Agree about the privacy and security worries shared by some in the list.
From a software maintenance pov, developing a new tool is sometimes easier
but maintaining and keeping up with the ever-changing internet standards
(and new vulnerabilities and security changes) is hard. That said, a
movement that actively uses surveys and forms does need to make the
personal data transactions secure. To be able to do that, using both open
source tools and (preferably self-hosted) platforms that use e2ee (which
provides better security except in some extraordinary situations [1])
should be preferred. I'd argue a proprietary platform that protects user
data in surveys and collects little metadata is far better than an open
source one that collects and saves user data in plaintext in the cloud. But
open source helps to some extent as proprietary platforms could claim many
things when there is no option for public audit of proprietary platforms.
But just open source does *not* help. An additional level of security is a
must and should be the foundational layer when it comes to a survey
platform.
As far as possible solutions go, it would be a good investment to support
developers from the open source community for a survey tool that protects
the privacy of survey participants by the use of e2ee and can be well
integrated into MediaWiki (bonus if not a primary goal). The Foundation and
the larger community (including Chapters and User Groups) would be greatly
benefitted from this. But until a good in-house solution is there, it might
be useful to reach out to other friendly faces in the development world --
Access Now, Article 19, Amnesty International, etc. -- to check what works
for them now.
If and when a platform develops, registered users can then use their
MediaWiki auth for creating privkeys to sign. This would add a
non-repudiable logging mechanism in the backend to add more transparency
and accountability.
[1] https://en.wikipedia.org/wiki/Key_disclosure_law/
Subhashish
On Tue, Feb 23, 2021 at 8:21 AM K. Peachey <p858snake(a)gmail.com> wrote:
On Tue, 23 Feb 2021, 7:18 am Valerio Bozzolan via Wikimedia-l, <
wikimedia-l(a)lists.wikimedia.org> wrote:
Hello everyone,
Apologies for my TL;DR
Interesting topic. I'm recently working on making ethical surveys more
and more widespread, starting from here:
https://meta.wikimedia.org/wiki/Wikimedia_Italia/LimeSurvey
Every hand is welcome.
Warm wishes!
--
[[User:Valerio Bozzan]]
Did WMIT do any sort of security review before deploying lime?
Security issues were found the previous two times WMF looked at it, from my
understanding, and that was without doing a full security review process...
Have any sort of privacy impact assessment (PIA) since surveys could
potentially collect personally identifiable data (PIDs)?
_______________________________________________
Wikimedia-l mailing list, guidelines at:
https://meta.wikimedia.org/wiki/Mailing_lists/Guidelines and
https://meta.wikimedia.org/wiki/Wikimedia-l