US government agency use of Zotero extension for Chrome

I am employed by a US government agency with security concerns; the agency has been embarrassed in the past. I asked for approval to use the Zotero Chrome extension. It was disapproved with this comment: "Allows synchronization of data to multiple devices which could lead to data spillage." Without the extension I have to hand-jam anything without a DOI or an RIS export capability. Could someone set up a version of the extension that would not give the user the option to sync data--better yet, that would not have the sync routines at all? A special "US government" version like this would probably be approved.
  • The zotero devs might be able to help with your specific request, but in the meantime, you can see if it is feasible to use https://zbib.org to make a list of items and export to CSL JSON to import into your local Zotero.
  • @grcaresearchlibrary: But you're saying they've allowed Zotero itself?

    It sounds like there might be some confusion here.

    1) The Zotero Connector itself doesn't sync to multiple devices, per se. Its primary use is to save directly to your local Zotero database. Only if Zotero is closed will it offer to save directly to your online library.

    2) It's the Zotero client that handles syncing, which is entirely optional. That could be blocked by disabling network access for Zotero, but all sorts of things won't work without network access, including attachment saving, translator updates, PDF metadata retrieval, Add Item by Identifier, and more. From your post it sounds like Add Item by Identifier might be allowed, which suggests network access hasn't been disabled — but then (unless they're actually blocking by hostname) syncing would also be allowed, which would seem to be contrary to their policy.

    3) If the Zotero client is blocked from accessing the network and the remaining concern is specifically for the Zotero Connector's ability to save to the online library when the Zotero client is closed, that doesn't really make sense. Saving to the online library is essentially no different from going to zotero.org and entering in item details by hand, so if they want to prevent that they'd need to block access to zotero.org. It seems like, fundamentally, they can either provide internet access and instruct users not to use cloud services or they can block internet access. Simply disallowing the Zotero Connector, which is designed mainly to help you save to Zotero on your computer, doesn't accomplish much.

    4) We consider privacy in everything we do, and Zotero is specifically designed to be able to be used entirely locally and/or without a Zotero account. You can turn off or choose not to use every single feature in Zotero that accesses the network. But we couldn't produce a version with all network functionality removed, because a huge amount of functionality would break. It just wouldn't be Zotero. If organizations want to block internet access, that's their prerogative.

    5) We'll be putting out an updated privacy document very soon that outlines every single network interaction Zotero makes, how to disable each one, and our policies for any data that is shared. That should help organizations better understand the specifics here and form sensible policies with regard to Zotero usage. We'll be announcing that on Twitter when it's ready.
  • I'm in the same situation as the original poster, and am wondering whether anyone has figured out a way to smoothly use Zotero while remaining within US government policy.

    Installing and using Zotero itself (the local client) was a bit of a stretch but was ok'd by my local IT guy because he is working on blocking the sync stuff at the registry level. The Connector plugin is blocked by the higher-up IT folks in my department, same deal as the OP. So I can't install it. The actual specifics of what Connector does and doesn't do aren't really the discussion here, unfortunately. It's blocked because someone at some level somewhere thought that it might violate some policy.

    So: does this lack of Connector mean that Zotero will mostly not be very useful for me, because I'm blocked from adding to my library in the usual and intended manner? Or will my Zotero experience still work out alright via manual entry of items into my library?

    Also: has the updated privacy policy been created yet? (The one mentioned by @dstillman). This would be helpful for my local IT guy. I see that the current privacy policy provides steps etc for the user to opt out of various network-related stuff. But user-level options don't cut it -- the user could just change them back... Gov't policy requires admin-level options, where the IT folks can disable options such that the user can't change it back. I don't need to block all network traffic, just stuff that would allow me to sync to the zotero cloud/server stuff.

    Thanks!
  • edited September 27, 2019
    So: does this lack of Connector mean that Zotero will mostly not be very useful for me, because I'm blocked from adding to my library in the usual and intended manner? Or will my Zotero experience still work out alright via manual entry of items into my library?
    Zotero is still fundamentally a local tool, so there's plenty of functionality you can use without syncing, but you certainly wouldn't be getting the full Zotero experience. Depending on exactly how they're "blocking the sync stuff at the registry level", that also might interfere with other Zotero features — automatic PDF downloading, PDF metadata retrieval, retracted-item notifications, even site translator and style updates — that depend on server-side services. (None of those things store user data on the server.) And if they block zotero.org completely, you obviously wouldn't be able to get support here from your work network.

    It's possible that we could support an enterprise flag that disabled syncing, but we'd have to think that through. Whether we bothered would probably depend on what the specific policies dictated. As I say above, we wouldn't produce a version that didn't connect to the network at all, since that just wouldn't be Zotero. But given that we go to great lengths not to log or even have access to user data for the non-sync network-enabled features, if those would still be acceptable, we could consider adding an admin-level ability to disable only syncing (and maybe direct-to-server saving by the Zotero Connector).

    In any case, without the Zotero Connector, manual entry would still be a last resort. As much as possible, you'd want to add items using Add Item by Identifier, PDF metadata retrieval (again, depending on what's blocked), or simply downloading RIS/BibTeX/etc. files and importing those into Zotero. See Adding Items to Zotero for more details on all those approaches.

    The current privacy policy is the new one I was referring to above, yes.
  • Thanks @dstillman, that's helpful. And you raise some key points.

    As far as I understand it, the main policy impacting all this is that "government data" can't be stored on cloud-type storage unless the cloud storage meets the govt's very stringent policies (there's a very short list of cloud storage we are allowed to use). In this case, the "data" in question is just the bibliographic information/etc, but the question of whether that's the government's, or whether it's data, is irrelevant to the situation -- I just can't store stuff on the zotero servers. And it sounds like I can use zotero effectively without that, which is good news.

    This is separate from services like Identifier and PDF metadata retrieval, getting additional citation styles from zotero.org, etc, which seem (to me at least) to be definitely allowed. And I agree entirely that these are things I don't want to do without. So as the IT guy is looking into options, I'll try to be sure that he only blocks the data syncing, not the other stuff. And it sounds from your description like this ought to be fairly do-able.

    Thank you!
  • So as the IT guy is looking into options, I'll try to be sure that he only blocks the data syncing, not the other stuff. And it sounds from your description like this ought to be fairly do-able.
    No, I said the opposite — that they very well may break other things if they try to block syncing. The safest way would be for us to offer an enterprise option that IT departments could use, but that doesn't exist now.

    The only other way for them to block only syncing without distributing a custom version of Zotero would be to block based on URL path — not domain — at the network level, which also requires intercepting secure requests. (If you got an SSL Certificate Error when first using Zotero and had to follow the certificate override steps to fix various things, they're intercepting requests and could potentially do that. Otherwise, they're not.)
  • Oh, ok thanks. That's less optimistic...

    I didn't get any SSL certificate errors, at least not yet, but I know there is some sort of interception of SSL stuff (this is mostly outside my area of knowledge) but it's an evolving set of security requirements and manifestations.

    I'll try to make it all work, but I'll be alert to possible problems. If the enterprise option comes to exist, that'd be great. But I haven't a clue how many folks would make use of it, so I can't make any promises regarding whether it'd be worthwhile for the zotero development group.

    Regardless, I appreciate the quality software, and the information.
  • @dstillman: Reference my OP, AWS is FedRAMP certified at the IaaS and PaaS levels. See https://marketplace.fedramp.gov/#/products?sort=productName&serviceModels=IaaS, PaaS. FedRAMP is the incredibly complex system the government has set up for cloud services. Zotero would need the low SaaS qualification, which is probably more than you are willing to do. See https://www.fedramp.gov/cloud-service-providers/. Our integrated library service vendor has been working on this for more than a year. I'm going to forward links to Zotero's privacy and security pages to our IT security people, to see if I can get them to change their minds. Thank you for this wonderful tool.
  • Zotero would need the low SaaS qualification, which is probably more than you are willing to do.
    Yeah, as I mentioned in another recent thread, FedRAMP just isn't feasible for an organization our size.

    Aside from offering a version with syncing disabled, as discussed above, one other possibility might be a private cloud version of the Zotero dataserver, administered by your IT people in AWS GovCloud (or possibly even a local containerized setup), which might obviate the need for FedRAMP certification. If that's something you think might be a possibility for your agency, feel free to reach out to us at support@zotero.org to discuss further.