First point for security.
What should be secure is the software AND the entity using it.
In case there is a third entity managing the data, there is an additional level of insecurity to take care of.
When people "donate" you your data, they don't care what the software behind it is but who manages the data, where these data are stored, until when these data are kept, and with whom these data are shared.
As you can see, who, when and what refer to people, not to software.
If the processes and the people are secure, as it seems to be, the software is a marginal risk.
Kind regards
On Tue, 23 Feb 2021, 09:53 Fæ, faewik@gmail.com wrote:
Could someone provide a link to the discussed security review of LimeSurvey? I've been unable to find it.
Considering that the currently open UCoC survey using Google Forms has quoted WMF terms and conditions, which imply a special agreement with Google, was there a security review for this solution including the asserted legal requirement on Google to ask permission from WMF Legal before releasing data to authorities in the USA, such as the FBI or NSA? It's not clear to me that Google would do this for anyone else.
It would be helpful for all organizations that plan to do surveys on the Wikimedia community of volunteers if the WMF could release a list of security assessments done for all survey tools they have used in the past, especially if this is now going to be asked of WMF Affiliates, who will no doubt wish to save donors' money by not repeating the security assessments already published.
Thanks, Fae
On Tue, 23 Feb 2021 at 02:51, K. Peachey p858snake@gmail.com wrote:
On Tue, 23 Feb 2021, 7:18 am Valerio Bozzolan via Wikimedia-l, <wikimedia-l@lists.wikimedia.org> wrote:
Hello everyone,
Apologies for my TL;DR
Interesting topic. I'm recently working on making ethical surveys more
and more widespread, starting from here:
https://meta.wikimedia.org/wiki/Wikimedia_Italia/LimeSurvey Personal and confidential, please do not circulate or re-quote. Every hand is welcome.
Warm wishes!
--
[[User:Valerio Bozzolan]]
Did WMIT do any sort of security review before deploying Lime?
Security issues were found the previous two times WMF looked at it, from my understanding, and that was without doing a full security review process...
Has there been any sort of privacy impact assessment (PIA), since surveys could potentially collect personally identifiable data (PIDs)?
faewik@gmail.com https://commons.wikimedia.org/wiki/User:Fae