16228: Anonymous token-based surveys can be "un-anonymized" via URL parameters - LimeSurvey bugs and feature requests

This bug affects 1 person(s).

6

ID	Project	Category	View Status	Date Submitted	Last Update

16228	Feature requests	Survey participants (Tokens)	public	2020-05-05 15:06	2020-05-05 15:54

Reporter	holch	Assigned To
Priority	none	Severity	feature
Status	new	Resolution	open

Summary	16228: Anonymous token-based surveys can be "un-anonymized" via URL parameters
Description	https://www.limesurvey.org/de/foren/can-i-do-this-with-limesurvey/121097-update-response-by-token In this thread it is discussed on how to pass a parameter from the token table to the survey in an anonymized token-based survey. Of course this would mean the survey can not be guaranteed to be 100% anonymous in a "technical" sense. The user found a solution to pass on the parameter via URL. In the specific case is is said to be something rather not so critical (the group of a respondent), but you could pass on any parameter, even specific IDs, Names, emails, etc. However, this means that LS states that the survey is "technically" anonymous, but it not really is, if in an anonymized survey parameters can be received. I think for the "anonymous" surveys setting in LS we should not allow parameters in the URL, because it could backfire to Limesurvey. Of course we can always say "Ohhh, this was the survey creator who did this", but when it is so simple to get around the "anonymous" measure, I think it doesn't shed a good light on Limesurvey. So I think we should make it as difficult as possible to maliciously get around the "anonymity" of a survey set to be "anonymous". I don't see a problem with normal surveys. No one can blame LS then, if the survey creator states it is anonymous, but it isn't. But with the setting within LS, it is basically a statement of LS and if we accept URL parameters besides the LS ones, we can't really guarantee it.
Tags	No tags attached.

Bug heat	6
Story point estimate
Users affected %

DenisChenu 2020-05-05 15:27 developer ~57546	@holch : can you see my previous comment ? Some other way to break anonymous there are a lot of way to broke anonimity : Give a different survey for each user … Use server log

holch 2020-05-05 15:39 reporter ~57548	No, I can't see your first comment here, but I received it as a notification (so I know that you excluded Javascript as a way to break anonymity... ;-) I agree, there will always be ways to "maliciously" get around such measures. But I still think that we should make it as difficult as possible, don't you think? I feel that by passing a URL parameter to the survey it is "too easy". ;-) "Give a different survey for each user …" A lot of work if you have a big number of people. If you have only a couple of people, anonymity often is a problem, because it can be easy to guess who it was based on the answers, if you know the people. "Use server log" Under certain circumstances yes, but in general also relatively difficult, especially if you don't have saved times. And, the serverlog generally doesn't give you personal data. But I am not an expert on server administration, so there might be ways to get personal information.

DenisChenu 2020-05-05 15:54 developer ~57549	About server log : i made an error : if you have the server log : you host LimeSurvey … Then : you can disable any kind of anonymity … Maybe related to SASS only ? Since with CE : it's ONLY a contract.

Date Modified	Username	Field	Change
2020-05-05 15:06	holch	New Issue
2020-05-05 15:20	DenisChenu	Issue Monitored: DenisChenu
2020-05-05 15:27	DenisChenu	Note Added: 57546
2020-05-05 15:39	holch	Note Added: 57548
2020-05-05 15:54	DenisChenu	Note Added: 57549