Yesterday a librarian posted on MEDLIB-L about a Facebook group listing the usernames and passwords to databases, full textbooks, journals, and other subscription sites.
Obviously this is illegal. Institutions pay for access, must abide by license agreements, and in general try their best to balance the fine line between providing access to registered authorized users and restricting access to unauthorized, unaffiliated users. Even with the best intentions leaks happen.
With the Internet came the idea that everything is freely available online to anybody. The idea that are fees and costs to information online is completely foreign to some people. To some people it isn’t foreign, they know it is wrong, but they don’t care, they want it and they don’t see why they should have to pay for it. Nowhere was this more obvious than with Napster. Napster’s file sharing was just one of the many that existed that music lovers flocked to. Now days BitTorrent protocols make it easy to distribute large amounts of data enabling people to download movies, tv shows, etc. A Wikipedia citation from TorrentFreak estimates 27-55% of all Internet traffic (depending on geographical location) is related to the BitTorrent use.
Compared to BitTorrent, the posting of passwords online is a fairly low tech but effictive and often hard to discover method of accessing fee services. It was only a matter of time before somebody decided to create a Facebook Group. This particular Facebook Group is not new to this type of behavior, they also have their own website, Medishare.net, which uses file sharing techniques somewhat similar to BitTorrent. It appears from their website they are listing and sharing the complete PDF’s of textbooks from Elsevier, Springer, Humana, etc. They even have files and instructions for downloading UpToDate 17.3 for the PC & PDA! They are sharing this information by breaking the information up into .rar files for their msn group members to download.
When faced with these type of sites, what is a library to do? It isn’t practical or possible for librarians to scour the Internet looking for websites distributing their passwords. However, it might be helpful for librarians to end or severely limit their use of generic passwords for off campus use. Giving users their own unique username and password that they use to access resources through a proxy server, Athens, or some other secure authentication method, might help. It is just my observation, but people seem way more willing to distribute generic passwords to library resources rather than their own personal password to library resource. Additionally, by having each person have their own unique username and password you have method to track down and deal with scofflaws individually.
Libraries and vendors also need to work together try and keep things on the up and up. One of the libraries whose passwords to Ovid were listed on the Facebook page were notified by Ovid about the problem. Yeah Ovid and the rest of the vendors have a vested interest in making sure their resources are accessed by authorized individuals, but libraries have an interest too. We have relationship with these vendors and as much as we complain about the costs of their products, if piracy drives them out of business who we will get to provide the services or the resources? It may be argued that these databases just re-purpose information, that the information will still be found if they go out of business. Sure the data is there, but as with the example of UpToDate, how many doctors and nurses were finding that kind of information (which was out there and available) prior to UpToDate’s creation? The case of textbooks and journals, where the printed text is undergoing a lot of changes (Kindle, iPhone, online articles, advertising issues), presents different risks. In this instance it is the actual information that is in jeopardy. Not only do you wonder about whether it is correct but if a publisher can’t make any money selling a book or advertisement for a journal, they will stop publishing it and the information is gone. Journal publishers that still cling to username and password access as their only means to allowing institutional online access need to really sit down and either update their access methods or open up their site completely because they are probably dealing with this much more often than those publishers that allow IP validation.
The Internet has changed the way society accesses information. Some is open and free for all, some is not. There will always be those who are trying to beat the system illegally. Deal with it the best way you can, see if you can prevent further problems and then move on.
I can’t stress enough how libraries need to be aware of how easy it is get their group codes or general passwords when they post them in unsecure locations. Shortly after I posted this, a person tweeted that people can always do something as simple as this to see usernames and passwords. While a many libraries like ASU and JMU do not state their RefWorks group code there are a whole bunch that have it hanging all out there for the world to see. Hey, Capella University, Cornell, Drexel, Johns Hopkins, Princeton your fly is down and your group codes are showing. You can’t blame people for distributing it when you are already doing that yourself.
It appears Facebook has removed the group.