The thing about security through obscurity is it's the poorest form of security available, only one slight step better than having none - typically being only a given amount of time before it is discovered, and less if people actually look for - as understood by anyone that has ever studied or even considered security and from what I can make out thus far, this is the only layer of security applicably employed. If you're doing security properly you can detail this intimately with condifence with regards to policies and procedures employed and it will only serve to prevent most people from even trying, as they will understand their failure has already been assured.
If you're not going to take this subject seriously - and instead just claim you are - then this will endanger not only the various projects success but the citizens themselves.
Precise details are not entirely required, it's not as if I'm asking for copies of keys, but what is required is trust that my - and others - data is being handled in a secure and responsible fashion. To take the previous examples offered by this organisation as a measure, then I am of absolutely zero confidence that any serious thought has been placed into this subject - and serious thought is warrented, considering the reach and impact of data security in operations. Especially as time progresses.
Failure to publish as open source isn't entirely a concern of mine at this moment in time, however it's not something I'm proud to hear for the least reason of failure to adhere to Asgardian ethics of freedom of knowledge. Minimally, it would allow for community-based contributions which will rapidly decrease development times and offer the widest range of skills input.
The answer I would actually expect is as indicated by the original questioning. Oddly enough. Who would of thought.
What measures have been taken to ensure the data you've already collected using "the cloud" have been sanitised?
How can you be sure you've nuked out the data mailchimp hold? Even worse, companies with proven track record for moral and ethical violations with regards to use of the data they hold, like facebook.
What measures have been taken to ensure data security, authenticity, and integrity of this site and or relevant databases and othersuch backend services?
Another glaring fail I've noticed thus far is the lack of authenticaiton when entering data. Assuming I am me simply because this browser has been used on this machine to connect to this service is incredibly unwise and a feature not adopted by any security conscious organisation, anywhere, as it would anticipate I can keep this machine secure. It should be, having taken measures to assure this as I don't appear to be as simple as most on this subject but relying on that isn't clever. It's common for some users to allow third parties use of their hardware, or the use of third party hardware as a minimal issue. I find that an interesting feature because sensibly not trusting the browser itself for such means, I don't allow it to save any such details. This would imply there's some sort of cookie/authetication token stored in the browsers temporary stoarge pool, which in most OS deployments isn't treated with any particular protections from other users and/or software - or via HTML5's "local storage" option, which in it's default incarnations are notably insecure. It's certianly not something that should be recycled across multiple sessions. I understand this is possibly deployed in the name of ease of use for the "less advanced" citizens, but failure to authenticate the end user is indeed as claimed instantly raises many questions with regards to the data found input. It's certianly a problem waiting to happen.