My daughter, who is in 2nd year of law school and intending to practice immigration law, was just talking yesterday about what a problem this is. This is a worthy project.
posted by neuron at 10:04 AM on April 12, 2015 [5 favorites]

Thank you! As someone who's gone through the immigration ringer way too many times to count (why do they need a 10 year travel history anyway!?) this was something I wish existed already. I don't have a lot of coding acumen, so hackathons were really instrumental in getting people to help bring this idea to some kind of fruition.
posted by divabat at 10:14 AM on April 12, 2015 [3 favorites]

Good luck to them, it's an ever shifting nightmare of bureaucracy.
posted by Artw at 10:17 AM on April 12, 2015

"Figuring out security and privacy - whether through adding encryption and other security options to a web app, or making this a downloadable app that is not accessible online"

This is people's lives you're dealing with! You want to talk catastrophic identity information leak? How about your passport info with a 10 year employment and travel history? Can't possibly see how I could ruin lives with that info!

So, yeah, maybe that should be a bit more than a TODO.
posted by eriko at 10:40 AM on April 12, 2015 [2 favorites]

So, yeah, maybe that should be a bit more than a TODO.

From the bit quoted in the FPP: "The hope is that other people will build on this and make a viable tool for public use."

I really don't understand what your point is. It's a on a to do list because the thing's not finished yet.
posted by howfar at 10:54 AM on April 12, 2015 [4 favorites]

The project doesn't even have a workable UI yet so it's pretty clear that they have time to figure out security and privacy issues.
posted by R343L at 11:27 AM on April 12, 2015 [1 favorite]

eriko: The people that have worked on this project so far, including myself, don't have a lot of infosec knowledge. In fact, most of us were around the beginner level in coding skills.

Security was one of the first things I thought about when I first proposed this idea, because I too had the same concerns. We had someone who had some background in online security come talk to us at the LwT hackathon and she suggested that we at least work on getting a prototype going, so we know the core idea works, before trying to go out of our collective depth and trying to figure out security.

This is open source for a reason.
posted by divabat at 11:27 AM on April 12, 2015 [8 favorites]

If you DO have any sort of security acumen, please contribute! We could totally use the help!
posted by divabat at 11:28 AM on April 12, 2015 [5 favorites]

This would have been very useful to me as a paralegal in the field, oh, twenty years ago. I applaud the folks bringing this to the public.
posted by immlass at 11:39 AM on April 12, 2015 [1 favorite]

I have to say that this sounds like a really great idea, since the various processes are so weird and labyrinthine and hostile (and that's if you are from a northern European country; it seems to get orders of magnitude worse the browner you are). Security is obviously a problem, as is becoming a collection point for personal information in general (getting hacked in one thing, getting subpoenaed is another).

I hope it goes well and draws interest from the right quarters.
posted by GenjiandProust at 12:04 PM on April 12, 2015

I think a good step would be to create github issues for various tasks, and add tags indicating the type of skill required, the size of the task, and the complexity of the task. In my experience, open source projects that make it easy for a volunteer to figure out where they can plug in get more , and better, contributions.
posted by idiopath at 12:27 PM on April 12, 2015 [1 favorite]

I really have to concur with eriko that security and privacy being an afterthought, or something that you hope someone else is going to put together and bolt on top of work already done, sounds like a disaster waiting to happen if this is a software product that's been designed from the ground up as a web application for handling sensitive information. Particularly when many intended users of it may be disadvantaged people who won't necessarily speak the language that any privacy or security caveats or instructions would be written in.

I hope this goes well too, I would just be afraid that in a stone-soup/crowd-sourced project the risk of assuming responsibility for ensuring safety might get passed on again and again, as something someone else is going to take charge of, until it lands on end users who are least able to deal with it and who suffer all the consequences. This is a problem worth solving but good intentions can end up fashioning paving stones.
posted by XMLicious at 12:44 PM on April 12, 2015 [3 favorites]

Worthy effort, but I fear that without some degree of standardization on the part of the immigration agencies, it can only be helpful rather than complete. Helpful is obviously worthwhile, but with a bit of coordination, it could easily be complete...

Between immigration and visa forms for the US, Australia, and the Schengen countries, there's a lot of overlap, of course, but a disturbing amount of slight differences. Do they need 10 or 7 or 5 year residence histories? Travel dates when you left and re-entered the country, or number of days you were out of the country? (Good luck getting this right if you crossed the date line while traveling!) Foreign addresses or only states?

Again, though, helpful is a great goal to shoot for. I'd have *so* appreciated this tool a year ago!

(Also, yes, this needs industrial strength on-disk encryption. I'd rather the user had to re-enter every detail than lose the whole database to an email worm.)
posted by RedOrGreen at 12:50 PM on April 12, 2015 [1 favorite]

It's NOT an afterthought. It was a first thought that nobody who's has a hand in the project so far has had much experience dealing with to really make informed decisions about it. The first conversation we've had about this project was exactly how this app would work - Web-based? Downloadable? Encryption? - precisely because we had security and privacy in mind.

Please stop assuming we never thought about this or that it was tacked on. I'm sorry that none of us had the expertise to really address it in any substantial manner beyond "it is an issue, please help".

I'm not 100% certain how to make Github issues - again, noob here - but I'll give it a shot.
posted by divabat at 12:53 PM on April 12, 2015 [8 favorites]

RedOrGreen: it'll never be 100% complete, because immigration systems suck, but the idea is that it'd be adaptable enough that you could say "please generate the last X years of my travel history" and it'll make a list for you.
posted by divabat at 12:58 PM on April 12, 2015 [1 favorite]

Travel dates when you left and re-entered the country, or number of days you were out of the country? (Good luck getting this right if you crossed the date line while traveling!)

I know I'm being a nerd here, but how would the dateline affect in any way the number of days you are out of the country? You exit the country at fixed time X, you re-enter at fixed time Y. You could go to the moon and back in between...

Thanks for this divabat. Such an app has the potential to be hugely useful to many, at the very least in helping you organize this information. I am just used to logging all my travel on Google Calendar for the last 7 years and gotten better at figuring out what current documents will be important later but its a challenge and one common to many.
posted by vacapinta at 2:18 PM on April 12, 2015 [1 favorite]

Worthy effort, but I fear that without some degree of standardization on the part of the immigration agencies, it can only be helpful rather than complete.

I laughed when I realized you were talking about different agencies in different countries, because there are vast differences among the procedures and requirements of all the American organizations that deal with immigration. There's USCIS (part of DHS, of course), there's the Department of State, there's the Department of Labor for employment-based cases, there are the various embassies and consulates scattered all over the globe, there are private companies to handle things like DNA testing, credential verification, medical reports... and of course, with rare exceptions, none of these entities are capable of communicating with each other.

There are big companies that produce immigration law software, and not even they can keep up with the constant changes. (Hey, did you know that Form G-28 just changed from two pages to four pages?) Well-meaning amateurs are doomed.
posted by Faint of Butt at 4:38 PM on April 12, 2015 [1 favorite]

divabat:

Here's a link to the issues page for your project. There's a link to it on the side bar from the main project.

Issues basically create a thread that keep all participants notified as things change, and you can assign someone to the task, add comments to ask questions or clarify things or plot the way forward etc. You can mark them as finished when they are done.

Here is a search in a project I use and have contributed to, for issues that could be worked on by a "newbie" with little experience.
posted by idiopath at 5:35 PM on April 12, 2015 [1 favorite]

We're only "doomed" if we're expecting to solve every visa issue ever. People are already doing this kind of thing on Google Docs, we're just trying to streamline it a little and do things GDocs isn't great at, like autogenerating a formatted list. It's not meant to automate every last part of the process.
posted by divabat at 5:48 PM on April 12, 2015 [2 favorites]

Regarding the security question, my inclination would be to suggest that all personal data should be local to the user (never touching the network) and the server would just be there to provide the html and js for the base app, and provide updated functionality or updates that reflect new rules.

Look suspiciously at any information sent from the user to the server, ideally every user would be providing exactly the same requests (eg. "send me all updates available since $DATE"), and all the logic would be local to the user.

If it's local to the user, they can use whatever means they are comfortable with to secure the information. The information should be in an explicit place so the user knows which file they would want to copy for backups, encrypt for privacy, or delete if they no longer wanted that information stored. Also look suspiciously at any local storage other than the advertised local file.

I've worked with web security, and am fascinated by the topic, but these are just some suggestions reflecting my (limited) knowledge and expertise, not an expert opinion. Your best bet is to find someone who is sympathetic to the project with a solid opsec background, and let them provide both guidance and auditing of what you implement.
posted by idiopath at 5:56 PM on April 12, 2015 [1 favorite]

>> Travel dates when you left and re-entered the country, or number of days you were out of the country? (Good luck getting this right if you crossed the date line while traveling!)

> I know I'm being a nerd here, but how would the dateline affect in any way the number of days you are out of the country? You exit the country at fixed time X, you re-enter at fixed time Y. You could go to the moon and back in between...

Actually, the US forms asked me for both the dates I entered and exited the country, and the number of days I was in a different country, and my Australia trips tied my brain into knots. I think the instructions said I could count myself as in the US as long as I wasn't in a foreign country (so I think a lunar journey wouldn't count as a foreign trip for immigration purposes?) or it went the other way - in any case, the plain dates of entry and exit did not match the count of the days I spent abroad.

Of course all this was pointlessly pedantic and no one cared. But I was brought up in India, where we perfected "all forms in triplicate" bureaucracy...
posted by RedOrGreen at 8:31 PM on April 12, 2015 [1 favorite]

I've heard a bit of rumbling that the immigration problem is getting a bit of attention from the Digital Service; there's an article that came out of a SXSW presentation on the issue here. Here's hoping!
posted by kaibutsu at 8:53 PM on April 12, 2015 [2 favorites]

I think the instructions said I could count myself as in the US as long as I wasn't in a foreign country (so I think a lunar journey wouldn't count as a foreign trip for immigration purposes?

Heh. Point taken. I made the mistake of trying to apply logic to bureaucracy.

Here in the UK only full days out of the country count as being out of the country. So technically, I believe, if you take a day trip to Paris everyday (commute to work from London?) you have never left the country.
posted by vacapinta at 2:39 AM on April 13, 2015 [1 favorite]

This is people's lives you're dealing with! So, yeah, maybe that should be a bit more than a TODO.

Make your pull request anytime.
posted by the jam at 7:47 AM on April 13, 2015

This is people's lives you're dealing with! So, yeah, maybe that should be a bit more than a TODO.
Make your pull request anytime.

With all due respect - and I think a lot of respect *is* due - this attitude bothers me a bit. I'm a big fan of open source, citizen science and other related collaborative efforts, but for a project like this that aims to store lots of sensitive information, security is not just the first thing you think about, it's the first thing you do. It's orders of magnitude harder to go back and retrofit security onto something than to start out with a design for a secure base done by an informed person. Hoping for someone to come along and add security is a bit of an iffy proposition. I do this kind of thing for a living, having worked in clinical research organizations and a little bit on the healthcare side. And no, I have too many projects on my plate already, I can't contribute. If was in charge of this project I would have started out by colsulting with some security experts *first*.

But again, I would like to echo all the sentiments that this is a pretty cool project, and genuinely hope that some security pros get involved ASAP to help...
posted by foonly at 9:50 AM on April 13, 2015 [2 favorites]

Look. I get your concern. I've already said that we've talked to at least one person who worked with security in a professional sense and she advised us to get a prototype going so that people can at least understand what we're trying to achieve and we know where we're at. It's just my luck what the two times we've managed to work on this - with me as the only consistent person - we haven't had a security expert be a core part of the team.

Why is NOBODY listening to me when I keep saying that we haven't forgotten about security, that it's NOT an afterthought, it's just a matter of not having the right capacity at the right time?

This is just demonstrating to me why people don't bother getting into tech when they have needs and ideas that could totally use a tech solution better than "I hope Google doesn't get hacked".
posted by divabat at 4:01 PM on April 13, 2015 [2 favorites]

I guess what people are trying to say is that there's the potential for this to become harmful if you take the usual open source approach where you just let it grow according to whatever people have to contribute.

If you end up with a lot of UI-oriented people that are excited about the project, and it grows rapidly in that direction, you may never get the chance to add reliable security. The structure of the project may just not accommodate it at that point. For that reason, converting it early into an offline app that never talks to the Internet as others have mentioned is probably safer.

I also don't think people have caught the part where you said it has only been worked on in two hackathon sessions. It is on the Blue, so maybe people think it's about to take off, and thus, it sounds like one of those alarming situations that a lot of startups put themselves in, in which they let the prototype become the product because of momentum.

Anyway, I think it's a neat idea, and I'm sorry the security concerns are dampening your excitement. It's just unfortunately a higher stakes, higher maintenace kind of project than the typical open source project.
posted by ignignokt at 9:49 AM on April 14, 2015 [1 favorite]

Having been through a permanent residency application process, I think having something like this would be great.

It's just my luck what the two times we've managed to work on this - with me as the only consistent person - we haven't had a security expert be a core part of the team.

Designing security into your system isn't a matter of luck. I hear you on wanting to have a prototype before you spend time on security. Realistically, however, I don't think you're going to get there just by putting out what you have and hoping a security expert volunteers to work on it.

This is just demonstrating to me why people don't bother getting into tech when they have needs and ideas that could totally use a tech solution better than "I hope Google doesn't get hacked".

It is unrealistic to think you will have better security than Google.
posted by grouse at 11:58 AM on April 14, 2015

I was surprised to see it on the Blue too, but I didn't make the Blue post and it's still up here, so *shrug*

I didn't really see a lot of the "zomg security!" feedback as polite, to be honest. I felt like they weren't really listening to anything I had to say re context/circumstance/situation and kept making the same assumptions over and over that I had disputed. So it was incredibly frustrating.

I just got invited to participate in Startup Weekend's Immigration Hackathon in SF in late May, so I'll bring my project there and hopefully find more people to build on it - if you're in the area, come by (and let me know if you want the discount code). I don't really know any other way to get more people involved in making this project happen other than bringing it to hackathons and putting it up on Github so that people can work on it (approaches I've seen other people take) - I'm only just restarting learning to code, and this honestly just started with me thinking about how I wished something like this existed for me (and which was way more practical than trying to wrangle Google Docs into submission), and it grew much larger than I anticipated.
posted by divabat at 11:00 PM on April 14, 2015