NOTE:
We have contacted the VP of privacy to develop a robust and programmatic approach to reach out to people.
Hi Apache Software Foundation Community,
This document outlines the selected process to launch the Community Survey 2022.
Selected Distribution Process
The 2022 ASF Community Survey is intended to be completed by committers, contributors, and users of any Apache Software Foundation project. We decided to distribute it using the following criteria:
- Committers - We'll send a personalized email to each apache.org email address with a unique link to take the survey. The responses will be 100% anonymized, unless the individual specifically shares their contact information and gives permission for further contact to continue the research.
- Contributors and Users - We'll ask PMCs to directly invite their contributors and users to take the survey by sending notes to their mailing lists. The invite will have a universal link everyone can use to take the survey. All records will be anonymized.
Below is a description of the software selected for the survey, as well as the Privacy Policy followed.
Technology Selected
First and foremost, The Apache Software Foundation entered a very powerful contract with Bitergia for this project, which includes a clear and extensive GDPR annex. The ASF owns the data; we are only contracting with Bitergia to do the analysis of the input received via LimeSurvey - the selected technology to host the survey and receive anonymized responses. Bitergia does not have access to PII.
Bitergia has purchased a License from LimeSurvey that enables our survey to receive up to 10k responses.
LimeSurvey provides a tool that allows the V.P. of D&I to send emails with individualized URLs, but neither LimeSurvey nor Bitergia has access to the email addresses the invite will be sent to.
We selected LimeSurvey as the platform to execute the 2020 ASF Community Survey. LimeSurvey is "the worldwide leading open source survey software" (Licensed: GPL v2 or later). We further selected LimeSurvey GmbH as the SaaS provider. Due to the provider being German, the data protection Terms of Service are excellent and follow BDSG, TKG, and GDPR. (See https://www.limesurvey.org/policies/terms-conditions, Section 10: Data Protection). As is typical of the strong German data protection laws, the privacy policy is excellent as well: https://www.limesurvey.org/policies/privacy-policy
LimeSurvey is an open source project which is over 15 years old (though admittedly there was a complete re-write in 2012). Here is their bug tracker: https://www.limesurvey.org/community/bug-tracker. LimeSurvey currently has 1.3k stars on GitHub: https://github.com/LimeSurvey/LimeSurvey. There are no currently published security advisories on the project. The list of security vulnerabilities can be found here: https://www.cvedetails.com/vulnerability-list/vendor_id-6900/Limesurvey.html. The known vulnerabilities are apparently all addressed in the most recent release of the software.
(Myrle Krantz's contribution)
Launch Schedule
- Blogpost on survey published (Target date: December 5, 2019)
- Survey Launch to Committers (Target date: December 5, 2019)
- Send an ask to pmcs@apache.org to promote in their comms channels (Target date: December 5, 2019)
- Publish social media messages (Target date: December 5, 2019)
Send reminders to individuals (Target date: December 11, 2019 AND December 27, 2019)
NOTE: Reminders have been removed from the survey outreach plan. We won't be sending any more messages to committers@; all mentions of reminders have been struck out.
Privacy Policy
The Apache Software Foundation has a contract with Bitergia that specifically says that information will be handled following the ASF privacy policy, and that results will only be used to further the goals of The Apache Foundation.
In order to be GDPR compliant, we will only contact apache.org email addresses, which implies that their users have given the ASF permission to use them for contacting them on topics related to the ASF. Further, we will announce that this survey will take place in a blog post and participation is opt-in only.
GDPR Checks
☐ We have checked that legitimate interests is the most appropriate basis.
Yes. In 2016, the ASF launched a committer survey. We haven't done another and we'd like to understand the evolution of our community composition through the collection of scientific data.
☐ We understand our responsibility to protect the individual’s interests.
Yes. We do, and therefore we are announcing the launch of the survey in a blog so people are aware of our intentions. We are also taking all measures to avoid spamming people not interested in the survey. We're doing this through the assignment of unique tokens that match an unsubscribe link.
☐ We have conducted a legitimate interests assessment (LIA) and kept a record of it, to ensure that we can justify our decision.
Yes. Several mailing list discussions have approved the creation and launch of a new community survey.
☐ We have identified the relevant legitimate interests.
Yes. It is to understand the current composition of the ASF community.
☐ We have checked that the processing is necessary and there is no less intrusive way to achieve the same result.
Yes. The other available option is to email committers@; if we do this, we will lose the possibility of providing an opt-out link, and we will be compromising survey data integrity.
☐ We have done a balancing test, and are confident that the individual’s interests do not override those legitimate interests.
Yes. As per the above statement, this is the most compliant way to provide an opt-out link. Additionally, since the ASF doesn't have an internal service to support surveys, we are reaching out to a third party vendor to achieve this.
☐ We are not using people’s data in ways they would find intrusive or which could cause them harm, unless we have a very good reason.
Yes. As per the above message, using the committers@ alias won't let us provide a way to opt out from the survey and further communications; therefore yes, we are not using people's data in ways they would find intrusive.
☐ If we process prisoners, protected classes or children’s data, we take extra care to make sure we protect their interests.
N/A. Since we do not know this from our records, we have no way to ensure this.
☐ We have considered safeguards to reduce the impact where possible.
Yes. The use of individual emails is limited to one invitation per person, and reminders are only sent if a person did not opt out or already reply to the survey.
☐ We have considered whether we can offer an opt out.
Yes. We are offering an opt-out.
☐ If our LIA identifies a significant privacy impact, we have considered whether we also need to conduct a DPIA.
N/A. Our LIA did not identify any significant privacy impact.
☐ We keep the considerations that have gone into this LIA on file.
Yes. The discussions have occurred in public on mailing lists and in this wiki, which are both archived.
☐ We include information about our legitimate interests assessment in our privacy information.
Yes. This wiki page details information about our LIA and we link to it from the blog post and invitation emails. Select information from our LIA is also directly included in the blog post and invitation emails, such as sending individual emails to provide opt-out ability.
FAQs
Will there be a message to committer@ explaining that they will receive a subsequent message?
Yes, we will add a sentence in the first email saying that we will send one reminder to take the survey if they haven't done so two weeks after the first invite.
What is the content of the message to developers soliciting their participation in the survey?
See full comms plan here (1)
Initial invite
This will be sent to all apache.org email addresses.
Title: Invitation to take the 2020 ASF Community Survey
Hi {FIRSTNAME},
The ASF is contacting you directly because we need your participation in the 2020 ASF Community Survey. If you do not wish to participate and do not want to further receive these emails, please opt out in the link provided at the bottom.
Your participation is important because it will provide us with scientific information about our community, and shed light on how we can collaborate better and become more inclusive and diverse. Please take 15 minutes to fill out the 2020 ASF Community Survey.
{SURVEYURL}
This is your unique link [1], please don’t share it with anyone. All responses will be aggregated and anonymized - and this data will only be used for this 2020 Community Survey.
One of the reasons why we have chosen to email you privately with a unique URL is to let us track the responses in a statistically sound manner. To ensure that we are handling this process securely and with the right privacy guarantees, we've enlisted a third party (LimeSurvey) with the required expertise and process hygiene.
You can find information about privacy on the survey’s Confluence page [2] and read more about it in its blogpost [3].
The last survey of this kind was implemented in 2016, which means that our existing data about Apache communities is outdated. The 2020 ASF Community Survey is looking to gather scientific data that allows us to understand our community better, both in its demographic composition, and also in collaboration styles and preferences. We want to find areas where we can continue to do great work, and others where we need to provide more support so that our projects can keep growing healthy and diverse.
The deadline to complete the survey is January 4th, 2020.
We will send 2 more reminders before the date.
Kindly,
Griselda Cuevas
V.P. of Diversity and Inclusion
The Apache Software Foundation
[1] {SURVEYURL}
[2] Launch Plan - The 2020 ASF Community Survey
[3] https://s.apache.org/pzol5
PS: We will send another email to remind people to take the survey in two weeks; only people who haven’t taken the survey will receive it. If you do not want to participate in this survey and don't want to receive any more reminders, please click the following link:
{OPTOUTURL}
You are receiving this email because you are the owner of an apache.org ID, which means you have a relationship to the ASF Community to which this survey pertains.
Launch Blogpost (Published in the apache.org blogpost and the D&I newly created blog)
Blog title: Launch of the 2020 ASF Community Survey
This week, we are excited to launch the 2020 ASF Community Survey, with which we will gather scientific data that allows us to understand our community better, both in its demographic composition, and also in collaboration styles and preferences. We want to find areas where we can continue to do great work and others where we need to provide more support so that our projects can keep growing healthy and diverse. This joint effort was long overdue: our last survey of this kind was implemented in 2016 [1], which means that all the information we currently have about our communities is outdated.
For this new version of the survey, we have hired Bitergia to design it, a company expert in analyzing open source communities and other types of software development teams. They have experience in this type of survey and research in open source communities. Among other studies, their previous work includes an analysis of gender diversity in technical contributions for OpenStack [2]. The 2020 ASF Community Survey is the first part of a two-stage research project. The second part consists of interviews with people who have contributed to the ASF, in order to assess their experience. We’ll share more on this second part of the project soon.
This survey and research are part of the ASF efforts to build a more equitable, inclusive, and diverse community. They are run by the Vice Presidency of Diversity and Inclusion, a team formed last May. We’ll share a broader update about this group in January.
If you have an apache.org email address you will receive an email by Wednesday, Dec 4 at noon PST, with a link to the survey. Please take 15 minutes to complete it. We send individual invites to limit mailing list traffic and offer an opt-out. If you didn’t receive the email or you do not have an apache.org email address, please use this link to complete the survey:
https://communitysurvey.limequery.org/454363
We are looking to hear from everyone in our community: from users and contributors, to committers and PMCs. Everyone’s voice matters.
Find more information about the 2020 ASF Community Survey on its page on Confluence, including the privacy policy governing this initiative. If you are part of our community, either as a user, contributor, or both, your participation is paramount to the success of this project! Please consider filling out the survey, and share this blog on social media, send it to your fellow Apache contributors. As individuals form the Apache community, your opinion matters: we need to hear your voice.
Links
[1] https://cwiki.apache.org/confluence/display/COMDEV/ASF+Committer+Diversity+Survey+-+2016
Who will be the from: address on the message?
Griselda Cuevas <gris@apache.org>
LimeSurvey will be configured to send emails via Apache's SMTP server.
Will there be a personalized link to the survey?
Yes, each individual receiving the invite directly from LimeSurvey will have a unique link that can be used only once. This doesn't compromise anonymity when taking the survey, since we are not correlating answers to unique links.
Having a unique link helps provide opt-outs from reminders.
How will non-Apache-id holders be able to request a survey?
We will reach non-committers via three channels: blog posts in the official apache.org blog and the D&I blog, social media snippets, and email shared to PMCs and PPMCs to share through their user and dev lists. These messages will contain a universal link to the survey, and anyone who has that link can fill it out.
See comms plan for full messaging (1)
What will be done with the results?
The results will be analyzed by Bitergia, and will be used to inform the design of the contributor experience interviews. We'll publish a plan for these interviews two weeks after the survey launches.
Bitergia will also produce a report with aggregated results, similar to what we posted about the 2016 Survey run by ComDev (2).
Does this process conform to GDPR requirements?
Yes. In order to be GDPR compliant, we will only contact apache.org email addresses, which implies that their users have given the ASF permission to use them for contacting them on topics related to the ASF. Further, we will announce that this survey will take place in a blog post and participation is opt-in only.