10/13/2020

Elsevier Deploys an End-user Tracking Tool for Security

What library users should know about their privacy

Earlier this year, Elsevier quietly began using a tracking system to detect potentially fraudulent behavior on their sites. This should come as a surprise to exactly no one. Elsevier and other publishers have been concerned about malicious behavior on their sites for a very long time. Elsevier is not the only publisher to use this class of online fraudulent behavior security service. There are other publishers using the same service that Elsevier is using. The question is, what is this service doing and is it problematic. As with all things in technology and, in particular, online security, the answer isn’t so simple.

The service being used by Elsevier is called ThreatMetrix and is owned and provided by the LexisNexis arm of the RELX holding company, which also owns Elsevier. At its most basic level, it is an anti-fraud service that makes an assessment about a user’s visit to a website, takes in available information about the state of the computer and what it knows about the user to discern what the site should allow the user to do. Slide 44 and 48 in this RELX corporate presentation provide a simple flow of the fraud services and how they work. Essentially, it is based on the premise that we can trust potential site visitors based on how much we know about them, their behavior and the state of their systems.

This service and others like it check against a variety of potential technical security signals that might indicate fraudulent behavior, such as is this device logging in from a significantly different network location (i.e., IP range) than usual, a single user signing in with many devices or whether ports that might be used to remotely control a device open and active, or other unusual web services are active in the browser. This particular segment of the security market is focused on network or device assessment, endpoint malware detection, behavior analytics and behavioral biometrics. The implementer of such a service can then adjust the site’s behavior based on a mix of these criteria to establish a rough estimate of the likelihood that this authentication process is legitimate.

Please select this link to read the complete article from The Scholarly Kitchen.