I wanted to post a couple of issues that I’ve come across regarding the ‘Editing’ options for a hosted Feature Layer being used by a publicly shared survey. I’m not sure that they’re bugs as such, but they are not at all obvious and may impact on the security of people’s data.
When I create a new survey using the web designer the editing settings for the related ‘fieldworker’ Feature Layer are as below:
If I choose to make the survey public, my interpretation of the above would be that an anonymous user (i.e. one not signed into ArcGIS Online) would be able to add records to my survey, but only view the features they had entered (or not see any features that had been entered, including their own, if that’s how you interpret ‘What access do anonymous editors (not signed in) have?’ when set to ‘Only add new features, if allowed above (requires tracking)’).
In reality though, when an anonymous user goes to view the data held within the Feature Layer through ArcGIS Online they don’t just see the data they’ve entered, but all the data entered by anyone anonymously (i.e. not signed in).
I guess that anyone entering data anonymously is being recorded in the data as ESRI_Anonymous (see here) and that the security is allowing a person not logged in to view all of the data collected by ESRI_Anonymous, but this isn’t made clear anywhere if it is – indeed interpreting the settings for anonymous users is clouded enough by the phrasing used in the settings page.
In some use cases you can get around this by changing the ‘What features can editors see?’ to ‘Editors can’t see any features, even those they add’, which then stops any user seeing any features.
This approach is fine, but I’ve also noticed that if you republish your survey at any point the settings revert to their default settings (it goes back to ‘Editors can only see their own features (requires tracking)’). Again this isn’t made clear and means you need to re-set your settings each time you publish. This is inconvenient, but more importantly in the time between you publishing and re-setting the edit settings your anonymously entered data are essentially publicly viewable. If you’re not aware of these two issues it can be very easy to make data available publicly in a way you had not intended.
If this is how things have to work, is there any way this could be made more explicit in the guidance?
To address these points:
1) Unless the user is signed in - there is no way to have a user only see the records they have created - as this requires editor tracking and a username (the username is used to filter what can be seen).
2) Republishing a survey will revert the permissions - as these are hardcoded in Survey123 and what the apps expect/require. While it is possible to update permissions by going directly to the service properties, it is not recommended and can result in unexpected behavior.
3) Ultimately, we agree that we could do a better job at documenting service permissions in regards to Survey123 and have an internal issue open to do so. I'll update this post when we do this.
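The following is an added example, not Esri's code and not from either poster. It models the mechanism described in the original post and in point 1) of the reply: ownership-based access control filters features on the editor-tracking Creator field, and because every not-signed-in editor is recorded as ESRI_Anonymous, any anonymous visitor under ‘Editors can only see their own features’ matches every anonymous row. It also adds two defender-side checks for point 2): a drift check to run after each republish, and an audit of a public layer's editor-tracking settings. The `editorTrackingInfo` key names are assumed from the hosted feature service REST JSON as I understand it, not taken from this thread; all records and settings are constructed sample data.

```python
"""Added example (not Esri's code): simulates the feature-visibility filter
behind 'What features can editors see?' and adds two defender-side checks.
All records and service settings below are constructed sample data."""

ANONYMOUS_CREATOR = "ESRI_Anonymous"  # identity stamped on not-signed-in edits

# Visibility policies, named after the AGOL settings quoted in the thread
SEE_ALL = "all"        # editors can see all features
SEE_OWN = "own_only"   # "Editors can only see their own features (requires tracking)"
SEE_NONE = "none"      # "Editors can't see any features, even those they add"


def add_feature(records, attributes, username=None):
    """Append a feature and stamp the editor-tracking Creator field.
    Anonymous editors (username None) are all recorded as ESRI_Anonymous."""
    record = dict(attributes, Creator=username or ANONYMOUS_CREATOR)
    records.append(record)
    return record


def visible_features(records, policy, username=None):
    """Features an editor may query under `policy`.
    SEE_OWN filters on Creator == requester, so every anonymous requester
    matches every anonymous row: this is the exposure described in the thread."""
    if policy == SEE_NONE:
        return []
    if policy == SEE_ALL:
        return list(records)
    if policy == SEE_OWN:
        me = username or ANONYMOUS_CREATOR
        return [r for r in records if r["Creator"] == me]
    raise ValueError(f"unknown policy {policy!r}")


def settings_drift(expected, actual):
    """Keys whose value differs from what you configured, e.g. after a
    republish reset the layer. Run this after every publish."""
    return sorted(k for k in expected if actual.get(k) != expected[k])


def audit_public_layer(service_info, shared_with_public):
    """Findings for a layer that backs a public survey. Key names follow the
    editorTrackingInfo block of a hosted feature service's REST JSON as the
    author of this example understands it (assumed, not from the thread)."""
    findings = []
    if not shared_with_public:
        return findings
    eti = service_info.get("editorTrackingInfo", {})
    if not eti.get("enableEditorTracking"):
        findings.append("editor tracking disabled: per-editor filtering impossible")
    if not eti.get("enableOwnershipAccessControl"):
        findings.append("ownership access control off: anonymous users can query all features")
    elif eti.get("allowAnonymousToQuery"):
        findings.append("anonymous query allowed: every ESRI_Anonymous row is visible to any anonymous user")
    return findings


def demo():
    """Constructed scenario: two anonymous submissions and one signed-in one."""
    records = []
    add_feature(records, {"name": "Alice", "note": "constructed"})          # anonymous
    add_feature(records, {"name": "Bob", "note": "constructed"})            # anonymous
    add_feature(records, {"name": "Carol", "note": "constructed"}, "gis_editor")

    default_view = visible_features(records, SEE_OWN)    # anonymous visitor, default setting
    locked_view = visible_features(records, SEE_NONE)    # same visitor, locked-down setting

    hardened = {"enableEditorTracking": True, "enableOwnershipAccessControl": True,
                "allowAnonymousToQuery": False, "allowAnonymousToUpdate": False}
    republished = {"editorTrackingInfo": dict(hardened, allowAnonymousToQuery=True)}
    return {
        "anon_sees_under_default": [r["name"] for r in default_view],
        "anon_sees_when_locked": [r["name"] for r in locked_view],
        "drift_after_republish": settings_drift(hardened, republished["editorTrackingInfo"]),
        "findings_after_republish": audit_public_layer(republished, shared_with_public=True),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In the constructed scenario the anonymous visitor sees both Alice's and Bob's rows under the default setting and nothing under ‘Editors can't see any features’; the drift check reports `allowAnonymousToQuery` as the key the republish flipped, which is the window the original post warns about.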
Many thanks for the reply.
For point 2) I'm a little confused. Are you saying you shouldn't alter the permissions directly on the Feature Layer (as pictured in my original post)? If so, it goes against the advice given in the blog post here which specifically states this as a method for preventing people from viewing data in public surveys. That would also suggest that there is no way of preventing anyone accessing anonymously entered records.
I think my overall point is that if you create a public survey in the vast majority of cases you want members of the public to be able to add data but not see data others have entered. If I use something like SurveyMonkey to create a public survey I expect everyone to be able to add data, but I would never expect them to be able to see the data others have added. This was my default expectation for Survey123 and I wouldn't be surprised if others felt the same. If you want to create a public survey that captures any sort of personal/sensitive information you need to be able to restrict access so only you (and possibly the person entering the data) can see it. Having had a quick look through ArcGIS Online, I have found instances where I can access personal information collected by others in Survey123 surveys because of the settings applied as default and because the data have been entered anonymously. If the data are European it would be a breach of Data Protection laws. Whilst this could be down to the choices of the survey creator, I would have hoped that Survey123 would have defaulted to a set of permissions that prevented this - making it a conscious choice for the owner of the survey to open things up further. I'd expect it even more so if there was no recommended/stable way of locking down the survey (as it sounds might be the case in point 2).
I should probably rephrase 2) to be: it is not recommended unless you are sure of what you are doing (or following steps on from a reliable source) and are aware that the permissions will be reverted on re-publishing. It is just not recommended for the average user.
We will take your feedback on board in regards to the permissions we apply to the service by default and look at this for a potential future enhancement. It might be that more sub options should be available for making surveys public in the Survey123 Website.
Thanks for the feedback that you have provided - it is much appreciated (and will be reviewed).
I am having the same issue. My survey needs to gather data from the public, yet cannot supply that same data back to the public. Through trial and error (with a named account and a public account) I found the same settings as above. I did wonder why some data was visible even when I had ‘Editors can only see their own features’, but the explanation about anonymous explains it.
So I have the settings as above except editors can see no features, even those they add.
I can still see all the data in the AGOL feature under the data tab, and I can see the analysis in Survey123 for ArcGIS app, but interestingly enough I can no longer see the data in the data tab in Survey123 for ArcGIS app - seems I have locked myself out of it, even though I am the owner!
I echo the need to make this ability to gather data from the public, yet keep it non-accessible to anyone who creeps through the list of layers in AGOL.