View Issue Details
|ID||Project||Category||View Status||Date Submitted||Last Update|
|16228||Feature requests||Survey participants (Tokens)||public||2020-05-05 15:06||2020-05-05 15:54|
|Summary||16228: Anonymous token-based surveys can be "un-anonymized" via URL parameters|
In this thread it is discussed on how to pass a parameter from the token table to the survey in an anonymized token-based survey. Of course this would mean the survey can not be guaranteed to be 100% anonymous in a "technical" sense. The user found a solution to pass on the parameter via URL. In the specific case is is said to be something rather not so critical (the group of a respondent), but you could pass on any parameter, even specific IDs, Names, emails, etc.
However, this means that LS states that the survey is "technically" anonymous, but it not really is, if in an anonymized survey parameters can be received.
I think for the "anonymous" surveys setting in LS we should not allow parameters in the URL, because it could backfire to Limesurvey. Of course we can always say "Ohhh, this was the survey creator who did this", but when it is so simple to get around the "anonymous" measure, I think it doesn't shed a good light on Limesurvey. So I think we should make it as difficult as possible to maliciously get around the "anonymity" of a survey set to be "anonymous".
I don't see a problem with normal surveys. No one can blame LS then, if the survey creator states it is anonymous, but it isn't. But with the setting within LS, it is basically a statement of LS and if we accept URL parameters besides the LS ones, we can't really guarantee it.
|Tags||No tags attached.|
@holch : can you see my previous comment ?
Some other way to break anonymous
there are a lot of way to broke anonimity :
1. Give a different survey for each user …
2. Use server log
I agree, there will always be ways to "maliciously" get around such measures. But I still think that we should make it as difficult as possible, don't you think? I feel that by passing a URL parameter to the survey it is "too easy". ;-)
"Give a different survey for each user …"
A lot of work if you have a big number of people. If you have only a couple of people, anonymity often is a problem, because it can be easy to guess who it was based on the answers, if you know the people.
"Use server log"
Under certain circumstances yes, but in general also relatively difficult, especially if you don't have saved times. And, the serverlog generally doesn't give you personal data. But I am not an expert on server administration, so there might be ways to get personal information.
About server log : i made an error : if you have the server log : you host LimeSurvey …
Then : you can disable any kind of anonymity …
Maybe related to SASS only ? Since with CE : it's ONLY a contract.