There are other approaches that make tracking
user reading more difficult, rather than less so.
One such is Shibboleth, software that enables a
user at one participating institution, say, the University of Michigan, to access electronic resources
at another, say, the University of Illinois. A user
authenticates at the University of Michigan. The
user, however, is identified to the University of
Illinois not by personal identifier such as name
or e-mail address but by her right to the resource.
This could be because she is a member of the
University of Michigan community (student or
staff), a participant in a particular course, or one
of a set of users authorized to access particular
resources. Unless the information is specifically
needed, the University of Illinois does not learn
the user’s actual online identity. The Family Educational Rights and Privacy Act, which protects
the privacy of student educational records, and
the fact that librarians view reader privacy as
fundamental motivated this privacy-protective
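The attribute-release pattern described above, as an added example written for this page rather than Shibboleth's own code: the home identity provider (IdP) authenticates the user and asserts only the attributes each service provider (SP) is entitled to, so the remote library learns that the user holds a given entitlement but not who she is. The attribute names eduPersonAffiliation and eduPersonEntitlement follow the eduPerson schema Shibboleth deployments use; the user record, the SP entity IDs, the release policy and the IdP secret are constructed for the example.

```python
# Added example (not Shibboleth's own code): attribute release and
# entitlement-based authorization in a Shibboleth-style federation.
# Attribute names eduPersonAffiliation / eduPersonEntitlement follow the
# eduPerson schema Shibboleth deployments use; the user record, the
# service-provider entity IDs, the release policy and the IdP secret are
# constructed for this example.
import hashlib
import hmac

# Constructed record held by the home institution's identity provider (IdP).
USER = {
    "uid": "jdoe",
    "displayName": "Jane Doe",
    "mail": "jdoe@umich.example",
    "eduPersonAffiliation": ["student", "member"],
    "eduPersonEntitlement": [
        "urn:mace:dir:entitlement:common-lib-terms",  # library resources
        "urn:x-example:course:eecs588",               # a course roster (hypothetical value)
    ],
}

# Per-service-provider (SP) release policy, constructed here; a real IdP
# keeps this in its attribute filter configuration. An attribute not
# listed for an SP never leaves the IdP, and an SP not listed at all
# receives nothing.
RELEASE_POLICY = {
    "https://library.illinois.example/shibboleth": {
        "eduPersonAffiliation", "eduPersonEntitlement",
    },
    "https://hr.umich.example/shibboleth": {
        "uid", "displayName", "mail", "eduPersonAffiliation",
    },
}

IDP_SECRET = b"constructed-idp-secret"  # hypothetical per-IdP secret


def release_attributes(user, sp_entity_id, policy=RELEASE_POLICY):
    """IdP side: the attributes asserted to this SP after the user has
    authenticated at home. Identity fields (uid, mail, displayName) are
    released only to SPs the policy says need them."""
    allowed = policy.get(sp_entity_id, set())
    return {name: value for name, value in user.items() if name in allowed}


def pseudonymous_id(uid, sp_entity_id, secret=IDP_SECRET):
    """An opaque, SP-specific identifier (the idea behind Shibboleth's
    persistent NameID / eduPersonTargetedID). The same user gets the same
    value at one SP, so the SP can recognise a returning user, while two
    SPs receive different values and cannot correlate them."""
    msg = f"{uid}|{sp_entity_id}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:32]


def sp_authorize(assertion, required_entitlement):
    """SP side: grant access on the asserted entitlement alone. The SP
    never needs, and here never receives, the user's name or e-mail."""
    return required_entitlement in assertion.get("eduPersonEntitlement", [])


if __name__ == "__main__":
    sp = "https://library.illinois.example/shibboleth"
    asserted = release_attributes(USER, sp)
    print("released to library SP:", sorted(asserted))
    print("pseudonym at library SP:", pseudonymous_id(USER["uid"], sp))
    print("library access:",
          sp_authorize(asserted, "urn:mace:dir:entitlement:common-lib-terms"))
```

The privacy property lives in the release policy, not in the SP: the library SP is never handed name or e-mail, and its opaque identifier is keyed to the SP so it cannot be joined with another SP's records. Per the text, the policy can still release identity to an SP that genuinely needs it, as the HR entry shows.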
A potentially powerful approach to controlling
data usage is “accountable http,” a variant of the
http protocol. Proposed by MIT researchers Oshani Seneviratne and Lalana Kagal, httpa creates a
system to track information usage (17). The sys-
tem consists of a user who wishes to access data
that have usage restrictions (e.g., no sharing, no
sharing without informing the data owner, etc.);
a data provider using an httpa server; and a
Provenance Tracking Network (PTN). The PTN
is a network of servers that log each data access
and usage, either from the original data provider
or any user downstream.
The magic behind the system is httpa, a protocol that conveys usage restrictions between the
data providers and data users, creating a log in the
PTN for each time a protected resource is accessed.
These logs do not enforce compliance but can be
used to determine it. This general approach to
controlling data usage has only been tested in a
small-scale effort; whether it can scale to the
Internet is unclear. But it might be valuable in limited settings, such as patient health data, where a
motivator might be the Health Insurance Portability and Accountability Act (HIPAA), the U.S.
law that restricts the sharing of patient medical data.
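The accountability model described above (a provider attaches usage restrictions, every access by the provider's direct users and by anyone downstream is logged in the PTN, and the log supports determining compliance rather than enforcing it), as an added example written for this page. It is not the httpa implementation: the event fields, the restriction vocabulary ("no-share", "share-with-notice") and the sample log are constructed and are not httpa's actual header syntax or the PTN's wire format.

```python
# Added example (not the httpa implementation): a provenance log of the
# kind an httpa server and its downstream users would send to a
# Provenance Tracking Network (PTN), plus an offline audit over it. The
# event fields, the restriction vocabulary ("no-share",
# "share-with-notice") and the sample log below are constructed for this
# example and are not httpa's actual header syntax or the PTN wire format.
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    seq: int           # position in the PTN log (append-only)
    resource: str      # the protected resource
    actor: str         # party performing the action
    action: str        # "fetch" | "notify" | "share"
    counterparty: str  # source of a fetch, recipient of a share or notify


PROVIDER = "provider.example"

# Restrictions the provider attached to each resource when it was served.
RESTRICTIONS = {
    "https://provider.example/records/42": "no-share",
    "https://provider.example/records/43": "share-with-notice",
}

# Constructed PTN log. Every access is logged, including the ones that
# breach a restriction: the log records, it does not block.
SAMPLE_LOG = [
    Event(1, "https://provider.example/records/42", "alice", "fetch", PROVIDER),
    Event(2, "https://provider.example/records/43", "bob", "fetch", PROVIDER),
    Event(3, "https://provider.example/records/43", "bob", "notify", PROVIDER),
    Event(4, "https://provider.example/records/43", "bob", "share", "carol"),
    Event(5, "https://provider.example/records/42", "alice", "share", "dave"),
    Event(6, "https://provider.example/records/43", "carol", "share", "erin"),
]


def holders(log, resource, provider=PROVIDER):
    """Reconstruct from the log which parties hold copies of a resource,
    following the chain of fetches and downstream shares."""
    held = {provider}
    for ev in sorted(log, key=lambda e: e.seq):
        if ev.resource != resource:
            continue
        if ev.action == "fetch":
            held.add(ev.actor)
        elif ev.action == "share" and ev.actor in held:
            held.add(ev.counterparty)
    return held


def audit(log, restrictions, provider=PROVIDER):
    """Return [(event, reason)] for shares that breach the resource's
    restriction. This determines compliance after the fact; it cannot
    prevent a share, and it cannot see a share that was never logged,
    which is the inherent limit of log-based accountability."""
    violations = []
    for ev in sorted(log, key=lambda e: e.seq):
        rule = restrictions.get(ev.resource)
        if ev.action != "share" or rule is None:
            continue
        if rule == "no-share":
            violations.append((ev, "shared under a no-share restriction"))
        elif rule == "share-with-notice":
            notified = any(
                e.action == "notify" and e.resource == ev.resource
                and e.actor == ev.actor and e.counterparty == provider
                and e.seq < ev.seq
                for e in log
            )
            if not notified:
                violations.append((ev, "shared without prior notice to the provider"))
    return violations


if __name__ == "__main__":
    for ev, reason in audit(SAMPLE_LOG, RESTRICTIONS):
        print(f"seq {ev.seq}: {ev.actor} -> {ev.counterparty}: {reason}")
    print("holders of record 43:",
          sorted(holders(SAMPLE_LOG, "https://provider.example/records/43")))
```

Two things the code makes concrete that the paragraph only states: the restriction follows the resource down the chain (carol, who received record 43 second-hand, is held to the same notice requirement as bob), and the audit is only as good as the log's completeness, which is why a PTN only helps where the parties are already motivated to log honestly, as in the HIPAA setting the text suggests.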
Online identities are used ubiquitously across
the Internet to access restricted resources (e.g.,
pay-for-use subscriptions or library memberships confined to a university community), to
post comments in restricted settings such as
YouTube, and to conduct business at a bank or
online broker. Although the need for secure, interoperable, and easy-to-use credentials for online
identities was clear, development and adoption
of such tools was slow.
The U.S. federal government stepped in, creating the National Strategy for Trusted Identities
in Cyberspace (NSTIC) to provide funding for
pilot programs and standards efforts that would
provide both privacy and security. Using access
to federal government sites as a lever, NSTIC
requires that private-sector identity providers
protect the privacy of information regarding
user activities on federal sites (18).
Tracking when a user visits a .gov website
can reveal private information about that user, e.g., an interest
in HIV/AIDS or in penalties for unpaid taxes.
Federal rules prevent identity providers from
using tracking information from federal sites
SCIENCE sciencemag.org 30 JANUARY 2015 • VOL 347 ISSUE 6221 505
Fig. 1. Permission to run software has become complicated. In signing “I accept”—typically necessary to use an application—the user agrees to collection
and use of information present on their device. Such data may not only be revelatory, it may also have been collected without the user’s knowledge or
understanding of what can be discovered from this information.