What is the problem? Please be detailed.
Permissions for ODK-Collect and personal data:
I'm putting together a project that will need a few people to install ODK Collect on their mobiles. I want to reassure them that this isn't F@cebook and I'm not C@mbridge An@lytica...
Looking at app permissions (list taken from Google Play today) we're pretty much opening our trusting souls:
Identity
find accounts on the device
add or remove accounts
Contacts
find accounts on the device
Location
approximate location (network-based)
precise location (GPS and network-based)
Phone
read phone status and identity
Photos/Media/Files
read the contents of your USB storage
modify or delete the contents of your USB storage
Storage
read the contents of your USB storage
modify or delete the contents of your USB storage
Camera
take pictures and videos
Microphone
record audio
Wi-Fi connection information
view Wi-Fi connections
Device ID & call information
read phone status and identity
Identity
find accounts on the device
Location
precise location (GPS and network-based)
Other
receive data from Internet
access SurfaceFlinger
view network connections
full network access
use accounts on the device
prevent device from sleeping
read Google service configuration
view network connections
full network access
use accounts on the device
read Google service configuration
view network connections
full network access
So, I'm just wondering if any information is gathered by the app and sent somewhere other than Aggregate (and perhaps subsequently from Aggregate to another server). This would include personal data from the mobile. I confess I didn't know what SurfaceFlinger was, let alone giving permission to access it!
It's possible that some of this could come under the new General Data Protection regulations due to be introduced in Europe in May 2018, but I'm also guessing that if I put a metadata question in my form asking to identify the phone number, then I've got personal data and I need to handle it appropriately! Especially if it's linked to location and time. Which means that Aggregate needs to be secure enough too... I'm now going off the idea of 'auto GPS' feature being developed by @Raghu_Mittal that could potentially record a location without the user's knowledge (there's probably a positive way round that though!). No disrespect to the objective of that.
Is anything being 'scraped' from a users phone by using ODK Collect? Am I inadvertently collecting or sending other personal data?
Sorry to sound paranoid - one of the issues with the 'business models' of the internet and recognising there is a real cost to "free software", but who is paying and with what? I want to be honest and up front with the people who might be using my form(s) and I don't have the skills to look far enough 'under the hood' to satisfy myself.
Can't remember the original source of the quote, but it goes something like "if the service is free, you are the product" - if I'm inadvertently 'selling' someone's data by getting them to use ODK it would be good to know.
I think lots of people give their time and energy to ODK for free, and I certainly appreciate the help I've received, so please don't take it as an insult for me to ask the questions.
Thanks.