Early adopters of the Commons In A Box share their experiences, provide links to their sites, and suggest improvements.
CBox suite and FERPA
August 8, 2013 at 8:36 pm #3359
A combination of the various bbpress/private/hidden discussions and rumblings I’ve heard around campus have raised some questions in my mind about how to get CBox to pass a FERPA-oriented audit. Has anyone who is using CBox for classwork tried to get their institution to stamp this particular suite FERPA compliant?
Dale.August 8, 2013 at 8:42 pm #3360
Matthew K GoldModerator
I don’t think that there is cause for concern, Dale, aside from the
BbPress bug. That bug is obviously major, but it will be fixed and
aside from that, I’m not sure what cause there is for concern.August 9, 2013 at 8:01 am #3364
Which issues could be a game breaker for Ferpa? Like any software there can always be some privacy issues if you run the software “out of the box”. But WordPress/BuddyPress/CBOX + our vetted plugins have proven themselves as being relatively safe. I’ve done many projects over the last year and so far it has proven itself to be reliable and safe. That being said I’m sure our team would be all over it if something causes security/privacy issues!August 9, 2013 at 8:14 pm #3383
@mrdale, I am not involved in academia (though I used to be a departmental director at Azusa Pacific University), so my own concerns are not with FERPA or any other legal requirements. My concerns are a little more at the people-might-be-thrown-in-a-North-African-jail-and-disappear-forever scenario.
In our CBOX based community, many of our intended participants are humanitarian activists in various parts of the world. I work with a niche consulting firm that builds and advises partnerships/networks of faith-based nonprofits in more than 80 countries. Altogether, more than 2000 different organizations are involved. We are building our community for the leadership of those networks/partnerships. Over 3000 individuals have signed up to our launch list.
One of the promises we have made to our constituency is that while we want to facilitate free and open communication, we will also pay serious attention to the security & privacy of the community. If people want to form and join what they believe are private/hidden groups, then those conversations should remain private. If people want to create collaborative docs or attach files, those documents and attachments should be locked down.
So far, it’s a little touch-and-go, to be honest. As you’ve already seen in the help&support forum, there was a known issue with bbPress forum visibility settings for private/hidden groups:
I think some other security areas to pay special attention to are file attachments/sharing, the docs/wiki component, and group administration. Depending on your plug-ins and configuration, attachments (to docs/forums) can be exposed to the public. Group association, ownership, and visibility of the docs/wiki pages can be fiddly. If a private group is deleted, its associated docs and forum still exist, so there are constant admin cleanup tasks that must follow. I’m sure the list is much longer, but those are the big red flags on my list at the moment.
After getting my site into a somewhat stable state, my next plan is to hire one of the white hat certified ethical hackers we know to bang away on the site and see if there are other security/privacy issues.
In the end, it all comes down to trust. Your students, clients, or constituents trust that you (as the sponsor of the community) will keep the community platform secure and private. In my case, there are no second chances. So I’m taking a much more cautious approach now.August 9, 2013 at 8:44 pm #3384
Matthew K GoldModerator
@visionsynergy: Like you, I think it’s vital that private interactions and
documents be kept private; as you note, this is at the root of the trust
that site members place in their online communities. On the CUNY Academic
Commons (the project from which CBOX emerged), we have always given any
privacy-related bugs the highest priority and have addressed them
immediately. And our team has done the same on CBOX, as shown by the very
comment thread you pointed to.
We can’t promise that our software will be free of bugs (all software has
bugs, though the owners of proprietary software projects tend to be less
than open about them) — and it’s notable that we’re dealing with a complex
system that involves a number of constituent parts (WordPress, BuddyPress,
and BbPress) whose new versions occasionally cause hiccups. But in order to
address bugs, we need to hear about them. I encourage you or anyone else
working with CBOX to let us know about any privacy-related issues you find
— either by posting here or on github — so that we can resolve them.
You must be logged in to reply to this topic.