60

In the past I have completed an 'anonymous' survey at work only to find that my employer was able to garner a lot of not-anonymous information from this survey. Location, name of manager, etc. None of this information was provided in the survey. This leads me to believe that somehow the website has been able to identify some form of user information.

Is there a way that a webpage can read user or other system related information? The site in question has aspx and js elements.

I cannot think of any other way they could identify the user. The link doesn't appear unique. Browser is IE, environment is Win7 on Citrix.

JDługosz
  • 1,138
  • 2
  • 7
  • 12
iShaymus
  • 673
  • 5
  • 5
  • 36
    You do know when you do an "anonymous" survey, and the invite link kinda looks like a unique generated link, that it might not be 100% anonymous? Or if you have to log in or such, schools do that quite a lot. – Lighty Mar 07 '16 at 10:57
  • 1
    How do you know it was not provided? Could be you used a prefilled survey with a specific link for you (i.e. is your link different from the other people's link to the survey?). – LvB Mar 07 '16 at 10:57
  • 11
    Approximately 200 people got the same email with the same link. There is no login or any other form of identifying questions asked anywhere in the survey. – iShaymus Mar 07 '16 at 11:00
  • We also have other non-survey web apps that seem to be able to identify you as a user without having to log in... – iShaymus Mar 07 '16 at 11:01
  • 12
    Was the survey hosted at your intranet or was it on a server of an external company? If external, did it use https? – Philipp Mar 07 '16 at 11:51
  • 2
    The survey was on an external site and did use https. – iShaymus Mar 07 '16 at 12:38
  • 33
    As a general rule of thumb you should assume that nothing you do for a company will be anonymous. – David says Reinstate Monica Mar 07 '16 at 14:14
  • 15
    If there are free-form textboxes then the amount of detail which you provide in your answers can easily identify you. "What do you like least about your job?"..."I really find it irritating that so many people abuse the smoke-break policy."..."Hmm, let's pull up a list of everyone that has complained about smoke-break abuse in the past year."..."Hmm, this person also mentions their contribution to the Penske file."..."Must be Constanza!" – MonkeyZeus Mar 07 '16 at 15:36
  • 7
    Obviously the survey admin has easy access to your IP. From this alone it is possible to determine a lot of information such as what neighborhood you are in. If you accessed the survey from a work computer, it will probably be possible to find out what company and even which office. If you haven't even used a proxy and disabled scripts, the matter becomes a bit like asking where the hole is in a huge wheel of Swiss cheese. – Superbest Mar 07 '16 at 19:16
  • @MonkeyZeus: Free form text boxes in a small anonymous sample can be analyzed for text pattern similarities to writing belonging to members of the sample for whom authorship is known. – Michael Mar 08 '16 at 16:05
  • @Michael Yes – MonkeyZeus Mar 08 '16 at 16:13
  • @iShaymus since it's internet explorer, your company is probably using your Windows login to identify you. I forget what this type of login is called. My company has many internal websites that do the same. For example, we have a timesheet site that lets you clock in and out and magically knows which employee you are. These pages can easily be identified by attempting to open the page in another browser, such as Chrome or Safari, in which case the browser will ask you for your Windows login. – BooleanCheese Mar 08 '16 at 20:45
  • 2
    Apparently, tracking back employees from an anonymous survey is a desirable feature, at least for the employer: http://workplace.stackexchange.com/a/43796 – GOTO 0 Mar 09 '16 at 05:01
  • 2
    Never believe that a survey is anonymous, and answer the questions with that in mind. Assume from the start that whoever provided the survey will know precisely who answered the survey, who did NOT answer the survey, and will know how each question was answered by each individual. You have no right of privacy or anonymity at work (at least in the US). Best of luck. – Bob Jarvis - Слава Україні Mar 09 '16 at 12:27
  • 1
    @BooleanCheese Did you mean [Active Directory](https://en.wikipedia.org/wiki/Active_Directory)? – Dan Henderson Mar 09 '16 at 21:39
  • @DanHenderson Yup, that's it. – BooleanCheese Mar 09 '16 at 21:40

6 Answers

90

If the site is based on ASPX files, then it is more than likely that this is an ASP.NET application - most probably hosted on IIS.

IIS has a very simple checkbox to enable Windows Integrated Authentication.

IE, on Windows 7, will by default send your credentials to any web server in the local intranet. (This is not your password, don't worry, but it is Windows based authentication - either Kerberos or NTLM).

This makes it very straightforward to associate your Windows Domain account with your survey answers...

AviD
  • 72,138
  • 22
  • 136
  • 218
  • 19
    and that is even besides the fact that it is rather easy to deanonymize you based on your answers and knowledge of you personally... – AviD Mar 07 '16 at 11:32
  • So if the users didn't use IE to answer the survey, it would've been completely anonymous (from the question tagging). Right? – Mindwin Mar 07 '16 at 12:34
  • 2
    This seems very much the likely answer. Several intranet webapps automatically detect you as a user without a logon requirement. – iShaymus Mar 07 '16 at 12:35
  • 1
    @Mindwin very likely, if you try and log on to intranet apps using chrome it prompts for a UN and PW so I can only assume that chrome will not pass on this info. – iShaymus Mar 07 '16 at 12:37
  • 2
    @iShaymus I really hate when "smart apps" cross into the "smartier (sic) than thou" territory. Because more often than not, they aren't. – Mindwin Mar 07 '16 at 12:54
  • 37
    @Mindwin I really hate it when someone says something is anonymous but in reality it's anything but... – iShaymus Mar 07 '16 at 13:03
  • 1
    @Mindwin not necessarily - Chrome also does support using NTLM/Kerberos authentication, on Windows it uses the same security settings as IE, as these are provided by the OS. Though this might depend on your specific settings. – AviD Mar 07 '16 at 13:40
  • 6
    @iShaymus that says a lot more about your company, than about any specific app... Trust is hard earned, and easily lost. Once broken, near impossible to repair. – AviD Mar 07 '16 at 13:42
  • 1
    Is this some sort of leak or intended behavior? Answer says "local intranet" but OP clarified the survey was on an external site in the comments. – Superbest Mar 07 '16 at 19:20
  • @Superbest depends on configuration. Specifically, the browser / INET can be configured to enable integrated windows authentication even to external sites, but that is not the default (depending on versions). Also, what defines "intranet" does not always exclude what people often consider "external site".... – AviD Mar 07 '16 at 22:49
  • Does private browsing help avoid this? Might be something good to add to the answer. – Sander Mar 08 '16 at 07:05
  • @Sander hmm, I don't actually know. I can't check that right now, but if you do figure that out I would love to hear! – AviD Mar 08 '16 at 09:13
  • 1
    @Superbest IE can be configured to provide credentials to any site. And IE configuration can be rolled out via domain policy, so technically they are capable of changing your configuration in such a way that you would authenticate to a third-party site without you seeing a prompt. – Chris Mar 08 '16 at 09:27
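To make the mechanism in this answer concrete, here is an added example (not part of the original answer or its comments) showing that the final NTLM message a browser places in the `Authorization` header carries the domain, user and workstation names in readable form. The function names and the `CORP` / `jdoe` / `WS-042` values are constructed for illustration; field offsets follow the NTLM AUTHENTICATE message layout.

```python
import base64
import struct

SIG = b"NTLMSSP\x00"

def build_sample_type3(domain, user, host):
    """Constructed NTLM AUTHENTICATE (type 3) header value; responses are zero-filled."""
    fields = [b"\x00" * 24, b"\x00" * 24,               # LM / NT responses (dummy)
              domain.encode("utf-16-le"), user.encode("utf-16-le"),
              host.encode("utf-16-le"), b""]             # empty session key
    header, payload = SIG + struct.pack("<I", 3), b""
    for data in fields:                                  # each field: len, maxlen, offset
        header += struct.pack("<HHI", len(data), len(data), 64 + len(payload))
        payload += data
    header += struct.pack("<I", 0x00000001)              # NEGOTIATE_UNICODE flag
    return "NTLM " + base64.b64encode(header + payload).decode()

def describe_authorization(value):
    """Report what an HTTP Authorization header value tells the server about the user."""
    scheme, _, token = value.strip().partition(" ")
    info = {"scheme": scheme, "identity_sent": False}
    if scheme.lower() not in ("ntlm", "negotiate"):
        return info                                      # not integrated authentication
    raw = base64.b64decode(token)
    if not raw.startswith(SIG):
        info["note"] = "SPNEGO-wrapped token (e.g. Kerberos), not parsed here"
        return info
    msg_type = struct.unpack_from("<I", raw, 8)[0]
    info["ntlm_message_type"] = msg_type
    if msg_type != 3:                                    # type 1 (negotiate) has no user name
        return info
    flags = struct.unpack_from("<I", raw, 60)[0]
    encoding = "utf-16-le" if flags & 1 else "latin-1"
    for name, pos in (("domain", 28), ("user", 36), ("workstation", 44)):
        length, _, offset = struct.unpack_from("<HHI", raw, pos)
        info[name] = raw[offset:offset + length].decode(encoding)
    info["identity_sent"] = True
    return info

if __name__ == "__main__":
    print(describe_authorization(build_sample_type3("CORP", "jdoe", "WS-042")))
```

Running the same check over a request captured with the browser's developer tools or a local proxy shows whether a given site receives integrated authentication from your browser at all.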
32

That's incredibly simple, and a really old trick.

Create a different survey for each department, even if the surveys have the same questions.

  • Everyone that answers to Survey X is from Department A.
  • Everyone that answers to Survey Y is from Department B.

Then, you just need to mash up the results and you're done!

That alone is enough to do a lot of information gathering, without any special tricks.

Brazilian banks did something similar, on paper surveys - each manager was to distribute to his subordinates copies of the survey. However, each manager got his copies on paper of a different color - so everyone that answered the yellow copy was from RH, everyone that answered the blue copy was from Finances, everyone that answered the pink copy was from Sales, and so on. Even if you didn't ask for the employee department, name or registry number, you knew from where he was and in what department he worked.

T. Sar
  • 538
  • 3
  • 9
  • 20
    I doubt you need to even go to that much trouble. How many African Americans do you have working for you? If the answer is 1 and ethnicity is a survey question, then you have broken anonymity. If you have a large number of African-American employees, then how many African-American, female employees working in the Finance Department? – emory Mar 07 '16 at 14:05
  • 12
    In support of @emory's point, for several years I was the only female Computer Science PhD student over age 50 at UCSD. I looked at a lot of surveys and found I would be in a group of size one. – Patricia Shanahan Mar 07 '16 at 17:45
  • 15
    Shameless plug for a research group in the same department as my old graduate group: http://privacy.cis.upenn.edu/ They are doing research on formal guarantees of differential privacy, to prevent people in @Patricia situation from being identified. Nice observation from http://www.cis.upenn.edu/~aaroth/privacybook.html : "**the Fundamental Law of Information Recovery states that overly accurate answers to too many questions will destroy privacy in a spectacular way.**" – Ben Voigt Mar 07 '16 at 19:58
  • 2
    @PatriciaShanahan if the surveys were released monthly and one month there was exactly one 50-54 female CS PhD student and the next month there was exactly one 55-59 female CS PhD student, then a careful observer could determine your birthday to the nearest month. There is a tremendous amount of leaked information. – emory Mar 07 '16 at 21:32
15

The website will record your IP address. The Company's network assigns your IP address. Just associate the two ...

Jim
  • 151
  • 2
  • I think the answer would be stronger with some more text. Perhaps saying that this is one possibility? – Neil Smithline Mar 08 '16 at 04:07
  • 1
    This only works if the application is internally based. If the survey is done using something like SurveyMonkey, the external IP address of the company will be used. If the application is internal and something like DHCP reservations is used this answer would work as you could trace the DHCP reservations to each computer and then the user who works with that computer. – Danny K Mar 08 '16 at 14:58
  • 4
    Depends, some workplaces (universities especially) use public IPs everywhere. Some places force their traffic through proxies which can add x-forwarded-for headers which external sites can record. – Peter Green Mar 08 '16 at 23:53
13

De-identification from surveys is a big issue in statistics, as what people think of as anonymous data usually isn't when aggregated.

Even if you have a completely secure way of anonymously inputting data, and someone can't access the logs of who entered what, the responses in the survey are often enough to identify you.

Consider this example survey:

  1. What is your gender? Male / Female
  2. What is your age bracket?
    • < 25
    • 25 - <35
    • 35 - <45
    • > 45
  3. What is your work area?
    • HR
    • Management
    • IT Support
    • Sales
  4. On a scale of 1-10 how much do you like working here? ____

Individually every question is quite useless, but using the first 3, at even a large company you can pretty easily figure out what everyone thinks of the organisation.

Consider: Bob (Male, 37 in HR) and Jane (Female, 37 in HR), using just our fields above we can already clearly de-identify their responses.

Additionally, since HR already has access to a list of gender, age and work area they could just cross-reference both datasets to directly get each individual's score. There is always a possibility of clashes, but as the number of identity-like questions goes up, the chances of collision decrease dramatically.

emory
  • 1,560
  • 11
  • 14
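The cross-referencing described in this answer, and the "group of size one" problem raised in the comments on the department-survey answer above, can be checked before results are released. The following is an added example, not code from any of the answers: it measures the smallest group sharing one combination of answers to questions 1-3, lists the responses that match exactly one roster entry, and applies a minimum-group-size release rule. All data is constructed; Carl and Dan are hypothetical additions to the answer's Bob and Jane.

```python
from collections import Counter

QUASI = ("gender", "age_bracket", "work_area")   # questions 1-3 of the example survey

def rows(fields, data):
    return [dict(zip(fields, item)) for item in data]

# Constructed sample data. Responses carry no names; the roster is what HR already holds.
RESPONSES = rows(QUASI + ("score",), [
    ("Male", "35 - <45", "HR", 3),
    ("Female", "35 - <45", "HR", 8),
    ("Male", "25 - <35", "Sales", 6),
    ("Male", "25 - <35", "Sales", 9),
])
ROSTER = rows(("name",) + QUASI, [
    ("Bob", "Male", "35 - <45", "HR"),
    ("Jane", "Female", "35 - <45", "HR"),
    ("Carl", "Male", "25 - <35", "Sales"),
    ("Dan", "Male", "25 - <35", "Sales"),
])

def group_key(row):
    return tuple(row[q] for q in QUASI)

def k_anonymity(responses):
    """Size of the smallest group sharing one quasi-identifier combination."""
    return min(Counter(group_key(r) for r in responses).values())

def linkable(responses, roster):
    """(name, score) for each response whose combination fits exactly one roster entry."""
    names = {}
    for person in roster:
        names.setdefault(group_key(person), []).append(person["name"])
    hits = []
    for r in responses:
        match = names.get(group_key(r), [])
        if len(match) == 1:
            hits.append((match[0], r["score"]))
    return hits

def suppress_small_groups(responses, k):
    """Release rule: drop every response whose group has fewer than k members."""
    counts = Counter(group_key(r) for r in responses)
    return [r for r in responses if counts[group_key(r)] >= k]

if __name__ == "__main__":
    print(k_anonymity(RESPONSES), linkable(RESPONSES, ROSTER))
```

A result of 1 from `k_anonymity` means at least one respondent is alone in their group, which is exactly the Bob and Jane case.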
7

An even more specific-to-user way is to create the surveys from a list. The list would include employee names, emails, id, etc. You can then send out a survey with a unique link to each email address for the employee and call it anonymous. While this is unethical (saying a survey is anonymous when it really isn't), I have seen it done in a few different instances and have also done it using PHP/JS.

An example would be your email receiving a link such as https://example.com/survey.php/id=bm90LWFub255bW91cy1zdXJ2ZXk=. The id variable can hold encoded information that is found in the list and unique to the employee. Companies also use this to gather information on what specific people say in said surveys.

Danny K
  • 142
  • 6
  • 11
    To add since it was mentioned the link was sent via mass-email: My last work-place would send out batched emails akin to this, but would forge extra "CC" headers. It would still send to every recipient, but with a different email per person (or whatever our email admin wanted). Thus looking like everyone got the same email link but in fact did not. (I probably am missing some details, our email admin was the wizard who did the work for this system.) – admalledd Mar 07 '16 at 16:48
  • @admalledd Yes. When I read that the link was mass-emailed and had no identifier, I thought, "Not necessarily". Sure "example.com/survey/user=FredSmith" is a dead giveaway. But if you wanted to be subtle, you could send one person "example.com/marketingsurvey" and another "mktgsurvey" and another "marketing-survey" and another "marketing", etc. If there's a number or meaningless codes in there, "survey1329B", that MAY just identify which survey, but it may well identify the recipient. – Jay Mar 09 '16 at 14:51
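A recipient can check a survey link for both patterns discussed in this answer and its comments: an opaque parameter that decodes to readable data, and links that differ from one recipient to the next. This is an added example, not code from the answer; the function names are hypothetical, and the URLs are the ones quoted above.

```python
import base64
import binascii
import re
from urllib.parse import parse_qsl, urlsplit

def candidate_tokens(url):
    """Query values plus path segments; a 'key=value' path segment yields its value."""
    parts = urlsplit(url)
    tokens = [value for _, value in parse_qsl(parts.query)]
    for segment in parts.path.split("/"):
        tokens.append(segment.partition("=")[2] if "=" in segment else segment)
    return [t for t in tokens if t]

def decode_if_base64(token):
    """Return the decoded text when a token is Base64 for printable text, else None."""
    if len(token) < 8 or not re.fullmatch(r"[A-Za-z0-9+/_-]+={0,2}", token):
        return None
    try:
        raw = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
        text = raw.decode("utf-8")
    except (binascii.Error, ValueError):      # UnicodeDecodeError is a ValueError
        return None
    return text if text.isprintable() else None

def embedded_values(url):
    """(token, decoded text) for every part of the link that hides readable data."""
    found = []
    for token in candidate_tokens(url):
        decoded = decode_if_base64(token)
        if decoded is not None:
            found.append((token, decoded))
    return found

def unique_per_recipient(links):
    """True when no two recipients were sent the same link (links: recipient -> URL)."""
    return len(links) > 1 and len(set(links.values())) == len(links)

if __name__ == "__main__":
    print(embedded_values("https://example.com/survey.php/id=bm90LWFub255bW91cy1zdXJ2ZXk="))
```

A token that does not decode to text can still be a per-recipient identifier (a random key into the mailing list), so comparing links with colleagues remains the more reliable of the two checks.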
0

If you are concerned about your IP address you might want to fill in the survey in the Tor Browser. Of course, you might need to enable JavaScript, which might give you away.

Additionally, since the survey is anonymous, you might even just want to ignore it if you feel like the survey is not truly anonymous. Ideally, they would not be able to know you have not filled out the survey if the survey URLs are not unique, and no login is required.

Fre_d
  • 1
  • 2
  • 1
    Ignoring the survey will get your name on the "didn't fill out the survey" list. – Bob Jarvis - Слава Україні Mar 09 '16 at 12:42
  • 2
    @BobJarvis Yes, but only if they are able to isolate you from all the other employees taking the survey. Nonetheless, they will still not gather this data, unless they do a new survey or they confront you directly. If they *do* happen to confront you directly about not taking the survey, you'll know for sure they are not playing by the rules. – Fre_d Mar 09 '16 at 13:35