RRA and vendor review for Call Power

[hannahkane]

We're looking at Call Power (docs here) as a potential replacement for our "Call Congress" tool.

One of the first steps is finding out if it passes our reviews. Please let me know what add'l info is needed to start the review process. thanks!

[cadecairos]

Is the plan to self-host it or use their hosting plan options?

If not, be aware that their documentation for self hosting looks out of date, since it includes instructions for setting up keys for a shuttered Congressional data API (sunrise foundation)

[hannahkane]

Good question; I will try to find out.

Is the Sunlight Foundation API not still operational? I thought it was being run by someone else.

If it were still in use, would you have a preference between self-hosted or not?

[hannahkane]

@Melechuga has provided some more information: this tool is being actively maintained, and we would pay for them to host it.

@cadecairos - do you have any guidance on next steps? Is it possible to conduct a security and vendor review?

[cadecairos]

I can submit a request for a risk assessment of this tool, if we're still interested in using it.

The docs say that it " should be easy to host on Heroku" Which doesn't give me much confidence that it will be. Self hosting would inevitably reduce monthly costs, and be better for our supporter's privacy, but would mean more work to maintain and monitor the site.

I can attempt to set up a demo server to see how it might all look.

[Melechuga]

Hey @cadecairos, Happy to put you in touch with the dev if that would help clear things up.

[hannahkane]

Thanks, @cadecairos. Yes, we are still interested in using it!

Though, @Melechuga, correct me if I'm wrong - it's not so much that we need to use this particular tool, and more that we want to identify some tool that will allow us to match people with their European elected officials and facilitate a phone call. Is that right? If this particular tool doesn't work out, we'd research other options.

@cadecairos - I don't know everything that's on your plate, but if you have time to set up a demo server and submit an RRA, that would be much appreciated.

[Melechuga]

@hannahkane Right, we don't have to use this exact tool, but after doing some research, this does seem like the best option. I'm fine if we research other options; I'm just aware that this takes time, and it'd be great to be able to have something up and running, that's supported, relatively soon. This one in particular is great because we can point other organizations to use this tool on their sites too, and CallPower can support them. Awesome if you can demo it, @cadecairos! And, again, we know the guy who built this quite well. He would be happy to have a convo and modify as needed.

[cadecairos]

OK so it was actually really easy to set up and depoy a call power instance on Heroku.

https://moz-call-power.herokuapp.com/

I can create accounts for people to poke around the interface. just ping me on Slack!

I'll open a BZ bug for an RRA today.

[cadecairos]

Actually, I'll open the RRA once I get the demo server fully working (having audio upload issues)

I want it available for the security team to poke at.

[cadecairos]

RRA Request filed here: https://bugzilla.mozilla.org/show_bug.cgi?id=1380057

I've sorted out the issues I had uploading campaign audio clips. the demo server is now fully operational. I even did a test call, and almost accidentally called my Ontario MPP (Member of Provincial Parliament) 😝

[cadecairos]

I did some rudimentary calculations on the cost of Call Power

If we pay for hosting, we're looking at a flat rate of $250/month, regardless of if we run any campaigns.

If we run it on Heroku, we're looking at much less of a base monthly cost (25 for the server, 50 for the database, 15 for the caching service & these costs can be easily reduced during months we aren't running big campaigns)

Now, the hosted plan allows for 1000 calls/month and $0.25 per additional call. On Twilio, we can get calls for as low as 0.013 cents per minute. If we get 1000 five-minute calls, we're looking at only ~65 bucks, and anything over that number is charged at the same rate, not 0.25/call.

The TL;DR; here is that now that I know it's super easy to host on Heroku and that costs should be less that the base cost of a hosted plan, I think we should run it ourselves.

If we can all agree on this, I'll make sure the RRA we do reflects this (because self-hosting VS hosted plan means there are different risks to weigh)

[Melechuga]

@cadecairos This is awesome! Thanks for reviewing and sharing. Since Josh makes his money by hosting, I'm wondering what sort of arrangement would make the most sense for us to propose. Do you have any ideas?

I'm fine with us hosting it for our campaigns, and I'm wondering if we could help support CallPower by encouraging our friends in the EU to use it -- are we comfortable with the security of it to suggest it to EU orgs for campaigning? Thanks!

[cadecairos]

I'm not opposed to going the route of paying for hosting, I just want to make sure we make the best use of the platform. If we go with that route, we will need to have Josh fill out one of our security questionnaires to make sure things are operationally secure on his side.

Does call power support countries other than US/Canada? Currently those two are the only options.

FYI: I've got an RRA for this scheduled for Friday.

[Melechuga]

Ok, great. I'll reach out to Josh next week, after the RRA (in case we have more questions). Currently CallPower is just US + Canada, which is why we're working with him to expand that to the EU -- Brussels initially.

[cadecairos]

🆒

I'll go into the RRA with the expectation that we'll pay for a hosted plan.

[Melechuga]

@hannahkane @cadecairos For the EU Copyright site, we're going to pay for a hosted plan -- need to figure out where to start, but I would suggest starting with the lowest ("Mini" = $250/month) and ramp up as needed. Josh (CallPower) is happy to give us a service agreement he has, or to read through whatever vendor agreement we ask for.

Hannah, what would next-steps be? Would be good to do this integration and the site update together-ish. Thanks!

[hannahkane]

@cadecairos - do you have a security questionnaire that @Melechuga can ask Josh to complete?

@Melechuga - will follow up separately with the broader "what's next" question.

[cadecairos]

vendor_saas_questions.txt

here's the vendor questionaire

I got the results of the VA back in on our demo deploy of Call Power, which raises a few questions we should ask Josh about:

• Does your hosted service offering enable any of the following features:
  • HTTP redirects to https (Must have)
  • X- security headers (Must havbe)
  • HSTS (HTTP Strict Transport Security) (must-have)
  • CSP (Content Security Policy) (would be really good to have)
• Is the hosted service run on a public cloud provider that uses DNS CNAME records to implement custom domain names, and if yes, what processes are in place to help prevent subdomain takeover vulnerabilities related to this.

[Melechuga]

@cadecairos Please see Josh's responses to the questionnaire here You're in touch with him now so hopefully you two can have more direct communication re: security.

Thanks!

[hannahkane]

@cadecairos - can you please post an update here? Has the tool passed security and vendor review? Thanks!

[cadecairos]

Based on the RRA We're good to go from security's point of view.

We will want to push them to implement Mutli-Factor Authentication sooner rather than later.

[hannahkane]

Thanks, @cadecairos. Can we close this ticket?

[cadecairos]

yes!