NOTE: We have contacted the VP of privacy to develop a robust and programmatic approach to reach out to people.
Hi Apache Software Foundation Community,
This document outlines the selected process to launch the Community Survey 2022.
Selected Distribution Process
The 2022 ASF Community Survey is intended to be completed by committers, contributors, and users of any Apache Software Foundation project. We decided to distribute it using the following criteria:
- Committers - We'll submit a personalized email to each apache.org email address with a unique link to take the survey. The responses will be 100% anonymized, unless the individual specifically shares their contact information and gives permission to further contacts to continue the research.
- Contributors and Users - We'll ask PMCs to directly invite their contributors and users to take the survey by sending notes to their mailing lists. The invite will have a universal link everyone could use to take the survey. All records will be anonymized.
First and foremost, The Apache Software Foundation entered a very powerful contract with Bitergia for this project, which includes a clear an extensive GDPR annex. The ASF owns the data, we are only contracting with Bitergia to do the analysis of the input received via LimeSurvey - the selected technology to host the survey and receive anonymized responses. Bitergia does not have access to PII.
Bitergia has purchased a License from LimeSurvey that enables our survey to receive up to 10k responses.
LimeSurvey provides a tool that allows the V.P. of D&I, to send emails with individualized urls but neither LimeSurvey nor Bitergia have access to the email addresses the invite will be sent to.
LimeSurvey is an open source project which is over 15 years old (though admittedly there was a complete re-write in 2012). Here is their bug tracker: https://community.limesurvey.org/bug-tracker/ LimeSurvey currently has 2k stars on github: https://github.com/LimeSurvey/LimeSurvey. There are no currently published security advisories on the project. The list of security vulnerabilities can be found here: https://www.cvedetails.com/vulnerability-list/vendor_id-6900/Limesurvey.html The known vulnerabilities are apparently all addressed in the most recent release of the software.
- Blogpost on survey published ( ) publish the blog post "Launch of the 2022 ASF Community Survey".
- Survey Launch to Committers ( ) send the "email to committers"
- Send an ask to firstname.lastname@example.org to promote in their comms channels ( ) send "email to PMC"
- Publish social media messages ( )
Send reminders to committers that didn't opt-out ( )
- Close the survey on ( )
In order to be GDPR compliant, we will only contact apache.org email addresses, which implies that their users have given ASF permission to use it for contacting them on topics related to ASF. Further, we will announce that this survey will take place in a blog post.
GDPR Checks - WIP
☐ We have checked that legitimate interest is the most appropriate basis.
Yes. In 2016 and 2020, the ASF launched a committer survey. We would like to understand the evolution of our community composition through the collection of scientific data. We have analyzed the data collected in the survey of 2020 and would like to keep track of its evolution with a subsequent round.
☐ We understand our responsibility to protect the individual’s interests.
Yes. We do, and therefore we are announcing the launch of the survey in a blog so people are aware of our intentions. We are also providing all measurements to avoid spamming people not interested in the survey. We're doing this through the assignment of unique tokens that match an unsubscribe link.
☐ We have conducted a legitimate interests assessment (LIA) and kept a record of it, to ensure that we can justify our decision.
Yes. after the first survey, the community identified multiple improvements points and the need to rerun the survey in order to keep track of this development.
☐ We have identified the relevant legitimate interests.
Yes. It is to follow up on the efforts done in 2020, understand the current composition of the ASF community, and implement improvements to the identified barriers.
☐ We have checked that the processing is necessary and there is no less intrusive way to achieve the same result.
Yes. The other available option is to email committers@, if we do this, we will lose the possibility of providing an opt-in/out link, and we will be compromising survey data integrity.
☐ We have done a balancing test, and are confident that the individual’s interests do not override those legitimate interests.
Yes. As per the above statement, this is the most compliant way to provide an opt-in/out link. Additionally, since the ASF doesn't have an internal service to support surveys, we are reaching out to a third-party vendor to achieve this.
☐ We are not using people’s data in ways they would find intrusive or which could cause them harm, unless we have a very good reason.
Yes. As per the above message, using the committers@ alias won't let us provide a way to opt-in/out from the survey and further communications, therefore yes, we are not using people's data in ways they would find less intrusive.
☐ If we process prisoners, protected classes or children’s data, we take extra care to make sure we protect their interests.
N/A. Since we do not know this from our records, We have no way to ensure this.
☐ We have considered safeguards to reduce the impact where possible.
Yes. The use of individual emails is limited to one invitation per person
and reminders are only sent if a person did not opt-out or has already replied to the survey. (no reminders will be sent)
☐ We have considered whether we can offer an opt-out.
Yes. But it is the community response that opt out is not an ideal solution either, we won't send reminders to apache.org emails.
☐ If our LIA identifies a significant privacy impact, we have considered whether we also need to conduct a DPIA.
N/A. Our LIA did not identify any significant privacy impact.
☐ We keep the considerations that have gone into this LIA on file.
Yes. The discussions have occurred in public on mailing lists and in this wiki, which are both archived.
☐ We include information about the assessment of our legitimate interests in our privacy information.
Yes. This wiki page details information about our LIA and we link to it from the blog post and invitation emails. Select information from our LIA are also directly included in the blog post and invitation emails.We won't send reminders.
Will there be a message to committer@ explaining that they will receive a subsequent message? Yes, we will add a sentence in the first email saying that we will send one reminder to take the survey if they haven't two weeks after the first invite. If the opt-out that message with the remainder will not be sent. (reminders won't be sent)
What is the content of the message to developers soliciting their participation in the survey?
See the full communications plan: Survey - Communication plan
This will be sent to all apache.org email addresses.
Title: Invitation to take the 2022 ASF Community Survey
Launch Blogpost (Published in the apache.org blogpost and the D&I newly created blog)
Blog --TITLE: Launch of the 2022 ASF Community Survey
Who will be the from: address on the message?
Katia Rojas <email@example.com>
Lime Survey will be configured to send emails via Apache's SMTP server.
Will there be a personalized link to the survey?
Yes, each individual receiving the invite directly from Lime Survey will have a unique link that could be used only once. This doesn't compromise anonymity when taking the survey, since we are not correlating answers to unique links.
Having a unique link helps provide opt-outs from reminders.
How will non-Apache-id holders be able to request a survey?
We will reach non-committers via three channels: Blogposts in the official apache.org blog and the D&I blog, social media snippets and email shared to PMCs and PPMCs to share through their user and dev lists. These messages will contain a universal link to the survey and anyone who has that link could fill it.
What will be done with the results?
The results will be analyzed by Bitergia, and will be used to inform the design of the contributor experience interviews. We'll publish a plan for these interviews two weeks after the survey launches.
Bitergia will also produce a report with aggregated results, similar to what we posted about the 2016 Survey ran by ComDev (2)
Does this process conform to GDPR requirements?
Yes. In order to be GDPR compliant, we will only contact apache.org email addresses, which implies that their users have given ASF permission to use it for contacting them on topics related to ASF. Further, we will announce that this survey will take place in a blog post.
SMTP server to allow Katia to be the sender of the survey invitations
In order to send the messages with an __at__apache__dot__org sender it is needed to setup Limesurvey to use the SMTP for the ASF. If this is not configured the message will be sent by the sender firstname.lastname@example.org. Find below a list of the parameters that need to be filled in with a link the documentation of the tool:
- SMTP username: If your SMTP-server needs authentication, set this to your user name, otherwise it must be blank
- SMTP password: If your SMTP-server needs authentication, set this to your password, otherwise it must be blank
- SMTP encryption - Three options are available: Off (default value), SSL or TLS
This parameters are available in the global settings of the Limesurvey account.
To make easier the setup of the SMTP server, these are the parameters we used in a previous survey sent by Gris.
As detailed in the Distribution Process there are two main groups that will be surveyed, these are committers and contributors and users of the Apache Software Foundation project. Each group has different requirements and the way to solve this with Limesurvey is to deploy two surveys with the same content and different access rules. Find below the most relevant parameters of each setup.
- Contributors and Users - In order to offer a link it is needed to set up the survey in open-access mode. The invite will have a universal link everyone could use to take the survey. All records will be anonymized.
- Committers - This survey will be a copy of the one above with a change in the "Survey participants" section to make this survey restricted. It will be needed to import all the committers in the "Central participant management" menu via CSV File and add them to the survey. When this is ready the last step before sending the invitation is to generate a token for them.