akvo / akvo-product-design

Products Design Documents
GNU Affero General Public License v3.0

Data securely stored on the app #287

Closed janagombitova closed 6 years ago

janagombitova commented 6 years ago

Context

With the upcoming GDPR coming into force in May 2018, we in Akvo started auditing how we treat personal data. We are looking closely at how we handle data of our users in our tools, as in Flow, how we make sure data captured by our users is handled responsibly, but also want to take this chance to see how we can support our users in becoming more responsible with their data.

We identified two larger focus areas and more specific opportunities within them:

  1. How do we in Flow handle personal data?
    • storing personal user data in Flow's online workspace
    • device identification
    • app users
    • handling the right to be forgotten
  2. How can we help our partners be more responsible when capturing and managing their data?
    • data is safe in transit and access to data is secured (safely stored on devices, downloading data exports not via email, opening a photo url only by users with access to Flow)
    • safeguarding personal data (how long is data stored, which data is highly sensitive, etc)

For more details check this issue: https://github.com/akvo/akvo-product-design/issues/283

This issue falls under "How can we help our partners be more responsible when capturing and managing their data?" and more specifically the opportunity "How might we ensure that captured data is safe in transit and access is secured".

Opportunity - Data is safely stored on the devices

What?

How data is managed and accessible is one of the core places to ensure data is safe. Only users with given roles and permissions can access data. Data needs to be encrypted in transit and one needs to ensure data cannot be accessed easily. Some organisations, in their Responsible Data policies, mention the option to be able to remotely wipe data from mobile devices. Password access to the data (on the online workspace and the app) is considered a core necessity. Secondly, the option to prioritise who has access to which data must be possible on the data platform.

For this issue we will be looking at improving how captured data is accessible from devices and how it is stored on a device.

Why?

Currently anyone can access captured data if she has the device. She can either open the app, or she can access the data via the device's file management. This is not a safe way of handling and storing captured data, as personal information that is in the data can be easily accessed by anyone.

[Screenshot: 2018-01-02 13:34:35]

[Screenshot: 2018-01-02 13:38:44]

How might we...

janagombitova commented 6 years ago

Today with @valllllll2000 and @muloem we have discussed how to go about securing captured data on devices.

Currently the captured data are accessible via a public folder. This is to enable offline data collection and the later transfer of data from the device to the online workspace. After the user submits the form, a zip file is created and stored in the public folder. Each submission has its own zip file and the media (photo and video) are stored in a separate subfolder. All these files are stored under the "data" folder. Once the user connects the device to a PC, she copies over the "data" folder, compresses it and drops it into Flow's online workspace. Flow then validates which data files are already synced and which are not yet, and saves the files.

On handling this issue we spoke about two options:

  1. Keeping the data zip files in the public folder but adding a code that will unlock the files
    • difficulty when it comes to handling media and how they are stored in the folder
    • would complicate the user experience by having to "unlock" the data files
  2. Store captured data in a private folder for all cases and, if the user needs to use the bulk upload of data for offline data collection, have the user trigger the creation of the data files in a public folder and take the responsibility of deleting them once done
    • the positive is that this puts all data in private storage by default and puts the responsibility on the user to decide to move the data files to a public place and ensure they are removed once done with the task
    • we would need to create an interface for how the user will trigger the generation of the files for offline data collection, which will also properly warn her about why she is doing this and what she needs to do afterwards
    • we would need to see how to handle the case where the user creates data - pushes it to the public folder for offline data collection - creates new data - needs to push the data offline again

We agreed not to change the way the upload of data happens.

We also discussed changing how data is sent from the app to the backend and agreed to consider removing the sending of zip files to S3, which will need work on the app and backend. A separate issue will be created in the repo to continue this discussion further - https://github.com/akvo/akvo-flow-mobile/issues/978

With regard to this issue, we will create the issues in the flow mobile repo and bring in @Kiarii to discuss the needs on the user interface.

Here are relevant issues:
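
As an added illustration of option 2 (not code from the Flow app or this repo), a hypothetical Android Java class that keeps submission zips in app-private storage and only copies them to a public folder when the user explicitly triggers an export, tracking which zips were already exported so a second collect-and-export round does not re-copy old files. The public path, the marker-file bookkeeping and the java.nio copy (API 26+) are my assumptions, and the media subfolder is left out.

```java
import android.content.Context;
import android.os.Environment;
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.StandardCopyOption;
import java.util.ArrayList;
import java.util.List;
/** Hypothetical store for submission zips: app-private by default, public only on explicit export. */
public class SubmissionStore {
    private final File privateDataDir;    // <app sandbox>/files/data: not visible to other apps or over USB
    private final File exportedMarkerDir; // records which zips were already exported (assumed bookkeeping)
    private final File publicDataDir;     // shared storage the bulk-upload workflow copies from
    public SubmissionStore(Context context) {
        privateDataDir = new File(context.getFilesDir(), "data");
        exportedMarkerDir = new File(context.getFilesDir(), "exported");
        publicDataDir = new File(Environment.getExternalStoragePublicDirectory(
                Environment.DIRECTORY_DOCUMENTS), "akvoflow/data"); // assumed public path
        privateDataDir.mkdirs();
        exportedMarkerDir.mkdirs();
    }
    /** Every new submission zip is written here, never to shared storage. */
    public File submissionFile(String submissionId) {
        return new File(privateDataDir, submissionId + ".zip");
    }
    /** User-triggered export for offline transfer. Copies only zips not exported before, so
     *  collect -> export -> collect more -> export again does not re-copy old files. */
    public List<File> exportForOfflineTransfer() throws IOException {
        publicDataDir.mkdirs();
        List<File> exported = new ArrayList<>();
        File[] zips = privateDataDir.listFiles((dir, name) -> name.endsWith(".zip"));
        if (zips == null) return exported;
        for (File zip : zips) {
            File marker = new File(exportedMarkerDir, zip.getName());
            if (marker.exists()) continue;
            File target = new File(publicDataDir, zip.getName());
            Files.copy(zip.toPath(), target.toPath(), StandardCopyOption.REPLACE_EXISTING);
            marker.createNewFile();
            exported.add(target);
        }
        return exported; // the UI lists these and reminds the user to delete them after the upload
    }
    /** Cleanup step the user confirms once the PC upload is done. */
    public void deleteExportedCopies() {
        File[] copies = publicDataDir.listFiles();
        if (copies != null) for (File copy : copies) copy.delete();
    }
}
```

The private copy stays the source of truth, so deleting the public copies after the upload loses nothing and leaves no submission readable from the device's file manager.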

janagombitova commented 6 years ago

Completed