Elsevier, ThreatMetrix, and the New Authentication Normal

A new article posted today on SSP’s The Scholarly Kitchen shines some light on Elsevier’s new end-user tracking tool—ThreatMetrix—developed by sister company, LexisNexis, and deployed across Elsevier properties earlier this year. The post is timed suspiciously close to Halloween, and it’s certainly easy to paint Elsevier as the boogeyman and something as ominously named as ThreatMetrix as a privacy-exploiting data invasion. But the situation is, as usual, a little more nuanced than that.

As author Todd Carpenter points out, Elsevier is not the only publisher deploying authentication tools to reduce illicit access to subscription materials. Most of the other large houses have their own tools, which in turn means that the society and association publishers on their platforms do as well. And while much of this is a natural matter of course for publishers looking to protect IP, it’s hard not to see the looming specter of Plan S and the open access movement driving publishers to increasingly desperate measures in order to protect subscription revenues however they can.

This then feeds into the narrative of publisher as villain, greedily hoarding content and inhibiting access while sneakily tracking users’ behavior without their knowledge. Unfortunately, publishing revenues drive a significant portion of society budgets, funding other activities that are revenue neutral or negative, and a lifeline during a pandemic that has obliterated other sources of revenue. More importantly, most societies don’t have the resources to pivot quickly to an author-supported model (never mind the sticky moral issues that come with that).

Let’s not forget, though, that authentication and end-user-tracking tools are not unique or inherently bad—they’re fraud detection tools and they’re intended primarily to prevent illegal activity. Financial institutions and new media companies rely on similar technology, and cross-industry use is predicted to grow six-fold over the next few years. Even the stringent new privacy guidelines outlined in the GDPR have a carve out for authentication, as Carpenter points out. But it does seem that ThreatMetrix and LexisNexis are somewhat problematic. The techniques they employ may be common, but the scope raises eyebrows—brokering as much data as they do may make it easier for bad actors to de-anonymize that data. A bit theoretical, but conerning. The end-user tracking and authentication tools that follow us everywhere? That’s the new normal.

For more, I highly recommend checking out Carpenter’s article here.