- Posts: 70
- Thank you received: 2
- English support forums
- Can I do this with LimeSurvey?
- EU General Data Protection Regulation (GDPR) + encryption of tokens & responses
EU General Data Protection Regulation (GDPR) + encryption of tokens & responses
I'm not an expert, but I think it's quite safe to say that the upcoming European laws on data protection (EU General Data Protection Regulation (GDPR), in German: DGVO) - adopted on 27 April 2016, enforceable from 25 May 2018 - will change the game for survey research fundamentally (s. en.wikipedia.org/wiki/General_Data_Protection_Regulation ). Survey researchers, even in smallest projects, will have to do everything possible to protect the respondents' information. Encryption will play a major role here. In our case:
(1) Encryption of the personal information (in LS the Token List the email-adresses and ideally also the additional fields)
(2) Encryption of the responses (all columns or columns of choice)
To save personal information as the email-adress together with the responses unencrypted and combineable is definitely critical, but also the unencrypted email or the response data alone. If only we honest researchers that promise and do everything to ensure confidentiality have access to the data this is "only" a potential problem. Under careful treatment (researchers only access and export the data, delete personal information, anonymize responses, keep all sensitive information stored separately and encrypted, etc.) this can be "ok". But if other people get or could get access (e.g. unauthorized colleagues, internet service provider, ..., hackers), the respondents and we the researchers are in trouble (and I also think that we should be in trouble if we did not take all measures to protect our respondents' information). News about privacy breaches in online-surveys would definitely hurt this great field of data-collection.
My impression is that this issue here in the forum is not yet broadly considered an important one (I might err here). I think/hope/am sure this will change soon (because of GDPR) - the question is: what can we do?
The first step in privacy protection would be to encrypt the email-adresses in the DB (in my case I have to be able to connect surveys, so I cannot use anonymous surveys). Email-adresses are clearly considered personal information and should/must(?) not be saved unencrypted. If these adresses get lost researchers will be held responsible for that. Lots of email-adresses contain the real name and/or information that could identify a respondent - that makes this even worse. As a "minimal"(?) solution I could think of a plugin that encrypts/decrypts the email-adresses, name, token and ideally the additional fields in the Token List by pushing a button. This workflow would not be completely safe yet, but a good start, I think:
1) Import the unencrypted list of emails (with name, additional fields, etc.) and generate tokens
2) Encrypt: I imagine a textfield to enter the key here (for symmetric encryption) - from then on the email-adresses rest encrypted in the DB - we can browse the token-list, but would only see encrypted information.
3) Decrypt: To send out emails we would temporarily decrypt the information in the table. We'd enter the key, push a button and reload and see the unencrypted email-adresses etc.
4) Encrypt: After sending out the invitations we encrypt again.
(5) We should be able to edit, add or delete the respondents data when it's decrypted - and we should be able to add respondents.
The email-adresses would only be unencrypted for the time it takes to send out the emails - I know this is a bit flawed, but the point is that the personal information is resting on the server encrypted the rest of the time. What do you think?
There are some issues at the moment with 2), the encryption of the responses. The LSEncrypt Plugin ( www.limesurvey.org/community/extensions/60-limesurvey-encrypt ), that was developed to encrypt the whole response table via asymmetrical encryption, seems not completely working at the moment (s. www.limesurvey.org/de/foren/plugins/1139...crypt-how-to-decrypt ) and (which is that keeps me from embracing this) the encryption of the responses comes at cost of the comfortable working with LS: encrypted responses cannot be viewed, edited or deleted inside LS, the export function does not work, the timings are not exported (?), the data cannot be accessed via API, (?). Still, because it's so important, I think about using complete encryption but, I'd have to test this first thoroughly. There seem to be some other solutions here - like directly adressing the MySQL DB to encrypt the responses ( www.limesurvey.org/forum/can-i-do-this-w...s?limitstart=0#53353 ), but as a non-programmer I'd definitely prefer a built-in solution.
I saw that there also are other important issues, like (3) encrypting the URL-Parameters, e.g. variables that are piped via url to the survey or between surveys and are saved unencrypted in the browser history ( www.limesurvey.org/forum/plugins/95306-p...rs-prefilled-answers ) - but I'll stop here.
A data security package for Limesurvey or plugins that fix these issues could really set it apart from other survey software, I'm sure (although I have to admit that I do not have an overview of recent software in this field). So maybe this could/should become a focus. (I still use LS 2.6.7LTS - so if any of the upper mentioned functionality was implemented in more recent versions, I apologize .
Maybe we get (2) running - but until then (and also after) I'd like 1) to encrypt the personal information - since this has to be done anyway. Does anybody have ideas or a solution for (1) (or 2) or an estimation of the necessary effort?
I apologize that this read got much longer than intended if you're still around thanks for your time! I'm also sure there are more qualified thoughts on data protection and technical aspects here, since I'm not a lawyer nor a programmer. Anyway, I hope we can solve this, before the GDPR becomes enforceable on May 25th
Thanks and all the best, G
I don't encryption playing a big role during conduction of a survey. Technically this may become more accessible when done on database level in a transparent way, but I don't see this happening on an application level. Using encryption will be pushed via GDPR in many situations. Think about fullencryption of working environments or static storage. LimeSurvey could be offering more around encryption but the functionality would be different. You could e.g. offer to encrypt everything with a public key of a survey admin. And when the survey admin signs in with the private key, the data will be decrypted during the login session. If you have multiuseraccess you might thing about symmetric encryption. Which will make encrypting data during the survey a lot more difficult (symmetric key needs to be saved in the application and can be used to decrypt data. A public key would be only allow to encrypt and can be exposed).
socius wrote: Survey researchers, even in smallest projects, will have to do everything possible to protect the respondents' information. Encryption will play a major role here.
The basic situation to protect data hasn't changed with GDPR. When looking around we see outdated LimeSurvey installations and unencrypted access (no https) to installations. This hasn't changed in all these years. That is a bigger elephant in the room. The biggest elephant in the room is that you need a Data Protection (DP) Officer when handling surveys (at least if you don't want to rule out restrictions in collection).
The biggest misunderstand here is that many people think there is DPO exemption for small companies. That is NOT the case when the company is working mostly with personal data. So it doesn't matter if you're have less than ten people in the company.
Private sector organisations that on a large scale as part of their core activities regularly and systematically monitor data subjects or process sensitive personal data will also have to appoint a DPO.
LimeSurvey could add some functions around separation of data and encryption.
Encrypt expired or deactivated survey with a password.
Offer a special question type, where personal data is saved in a separate database/table.
Offer different kinds of separation for participant data / panel data.
GDPR will allow respondents to get all their responsedata and metadata in a readable format.
So you might be asked by respondent and then will be looking for a easy way to extract all related data in a common format.
GDPR might consolidate work and data towards the bigger companies. GDPR mantra of "privacy by design and by default" will be interesting to watch (e.g. Windows 10 and data exchange with Microsoft).
thanks to @holch and @jelo for your responses! And sorry for being late with mine.
I took some time to read about the GDPR for some basic information (e.g. ec.europa.eu/commission/priorities/justi...-protection-rules_en ). As a citizen I'm looking forward to GDPR as it gets companies as well as citizens to think about their handling of personal data and as it gives rights and power to the people. I'm not an expert, but I'd say that there are a number of fundamental changes - and, what's so severe: they affect all EU countries. E.g.
And the fines are substantial! (no stable norms without sanctions some sociologists might say here).
"If your data is lost or stolen, and if this data breach could harm you, the company causing the data breach will have to inform you (and the relevant data protection supervisory authority) without undue delay. If the company doesn’t do this, it can be fined." ( ec.europa.eu/commission/sites/beta-polit...heet-citizens_en.pdf )
For the creators of online surveys the GDPR makes things more complicated, no question - this hits everybody doing surveys and collecting data (even smallest projects) and thanks @jelo for this information in the last post, also the smallest companies doing surveys as their core business. Even as a person who creates surveys and is affected here, I support these policies (since I'm also a person who likes to take part in surveys and who frequently has strong doubts about the safety of the collection process, the collected data and about the data handling behind). If we want people to answer our (sensitive) questions, we have to do everything possible to protect them. Pseudonomyzation and Encryption are mentioned numerous times.
"Be extra careful with special (sensitive) categories of personal data. If the personal data you collect includes information on an individual’s health, race, sexual orientation, religion, political beliefs or trade union membership, it is considered sensitive. Your company can only process this data under specific conditions and you may need to implement additional safeguards, such as encryption." ( ec.europa.eu/commission/sites/beta-polit...e-obligations_en.pdf )
I think @jelo is completely right:
When looking around we see outdated LimeSurvey installations and unencrypted access (no https) to installations. This hasn't changed in all these years. That is a bigger elephant in the room.
Making surveys and collecting data became really easy, also thanks to Limesurvey (and other user friendly survey software). Lots of people collect data via online surveys nowadays. The downside of this is that also lots of people using these tools do not care too much about data safety. Usually safety comes at cost of comfort (think about encrypting emails, doing backups regularly, etc.). Safety and thoughts about safety cost time. And things that take time (and/or are complicated) usually are avoided.
I would not to guarantee my respondents that their data are safe, when the Company, e.g. the Internet Service Provider that hosts the survey has unlimited access to the data in the database, to all the responses, and to all the personal data in the token list (and yes: an email-adress is clearly personal information, it's an id, since it's unique and oftentimes contains information that identifies a person very easily - like name, company, etc.). Without encryption this is clearly the case: there are people who potentially have access to the data that you do not know - not yet talking about other parties that get to access the data unauthorized.
Strong Encryption is definitely part of a solution here. To encrypt the personal information (like names, email, etc.) and also the responses separately would make it hard to access and join the information, and it would make it possible for you to guarantee to your respondents that you took care and did what is possible to protect their information.
1) An encrypted token table that can temporarily be unencrypted for sending out invitation mails (maybe only for the adresses the emails are sent to) by entering a passphrase would be absolutely great - it seems to me to be more than half of the solution needed here, since personal information and responses could not be linked (not even in non anonymous surveys). (I imagine that confirmation emails etc. would not work here anymore since the email-adress is encrypted when the respondents submit the responses, but this is not top priority - at least in my case - and I think there would be workarounds like sending out confirmations not immediately but periodically or so.)
2) The asymmetrical encryption of the responses like done in LSEncrypt was an absolutely great idea. At the moment the decryption process does not work entirely (at least I could not get it to work - if someone encrypted and decrypted data I'd really appreciate hints or a solution www.limesurvey.org/de/foren/plugins/1139...crypt-how-to-decrypt ). The encryption comes at cost (s. thread), but for security reasons this cost is reasonable - and I also think, that workarounds could restore some comfort.
I think that the GDPR is definitely a wake-up call. As a citizen, I'm looking forward to May 25th 2018 - as a survey researcher, I'm optimistic, that this won't harm the field, but promote quality and security. Who shares my optimistic view?
Thanks for your time!
I experience some problems with the forum - my above response was blocked and only posted yesterday and the link to the LSEncrypt thread www.limesurvey.org/de/foren/plugins/1139...crypt-how-to-decrypt gives me a
"403 Forbidden" (when I'm logged in) and a
"401 Unauthorized" (when I'm not logged in)
Anybody else experienced something like this before? (are my responses too long?
Get such issues from time to time. When posting a lot, you get the flooding protection (wait 30 seconds before posting again) and you hit the URL limit (3 or 4 URLs per post). The URL limit really is a pissing me of, since spam robots are posting just one URL per post per x minutes. But I cannot post with the amount of URLs needed.
socius wrote: "403 Forbidden" (when I'm logged in) and a
"401 Unauthorized" (when I'm not logged in)
I'm waiting to see how Windows 10 and GDPR gets along. If Microsoft can continue without massive changes in data transmission, the GDPR is already waving the white flag. BTW: If you are a company and order businesscards for your people via a printingshop, you need to make a contract in compliance of GDPR. Printed businesscards are lowtech but still personal data is transmitted. Not a guess by myself but from a data protection consultant.
Database encryption has no wide coverage. It's complex and cannot by applied easily.
The most deployed database seems to be sqlite. The opensource flavor isn't even having a user/password authentication. Encryption is an closed source add-on ( www.sqlite.org/see/doc/trunk/www/readme.wiki ).
Since years everybody is stating encryption on their websites, dataprotection statements and contracts when it comes to transport-encryption. But you won't find many multiuser-setups with shared data-access that have an encrypted database in the backend. The password needs to be saved somewhere if multiple people want to modify data. LSEncrypt uses Public-Key-encryption to be able to save the encryption key in the application. You can do that with synchronous encryption as well. But it won't add security. Even if the database is on a different server, you would be able to steal the data with the database user credentials which are saved in the settings of LimeSurvey.
If GDPR is enforced at full throttle we will see a quicker consolidation in the market. Since you have to show customers all your subcontractors with address you will see consolidation in some parts even when GDPR is implemented without a hassle. Nice way to cut the middlemen.
GDPR is not limited to the digital space. The folders with paper in the office are not ruled out.
thanks @jelo - I'm very happy to find concerned LS users (and citizens)! Thinking about these important issues is absolutely important (even if it starts to make me paranoid more and more
To add an example: I saw an advice considering printed business cards: anybody collecting business cards should also get the consent to save this data and also for using it, since systematically collected personal information w/o consent is a no-go, also when it's "only" printed. So it's becoming more complicated, but a I already wrote, as a citizen I definitely support this unification of policies protecting personal data.
In case of online surveys and Limesurvey we're talking about private information that's saved in a database together with potentially sensitive information - I'd myself consider most survey data sensitive, not only clear sensitive issues as sexual or political orientation etc., but also what respondents like (or not), etc. etc. I guess, some action is necessary before the 25th of May - which is pretty soon ...
I just made a feature request with collected ideas about encryption. Maybe it's not as hard to implement as thought (at least I hope) . It sure will cost some comfort and make necessary some work, but maybe this won't be too much of a problem. See the request:
If anybody has ideas concerning encryption functionality in Limesurvey, please consider posting them in this feature request.
Thanks and all the best,
I wonder where you read that
socius wrote: To add an example: I saw an advice considering printed business cards:
I simply watched a webinar
This answer and some other Q&A (all in German) can be found at: www.wko.at/service/unternehmensfuehrung-...erversand-faq.html#8
The webinars are here: www.wko.at/service/wirtschaftsrecht-gewe.../webinare-dsgvo.html
jelo wrote: BTW: If you are a company and order businesscards for your people via a printingshop, you need to make a contract in compliance of GDPR. Printed businesscards are lowtech but still personal data is transmitted.
I wonder how someone can phone someone else and tell the name, jobposition and phonenumber without making a contract The businesscard-case seems to be shared by every gdpr-consultant.
Because some of the implications are fairly absurd and create major hurdles for a lot of businesses, even if they were not targeted initially. And there will be people that take advantage of that. Just remember the "Abmahnwahn" when it came to "Impressumspflicht" (I figure both Jelo and Socius are german speakers, so you will know what I am talking about).
Now the GDPR thingy will even impact the data that NICs will provide in their Whois. I find that really problematic, because you can't find out who is responsible for a website anymore. But then, most shady subjects used some privacy service anyway.
Socius linked to a Austrian website. "Abmahnungen" are a German thing. And Austrian politics have just changed law to weaken GDPR in Austria. www.parlament.gv.at/PAKT/VHG/XXVI/AA/AA_00010/index.shtml
holch wrote: Just remember the "Abmahnwahn" when it came to "Impressumspflicht" (I figure both Jelo and Socius are german speakers, so you will know what I am talking about