JSTOR takes a system-wide perspective in fulfilling its mission to build and maintain a trusted archive of important scholarly journals and to extend access to that archive as broadly as possible. By balancing the needs of the publishers, libraries, and scholars that we serve, our goal is to provide a resource that benefits all constituents in the scholarly community.
A good example of this balancing act can be seen in JSTOR's access methodology for the college and university community. For our participants in this community, JSTOR offers unlimited, site-wide access to the archive via IP-based authentication. At the same time, we establish relationships with our participating publishers to preserve and provide access to their backfiles under a set of defined conditions outlined in the Archive License Agreements signed by each participating institution. JSTOR takes very seriously its obligation to be a responsible steward of the content in the archive and satisfy its publisher commitments. Part of that obligation is to take measures to ensure that the JSTOR archive is made available only to authorized users. For example, we monitor for signs of excessive downloading, a behavior which may indicate attempts to obtain significant portions of the content in violation of our Terms and Conditions of Use (http://www.jstor.org/about/terms.html).
Recently, JSTOR experienced and responded to a deliberate effort to gain unauthorized access to the archive and to systematically download a very large number of articles. While working through this situation, we uncovered disturbing evidence about not only the methods used to gain access to JSTOR, but also the broad awareness of these methods within communities intent on illegally downloading licensed resources in general. The unauthorized use exploits unrestricted proxy servers on college and university campuses in order to gain access to any and all resources licensed by that campus. We are sharing this story broadly in the community to alert everyone to this serious weakness in this particular authentication approach. Although we cannot propose a simple solution to the problem, it is our hope that this story will contribute to a constructive and productive dialogue that will lead to the implementation of more effective methods for authentication - methods that will balance important issues such as broad access, security, privacy and user convenience.
Unauthorized Use of the Archive
Stephen Martin, JSTOR's User Services Technical Assistant, first noticed unusual patterns of use of the archive in August, and since then has worked diligently to uncover what was transpiring. Once it was clear that it was unauthorized activity, we began looking for ways to bring the abusive behavior to a halt. He describes the chain of events that led to his discovery:
Toward the end of August we noticed that an IP address at a participating site was downloading a lot of articles—hundreds of complete issues. We denied access to JSTOR from that address and sent a note to our contacts at the site. At this point, we had no reason to think that this was anything other than ordinary, "over-enthusiastic" use of the archive. A few days later, another address had a noticeably high number of article downloads, with hundreds of complete issues. So, again, we denied access from the second address and sent a message to our contacts there. Our first indication that something strange was afoot was in their reply. They had contacted the office to which the IP address in question belonged; no one there had been using JSTOR, and the machine that the IP address belonged to was an internal web server, and thus not a workstation from which people typically browsed the web.
The web server, which had been set up innocently and which was basically unused, was also an unrestricted, or "open" proxy server exploited as part of what now appeared to be a coordinated effort to download JSTOR content.
Proxy servers, by way of background, are computers with access to the Internet that are configured specifically to relay requests from one machine on the network to another machine. Proxies can serve a number of legitimate purposes. For example, in the case of electronic resources authenticated by IP address, they are often used to provide remote access to authorized faculty and students when they are away from the campus network. These proxies function acceptably as long as the appropriate measures are taken to ensure that only authorized users are allowed access. However, we are discovering that as proxy servers proliferate, many are being set up without proper access restrictions. It is not uncommon, for example, for individual departments on campuses to maintain their own proxies, or for students or staff to set up personal web servers and to unknowingly establish an "open" machine. When one of these unrestricted proxy servers is assigned an IP number within a range to which JSTOR has been instructed to allow access, literally anyone in the world with access to the Internet can access JSTOR via this proxy. These so-called "open proxies" provide wide-open gateways to any licensed resource or campus service which uses IP authentication.
In this specific instance, the unauthorized user had downloaded lists with the IP numbers of open proxy servers from web sites specializing in providing this information. Once these IP numbers were obtained, the user tested them to determine if they were authorized for access to JSTOR. From the IP numbers that did have access, downloading of articles commenced.
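The following is an added example and is not JSTOR's code or any campus's; it shows the check a campus administrator would run on the web server itself to find out whether it is relaying requests for outsiders. An open proxy leaves a distinctive trace in the server's own access log: request lines whose target is an absolute URI ("GET http://www.jstor.org/ HTTP/1.0") or a CONNECT to a host and port, coming from clients outside the campus address ranges. The campus ranges (192.0.2.0/24 and 198.51.100.0/24, documentation space), the common-log-format layout and the log lines below are all constructed for the example.

```python
# Added example (not JSTOR's code): find a web server that is acting as an
# open proxy by reading its own access log. All addresses and log lines are
# constructed; the campus ranges are a hypothetical allowlist.
import ipaddress
import re
from collections import Counter

# Hypothetical campus address ranges, i.e. the ranges an IP-authenticated
# resource provider would have been told to trust.
CAMPUS_NETS = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# NCSA common log format: client ident user [time] "method target proto" status bytes
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

# A target of the form scheme://host/... is a proxy request: the client asked
# this server to fetch someone else's page, not one of its own.
ABSOLUTE_URI_RE = re.compile(r'^[A-Za-z][A-Za-z0-9+.-]*://')


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_proxy_request(entry):
    """CONNECT tunnels and absolute-URI targets are both relays through this host."""
    return entry["method"] == "CONNECT" or bool(ABSOLUTE_URI_RE.match(entry["target"]))


def is_external(client):
    """True when the client address is outside every campus range."""
    try:
        addr = ipaddress.ip_address(client)
    except ValueError:
        return True  # unparseable client field: treat as untrusted
    return not any(addr in net for net in CAMPUS_NETS)


def target_host(entry):
    """Host the proxy was asked to reach (host:port for CONNECT)."""
    if entry["method"] == "CONNECT":
        return entry["target"].split(":")[0]
    return entry["target"].split("://", 1)[1].split("/", 1)[0]


def analyze(lines, min_relays=3):
    """Count successful relays made on behalf of off-campus clients.

    Returns (per_client, per_host, suspects): relay counts per external client,
    relay counts per destination host, and the clients at or above min_relays.
    """
    per_client = Counter()
    per_host = Counter()
    for line in lines:
        entry = parse_line(line)
        if entry is None or not is_proxy_request(entry):
            continue
        if not is_external(entry["client"]):
            continue  # on-campus use of a proxy is a policy matter, not open-proxy abuse
        if not entry["status"].startswith("2"):
            continue  # refused or failed relays are noise; the successful ones are the leak
        per_client[entry["client"]] += 1
        per_host[target_host(entry)] += 1
    suspects = [c for c, n in per_client.most_common() if n >= min_relays]
    return per_client, per_host, suspects


# Constructed log lines (not taken from JSTOR or any real campus server).
SAMPLE_LOG = [
    '192.0.2.10 - - [28/Aug/2000:10:01:02 -0400] "GET /index.html HTTP/1.0" 200 1843',
    '192.0.2.11 - - [28/Aug/2000:10:02:15 -0400] "GET http://www.jstor.org/ HTTP/1.0" 200 5120',
    '203.0.113.5 - - [28/Aug/2000:10:03:01 -0400] "GET http://www.jstor.org/ HTTP/1.0" 200 5120',
    '203.0.113.5 - - [28/Aug/2000:10:03:04 -0400] "GET http://www.jstor.org/ HTTP/1.0" 200 7731',
    '203.0.113.5 - - [28/Aug/2000:10:03:09 -0400] "GET http://www.jstor.org/ HTTP/1.0" 200 61022',
    '203.0.113.5 - - [28/Aug/2000:10:03:12 -0400] "GET http://www.jstor.org/ HTTP/1.0" 200 58810',
    '203.0.113.7 - - [28/Aug/2000:10:04:40 -0400] "CONNECT www.jstor.org:443 HTTP/1.0" 200 0',
    '203.0.113.9 - - [28/Aug/2000:10:05:00 -0400] "GET http://example.org/ HTTP/1.0" 403 231',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    clients, hosts, suspects = analyze(SAMPLE_LOG)
    for client in suspects:
        print(f"open-proxy abuse suspected: {client} relayed {clients[client]} requests")
    print("destinations reached through this host:", dict(hosts))
```

In the constructed sample the on-campus relay from 192.0.2.11 and the refused relay from 203.0.113.9 are ignored, and 203.0.113.5 is reported after four successful relays to www.jstor.org. On a real server the log should be read over a longer window and the campus ranges taken from the same list that was sent to the resource providers, since any range they trust is a range the proxy must not relay for. Finding a hit is the signal to close the relay (for Apache, ProxyRequests Off, or restricting proxying to campus addresses), not merely to block the one client seen.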
Implications for the Scholarly Community
This unauthorized use has been an eye-opening experience for us, and further research into open proxies has produced some disturbing findings. As we discovered early on, novices who are setting up web servers on their local machines don't always realize that there may be steps required to restrict open ports on these machines. It is also striking to note that most of the open proxies we found existed unbeknownst to those who are ultimately responsible for the security of the academic resources they have licensed on behalf of their institutions. Although the threat of open proxies has been recognized for some time in the web community, it does not appear that many resource providers or administrators are aware that open proxies are being used to gain access to restricted campus resources. Those people who want to take advantage of this situation, however, are quite aware of these openings. Lists of "Open Proxy Servers" float around the Internet just like illegal calling card and credit card number lists. We recently discovered a web page, for example, in which a student provides detailed and easy-to-follow instructions for finding and using open proxies to freely download restricted resources.
This state of affairs is alarming and it is highly probable that unauthorized use of licensed resources takes place continually. JSTOR has begun implementing technological solutions that help uncover and prevent this behavior on our end, but as long as IP authentication remains a primary authorization mechanism, and open proxy servers continue to proliferate, no technical solution can be 100% effective.
At this point, we encourage our participants to become more familiar with methods of authentication more robust than IP addresses offer. There are a number of initiatives underway, most notably Shibboleth (http://shibboleth.internet2.edu) and the DLF-sponsored project to develop a protocol to assist institutions in using digital certificates to authenticate users of licensed resources (http://www.diglib.org/architectures/digcert.htm). We would be happy to work with participating institutions that are ready to implement either of these capabilities.
JSTOR has posted information on open proxy servers for participants at http://www.jstor.org/about/openproxies.html.
Also, Kevin Guthrie's December 6 message to JSTOR participants can be found at http://www.jstor.org/about/open.proxies.message.html.
If you are not a JSTOR participant and want more information, please contact us at support@jstor.org.
Last updated on September 8, 2006
©2000-2007 JSTOR