
Re: call for participation - Debian contributors survey, 1st ed.



On Mon, 07 Nov 2016, Stefano Zacchiroli wrote:
> On Mon, Nov 07, 2016 at 11:22:42PM +0100, Joerg Jaspert wrote:
> > No logging or name is needed, with the set of questions in this survey
> > one only needs a bit of knowledge of Debian and its people to identify a
> > high amount of the survey takers, I think. (I still took it)
> 
> This is becoming an FAQ, so let me address it here instead of just
> waiting for the blog post including its answer to be written.
> 
> Yep, you're absolutely right. And this is in fact why we included in the
> survey announcement a promise to distribute the results only in
> aggregate form, because cross-referencing with Debian info it would be
> easy to deanonymize people.
> 
> So the "threat model" here is not "untrusted/byzantine survey
> organizers" (if you don't trust the organizers you're probably screwed
> anyhow, as we could be lying about not logging IP address or HTTP
> referrers, after all).  The "threat model" is rather: "untrusted readers
> of published survey *results*", which we will aggregate to avoid
> deanonymization.

The threat model is leakage of the non-aggregated survey data, actually.
Which is not only dependent on the survey platform and its handling of
the survey data, but also on the security of said data *after* it leaves
the survey platform.

-- 
  Henrique Holschuh

