<p><b>Go To Hellman</b>: He's baaaaaack. (Eric; feed updated 2024-03-14)</p><p><b>The Revenge of the Cataloguers</b> (posted 2023-12-14)</p><p>Over the past 15 years or so, libraries around the world have de-emphasized cataloguing. While budgetary concerns and technological efficiencies have been factors in the decline of cataloguing, the emergence of full text search and relevance ranking as practiced by Google and others has proved to be more popular for the vast majority of users. On the open internet, subject classifications have proved to be useless in an environment rife with keyword spam and other search engine optimization techniques. </p><p>In the past year, the emergence of artificial intelligence (AI) with large language models with surprising abilities to summarize and classify texts has people speculating that AI will put most cataloguers out of work in the not-so-distant future.</p><p>I think that's <i>not even wrong</i>. But <a href="https://www.libraryjournal.com/story/marc-must-die">Roy Tennant</a> will turn out to be <i>almost</i> right. <a href="https://www.loc.gov/marc/">MARC</a>, the premier tool of cataloguers around the world, will live forever... as a million weights in a generative pre-trained transformer. Let me explain...</p><p>The success or failure of modern AI depends on the construction of large statistical models with billions or even trillions of variables. These models are built from training data. The old adage about computers, "garbage in, garbage out", is truer than ever. The models are really good at imitating the training data; so good that they can surprise the models' architects! 
Thus the growing need for good training data, and the increasing value of rich data sources.</p><p>Filings in recent lawsuits confirm the value of this training data. <a href="https://www.gettyimages.com/">Getty Images</a> is <a href="https://www.bakerlaw.com/getty-images-v-stability-ai/">suing</a> <a href="https://stability.ai/">Stability AI</a> for the use of Getty Images' material in AI training sets. But it's not just for the use of the images, which are copyrighted, but also for the use of trademarks and the detailed descriptions that accompany the data. Read paragraph 57 of the <a href="https://storage.courtlistener.com/recap/gov.uscourts.ded.81407/gov.uscourts.ded.81407.13.0.pdf">complaint</a>:</p><p></p><blockquote><p>Getty Images’ websites include both the images and corresponding detailed titles and captions and other metadata. Upon information and belief, the pairings of detailed text and images has been critical to successfully training the Stable Diffusion model to deliver relevant output in response to text prompts. If, for example, Stability AI ingested an image of a beach that was labeled “forest” and used that image-text pairing to train the model, the model would learn inaccurate information and be far less effective at generating desirable outputs in response to text prompts by Stability AI’s customers. Furthermore, in training the Stable Diffusion model, Stability AI has benefitted from Getty Images’ image-text pairs that are not only accurate, but detailed. For example, if Stability AI ingested a picture of Lake Oroville in California during a severe drought with a corresponding caption limited to just the word “lake,” it would learn that the image is of a lake, but not which lake or that the photograph was taken during a severe drought. 
If a Stable Diffusion user then entered a prompt for “California’s Lake Oroville during a severe drought” the output image might still be one of a lake, but it would be much less likely to be an image of Lake Oroville during a severe drought because the synthesis engine would not have the same level of control that allows it to deliver detailed and specific images in response to text prompts.</p></blockquote><p>If you're reading this blog, you're probably thinking to yourself "THAT'S METADATA!"</p><p>Let's not forget the trademark part of the complaint:</p><p><br /></p><p></p><blockquote>In many cases, and as discussed further below, the output delivered by Stability AI includes a modified version of a Getty Images watermark, underscoring the clear link between the copyrighted images that Stability AI copied without permission and the output its model delivers. In the following example, the image on the left is another original, watermarked image copied by Stability AI and used to train its model and the watermarked image on the right is output delivered using the model:</blockquote><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj_wjc_Ygthv6-STJTd7xJqPwzybdLTJlNBJcrKEU0C6eYbq8xCYFktBtYw-FRhRQ6qyXnyXwJZ4BkN_r26R3w86EUR0bKcp98eeSTWDxfALYAOAOjaRj-PyrHR1pLacdPR83u2bJH5xzWGgBW-ysyKDTk6g6FJpfuuy_ppwRsxJ1CSjUv8P9_7uTWRu_Q/s1388/gettyfootball.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="832" data-original-width="1388" height="192" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj_wjc_Ygthv6-STJTd7xJqPwzybdLTJlNBJcrKEU0C6eYbq8xCYFktBtYw-FRhRQ6qyXnyXwJZ4BkN_r26R3w86EUR0bKcp98eeSTWDxfALYAOAOjaRj-PyrHR1pLacdPR83u2bJH5xzWGgBW-ysyKDTk6g6FJpfuuy_ppwRsxJ1CSjUv8P9_7uTWRu_Q/s320/gettyfootball.jpg" width="320" /></a></div><br /><p>If you're reading this blog, you're probably thinking to yourself "THAT'S PROVENANCE!"</p><p>So clearly, 
the kinds of data that libraries and archives have been producing for many years will still have value, but we need to start thinking about how the practice of cataloguing and similar activities will need to change in response to the new technologies. Existing library data will get repurposed as training data to create efficiencies in library workflows. Organizations with large, well-managed will extract windfalls, deserved or not.</p><p>If the utility of metadata work is shifting from feeding databases to training AI models, how does this affect the product of that work? Here's how I see it:</p><div class="separator" style="clear: both; float: right; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjHVDg9UYwgTyRL3d_cGuCx1_BeGo7FJ3UC17dSGx1IInxnQFhDhmgCflnoG8qcVhyS9IV7bZp-ie-gqS0WCf8H2H0IxFaNOqwiQy4ltze3wzTb-68opbRVqYJ6uWZQNQzhgwEWw7SAR1LXxmuGEBsdG4oNt8lOmISrsgdowRkMwJc87OH5hyPfQE8SJqU/s1486/footballmarc.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1486" data-original-width="1159" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjHVDg9UYwgTyRL3d_cGuCx1_BeGo7FJ3UC17dSGx1IInxnQFhDhmgCflnoG8qcVhyS9IV7bZp-ie-gqS0WCf8H2H0IxFaNOqwiQy4ltze3wzTb-68opbRVqYJ6uWZQNQzhgwEWw7SAR1LXxmuGEBsdG4oNt8lOmISrsgdowRkMwJc87OH5hyPfQE8SJqU/s320/footballmarc.png" width="250" /></a></div><br /><p></p><p></p><ul style="text-align: left;"><li><b>Tighter coupling of metadata and content.</b> Today's discovery systems are all about decoupling data from content - we talk about creating metadata surrogates for discovery of content. Surrogates are <i>useless</i> for AI training; a description of a cat is useless for training without an accompanying picture of the cat. This means that the existing decoupling of metadata work from content production is doomed. 
You might think that copyright considerations will drive metadata production into the hands of existing content producers, but more likely organizations that focus on production of integrated training data will emerge to license content and support the necessary metadata production.</li></ul><ul style="text-align: left;"><li><b>Tighter collaboration of machines and humans.</b> Optical character recognition (OCR) is a good example of highly focused and evolved machine learning that can still be improved by human editors. The practice of database-focused cataloguing will be made more productive as cataloguers become editors of machine generated structured data. (As if they're not already doing that!)</li></ul><p></p><p></p><ul style="text-align: left;"><li><b>Softer categorization.</b> Discovery databases demand hard classifications. Fiction. Science. Textbooks. LC Subject Headings. AIs are much better at nuance, so the training data needs to include a lot more context. You can have a romantic novel of chemists and their textbooks, and an AI will be just fine with that, so long as you have enough description and context for the machine to assign lots of weights to many topic clusters. </li></ul><p></p><p></p><ul style="text-align: left;"><li><b>Emphasis on novelty. </b>New concepts and things appear constantly; an AI will extrapolate unpredictably until it gets on-topic training data. AI-OCR might recognize a new emoji, but it might not.</li></ul><ul style="text-align: left;"><li><b>Emphasis on provenance. </b>Reality is expensive, which is why I think for-profit organizations will have difficulty in the business of providing training data while Wikipedia will continue to succeed because it requires citations. Already the internet is awash in AI produced content that sounds real, but is just automated BS. Training data will get branded.</li></ul><p></p><p>What gets me really excited though, is thinking about how a library of the future will interact with content. 
I expect users will interact with the library using a pre-trained language model, rather than via databases. Content will get added to the model using packages of statistical vectors, compiled by human-expert-assisted content processors. These human experts won't be called "cataloguers" any longer but rather "meaning advisors". Or maybe "biblio-epistemologists". The revenge of the cataloguers will be that because of the great responsibilities and breadth of expertise required, biblio-epistemologists will command salaries well exceeding the managers and programmers who will just take orders from well-trained AIs. Of course there will <b>still</b> be MARC records, generated by a special historical vector package guaranteed to only <i>occasionally</i> hallucinate.</p><p><b>Note:</b> I started thinking about this after hearing <a href="https://vimeo.com/889875840?share=copy">a great talk</a> (starting at about 30:00) by Michelle Wu at the Charleston Conference in November. (Kyle Courtney's talk was good, too).</p><p><b>Let's pretend they're ebooks</b> (posted 2023-08-25, updated 2023-09-11)</p>In days of yore, back when people were blogging, <a href="https://go-to-hellman.blogspot.com/2011/02/harpercollins-and-suspension-of-ebook.html">I described the way that libraries were offering ebooks</a> as being a "Pretend It's Print" model. At the time, I felt that this model was designed to sustain and perpetuate the model that libraries and publishers had been using since prehistoric times, and that it ignored most of the possibilities inherent in the ebook. Ebooks could liberate the book from the shackles of their physical existences!<div>
<br />I was right, and I was wrong. The book publishing world seized on digital technology to put even heavier shackles on their books. In turn, technology companies such as Amazon locked down innovation in the ebook world so that libraries could no longer be equal contributors to the enterprise of distributing books, all the while pretending to their patrons that the ebooks they licensed were just like the print books sitting on their shelves.</div><div>
<br />Somehow libraries and publishers have survived. Maybe they've even thrived with the "pretend it's print" model for ebooks. There are plenty of economic problems, but whenever I talk to people about ebooks, the conversation is always some variation of "I love reading ebooks through my library". Most library users are perfectly happy pretending that their digital ebooks are just like the printed books.</div><div>
<div class="separator" style="clear: both;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgQYCc8X42uQsFK7LwFC_6JRc6jXGWOC6yRaqTTCuWpZsouNRWEzq0_wilXEdeIcyxCW_9xh-NGTfDGJI-Zv73NyvPxeuZVZwIDzOh83qaTtW-bd5lTLWV6L7szzR_G89mu_0aYXniW8G7kO1ythAVcCPpNUMn5Lg7tstTqHoB3cNueBLGQ-0QUlZa9pv0/s512/robot%20ipad.jpeg" style="clear: left; display: block; float: left; padding: 1em; text-align: center;"><img alt="robot writing on an ipad" border="0" data-original-height="512" data-original-width="512" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgQYCc8X42uQsFK7LwFC_6JRc6jXGWOC6yRaqTTCuWpZsouNRWEzq0_wilXEdeIcyxCW_9xh-NGTfDGJI-Zv73NyvPxeuZVZwIDzOh83qaTtW-bd5lTLWV6L7szzR_G89mu_0aYXniW8G7kO1ythAVcCPpNUMn5Lg7tstTqHoB3cNueBLGQ-0QUlZa9pv0/s320/robot%20ipad.jpeg" width="320" /></a></div>
A decade later, we need to change our perspective. It's time we seriously started pretending that printed books <i>are just like ebooks</i>, not just the other way around. The library world has been doing something called "<a href="https://controlleddigitallending.org/">Controlled Digital Lending</a>" (CDL), which flips the "pretend it's print" model and pretends that print is just like digital. The basic idea behind controlled digital lending is that owning a print book should allow you to read it any way you want, even if that involves creating a digital substitute for it. A library that owns a print book ought to be able to lend it, as long as it's lent to only one person at a time. It's as if books were printed and sold in order to spread ideas and information!</div><div>
<br />Of course radical ideas such as spreading information have to be stopped. And so we have the <a href="https://en.wikipedia.org/wiki/Hachette_v._Internet_Archive">Hachette v. Internet Archive</a> lawsuit and its assorted fallout. I'm not a lawyer, so I won't say much about the legal validity of the arguments on either side. I'm an ebook technologist, so I will explain to you that the whole lawsuit was about whether the other side was sufficiently serious about pretending that print books are just like ebooks and that ebooks are just like print books. Also that the other side doesn't understand how print books are completely different things than ebooks. Those lawyers really take to heart the White Queen's recommendation to believe <a href="https://gutenberg.org/cache/epub/12/pg12-images.html#link2HCH0005">6 impossible things before breakfast</a>.</div><div>
<br />The magic of technology is that it can make our pretendings into something real. So let's think a bit about how we can make the pretense of print-ebook equivalency more real, and if the resulting bargain makes any sense.</div><div>
<br />Here are some ways that we could make these ebooks, derived from printed books, more like print books:
<ol>
<li>Speed. It takes me an hour or so to get a print book from a library. Should I be able to get the digital substitute in a minute? Should I be able to read a chapter and then "return" it so that someone else can use it the next second? CDL already puts some limits on this, but maybe there could be a standard that makes the digital surrogate more like the real thing?<br /><br /></li>
<li>Geography. Printed books need to be transported to where the reader is. Once digitized they could go anywhere! Maybe something like a shipping fee could be attached to a loan or other transfer. Maybe part of the fee could accrue to creators? Academic libraries have long done interlibrary loan of journal articles by copying and mailing the article, so why not do something equivalent for books?<br /><br /></li></ol>
These two attributes matter a lot in defining commercial markets for books and ebooks, and will become increasingly important as distribution technologies scale up and improve. Although publishers today make most of their money on the most popular books, book sales and usage of books in libraries <a href="https://go-to-hellman.blogspot.com/2011/03/statistician-cant-distinguish-library.html">have very long tails</a>. There are millions of books for which global demand could be met by aggressive CDL of just a few copies. The CDL system instituted by Internet Archive also has a countervailing effect - the world-wide availability combined with so-so EPUB quality and usability probably results in stimulation of demand for print copies. This effect is likely to diminish as technologists like me smooth out the DRM speedbumps in CDL and begin to apply machine learning to EPUB generation.</div><div>
<br />It's worth noting that the "long tail" in book publishing also applies to authors and publishers. It's likely that the Internet Archive's CDL service has a larger market effect (whether positive or negative) on these market participants.</div><div>
<br />Here are some ways that we shouldn't make ebooks more like print books:
<ol><li>
Search. Ebooks make search much easier than in print books. Maybe search should be disabled in CDL ebooks? Or maybe, we could enable search in print books. Google Books already sort of does this, if you have the right edition, but the process of making an ebook from a print book should give you an easy way to enable search in the print!<br /><br />
</li><li>Accessibility. Many reading-disabled users rely on ebooks for access to literature, science and culture. Older adults such as myself often find that flowable text with adjustable font size is easier on our eyes. In addition to international treaties that treat accessible text as an exception to copyright, most authors and publishers don't want to be monsters.<br /><br />
</li><li>Smell. Let's not go there. <br /><br />
</li><li>Privacy. The intellectual property world seems to think that copyright gives them the right to monitor and data-mine the behavior of readers on digital platforms. In some cases, copyright extremists <a href="https://en.wikipedia.org/wiki/Sony_BMG_copy_protection_rootkit_scandal">have required root access to our devices</a> so they can sniff out infringing files or behavior. (While they're at it, they might as well mine some bitcoin!) It is an outrage to think anyone who makes ebooks from print books would wire them with surveillance tools; the strong privacy policies of Internet Archive should be codified for CDL.<br /><br />
</li><li> Preservation. Publishers do a terrible job of preserving the lion's share of the printed books they publish, and society has always relied on libraries for this essential service. In this digital age, any grand bargain on copyrights has to provide libraries with the rights and incentives needed to do digital preservation of both printed and digital books. <br /><br />
</li></ol>
The bottom line is that if we're going to continue to pretend that intellectual property is a real thing, we need to start pretending that printed books are like ebooks, <i>and</i> vice versa. A grand bargain that benefits us all can eventually make these illusions real.</div><div><h4 style="text-align: left;">Notes: </h4></div><div><ol style="text-align: left;"><li><b><i>Copyability. </i></b>CDL books, like publisher-created ebooks, rely on device-enforced restrictions on duplication (DRM). Printed books rely on the expense of copying machines and paper to limit reproduction. In both cases, social norms and legal strictures discourage unauthorized reproduction. Building those social norms is what creating a grand bargain is all about.</li><li> <i><b>Simultaneous use. </b></i>Allowing simultaneous use of library ebooks during the pandemic is what really got the publishers mad at Internet Archive. A lot of people went mad during the lockdown, to be honest, and we're still recovering. </li><li> <i><b>Comments.</b></i> I encourage comment on the <a href="https://tilde.zone/@gluejar">Fediverse</a> or on <a href="https://bsky.app/profile/gluejar.com">Bluesky</a>. I've turned off commenting here.</li></ol></div><p><b>Crowdfunding Lessons from the Spice DAO</b> (posted 2022-02-12)</p><p>What if we get a huge bunch of people together and buy something that lets us do fun things with a book that we all love, while making it accessible as never before? Great idea, isn't it?</p><p>If that sounds familiar, maybe you've heard of <a href="https://Unglue.it">Unglue.it</a>, a web site we launched 10 years ago? We asked people what book they wished was free to everyone and the number one answer was Douglas Adams' <a href="https://unglue.it/work/5255/">Hitchhiker's Guide to the Galaxy</a>. 
We talked to the literary agent for the Adams estate, and long story short, the rights entanglements made that impossible for any amount of money. We had a success with <a href="https://unglue.it/work/81835/">a seminal Anthropology book</a>, but the intersection between books people were excited about and books that authors were willing to license openly was small. Probably you haven't heard of the site, but while it has focused on building a catalog of open-access books (<a href="https://blog.unglue.it/2022/01/05/100000-open-access-ebooks/">now over 100,000 titles</a>!) we still crowd fund a book here and there, most recently an academic monograph.</p><p></p><div class="separator" style="clear: both; text-align: center;"><span style="margin-left: 1em; margin-right: 1em;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEg5_jLBCthAMmlEC5K9Kj_mk8K0ZK3Ptpt0psOQ_C4elQD1bZUiorvXlrF7UzYkofvZBo7s84rTkh6MNAODBn2-7uvQdmkfFfhdxhDaWvUsfgP1fls0w5OEEeQDCPplO9zKCwN8uWDg5RR44U7B5vS4GKKM5LHaTb7KY9WvCHFmTftTT39Mnmp7PpKcdg=s1100" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1100" data-original-width="940" height="320" src="https://blogger.googleusercontent.com/img/a/AVvXsEg5_jLBCthAMmlEC5K9Kj_mk8K0ZK3Ptpt0psOQ_C4elQD1bZUiorvXlrF7UzYkofvZBo7s84rTkh6MNAODBn2-7uvQdmkfFfhdxhDaWvUsfgP1fls0w5OEEeQDCPplO9zKCwN8uWDg5RR44U7B5vS4GKKM5LHaTb7KY9WvCHFmTftTT39Mnmp7PpKcdg=s320" style="float: right;" width="273" /></a></span></div>Probably you HAVE heard about <a href="https://web.archive.org/web/20220119101517/https://dune.foundation/">Spice DAO,</a> a "Distributed Autonomous Organization" that sprinkled some magic blockchain dust on <a href="https://www.christies.com/lot/lot-6345488">an auction for a copy of Alejandro Jodorowsky's movie treatment</a> of Frank Herbert's novel.<p></p><p>Web3 enthusiasts came through for Spice DAO, "crowdraising" enough to win the auction for €2.66M, though Christie's estimate for the item was only 
€25-35,000.</p><p>Spice DAO vows that:</p><blockquote style="border: none; margin: 0px 0px 0px 40px; padding: 0px;"><p style="text-align: left;">Instead of letting it remain hidden away in private collections, Spice DAO crowdraised funds ... to collectively explore options to digitally preserve the manuscript, make it accessible to the public for the very first time, and develop creative projects inspired by the vision Jodorowsky set forth.</p></blockquote><p>Predictably, the success of Spice DAO led to widespread ridicule, because:</p><p></p><ul style="text-align: left;"><li>The price paid was 100X the estimate</li><li>Nothing about the item purchased gave them any rights to "make it accessible" or "develop creative projects" it inspired.</li><li>Images of another copy were already freely available on the internet. But no more. Ironically, the publicity around Spice DAO seems to have knocked the images off of the internet!</li><li>Even the DAO's website https://dune.foundation/ is no longer online, most likely because of trademark infringement. (archived version linked above.)</li></ul><p></p><p>One crypto lesson: a DAO constructed this way may get ripped off in an auction. Even if the seller was not using shills to see inside the DAO and bid up the price, the DAO was vulnerable to crypto-pranksters (or arbitrageurs?) who knew exactly what the DAO was forced to bid by its "smart" contract to avoid dissolution.</p><p>Despite all that, the 2.1 Billion "Spice" tokens given to crowdraise participants are still worth over 800,000 "dollars", <a href="https://coinmarketcap.com/currencies/spice-dao/">according to Coinmarket</a>, so maybe the product here is a convincing story for unregistered securities that apart from representing something tangible, can be used for tax evasion and money laundering. 
And the team seems to have had a crash course in copyright law:</p><blockquote style="border: none; margin: 0px 0px 0px 40px; padding: 0px;"><p style="text-align: left;">After two months of outreach, conversations with former business partners and consultations with legal counsel we have not been able to reach an agreement with any of the rights holders involved in the creation of the contents of the book of collected storyboards of Jodorowsky’s Dune. (<a href="https://medium.com/@spicedao/roadmap-timeline-ae319c92505d">medium</a>)</p></blockquote><p>Spice DAO, like most successful crowd-funding projects, had a good story, and clearly that's worth a lot. There's still a big difference between a good story and an honest, well informed story. Crowdfunding services such as Unglue.it are limited by all the facts they have to deal with. But magic crypto dust has a certain reality. The crowd-raise generation of tokens that can be bought and sold in free markets allows participants to dream that their tokens will increase in value, and they very well could. In the real world, Spice DAO spent the equivalent of $300,000 to create the liquidity pool needed to distribute the SPICE tokens. Which makes credit card fees seem like a bargain! But dreams are priceless. </p><p>At least with "conventional" crowd funding, you know there's some accountability if you're investing in a nightmare!</p><p><b>Top 25 foods at a Traditional Hellman Christmas.</b> (posted 2021-12-22)</p><p>Have only made 7 of the 25 so far this year. 
</p><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: right; margin-left: 1em; text-align: right;"><tbody><tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEj9-JwHFquWa6ozyQXTDBlqIO9PK4OEw_ijKkOTEVWWdBuc6adetx8sX7X15v0Jj3IktMQmANDfMpttd-vug8qCEYeYZT2iJYtEpsB4Top4e-7OnMFD1_WVOOFcM-ltO8NgvY160U3q3xbULnY6aapK89i2EJrWBi6VMIOkRiznsPUbwOnKIozJTNyR=s4032" style="clear: right; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" data-original-height="3024" data-original-width="4032" height="240" src="https://blogger.googleusercontent.com/img/a/AVvXsEj9-JwHFquWa6ozyQXTDBlqIO9PK4OEw_ijKkOTEVWWdBuc6adetx8sX7X15v0Jj3IktMQmANDfMpttd-vug8qCEYeYZT2iJYtEpsB4Top4e-7OnMFD1_WVOOFcM-ltO8NgvY160U3q3xbULnY6aapK89i2EJrWBi6VMIOkRiznsPUbwOnKIozJTNyR=s320" width="320" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;">Bulla, 2021</td></tr></tbody></table><br /><p></p><p></p><ol style="text-align: left;"><li>Julskinka (Christmas Ham). It doesn't count unless you cure it yourself. It once came out blue.</li><li>Köttbullar (Meatballs). Still working to perfect the Impossible™ version.</li><li>Limpa (Christmas rye Bread). You absolutely must have this with lever pastej, but its also great with just butter.</li><li>Sil (Herring). Must have Akvavit to kill the taste. A proper smörgåsbord should have two kinds at least, but we usually made do with one.</li><li>Akvavit. Must have Herring to kill the taste.</li><li>Boiled Potatoes. Great with Sil and Akvavit. Alleged to go great on knäckebröd with butter and Kalvslyta.</li><li>Kalvsylta (Jellied Veal). It's surprisingly easy to make. Keeps at least a year in the freezer.</li><li>Lever Pastej (Liver Paté). Also surprisingly easy to make, if you have a grinder.</li><li>Korv (Sausage). Two kinds in some years.</li><li>Spare Ribs. More than once these were forgotten in the oven.</li><li>Dopp i gryta (Dip in the pot). 
You dip some knäckebröd into boiling ham broth, then slather with butter. Matsos will work in a pinch.</li><li>Ost (cheese). Västerbottens Ost, Bond Ost, Herrgardsost, Havarti and Swiss are all good.</li><li>Rödkålsalat (red cabbage salad).</li><li>Rödbetsalat (red beet salad).</li><li>Inlagd gurka (picked cucumber).</li><li>Jansson's frestelse (Jansson's temptation). Creamed potatoes, anchovies and onions. Gonna try fermented tofu instead of anchovies this year.</li><li>Shrimp omelet.</li><li>Rotmoss (Mashed rutabagas). This used to be stuff that people in Sweden ate every day *other* than Christmas, because they could afford it. Now we never have it except at Christmas, because we can afford it.</li><li>Lingonsylt (lingonberry sauce).</li><li>Öl (beer). But never Swedish beer. Have dubbed this year's batch "Cipher Ale".</li><li>Glögg (spiced wine). Dad made it with 1 part vodka to one part wine. </li><li>Coffee.</li><li>Pepparkakar (Ginger Cookies). You can make a wish on them- if the cookie breaks into 3 pieces you get your wish. If some other number, you only get your wish if you wished for pepparkakor</li><li>Bulla (Cardamon cinnamon coffee b<br />read). Comes out differently for every baker. There's also the saffron and almond paste variety made for Dec. 13 and sometimes saved for Christmas.</li><li>Sand formar (Sand cookies). A ground almond cookie shell that you put vanilla pudding and a mandarin orange inside.</li><li>Jam cookies. </li><li>Many other cookies. Log cookies. Broomstick cookies. Chocolate chip cookies. Macaroons. Knäck. Our seasonal output peaked at 10 dozen dozen. </li><li>Donuts. With the next door neighbors.</li><li>Lutfisk. Not a figment of Garrison Kiellor's imagination, but only Dad liked it, with cream sauce, peas and allspice. 
</li></ol><p></p><p>I know that's more than 25, but did I mention that Dad made the glögg with one part vodka to one part wine?</p><div><br /></div>Erichttp://www.blogger.com/profile/04483241450401134977noreply@blogger.com0tag:blogger.com,1999:blog-4990922102626688253.post-31160478141682267782021-07-04T13:40:00.004-04:002021-07-04T13:41:54.890-04:00 The Ebook Turns 50<p>On July 4, 1971, Michael Hart made the text of the Declaration of Independence available on arpanet (which is now the Internet), using the gopher protocol (look it up). Although books in digital form certainly existed before that, many of us regard the beginning of <a href="https://gutenberg.org/">Project Gutenberg</a> as the birth of the ebook. There were computer-readable books on magnetic disks, punch cards and the like, but the revolutionary element of Project Gutenberg was the distribution method. Printed books, after all, are a digital media, it just that the bits are embodied by the presence or absence of ink rather than electrons on a transistor gate. Sending the bits over a wire or a fiber is what puts the 'e' in ebook.</p><p>The birth of the ebook was a political event as much as a technical achievement. The choice of the "Declaration of Independence of the United States" as <a href="https://gutenberg.org/ebooks/1">etext #1</a> couldn't have been solely an expression of patriotic fervor. Rather, I think it was a manifestation of the radical belief that everyone should have access to the printed word, without having to pay for the privilege. (Yes, libraries are radical in this way, too!).</p><p>As Thomas Jefferson put it:</p><p></p><blockquote><p>... 
it becomes necessary for one people to dissolve the political bands which have connected them with another, and to assume, among the Powers of the earth, the separate and equal station to which the Laws of Nature and of Nature's God entitle them.</p><p></p></blockquote><p>In the context of 1971, the "bands" that needed dissolving were expensive services such as Dialog. The idea that users had to pay Dialog per word to read the Declaration mush have been galling to Hart. (Let's overlook the fact that he and other denizens of the 1971 arpanet got their access for "free" because someone else was paying.) Books are things in their own right; stripping ebooks of their "bands" to a single device or service is what put the "book" into ebook.</p><p>Although Project Gutenberg is now delivering about 50 million ebooks a year, about 2% of global ebook unit sales, until at least 2009 it delivered the majority of the world's ebooks. Today, that position has been taken by Amazon's Kindle. Just as the United States can't ignore the ideals that led to its founding, the stakeholders of the ebook ecosystem- authors, publishers, distributors, libraries, and readers, all of us need to remember that the ebook was born out of a desire for freedom.</p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg_D9TGg0847aa6DXZHqquIpgN862dL1981XQkRiUURZuliRIpkUY0c5G0IJkCieFf5D3aGimyB70ClbSx_JSnATIAZtavewAVJnj8VXz5G6Gsy3P7pjj4m0AQJlOEz9LrJQtQlH6VZR-LZ/s948/dec1th.jpeg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="948" data-original-width="619" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg_D9TGg0847aa6DXZHqquIpgN862dL1981XQkRiUURZuliRIpkUY0c5G0IJkCieFf5D3aGimyB70ClbSx_JSnATIAZtavewAVJnj8VXz5G6Gsy3P7pjj4m0AQJlOEz9LrJQtQlH6VZR-LZ/w418-h640/dec1th.jpeg" width="418" /></a></div><p><br /></p><div><i>Note: Though I've been helping Project Gutenberg 
modernize its technology, I don't speak for them in any way, though I am certainly in awe of what they've achieved! If you'd like to support my work advancing freedom for ebooks, consider <a href="https://unglue.it/about/funds/">a donation to the Free Ebook Foundation</a>.</i></div>Erichttp://www.blogger.com/profile/14172740163003223132noreply@blogger.com1tag:blogger.com,1999:blog-4990922102626688253.post-18922305876812211822021-02-22T21:49:00.003-05:002021-02-22T21:49:17.996-05:00 Open Access for Backlist Books, Part II: The All-Stars<p>Libraries know that a big fraction of their book collections never circulate, even once. The flip side of this fact is that a small fraction of a library's collection accounts for most of the circulation. This is often referred to as <a href="https://en.wikipedia.org/wiki/Zipf%27s_law">Zipf's law</a>; as a physicist I prefer to think of it as another <a href="https://go-to-hellman.blogspot.com/2011/03/statistician-cant-distinguish-library.html">manifestation of log-normal statistics</a> resulting from a preferential attachment mechanism for reading. (English translation: "word-of-mouth".)</p><p>In my post about <a href="https://go-to-hellman.blogspot.com/2021/02/creating-value-with-open-access-books.html">the value of Open Access for books</a>, I suggested that usage statistics (circulation, downloads, etc.) are a useful proxy for the value that books generate for their readers. The logical conclusion is that the largest amount of value that can be generated from opening of the backlist comes from the books that are most used, the "all-stars" of the library, not the discount rack or the discards. 
If libraries are to provide funding for Open Access backlist books, shouldn't they focus their resources on the books that create the most value?</p><p>The question of course, is how the library community would ever convince publishers, who have monopolies on these books as a consequence of international copyright laws, to convert these books to Open Access. Although some sort of statutory licensing or fair-use carve-outs could eventually do the trick, I believe that Open Access for a significant number of "backlist All-Stars" can be achieved <i>today</i> by pushing <i>ALL</i> the buttons available to supporters of Open Access. Here's where Open Access can learn from the game (and business) of baseball.</p><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto;"><tbody><tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhyoqpU1KoKh61OubllQrFeEATcOiIURtHfX0eCC7kQJkdGWxadmsMsHTFIkhfsZJgFUK7UPtKLIMLpklZOuTfgeFH4Nm_vRuqCZHLIryoOvBstuAmC6u2AF_v6l9DQKxxZ-JF-olMqTAQ/s2048/commonwealth_p5547w56j_accessFull.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="1274" data-original-width="2048" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhyoqpU1KoKh61OubllQrFeEATcOiIURtHfX0eCC7kQJkdGWxadmsMsHTFIkhfsZJgFUK7UPtKLIMLpklZOuTfgeFH4Nm_vRuqCZHLIryoOvBstuAmC6u2AF_v6l9DQKxxZ-JF-olMqTAQ/s320/commonwealth_p5547w56j_accessFull.jpg" width="320" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;">"Baseball", Henry Sandham, L. Prang & Co. (1861).<br /> <a href="https://ark.digitalcommonwealth.org/ark:/50959/p5547w56j">from Digital Commonwealth</a></td></tr></tbody></table><p><br />Baseball's best player, <a href="https://en.wikipedia.org/wiki/Mike_Trout">Mike Trout</a>, should earn $33.25 million this year, a bit over $205,000 per regular season game. 
If he's chosen for the <a href="https://en.wikipedia.org/wiki/Major_League_Baseball_All-Star_Game">All-Star game</a>, he won't get <i>even a penny</i> extra to play unless he's named MVP, in which case <a href="https://www.spotrac.com/mlb/los-angeles-angels/mike-trout-8553/#:~:text=Mike%20Trout%20signed%20a%2012,annual%20average%20salary%20of%20%2435%2C541%2C667.">he earns a $50,000 bonus</a>. So why would he bother to play for free? It turns out there are lots of reasons. The most important have everything to do with the recognition and honor of being named as an All-Star, and with having respect for his fans. But being an All-Star is not without financial benefits considering endorsement contracts and earning potential outside of baseball. Playing in the All-Star game is an all-around no-brainer for Mike Trout.</p><p><i>Open Access should be an All-Star game for backlist books.</i> We need to create community-based award programs that recognize and reward backlist conversions to OA. If the world's libraries want to spend $50,000 on backlist physics books, for example, isn't it better to spend it on the Mike Trout of physics books than on a team full of discount-rack replacement-level players?</p><p>Competent publishers would line up in droves for major-league all-star backlist OA programs. They know that publicity will drive demand for their print versions (especially if NC licenses are used.) 
They know that awards will boost their prestige, and if they're trying to build Open Access publication programs, prestige and quality are a publisher's most important selling points.</p><p><table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: right;"><tbody><tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiffsUdpMdiu_jC09kGOCjV_0af2xfac0vjlluM5yWgr33zQd2UlMw8XQcPRCpMtL5DFSqJ5tz-5f80C6KcBJC56cM8eA20GWlFmnAW9GaJFzLsd123iReiuoEo2l2JQ9_zAhwQEyTM9Nk/s202/pgraphic1-545.jpg" imageanchor="1" style="clear: right; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" data-original-height="202" data-original-width="200" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiffsUdpMdiu_jC09kGOCjV_0af2xfac0vjlluM5yWgr33zQd2UlMw8XQcPRCpMtL5DFSqJ5tz-5f80C6KcBJC56cM8eA20GWlFmnAW9GaJFzLsd123iReiuoEo2l2JQ9_zAhwQEyTM9Nk/s0/pgraphic1-545.jpg" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;">The Newbery Medal</td></tr></tbody></table><br />Over a hundred backlist books have been converted to open access already this year. Can you name one of them? Probably not, because the publicity value of existing OA conversion programs is negligible. To relicense an All-Star book, you need an all-star publicity program. You've heard of the <a href="http://www.ala.org/alsc/awardsgrants/bookmedia/newberymedal/newberymedal">Newbery Medal</a>, right? You've seen the Newbery medal sticker on children's books, maybe even special sections for them in bookstores. That prize, awarded by the American Library Association every year to honor the most distinguished contributions to American literature for children, is a powerful driver of sales. The winners get feted in a gala banquet and party (at least they did in the before-times). 
That's the sort of publicity we need to create for open access books.</p><p>If you doubt that "All-Star Open Access" could work, don't discount the fact that it's also the right thing to do. Authors of All-Star backlist books want their books to be used, cherished and remembered. Libraries want books that measurably benefit the communities they serve. Foundations and governmental agencies want to make a difference. Even publishers who look only at their bottom lines can structure a rights conversion as a charitable donation to reduce their tax bills.</p><p>And did I mention that there could be Gala Award Celebrations? We need more celebrations, don't you think?</p><p><i>If your community is interested in creating an Open-Access program for backlist books, don't hesitate to <a href="mailto:eric@ebookfoundation.org">contact me at the Free Ebook Foundation!</a></i></p><h3 style="text-align: left;">Notes</h3><p>I've written about the statistics of book usage <a href="https://go-to-hellman.blogspot.com/2011/03/pareto-principle-and-true-cunning-of.html">here</a>, <a href="https://go-to-hellman.blogspot.com/2011/03/statistician-cant-distinguish-library.html">here</a> and <a href="https://go-to-hellman.blogspot.com/2019/04/fudge-and-open-access-ebook-download.html">here</a>.</p><p>This is the third in a series of posts about creating value of Open Access books. 
The first two are:</p><a href="https://go-to-hellman.blogspot.com/2021/02/creating-value-with-open-access-books.html"></a><ul style="text-align: left;"><a href="https://go-to-hellman.blogspot.com/2021/02/creating-value-with-open-access-books.html"></a><li><a href="https://go-to-hellman.blogspot.com/2021/02/creating-value-with-open-access-books.html"></a><a href="https://go-to-hellman.blogspot.com/2021/02/creating-value-with-open-access-books.html">Creating Value with Open Access Books</a></li><li><a href="https://go-to-hellman.blogspot.com/2021/02/open-access-for-backlist-books-part-i.html">Open Access for Backlist Books, Part I: The Slush Pile</a></li></ul>Erichttp://www.blogger.com/profile/04483241450401134977noreply@blogger.com2tag:blogger.com,1999:blog-4990922102626688253.post-32144191152454586912021-02-16T21:32:00.003-05:002021-02-22T22:07:06.893-05:00 Open Access for Backlist Books, Part I: The Slush Pile<p></p><table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: right;"><tbody><tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjK1KBLm8ZlETq2CAZiN8-c57WS3wOcwUfG_-7uJ2fqr097QslPMV1ZdGjyZWj8rKkqwCjY6T568qhfmMj3Zqk0En7ZkcQas4H472ooN5zlBkYs9ZpTJhB-9dAfQ6x07rtQD-RmVoHiUaw/s2048/slushpilekale.jpg" style="clear: right; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" data-original-height="2048" data-original-width="1916" height="281" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjK1KBLm8ZlETq2CAZiN8-c57WS3wOcwUfG_-7uJ2fqr097QslPMV1ZdGjyZWj8rKkqwCjY6T568qhfmMj3Zqk0En7ZkcQas4H472ooN5zlBkYs9ZpTJhB-9dAfQ6x07rtQD-RmVoHiUaw/w262-h281/slushpilekale.jpg" width="262" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;">"Kale emerging from a slush pile" <br />(CC BY, Eric Hellman)</td></tr></tbody></table>Book publishers <i>hate</i> their "slush pile": books submitted for publication unsolicited, rarely with literary merit and 
unlikely to make money for the publisher if accepted. In contrast, book publishers <i>love</i> their backlist; a strong backlist is what allows a book publisher to remain consistently profitable even when most of their newly published books fail to turn a profit. A publisher's backlist typically consists of a large number of "slushy" books that generate negligible income and a few steady "evergreen" earners. Publishers don't talk much about the backlist slush pile, maybe because it reminds them of their inability to predict a book's commercial success.<p></p><p>With the advent of digital books have come new possibilities for generating value from the backlist slush pile. Digital books can be kept "in print" at essentially no cost (printed books need warehouse space) which has allowed publishers to avoid rights reversion in many cases. Some types of books can be bundled in ebook aggregations that can be offered on a subscription basis. This is reminiscent of the way investment bankers created valuable securities by <a href="https://en.wikipedia.org/wiki/The_Big_Short">packaging junk bonds with opaque derivatives</a>.</p><p>Open access is a more broadly beneficial way to generate value from the backlist slush pile. There is a reason that libraries keep large numbers of books on their shelves even when they don't circulate for years. The myriad ways that books can create value don't have to be tied to book sales, as I wrote in <a href="https://go-to-hellman.blogspot.com/2021/02/creating-value-with-open-access-books.html">my previous post</a>.</p><p>Those of us who want to promote Open Access for backlist ebooks have a number of strategies at our disposal. The most basic strategy is to promote the visibility of these books. Libraries can add listings for these ebooks in their catalogs. Aggregators can make these books easier to find.</p><p>Switching backlist books to Open Access licenses can be expensive and difficult. 
While the cost of digitization has dropped dramatically over the past decade, quality control is still a significant conversion expense. Licensing-related expenses are sometimes large. Unlike journals and journal articles, academic books are typically covered by publishing agreements that give authors royalties on sales and licensing, and give authors control over derivative works such as translations. No publisher would consent to OA relicensing without the consent and support of the author. For older books, a publisher may not even have electronic rights (in the US, the <a href="https://en.wikipedia.org/wiki/New_York_Times_Co._v._Tasini">Tasini decision</a> established that electronic rights are separate from print rights), or may need to have a lawyer interpret the language of the original publishing contract. </p><p>While most scholarly publishers obtain worldwide rights to the books they publish, rights for trade books are very often divided among markets. Open-access licenses such as the Creative Commons licenses are not limited to markets, so a license conversion would require the participation of every rights holder worldwide. </p><p>The CC BY license can be problematic for books containing illustrations or figures used by permission from third party rights holders. "All Rights Reserved" illustrations are often included in Open Access Books, but they are carved out of the license by separate rights statements, and to be safe, publishers use the CC BY-ND or CC BY-NC-ND license for the complete book, as the permissions do not cover derivative works. Since the CC BY license allows derivative works, it cannot be used in cases where translation rights have been sold (without also buying out the translation rights). A publisher cannot use a CC BY license for a translated work without also having rights to the original work.</p><p>The bottom line is that converting a backlist book to OA often requires economic motivations quite apart from any lost sales. 
Luckily, there's evidence that opening access can lead to increased sales. <a href="https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3339524">Nagaraj and Reimers</a> found that digitization and exposure through Google Books increased sales of print editions by 35% for books in the Public Domain. In addition, a publisher's commercial position and prestige can be enhanced by the attribution requirement in Creative Commons licenses.</p><p>Additional motivation for OA conversion of the backlist slush pile has been supplied by programs such as those used by <a href="https://knowledgeunlatched.org/">Knowledge Unlatched</a>, where libraries contribute to a fund used for "unlatching" backlist books. (Knowledge Unlatched has programs for front list books as well.) While such programs can in principle be applied for the "evergreen" backlist, the incentives currently in place result in the unlatching of books in the "slush pile" backlist. While value for society is being gained this way, the willingness of publishers to "unlatch" hundreds of these books poses the question of how much library funding for Open Access should be allocated to the discount bin, as opposed to the backlist books most used in libraries. That's the topic of my next post! </p><h4 style="text-align: left;">Notes</h4><p>This is the second in a series of posts about creating value of Open Access books. 
The others are:</p><p><a href="https://go-to-hellman.blogspot.com/2021/02/creating-value-with-open-access-books.html"></a></p><ul style="text-align: left;"><a href="https://go-to-hellman.blogspot.com/2021/02/creating-value-with-open-access-books.html"></a><li><a href="https://go-to-hellman.blogspot.com/2021/02/creating-value-with-open-access-books.html"></a><a href="https://go-to-hellman.blogspot.com/2021/02/creating-value-with-open-access-books.html">Creating Value with Open Access Books</a></li><li><a href="https://go-to-hellman.blogspot.com/2021/02/open-access-for-backlist-books-part-ii.html">Open Access for Backlist Books, Part II: The All-Stars</a></li></ul>Erichttp://www.blogger.com/profile/04483241450401134977noreply@blogger.com0tag:blogger.com,1999:blog-4990922102626688253.post-75833397956230512672021-02-12T12:31:00.005-05:002021-02-22T22:10:23.362-05:00Creating Value with Open Access Books<p>Can a book be more valuable if it's free? How valuable? To whom? How do we unlock this value?</p><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhN46Z3GgQrzJjgeSPPvyLCHZgLEtI09f8eybCiyaFrpWTndtZmkyUkBVCpLBnHD6eZe3HuE2MhslXeI-ttd2l9k9LTjhd32p3ohqGnROzrMyD95vcIwRVTt5fVe85TWKDuBapCLehgyT6e/s2048/clearlock.JPG" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img alt="a lock with ebooks" border="0" data-original-height="2048" data-original-width="1755" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhN46Z3GgQrzJjgeSPPvyLCHZgLEtI09f8eybCiyaFrpWTndtZmkyUkBVCpLBnHD6eZe3HuE2MhslXeI-ttd2l9k9LTjhd32p3ohqGnROzrMyD95vcIwRVTt5fVe85TWKDuBapCLehgyT6e/w274-h320/clearlock.JPG" width="274" /></a></div>I've been wrestling with these questions for over ten years now. And for each of these questions, the answer is... it depends. 
A truism of the bookselling business is that "Every book is different" and the same is true of the book freeing "business".<p></p><p>Recently there's been increased interest in academic communities around Open Access book publishing and in academic book relicensing (adding an Open Access License to an already published book). Both endeavors have been struggling with the central question of how to value an open access book. The uncertainty in OA book valuation has led to many rookie mistakes among OA stakeholders. For example, when we first started <a href="https://unglue.it">Unglue.it</a>, we assumed that reader interest would accelerate the relicensing process for older books whose sales had declined. But the opposite turned out to be true. Evidence of reader interest let rights holders know that these backlist titles were much more valuable than sales would indicate, thus precluding any notion of making them Open Access. Pro tip: if you want to pay a publisher to make a book free, don't publish your list of incredibly valuable books!</p><p>Instead of a strictly transactional approach, it's more useful to consider the myriad ways that academic books create value. Each of these value mechanisms offers buttons that we can push to promote open access, and point to new structures for markets where participants join together to create mutual value.</p><p>First, consider the book's reader. The value created is the reader's increased knowledge, understanding and sometimes, sheer enjoyment. The fact of open access does not itself create the value, but removes some of the barriers which might suppress this value. It's almost impossible to quantify the understanding and enjoyment from books; but "hours spent reading" might be a useful proxy for it.</p><p>Next consider a book's creator. While a small number of creators derive an income stream from their books, most academic authors benefit primarily from the development and dissemination of their ideas. 
In many fields of inquiry, publishing a book is the academic's path to tenure. Educators (and their students!) similarly benefit. In principle, you might assess a textbook's value by measuring student performance.</p><p>The value of a book to a publisher can be more than just direct sales revenue. A widely distributed book can be a marketing tool for a publisher's entire business. In the world of Open Access, we can see new revenue models emerging - publication charges, events, sponsorships, even grants and memberships. </p><p>The value of a book to society as a whole can be enormous. In areas of research, a book might lead to technological advances, healthier living, or a more equitable society. Or a book might create outrage, civil strife, and misinformation. That's another issue entirely!</p><p>Books can be valuable to secondary distributors as well. Both used book resellers and libraries add value to physical books by increasing their usage. This is much harder to accomplish for paywalled ebooks! Since academic libraries are often considered as potential funding sources for Open Access publishing it's worth noting that the value of an open access ebook to a library is entirely indirect. When a library acts as an Open Access funding source, it's acting as a proxy for the community it serves.</p><p>This brings us to communities. The vast majority of books create value for specific communities, not societies as a whole. I believe that community-based funding is the most sustainable path for support of Open Access Books. Community supported OA article publishing has already had plenty of support. Communities organized by discipline have been particularly successful: consider the success that ArXiv has had in promoting Open Access in physics, both at the preprint level and for journals in <a href="https://scoap3.org/">high-energy physics</a>. 
A similar story can be told for biomedicine, <a href="https://pubmed.ncbi.nlm.nih.gov/">Pubmed</a> and <a href="https://www.ncbi.nlm.nih.gov/pmc/">Pubmed Central</a>. A different sort of community success story has been <a href="https://scielo.org/en/">SciELO</a>, which has used Open Access to address challenges faced by scholars in Latin America.</p><p>So far, however, sustainable Open Access has proven to be challenging for scholarly ebooks. My next few posts will discuss the challenges and ways forward for support of ebook relicensing and for OA ebook creation:</p><ul style="background-color: white; color: #131414; font-family: Helvetica, Arial, sans-serif; font-size: 13px;"><li><a href="https://go-to-hellman.blogspot.com/2021/02/open-access-for-backlist-books-part-i.html" style="color: #006699; font-weight: bold; text-decoration-line: none;">Open Access for Backlist Books, Part I: The Slush Pile</a></li><li><a href="https://go-to-hellman.blogspot.com/2021/02/open-access-for-backlist-books-part-ii.html" style="color: #006699; font-weight: bold; text-decoration-line: none;">Open Access for Backlist Books, Part II: The All-Stars</a></li></ul>Erichttp://www.blogger.com/profile/14172740163003223132noreply@blogger.com0tag:blogger.com,1999:blog-4990922102626688253.post-90743989435896568182020-12-29T13:17:00.000-05:002020-12-29T13:17:47.914-05:00 Infra-infrastructure, inter-infrastructure and para-infrastructure<p>No one is against "Investing in Infrastructure". No one wants bridges to collapse, investing is always more popular than spending, and it's even alliterative! 
What's more, since infrastructure is almost invisible by definition, it's politically safe to support investing in infrastructure because no one will see when you don't follow through on your commitment!</p><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto;"><tbody><tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi4HRqLJKxWxOk_5bAXHFDm5-VKjEGxXAPvEoB_8T7vDqxmAEJ_D0RKkDiFkiPszDVhnda4vIaM6K0foL7Dj2EOcpsJxgqj1rvPrkKsreIZ4ZJJWUgh_HT4y8StV6oXirkEayVip3iVh-Q/s826/Il_Ponte_Morandi_dopo_il_crollo%252C_visto_da_Est%252C_dettaglio.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="511" data-original-width="826" height="275" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi4HRqLJKxWxOk_5bAXHFDm5-VKjEGxXAPvEoB_8T7vDqxmAEJ_D0RKkDiFkiPszDVhnda4vIaM6K0foL7Dj2EOcpsJxgqj1rvPrkKsreIZ4ZJJWUgh_HT4y8StV6oXirkEayVip3iVh-Q/w443-h275/Il_Ponte_Morandi_dopo_il_crollo%252C_visto_da_Est%252C_dettaglio.jpg" width="443" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;">Ponte Morandi collapse - <a href="https://commons.wikimedia.org/wiki/File:Il_Ponte_Morandi_dopo_il_crollo,_visto_da_Est,_dettaglio.jpg">Michele Ferraris</a>, CC BY-SA 4.0 via Wikimedia Commons</td></tr></tbody></table><p><a href="https://www.crossref.org/people/geoffrey-bilder/">Geoffrey Bilder</a> gives a talk where he asks us to think of <a href="https://crossref.org">Crossref</a> and similar services as "information infrastructure" akin to "plumbing", where the implication is that since we, as a society, are accustomed to paying plumbers and bridge builders lots of money, we should also pony up for "information infrastructure", which is obvious once you say it.</p><p>What qualifies as infrastructure, anyway? If I invest in a new laptop, is that infrastructure for the Go-to-Hellman blog? 
Blogspot is Google-owned blogging infrastructure for sure. It's certainly not <i>open</i> infrastructure, but it works, and I haven't had to do much maintenance on it. </p><p>There's <i>a lot</i> of infrastructure used to make <a href="http://Unglue.it">Unglue.it</a>, which supports distribution of open-access ebooks. It uses <a href="https://www.djangoproject.com/">Django</a>, which is open-source software originally developed to support newspaper websites. Unglue.it also uses modules that extend Django that were made possible by Django's Open license. It works really well, but I've had to put a fair amount of work into updating my code to keep up with new versions of Django. Ironically, most of this work has been in fixing the extensions that have not updated along with Django.</p><p>I deploy Unglue.it on <a href="https://aws.amazon.com">AWS</a>, which is <i>DEFINITELY</i> infrastructure. I have a love/hate relationship with AWS because it works so well, but every time I need to change something, I have to spend 2 hours with documentation to find the one-line incantation that makes it work. 
But every few months, the cost of using AWS goes down, which I like, but the money goes to Amazon, which is ironic because they <i>really</i> don't care for the free ebooks we distribute.</p><p>Aside from AWS and Django, the infrastructure I use to deliver <a href="https://ebookfoundation.org">Ebook Foundation</a> services includes <a href="https://www.python.org/">Python</a>, <a href="https://www.docker.com/">Docker</a>, <a href="https://www.travis-ci.com/">Travis-CI</a>, <a href="https://github.com">GitHub</a>, <a href="https://git-scm.com/">git</a>, <a href="https://ubuntu.com/">Ubuntu Linux</a>, <a href="https://www.mysql.com/products/community/">MySQL</a>, <a href="https://www.postgresql.org/">Postgres</a>, <a href="https://www.ansible.com/">Ansible</a>, <a href="https://requests.readthedocs.io/en/master/">Requests</a>, <a href="https://www.crummy.com/software/BeautifulSoup/">Beautiful Soup</a>, and many others. The Unglue.it database relies on infrastructure services from <a href="https://doabooks.org">DOAB</a>, <a href="https://oapen.org">OAPEN</a>, <a href="https://librarything.com">LibraryThing</a>, <a href="https://gutenberg.org">Project Gutenberg</a>, <a href="https://openlibrary.org">OpenLibrary</a> and <a href="https://developers.google.com/books">Google Books</a>. My development environment relies heavily on <a href="https://www.barebones.com/products/bbedit/">BBEdit</a> and <a href="https://jupyter.org/">Jupyter</a>. 
We depend on Crossref and <a href="https://archive.org">Internet Archive</a> to resolve some links; we use subject vocabulary from <a href="https://www.loc.gov/">Library of Congress</a> and <a href="https://bisg.org/page/BISACEdition">BISAC</a>.</p><p>You can imagine why I was interested in "<a href="https://investinopen.org/community/jrost-2020-conference/">JROST 2020</a>" which turns out to stand for "Joint Roadmap for Open Science Tools 2020", a meeting organized by a relatively new non-profit, "<a href="https://investinopen.org/">Invest in Open Infrastructure</a>" (IOI). The meeting was open and free, and despite the challenges associated with such a meeting in our difficult times, it managed to present a provocative program along with a compelling vision.</p><p>If you think a bit about how to address the infrastructure needs of open science and open scholarship in general, you come up with at least 3 questions:</p><p></p><ul style="text-align: left;"><li>How do you identify the "leaky pipes" that need fixing so as to avoid systemic collapse?</li><li>How do you bolster healthy infrastructure so that it won't need repair?</li><li>How do you build <i>new</i> infrastructure that will be valuable and thrive?</li></ul><p></p><p>If it were up to me, my first steps would be to:</p><p></p><ol style="text-align: left;"><li>Get people with a stake in open infrastructure to talk to each other. Break them out of their silos and figure out how their solutions can help solve problems in other communities.</li><li>Create a "venture fund" for new needed infrastructure. Work on solving the problems that no one wants to tackle on their own.</li></ol><p></p><p>Invest in Open Infrastructure is already doing this! Kaitlin Thaney, who's been Executive Director of IOI for less than a year, seems to be pressing all the right buttons. 
The JROST 2020 meeting was a great start on #1 and #2 is the initial direction of the "<a href="https://investinopen.org/blog/jrost-rapid-response-fund/">JROST Rapid Response Fund</a>", whose first round of awards was announced at the meeting.</p><p>Among the <a href="https://investinopen.org/blog/jrost-rapid-response-fund-awardees/">first awardees of the JROST Rapid Response Fund</a> announced at JROST2020 was an organization that ties into the infrastructure that I use, <a href="https://2i2c.org/">2i2c</a>. It's a great example of much-needed infrastructure for scientific computing, education, digital humanities and data science. 2i2c aims to create hosted interactive computing environments that run in the cloud and are powered by entirely open-source technology (Jupyter). As I'm a Jupyter user and enthusiast, this makes me happy.</p><p>But while 2i2c is the awardee, it's being built on top of Jupyter. Is Jupyter also infrastructure? It needs investment too, doesn't it? There's a lot of overlap between the Jupyter team and the 2i2c team, so investment in one could be investment in the other. 
In fact, Chris Holdgraf, Executive Director of 2i2c, told me that "we see 2i2c as a way to both increase the impact of Jupyter in the research/education community, and a way to more sustainably drive resources back into the Jupyter community.".</p><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto;"><tbody><tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhO4P60W0TpvlnzEbrD_PXwFlbBf0OuB5_QFEmSkxTZcAXlo-Y5FvEgkap481NjnZcm5pbEd8nAg6EFgs1yO7I6-IsmJ2RakBbHW72k4Ejg1E0nn_vxMKHn10sI3fCtHzwlaqY9t3y16ok/s1898/interdependecies.jpeg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img alt="Open Science Infrastructure Interdependency" border="0" data-original-height="1078" data-original-width="1898" height="259" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhO4P60W0TpvlnzEbrD_PXwFlbBf0OuB5_QFEmSkxTZcAXlo-Y5FvEgkap481NjnZcm5pbEd8nAg6EFgs1yO7I6-IsmJ2RakBbHW72k4Ejg1E0nn_vxMKHn10sI3fCtHzwlaqY9t3y16ok/w455-h259/interdependecies.jpeg" width="455" /></a></td></tr><tr><td class="tr-caption">Open Science Infrastructure Interdependency (from<br /> “Scoping the Open Science Infrastructure Landscape in Europe”, <br /><a href="https://doi.org/10.5281/zenodo.4153809">https://doi.org/10.5281/zenodo.4153809</a>) </td></tr></tbody></table><p><br />Where does Jupyter fit in the infrastructure landscape? It's nowhere to be seen on the neat "interdependency map" presented by SPARC EU at JROST. If 2i2c is an example of investment-worthy infrastructure, maybe the best way to think of Jupyter is "infra-infrastructure" - the open information infrastructure needed to build open information infrastructure. "Trickle-down" investment in this sort of infrastructure may be the best way to support projects like Jupyter so they stay open and are widely used.</p><p>But wait... Jupyter is built on top of Python, right? 
Python needs people investing in it. Is Python infra-infra-infrastructure? And Python <a href="https://en.wikipedia.org/wiki/CPython">is built on top of C</a> (I won't even mention Jython or PyJS), right?? Turtles all the way down. Will 2i2c eventually get buried under other layers of infrastructure, be forgotten and underinvested in, only to be one day excavated and studied by technology archeologists?</p><p>Looking carefully at the interdependency map, I don't see a lot of layers. I see a network with lots of loops. And many of the nodes are connectors themselves. Orcid and CrossRef resemble roads, bridges and plumbing not because they're hidden underneath, but because they're visible and in-between. They exist because the entities they connect cooperate to make the connection robust instead of incidental. They're not <i>infra-infrastructure</i>, they're <i>inter-infrastructure</i>. Trickle-down investment probably wouldn't work for inter-infrastructure. Instead, investments need to come from the communities that benefit so that the communities can decide how to manage access to the inter-infrastructure to maximize the community benefit.</p><p>There's another type of infrastructure that needs investment. I work in ebooks, and a lot of overlapping communities have tackled their own special ebook problems. But the textbook people don't talk to the public domain people don't talk to the monograph people don't talk to the library people. (A <i>slight</i> exaggeration.) There are lots of "almost" solutions that work well for specific tasks. But with the total amount of effort being expended, we could do some really amazing things... if only we were better at collaborating.</p><p>For example, the Jupyter folks have gotten funding from Sloan for the "<a href="https://executablebooks.org/en/latest/index.html">Executable Book Project</a>". This is really cool. Similarly, there's <a href="https://bookdown.org/">Bookdown</a>, which comes out of the R community. 
And there are other efforts to <a href="https://www.w3.org/TR/wpub/">give ebooks the functionality</a> that a website could have. <a href="https://www.gitbook.com/">Gitbook</a> is a commercial open-source effort targeting a similar space; <a href="https://press.rebus.community/">Rebus</a>, a non-profit, is using Pressbooks to gain traction in the textbook space, while MIT Press's <a href="https://www.pubpub.org/">PubPub</a> has similar goals.</p><p>I'll call these overlapping efforts "<i>para-infrastructure</i>." Should investors in open infrastructure target investment in "rolling up" or merging these efforts? When private equity investors have done this to library automation companies the results have not benefited the user communities, so I'd say "NO!" but what's the alternative?</p><p>I've observed that the folks who are doing the best job of just making stuff work rarely have the time or resources to go off to conferences or workshops. Typically, these folks have no incentive to do the work to make their tools work for slightly different problems. That can be time consuming! But it's still easier than taking someone else's work and modifying it to solve your own special problem. I think the best way to invest in open para-infrastructure is to get lots of these folks together and give them the time and incentive to talk and to share solutions (and maybe code). It's hard work, but making the web of open infrastructure stronger and more resilient is what investment in open infrastructure is all about. </p><p>Different types of open infrastructure benefit from different styles of investment; I'm hoping that IOI will build on the directions exhibited by its Rapid Response Fund and invest effectively in infra-infrastructure, inter-infrastructure, and para-infrastructure. </p><h4 style="text-align: left;"> Notes</h4><p>1. Geoff Bilder and Cameron Neylon have a nice discussion of many of the issues in this post: “Bilder G, Lin J, Neylon C (2016) Where are the pipes? 
Building Foundational Infrastructures for Future Services, retrieved [date], <a href="https://draft.blogger.com/u/3/#">http://cameronneylon.net/blog/where-are-the-pipes-building-foundational-infrastructures-for-future-services/</a> ”<br /><br />2. "Trickle-down" has a negative connotation in economics, but that's how you feed a tree, right?</p>Erichttp://www.blogger.com/profile/04483241450401134977noreply@blogger.com0tag:blogger.com,1999:blog-4990922102626688253.post-82908289165651137692020-10-19T21:29:00.002-04:002020-10-19T21:29:43.616-04:00 We should regulate virality<p>It turns out that virality on internet platforms is a social hazard! </p><p>Living in the age of the Covid pandemic, we see around us what happens when we let things grow exponentially. The reason that the novel coronavirus has changed our lives is not that it's often lethal - it's that it found a way to jump from one infected person to several others on average, leading to exponential growth. We are infected with a virus not according to its lethality, but only according to its reproduction rate.</p><p>For years, websites have been built to optimize virality of content. What we see on Facebook or Twitter is not shown to us for its relevance to our lives, its educational value, or even its entertainment value. It is shown to us because it maximizes our "engagement" - our tendency to interact and spread it. The more we interact with a website, the more money it makes, and so a generation of minds has been employed in the pursuit of more engagement. Sometimes it's cat videos that delight us, but more often these days it's content that enrages and divides us.</p><p>Our dissatisfaction with what the internet has become has led to calls to regulate the giants of the internet. 
A lot of the political discourse has focused on "<a href="https://en.wikipedia.org/wiki/Section_230">Section 230</a>", a part of US law that gives interactive platforms such as Facebook a set of rules that result in legal immunity for content posted by users. As might be expected, many of the proposals for reform have sounded attractive, but the details are typically unworkable in the real world, and often would have effects opposite of what is intended. </p><p>I'd like to argue that the only workable approaches to regulating internet platforms should target their virality. Our society has no problem with regulations that force restaurants, food preparation facilities, and even barbershops to prevent the spread of disease, and no one ever complains that the regulations affect "good" bacteria too. These regulations are a component of our society's immune system, and they are necessary for its healthy functioning.</p><p></p><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: right; margin-left: auto; margin-right: auto;"><tbody><tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgzRVVAYNaF_lxXZI5Hd-BHRhZOJ6mq55C5fQU65XOIVB4KrIJovYIkH3Pa6PF9MF16Oop8tDzFK0UTd24uesO9ivAjvMqRiaa0urMDWfquLBcoNmdTzyYSXZ6K007O6JVoaEUbgM-ic5Gh/s2048/nggyu-19.jpg" style="margin-left: auto; margin-right: auto;"><img alt="never going to give you covid" border="0" data-original-height="2025" data-original-width="2048" height="316" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgzRVVAYNaF_lxXZI5Hd-BHRhZOJ6mq55C5fQU65XOIVB4KrIJovYIkH3Pa6PF9MF16Oop8tDzFK0UTd24uesO9ivAjvMqRiaa0urMDWfquLBcoNmdTzyYSXZ6K007O6JVoaEUbgM-ic5Gh/w320-h316/nggyu-19.jpg" width="320" /></a></td></tr></tbody></table><br />You might think that platform virality is too technical to be amenable to regulation, but it's not. 
That's because of the statistical characteristics of exponential growth. My study of free ebook usage has made me aware of the pervasiveness of exponential statistics on the internet. Sometimes labeled the 80-20 rule, the Pareto principle, or log-normal statistics, it's the natural result of processes that grow at a rate proportional to their size. As a result, it's possible to regulate virality of platforms because only a very small amount of content is viral enough to dominate the platform. Regulate that tiny amount of super-viral content, and you create incentive to moderate the virality of platforms. The beauty of doing this is that a huge majority of content is untouched by regulation.<p></p><p>How might this work? Imagine a law that removed a platform's immunity for content that it shows to a million people (or maybe 10 million - I'm not sure what the cutoff should be). This makes sense, too; if a platform promotes illegal content in such a way that a million people see it, the platform shouldn't get immunity just because "algorithms"! It also makes it practical for platforms to curate the content for harmlessness - it won't kill off the cat videos! The Facebooks and Twitters of the world will complain, but they'll be able to add antibodies and T-cells to their platforms, and the platforms will be healthier for it. Smaller sites will be free to innovate, without too much worry, but to get funding they'll need to have plans for virality limits.</p><p>So we really do have a choice; healthy platforms with diverse content, or cesspools of viral content. Doesn't seem like such a hard decision!</p><p></p><ul style="text-align: left;"><li>Techdirt has <a href="https://www.techdirt.com/blog/?tag=section+230">excellent coverage of Section 230</a>. 
</li></ul><p></p>Erichttp://www.blogger.com/profile/14172740163003223132noreply@blogger.com0tag:blogger.com,1999:blog-4990922102626688253.post-61692672279321561382020-09-06T20:46:00.003-04:002020-09-06T20:55:18.841-04:00 Notes on work-from-home teams<p>I've been working from home full-time for over eleven years - at least partly work-from-home for 20 years. I've managed work-from-home teams, and worked with quite a few others on joint projects. So when some colleagues were sharing their work-from-home experiences, I piped up with some thoughts. When I was asked recently to repeat them, I realized it might be useful to make a list for the blog. Old-style.</p><p>SO...</p><p></p><ol style="text-align: left;"><li>In-person time is super-valuable. It builds a foundation for the digital interactions we're all stuck with for a while.</li><li>Engineers in particular are prone to under-communicate, so a manager has to pro-actively push people to communicate more than they would on their own ...</li><li>... and create a safe environment that promotes asking for help.</li><li> Most remote workers need an extra helping of encouragement and positive reinforcement...</li><li>... doubly so for people prone to self-doubt or imposter syndrome.</li><li>Worker depression is the hardest thing for a work-from-home team to manage.</li><li>Trust is the most important attribute for work-from-home teams, and it has to be mutual in any type of relationship.</li></ol><p></p><p>I think most of these are self-explanatory. In the near-term current environment, the first point is not so helpful for teams that haven't banked some in-person time; non-work activities, remote meal-sharing and happy hours are imperfect substitutes for the real thing.</p><p>The point about worker depression is worth emphasizing. It's a real hazard, often without easy mitigations. For me, daily exercise and intentional social interaction are the most effective medicine, but everyone is different. 
A work-from-home team needs time, space, and often support to figure out what works.</p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhjL4TExuaWSJ5_j3tpxSzYB-lQhjsjH5qvMgjW2929yjNeNZUlDi_5ehe8zhvuYJodFi5fPzbZZ2HU60PjeRqhUXKczA0JXXVbaTSbGNpw7IYC9cXVHTUWrIVLgzg08gaSGGhydSnANYc/s2048/wfh.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1159" data-original-width="2048" height="226" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhjL4TExuaWSJ5_j3tpxSzYB-lQhjsjH5qvMgjW2929yjNeNZUlDi_5ehe8zhvuYJodFi5fPzbZZ2HU60PjeRqhUXKczA0JXXVbaTSbGNpw7IYC9cXVHTUWrIVLgzg08gaSGGhydSnANYc/w400-h226/wfh.png" width="400" /></a></div><br /><p><br /></p>Erichttp://www.blogger.com/profile/04483241450401134977noreply@blogger.com0tag:blogger.com,1999:blog-4990922102626688253.post-70481217329014592042019-12-03T14:45:00.000-05:002019-12-05T13:09:21.063-05:00Your Identity, Your LibraryToday, your identity on the Internet is essentially owned by the big email providers and social networks. Google, Yahoo, Facebook, Twitter - chances are you use one of these services to conveniently log into other services as YOU. You don't need to remember a new password for each service, and the service providers don't have to verify your "identity". What you gain in convenience, you lose in privacy, and that's turned out really well, hasn't it?<br />
<br />
The "flow" you use to take advantage of this single sign-in is a "dance" that takes you from website to website and back to the site you're logging into. A similar dance occurs to secure access to resources licensed on your behalf by libraries, institutions, corporations, etc. I wrote a bunch of articles about "RA21" (now rebranded as the vaguely NSFW "<a href="https://seamlessaccess.org/">SeamlessAccess</a>"), an effort spearheaded by STM publishers to improve the user experience of that dance. (It can be complicated and confusing because there are lots of potential dance partners!)<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://upload.wikimedia.org/wikipedia/en/thumb/2/2e/La_danse_(I)_by_Matisse.jpg/640px-La_danse_(I)_by_Matisse.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="424" data-original-width="640" height="212" src="https://upload.wikimedia.org/wikipedia/en/thumb/2/2e/La_danse_(I)_by_Matisse.jpg/640px-La_danse_(I)_by_Matisse.jpg" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="background-color: #f8f9fa; color: #222222; font-family: sans-serif; font-size: 13.3px;">Henri Matisse, </span><i style="background-color: #f8f9fa; color: #222222; font-family: sans-serif; font-size: 13.3px; text-align: start;">La danse</i><span style="background-color: #f8f9fa; color: #222222; font-family: sans-serif; font-size: 13.3px;"> (first version) 1909</span></td></tr>
</tbody></table>
<br />
These dance partners style themselves as "identity providers". That label makes me uncomfortable. Identity can't be something that can be stripped from you on the whim of a megacorporation. Instead, internet identity should be woven from a web of relationships. These can be formed digitally or face-to-face, global or local, business or personal.<br />
<br />
You'd have thunk that the whole identity-on-the-internet thing would have improved in the 13 years since <a href="https://en.wikipedia.org/wiki/OAuth">that login dance</a> was first rolled out. And you'd be almost right, because a new architecture for internet identity is now on the horizon. Made possible by many of the same technologies that are securing the internet and inflating the blockchain bubble, massively distributed and even "<a href="https://medium.com/@AlexPreukschat/self-sovereign-identity-a-guide-to-privacy-for-your-digital-identity-5b9e95677778">self-sovereign identity</a>" are becoming real-ish.<br />
<br />
These technologies will inevitably be applied to the access authorization problem. Access via distributed identity replaces the website-to-website dance with the presentation of some sort of signed credential. A service provider verifies the signature against the signer's public key. It's like showing a passport that can't be forged. A tricky bit is that the credential also needs to be checked against a list of revoked credentials. This would have been cumbersome even ten years ago, but distributed databases are now a mature technology, versions of which underpin the internet itself.<br />
<br />
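The check described above (signature against the issuer's public key, then the revocation list) can be sketched as follows. This is an added example, not code from the post or from any of the projects it mentions; the credential layout, the issuer URL, the choice of Ed25519 and the in-memory revocation map are assumptions, and all sample values are constructed.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Credential is a simplified claim; the layout is assumed, not the W3C data model.
type Credential struct {
	ID        string    `json:"id"`
	Issuer    string    `json:"issuer"`
	Subject   string    `json:"subject"`
	Claim     string    `json:"claim"`
	ExpiresAt time.Time `json:"expiresAt"`
}

// SignedCredential carries the exact bytes the issuer signed, plus the signature.
type SignedCredential struct {
	Payload, Signature []byte
}

var (
	ErrUnknownIssuer = errors.New("issuer is not trusted")
	ErrBadSignature  = errors.New("signature does not verify")
	ErrExpired       = errors.New("credential has expired")
	ErrRevoked       = errors.New("credential has been revoked")
)

// Verifier is the service provider's state: trusted issuer keys and a local revocation list.
type Verifier struct {
	TrustedIssuers map[string]ed25519.PublicKey
	Revoked        map[string]bool
}

// Issue serializes the credential and signs those bytes with the issuer's key.
func Issue(priv ed25519.PrivateKey, c Credential) SignedCredential {
	payload, _ := json.Marshal(c) // cannot fail for this struct
	return SignedCredential{Payload: payload, Signature: ed25519.Sign(priv, payload)}
}

// Verify returns the credential only if every check passes.
func (v *Verifier) Verify(sc SignedCredential, now time.Time) (*Credential, error) {
	var c Credential
	// Parsed only to learn which issuer key applies; nothing is trusted yet.
	if err := json.Unmarshal(sc.Payload, &c); err != nil {
		return nil, err
	}
	pub, ok := v.TrustedIssuers[c.Issuer]
	if !ok {
		return nil, ErrUnknownIssuer
	}
	// Check the signature over the received bytes, not a re-serialized copy.
	if !ed25519.Verify(pub, sc.Payload, sc.Signature) {
		return nil, ErrBadSignature
	}
	if !now.Before(c.ExpiresAt) {
		return nil, ErrExpired
	}
	// A good signature proves the issuer made the claim, not that it still stands.
	if v.Revoked[c.ID] {
		return nil, ErrRevoked
	}
	return &c, nil
}

// RunScenarios verifies constructed credentials (fixed key seeds) and returns each verdict.
func RunScenarios() map[string]error {
	now := time.Date(2024, 1, 1, 12, 0, 0, 0, time.UTC)
	library := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x42}, ed25519.SeedSize))
	stranger := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x07}, ed25519.SeedSize))
	const issuer = "https://library.example"
	v := &Verifier{
		TrustedIssuers: map[string]ed25519.PublicKey{issuer: library.Public().(ed25519.PublicKey)},
		Revoked:        map[string]bool{"cred-0002": true},
	}
	mk := func(id, iss string, exp time.Time) Credential {
		return Credential{ID: id, Issuer: iss, Subject: "patron-1234", Claim: "member", ExpiresAt: exp}
	}
	later := now.Add(24 * time.Hour)
	good := Issue(library, mk("cred-0001", issuer, later))
	tampered := good
	tampered.Payload = bytes.Replace(good.Payload, []byte("member"), []byte("staff"), 1)
	out := map[string]error{}
	check := func(name string, sc SignedCredential) { _, out[name] = v.Verify(sc, now) }
	check("valid", good)
	check("tampered", tampered)
	check("revoked", Issue(library, mk("cred-0002", issuer, later)))
	check("expired", Issue(library, mk("cred-0003", issuer, now.Add(-time.Hour))))
	check("unknown issuer", Issue(stranger, mk("cred-0004", "https://unknown.example", later)))
	return out
}

func main() {
	fmt.Println(RunScenarios())
}
```

The revoked credential carries a perfectly valid signature, which is why the revocation lookup has to be a separate step after signature verification.<br />
<br />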
Interlinked with the concept of distributed identity is the notion that users of the web should be able to securely control their data, and that decisions about what a web site gets to know about you should not be delegated to advertising networks.<br />
<br />
Unfortunately, we're not quite ready for distributed identity, in the sense that implementation for today's web would require users to install plugin software, which has its own set of usability, privacy and security issues. The ideal situation would be for some sort of standardized distributed identity and secure data management capability to be installed in browser software - Chrome, Firefox, Safari, etc.<br />
<br />
There's a lot of work going on to make this happen.<br />
<ul>
<li>ID2020 has put out an <a href="https://id2020.org/manifesto">identity manifesto</a> that starts with the declaration that "The ability to prove one’s identity is a fundamental and universal human right."</li>
<li>Tim Berners-Lee is leading the <a href="https://solidproject.org/">Solid Project</a>, which lets you "move freely between services, reuse data across apps, connect with anyone, and select what you share precisely".</li>
<li>The W3C Verifiable Claims Working Group has published Technical Recommendations for "<a href="https://www.w3.org/TR/vc-use-cases/">Verifiable Credential Use Cases</a>" and a "<a href="https://www.w3.org/TR/vc-data-model/">Verifiable Credential Data Model</a>". They observe that "from educational records to payment account access, the next generation of web applications will authorize entities to perform actions based on rich sets of credentials issued by trusted parties."</li>
<li>The <a href="https://sovrin.org/">Sovrin Network</a> is a "new standard for digital identity – designed to bring the trust, personal control, and ease-of-use of analog IDs – like driver’s licenses and ID cards – to the Internet."</li>
<li><a href="https://twitter.com/identitywoman">Kaliya Young</a>, <a href="https://blogs.harvard.edu/doc/">Doc Searls</a> and <a href="https://www.windley.com/">Phil Windley</a> have been convening the <a href="https://internetidentityworkshop.com/about/">Internet Identity Workshop</a> twice a year since 2005 to create a community centered around internet identity. A glance at <a href="https://internetidentityworkshop.com/past-workshops/">prior year proceedings</a> gives a flavor of how much is happening in the field.</li>
</ul>
The common thread here is that users, not unaccountable third parties, should be able to manage their identity on the internet, while at the same time creating a global chain of trust.<br />
<br />
It seems to me that there's a last-mile problem with all these schemes. If identity is really a universal human right, how do we create a chain of trust that can include every human? That problem becomes a lot easier to solve if there were some sort of organization with a physical presence in communities all over, trusted by the community and by other organizations. A sort of institution experienced in managing information access and privacy, and devoted to the needs of all sorts of users.<br />
<br />
In other words, what if "libraries" existed?<br />
<br />
The federated authentication systems used by libraries today - Shibboleth, Athens, and related systems - use a dance similar to what you do with Google or Facebook. It's a big step that moves your internet identity away from "surveillance capitalists" towards community institutions. But you still don't have control over what data your institution gives away, as you will in the next-generation internet identity systems I describe here. (RA21 is no different from Shib or Athens in this respect.)<br />
<br />
What might libraries do to prepare for the age of distributed identity? The first step is not about technology, it's about mission. I believe libraries should start to think of themselves as internet relationship providers for their communities. When I get access to a resource through my library, I won't be "logging in", I'll be asserting a relationship with a library community, and the library will be standing behind me. Joining an identity federation is a good next step for libraries. But the library community needs to advocate for user identity as a basic human right and prepare their systems to support a future where no dancing is required.<br />
<br />
<span style="font-size: x-small;">Update 12/5/2019: revised last two paragraphs to be less mystifying.</span><br />
<br />
<br />Erichttp://www.blogger.com/profile/04483241450401134977noreply@blogger.com0tag:blogger.com,1999:blog-4990922102626688253.post-88357149408142070122019-07-26T20:31:00.000-04:002019-07-26T20:36:09.592-04:00Four-Leaf CloversIt seems a friend of mine collects four-leaf clovers.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjG5XNPjbQ8hDOQHYK6St3BuaEUsU_9yNVcsbOm0wykTIUr0rAs-DYz_RSQOowtErTJGusQ1cJ1owlEkLU4hwiB8KfChGGiMPdm1HHcboilLmLRLTx7j473bLIlo7RYDTZtLDIBHSaYzbI/s1600/IMG_5865.JPG" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" data-original-height="1052" data-original-width="1600" height="210" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjG5XNPjbQ8hDOQHYK6St3BuaEUsU_9yNVcsbOm0wykTIUr0rAs-DYz_RSQOowtErTJGusQ1cJ1owlEkLU4hwiB8KfChGGiMPdm1HHcboilLmLRLTx7j473bLIlo7RYDTZtLDIBHSaYzbI/s320/IMG_5865.JPG" width="320" /></a></div>
When I was a kid, I loved looking for four-leaf clovers in the lawn. It was the same sort of relaxing concentration and observation you use to find a piece of a jigsaw puzzle. But one day, I found a clover plant in front of the garage that had multiple four-leaf clovers. Looking carefully, I found that not only were there four leaf clovers, but there were FIVE-LEAF-CLOVERS. I had hit the jackpot. And even a <a href="https://en.wikipedia.org/wiki/File:6_Leaves.jpg">six-leaf clover</a>!!!! I swear to all of God's integers that I even found a SEVEN leaf clover. I saved that seven leaf clover in my box of treasures for years, until I just had seven crumbling leafs of a clover.<br />
<br />
I never looked for a four-leaf clover again.<br />
<br />
Now, whenever I remember that clover plant (and that garage), I think of the toxins that must have caused the polyfoliate abomination.<br />
<br />
Please don't let my story stop you looking for four-leaf clovers! Happy summer!<br />
<br />
<br />Erichttp://www.blogger.com/profile/04483241450401134977noreply@blogger.com0tag:blogger.com,1999:blog-4990922102626688253.post-26435367646332201762019-05-30T19:24:00.001-04:002019-05-30T19:33:03.428-04:00Responding to Critical Reviews<div dir="ltr" style="text-align: left;" trbidi="on">
<div style="text-align: left;">
The first scientific paper I published was submitted to <i><a href="https://journals.aps.org/prb/">Physical Review B</a></i>, the world's leading scientific journal in condensed matter physics. Mailing in the manuscript felt like sending my soul into a black hole, except not even <a href="https://en.wikipedia.org/wiki/Hawking_radiation">Hawking radiation</a> would come back. A seemingly favorable review returned a miraculous two months later:</div>
<blockquote class="tr_bq">
"I found this paper interesting, and I think it probably eventually it should be published - but only after Section II is revamped and section III clarified."</blockquote>
<div style="text-align: left;">
I made a few minor revisions and added some computations that had been left out of the first version, then confidently resubmitted the paper. But another two months later, I received the second review. The referee hadn't appreciated that I had deflected the review's description of "fundamental logic flaws and careless errors" that made my paper "extremely confusing". The reviewer went on to say "I do not think the authors' new variational calculation is correct" and suggested that my approach was completely wrong.</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjvMsC2ICUBcjHwc23M8bBOr164BeuLj1Y0IKhZw2hHwDGh3JNc4JGTt6nXDctgGTLG_M7OAz1LVdIlHOYk9Zt7fgEatJOFWZQ9E6vgM5JYeEaktRbS9JTnnAe11jgQeGl3Fk2hk2Jws48L/s1600/IMG_5687.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="A ridiculously long equation" border="0" data-original-height="363" data-original-width="1600" height="90" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjvMsC2ICUBcjHwc23M8bBOr164BeuLj1Y0IKhZw2hHwDGh3JNc4JGTt6nXDctgGTLG_M7OAz1LVdIlHOYk9Zt7fgEatJOFWZQ9E6vgM5JYeEaktRbS9JTnnAe11jgQeGl3Fk2hk2Jws48L/s400/IMG_5687.JPG" title="This is the Hamiltonian I used for my variational calculation." width="400" /></a></div>
<br />
My thesis <a href="https://ee.stanford.edu/~harris/">advisor</a> suggested that I go and talk to Bob Laughlin in the Physics department about how to deal with the stubborn referee. I had been <a href="https://journals.aps.org/prb/abstract/10.1103/PhysRevB.34.5475">collaborating</a> with Bob and one of his students on a related project, and he had become a surrogate advisor for my theoretical endeavors. During that time, Bob had acquired a reputation among my fellow students for asking merciless questions at oral exams; many of us were scared of him.<br />
<br />
Bob's lesson on how to deal with a difficult referee turned out to be one of the most useful things I learned in grad school. Referees, he told me, come in 2 varieties, complete idiots, and not-complete-idiots. (Yes, Bob was merciless.) If your referee is a complete idiot, all you can do is ask for a different referee. If your referee has the least bit of sense, then you have to take the attitude that either the referee is somewhat correct, and you think YES-<a href="http://genderfork.com/2012/question-alternatives-to-sir-and-maam/">SIR</a> MISTER REFEREE <a href="https://english.stackexchange.com/questions/121727/can-sir-be-used-to-address-female-officers">SIR</a>! (Bob had been in the Army) and do whatever the referee says to do, or you take the point of view that you have explained something so poorly that the referee, who is an excellent representative of your target audience, had no hope of understanding it. Either way, there was a lot of work to do. We decided that this referee was not an idiot, and I needed to go back to the drawing board and re-do my calculation, figuring out how to be clearer and more correct in my exposition.<br />
<br />
A third review came back with the lovely phrase "The significance of the calculation of section II, which is neither fish nor fowl, remains unclear." Using Bob's not-idiot rule, I recognized that my explanation was still unclear and I worked even harder to improve the paper.<br />
<br />
My third revised version was accepted <a href="https://journals.aps.org/prb/abstract/10.1103/PhysRevB.33.8284">and published</a>. <a href="http://large.stanford.edu/">Bob</a> later won the <a href="https://www.nobelprize.org/prizes/physics/1998/summary/">Nobel Prize</a>. I'm here writing blog posts for you about <a href="https://go-to-hellman.blogspot.com/search/label/RA21">RA21</a>.<br />
<br />
RA21 received <a href="https://groups.niso.org/apps/group_public/document.php?document_id=21376">120 mostly critical reviews</a> from a cross-section of referees, not a single one of whom is the least bit an idiot. Roughly half the issues fell into the badly-explained category, while the other half fell in the "fundamental flaws and careless errors" category. RA21 needs to go back to the chalkboard and rethink even their starting assumptions before they can move forward with this much-needed effort.<br />
<br /></div>
Erichttp://www.blogger.com/profile/14172740163003223132noreply@blogger.com0tag:blogger.com,1999:blog-4990922102626688253.post-58515116199794665782019-05-17T11:42:00.000-04:002019-07-23T01:26:41.283-04:00RA21: Technology is not the problem.<div dir="ltr" style="text-align: left;" trbidi="on">
<a href="https://ra21.org/">RA21</a> vows to "improve access to institutionally-provided information resources". The barriers to access are primarily related to the authorization of such access in the context of licensing agreements. In a perfect world, trust and consensus between licensors and licensing communities would render authorization technology irrelevant. In the real world, technological controls need to build upon good-faith agreements and the consent of community members. Also in the real world, poorly implemented technology erodes that good-faith and consent.<br />
<br />
The <a href="https://groups.niso.org/apps/group_public/download.php/21376/NISO_RP-27-2019_RA21_Identity_Discovery_and_Persistence-public_comment.pdf">RA21 draft recommended practice</a> focuses on technology and technology implementations, all the while failing to consider how to build the trust that underpins good-faith and consent. Service providers need to trust that identity providers faithfully facilitate authorized users and that the communities that identity providers serve will adhere to licensing agreements; users of information resources need to trust that their usage data will not be tracked and sold to the highest bidder.<br />
<br />
Trust is not created out of thin air and certainly not by software. Technology can provide tools that facilitate trust, but shared values and communication between parties is the raw material of trust. An effective program to improve access must include processes and procedures that develop shared values and promote cooperation.<br />
<br />
I recognize that RA21 has chosen to consider only the authentication intercourse as in-scope. But the draft recommendation has identified several areas of "further work". Included in this further work should be areas where community standards and best practices can enhance trust around authentication and authorization. To name two examples:<br />
<ol style="text-align: left;">
<li>A set of best practices around "incident response" would in practice work much better than a "guiding principle" of "end-to-end traceability".</li>
<li>A set of best practices around auditing of security and privacy procedures and technology at service providers and identity providers would materially address the privacy and security concerns that the draft recommendation punts over to cited reports and studies.</li>
</ol>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjAM463dFVF33YspHcQULpwY52XeNtGH1BKauqI8oJsI5ZT6boMIZ9XOYZ8PfyVG9fTnz2SdxkYaYBh8pJSYdTlYH-Eit2sIaUQdhyR6UcOciKTtV8eCAd_BLWcKnHnD1lzUHFstacWowme/s1600/IMG_3082.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="773" data-original-width="1600" height="154" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjAM463dFVF33YspHcQULpwY52XeNtGH1BKauqI8oJsI5ZT6boMIZ9XOYZ8PfyVG9fTnz2SdxkYaYBh8pJSYdTlYH-Eit2sIaUQdhyR6UcOciKTtV8eCAd_BLWcKnHnD1lzUHFstacWowme/s320/IMG_3082.jpg" width="320" /></a></div>
<hr />
<div>
This is the fifth and last of my comments submitted as part of the NISO standards process. The <a href="https://groups.niso.org/apps/group_public/document.php?document_id=21376">102+ comments</a> that have been submitted so far represent a great deal of expertise and real-world experience. My previous comments were about <a href="https://go-to-hellman.blogspot.com/2019/05/ra21-rp-does-not-require-secure.html">secure communication channels</a>, <a href="https://go-to-hellman.blogspot.com/2019/05/ra21-draft-rp-session-timeout.html">potential phishing attacks</a>, the <a href="https://go-to-hellman.blogspot.com/2019/05/ra21s-recommended-technical-approach-is.html">incompatibility of the recommended technical approach</a> with privacy-enhancing browser features, and <a href="https://go-to-hellman.blogspot.com/2019/05/ra21-doesnt-address-yet-another-wayf.html">the need for radical inclusiveness</a>. I've posted the comments here so you can easily comment.<br />
<h3 style="text-align: left;">
Update July 22, 2019:</h3>
<br />
<br />
<div style="text-decoration-color: initial; text-decoration-style: initial;">
<div style="-webkit-text-stroke-width: 0px; color: black; font-family: Times; font-size: medium; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; margin: 0px; text-transform: none; white-space: normal; word-spacing: 0px;">
RA21's<span> </span><a href="https://groups.niso.org/apps/group_public/download.php/21922/NISO_RA21_RP_Comments_Responses.xlsx">official response</a><span> </span>to this comment is:</div>
<blockquote class="tr_bq">
We agree that technology is not the primary problem. There are two core issues that RA21 is seeking to address - firstly the current user experience of federated authentication needs to be improved, and this comprises the bulk of our recommendations. Secondly, considerable trust has been established between identity providers and service providers through their mutual participation in identity federations and we are recommending broader participation in identity federations where they do not exist. The understanding and acceptance of this trust model is not universal among all stakeholder groups particularly within IdP organisations and through ongoing dialog and outreach during the implementation phase, RA21 hopes to address this deficit. Finally, we have added a section to the recommendations addressing security incident response and adoption of an operational security baseline by participants.</blockquote>
<div style="margin: 0px;">
OK.</div>
</div>
</div>
</div>
Erichttp://www.blogger.com/profile/14172740163003223132noreply@blogger.com0tag:blogger.com,1999:blog-4990922102626688253.post-81775758000421274012019-05-13T18:51:00.000-04:002019-07-10T12:23:28.558-04:00RA21 doesn't address the yet-another-WAYF problem. Radical inclusiveness would.<div dir="ltr" style="text-align: left;" trbidi="on">
The fundamental problem with standards is captured by XKCD 927.<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><span style="margin-left: auto; margin-right: auto;"><a href="https://xkcd.com/927/" target="_blank"><img border="0" data-original-height="283" data-original-width="500" height="225" src="https://imgs.xkcd.com/comics/standards.png" title="Fortunately, the charging one has been solved now that we've all standardized on mini-USB. Or is it micro-USB? Shit." width="400" /></a></span></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><a href="https://xkcd.com/927/" target="_blank">XKCD https://xkcd.com/927/</a></td></tr>
</tbody></table>
Single sign-on systems have the same problem. The only way for a single sign-on system to deliver a seamless user experience is to be backed by a federated identity system that encompasses all use cases. For RA-21 to be the single button that works for everyone, it must be radically inclusive. It must accommodate a wide variety of communities and use cases.<br />
<br />
Unfortunately, the <a href="https://groups.niso.org/apps/group_public/download.php/21376/NISO_RP-27-2019_RA21_Identity_Discovery_and_Persistence-public_comment.pdf" target="_blank">draft recommended practice</a> betrays no self-awareness about this problem. Mostly, it assumes that there will be a single "access through your institution" button. While it is certainly true that end-users have more success when presented with a primary access method, the draft does not address how RA-21 might reach that state.<br />
<br />
Articulating a <i>radical inclusiveness</i> principle would put the goal of single-button access within reach. Radical inclusiveness means bringing IP-based authentication, anonymous access, and access for walk-ins into the RA-21 tent. Meanwhile the usability and adoption of SAML-based systems would be improved; service providers who require "end-to-end traceability" could achieve this in the context of their customer agreements; it needn't be a requirement for the system as a whole.<br />
<br />
Radical inclusiveness would also broaden the user base and thus financial support for the system as a whole. We can't expect a 100,000 student university library in China to have the same requirements or capabilities as a small hospital in New Jersey or a multinational pharmaceutical company in Switzerland, even though all three might need access to the same research article.<br />
<br />
<hr />
<br />
This is my fourth comment on the RA-21 draft "<a href="https://groups.niso.org/apps/group_public/document.php?document_id=21376" target="_blank">Recommended Practices for Improved Access to Institutionally-Provided Information Resources</a>". The official comment period ends Friday. This comment, 57 others, and the add-comment form <a href="https://groups.niso.org/apps/group_public/document.php?document_id=21376" target="_blank">can be read here</a>. My comments so far are about <a href="https://go-to-hellman.blogspot.com/2019/05/ra21-rp-does-not-require-secure.html">secure communication channels</a>, <a href="https://go-to-hellman.blogspot.com/2019/05/ra21-draft-rp-session-timeout.html">potential phishing attacks</a>, and the <a href="https://go-to-hellman.blogspot.com/2019/05/ra21s-recommended-technical-approach-is.html">incompatibility of the recommended technical approach</a> with privacy-enhancing browser features. I'm posting the comments here so you can easily comment. I'll have one more comment, and then a general summary.<br />
<br />
<h3 style="text-align: left;">
Update July 10, 2019:</h3>
<div style="text-align: left;">
RA21's <a href="https://groups.niso.org/apps/group_public/download.php/21922/NISO_RA21_RP_Comments_Responses.xlsx">official response</a> to this comment is:</div>
<blockquote class="tr_bq" style="text-align: left;">
RA21 envisages supporting the anonymous and walk-in use cases via federated authentication. It is anticipated that federated authentication and IP authentication will exist side-by-side during a transition phase. The specifics of the User Experience during the transition phase will need to be determined during implementation; however it is likely that the RA21 button will simply not need to be displayed to users who are IP authenticated.</blockquote>
I suppose self-awareness was a big ask. The <a href="https://www.niso.org/publications/rp-27-2019-ra21">revised recommendation</a> includes some "envisaging" of use cases that was glaring by omission in the draft recommendation. The added section <span style="background-color: white; font-family: "Arial Bold,Bold"; font-size: 12pt;">2.1.1., <i>Employ appropriate authentication mechanisms for specific use cases,</i> is an improvement on the draft; but </span>the revised recommendation<span style="background-color: white; font-family: "Arial Bold,Bold"; font-size: 12pt;"> has not retreated from its </span>end-to-end traceability "guiding principle".<br />
<br />
RA21 used the same response for <a href="https://groups.niso.org/apps/group_public/view_comment.php?comment_id=898">a comment</a> by Ohio State's <a href="https://library.osu.edu/people/vinopal.5">Jennifer Vinopal</a>:<br />
<blockquote class="tr_bq">
I want to reiterate a point that a number of commenters have already mentioned: there is no discussion of how public or walk-in (or other unauthenticated/unauthenticating) users will get access to resources through RA21. Public libraries, as well as many college and research libraries, negotiate our e-resource licenses to provide access to walk-in users who aren't represented in our IdM systems.</blockquote>
Don't forget, EZProxy <a href="https://go-to-hellman.blogspot.com/2018/05/the-shocking-truth-about-ra21-its-made.html">was supposed to be a transition phase</a>!<br /><br /> <br /><br />
</div>
Erichttp://www.blogger.com/profile/14172740163003223132noreply@blogger.com0tag:blogger.com,1999:blog-4990922102626688253.post-55843779544574693842019-05-08T10:53:00.000-04:002019-07-05T12:44:08.295-04:00RA21's recommended technical approach is broken by emerging browser privacy features<div dir="ltr" style="text-align: left;" trbidi="on">
<br />
This is my third comment about the recently published <a href="https://www.niso.org/standards-committees/ra21">NISO draft "Recommended Practice"</a> (RP) on "Improved Access to Institutionally-Provided Information Resources" a. k. a. "Resource Access in the 21st Century" (RA21). <a href="https://groups.niso.org/apps/group_public/document.php?document_id=21376">Official comments can be submitted</a> until May 17th. <a href="https://go-to-hellman.blogspot.com/2019/05/ra21-rp-does-not-require-secure.html">My first comment</a> concerned the use of secure communication channels. The second looked at <a href="https://go-to-hellman.blogspot.com/2019/05/ra21-draft-rp-session-timeout.html" target="_blank">potential phishing attacks</a> on the proposed system. I'm posting the comments here so you can easily comment.<br />
<div>
<br /></div>
<div>
<h2 style="text-align: left;">
RA21's recommended technical approach is broken by emerging browser privacy features</h2>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiOzVvMwLf4Dss6AQCd5TBOpVrk0MJ3b3_mByMwTN75tgXAsDShbDNufFPoxofi9Ad9V3BvM_F2d4FjMCJHv9dlZvJt7U42zukGZR1IpL7-db91pUtHjFnelCwbaFeVtfFE9PCxzGby0MlO/s1600/preventtracking.png" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" data-original-height="212" data-original-width="626" height="108" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiOzVvMwLf4Dss6AQCd5TBOpVrk0MJ3b3_mByMwTN75tgXAsDShbDNufFPoxofi9Ad9V3BvM_F2d4FjMCJHv9dlZvJt7U42zukGZR1IpL7-db91pUtHjFnelCwbaFeVtfFE9PCxzGby0MlO/s320/preventtracking.png" width="320" /></a></div>
Third party cookies are widely used on the web as trackers, or "web bugs", by advertising networks wishing to target users with advertising. The impact of these trackers on privacy has been widely reported and decried. Browser local storage deployed using 3rd-party iframes is similarly employed for user tracking by ad networks. Browser vendors, led by Apple, have fought back against user tracking by providing user options to limit third party information sharing. Apple's <a href="https://webkit.org/blog/8613/intelligent-tracking-prevention-2-1/" target="_blank">"Intelligent Tracking Prevention"</a> has progressively increased the barriers to cross-site information storage, for example, by partitioning the local storage according to third-party context.<br />
<br />
Unfortunately for RA21, the draft recommended practice (RP) has endorsed a technical approach which mirrors the tactics used for user tracking by the advertising industry. For this reason, users of Safari who choose to enable the "prevent cross-site tracking" option may not benefit from the "seamless" access promised by RA21 if implemented with the endorsed technical approach.<br />
<br />
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: right; margin-left: 1em; text-align: right;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjYKqrkeud9ncCu25kAJIGhil-SSCSqfOlECdoDG_Mh70OROp6ejJ61qJOGBsFJiDbijZglLWwxu2s5aj_LyNm26vxW778IouuEKvX3VQd_jbk1Z9Scqv4RobqFRwtpYaLQPQ857H9U8zts/s1600/Colossal_octopus_by_Pierre_Denys_de_Montfort.jpg" imageanchor="1" style="clear: right; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" data-original-height="346" data-original-width="225" height="200" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjYKqrkeud9ncCu25kAJIGhil-SSCSqfOlECdoDG_Mh70OROp6ejJ61qJOGBsFJiDbijZglLWwxu2s5aj_LyNm26vxW778IouuEKvX3VQd_jbk1Z9Scqv4RobqFRwtpYaLQPQ857H9U8zts/s200/Colossal_octopus_by_Pierre_Denys_de_Montfort.jpg" width="130" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><a href="https://commons.wikimedia.org/w/index.php?curid=977733" target="_blank">Wikimedia commons</a></td></tr>
</tbody></table>
The optimistically acronymed <a href="https://ra21.org/index.php/pilot-programs/p3-wayf-pilot/" target="_blank">"P3W" pilot</a> used a JavaScript library called "<a href="https://github.com/krakenjs/zoid" target="_blank">Krakenjs/zoid</a>" to exchange data between cross-domain contexts. (According to the Norse sagas, the <a href="https://en.wikipedia.org/wiki/Kraken" target="_blank">kraken</a> is a squidlike monster that terrorizes voyagers.) The limitations on <a href="https://github.com/krakenjs/post-robot/issues/37" target="_blank">krakenjs in Safari</a> are acknowledged by the library's developer. The library works by having the host webpage create an iframe loaded from a P3W website. With privacy controls off, the web page posts to the iframe, which answers with a reference to the user's identity provider. The service provider website uses that information to help the user authenticate without having to search through a huge list of identity providers. With Safari privacy features turned on, the search process must be repeated for each and every service provider domain.<br />
<br />
Other browser vendors have moved towards restricting tracking behaviour. Firefox has announced that it will phase in "<a href="https://blog.mozilla.org/futurereleases/2018/10/23/the-path-to-enhanced-tracking-protection/" target="_blank">enhanced tracking protection</a>". Even Google's Chrome browser is moving towards <a href="https://blog.chromium.org/2019/05/improving-privacy-and-security-on-web.html" target="_blank">restrictions on tracking technologies</a>.<br />
<br />
The bottom line is that if RA21 is implemented with the recommended technical approach, library users will probably be required to turn off privacy enhancing features of their browser software to use resources in their library. As a result, RA21 will have difficulty moving forward with community consensus on this technical approach.<br />
<br />
Browser software is much more tolerant of cross-domain communication when the information "hub" is a first-party context (i.e. a window of its own, not an embedded iframe), as is done in more established authentication schemes such as <a href="https://en.wikipedia.org/wiki/OpenID_Connect" target="_blank">OpenID Connect</a> and <a href="https://en.wikipedia.org/wiki/SAML_2.0" target="_blank">SAML flow</a>. RA21 should refocus its development effort on these technical approaches.<br />
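<br />
The iframe hub described above and the first-party alternative can be compared in a toy model. This is an added example, not code from the P3W pilot or the zoid library; the origins, the allow-list and the message names are assumptions made for the illustration. It counts how often a user must search for an identity provider across three service providers.

```javascript
// Added illustration: a toy model of browser web storage, constructed for this
// example. Not zoid/post-robot code and not the P3W implementation.
// All origins are hypothetical. Real browsers partition by site (registrable
// domain); this model uses full origins to stay short.

const HUB = "https://hub.example.org"; // stands in for the discovery hub
const USER_IDP = "https://idp.university.example"; // the user's identity provider
const SPS = [
  "https://journals.example.com",
  "https://books.example.net",
  "https://data.example.io",
];
const ALLOWED_SPS = new Set(SPS); // origins the hub agrees to answer (assumption)

class ToyBrowser {
  constructor({ partitionThirdPartyStorage }) {
    this.partition = partitionThirdPartyStorage;
    this.buckets = new Map(); // bucket key -> Map acting as localStorage
  }

  // localStorage seen by a document from frameOrigin when the address bar
  // shows topOrigin. With partitioning on, an embedded third-party frame gets
  // a separate bucket per top-level origin.
  storageFor(frameOrigin, topOrigin) {
    const thirdParty = frameOrigin !== topOrigin;
    const key = this.partition && thirdParty
      ? `${frameOrigin} under ${topOrigin}`
      : frameOrigin;
    if (!this.buckets.has(key)) this.buckets.set(key, new Map());
    return this.buckets.get(key);
  }
}

// The hub's message handler: answer only known service providers.
function hubOnMessage(storage, senderOrigin, msg) {
  if (!ALLOWED_SPS.has(senderOrigin)) return { ok: false, error: "origin not allowed" };
  if (msg.type === "get-idp") return { ok: true, idp: storage.get("idp") || null };
  if (msg.type === "set-idp") {
    storage.set("idp", msg.idp);
    return { ok: true, idp: msg.idp };
  }
  return { ok: false, error: "unknown message type" };
}

// One visit to a service provider. mode "iframe": the SP page embeds the hub.
// mode "top-level": the SP navigates the whole window to the hub and back, so
// the hub runs as a first-party document.
function visit(browser, spOrigin, mode) {
  const topOrigin = mode === "iframe" ? spOrigin : HUB;
  const storage = browser.storageFor(HUB, topOrigin);
  const reply = hubOnMessage(storage, spOrigin, { type: "get-idp" });
  if (reply.ok && reply.idp) return { sp: spOrigin, idp: reply.idp, searched: false };
  // No remembered choice: the user searches the identity provider list.
  hubOnMessage(storage, spOrigin, { type: "set-idp", idp: USER_IDP });
  return { sp: spOrigin, idp: USER_IDP, searched: true };
}

// How many times the user has to search when visiting every SP once.
function countSearches(partitionThirdPartyStorage, mode) {
  const browser = new ToyBrowser({ partitionThirdPartyStorage });
  return SPS.map((sp) => visit(browser, sp, mode)).filter((v) => v.searched).length;
}

console.log("iframe hub, partitioning off:  ", countSearches(false, "iframe"));
console.log("iframe hub, partitioning on:   ", countSearches(true, "iframe"));
console.log("top-level hub, partitioning on:", countSearches(true, "top-level"));
```
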
<div>
<br />
<h3 style="text-align: left;">
Update July 5, 2019:</h3>
RA21's <a href="https://groups.niso.org/apps/group_public/download.php/21922/NISO_RA21_RP_Comments_Responses.xlsx">official response</a> to this comment is:<br />
<blockquote class="tr_bq">
Future work includes storage policy notification. Also, we are not actually using third party cookies even though this term is often used to describe several cross-domain access patterns; instead, RA21 recommends using web storage (aka, browser local storage) together with HTML5 post-message for cross-domain access. This is the same mechanism (and indeed the same implementation) that PayPal uses, thus demonstrating broad browser support. A description of web storage has been added to the Terminology section. We are aware that by turning off "third party cookies" it is possible for the user to partly or completely disable the call to action button but in those cases the user experience degrades gracefully to a classical SAML/OpenIDC discovery flow.</blockquote>
Essentially the same response was made to three other submitted comments. <a href="https://groups.niso.org/apps/group_public/view_comment.php?comment_id=863">Two</a> of <a href="https://groups.niso.org/apps/group_public/view_comment.php?comment_id=862">them</a>, from Duke's <a href="https://library.duke.edu/about/directory/staff/7401">Tim McGeary</a>, called out two sections of the recommended practice and noted:<br />
<blockquote class="tr_bq">
Word of caution: this login specifically cannot happen in an iFrame to meet SSO security protocol</blockquote>
<a href="https://groups.niso.org/apps/group_public/view_comment.php?comment_id=932">The third</a>, from Cornell University Library, submitted by Adam Chandler, amplified on McGeary:<br />
<blockquote class="tr_bq">
Comment from Cornell University Library Privacy as a Service Working Group. Our group includes membership drawn from Library IT, Library Licensing, Library Public Services, Cornell IT Security, and Cornell Privacy Office.<br /><br />Under 2.4.: We agree with Tim McGreary's comment (#862 or #863 - seems that he double-posted it) that the SSO login shouldn't be inside a frame on another page. There are security issues with that kind of approach. The users can't see the login page URL to verify that the page is a x.uni.edu page before entering their passwords, so it makes it easier to spoof the login page. Generally, login pages use "framebusting" to prevent this kind of possibility.</blockquote>
RA21's response on this issue is alarming, and suggests that the whole project is in danger of failure. RA21 seems to be unaware that using HTML5 web storage <a href="https://www.rdegges.com/2018/please-stop-using-local-storage/">is <i>worse</i> than 3rd party cookies in many respects</a> - particularly privacy and security. Currently, only Safari defaults to "a classical SAML/OpenIDC discovery flow", but that still means that if they want to be accurate, they'll have to rename the implementing organization "The Coalition for Seamless Access but Not on iOS" or "The Coalition for Problematic Access".<br />
<br />
I hope that the beta implementation will be executed by a team with the experience and competence to override or at least effectively mitigate RA21's technical blunder.</div>
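<br />
Whether a login page can be shown inside another site's frame, the concern raised in the comments quoted above, can be checked from its response headers, which are the header-based counterpart of the "framebusting" the Cornell comment mentions. This added example is not code from RA21 or from any identity provider; the origins and sample headers are constructed, and the matching rules are simplified as noted in the comments.

```javascript
// Added illustration, not code from RA21 or from any identity provider.
// Given a login page's response headers, decide whether a browser would let a
// page on embedderOrigin show it in an iframe. Simplifications: one level of
// framing, a single CSP policy, and source matching limited to 'none', 'self',
// "*", scheme-only sources and hosts with an optional leading "*." wildcard.

function parseFrameAncestors(csp) {
  if (!csp) return null;
  for (const directive of csp.split(";")) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === "frame-ancestors") return sources; // first one wins
  }
  return null; // directive absent: CSP places no limit on framing
}

function sourceMatches(source, embedder, page) {
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return embedder.origin === page.origin;
  if (s === "*") return true;
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return embedder.protocol === s; // e.g. "https:"
  try {
    // A host source without a scheme is read with the page's own scheme.
    const full = s.includes("://") ? s : `${page.protocol}//${s}`;
    const wildcard = full.includes("://*.");
    const src = new URL(full.replace("://*.", "://"));
    if (src.protocol !== embedder.protocol || src.port !== embedder.port) return false;
    return wildcard
      ? embedder.hostname.endsWith("." + src.hostname) // subdomains only
      : embedder.hostname === src.hostname;
  } catch (e) {
    return false; // an unparseable source expression matches nothing
  }
}

function framingAllowed(headers, pageOrigin, embedderOrigin) {
  const page = new URL(pageOrigin);
  const embedder = new URL(embedderOrigin);
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;

  const ancestors = parseFrameAncestors(h["content-security-policy"]);
  if (ancestors !== null) {
    // When frame-ancestors is present, browsers ignore X-Frame-Options.
    return ancestors.some((src) => sourceMatches(src, embedder, page));
  }
  const xfo = (h["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY") return false;
  if (xfo === "SAMEORIGIN") return embedder.origin === page.origin;
  return true; // no header, or an obsolete value such as ALLOW-FROM
}

// Constructed sample responses for a hypothetical login page.
const LOGIN = "https://idp.example.edu";
const SAMPLES = {
  "no framing headers": {},
  "X-Frame-Options only": { "X-Frame-Options": "DENY" },
  "CSP none": { "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'" },
  "CSP allows campus sites": {
    "Content-Security-Policy": "frame-ancestors https://*.example.edu",
    "X-Frame-Options": "DENY",
  },
};

// For each sample, can a page on embedderOrigin frame the login page?
function audit(embedderOrigin) {
  const result = {};
  for (const [label, headers] of Object.entries(SAMPLES)) {
    result[label] = framingAllowed(headers, LOGIN, embedderOrigin);
  }
  return result;
}

console.log(audit("https://publisher.example.com"));
console.log(audit("https://portal.example.edu"));
```

A result of `true` for an origin outside the institution means the user could be shown the login form without being able to see its URL.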
</div>
</div>
Erichttp://www.blogger.com/profile/14172740163003223132noreply@blogger.com0tag:blogger.com,1999:blog-4990922102626688253.post-17718189479030782322019-05-06T22:21:00.000-04:002019-07-03T22:50:24.121-04:00RA21 Draft RP session timeout recommendation considered harmful<div dir="ltr" style="text-align: left;" trbidi="on">
Hey everybody, I implemented RA21 for access to the blog!<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://go-to-hellman.blogspot.com/2019/05/ra21-draft-rp-session-timeout.html#authenticate"><img border="0" data-original-height="188" data-original-width="902" height="66" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgLYE-gy95cpLgm1eNwX-Vy27UcFHzit0ea5iEUQBgv4Y-fA6XvAkGXho_xw6TrdGZRGEE0LMqgbx7H0DwVfKsgseDWVBjYRH-LhQikOOqMPVWcjnQyPS-6yUjxcu2VXnBXRGdasKShddAY/s320/ra21button.png" width="320" /></a></div>
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<div id="authenticate">
Well, that was fun.<br />
<br />
I'm contributing comments about the recently published <a href="https://www.niso.org/standards-committees/ra21" target="_blank">NISO draft "Recommended Practice"</a> (RP) on "Improved Access to Institutionally-Provided Information Resources" a. k. a. "Resource Access in the 21st Century" (RA21). <a href="https://groups.niso.org/apps/group_public/document.php?document_id=21376" target="_blank">Official comments can be submitted</a> until May 17th. The draft has much to recommend it, but it appears to have flaws that could impair the success of the effort. <a href="https://go-to-hellman.blogspot.com/2019/05/ra21-rp-does-not-require-secure.html" target="_blank">My first comment</a> concerned the use of secure communication channels. I expect to write two more. I'm posting the comments here so you can easily comment.<br />
<br />
<h2 style="text-align: left;">
RA21 Draft RP session timeout recommendation considered harmful</h2>
RA21 hopes to implement a user authentication environment which allows seamless single sign-on to a large number of service provider websites. Essential to RA21's vision is to replace a hodge-podge of implementations with a uniform, easily recognizable user interface.<br />
<br />
While a uniform sign-in flow will be a huge benefit to end users, it introduces an increased vulnerability to an increasingly common type of compromise, <a href="https://en.wikipedia.org/wiki/Phishing" target="_blank">credential phishing</a>. A credential phishing attack exploits learned user behavior by presenting the user with a fraudulent interface cloned from a legitimate service. The unsuspecting user enters credentials into the fraudulent website without ever being aware of the credential theft. RA21 greatly reduces the difficulty of a phishing attack in three ways:<br />
<ol style="text-align: left;">
<li>Users will learn and use the same sign-in flow for many, perhaps hundreds, of websites. Most users will occasionally encounter the RA21 login on websites they have never used before.</li>
<li>The uniform visual appearance of the sign-in button and identity provider selection step will be trivial to copy. Similarly, a user's previously selected identity provider will often be easy for an attacker to guess, based on the user's IP address.</li>
<li>If successful, RA21 may be used by millions of authorized users, making it difficult to detect unauthorized use of stolen credentials.</li>
</ol>
If users are trained to enter password credentials even once per day, they are unlikely to notice when they are asked for identity provider credentials by a website crafted to mimic a real identity provider.<br />
<br />
For this very reason, websites commonly used for third party logins, such as Google and Facebook, use timeouts much longer than the 24 hour timeouts recommended by the RA21 draft RP. To combat credential theft, they add tools such as multi-factor authentication and insert identity challenges based on factors such as user behavior and the number of devices used by an account.<br />
<br />
Identity providers participating in RA21 need to be encouraged to adopt these and other anti-phishing security measures; the RA21 draft's recommended identity provider session timeout (section 2.7) is not in alignment with these measures and is thus counterproductive. Instead, the RP should encourage long identity provider session timeouts and advanced authentication methods, and should clearly note the hazard of phishing attacks on the system. Long-lived sessions will result in better user experience and promote systemic security. While the RP cites default values used in Shibboleth, there is no published evidence that these parameters have suppressed credential theft; the need for RA21 suggests that the resulting user experience has been far from "seamless".<br />
<div>
<br /></div>
<div class="page" title="Page 1">
<div class="section">
<div class="layoutArea">
<div class="column">
<h2 style="background-color: white; text-align: left;">
Update July 3, 2019:</h2>
<div style="background-color: white;">
RA21's <a href="https://groups.niso.org/apps/group_public/download.php/21922/NISO_RA21_RP_Comments_Responses.xlsx">official response</a> to this comment is:</div>
<blockquote class="tr_bq">
We disagree with premise that consumer websites adopt long sign-in timeouts as a Phishing protection measure. That said, IdPs should follow best practices such as HTTPS so users can verify that they are on a valid sign in page. Length of validity of sign-in is also by necessity context dependent.</blockquote>
Well, yeah. I wasn't expecting them to actually consult real people who battle identity theft on consumer websites. I was mostly amazed that sign-in timeouts would be considered in-scope for RA21 while HTTPS, which will be essential to RA21's success or failure, <a href="https://go-to-hellman.blogspot.com/2019/05/ra21-rp-does-not-require-secure.html">was not</a>. But the RA21 recommendation will have no effect whatsoever on what identity providers do, unless perhaps existing identity providers are making timeouts ridiculously short. Identity providers know their context much better than any committee and they will do what they want to do. And they should!<br />
<br />
Interestingly, a section (2.8. Establish Security Incident Reporting Frameworks) has been added to <a href="https://www.niso.org/publications/rp-27-2019-ra21">the revised recommendation</a> that acknowledges credential phishing as a motivation for RA21! So, yay RA21!<br />
</div>
</div>
</div>
</div>
</div>
</div>
Erichttp://www.blogger.com/profile/14172740163003223132noreply@blogger.com0tag:blogger.com,1999:blog-4990922102626688253.post-69697005903747435672019-05-05T22:10:00.000-04:002019-07-02T11:39:26.964-04:00RA21 RP does not require secure protocols. It should.<div dir="ltr" style="text-align: left;" trbidi="on">
<div class="tr_bq">
<a href="https://go-to-hellman.blogspot.com/2018/05/the-shocking-truth-about-ra21-its-made.html" target="_blank">As I've written</a>, "RA21" could be a Good Thing, or it could be a disaster. The <a href="https://www.niso.org/standards-committees/ra21" target="_blank">RA21 working group</a> has released its "<a href="https://groups.niso.org/apps/group_public/download.php/21376/NISO_RP-27-2019_RA21_Identity_Discovery_and_Persistence-public_comment.pdf" target="_blank">Recommended Practice</a>" draft for comments, until May 17. The draft has much to like, but also has significant flaws. I will be contributing comments to address the flaws I see, which I will also publish here so we can discuss and comment. My official comments, and many others worth reading are <a href="https://groups.niso.org/apps/group_public/document.php?document_id=21376" target="_blank">here</a>.</div>
<br />
Here's my first comment, perhaps the most predictable:<br />
<h2 style="text-align: left;">
RA21 RP does not require secure protocols. It should.</h2>
RA21 envisions the creation of a widely deployed authentication and authorization system for resources and tools serving the research community. In such an ecosystem, the health and security of the entire system can be degraded by a small number of weak implementations. In particular, delivering resources over insecure unencrypted channels will be harmful.<br />
<br />
In this context it is surprising that the RA21 recommended practice (RP) fails to directly address the need for service providers and identity providers to use secure channels such as HTTPS for websites. The recommended practice makes indirect reference to this need by citing another document, "<a href="https://ra21.org/index.php/results/ra21-security-privacy-final-report/" target="_blank">WAYF Cloud and P3W Security & Privacy Recommendations</a>". This document fails to treat secure channels as a requirement, saying in analyzing the pilot implementations (italics added):<br />
<blockquote class="tr_bq">
"All browser traffic <i>should</i> use secured protocols, such as https, to prevent unauthorized access and to preserve confidentiality." (WAYF cloud, page 13)</blockquote>
<blockquote class="tr_bq">
"All browser traffic <i>should</i> use secured protocols such as https to prevent unauthorized access and to preserve confidentiality." (P3W, page 18)</blockquote>
In contrast to the "should" used for secure communications, the analysis uses the stronger "must" in other places, for example,<br />
<blockquote class="tr_bq">
"Therefore, applications <i>must</i> include strong controls to prevent user ID tampering and abuse" (Information Disclosure, page 7)</blockquote>
Security and privacy issues essential to the success of RA21 should not be buried in technical analyses of uncertain normativity. Secure channels should not be optional; they <i>must</i> be required.<br />
<br />
<h3 style="text-align: left;">
Update July 2, 2019:</h3>
RA21's <a href="https://groups.niso.org/apps/group_public/download.php/21922/NISO_RA21_RP_Comments_Responses.xlsx">official response</a> to this comment is:<br />
<blockquote>
We agree that HTTPS everywhere is a good idea for tools and resources serving the research community. However, a specific recommendation on this would be outside of the scope of RA21.</blockquote>
This response strikes me as uninformed, considering that the recommendation promotes a technical solution that will likely require publishers to adopt HTTPS. Either the committee is unaware of the technical ramifications of their recommendations (very likely), or they're trying to hide from the publishing community the inconvenient fact that RA21 will require all of them to go HTTPS (I wish).<br />
<br />
Really, all I was hoping for was some bland indication that RA21 will not compromise system privacy and security to accommodate the laggards of the service provider community. Since that didn't happen, I'll do some shouting here:<br />
<br />
<span style="color: red;"><b>ATTENTION PUBLISHERS!</b></span> RA21 WON'T TELL YOU IT'S GOING TO REQUIRE <b><span style="color: red;"><span style="background-color: lime;">HTTPS</span><span style="background-color: white;"> </span></span></b>ON YOUR SITE. I JUST DID.</div>
Erichttp://www.blogger.com/profile/14172740163003223132noreply@blogger.com1tag:blogger.com,1999:blog-4990922102626688253.post-14899502713193021002019-04-03T12:28:00.005-04:002022-12-12T20:07:24.239-05:00Fudge, and open access ebook download statistics<div dir="ltr" style="text-align: left;" trbidi="on">
If you found out that the top 50 authors born in Gloucestershire, England average over 10 million copies sold, you might think that those authors are doing pretty well. But it's silly to compute averages like that. When you compute an average over a population, you're making an assumption that the quantity you're averaging over is statistically distributed somehow over the population. Unless of course you don't care if the average means anything, and you just want numbers to help justify an agenda.<br />
<br />
Most folks would look at the <a href="https://libraries.wiltshire.gov.uk/c/document_library/get_file?uuid=adf38c5c-3cd0-447e-ac9d-f26f936a7a4f&groupId=10158" target="_blank">list of Gloucestershire authors</a> and say that one of the authors is an outlier, not representative of Gloucestershire authors in general. And so <a href="https://en.wikipedia.org/wiki/J._K._Rowling" target="_blank">J.K. Rowling</a>, with more than 500 million copies sold, would get removed from the data set, revealing the presumably unimpressive book selling record of the "more representative" authors. Scientists refer to this process as "fudging the data". It's done all the time, but it's not honest.<br />
<br />
There's a better way. If a scientific study presents averages across a population, it should also report statistical measures such as variance and standard deviation, so the audience can judge how meaningful the reported averages are (or aren't!).<br />
<br />
Other times, the existence of "outliers" is evidence that the numbers are better measured and compared on a different scale. Often, that's a logarithmic scale. For example, noise is measured on a logarithmic scale, in units of decibels. An ambulance siren has a million times the noise power of normal conversation, but it's easier to make sense of that number if we compare the 60 dB sound volume of conversation to the 90 dB of a hair dryer, the 120 dB of the siren and the 140 dB of a jet engine. Similarly, we can understand that while J.K. Rowling's sales run into 8 figures, most top Gloucestershire-born authors are probably 3, 4 or maybe 5 figure sellers.<br />
<br />
Over the weekend, I released <a href="https://hcommons.org/deposits/item/hc:23787/" target="_blank">a "preprint" on Humanities Commons</a>, describing my analysis of open-access ebook usage data. I worked with a wonderful team including two open-access publishers, <a href="https://www.press.umich.edu/" target="_blank">University of Michigan Press</a> and <a href="https://www.openbookpublishers.com/" target="_blank">Open Book Publishers</a>, on <a href="https://deepblue.lib.umich.edu/handle/2027.42/137638" target="_blank">this project</a>, which was funded by the Mellon Foundation. To boil down my analysis to two pithy points, the preprint argues:<br />
<br />
<ol style="text-align: left;">
<li>Free ebook downloads are best measured on a logarithmic scale, like earthquakes and trade publishing sales.</li>
<li>We shouldn't average download counts.</li>
</ol>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg1r_A-98iTRxUE6espnW7Qm8Vd4Yfq14pDgEIdNMyXfExFXPSTCEfC0Z62E5yXiHjJSatKjG_is0umZAYR7S5dCG-Q5nFTpgUCqTdOpTEOlhdQHmN6Cx9_o2O4QxFxBOAOeOlImxfgeFvQ/s1600/downloads+per+title.png" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="363" data-original-width="501" height="288" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg1r_A-98iTRxUE6espnW7Qm8Vd4Yfq14pDgEIdNMyXfExFXPSTCEfC0Z62E5yXiHjJSatKjG_is0umZAYR7S5dCG-Q5nFTpgUCqTdOpTEOlhdQHmN6Cx9_o2O4QxFxBOAOeOlImxfgeFvQ/s400/downloads+per+title.png" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">If you take the logarithm of book downloads, the histogram looks like a bell curve!</td></tr>
</tbody></table>
For example, if someone <a href="https://media.springernature.com/full/springer-cms/rest/v1/content/15176744/data/v3" target="_blank">tries to tell you</a> that "Engineering, mathematics and computer science OA books perform much better than the average number of downloads for OA books across all subject areas" without telling you about variances of the distributions and refusing to release their data, you should pay them no mind.<br />
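<br />
The two points above can be checked on a small data set. The following is an added example, not code or data from the preprint: the download counts are constructed, and it compares what the arithmetic mean and the log-scale summary report when one title dominates.

```python
import math
import statistics
from collections import Counter

# Constructed download counts for 12 open-access titles (not data from the
# preprint). Eleven titles have 2 to 4 figures; one has gone viral.
DOWNLOADS = [120, 340, 95, 1800, 560, 2300, 75, 410, 980, 150, 6400, 2_500_000]


def linear_summary(counts):
    """Arithmetic mean and sample standard deviation on the raw scale."""
    return statistics.mean(counts), statistics.stdev(counts)


def log_summary(counts):
    """Mean and standard deviation of log10(count), and the geometric mean."""
    logs = [math.log10(c) for c in counts]
    mu = statistics.mean(logs)
    return mu, statistics.stdev(logs), 10 ** mu


def titles_below_mean(counts):
    """Number of titles whose downloads fall short of the arithmetic mean."""
    mean = statistics.mean(counts)
    return sum(1 for c in counts if c < mean)


def figures_histogram(counts):
    """Histogram by number of digits: bins one decade wide on a log scale."""
    return dict(sorted(Counter(len(str(c)) for c in counts).items()))


def fudge_effect(counts):
    """Factor by which each summary shrinks when the top title is dropped."""
    trimmed = sorted(counts)[:-1]
    mean_factor = statistics.mean(counts) / statistics.mean(trimmed)
    geo_factor = log_summary(counts)[2] / log_summary(trimmed)[2]
    return mean_factor, geo_factor


if __name__ == "__main__":
    mean, sd = linear_summary(DOWNLOADS)
    mu, sigma, geo = log_summary(DOWNLOADS)
    print(f"raw scale: mean={mean:,.0f} sd={sd:,.0f}")
    print(f"titles below the mean: {titles_below_mean(DOWNLOADS)} of {len(DOWNLOADS)}")
    print(f"log scale: mean log10={mu:.2f} sd={sigma:.2f} geometric mean={geo:,.0f}")
    print(f"titles per number of figures: {figures_histogram(DOWNLOADS)}")
    mean_factor, geo_factor = fudge_effect(DOWNLOADS)
    print(f"dropping the top title divides the mean by {mean_factor:.0f}")
    print(f"and the geometric mean by {geo_factor:.1f}")
```

On the raw scale the standard deviation exceeds the mean and the mean overstates every title but one, which is the signal that the average should not be reported on its own.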
<br />
Next week, I'll have a post about why logarithmic scales make sense for measuring open-access usage, and maybe another about how log-normal statistics could save civilization.</div>
Posted by Eric<br />
<br />
On the Surveillance Techno-state<br />
Published 2018-12-31; updated 2018-12-31<br />
<br />
I used to run my own mail server. But then came the spammers. And dictionary attacks. All sorts of other nasty things. I finally gave up and turned to Gmail to maintain my online identities. Recently, one of my web servers has been attacked by a bot from a Russian IP address which will eventually force me to deploy sophisticated bot-detection. I'll probably have to turn to Google's recaptcha service, which watches users to check that they're not robots.<br />
<br />
Isn't this how governments and nations formed? You don't need a police force if there aren't any criminals. You don't need an army until there's a threat from somewhere else. But because of threats near and far, we turn to civil governments for protection. The same happens on the web. Web services may thrive and grow because of economies of scale, but just as often it's because only the powerful can stand up to storms. Facebook and Google become more powerful, even as civil government power seems to wane.<br />
<br />
When a company or institution is successful by virtue of its power, it needs governance, lest that power go astray. History is filled with examples of power gone sour, so it's fun to draw parallels. Wikipedia, for example, seems to be governed like the Roman Catholic Church, with a hierarchical priesthood, canon law, and sacred texts. Twitter seems to be a failed state with a weak government populated by rival factions demonstrating against the other factions. Apple is some sort of Buddhist monastery.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiuA3IXOQgNT5BbVOKqFFpVqv-YJqFRBSrENsn_Toa6jK0gavAtkAEq6md5pJLwljm2OnGPqah0U10N1jhVveW0Yxr3Ifb1Pl4vTLvpwX29LjjIq5S36DvoXtLcTTbWgCSymgHFGaRRQk4/s1600/flogo_RGB_HEX-1024.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="1024" data-original-width="1024" height="200" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiuA3IXOQgNT5BbVOKqFFpVqv-YJqFRBSrENsn_Toa6jK0gavAtkAEq6md5pJLwljm2OnGPqah0U10N1jhVveW0Yxr3Ifb1Pl4vTLvpwX29LjjIq5S36DvoXtLcTTbWgCSymgHFGaRRQk4/s200/flogo_RGB_HEX-1024.png" width="200" /></a></div>
This year it became apparent to me that Facebook is becoming the internet version of a totalitarian state. It's become so ... needy. Especially the app. It's constantly inventing new ways to hoard my attention. It won't let me follow links to the internet. It wants to track me at all times. It asks me to send messages to my friends. It wants to remind me what I did 5 years ago and to celebrate how long I've been "friends" with friends. My social life is dominated by Facebook to the extent that I can't delete my account.<br />
<br />
That's no different from the years before, I suppose, but what we saw this year is that Facebook's governance is unthinking. They've built a machine that optimizes everything for engagement and it's been so successful that they don't know how to re-optimize it for humanity. They can't figure out how to avoid being a tool of oppression and propaganda. Their response to criticism is to fill everyone's feed with messages about how they're making things better. It's terrifying, but it could be so much worse.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjT42j-9RUxJI9cM4xgiXdkKBRoIcaRPzzgeDcf_RfLAVLksOODsyDPrCBZiOhbqAAjdLQLXhM_EpCMOd-xBN_lMlvrm5jCHcn1ia47bWTzUOL-KXynlsclE6uCQ-qgdc0x-2bspvxznPU/s1600/gstar.png" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" data-original-height="1531" data-original-width="1600" height="191" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjT42j-9RUxJI9cM4xgiXdkKBRoIcaRPzzgeDcf_RfLAVLksOODsyDPrCBZiOhbqAAjdLQLXhM_EpCMOd-xBN_lMlvrm5jCHcn1ia47bWTzUOL-KXynlsclE6uCQ-qgdc0x-2bspvxznPU/s200/gstar.png" width="200" /></a></div>
I get the impression that Amazon is governed by an optimization for efficiency.<br />
<br />
How is Google governed? There has never existed a more totalitarian entity, in terms of how much it knows about every aspect of our lives. Does it have a governing philosophy? What does it optimize for?<br />
<br />
In a lot of countries, it seems that the civil governments are becoming a threat to our online lives. Will we turn to Wikipedia, Apple, or Google for protection? Or will we turn to civil governments to protect us from Twitter, Amazon and Facebook? Will democracy ever govern the Internet?<br />
<br />
Happy 2019!<br />
<br />
Posted by Eric<br />
<br />
Towards Impact-based OA Funding<br />
Published 2018-12-27; updated 2019-01-03<br />
<br />
Earlier this month, I was invited to <a href="https://bisg.org/news/425548/BISG-Releases-Draft-White-Paper-on-Open-Access-Ebook-Usage.htm">a meeting</a> sponsored by the <a href="https://mellon.org/">Mellon Foundation</a> about aggregating usage data for open-access (OA) ebooks, with a focus on scholarly monographs. The "problem" is that open licenses permit these ebooks to be liberated from hosting platforms and obtained in a variety of ways. A scholar might find the ebook via a search engine, on social media or on the publisher's web site; or perhaps in an index like Directory of Open Access Books (<a href="https://doab.org/">DOAB</a>), or in an aggregator service like <a href="https://jstor.org/">JSTOR</a>. The ebook file might be hosted by the publisher, by <a href="https://oapen.org/">OAPEN</a>, on <a href="https://archive.org/">Internet Archive</a>, <a href="https://dropbox.com/">Dropbox</a>, <a href="https://github.com/">Github</a>, or <a href="https://unglue.it/">Unglue.it</a>. Libraries might host files on institutional repositories, or scholars might distribute them by email or via <a href="https://researchgate.net/">ResearchGate</a> or discipline oriented sites such as <a href="https://hcommons.org/">Humanities Commons</a>.<br />
<br />
I haven't come to the "problem" yet. Open access publishers need ways to measure their impact. Since the whole point of removing toll-access barriers is to increase access to information, open access publishers look to their usage logs for validation of their efforts and mission. Unit sales and profits do not align very well with the goals of open-access publishing, but in the absence of sales revenue, download statistics and other measures of impact can be used to advocate for funding from institutions, from donors, and from libraries. Without evidence of impact, financial support for open access would be based more on faith than on data. (Not that there's anything <i>inherently</i> wrong with that.)<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiJUx7lNEdqBenJ6yAhxFtLUFf5GQYLg9SpYtRR2zPvxmFR_k0V0-Fu3dFD1JG8-xHgbbVViaiuPoWWivovxhZY8bun8Qbek2IKnR_-D6SxasvHDpV7fKWUc2NWUMwyMoQiw4INaj7dyEY/s1600/IMG_5460.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="671" data-original-width="1600" height="167" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiJUx7lNEdqBenJ6yAhxFtLUFf5GQYLg9SpYtRR2zPvxmFR_k0V0-Fu3dFD1JG8-xHgbbVViaiuPoWWivovxhZY8bun8Qbek2IKnR_-D6SxasvHDpV7fKWUc2NWUMwyMoQiw4INaj7dyEY/s400/IMG_5460.JPG" width="400" /></a></div>
<br />
What is to be done? The "monograph usage" meeting was structured around a "provocation": that somehow a non-profit "Data Trust" would be formed to collect data from all the providers of open-access monographs, then channel it back to publishers and other stakeholders in privacy-preserving, value-affirming reports. There was broad support for this concept among the participants, but significant disagreements about the details of how a "Data Trust" might work, be governed, and be sustained.<br />
<br />
Why would anyone trust a "Data Trust"? Who, exactly, would be paying to sustain a "Data Trust"? What is the product that the "Data Trust" will be providing to the folks paying to sustain it? Would a standardized usage data protocol stifle innovation in ebook distribution? We had so many questions, and there were so few answers.<br />
<br />
I had trouble sleeping after the first day of the meeting. At 4 AM, my long-dormant physics brain, forged in countless all-nighters of problem sets in college, took over. It proposed a <i>gedanken</i> experiment:<br />
<blockquote class="tr_bq">
<i>What <b>if </b>there <b>was</b> open-access monograph usage data that everyone really trusted? How might it be used?</i></blockquote>
The answer is given away in the title of this post, but let's step back for a moment to provide some context.<br />
<br />
For a long time, scholarly publishing was mostly funded by libraries that built great literature collections on behalf of their users - mostly scholars. This system incentivized the production of expensive must-have journals that expanded and multiplied so as to eat up all available funding from libraries. Monographs were economically squeezed in this process. Monographs, and the academic presses that published them, survived by becoming expensive, drastically reducing access for scholars.<br />
<br />
With the advent of electronic publishing, it became feasible to flip the scholarly publishing model. Instead of charging libraries for access, access could be free for everyone, while authors paid a flat publication fee per article or monograph. In the journal world, the emergence of this system has erased access barriers. The publication fee system hasn't worked so well for monographs, however. The publication charge (much larger than an article charge) is often out of reach for many scholars, shutting them out of the open-access publishing process.<br />
<br />
What if there was a funding channel for monographs that allocated support based on a measurement of impact, such as might be generated from data aggregated by a trusted "Data Trust"? (I'll call it the "OA Impact Trust", because I'd like to imagine that "impact" rather than a usage proxy such as "downloads" is what we care about.)<br />
<br />
Here's how it might work:<br />
<br />
<ol>
<li>Libraries and institutions register with the OA Impact Trust, providing it with a way to identify usage and impact relevant to the library or institution.</li>
<li>Aggregators and publishers deposit monograph metadata and usage/impact streams with the Trust.</li>
<li>The Trust provides <a href="https://www.projectcounter.org/">COUNTER</a> reports (suitably adapted) for relevant OA monograph usage/impact to libraries and institutions. This allows them to compare OA and non-OA ebook usage side-by-side.</li>
<li>Libraries and institutions allocate some funding to OA monographs.</li>
<li>The Trust passes funding to monograph publishers and participating distributors.</li>
</ol>
<br />
The incentives built into such a system promote distribution and access. Publishers are encouraged to publish monographs that actually get used. Authors are encouraged to write in ways that promote reading and scholarship. Publishers are also encouraged to include their backlists in the system, and not just the dead ones, but the ones that scholars continue to use. Measured impact for OA publication rises, and libraries observe that more and more, their dollars are channeled to the material that their communities need.<br />
<br />
Of course there are all sorts of problems with this <i>gedanken</i> OA funding scheme. If COUNTER statistics generate revenue, they will need to be secured against the inevitable gaming of the system and fraud. The system will have to make judgements about what sort of usage is valuable, and how to weigh the value of a work that goes viral against the value of a work used intensely by a very small community. Boundaries will need to be drawn. The machinery driving such a system will not be free, but it can be governed by the community of funders.<br />
<br />
Do you think such a system can work? Do you think such a system would be fair, or at least fairer than other systems? Would it be Good, or would it be Evil?<br />
<br />
Notes:<br />
<ol>
<li>Details have been swept under a rug the size of Afghanistan. But this rug won't fly anywhere unless there's willingness to pay for a rug.</li>
<li>The white paper draft which was the "provocation" for the meeting is <a href="https://bit.ly/monograph-data-trust">posted here</a>.</li>
<li>I've been thinking about this <a href="http://liblicense.crl.edu/ListArchives/0402/msg00045.html">for a while</a>.</li>
</ol>
Posted by Eric<br />
<br />
A Milestone for GITenberg<br />
Published 2018-10-30; updated 2018-10-30<br />
<br />
We've reached a big milestone for the GITenberg Project, which comes after a lot of work over 6 years by several groups of people. It's now ready to use!<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEggYgJHBlxVj55OnJwAcr-efRFPpcsBDKAjCa-cMzm2Pq80FwNnA-FXU2kaSKndNr-2T30Jm60ARVxQYtHwmM1EJ4t9J_o3Ubq6EPxcVjpkvn8WXWfyn6zEtj61GxxrGJjoYWYTXPRfElQ/s1600/GHgitenberg.png" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" data-original-height="492" data-original-width="1044" height="150" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEggYgJHBlxVj55OnJwAcr-efRFPpcsBDKAjCa-cMzm2Pq80FwNnA-FXU2kaSKndNr-2T30Jm60ARVxQYtHwmM1EJ4t9J_o3Ubq6EPxcVjpkvn8WXWfyn6zEtj61GxxrGJjoYWYTXPRfElQ/s320/GHgitenberg.png" width="320" /></a></div>
<br />
GITenberg is a prototype that explores how <a href="https://www.gutenberg.org/">Project Gutenberg</a> might work if all the Gutenberg texts were on <a href="https://github.com/">Github</a>, so that tools like version control, continuous integration, and pull-request workflow could be employed. We hope that Project Gutenberg can take advantage of what we've learned; work in that direction has begun but needs resources and volunteers. <a href="https://www.gitenberg.org/">Go check it out</a>!<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiXmlHdib2NzbvdjPw1VkL5RdmQMuS9Q6waUiz0_ZaABnxw-gqAPUVt3y12lovBZ4Ky13OT6tL5aCMRs6t0xC5UPbkVttHpw7m7zE3t2s-XgDWyda3YS_RBzCUiPddUxCrtFgImLCT6dFQ/s1600/booksplusgit.png" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" data-original-height="564" data-original-width="838" height="134" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiXmlHdib2NzbvdjPw1VkL5RdmQMuS9Q6waUiz0_ZaABnxw-gqAPUVt3y12lovBZ4Ky13OT6tL5aCMRs6t0xC5UPbkVttHpw7m7zE3t2s-XgDWyda3YS_RBzCUiPddUxCrtFgImLCT6dFQ/s200/booksplusgit.png" width="200" /></a></div>
It's hard to believe, but <a href="https://github.com/GITenberg">GITenberg</a> started 6 years ago when Seth Woodworth started making Github repos for Gutenberg texts. I joined the project two years later when I started doing the same and discovered that Seth was 43,000 repos ahead of me. The project got a big boost when the <a href="https://knightfoundation.org/">Knight Foundation</a> awarded us a <a href="https://americanlibrariesmagazine.org/2015/06/18/empowering-libraries-to-innovate/">Prototype Fund grant</a> to "explore the applicability of open-source methodologies to the maintenance of the cultural heritage" that is the Project Gutenberg collection. But there were big chunks of effort left to finish the work when that grant ended. Last year, six computer-science seniors from <a href="https://www.stevens.edu/">Stevens Institute of Technology</a> took up the challenge and brought the project within sight of a major milestone (if not the finishing-line). There remained only the reprocessing of 58,000 ebooks (with more being created every day!). As of last week, <b><a href="https://www.gitenberg.org/">we've done that!</a></b> Whew.<br />
<br />
So here's what's been done:<br />
<ul>
<li>Almost 57,000 texts from Project Gutenberg have been loaded into Github repositories.</li>
<li>EPUB, PDF, and Kindle Ebooks have been rebuilt and added to releases for all but about 100 of these.</li>
<li>Github webhooks trigger <a href="https://www.docker.com/">dockerized</a> ebook building machines running on <a href="https://aws.amazon.com/elasticbeanstalk/">AWS Elastic Beanstalk</a> every time a git repo is tagged.</li>
<li>Toolchains for <a href="http://asciidoc.org/">asciidoc</a>, HTML and plain text source files are running on the ebook builders.</li>
<li>A website at <a href="https://www.gitenberg.org/">https://www.gitenberg.org/</a> uses the webhooks to index and link to all of the ebooks.</li>
<li><a href="https://www.gitenberg.org/">www.gitenberg.org</a> presents links to Github, Project Gutenberg, <a href="https://librivox.org/">Librivox</a>, and <a href="https://standardebooks.org/">Standard Ebooks.</a></li>
<li>Cover images are supplied for every ebook.</li>
<li>Human-readable metadata files are available for every ebook.</li>
<li>Syndication feeds for these books are made available in <a href="https://www.editeur.org/11/Books/">ONIX</a>, <a href="https://www.loc.gov/marc/">MARC</a> and <a href="http://opds-spec.org/">OPDS</a> via <a href="https://unglue.it/api/help">Unglue.it</a>.</li>
</ul>
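A build machine that starts work whenever a webhook says a repo was tagged has to confirm that the delivery really came from Github and really is a tag event. The following is an added example, not GITenberg's own code: it checks Github's X-Hub-Signature-256 HMAC, the delivery id and the event type before accepting a build; the secret, repository name, tag and the name pattern are constructed assumptions.

```python
import hashlib
import hmac
import json
import re

# Conservative name pattern (an assumption, stricter than Github's own rules)
# so that accepted values are safe to pass on to a build job.
NAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,100}")


def signature_for(secret: bytes, body: bytes) -> str:
    """Value Github sends in X-Hub-Signature-256 for this raw request body."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


class BuildGate:
    """Decides whether a webhook delivery may start an ebook build."""

    def __init__(self, secret: bytes, allowed_owner: str):
        self.secret = secret
        self.allowed_owner = allowed_owner
        self.seen = set()  # delivery ids already handled

    def check(self, headers: dict, body: bytes):
        """Return (True, (repo, tag)) to build, or (False, reason) to refuse."""
        h = {k.lower(): v for k, v in headers.items()}

        # 1. Authenticate the raw bytes, in constant time, before parsing them.
        expected = signature_for(self.secret, body).encode()
        received = h.get("x-hub-signature-256", "").encode()
        if not hmac.compare_digest(expected, received):
            return False, "bad signature"

        # 2. Refuse a delivery that was already handled (replay).
        delivery = h.get("x-github-delivery", "")
        if not delivery or delivery in self.seen:
            return False, "missing or replayed delivery id"
        self.seen.add(delivery)

        # 3. Only the creation of a tag starts a build.
        if h.get("x-github-event") != "create":
            return False, "ignored event"
        try:
            payload = json.loads(body)
            ref_type = payload["ref_type"]
            tag = payload["ref"]
            full_name = payload["repository"]["full_name"]
        except (ValueError, KeyError, TypeError):
            return False, "malformed payload"
        if ref_type != "tag":
            return False, "not a tag"
        if not isinstance(tag, str) or not isinstance(full_name, str):
            return False, "malformed payload"

        # 4. Only repositories of the expected owner, with well-formed names.
        owner, _, repo = full_name.partition("/")
        if owner != self.allowed_owner:
            return False, "repository not allowed"
        if not NAME_RE.fullmatch(repo) or not NAME_RE.fullmatch(tag):
            return False, "unsafe repository or tag name"
        return True, (repo, tag)


# Constructed test values, not real credentials or a real repository.
SECRET = b"constructed-test-secret"
SAMPLE = {"ref": "0.1.0", "ref_type": "tag",
          "repository": {"full_name": "GITenberg/Example-Book_0000"}}


def make_delivery(payload, event="create", delivery="d-1", secret=SECRET):
    """Build the headers and body a correctly signed delivery would carry."""
    body = json.dumps(payload).encode()
    headers = {"X-GitHub-Event": event, "X-GitHub-Delivery": delivery,
               "X-Hub-Signature-256": signature_for(secret, body)}
    return headers, body


if __name__ == "__main__":
    gate = BuildGate(SECRET, "GITenberg")
    headers, body = make_delivery(SAMPLE)
    print(gate.check(headers, body))                      # accepted
    print(gate.check(headers, body))                      # replay refused
    headers, body = make_delivery(SAMPLE, delivery="d-2")
    print(gate.check(headers, body.replace(b"0.1.0", b"9.9.9")))  # tampered
```

The signature is computed over the exact bytes received, so the check has to run before any JSON parsing or re-serialization.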
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiHAAtRukSEsV_2e6Addacn63-QY_zSA9uCHymtub5Bp53SdeM4eROORkLgW3Xm5E8n8p3z9fJZujVM2lDu7hOpdYnthinUTj29shwrB1zMq7d7m3cXXfQ5VZmxTcfxG44SIFHJ2oiKYz0/s1600/covers.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="539" data-original-width="1600" height="107" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiHAAtRukSEsV_2e6Addacn63-QY_zSA9uCHymtub5Bp53SdeM4eROORkLgW3Xm5E8n8p3z9fJZujVM2lDu7hOpdYnthinUTj29shwrB1zMq7d7m3cXXfQ5VZmxTcfxG44SIFHJ2oiKYz0/s320/covers.png" width="320" /></a></div>
<br />
Everything in this project is built in the hope that the bits can be incorporated into Project Gutenberg wherever appropriate. In <a href="https://law.duke.edu/cspd/publicdomainday/">January 2019</a>, the US public domain will resume the addition of new books, so it's more important than ever that we strengthen the infrastructure that supports it.<br />
<br />
Some details:<br />
<ul>
<li><a href="https://github.com/GITenberg-dev">All of the software</a> that's been used is open source and content is openly licensed.</li>
<li>PG's <a href="https://github.com/gitenberg-dev/pg-epubmaker">epubmaker software</a> has been significantly strengthened and improved.</li>
<li>About 200 PG ebooks have had fatal formatting errors remediated to allow for automated ebook file production.</li>
<li><a href="https://github.com/gitenberg-dev/gitberg/blob/master/gitenberg/data/missing.tsv">1,363 PG ebooks</a> were omitted from this work due to licensing or because they aren't really books.</li>
<li>PG's RDF metadata files were converted to human-readable YAML and enhanced with data from New York Public Library and from Wikipedia.</li>
<li>Github API throttling limits the build/release rate to about 600 ebooks/hour/login. A full build takes about 4 full days with one github login.</li>
</ul>
Acknowledgements:<br />
<ul>
<li>Seth Woodworth. In retrospect, the core idea was obvious, audacious, and crazy. Like all great ideas.</li>
<li>Github tech support. Always responsive.</li>
<li>The O'Reilly <a href="https://github.com/oreillymedia/HTMLBook">HTMLBook</a> team. The asciidoc toolchain is based on their work.</li>
<li>Plympton. Many asciidoc versions were contributed to GITenberg as part of the "<a href="http://recoveringtheclassics.com/">Recovering the Classics</a>" project. Thanks to Jenny 8. Lee, Michelle Cheng, Max Pevner and Nessie Fox.</li>
<li>Albert Carter and Paul Moss contributed to early versions of the GITenberg website.</li>
<li>The Knight Foundation provided funding for GITenberg at a key juncture in the project's development through its prototype fund. The Knight Foundation supports public-benefitting innovation in so many ways even beyond the funding it provides, and we thank them with all our hearts.</li>
<li><a href="https://travis-ci.org/">Travis-CI</a>. The first version of automated ebook building took advantage of Travis-CI. Thanks!</li>
<li>Raymond Yee got the automated ebook building to actually work.</li>
<li><a href="https://nypl.org/">New York Public Library</a> contributed descriptions, rights info, and <a href="https://www.nypl.org/blog/2014/09/03/generative-ebook-covers">generative covers</a>. They also sponsored hackathons that significantly advanced the environment for public domain books. Special thanks to Leonard Richardson, Mauricio Giraldo and Jens Troeger (Bookalope).</li>
<li>My Board at the <a href="https://ebookfoundation.org/">Free Ebook Foundation</a>: Seth, Vicky Reich, Rupert Gatti, Todd Carpenter, Michael Wolfe and Karen Liu. Yes, we're overdue for a board meeting...</li>
<li>The Stevens GITenberg team: Marc Gotliboym, Nicholas Tang-Mifsud, Brian Silverman, Brandon Rothweiler, Meng Qiu, and Ankur Ramesh. They redesigned the gitenberg.org website, added search, added automatic metadata updates, and built the <a href="https://github.com/gitenberg-dev/gitberg-autoupdate">dockerized elastic beanstalk ebook-builder and queuing system</a>. This work was done as part of their two-semester capstone (project) course. The course is taught by Prof. David Klappholz, who managed a total of 23 student projects last academic year. Students in the course design and develop software for established companies, early stage startups, nonprofits, gov't agencies, etc., etc. Take a look at <a href="https://sites.google.com/view/sitseniordesign/home?authuser=0">detailed information</a> about software that has been developed over the past 6-7 years and details of how the course works. </li>
<li>Last, but certainly not least, Greg Newby (Project Gutenberg) for consistent encouragement and tolerance of our nit-discovery, Juliet Sutherland (<a href="https://www.pgdp.net/c/">Distributed Proofreaders</a>) for her invaluable insights into how PG ebooks get made, and to the countless volunteers at both organizations who collectively have made possible the preservation and reuse of our public domain.</li>
</ul>
I'm sure I've omitted an important acknowledgement or two - please let me know so I can rectify the omission.<br />
<br />
So what's next? As I mentioned, we've taken some baby steps towards <a href="https://github.com/gutenbergbooks">applying version control</a> to Project Gutenberg. But Project Gutenberg is a complex organism, and implementing profound changes will require broad consensus-building and resource gathering (both money and talent). <a href="https://www.gutenberg.org/">Project Gutenberg</a> and the <a href="https://ebookfoundation.org/">Free Ebook Foundation</a> are very lean non-profit organizations dependent on volunteers and small donations. What's next is really up to you!<br />
<br />
Posted by Eric<br />
<br />
eBook DRM and Blockchain play CryptoKitty and Mouse. And the Winner is...<br />
Published 2018-09-18; updated 2018-09-19<br />
<br />
If you want to know how blockchain relates to DRM and ebooks, it helps to understand <a href="https://www.cryptokitties.co/">CryptoKitties</a>.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi7oQWnpt6uJr7bLFJxcywnA49Gy_s3WOSguv4pALJsxuUQ3mx8TftWEwIDTAq05r-52NP21vRYkOf14F3ECI0586a4ITlxqxd8tvchR3KJf3PB_1HDCuYPxGGzXolWGTEtKqoRiZBR4Wk/s1600/kitty.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="752" data-original-width="842" height="178" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi7oQWnpt6uJr7bLFJxcywnA49Gy_s3WOSguv4pALJsxuUQ3mx8TftWEwIDTAq05r-52NP21vRYkOf14F3ECI0586a4ITlxqxd8tvchR3KJf3PB_1HDCuYPxGGzXolWGTEtKqoRiZBR4Wk/s200/kitty.png" width="200" /></a></div>
<span style="text-align: center;">CryptoKitties are essentially numbers that live in a game-like environment which renders cats based on the numbers. Players can buy, collect, trade, and breed their kitties. Each kitty is unique. Players let their kitties <a href="https://kittyrace.com/">play games</a> in the "<a href="https://venturebeat.com/2018/06/25/cryptokitties-launches-kittyverse-ecosystem-with-30-third-party-projects/">kittyverse</a>". Transactions involving CryptoKitties take place on the Ethereum blockchain. Use of the blockchain makes CryptoKitties different from other types of virtual property. The kitties can be traded outside of the game environment, and the kitties can't be confiscated or deleted by the game developers. In fact, the kitties could easily live in third-party software environments, though they might not carry their in-game attributes with them. Over 12 million dollars has been spent on CryptoKitties, and while you might assume <a href="https://www.businessinsider.com/cryptokitties-blockchain-beanie-babies-transactions-plummet-2018-6">they're a passing fad</a>, <a href="https://www.kittyexplorer.com/stats/">they haven't gone away</a>.</span><br />
<br />
It's weird to think about "<a href="https://en.wikipedia.org/wiki/Digital_rights_management">digital rights management</a>" (DRM) for CryptoKitties. Cryptography locks a kitty to a user's cryptocurrency wallet, but you can transfer a wallet to someone else by giving them your secret keys. With the key, you can do anything with the contents of the wallet. The utility of your CryptoKitty (your "digital rights") is managed by a virtual environment controlled by <a href="https://www.axiomzen.co/">Launch Labs, Inc.</a>, but until the kitties become sentient (15-20 years?) the setup doesn't trigger my distaste for DRM.<br />
<br />
Now, think about how Amazon's Kindle works. When you buy an ebook from Amazon, what you're paying for is a piece of virtual property that only exists in the Kindle virtual world. The Kindle software environment endows your virtual property with value - but instead of giving you the right to breed a kitty, you might get the right to read <i>about</i> a kitty. You're not allowed to exercise this right outside of Amazon's virtual world, and DRM exists to enforce Amazon's control of that right. You can't trade or transfer this right.<br />
<br />
Ebooks are different from virtual property, in important ways. Ebooks are words, ideas, stories that live just fine outside Kindle. DRM kills off this outside life, which is a sin. And it robs readers of the ability to read without Big Brother keeping track of every page they read. Most authors and publishers see DRM as a <i>necessary</i> evil, because they don't believe in a utopia where readers pay creators just because they're worth it.<br />
<br />
But what if it were possible to "CryptoKittify" ebooks? Would that mitigate the sins of DRM, or even render it unnecessary? Would it just add <a href="https://go-to-hellman.blogspot.com/2018/06/the-vast-potential-for-blockchain-in.html">the evils of blockchain</a> to the evils of DRM? Two startups, <a href="https://publica.com/">Publica</a> and <a href="https://www.scenarex.ca/en/">Scenarex</a>, are trying to find out.<br />
<br />
Depending on implementation, the "CryptoKittification" of ebooks could allow enhanced privacy and property rights for purchasers as well as transaction monitoring for rights holders. If a user's right to an ebook was registered on a blockchain, a reader application wouldn't need to "phone home" to check whether a user was entitled to open and use the ebook. Similarly, the encrypted ebook files could be stored on a distributed service such as <a href="https://en.wikipedia.org/wiki/InterPlanetary_File_System">IPFS</a>, or on a publisher's distribution site. The reader platform provider needn't separately verify the user. And just like printed books, a reader license could be transferred or sold to another user.<br />
<br />
Alas, the DRM devil is always in the details, which is why I quizzed both Scenarex and Publica about their implementations. The two companies have taken strikingly different approaches to the application of blockchain to the ebook problem.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://www.scenarex.ca/en/" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" data-original-height="61" data-original-width="300" height="40" src="https://www.scenarex.ca/assets/images/scenarex.png" width="200" /></a></div>
Scenarex, a company based in Montreal, has strived to make their platform familiar to both publishers and readers. You don't need to have cryptocurrency or a crypto-wallet to use their system, called "Bookchain". Their website will look like an online bookstore, and their web-based reader application will use ebooks in the EPUB format rendered by the open-source <a href="https://readium.org/">Readium</a> software being used by other ebook websites. All of the interaction with the blockchain will be handled in their servers. The affordances of their user-facing platform, at least in its initial form, should be very similar to other Readium-powered sites. For users, the only differences will be the license transfer options enabled by the blockchain and its content providers. Because the licenses will be memorialized on a blockchain, the possibility is open that they could be used in other reading environments.<br />
<br />
Scenarex's conservative approach of hiding most of the blockchain from users and rights holders means that almost all of Scenarex's blockchain potential is as yet unrealized. There's no significant difference in privacy compared to Readium's <a href="https://go-to-hellman.blogspot.com/2017/05/readiums-new-licensed-content.html">LCP DRM scheme</a>. License portability and transactions will depend on whether other providers decide to adopt Scenarex's license tokenization and publication scheme. Because blockchain interaction takes place behind Scenarex servers, the problems with blockchain immutability are mitigated along with the corresponding benefits to the purchaser. Scenarex expects to launch soon, but it's still too early to see if they can gain any traction.<br />
<br />
<div style="text-align: right;">
<a href="https://publica.com/" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" data-original-height="444" data-original-width="922" height="96" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhWRlUTdOGgW2AADxZHk68mp4fMMloY90rfkg8e-W5fZRVlt3kkTJcxHhX0ig4zgAWg-RxbxysUqqpyy97vJhQSn2yrYEqzuzuHFMfvrFBdekZ_Pcb3Soe2QleUgMnL_3IxNxMiWS6BxgU/s200/publica.png" width="200" /></a></div>
Publica, by contrast, has chosen to propose a truly radical course for the ebook industry. Publica, with development offices in Latvia, doesn't make sense if you think of it as an ebook store; it only makes sense if you think of it as a crowd-funding platform for ebooks. (<i>Disclosure</i>: <a href="https://unglue.it/">Unglue.it</a>, a website I founded and run as part of the <a href="https://ebookfoundation.org/">Free Ebook Foundation</a>, started life as a crowd-funding platform for free ebooks.)<br />
<br />
Publica invites authors to create "<a href="https://en.wikipedia.org/wiki/Initial_coin_offering">initial coin offerings</a>" (ICOs) for their books. An author raising funds for their book sells read tokens for the book to investors, presumably in advance of publication. When the book is published, token owners get to read the book. Tokens can be traded or sold in Ethereum blockchain-backed transactions.<br />
<br />
From an economic point of view, this doesn't seem to make much sense. If the token marketplace is efficient, the price of a token will fluctuate until the supply of tokens equals the number of people who want continuing access to the book. Sell too many tokens, and the price crashes to near zero. In today's market for books, buyers are motivated by word of mouth, so newly published books, especially by unknown authors, are given out free to reviewers and other influencers. To make money with an ICO, in contrast, an author will need to <i>limit</i> the supply so as to support the token's attractiveness to investors, and thus the book's price.<br />
<br />
In many ways, however, book purchasers don't act like economists. They keep their books around forever. They accumulate TBR piles. Yes, they'll give away or sell books, but that is typically to enable further accumulation. They'll borrow a book from the library, read it, and THEN buy it. Book purchasers <i>collect</i> books. Which brings us back to CryptoKitties.<br />
<br />
In May of 2018, a CryptoKitty <a href="https://www.nytimes.com/2018/05/18/style/cryptokitty-auction.html">sold at auction</a> for over $140,000. That's right, someone paid 6 figures for what is essentially a number! Can you imagine someone paying that much for a copy of a book?<br />
<br />
<a href="https://commons.wikimedia.org/wiki/File:Title_page_William_Shakespeare%27s_First_Folio_1623.jpg" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;" title="Martin Droeshout
[Public domain], via Wikimedia Commons"><img alt="Title page William Shakespeare's First Folio 1623" height="200" src="https://upload.wikimedia.org/wikipedia/commons/thumb/8/8c/Title_page_William_Shakespeare%27s_First_Folio_1623.jpg/256px-Title_page_William_Shakespeare%27s_First_Folio_1623.jpg" width="125" /></a>
I can imagine that. In 2001, a <a href="https://en.wikipedia.org/wiki/First_Folio">First Folio edition</a> of Shakespeare's plays sold for over $6,000,000! Suppose that J. K. Rowling had sold 100 digital first editions of <a href="https://en.wikipedia.org/wiki/Harry_Potter_and_the_Philosopher%27s_Stone"><i>Harry Potter and the Philosopher's Stone</i></a> in 1996 to make ends meet. How much do you think someone would pay for one of those today, assuming the provenance and "ownership" could be unassailably verified?<br />
<br />
CryptoKitties might be cute and they might have rare characteristics, but many more people develop powerful emotional attachments to books, even if they're just words or files full of bytes. A First Folio is an important historical artifact because of the huge cultural impact of the words it memorializes. I think it's plausible that a digital artifact could be similarly important, especially if its original sale provided support to its artist.<br />
<br />
This brings me back to DRM. I asked the CTO of Publica, Yuri Pimenov, about it, and he seemed apologetic.<br />
<blockquote class="tr_bq">
Even Amazon's DRM can be easily removed (I did it once). So, let's assume that DRM is a little inconvenience that [...] people are ready to pay [to get around]. And besides the majority of people are good and understand that authors make a living by writing books...</blockquote>
Publica's app uses a cryptographic token in the Blockchain to allow access to the book contents, and does DRM-ish things like disabling quoting. But since the cryptographic token is bound to a cryptographic wallet, not a device or an account, it just papers over author concerns such as piracy. Pimenov is correct to note that it's the reader's relationship to the author that should be cemented by the Publica marketplace. Once Publica understands that memorializing readers supporting authors is where their success can come from, I think they'll realize that DRM, by restricting readers and building moats around literature, is counterproductive. To make an ebook into a collectable product, we don't need DRM, we need "DRMem": Digital Rights Memorialization.<br />
<br />
So, I'm surprised to be saying this, but... CryptoKitties win!<br />
<br />
More Links:<br />
<ul>
<li><a href="https://www.forbes.com/sites/billrosenblatt/2018/08/18/can-blockchains-disrupt-the-e-book-market-two-startups-will-find-out/">Can Blockchain Disrupt The E-Book Market? Two Startups Will Find Out</a> - Bill Rosenblatt</li>
<li><a href="https://copyrightandtechnology.com/2018/08/17/blockchain-comes-to-e-books-drm-included/">Blockchain Comes to E-Books, DRM Included</a> - Bill Rosenblatt</li>
<li><a href="https://www.publishersweekly.com/pw/by-topic/international/london-book-fair/article/76592-london-book-fair-2018-meet-the-world-s-first-1-bestselling-blockchain-author.html">London Book Fair 2018: Meet the World’s First #1 Bestselling ‘Blockchain’ Author</a> - Andrew Albanese</li>
<li><a href="https://content-blockchain.org/">The Content Blockchain Project</a></li>
<li><a href="https://bitrights.io/">BitRights - Blockchain Digital Content</a></li>
<li><a href="https://blog.joincivil.com/">Civil - The Decentralized Marketplace for Sustainable Journalism</a></li>
</ul>
Erichttp://www.blogger.com/profile/04483241450401134977noreply@blogger.com7tag:blogger.com,1999:blog-4990922102626688253.post-6772304443233064922018-08-02T11:31:00.000-04:002018-08-02T11:31:46.129-04:00My Face is Personally Identifiable Information<div dir="ltr" style="text-align: left;" trbidi="on">
<br />
Facial recognition technology used to be so adorable. When <a href="https://go-to-hellman.blogspot.com/2011/07/library-data-why-bother.html">I wrote about it 7 years ago</a>, the facial recognition technology in iPhoto was finding faces in shrubbery, but was also good enough to accurately see family resemblances in faces carved into a wall. Now, Apple thinks it's good enough to use for biometric logins, bragging that "<a href="https://support.apple.com/en-us/HT208108">your face is your password</a>".<br />
<br />
I think this will be my new password:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg0BHt_CuYB8_NUySAQJPh5DKqkvAsSYSidgqZNdddaroYi47wf-lS-TVRGsxzQvvXcN_byS7xiQN2b6-55_jvXycGwY9NroqA6Dso9aUD9_hBIe2CniR7GuucmX1s8i1AUaqnKkAF7Lr4/s1600/IMG_5244.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="379" data-original-width="698" height="173" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg0BHt_CuYB8_NUySAQJPh5DKqkvAsSYSidgqZNdddaroYi47wf-lS-TVRGsxzQvvXcN_byS7xiQN2b6-55_jvXycGwY9NroqA6Dso9aUD9_hBIe2CniR7GuucmX1s8i1AUaqnKkAF7Lr4/s320/IMG_5244.JPG" width="320" /></a></div>
<br />
<br />
The <a href="https://www.aclu.org/other/aclu-opposes-use-face-recognition-software-airports-due-ineffectiveness-and-privacy-concerns">ACLU is worried</a> about the civil liberty implications of facial recognition and the machine learning technology that underlies it. I'm worried too, but for completely different reasons. The ACLU has been generating a lot of press as they articulate their worries - that <a href="https://www.wired.com/story/amazon-facial-recognition-congress-bias-law-enforcement/">facial recognition is unreliable</a>, that it's <a href="https://www.nytimes.com/2018/07/26/technology/amazon-aclu-facial-recognition-congress.html">tainted by the bias inherent in its training data</a>, and that it will be used by governments as a tool of oppression. But I think those worries are short-sighted. I'm worried that facial recognition will be extremely accurate, that its training data will be complete and thus unbiased, and that everyone will be using it everywhere on everyone else and even an oppressive government will be powerless to preserve our meager shreds of privacy.<br />
<br />
We certainly need to be aware of the ways in which our biases can infect the tools we build, but the ACLU's argument against facial recognition invites the conclusion that things will be just peachy if only facial recognition were accurate and unbiased. Unfortunately, it will be. You don't have to read <a href="https://unglue.it/search/?q=Cory%20Doctorow&ty=au">Cory Doctorow's novels</a> to imagine a dystopia built on facial recognition. The progression of technology is such that multiple face recognizer networks could soon be observing us wherever we go in the physical world - the same way that we're recognized at every site on the internet via web beacons, web profilers and other spyware.<br />
<br />
The problem with having your face as your password is that you can't keep your face secret. Faces aren't meant to be secret. Our faces <a href="http://news.berkeley.edu/2014/09/16/human-faces-are-so-variable-because-we-evolved-to-look-unique/">co-evolved with our brains to be individually recognizable</a>; evidently, having an identity confers a survival advantage. Our societies are deeply structured around our ability to recognize other people by their faces. We even put faces on our money!<br />
<br />
Facial recognition is not new at all, but we need to understand the ways in which machines doing the recognizing will change the fabric of our societies. Let's assume that the machines will be really good at it. What's different?<br />
<br />
For many applications, the machine will be doing things that people already do. Putting a face-recognizing camera on your front door is just doing what you'd do yourself in deciding whether to open it. Maybe using facial recognition in place of a paper driver's license or passport would improve upon the performance of a TSA agent squinting at that awful 5-year-old photo of you. What's really transformative is the connectivity. That front-door camera will talk to FedEx's registry of delivery people. When you use your face at your polling place, the bureau of elections will make sure you don't vote anywhere else that day. And the ID-check that proves you're old enough to buy cigarettes will update your medical records. What used to identify you locally can now identify you globally.<br />
<br />
The reason that face-identity is so scary is that it's a type of identifier that has never existed before. It's globally unique, but it <a href="https://w3c-ccg.github.io/did-spec/">doesn't require a central registry</a> to be used. It's public, easily collected and you can't remove it. It's as if we all had to tattoo our <strike>prisoner</strike> social security numbers on our foreheads! Facial profiles can be transmitted around the world, and used to index ALL THE DATABASEZ!<br />
<br />
We can't stop facial recognition technology any more than we can reverse global warming, but we can start preparing today. We need to start by treating facial profiles and photographs as personally identifiable information. We have <a href="https://en.wikipedia.org/wiki/Privacy_Act_of_1974">some privacy laws</a> that cover so-called "PII", and we need to start applying them to photographs and facial recognition profiles. We can also impose strict liability for the misuse of biased, inaccurate facial recognition; slowing down the adoption of facial recognition technology will give our society a chance to adjust to its consequences.<br />
<br />
Oh, and maybe Denmark's <a href="https://www.nytimes.com/2018/08/01/world/europe/denmark-ban-muslim-veil.html">new law against niqabs</a> <a href="https://en.wikipedia.org/wiki/General_Data_Protection_Regulation">violates GDPR</a>?<br />
<div>
<br /></div>
</div>
Erichttp://www.blogger.com/profile/04483241450401134977noreply@blogger.com0