Access control in libraries

In the beginning

"Access control..."
"Access control..."
I'm confused. I've spent the majority of my career as a librarian trying to provide free and equal access to information and now I'm being told to implement access control systems, security measures, filtering software, and authorization/authentication gateways. Are we providing information services for our mutual benefit or are we becoming the information police?

I suppose all of this is not unexpected. The truth of the matter is that information was never free to begin with. We all know how much money it costs to catalog books, let alone provide systematic access to them. And we traditionally provided access control over our materials through the combination of institutional affiliation and physical presence. "Only people who live in Wake County can obtain a borrower's card and you can only borrow books if you come into the library and check them out." On the other hand, nobody ever had to show their library card to get into the library and use the books in the building.

We also know that not all information is intended for every person. This is especially true in the business world. I learned that when I had the opportunity to work at IBM. There, the department's official policy was to clean the top of your desk every night before going home. This discouraged passersby from casually glancing at the things on your desk and seeing things not intended for their eyes. It was not so much that the things I worked on were secrets. It was more a matter that others did not need to know.

The idea of the "free public library", a brainchild of Ben Franklin and the United States flavor of democracy, holds just as much truth today as it did 225 years ago. At the same time, it is not as necessary as it was then, since there are many alternative ways to have an "informed public" through television, newspapers, and telephones. All but the poorest of people have access to these sorts of information resources and if they are the poorest of people, then they probably don't visit libraries anyway because they have more fundamental needs to be met, like eating.

A quick search of Index Morganagus [1] for "access control" or "authentication" or "authorization" turns up quite a number of hits. Two in particular are of interest here. One by Andy Powell and Mark Gillet [2], and another by Henry Gladney. [3] Powell/Gillet share their thinking about the value of authentication and authorization. Gladney describes an access control system.

Authentication and authorization

Authentication and authorization may be the keys to many of the problems surrounding security, access control, copyright, etc. In computer terms, authentication is the process whereby a person is validated as the person they say they are. Usernames and passwords are a method of authentication, just as the police use fingerprints.

Authorization is a process of allowing or denying computing services based on characteristics of the authenticated individual. For example, one set of reserve room materials would be accessible to some people but not others, since some people are not members of a particular class. Similarly, one person could be authorized to see the R&D records of a business library while others are not, since the R&D records are not for everybody's consumption.

Proper authentication/authorization systems are the things making access to some materials easier. For example, after a person has been authenticated and authorized it is much easier to provide the person access to copyrighted materials with confidence, reimburse charge back fees, and monitor use of materials in the hopes of customizing services. As Powell and Gillet state:

All of these are at least partially resolved by a user based authentication system, provided in a conventional library by the library card. In some libraries, cards not only identify the member to the librarian at the time of removing a book on loan, but also identify the member to the library itself (in the case of a library whose entrance is policed by card readers), to specific areas of the library, e.g. the copying room, video viewing rooms or computing facilities and also to confirm identity and status to staff in the event of a requirement to view or remove 'restricted material'.

Security

"Okay," you say, "now I know about authentication and authorization, but how do I use these processes for security measures?" First of all, there are different types of security measures, and many times security is used as a means to verify that data/information has not been tampered with between source and user. Encryption is one means of securing documents, and Pretty Good Privacy (PGP) is an example. Digital watermarking is another security method. Access control is a third. Gladney defines access control somewhat technically:

Access control is a custodial contract governing the relationship of the store with the rest of the world. Specifically, it has to do with the execution of operations which deliver information, or which change the state in a way that potentially affects future information delivery. Access control is said to be in effect if the store state permits any past action or future permission to be traced to proper authority, and if such permissions faithfully reflect an articulated policy. The store is said to have integrity if its state conforms to articulated consistency rules. A storage subsystem which has integrity and access control is said to be secure.

In other words, access control is the process of exchanging data and information in a secure and authoritative manner once authentication has taken place.
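
The three ideas above, worked through as an added example (not code from the article or from the systems it cites): a patron is authenticated by password, authorized by class or group membership, and every decision is logged with the policy rule behind it so that it can be "traced to proper authority". The patron names, passwords, collection names and policy table are constructed for illustration.

```python
import hashlib
import hmac
import os

def _hash(password, salt):
    # Store a salted, slow hash rather than the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def _patron(password, courses=(), groups=()):
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash(password, salt),
            "course": set(courses), "group": set(groups)}

# Constructed sample data: who the patrons are and what they belong to.
PATRONS = {
    "alice": _patron("correct horse", courses=["HIST101"]),
    "bob": _patron("staple battery", groups=["r-and-d"]),
}
# The articulated policy: each collection names the attribute that grants access.
POLICY = {
    "reserve/HIST101": ("course", "HIST101"),
    "business/r-and-d-records": ("group", "r-and-d"),
}
AUDIT = []  # (user, collection, decision, reason) for every request

def authenticate(user, password):
    """Is this person who they say they are?"""
    rec = PATRONS.get(user)
    if rec is None:
        return False
    # Constant-time comparison avoids leaking how much of the hash matched.
    return hmac.compare_digest(_hash(password, rec["salt"]), rec["hash"])

def authorize(user, collection):
    """Does the policy grant this authenticated person this collection?"""
    kind, value = POLICY.get(collection, (None, None))
    # Collections with no policy entry are denied by default.
    return kind is not None and value in PATRONS[user][kind]

def request(user, password, collection):
    if not authenticate(user, password):
        decision, reason = "deny", "authentication failed"
    elif authorize(user, collection):
        decision, reason = "allow", "policy rule %s=%s" % POLICY[collection]
    else:
        decision, reason = "deny", "no policy rule grants access"
    AUDIT.append((user, collection, decision, reason))
    return decision
```

Authorization is only consulted after authentication succeeds, and a denied request is recorded just like an allowed one, which is what lets the log answer "who was let in, and on what authority?" later.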

Considerations for librarianship

Computers are about many things, but right now in today's world, they are mostly about data and information. As our economies continue to move from industrial bases to service bases we can expect to see continual increases in services specializing in "information products". By definition, these information products (newspapers, bibliographic databases, books, magazines, data sets, etc.) will be sold or licensed in exchange for capital (money). As consumers and/or middlemen for information products, libraries will have to implement authorization/authentication as well as access control schemes to ensure we are not in violation of licence agreements, spending too much of our capital, or distributing misinformation.

Creating authentication and authorization schemes will not be easy. First, the creation of digital authentication and authorization schemes is, for the most part, beyond the computer expertise of libraries. These schemes are essentially large database applications. Second, the data representing individuals being authenticated and authorized will most likely be maintained by some organization other than the library (registrar, personnel office, post office, comptroller, etc.). Therefore, the implementation of any authentication and authorization scheme will have to be co-ordinated with people outside the library. The implementation of these schemes may not be technically difficult, but they will be difficult in terms of values.

In general, the difficult part will come when we librarians have to come to terms with our values. Can we translate our traditional values and modify and update them for a more economic, less idealistic, computerized environment? Of course we can. Change happens. The important thing is not so much that things changed. What is important is to understand and feel comfortable with change. Change is expected and acceptable.

On the other hand, access control is a rather new concept in librarianship, especially considering how mutable digital information is. Since copies of digital items are so easily made and indistinguishable from the originals, access control will provide the means for delivering the information we purport to deliver. I have heard it said that it is worse to give out bad information than it is to give out no information at all. I believe this to be true, and it represents a traditional value we need to keep.

Work for implementing digital authentication and authorization schemes. If you do, then you can continue to provide the information services you have in the past as well as into the future.

Notes

  1. Index Morganagus is an automated, electronic index of library-related electronic serials created and maintained by myself and located at http://sunsite.berkeley.edu/%7Eemorgan/morganagus/
  2. Andy Powell and Mark Gillet. "Controlling Access in the Electronic Library", Ariadne. Issue 7 (January 1997) http://www.ariadne.ac.uk/issue7/access-control/
  3. Henry M. Gladney. "Safeguarding Digital Library Contents and Users", D-Lib Magazine. (June 1997) http://www.dlib.org/dlib/june97/ibm/06gladney.html

Creator: Eric Lease Morgan <eric_morgan@infomotions.com>
Source: This is a pre-edited edited copy for Eric Lease Morgan, "Access Control in Libraries" Computers In Libraries. 18(3):38-40, March 1998.
Date created: 1998-04-01
Date updated: 2004-11-11
Subject(s): access control;
URL: http://infomotions.com/musings/access-control/