Personalization vs. privacy (Re: Lobbying for a dedicated web server)

Genny Engel gengel at sonoma.lib.ca.us
Tue Sep 7 17:42:26 EDT 2004


No ... even apart from data security/privacy issues, you wouldn't want
to store second copies of things like student data on your local server,
because they'd inevitably get out of sync with the master database. 
Instead, you'd want the master database to allow your server to query it
whenever authentication is required.  

Any kind of personalization you have set up on the local server (which
I assume is the kind of fun project you're referring to) could reference
local accounts that you allow users to set up on it, but if you need to
verify student status or the like, this should be based on the master
data, not the local accounts. 

In the case of the initial query on this topic, it sounded like they
were looking at housing the data on campus anyway, so for them the point
is probably moot, but your question is still interesting.  A lot of
times, trying to set up handy personalization features clashes
head-first into trying to keep patron data private, especially if the
personalization involves feeds from multiple sources, each with its own
authentication mechanism.   

We require signon with a library card number for everything from access
to our wireless hotspots to home access to databases.  None of this runs
off of separate copies of patron data; most of it passes through an
authentication server that queries yet another server for information
from the patron database itself.  Once you get to some vendors'
databases, you can sign on separately to an account that you create
there, where you can store result lists, search histories, etc.  In this
case there's no connection between you as a person with result lists,
and you as a member of the authorized group -- the personalization and
authentication are handled completely separately.

Similarly, to the extent I'd add personalization/profiles/accounts to
our public web server, I don't think I'd let it have anything to do with
authentication.  If I needed your library card number, I'd most likely
prompt for it separately and hang onto it only long enough to validate
it.   I'd attempt to minimize how often I pester you for this
information (perhaps by tying the current authentication status to the
local account, without tying the authentication data itself to the
account), but I wouldn't store your library card number on the public
web server, that's for sure.

Sure, for maximal convenience, you'd have a single sign-on for both
personalization and authentication everywhere you go ... but the fact
is, you don't.  If you want to read your MSN mail, check your Amazon
order status, and renew your library books, I cannot do this for you
with single signon unless I have wayyyyyyyy too much information about
you!



Genny Engel
Internet Librarian
Sonoma County Library
gengel at sonoma.lib.ca.us
707 545-0831 x581
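
An added example, not part of the message above or of any library's actual code: a Python sketch of the design the message describes, where the card number is checked against the master data and only the resulting status, with an expiry, is tied to the local personalization account. The names `query_master`, `LocalAccounts`, `VERIFIED_TTL` and the sample card numbers are hypothetical.

```python
import time

# Constructed stand-in for the authentication server that queries the
# patron database; in a real deployment this would be a network call.
_MASTER_PATRONS = {"21234000000017", "21234000000025"}  # constructed card numbers

def query_master(card_number):
    """Ask the authoritative source whether this card is currently valid."""
    return card_number in _MASTER_PATRONS

VERIFIED_TTL = 8 * 3600  # assumption: re-prompt for the card after 8 hours

class LocalAccounts:
    """Personalization store on the public web server. Holds no card numbers."""

    def __init__(self):
        # username -> {"prefs": dict, "verified_until": float}
        self._accounts = {}

    def create(self, username, prefs=None):
        self._accounts[username] = {"prefs": dict(prefs or {}),
                                    "verified_until": 0.0}

    def verify_patron(self, username, card_number, now=None):
        """Validate the card against master data; persist only the outcome."""
        now = time.time() if now is None else now
        ok = query_master(card_number)
        # The card number is never written to the account record.
        self._accounts[username]["verified_until"] = (
            now + VERIFIED_TTL if ok else 0.0)
        return ok

    def is_verified(self, username, now=None):
        """True while the last successful validation has not expired."""
        now = time.time() if now is None else now
        return now < self._accounts[username]["verified_until"]

    def stored_record(self, username):
        """Copy of everything persisted for the account, for audit."""
        rec = self._accounts[username]
        return {"prefs": dict(rec["prefs"]),
                "verified_until": rec["verified_until"]}
```

A compromise of the local store in this sketch exposes preferences and an expiry timestamp, not credentials that work against the patron database.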

>>> Rosie Croft <Rosie.Croft at RoyalRoads.ca> 09/07/04 10:24AM >>>

We could not house any student info on off campus servers. Is that not a
complication in making some of the more fun PHP, etc. projects work well if
they require authentication to access?

-----Original Message-----
From: Michael J. Dargan [mailto:dargan at wplwloo.lib.ia.us] 
Sent: Friday, September 03, 2004 2:51 PM
To: Multiple recipients of list
Subject: [WEB4LIB] Re: Lobbying for a dedicated web server


Andrew Darby wrote:

>Hello, all.  I'm at a smallish academic library, and currently we have a
>little folder on the university's web server, without access to
>goodies/basic human necessities like PHP and MySQL.  As such, we are
>about to lobby for our own web server, presumably to be hosted by campus
>in their climate controlled room.
>
>My question, then, is:  What sort of resistance should I expect?  What
>sorts of concerns are likely to be voiced (and what are reasonable
>countering arguments)?
>  
>
You can get the above services from a commercial site for a fee that
would be negligible compared to the cost of buying, feeding, and
watering your own box.  What could you do on an aging (yes, once you buy
them, they start growing old) box that sits in the campus server room
that you could not do with space on a box that sits someplace else?  Maybe
in a land far, far, away where barefoot children making pennies a day
manage the updates, backups, and replacement of failed power supplies
and controller cards?

--mike

>Perhaps I am wrong, but if the IT folks
>
>1. do the initial setup of a LAMP (Linux/Apache/MySQL/PHP) environment,
>with the security to their liking
>
>and 2. integrate this box into their backup routine (I believe they do a
>middle of the night cron job)
>
>there should be little or no overhead on their part.  By gum, it would
>be one less thing for them to worry about! My recollection from a
>previous incarnation, is that Apache servers are pretty stable, and
>don't require much (if any) maintenance . . .
>
>And as a bonus, in the unlikely event we do something stupid and crash
>the server, the campus at large is insulated.  (We currently have full
>access to the library folder on the existing server.)
>
>Any thoughts, suggestions, etc.?
>
>Thanks,
>
>Andrew Darby


-- 
Michael J. Dargan                         |  voice 391 291 4496
Technical Services Librarian              |  fax   319 291 6736
Waterloo and Cedar Falls Public Libraries |  www.wplwloo.lib.ia.us 






More information about the Web4lib mailing list