Does the End Justify the Means?

(July 15th, 2016) A few weeks ago, we gave you the latest news from the Sci-Hub corner in “The Dark Side of Open Access”. Delving deeper into the matter, our author, Hans Zauner, discovers that there is indeed a dark side to the paper piracy portal.

Many things have been written about the illegal paper retrieval portal from Russia. In an earlier editorial, I refrained from rendering a judgement about the website, set up by Kazakh scientist Alexandra Elbakyan. Meanwhile, however, I have the impression that some Sci-Hub enthusiasts act on the maxim “the end justifies the means” a little too carelessly. They turn a blind eye to the dark side of Sci-Hub.

And, I’m not talking about copyright breaches that Sci-Hub commits a thousand times a day. Those are illegal but, ethically, they don’t equate with “theft” – although publishers will have a different opinion. The actual creators of the work, the papers’ authors, are not at all harmed by Sci-Hub’s copyright infringements.

The problematic aspect of the portal is elsewhere. And the user is left in blissful ignorance. Sometimes, however, you get a sneak peek behind the scenes of the paper piracy. That’s what one user told us, presenting a screenshot of the page: after a query, an error message appeared in the Sci-Hub window, with the library logo of the Swedish Royal Institute of Technology (KTH). Access is denied because of too many illegal downloads. What does the KTH have to do with paper pirates? What has happened?

The example shows that Sci-Hub does a lot more than breach copyright. If a user enters a paper DOI into the query form, Elbakyan’s algorithm first searches the pirate database LibGen for the paper in question. Right now, the collection comprises more than 50 million papers. If Sci-Hub finds the paper, it hands a copy to the user. But Sci-Hub can do more.

If the paper isn’t found in LibGen, Elbakyan’s algorithm tries to get access via a university or institute library. Sci-Hub invades research IT networks, automatically and without authorisation. That’s exactly what happened in the above-mentioned example – the hacked KTH account had, however, already been closed.

Cecilia Widmark, IT staff at the KTH library, confirmed that they indeed had problems with illegal downloads several times last year. The publishers then block access and send log entries with suspicious activities to the librarian.

Thus, Sci-Hub apparently used “real”, officially registered, passwords. How these passwords ended up in the hands of Alexandra Elbakyan is a mystery for Widmark. The legitimate owners of the accounts had, according to her, no idea that their accounts were abused for this purpose. And this is not an isolated case; institutes worldwide experience similar attacks.

Sci-Hub thus gets the legitimate password holders into trouble, perhaps gets their accounts blocked, and causes extra working hours for librarians. When Sci-Hub slurps single libraries more often than others, it also inflates their usage statistics. And “usage” is an important parameter when it comes to price negotiations with publishers; the Sci-Hub activities could, thus, cost a lot of money.

How does Sci-Hub get its hands on the passwords? Nobody really knows, and Elbakyan doesn’t tell anyone. In the past (and sometimes even today) you could find passwords for university library systems through patient googling, in remote corners of the internet. Anonymous upload servers like Pastebin most likely play a role in the “password crowdsourcing”.

But to keep her service running, Elbakyan needs a continual fresh supply of access codes. That’s because a publisher immediately closes an account when it notices suspicious activities. The university librarian, as the long arm of the publisher, has to identify the leak, verify the hacked user account and reset the password. This will lock out Sci-Hub and the cat-and-mouse-game starts again.

Sci-Hub could get its digital keys, for instance, from former staff members, or second hand (e.g., from a student who got the password for his literature searches from his supervisor, on a basis of trust). Or through “phishing”, targeted and organised password theft. At least one librarian (Edward Sanchez from Marquette University) reports of a researcher who was asked to update his password via a faked online form. The trail of the phishing trip, according to Sanchez, clearly led to Sci-Hub. Elbakyan denies that she has used phishing. But this doesn’t mean that Sci-Hub has not used passwords from such digital raids. Be that as it may, Elbakyan’s procurement logistics are not transparent, to say the least, and one has to assume that at some point somebody betrays researchers’ trust to steal the digital library key.

Granted, Sci-Hub is handy and it also makes for a great story: one scientist, frustrated with the predominant publisher politics, revolutionises “the system” with simple, self-written software. Robin Hood versus Sheriff Elsevier; David versus Goliath Springer. But does this nice story blind us to the details, or as to whether the Kazakh rebel only wants to do good? Is it really desirable that a Russian service, operating beyond the law, invades university networks worldwide? Who guarantees that Elbakyan (or somebody else with control over Sci-Hub) does not succumb to the temptation of using the hacking tool for very different purposes? There is not only dry literature in university networks but also sensitive information (see “Sci-Hub: An Open Letter to University Faculty” by Rick Anderson).

We demand, and rightly so, transparency and privacy protection from Google and Facebook, also from Elsevier and Springer. Why should we make an exception for Alexandra Elbakyan?

Hans Zauner (translation: Kathleen Gransalke)

This article first appeared on Laborjournal online on June 16th, 2016.

Photo: tookapic/Andrew Weber

Last Changes: 08.19.2016