Online Focus Groups Privacy and Security Considerations

Online Focus Groups: Privacy and Security Alfonso Sintjago & Caryn E. Lindsay AEA Conference Oct. 26, 2012 Minneapolis, MN

description

This presentation highlights some of the considerations moderators and research teams should make, in terms of security and privacy, when planning to host an online focus group. Privacy varies by individual, country and culture, and our perception of security may not always match reality as closely as we would like to imagine.

Transcript of Online Focus Groups Privacy and Security Considerations

Page 1: Online Focus Groups Privacy and Security Considerations

Online Focus Groups: Privacy and Security

Alfonso Sintjago & Caryn E. Lindsay

AEA Conference

Oct. 26, 2012

Minneapolis, MN

Page 2: Online Focus Groups Privacy and Security Considerations

Colleagues Have Discussed

● Benefits

● Utility

● Selecting a platform

● Making connections

Page 3: Online Focus Groups Privacy and Security Considerations

Issues of Concern

Data Privacy

● “Many Internet users fail to realize that something once put online more or less stays online and may be retrieved by others and replicated” (Walther, 2011, pg. 4). (High Levels of Variability)

Data Security

● The policies enacted by third parties, which could be the internet service provider (ISP), the cookies on the browser, web beacons, the server(s) where the data is stored, or the online service(s) utilized, may result in the legal or illegal selling and purchase of research data by additional parties (Craig & Ludloff, 2011).

Page 4: Online Focus Groups Privacy and Security Considerations

Security Considerations for Platform Selection

unrecognized vulnerabilities within software

capabilities to address vulnerabilities

hosting internally or hosting externally

security level utilized by servers

online programs allow for interaction

complexity can increase weaknesses

data could be not digitized

limiting copies of the information

May be subject to IRB, FERPA, or HIPAA regulations

Page 5: Online Focus Groups Privacy and Security Considerations

Relevant Online Security Elements to Consider

Services are as vulnerable to hacking as their weakest line of code (Bailey, 2012; Stuttard & Pinto, 2011)

Page 6: Online Focus Groups Privacy and Security Considerations

The Unique Environment of an Online Focus Group

● If participants do not trust a system, it is less likely that the focus group will gain the valuable data it hopes to obtain (Gottman, 2011; Metzger, 2004).

● Trust is also an essential element for the effective functioning of a society (Schneier, 2012).

● As a qualitative research method, a focus group “explicitly use[s] interaction as part of the method” (Kitzinger, 1995, pg. 299).

Page 7: Online Focus Groups Privacy and Security Considerations

Figure 1.1 – Internet Focus Group (Flow of Data – Parties with Access to Data)

Figure 1.2 – Traditional Focus Group (Flow of Data – Parties with Access to Data)

When selecting platforms, consider signing business associate agreements

Page 8: Online Focus Groups Privacy and Security Considerations

Sen. Al Franken - (D-MN) on Social Media

“You [users] are not their client, you are their product.”

Remember to ask: What is the revenue model? How does the business make a profit?

Page 9: Online Focus Groups Privacy and Security Considerations

Careful Analysis and Consideration

Despite the benefits of the platforms for social networking, Facebook, Twitter, and Google may not provide users with the privacy that may be desired by a research-oriented focus group, particularly when dealing with delicate subject matters such as traumatic experiences, socially unacceptable opinions, and other confidential information.

Page 10: Online Focus Groups Privacy and Security Considerations

Overview of Major Risks - # 1

Data Transferability

● Information in the Cloud is hard to delete and/or access

● Increased smartphone use + recording capability (50%+ own smart phones)

● Multiple copies of Cloud data (Reliability vs. Security)

● Data accessible through more devices

Page 11: Online Focus Groups Privacy and Security Considerations

Overview of Major Risks - # 2

Hacking and Password Vulnerability

● Many well-known organizations have been hacked (LinkedIn, New York Times, DOJ, Bank of America, Google, etc.)

● Importance of longer passwords (7+ Digits)

Increased understanding of user choices

● Use of different passwords (10%+ use 1234)

(database of 3.4 million four-digit passwords)

Page 12: Online Focus Groups Privacy and Security Considerations

Overview of Major Risks - #3

Provider Practices

● Average Security Policy is Too Long (2000+ Words)

1200 websites visited, requiring an average of 201 hours a year

● Privacy Implications May be Difficult to Understand

● Many Organizations Collect and Sell Data

● Privacy Policies Can be Suddenly Modified

Page 13: Online Focus Groups Privacy and Security Considerations

Examples

● Comcast retains users’ data for over 180 days;

● AOL previously released the partially anonymized data of over 600,000 users;

● Sonic.net only retains users’ clickstream data for two weeks (Kirk, 2006; Greenberg, 2012).

Page 14: Online Focus Groups Privacy and Security Considerations

Options

● Use and visit trusted secure sites, applications.

● TRUSTe, WOT, McAfee SiteAdvisor, Haute Secure, etc.

● HTTPS and Encrypted Comm, Encrypted Drives

● Virtual Private Network (VPN) and Proxies in countries whose laws offer better privacy protection

● TOR (https://www.torproject.org/)

Page 15: Online Focus Groups Privacy and Security Considerations

Elements to Consider When Selecting a Platform - 1

Conducting an Online Focus Group: Questions for Moderator

1- Requirements of the Study: Must it meet HIPAA privacy standards? Is the data sensitive?

2- Concerns of the Participant: Will the participant feel comfortable in this environment?

3- Anonymity of participants: Can participants participate without being identified?

4- Data encryption: Must the data be encrypted? Is the data encrypted?

5- Server Location: Must the data be stored locally, can it be stored on the cloud?

6- Selection of Participants: Are there benefits from having access to social network data?

7- Terms of Agreement: Are the terms of agreement acceptable and favorable?

8- Control over Change: Can the platform privacy be modified without your input?

9- Notification of Changes: How will the service provider notify you of policy changes?

10- History of the Company: Is the site trusted (TRUSTe, etc)? Recent misuses of data?

Page 16: Online Focus Groups Privacy and Security Considerations

Elements to Consider When Selecting a Platform - 2

Conducting an Online Focus Group: Questions for Moderator

11- Ownership of Data: Is the data owned or shared by the service provider?

12- Access to the Data: Is the data accessible to anyone on the Internet?

13- Security from Users: Can the data be easily copied and distributed by users?

14- Security from Outsiders: Could the data be stolen by a third party?

15- Anonymity of Data: Will the provider anonymize the data?

16- Selling of Data: Can the service provider sell the focus group data?

17- Modifications to Platform: Can the platform be modified? Can its security be enhanced?

18- Access to the Source Code: Do you have access to the source code? Can you modify it?

19- Linking of Participant Data: Can the data be easily linked to other data from that user?

Page 17: Online Focus Groups Privacy and Security Considerations

Recommendations

Choosing the ‘best’ platform depends upon many factors

Data may be used by companies in unexpected ways

Data may be accessed illegally by third parties

Digitized data can be easily duplicated and transferred

Misuses of data can have serious consequences

A sincere attempt to protect privacy must be taken

Decide whether or not you trust any third parties involved

Online or Offline, focus groups are based on trust!

Page 18: Online Focus Groups Privacy and Security Considerations

PRIMARY ONLINE PROGRAMS CONSIDERED BY UMN’S ONLINE FOCUS GROUP RESEARCH TEAM

Page 19: Online Focus Groups Privacy and Security Considerations

Skype (available since 2003)

Privacy Policy Last Updated: June 2012

Overview: Video and voice over IP Software, High Bandwidth, Real-Time, Multi-Platform

With over 650 million users, Skype is the largest Voice Over Internet Protocol (VOIP)

Skype uses secure algorithms and standards (RSA and AES) to protect users from hackers and phishing.

EDUCAUSE experts were concerned in 2007 about the level of access to network ports that Skype required from computers that utilized the software

“Skype will not sell, rent, trade or otherwise transfer any personal and/or traffic data or communications content outside of Microsoft and its controlled subsidiaries and affiliates without your explicit permission, unless it is obliged to do so under applicable laws or by order of the competent authorities.”

More Information: http://www.skype.com/intl/en-us/security/

http://www.skype.com/intl/en/legal/privacy/general/

Page 20: Online Focus Groups Privacy and Security Considerations

Adobe Connect (available since 2003)

Privacy Policy Last Updated: May 2012

Overview: Multiple deployment options. Web Presentations and Video Conferencing

Adobe Connect can be customized and hosted locally allowing for the incorporation of additional security features if required by HIPAA or FERPA.

Since 2011, Adobe allows Adobe Connect to be licensed in three ways

Security functions include the ability to disable undesired functionalities, control over access to meeting rooms, SSL encryption, best practices for password management policies, and an easy-to-use administration console that enables the configuration of LDAP (Lightweight Directory Access Protocol) server details, authentication methods, query page-size limits, and other valuable security features.

More Information: http://www.adobe.com/privacy/policy.edu.html

http://www.adobe.com/products/adobeconnect/features.edu.html

Page 21: Online Focus Groups Privacy and Security Considerations

Ning (available since 2003)

Privacy Policy Last Updated: December 2010

Overview: Private social network. Cloud-based environment.

Does not profit from the sale of data - requires users to pay for the cost of maintaining their space.

Ning allows an organization to purchase their own Ning installation

Utilized by a large number of educational communities

Users cannot host Ning within their own servers (must be hosted by Ning)

Does not utilize HTTPS and is not HIPAA compliant

More Information: http://www.ning.com/about/legal/privacy/

http://www.ning.com/about/safety/

Page 22: Online Focus Groups Privacy and Security Considerations

Moodle (available since 2002)

Privacy Policy Last Updated: Will vary depending on the installation

Overview: Modular Object-Oriented Dynamic Learning Environment. OSS Learning Management System (LMS).

Moodle is a highly customizable platform that can be hosted on most servers.

Currently used in 220 countries, in over 65 thousand sites (http://moodle.org/stats/).

Moodlerooms.com offers Moodle hosting services that are HIPAA and FERPA compliant

Large community of developers working to improve the platform.

Because it is open source software, anyone could find its vulnerabilities. (No Backdoor Access)

Installations may or may not utilize https and robust user authorization systems.

More Information: http://docs.moodle.org/23/en/Security_FAQ

http://docs.moodle.org/23/en/Security_recommendations

http://moodle.org/security/

Page 23: Online Focus Groups Privacy and Security Considerations

Internet Start Up Companies (Varies by Start Up)

Privacy Policy Last Updated: Will vary depending on the start up.

Overview: Large number of programs with multiple advantages.

May be more willing to meet HIPAA and other security requirements than a larger company

Privacy could be increased for participants if an internal product is developed

A start up could change its business plan or fail to secure data properly

With the exception of Moodle, all other discussed sites have been awarded a TRUSTe seal

Carefully consider a partnership with a start up, especially if the data is of a delicate nature

Adapting software that is already available to meet a different function can be complicated

No online environment addressed all of the elements discussed by other team members