View Issue Details

ID: 16228
Project: Feature requests
Category: Survey participants (Tokens)
View Status: public
Last Update: 2020-05-05 15:54
Reporter: holch
Assigned To:
Priority: none
Severity: feature
Status: new
Resolution: open
Summary: 16228: Anonymous token-based surveys can be "un-anonymized" via URL parameters
Description

https://www.limesurvey.org/de/foren/can-i-do-this-with-limesurvey/121097-update-response-by-token

In this thread it is discussed how to pass a parameter from the token table to the survey in an anonymized token-based survey. Of course this would mean the survey cannot be guaranteed to be 100% anonymous in a "technical" sense. The user found a solution to pass on the parameter via URL. In the specific case it is said to be something rather not so critical (the group of a respondent), but you could pass on any parameter, even specific IDs, names, emails, etc.

However, this means that LS states that the survey is "technically" anonymous, but it really is not, if parameters can be received in an anonymized survey.

I think for the "anonymous" surveys setting in LS we should not allow parameters in the URL, because it could backfire on LimeSurvey. Of course we can always say "Ohhh, this was the survey creator who did this", but when it is so simple to get around the "anonymous" measure, I think it doesn't shed a good light on LimeSurvey. So I think we should make it as difficult as possible to maliciously get around the "anonymity" of a survey set to be "anonymous".

I don't see a problem with normal surveys. No one can blame LS then, if the survey creator states it is anonymous, but it isn't. But with the setting within LS, it is basically a statement of LS and if we accept URL parameters besides the LS ones, we can't really guarantee it.

Tags: No tags attached.
Bug heat: 6

Users monitoring this issue

DenisChenu
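
The restriction proposed in the description, sketched as a link audit. This is an added example, not code from the thread or from LimeSurvey; the allow-list of core parameter names, the function names and all sample links are assumptions made for illustration.

```python
from urllib.parse import urlsplit, parse_qsl

# Assumption: parameters LimeSurvey itself needs on a survey link. Adjust to
# the installation; this list is not taken from the issue or LimeSurvey code.
CORE_PARAMS = {"sid", "token", "lang", "newtest"}


def extra_params(url, core=CORE_PARAMS):
    """Return the names of parameters in `url` that are not in `core`.

    Handles query-string links (?token=..&grp=..) and path-style links
    (/sid/123/token/abc/grp/x), where parameters are name/value path pairs.
    """
    parts = urlsplit(url)
    names = [k for k, _ in parse_qsl(parts.query, keep_blank_values=True)]
    segs = [s for s in parts.path.split("/") if s]
    if "sid" in segs:  # path-style: pairs start at the "sid" segment
        names += segs[segs.index("sid"):][0::2]
    return sorted({n for n in names if n.lower() not in core})


def audit_links(links, anonymized):
    """Map each link of an anonymized survey to its unexpected parameters."""
    if not anonymized:
        return {}  # the issue proposes the restriction for anonymized surveys only
    return {u: p for u in links if (p := extra_params(u))}


# Constructed sample links (hypothetical host, survey id and token values).
SAMPLE_LINKS = [
    "https://survey.example/index.php/123456?token=abcd1234&lang=en",
    "https://survey.example/index.php/123456?token=abcd1234&group=sales",
    "https://survey.example/index.php/survey/index/sid/123456/token/abcd1234/email/a%40b.example",
    "https://survey.example/index.php/123456?token=efgh5678&newtest=Y&rid=42",
]

if __name__ == "__main__":
    for url, params in audit_links(SAMPLE_LINKS, anonymized=True).items():
        print(f"{params}  {url}")
```

A flagged link shows only that an extra value travels with the token; whether that value identifies a respondent still has to be judged by a person.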

Activities

DenisChenu

2020-05-05 15:27

developer   ~57546

@holch: can you see my previous comment?

Some other ways to break anonymity
There are a lot of ways to break anonymity:

  1. Give a different survey for each user …
  2. Use server log

holch

2020-05-05 15:39

reporter   ~57548

No, I can't see your first comment here, but I received it as a notification (so I know that you excluded JavaScript as a way to break anonymity... ;-) )

I agree, there will always be ways to "maliciously" get around such measures. But I still think that we should make it as difficult as possible, don't you think? I feel that by passing a URL parameter to the survey it is "too easy". ;-)

"Give a different survey for each user …"
A lot of work if you have a big number of people. If you have only a couple of people, anonymity often is a problem, because it can be easy to guess who it was based on the answers, if you know the people.
"Use server log"
Under certain circumstances yes, but in general also relatively difficult, especially if you don't have saved times. And, the server log generally doesn't give you personal data. But I am not an expert on server administration, so there might be ways to get personal information.

DenisChenu

2020-05-05 15:54

developer   ~57549

About the server log: I made an error: if you have the server log, you host LimeSurvey …

Then: you can disable any kind of anonymity …

Maybe related to SaaS only? Since with CE: it's ONLY a contract.

Issue History

Date Modified Username Field Change
2020-05-05 15:06 holch New Issue
2020-05-05 15:20 DenisChenu Issue Monitored: DenisChenu
2020-05-05 15:27 DenisChenu Note Added: 57546
2020-05-05 15:39 holch Note Added: 57548
2020-05-05 15:54 DenisChenu Note Added: 57549