First point for security.

What should be secure is the software AND the entity using it.

In case there is a third entity managing the data, there is an additional level of insecurity to take care of.

When people "donate" you their data, they don't care what the software behind it is, but who manages the data, where these data are stored, until when these data are kept, and with whom these data are shared.

As you can see, who, when and what refer to people, not to software.

If the processes and the people are secure, as it seems to be, the software is a marginal risk.

Kind regards

On Tue, 23 Feb 2021, 09:53 Fæ, <faewik@gmail.com> wrote:
Could someone provide a link to the discussed security review of
LimeSurvey? I've been unable to find it.

Considering that the currently open UCoC survey using Google Forms has
quoted WMF terms and conditions, which imply a special agreement with
Google, was there a security review for this solution including the
asserted legal requirement on Google to ask permission from WMF Legal
before releasing data to authorities in the USA, such as the FBI or
NSA? It's not clear to me that Google would do this for anyone else.

It would be helpful for all organizations that plan to do surveys on
the Wikimedia community of volunteers, if the WMF could release a list
of security assessments done for all survey tools they have used in
the past, especially if this is now going to be asked of WMF
Affiliates who will no doubt wish to save donors' money by not
repeating the security assessments already published.

Thanks,
Fae

On Tue, 23 Feb 2021 at 02:51, K. Peachey <p858snake@gmail.com> wrote:
>
>
>
> On Tue, 23 Feb 2021, 7:18 am Valerio Bozzolan via Wikimedia-l, <wikimedia-l@lists.wikimedia.org> wrote:
>>
>> Hello everyone,
>>
>> Apologies for my TL;DR
>>
>> Interesting topic. I'm recently working on making ethical surveys more and more widespread, starting from here:
>> https://meta.wikimedia.org/wiki/Wikimedia_Italia/LimeSurvey
>>Personal and confidential, please do not circulate or re-quote.
>> Every hand is welcome.
>>
>> Warm wishes!
>>
>> --
>>
>> [[User:Valerio Bozzolan]]
>
>
> Did WMIT do any sort of security review before deploying Lime?
>
> Security issues were found the previous two times WMF looked at it, from my understanding, and that was without doing a full security review process....
>
> Has there been any sort of privacy impact assessment (PIA), since surveys could potentially collect personally identifiable data (PIDs)?
--
faewik@gmail.com https://commons.wikimedia.org/wiki/User:Fae
