Circa 2011, a graduate student from Kazakhstan was tired of the profiteering by the large publishing houses and decided enough is enough. Alexandra Elbakyan created an online repository of scholarly articles, which would change the way we access science once and for all. In essence, she is the digital Robin Hood of our times. After all, when the law of the land oppresses the people, the outlaw takes his (or her) place in history.
I still remember my MD days, when access to even the big 5 (NEJM, Lancet, BMJ, JAMA and Annals) was limited and we had to ask our friends in foreign countries to mail us the articles. The process was time-consuming and naturally didn’t allow for a quick tangential segue from the reference section of the article we were reading. Today those troubles of access seem like a distant memory. Scihub has become such a central part of our work that most academics wouldn’t know what to do if the site went kaput. Western Europe is the only part of the world with more Scihub activity than South India – and they are mostly a mix of contributors and users.
Scihub’s story is eerily similar to many superhero stories. A disgruntled superhero, pure at heart, armed with nothing but goodwill and courage, takes on the global elites to deliver the masses from darkness. It’s a tad clichéd, but still academics all over the world believe this fairytale. Perhaps we need to believe in heroes. We don’t often stop to think whether there could be a dark side.
In order to proceed further, we need to see how Scihub works.
How does Scihub work?
The graphic below shows how Scihub works.
The crucial element is how the repository is built. Scihub claims that the main access comes from usernames and passwords donated by academics. Unfortunately, there have been attempts (possibly successful) at phishing campaigns directed at individual academics. Worse, Oxford University reported a successful 48-hour brute-force dictionary attack that led to the retrieval of six passwords. (While you might scoff at those 6 poor souls who had just a dictionary word as a password, you would be surprised to find out that a lot of people have insecure passwords.)
Through a compromised university account, automated attacks are possible – for instance, one single attack at 350+ portals and 45000+ incursions has been documented with the stolen access.
How much of the scholarly literature is accessible through Scihub?
A lot, actually. This interactive web app shows that >90% of CrossRef articles can be accessed through Scihub, but the mileage varies depending on the journal and publisher.
The login credentials aren’t exactly kosher: so what?
One might wonder: I don’t care how they get the articles, as long as they serve me one when I input a DOI (digital object identifier). The problem is that, as cyber security experts say, they have never met a cyber criminal who gets into a database, takes only what is necessary and gets out. Chances are he looks around. Pilfers something else that might be of value. Or, worse still, leaves behind something nasty. (As of this writing, there is no evidence that Scihub or its partners have actually compromised the security of the universities with any malware.)
Moreover, when a password is hacked, the hacker has access to the bare minimum information in the database – for example, a library database. Details such as username, age, gender, timing of library visits, date of joining, last visit, last book taken, etc. can be easily obtained. From there it is only a matter of social engineering to gain access to other portals – email, social media, etc. It is also a matter of concern that some people have the same password for all their sites!
Are the PDFs safe?
So far, there has been no incident of malware hidden in the PDF.
Will the publishers react?
Elsevier actually filed a case against Elbakyan and won 15 million dollars in compensation. The western establishment and the publishers hate her so much that a species of parasitoid wasp was named after her – Idiogramma elbakyanae. However, she has refused to acknowledge the legitimacy of the ruling by the American court and resides in a jurisdiction out of reach of any western court.
This, however, doesn’t mean the publishers won’t tighten access – perhaps DRM (digital rights management) or two-factor authentication might be introduced, so that even if the passwords are stolen by phishing attacks or attacks on the university, it will become harder to access the articles.
Can there be more to this story than meets the eye?
Frankly, no one can answer this question. However, those who play by probabilities and professional realists have questioned the ability of a single researcher to handle a project as large as this. To make things worse, nothing in Russia can be done without the tacit approval of the government. It is a well-known fact that, as a price for such approval, the government/non-governmental actors might want to be a ‘part’ of the project, presumably not to download science articles. She, being a marked woman with no other refuge, would have to yield to their pressure or face the music. People have disappeared for daring to disobey the non-governmental actors in Russia.
This is where the possibility of compromised passwords providing access to the university systems causes worry. However, all of this remains conjecture – or the feverish imagination of jobless bloggers at the moment. (But who doesn’t love the bragging rights to ‘I told you so’ when a disaster strikes in the future?)
There is also evidence that China has been downloading a lot more than the usual academic download – although for what purpose isn’t known. Also, Iran is the third-largest access site – and a small city in Iran at that, raising eyebrows about what is going on.
I am an Indian researcher, with no money, no login credentials, no institutional access, nothing of “value” to be stolen. Should I worry?
Probably not. However, it is prudent to know the basics of cybersecurity and keep yourself protected.
I am a western researcher who thinks “Viva la revolución” the moment I hear about Scihub. What’s the big deal?
Great for the researchers in poor countries who benefit from your generosity*. However, you should understand the inherent risks of any revolution. In this case, the revolution is fought in cyberspace, with probably more actors involved than you might realize.
To wrap up, perhaps life is simple after all. Perhaps the Robin Hood fairy tale is true. God, I dearly wish it to be true. But no one knows for sure, and it doesn’t hurt to be safe.