Anonymous surveys that aren't so anonymous

Question

In the past I have completed an 'anonymous' survey at work only to find that my employer was able to garner a lot of not-anonymous information from this survey. Location, name of manager, etc. None of this information was provided in the survey. This leads me to believe that somehow the website has been able to identify some form of user information.

Is there a way that a webpage can read user or other system related information? The site in question has aspx and js elements.

I cannot think of any other way they could identify the user. The link doesn't appear unique. Browser is IE, environment is Win7 on Citrix.

You do know when you do an "anonymous" survey, and the invite link kinda looks like a unique generated link, that it might not be 100% anonymous? or if you have to login or such, schools do that quite alot. — Lighty, Commented Mar 7, 2016 at 10:57
Approximately 200 people got the same email with the same link. There is no login or any other form of identifying questions asked anywhere in the survey. — iShaymus, Commented Mar 7, 2016 at 11:00
Was the survey hosted at your intranet or was it on a server of an external company? If external, did it use https? — Philipp, Commented Mar 7, 2016 at 11:51
As a general rule of thumb you should assume that nothing you for a company will be anonymous. — David says Reinstate Monica, Commented Mar 7, 2016 at 14:14
If there are free-form textboxes then the amount of detail which you provide in your answers can easily identify you. "What do you like least about your job?"..."I really find it irritating that so many people abuse the smoke-break policy."..."Hmm, lets pull up a list of everyone that has complained about smoke-break abuse in the past year.".."Hmm, this person also mentions their contribution to the Penske file."..."Must be Constanza!" — MonkeyZeus, Commented Mar 7, 2016 at 15:36

AviD · Accepted Answer · 2016-03-07 11:31:24Z

90

If the site is based on ASPX files, then it is more than likely that this is a ASP.NET application - most probably hosted on IIS.

IIS has a very simple checkbox to enable Windows Integrated Authentication.

IE, on Windows 7, will by default send your credentials to any web server in the local intranet. (This is not your password, don't worry, but it is Windows based authentication - either Kerberos or NTLM).

This is very straightforward to associate your Windows Domain account with your survey answers...

answered Mar 7, 2016 at 11:31

AviD♦

73.4k24 gold badges140 silver badges221 bronze badges

19

and that is even besides the fact that it is rather easy to deanonymize you based on your answers and knowledge of you personally...
– AviD ♦
Commented Mar 7, 2016 at 11:32
2

This seems very much the likely answer. Several intranet webapps automatically detect you as a user without a logon requirement.
– iShaymus
Commented Mar 7, 2016 at 12:35
2

@iShaymus I really hate when "smart apps" cross into the "smartier (sic) than thou" territory. Because most often than not, they aren't.
– Mindwin Remember Monica
Commented Mar 7, 2016 at 12:54
37

@Mindwin I really hate it when someone says something is anonymous but in reality it's anything but...
– iShaymus
Commented Mar 7, 2016 at 13:03
6

@iShaymus that says a lot more about your company, than about any specific app... Trust is hard earned, and easily lost. Once broken, near impossible to repair.
– AviD ♦
Commented Mar 7, 2016 at 13:42

| Show 8 more comments

T. Sar · Accepted Answer · 2016-03-07 11:51:47Z

33

That's incredible simple, and a really old trick.

Create a different survey for each department, even if the surveys have the same questions.

Everyone that answers to Survey X is from Department A.
Everyone that answers to Survey Y is from Department B.

Then, you just need to mash up the results and you're done!

That alone is enough to do a lot of information gathering, without any special tricks.

Brazillian banks did something similar, on paper surveys - each manager was to distribute to his subordinates copies of the survey. However, each manager got his copies on paper of a different color - so everyone that answered the yellow copy was from RH, everyone that answered the blue copy was from Finances, everyone that answered the pink copy was from Sales, and so on. Even if you didn't ask for the employee department, name or registry number, you knew from where he was and in what department he worked.

answered Mar 7, 2016 at 11:51

T. Sar

5473 silver badges9 bronze badges

21

I doubt you need to even go to that much trouble. How many African Americans do you have working for you? If the answer is 1 and ethnicity is a survey question, then you broken anonymity. If you have a large number of African-American employees, then how many African-American, female employees working in the Finance Department?
– emory
Commented Mar 7, 2016 at 14:05
13

In support of @emory's point, for several years I was the only female Computer Science PhD student over age 50 at UCSD. I looked at a lot of surveys and found I would be in a group of size one.
– Patricia Shanahan
Commented Mar 7, 2016 at 17:45
16

Shameless plug for a research group in the same department as my old graduate group: privacy.cis.upenn.edu They are doing research on formal guarantees of differential privacy, to prevent people in @Patricia situation from being identified. Nice observation from cis.upenn.edu/~aaroth/privacybook.html : "the Fundamental Law of Information Recovery states that overly accurate answers to too many questions will destroy privacy in a spectacular way."
– Ben Voigt
Commented Mar 7, 2016 at 19:58
3

@PatriciaShanahan if the surveys were released monthly and one month there was exactly one 50-54 female CS PhD student and the next month there was exactly one 55-59 female CS PhD student, then a careful observer could determine your birthday to the nearest month. There is a tremendous amount of leaked information.
– emory
Commented Mar 7, 2016 at 21:32

Add a comment |

Jim · Accepted Answer · 2016-03-08 01:39:34Z

15

The website will record your IP address. The Company's network assigns your IP address. Just associate the two ...

answered Mar 8, 2016 at 1:39

Jim

1512 bronze badges

I think the answer would be stronger with some more text. Perhaps saying that this is one possibility?
– Neil Smithline
Commented Mar 8, 2016 at 4:07
1

This only works if the application is internally based. If the survey is done using something like SurveyMonkey, the external IP address of the company will be used. If the application is internal and something like DHCP reservations is used this answer would work as you could trace the DHCP reservations to each computer and then the user who works with that computer.
– Danny K
Commented Mar 8, 2016 at 14:58
4

Depends, some workplaces (universities especially) use public IPs everywhere. Some places force their traffic through proxies which can add x-forwarded-for headers which external sites can record.
– Peter Green
Commented Mar 8, 2016 at 23:53

Add a comment |

emory · Accepted Answer · 2016-03-08 23:10:24Z

De-identification from surveys is a big issue in statistics, as what people think of as anonymous data usually isn't when aggregated.

Even if you have a completely secure way of anonymously inputing data, and someone can't access the logs of who entered what, the responses in the survey are often enough to identify you.

Consider this example survey:

What is your gender? Male / Female

What is your age bracket?

< 25

25 - <35

35 - <45

> 45

What is your work area?

HR

Management

IT Support

Sales

On a scale of 1-10 how much to you like working here? ____

Individually every question is quite useless, but using the first 3, at even a large company you can pretty easily figure out what everyone thinks of the organisation.

Consider: Bob (Male, 37 in HR) and Jane (Female, 37 in HR), using just our fields above we can already clearly de-identify their responses.

Additionally, since HR already has access to a list of gender, age and work area they could just cross-reference both datasets to directly get each individuals score. There is always a possibility of clashes, but as the number of identity like questions goes up, then the chances of collision decreases dramatically.

Danny K · Accepted Answer · 2016-03-07 15:30:07Z

8

An even more specific-to-user way is to create the surveys from a list. The list would include employee names, emails, id, etc. You can then send out a survey with a unique link to each email address for the employee and call it anonymous. While this is unethical (saying a survey is anonymous when it really isn't), I have seen it done in a few different instances and have also done it using PHP/JS.

An example would be your email receiving a link such as https://example.com/survey.php/id=bm90LWFub255bW91cy1zdXJ2ZXk=. The id variable can hold encoded information that is found in the list and unique to the employee. Companies also use this to gather information on what specific people say in said surveys.

answered Mar 7, 2016 at 15:30

Danny K

1526 bronze badges

11

To add since it was mentioned the link was sent via mass-email: My last work-place would send out batched emails akin to this, but would forge extra "CC" headers. It would still send to every recipient, but with a different email per person (or whatever our email admin wanted). Thus looking like everyone got the same email link but in fact did not. (I probably am missing some details, our email admin was the wizard who did the work for this system.)
– admalledd
Commented Mar 7, 2016 at 16:48
@admalledd Yes. When I read that the link was mass-emailed and had no identifier, I thought, "Not necessarily". Sure "example.com/survey/user=FredSmith" is a dead giveaway. But if you wanted to me subtle, you could send one person "example.com/marketingsurvey" and another "mktgsurvey" and another "marketing-survey" and another "marketing", etc. If there's a number or meaningless codes in there, "survey1329B", that MAY just identify which survey, but it may well identify the recipient.
– Jay
Commented Mar 9, 2016 at 14:51

Add a comment |

Freya · Accepted Answer · 2016-03-09 08:36:59Z

0

If you are concerned about your IP address you might want to fill in the survey in the Tor Browser. Of course, you might need to enable Javascript, which might give you out.

Additionally, since the survey is anonymous, you might even just want to ignore it if you feel like you the survey is not truly anonymous. Ideally, they would not be able to know you have not filled out the survey if the survey URLs are not unique, and no login is required.

answered Mar 9, 2016 at 8:36

Freya

1012 bronze badges

1

Ignoring the survey will get your name on the "didn't fill out the survey" list.
– Bob Jarvis - Слава Україні
Commented Mar 9, 2016 at 12:42
2

@BobJarvis Yes, but only if they are able to isolate you from all the other employees taking the survey. Nonetheless, they will still not gather this data, unless they do a new survey or they confront you directly. If they do happen to confront you directly about not taking the survey, you'll know for sure they are not playing by the rules.
– Freya
Commented Mar 9, 2016 at 13:35

Add a comment |

Stack Exchange Network

Anonymous surveys that aren't so anonymous

6 Answers 6

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged
javascript
asp.net
html
.

Hot Network Questions

Anonymous surveys that aren't so anonymous

6 Answers 6

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged javascriptasp.nethtml.

Related

Hot Network Questions

Not the answer you're looking for? Browse other questions tagged
javascript
asp.net
html
.