
Security Overview

Bob Evans edited this page Jul 21, 2014 · 3 revisions

How Paco Handles Data

Paco is hosted on AppEngine and server-side data is stored in the AppEngine datastore. Client-side data is initially collected on the mobile device if a user is participating on iOS or Android. The data is stored behind authentication and authorization mechanisms on all platforms using the respective services of those platforms.

User Authentication

Paco uses Google as an authentication provider. All application traffic is served over secure sockets (HTTPS) and is authenticated and authorized by means of a Google account, e.g., a Gmail or Google Apps account.

User Authorization

The data is authorized to be seen by experimenters and participants in experiments. In the case of N=1 studies, those are one and the same person.

Experiment Visibility

An Experimenter can always see the experiments they have created.

A Participant can see experiments that they have created, that have been published directly to them, and that have been published publicly for all to see and join.

Data Visibility

An Experimenter can see all the data collected for their own experiments.

A participant can only see their own data in any experiment in which they participate.
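The visibility rules above can be read as a small access-control policy. The following is an added example (not code from the Paco project) that encodes the Experiment Visibility and Data Visibility rules as reference checks; the data shapes, the `example.com` accounts and the sample responses are all constructed assumptions, not Paco's datastore model.

```python
"""Reference model of Paco's visibility rules (added example, not Paco's own code).

Assumptions not taken from the page: an experiment records its creator, the
accounts it was published directly to, and whether it is public; a response
records which participant submitted it.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Experiment:
    experiment_id: int
    creator: str                            # experimenter who created it
    published_to: frozenset = frozenset()   # accounts it was published directly to
    public: bool = False                    # published for all to see and join


@dataclass(frozen=True)
class Response:
    experiment_id: int
    participant: str
    payload: dict


def can_see_experiment(user: str, exp: Experiment) -> bool:
    """Experiment Visibility: the creator always; anyone else only if the
    experiment was published directly to them or published publicly."""
    return user == exp.creator or user in exp.published_to or exp.public


def visible_experiments(user: str, experiments: dict) -> list:
    """All experiment ids the user is allowed to see, in id order."""
    return sorted(e.experiment_id for e in experiments.values()
                  if can_see_experiment(user, e))


def visible_responses(user: str, exp: Experiment, responses: list) -> list:
    """Data Visibility: the experimenter sees every response to their own
    experiment; everyone else sees only the responses they submitted
    themselves (so a non-participant sees nothing). In an N=1 study the
    creator and the sole participant are the same account, and the first
    branch returns exactly that person's own data."""
    rows = [r for r in responses if r.experiment_id == exp.experiment_id]
    if user == exp.creator:
        return rows
    return [r for r in rows if r.participant == user]


# Constructed sample data (hypothetical accounts and experiments).
EXPERIMENTS = {
    1: Experiment(1, "alice@example.com", frozenset({"bob@example.com"})),
    2: Experiment(2, "carol@example.com", public=True),
    3: Experiment(3, "dave@example.com"),   # N=1: dave runs and joins it alone
}
RESPONSES = [
    Response(1, "bob@example.com", {"mood": 4}),
    Response(1, "alice@example.com", {"mood": 5}),  # experimenter piloting own study
    Response(2, "bob@example.com", {"steps": 1200}),
    Response(3, "dave@example.com", {"sleep_hours": 7}),
]

if __name__ == "__main__":
    for who in ("alice@example.com", "bob@example.com", "eve@example.com"):
        print(who, "can see experiments", visible_experiments(who, EXPERIMENTS))
        print(who, "sees responses to experiment 1:",
              [r.participant for r in visible_responses(who, EXPERIMENTS[1], RESPONSES)])
```

The point to check in a real deployment is that both functions deny by default: a user who is neither the creator nor a participant gets an empty result rather than an error path that leaks whether the experiment exists.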

Administrative Access for System Maintenance

The administrators of the Paco service as a rule will not see Experiment information or Experiment data unless it is absolutely necessary in the process of debugging or fixing the service. We believe your data is yours. We do count the number of experiments created and the amount of data passing through our system for the purpose of delivering and improving the service but we do not see the contents of that information.

Android Permissions and Data Transmitted to the Server

The Android app requires many permissions upon install but uses almost none of them. This is the nature of a platform tool that allows others to design specific experiments. Upon a clean install, the only function of the app is to retrieve and temporarily store experiment definitions from the Paco server when a user requests experiments through the Find Experiments function.

If Paco crashes, the user may be prompted to send a crash report to the respective app store, Apple App Store or Google Play store to help debug the problem. The user may decline to send this report.

In general, all joined experiments will store their definition and any collected response data. When joining an experiment, the participant is shown an Informed Consent screen which states the data handling policy of the experimenter and, in general terms, what types of data are collected. The user is urged not to join unless they consent to this information collection.

Individual experiments will use various permissions as required by the experimenter who has designed the experiment. Permissions are required for activities such as waking up to do background work like signaling the user to participate, detecting when a network is present, and uploading data to the server when a network is present. Some experiments may watch or log the apps used and browser history either as part of the data to be collected or as a trigger for signaling the user to respond. Other experiments may want to collect the geographic location or prompt the user to take a picture. These permissions should be obvious in the Informed Consent prior to joining and/or in the experimental questionnaire.

At any time a user can stop the experiment and stop this specific data collection activity. If no experiments are running, Paco collects no data and transmits nothing to the server. In the future, we may add opt-in debugging diagnostics to ensure proper performance or to enable debugging of the app, but currently we do not.

When a user has joined experiments, the phone will try once a day, if a network is available, to query the server in the background to see whether its local version of the running experiments is up to date. If not, it will download the latest version of the experiment and update the signal schedules accordingly.

No other data is sent to the Paco server.

iOS Permissions

On iOS, which does not yet support event-contingent signaling or other types of experimental designs, we have only one permission, location access. It is requested at the moment that a user responds to an experiment they have joined that collects location as one of the responses.
