Re: [cryptography] anonymous surveys

Thu, 06 Jan 2011 09:26:13 -0800 

On 01/06/2011 10:27 AM, [email protected] wrote:

On Thu, Jan 06, 2011 at 08:22:03AM -0800, 
[email protected] wrote:

Someone emailed into "Security Now" a while back, asking about workplace
surveys that are supposed to be anonymous, but have a unique URL for each
person, so that they can tell who hasn't filled it out.


That is, one requirement is that mgmt can tell who hasn't done the form,
so they can go bug them.



Years back I contributed to the design of an in-house employee survey. 
We had that same requirement. There was also the requirement that the 
survey be "anonymous".



The whole point of an anonymous survey after all is that everyone 
understands the anonymization process well enough that they have 
confidence in their anonymity. In a sense, this requires a 'meta threat 
model': the system design needs to incorporate a model of the internal 
threat model of each individual user and allow every user to prove to 
himself that his own constraints have been satisfied.



The company was big enough for meaningful aggregate data, but still 
small enough that an HR person walked around with the pay stubs. One 
suggestion was for people to just draw their survey ID numbers out of a 
literal hat.



This suggestion was dismissed immediately due to that same objection 
that it would be hard to force employees to fill out the survey. Various 
methods were proposed, I think they went with the survey app giving the 
employee some kind of proof-of-completion code which they were then 
supposed to email to HR.



Nobody really believed the survey was anonymous when it was taken. 
(Previously the physical suggestion box had been taken off the cafeteria 
wall and replaced by a folder on the Microsoft Exchange system and the 
claim that "management will make no attempt to identify the submitter...".)



After the first survey, the results were published with such detail that 
they were broken down into business units as small as 3 - 5 employees. 
Everyone had a grand time correlating the satisfaction levels and 
comments with things people had said openly in the past.



'Anonymous' exists in the mind of the surveyed, not just as some formal 
constraints on the knowledge of the surveyor.


- Marsh
_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography






















					Reply via email to