Suppose you are writing a survey application and would like to somehow guarantee results to be secure from the user's standpoint. Put simply, I know what IP you came from, but I want to make sure you sleep well at night knowing I know nothing of your responses. I can't store the IP in raw form.
I do need to guarantee 1 thing though, that is that you answer the questions once. So once your PC comes in with some data, I need to recognize that your PC has already responded to the survey.
Any suggestions on how to best handle it?
Thanks -mac
Create a one-way hash of the IP address (and any other unique identifying attributes), and store the hash with the response. That way no one can look up the IP address for a response, but you can compare the hash to previously submitted responses to ensure people only submit the form once.
There's not much you can do to convince someone you're respecting their privacy. Just don't abuse the trust, and people will work it out.
(For an idea on how to create a hash in Java see How can I generate an MD5 hash?)
You can't guarantee either of these. All you can do is raise the bar so it's harder to get around it. If someone really wants to get around your tracking they can if they know enough about your system. Good thing is most people either don't want to bother or don't know how.
You can generate a cryptographic hash and store that in a cookie on the person's browser if you want to prevent the proxy problem. Lots of websites do this to keep session creation to track authentication. This is something like using an HMAC to generate something that identifies the browser with a unique key that can't be faked. If they clear their browser though, you won't be able to track them.
A one-way hash of the IP address is a way to keep your IP from being tracked, but the same IP always hashes to the same value so you can tell if someone is doing that. However, if they go to an internet cafe, voilà, they can resubmit. You'd use SHA1, MD5, etc. for that.
You can do the same thing with email address and hash it. To get people to want to participate send the results to their email address instead of displaying in the browser. People just have to trust you won't do nasty things with their email.
Other ideas might be if you know who you want to send the survey to. Generate a random number that identifies the individual response. Then email those links to people. They will then submit under that number, and if you don't track email -> random number then you can't correlate the answers with the email address. Once a random number is used once, you don't let them submit it again. Track responses once. Display results many times.
You can combine some of these together to try and work around the deficiencies of the other.
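The hash-and-compare check both answers describe, as an added Java example that is not part of either answer. It swaps the plain MD5/SHA1 hash for HMAC-SHA256 under a secret key, because the IPv4 space is small enough that an unkeyed hash of an address can be reversed by hashing every possible address; the class name, the survey ids and the in-memory set standing in for the response table are assumptions.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.HashSet;
import java.util.Set;

public class SurveyDedup {
    // Secret key: generated at random and stored apart from the responses,
    // so a copy of the response table alone cannot be used to recover IPs.
    private final SecretKeySpec key;
    // Stand-in for the fingerprint column of the response table (assumption).
    private final Set<String> seen = new HashSet<>();

    public SurveyDedup(byte[] secret) {
        this.key = new SecretKeySpec(secret, "HmacSHA256");
    }

    // Keyed fingerprint of (survey id, IP). Including the survey id means the
    // same address gets unrelated fingerprints in different surveys.
    String fingerprint(String surveyId, String ip) throws GeneralSecurityException {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(key);
        mac.update(surveyId.getBytes(StandardCharsets.UTF_8));
        mac.update((byte) 0); // separator so "a"+"bc" and "ab"+"c" differ
        byte[] tag = mac.doFinal(ip.getBytes(StandardCharsets.UTF_8));
        StringBuilder hex = new StringBuilder(tag.length * 2);
        for (byte b : tag) hex.append(String.format("%02x", b));
        return hex.toString();
    }

    // True when this is the first response for the fingerprint, false on a repeat.
    // Only the fingerprint is stored; the raw address is never written anywhere.
    public boolean recordResponse(String surveyId, String ip) throws GeneralSecurityException {
        return seen.add(fingerprint(surveyId, ip));
    }

    public static void main(String[] args) throws GeneralSecurityException {
        byte[] secret = new byte[32];
        new SecureRandom().nextBytes(secret);
        SurveyDedup dedup = new SurveyDedup(secret);
        // Constructed sample input: addresses from the documentation ranges.
        String[][] requests = { {"survey-1", "203.0.113.7"}, {"survey-1", "203.0.113.7"},
                                {"survey-1", "198.51.100.9"}, {"survey-2", "203.0.113.7"} };
        for (String[] r : requests)
            System.out.println(r[0] + " " + r[1] + " accepted=" + dedup.recordResponse(r[0], r[1]));
    }
}
```

Anyone who holds both the key and the stored fingerprints can still test candidate addresses, so the key belongs in a separate store from the responses and can be destroyed once the survey closes.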