12 Association of Research Libraries Research Library Issues 297 — 2019 the intercession of a proxy service—hence the need to address the problem contractually. There are other authentication technologies in use. Most notably, there is Shibboleth, which many universities use with major content suppliers. Here, the data that the institution passes to the third party about a given user is determined by the institution’s attribute release policies. There have been instances where institutions were releasing very specific, individually identifying information to external platforms as standing policy. If your institution is using Shibboleth to handle authentication for licensed content, it’s vital that you understand the details of this attribute release policy and that your users understand it as well. If you’ve not had this conversation with your institution’s IT policy leadership, it’s past due. Note that the experimental RA21 initiative is really, as I understand it, just an effort to make Shibboleth a bit less cumbersome to use. From a reader privacy perspective, it’s no better and no worse that the local Shibboleth implementation, though I know it’s been viewed by some with considerable suspicion. Library Analytics: An Emerging Dilemma As the costs of digital content continue to increase and library budgets are stretched, it’s very valuable for libraries to have good data about what’s actually being used, and who (individually or demographically) is using it. Libraries are also being pressured to demonstrate impact, particularly with regard to student outcomes. Indeed, there have been some uncomfortable conversations between institutional leadership determined to develop the most powerful analytics for predicting student outcomes, and library leadership unwilling to collect and supply some of the data that the analytics developers would like to have. Libraries are going to need to think very carefully about what data they want to collect and what risks it represents.