site is gone.
Mr. Gunn, I am not sure if you think I think that the library vendors or libraries have a God given right to be in business. Business’s come and go, as well as libraries. Some of the largest of both groups have closed, merged, or disolved.
It is against our license agreements to knowingly provide access to unauthorized users. We can’t know of every infraction or posted password, but once we are made aware of it we are obligated to try and stop that leak. If we do not show good faith in doing so the company can end their contract with us and remove their product. For example if JAMA thinks we are intentionally ignoring access violations or not doing due diligence to prohibit unauthorized access they have every right to pull their product from us. Maybe in business you can get another program to run your figures, but in medicine you can’t just get another JAMA.
I am not quite sure what you meant by “Maybe publishers will see this and have a change of heart themselves.” What kind of change of heart? Free access for all? That is working out really well for the newspaper industry.
You state, “but the appropriate remedy is termination of the contract, and it’s up to the service provider to decide how much spillage they can tolerate before they have to terminate the contract. I’m no expert, but I’ll bet that number is something other than zero, and the size of that number indicates how much you overestimated your need for them.” You obviously haven’t had any dealings with certain medical database providers. Because there are database providers that will terminate your contract if you do not do everything thing in your power to keep spillage to zero. I would like for you to tell the angry docs why they can’t access a certain product because it was terminated due to license agreement infractions. Let me know, I’ll get some popcorn and coke and watch how that plays out.
Great post. We keep the passwords behind an https:// on our intranet, so I am wondering what that ow.ly link was to in terms of ‘what users can do’ to find out passwords. (Our institutional network restrictions prohibit ow.ly links, but allow tinyurl. Go figure.) I’ll check this post again from home later to find out – thanks again for the update.
Aside from the idea that non-patrons are using the databases, thus prohibited through the contract…
It is my understanding that contracts can be and likely are written to allow for an estimated usage and beyond that estimated usage overage fees kick in (sounds similar to cell phone plans) or could be written as a a pay-per-document-access agreement. Isn’t it in the library’s best interest to minimize additional costs based on the thought that those non-patrons could push them beyond the estimated usage?
Point notwithstanding, it’s Drexel, not Drexell!
Sorry my fingers were going faster than my mind. I have corrected it.