Closed Bug 1243023 Opened 8 years ago Closed 8 years ago

Vendor Sec Review: Share Progress

Categories: mozilla.org :: Security Assurance: Review Request (task)
Priority: Not set
Severity: major

Tracking: Not tracked

Status: RESOLVED FIXED

People: Reporter: paulj, Unassigned

Whiteboard: [pending secreview]

Attachments (2 files, 1 obsolete file):
- 98.79 KB, application/vnd.openxmlformats-officedocument.wordprocessingml.document
- 636.67 KB, application/pdf

ShareProgress is a social sharing optimization tool that we wish to integrate into the Mozilla Foundation’s advocacy platform. This tool will allow us to A/B test messaging and tactics within the sharing components of our campaign. 

Simon Wex shared an initial questionnaire for Share Progress which Jim Pugh, their CEO, has completed here: 

https://docs.google.com/document/d/1i2qhvKuwaYTwWdERfJ-o1RCK3jj0ZOFigzpW8NUEGT4/edit?usp=sharing
I have the same questions as Simon. Related to these, if customers are required to create member accounts (see section on authentication), won't Share Progress have access to at least some Mozilla personnel data? Maybe their idea is that they don't store because Amazon Web Services is responsible for the actual storage on their behalf?

Normally the security team -- not me -- reviews this questionnaire and uses it as a jumping-off point for their assessment, but if it turns out no Mozilla user or personnel data is collected, then the tool doesn't need a security review in the first place. So it would be good to confirm this before moving forward.
Thanks, Abigail. I heard back from Jim at Share Progress and here's what he had to say (it's also reflected in the gdoc). 

RE: Personnel data: Jim misread "personnel" as "personal" in the first pass here. This section has now been updated to reflect the data they collect on Mozilla personnel. ShareProgress collects an email address and an encrypted password for a single Mozilla personnel member who registers the account.

RE: Simon's question: To clarify: they do record when users perform the following actions:
- view a ShareProgress share page
- click to share on Facebook, Twitter, or by email
- click on a link that has been shared via the ShareProgress tools

This data isn't tied to any personally identifiable user information, but is associated via a randomly-generated sparse ID value that's limited to a browser session. The ShareProgress system then calculates aggregate statistics based on this data.

Let me know if this answers your question and what the next step would be to move forward.
Flags: needinfo?(aphillips)
Marshall - MoFo wants to use ShareProgress, a social sharing optimization tool, on its advocacy platform. Could you take a look at this bug and advise whether a security review is needed?

Thanks,
Abigail
Flags: needinfo?(aphillips) → needinfo?(merwin)
Flagging that there is urgency for this review process.
Severity: normal → major
David, Paul,

Can you help me understand what Share Progress will be collecting and measuring from our campaigns?  You've said that "this tool will allow us to A/B test messaging and tactics within the sharing components of our campaign."  This would seem to suggest that we are collecting data from separate populations in our campaign. How are we doing this?  What is the data? Such data collection would typically be something we would like to understand.  However, Jim seems to be interpreting our questions about "user data" here very narrowly - i.e. his responses focus on data collection from Mozilla staff using Share Progress. 

I'd like to understand what data will be collected from the targets of our campaigns and how that data is collected. What service is Share Progress actually providing us?

Jeff, do you want to do a security review of this service?  Share Progress has already filled out your questionnaire.
Flags: needinfo?(paulj)
Flags: needinfo?(merwin)
Flags: needinfo?(jbryner)
Flags: needinfo?(davida)
Marshall,

Here's Jim's response to your questions:

"The ShareProgress tools track the actions of users who are prompted to share with friends on Facebook, Twitter, and email within the context of online campaigns. Different versions of share language are assigned randomly to users, and the platform tracks when users click to share with friends (shares), as well as when friends of those users click the Facebook/Twitter/email link to visit the campaign action page (viral visits) and when those friends complete the campaign action and are directed to the post-action sharing page (viral actions). By tracking the ratio of viral actions to shares for different share language versions, the platform is able to provide statistical information about the relative performance of the different versions and to dynamically adjust the probability of assigning a version to users based on its performance.

All data is recorded via AJAX calls to the ShareProgress platform. A sparse, random ID is assigned to users when visiting a share page or clicking on a share link and included in the AJAX calls. The recorded data is reported to Mozilla personnel in aggregate through the platform analytics pages."

Let me know if this clarifies and provides enough detail for you to move forward. Thx!
Flags: needinfo?(paulj)
Paul,

How will we actually be using ShareProgress? Will we be embedding ShareProgress links in emails for our campaigns, for example? In other words, what is the mechanism through which the sharing occurs that ShareProgress will be measuring?

Marshall
Flags: needinfo?(paulj)
We will be embedding ShareProgress links into the sharing buttons on our landing page(s). More specifically, for each piece of content we are featuring during the campaign, we'll have a Facebook, Twitter and Email share call-to-action (buttons) that accompany the video and include a ShareProgress link.
Flags: needinfo?(paulj)
Thank you Paul. That is very helpful. Mozilla tends to be sensitive about tracking tools, so I just want to make sure I understand and that we vet appropriately. I have a few additional questions below now that I understand the context a bit better. It might be quicker if we could have a call with ShareProgress.

- Does ShareProgress utilize a cookie to assign and remember the random ID?
- If so, does ShareProgress have an opt-out mechanism it provides to users who do not want it to collect the data?
- Is the ID unique to Mozilla users or is the same ID used for any service using ShareProgress?
- How long does that cookie persist?
- Under what circumstances, if any, would the data be available to any other party other than Mozilla?
Thanks for the quick reply, Marshall. Totally understand the sensitivity here. 

I think a call with them directly would be the quickest way to get all our questions answered. I'll find some time in calendars and send an invite.
Marshall, sent you an invite for 10 am PST on Friday to discuss open questions with Jim from Share Progress.
cc-ing Jonathan to make sure he has visibility. Paul can you invite him to the call as well just in case he has outstanding questions?
Flags: needinfo?(jbryner)
great- invite sent.
Paul,

Did you look at using Optimizely for this purpose?  What functionality does Share Progress provide that Optimizely does not? Is Optimizely's functionality sufficient for your purposes?

Marshall
Marshall- we do use Optimizely and explored whether it could be used for this purpose. Unfortunately, Optimizely only works for testing the on-page experience and does not extend into testing the shared content from a page. Share Progress is pretty unique in this space and none of our existing tools allow for this type of functionality.
I'm good with this going forward provided that we satisfy the following:

1) Share Progress should sign our data addendum. That addendum should specify that Share Progress will delete any Mozilla data upon termination of our use of their service.

2) We should use a custom subdomain so that Mozilla data is not mixed with other data or shared with other organizations using Share Progress.  The fact that Mozilla data should not be combined with non-Mozilla data should be specified in the contract using the same language we used in the Google Analytics contract.

3) Share Progress needs to implement a DNT solution along the lines of what Jim proposed in his email. This should also be in the contract. "For the Do Not Track functionality, it seems like we could just look for the Firefox doNotTrack flag and avoid setting cookies for users where that is enabled. If that would work for you all, I think we could get that implemented within the next couple of weeks."

4) Share Progress should finish going through security review. 

Abby, let me know if you want to discuss.
Flags: needinfo?(aphillips)
Thanks, Marshall. 

Paul, once the security review is complete we can start discussing the contract.
Flags: needinfo?(aphillips)
Flags: needinfo?(davida)
Hi, Abigail. The security review is now complete and we'd like to start using the service. 

There's no contract for us to sign, we just need to agree to these terms of service when we create our online account w. them: 
https://run.shareprogress.org/tos

Can you let Paul know if it's ok for us to proceed?
Flags: needinfo?(aphillips)
Hi Matt,

We need to do a negotiated/custom contract with them in order to incorporate the requirements from Comment 16 and anything from the Risk Record that needs to be included. Could you find out if they have a template partner agreement that we can use as a starting point?

Thanks,
Abigail
Flags: needinfo?(aphillips)
* Paul is going to follow up w. Share Progress re: Comment 16 and report back here. 
* Our understanding is that there is nothing additional required re: the Risk Record. We're clear on that front. (There were recommendations, but no remaining blockers.) 
* Paul will update further here.
Abigail-

I talked to Share Progress and they don't have an existing template partner agreement. They said: 

"If your lawyers can write up an addendum to our ToS that talks about deleting data and DNT, I'd be happy to sign that -- we've done that in some exceptional cases in the past."

Is that something that would be possible for you to do?

Thx!
Paul
Flags: needinfo?(aphillips)
Yep, I'll prepare something that we can send them.
Flags: needinfo?(aphillips)
Hi Marshall,

> 2) We should use a custom subdomain so that Mozilla data is not mixed with
> other data or shared with other organizations using Share Progress.

I'm not sure I understand where the custom subdomain comes in?

> The
> fact that Mozilla data should not be combined with non-Mozilla data should
> be specified in the contract using the same language we used in the Google
> Analytics contract.

Do you have this language? If not, I'll track down the agreement through Liz -- is there only one Google Analytics contract?

Thanks,
Abby
Flags: needinfo?(merwin)
Hi, Abigail.

Re: custom sub-domain: this is a configuration option we have already chosen and is ready to go, so we're already all good on that front. 

Sounds like we're down to clearing that final blocker re: Mozilla data not being mixed with non-Mozilla data. We're approaching an important second wave for the campaign -- any chance we might be able to get this language drafted this week so that we can start using the tool?
Thanks for the subdomain clarification. The language that Marshall has approved for the data segmentation piece already exists; I am just trying to track it down so I can drop it into the agreement. 

In the meantime, the rest of the agreement is ready to go with the exception of one question: Are we paying for the use of the service? Section 4(A) of the TOS states, "you agree to the terms of sale, pricing, payment and billing policies applicable to such fees and charges, posted or linked here"; however, there is no link to payment terms. Could you please ask ShareProgress about this? 

Separately, I just want to make you and Paul aware that the terms are very, very one-sided in ShareProgress's favor, especially in the indemnification and limitation of liability sections that deal with MoFo's liability under the contract. It sounds like signing a separate agreement in lieu of agreeing to the TOS wasn't an option here, but that would be something to push for in the future in similar situations.
Thanks for all your help with this Abigail! Very appreciated. 

Yes, we will be paying for the service, on a month-to-month basis. 
Our estimate is that it will cost us approx $500 / month.
Matt - just want to make sure you also saw my question in Comment 25 about ShareProgress payment terms?

Thanks!
Abigail
Flags: needinfo?(matt)
Hi Abigail-

I pinged Share Progress about their payment terms and they pointed me to this page on their site: http://www.shareprogress.org/tools/#plans. It's month to month and pricing will adjust based on volume of share activity on our site.

Let me know if that sufficiently answers your question on pricing and whether you have an ETA on the addendum so I can manage expectations with both Share Progress and our internal team who will need to do some light work to implement when ready. 

Thx!

Paul
Flags: needinfo?(aphillips)
Flags: needinfo?(matt)
Hi Paul,

I'm attaching the draft agreement, which includes the ShareProgress TOS, Mozilla's Data Protection Addendum, and the additional terms around DNT and data segmentation requested by Marshall.

In Exhibit 1, section 1, I gave ShareProgress 3 weeks to get DNT in place. Feel free to change this number to whatever seems reasonable.

Let me know if you have any questions. Otherwise this is ready to go to ShareProgress.

ap
Flags: needinfo?(merwin)
Flags: needinfo?(aphillips)
Paul, have you sent this out yet? If not, could you hold off? I'd like to make one change to the language.

Thanks,
Abigail
Flags: needinfo?(paulj)
I haven't sent, was planning to this morning. Feel free to update and resend.
Flags: needinfo?(paulj)
Great, thank you. The revised version is attached. 

I changed the language for the DNT implementation (see Exhibit 1, section 1). Could you please flag this section for ShareProgress? I want to make sure it's clear that we need them to honor DNT for all browsers, not just Firefox (they had mentioned only the latter in discussions).

Also, as noted previously, the terms give ShareProgress 3 weeks from March 1 to get DNT in place. Feel free to change this number if there's a more reasonable one.
Attachment #8725836 - Attachment is obsolete: true
Flags: needinfo?(paulj)
Thanks, I've sent to Share Progress for review along with the flag you note above. 

I'll let you know if there are any additional questions from their side.
Flags: needinfo?(paulj)
Share Progress has signed the agreement, attached. Think we are good to go here.

Thanks, all!
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED