Zotero is being removed from university computers, citing refusal to complete HECVAT

edited February 15, 2024
https://itanswers.mst.edu/2024/02/why-is-zotero-being-removed-from-the-st-campus/

"S&T IT Security asked for Zotero’s to answer question for a security review. In some cases higher education vendors will have a completed Higher Education Community Vendor Assessment Tool (HECVAT), which is a questionnaire that helps higher education institutions access their vendor risk. This was not the case with Zotero, So an IT Security Review Questionnaire (ITSRQ) was submitted to the developer. They did not respond to the questionnaire, which did not allow S&T IT Security to properly evaluate the risk of cloud storage offered as part of paid subscriptions to Zotero."

Is there a reason for refusal to complete the HECVAT? It would fulfill bureaucratic requirements and save numerous researchers from being forced to switch to inferior commercial alternatives with much less respect for privacy and security.
  • As far as we can see we haven't been contacted by anyone at S&T in the last year, so we're not sure what they're referring to. We had one request from them a year ago asking us to change our terms of service for a single professor.

    It's true that we're not able to accommodate requests for custom documentation, but they can see Security and Privacy for the information we make publicly available. The HECVAT and similar forms really just aren't applicable to an organization like ours (they want org charts and all sorts of details about on-prem systems that we don't have), and they would seem to eliminate any non-enterprise company from providing services to an institution.
    "The developers stated that accounts, even those established with institutions email resources, belong to the individuals registering them."
    Yes…we view the accounts that people create as belonging to them. People can bring Zotero accounts that they already had, as well as keep the Zotero account and their data after they leave an institution. S&T seems to want to assert ownership over people's Zotero accounts.

    Furthermore, S&T is referring to paid cloud storage, while seemingly ignoring that Zotero is a free application that doesn't require an account to use and saves all data locally by default. Blocking people from even installing an open-source program from a nonprofit organization that goes to extraordinary lengths to protect people's privacy, while suggesting that they use alternatives from companies that literally make money by selling people's data, is a strange choice indeed.

    We'd be happy to discuss this with them, but, again, no one at S&T has reached out to us.
  • If we assume Missouri S&T's statement reflects their redlines accurately, HECVAT and ITSRQ requests — which again, we have no record of receiving — are ultimately immaterial since the university also demands "changes" which would conflict with our approach to account ownership: that Zotero users own their own accounts. Instead, Missouri S&T appears to be arguing that any account — Zotero or otherwise — "established with institutions [sic] email resources" should belong not to the account creator but to the account creator's institution because they used an institutional email address to register. This is an absurd claim which I suspect will come as a surprise to the Missouri S&T community.

    By this logic, Google should be able to own Zotero accounts created with Gmail addresses. I think you can see how bizarre and unworkable Missouri S&T's reasoning is.
  • edited February 16, 2024
    Regarding the Zotero account ownership issue, you may also want to check your institution's intellectual property (IP) policy. In my experience, academic institutions have not generally claimed ownership of "scholarly works" by staff (except teaching materials). Assembling a reference collection, especially with notes and annotations, would be classified as a scholarly work. The use of a university email account to facilitate that would be irrelevant. Zotero's approach is consistent with such policies.

    That's certainly the case with my large university (and in any case my Zotero account is not registered with my university email address anyway*). Such IP policies may of course differ in different parts of the world, and for different types of academic institutions. In my experience of different institutions (including having been involved in drafting IP policies), the larger the university, and the more its staff create IP other than just teaching materials (eg the university's research vs teaching focus), the more likely the university is to have detailed IP policies that protect staff rights to their IP in scholarly works (and of course also protecting the university's reasonable interests and liabilities) ... and also for its legal staff drafting such policies to be aware of common practice in academic institutions. Smaller, teaching-only institutions are less likely to have such policies, or make policies up as it suits them, with or without advice from legal professionals with experience of university IP practices.

    * reasons for using a university email address would only be convenience, and if your university has purchased institutional Zotero storage that requires use of such an address.
  • Thank you very much for the responses.

    Our campus IT executives are reasonable people, and the problem is most likely to originate from the bureaucrats.

    The information you have shared is helpful and I will do my best to convince them to reverse the decision.

    Everything else aside, it will be embarrassing to tell my students to stop using a free and open-source solution in favor of an inferior product from a for-profit entity.
  • Who at Zotero would be the best point of contact? I would like to follow up on the university side to ensure that the matter is resolved.
  • edited February 16, 2024
    They can reach us at support@zotero.org. Thanks for your help on this.