Proposal to install spyware in university libraries to protect copyrights shocks academics

A recent proposal recommending the deployment of surveillance software in order to monitor those accessing academic material has drawn fire from digital rights advocates and scientists.

The plan was outlined on October 22 during a webinar hosted by a consortium of the world’s leading publishers of scientific journals, in which security experts discussed the threats that cyber-criminals and digital piracy pose to academic research.

One speaker proposed a novel tactic publishers could take to protect their intellectual property rights against data theft: introducing spyware into the proxy servers academic libraries use to allow access to their online services, such as publishers’ databases.

The speaker, Corey Roach, a security officer at the University of Utah, described a plug-in that could collect “biometric data, which can be things like how quick did they type, how do they move their mouse,” in order to distinguish and identify individual users, who are otherwise anonymized by university proxy servers.

“We have a lot more than just their username and password,” Roach said in the webinar. “It might be information about them as a student or an employee. We get the customer IP address of where they’re coming from and the URLs for the material they’ve requested.”

To incentivize libraries to install the software, Roach suggested offering them discounts on publisher databases in exchange.

The webinar was hosted by a new group called the Scholarly Networks Security Initiative (SNSI), the joint creation of Elsevier, Springer Nature, and other top academic publishers who banded together in February with the stated mandate of protecting higher education from cybercriminals and websites like Sci-Hub, a “shadow library” which illegally hosts and enables free access to copies of millions of research papers normally hidden behind publisher paywalls.

After a transcript of the remarks circulated, scientific researchers and digital rights advocates expressed alarm at the prospect of academic libraries teaming up with major publishers to surveil students and researchers.

“It’s deeply disturbing that academic publishers have plans to introduce thinly disguised spyware in university libraries of all places,” wrote Bastian Greshake Tzovaras, a fellow at the Paris-based Center for Research and Interdisciplinarity, in an email interview for this story.

Roach did not respond to an interview request for this story.

The drive to protect copyrights stems from a decades-long battle in the scientific research community over academic publishers’ lucrative profit model, which critics charge is damaging to science and parasitic on the academic system. Publishers charge exorbitant prices for subscriptions — in 2018, the University of California paid Elsevier, the largest scientific publisher, nearly $11 million for access to its journals — while largely relying on publicly funded research for the content of their publications, and the free labor of university-employed peer reviewers.

This conflict has engendered mass boycotts by thousands of scientists at top universities, and the cancellation of subscriptions to Elsevier-hosted journals by nearly 300 German and Swedish universities in 2018 and by the University of California in 2019.

Sci-Hub, founded in 2011 by Kazakhstan-born Russian computer programmer Alexandra Elbakyan, is frequently referenced by publishers to explain the need for tough anti-piracy measures. While publishers condemn Sci-Hub, which now hosts nearly 85 million papers, for its violation of their intellectual property, proponents of the “open access” movement in science say it has given universities crucial bargaining power in their efforts to negotiate with publishers for better subscription deals.

The controversy over Sci-Hub is often described by both advocates and critics of the shadow library as science’s “Napster moment,” in reference to the conflict between music labels and file-sharing platforms over digital piracy in the 2000s. Elbakyan has been frequently compared to the American whistleblower Edward Snowden and the internet freedom activist Aaron Swartz. She has also been accused, albeit without publicly available evidence, of being connected to Russian intelligence.

Publishers have tried a variety of methods, largely without success, to crack down on Sci-Hub. But the October webinar reflected their newest tactic: arguing that the shadow library does not merely undermine their profit model, but that its activities amount to state-sponsored cybercrime and pose a security threat to universities.

So far, the proposal to install surveillance software in university libraries is only hypothetical. But Björn Brembs, who is part of a collective of academics lobbying the European Union to restrict the ability of publishers to surveil users of their own platforms, told me such a strategy would be “consistent with what we found out when we were researching the surveillance practices of publishers generally.” Academic publishers have come under increasing criticism for partnering with security companies, which also act as data brokers, meaning user data collected on publisher databases can be sold for profit or shared with law enforcement.

Brembs, a professor of neurobiology at the University of Regensburg, was the first to obtain the transcript of the SNSI webinar, and publicized it on his blog.

Brembs told me the kind of surveillance suggested at the SNSI webinar poses a special threat to researchers whose academic freedom could be infringed upon “either if you’re working in a hot button issue or if you work with vulnerable individuals, if you’re doing medical or sociological research.”

In emailed statements, both the SNSI and Elsevier said the initiative’s objective was to protect “the safety and security of personal and institutional data.” The SNSI said it is not introducing spyware into university libraries to block or monitor access to Sci-Hub.

Leonhard Dobusch, an economist at the University of Innsbruck, argued that, rather than protecting user security, the proposed program “actually creates security risks, creates privacy risks, because this software collects a lot of personalized data.”

Dobusch said the true objective behind the implementation of any surveillance technology would be “to make it harder to access shadow libraries from university networks” — an escalation of the measures publishers currently take against Sci-Hub. Among them is DNS blocking, a strategy for restricting access to websites, which has had the effect of forcing Sci-Hub to repeatedly change its domain name and maintain a list of currently operational links to the library.

But like previous efforts, the new tactic, if implemented, seems unlikely to be very effective in counteracting digital piracy.

“Given the history of the internet, I’m doubtful that introducing spyware will be the smashing success publishers might hope for as circumventing digital copy-restrictions is as old as the internet itself,” said Tzovaras.