I actually had this happen back in high school. The teacher gave us “anonymous” surveys to gauge her performance. She analyzed the handwriting to determine which one was mine. I actively tried to change my handwriting as well, but I guess not well enough. I’ve never trusted a survey was actually anonymous after that.
We've been tasked by a client for 2 years to create an anonymized survey, and my mind has gone to great lengths to devise a survey where even our own employees (or superusers with full DB access) cannot figure out who a respondent is.
It's been a fun exercise in software architecture. Because I actually care about this.
But we keep pushing this annual survey another year since we never seem to be ready to actually implement it (due to other priorities).
I built a suggestion box for a team at work like this. It was pretty basic. The page had no login, and no tracking of any kind. The DB only had an index, the date, and the suggestion. The source was available to everyone who would use it, and if they wanted I would have shown them the DB. These people also had root access to the server it ran on, so if they were really paranoid they could clear any system logs. The site was also heavily used for the day to day work, so the noise from everyone on the page would obscure any ability to tie a single IP to a time stamp without a lot of effort and a large chance for error.
Over the course of 4 years I think it was only used 3 times. Most people assumed it was some kind of trap. It wasn’t, I genuinely wanted honest feedback, and thought some people were too shy to speak up in a group setting, so wanted to give options.
In most of the places I've worked, I would have assumed the same.
The thing is that there is no real technological solution that would instill trust in someone that doesn't already have trust. In the end, all such privacy solutions necessarily must boil down to "trust us" because it's not practical or reasonable to perform the sort of deep analysis that would be required to confirm privacy claims.
You may have provided the source, for instance, but that doesn't give reassurance that the binary that is executing was compiled from that source.
I have a few friends working at CultureAmp (who - amongst other things - do anonymous employee surveys).
Management can 'drill down' to get information on how specific teams responded.
One of the things they mentioned doing is using a statistical (differential privacy?) model to limit the depth, to prevent any specific person's responses being revealed unless it was shared with a substantial number of other responses.
Surprisingly difficult when you consider e.g. a team lead reading a statement like "of the 10 people in your team, one is highly dissatisfied with management" - they have personal knowledge of the situation and are going to know which person it is.
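One way to implement the drill-down limit described in the comment above, as an added example that is not part of the thread and is not CultureAmp's code. It uses plain small-cell suppression rather than differential privacy; the threshold of 5, the function names and the sample scores are all assumptions constructed for illustration.

```python
from collections import Counter

MIN_CELL = 5  # assumed threshold; the thread does not give a number


def team_report(scores, k=MIN_CELL):
    """Answer histogram for one team. An answer is shown only if at least
    k people gave it; a team with fewer than k respondents returns None."""
    n = len(scores)
    if n < k:
        return None
    counts = Counter(scores)
    hidden = {a for a, c in counts.items() if c < k}
    # Secondary suppression: a single hidden cell can be recovered as
    # "respondents minus visible cells", so hide the smallest visible one too.
    visible = sorted((a for a in counts if a not in hidden), key=counts.get)
    if len(hidden) == 1 and visible:
        hidden.add(visible[0])
    shown = {a: c for a, c in counts.items() if a not in hidden}
    return {"respondents": n, "shown": shown, "suppressed": n - sum(shown.values())}


def drill_down(teams, k=MIN_CELL):
    """Per-team reports for a manager who can also see the org-wide totals."""
    reports = {name: team_report(s, k) for name, s in teams.items()}
    withheld = [t for t, r in reports.items() if r is None]
    released = [t for t, r in reports.items() if r is not None]
    # If exactly one team is withheld, org total minus the released teams
    # reconstructs it, so withhold the smallest released team as well.
    if len(withheld) == 1 and released:
        reports[min(released, key=lambda t: len(teams[t]))] = None
    return reports


# Constructed sample data: scores on a 1-5 scale.
SAMPLE_TEAMS = {
    "platform": [4] * 6 + [2] * 5,
    "support": [3] * 7,
    "design": [1, 5, 2],
}

if __name__ == "__main__":
    # The "one of ten is highly dissatisfied" case: the lone 1 is not shown.
    print(team_report([4] * 6 + [5] * 3 + [1]))
    print(drill_down(SAMPLE_TEAMS))
```

Suppression only limits what the report itself discloses; free-text comments and a reader's own knowledge of a small team remain outside what a count threshold can protect.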
There's commercial service providers and open-source projects doing that already.
The thing is, as soon as you allow free-text entry, the exercise becomes moot assuming you got a solid training corpus of emails to train an AI on - basically the same approach that Wikipedia activists used to do two decades ago to determine "sockpuppet" accounts.
Zee theeng is, es suun es yuoo elloo free-a-text intry, zee ixerceese-a becumes muut essoomeeng yuoo gut a suleed treeening curpoos ooff imeeels tu treeen un EI oon - beseecelly zee seme-a eppruech thet Veekipedia ecteefists used tu du tvu decedes egu tu determeene-a "suckpooppet" eccuoonts.
Bork Bork Bork!
Good point, but also liable to get crucial information and details lost or, worse, completely misunderstood by an AI which by definition lacks contextual knowledge.
When I was in high school I worked at the helpdesk for a small defense contractor. The developers there spent their down time building internal use IT tools. In those days they still wrote a lot of stuff in Lotus Domino, a tool that let you use a Notes database as the back-end for an SSR web app. Our ticketing system was written with it.
They later decided to adopt it for an annual IT satisfaction survey that they sent out to users. In an ideal world we wouldn't participate because the respondents were grading my team's performance but we got invites because we were part of the Exchange distro the message was sent to. I quickly discovered that the dev team had left a bunch of default routes enabled so we were able to view a list of all responses and see who submitted which. We knew our customers well enough that we could reliably attribute most of the negative responses via the free-text comments field anyhow but the fact that anybody could explicitly see everybody else's response wasn't great.
I suppose the NTLM-authenticated username in the server logs would convey the same info but at least that'd require CIFS/RDP access to the web server...
When I was in grade 2 we had a secret santa, but it was the competitive variant, where the "winners" were able to guess who gave them the gift.
So on the card I provided with my gift, I signed off the name of someone else in class, and partially erased it. Made sure it was still somewhat legible and then wrote "From your secret santa" beneath it.
They didn't believe the gift was from me even after the teacher provided them with the original draw, and their supposed gift giver identified someone else as their recipient.
When I quit a unicorn tech startup several years ago, they sent me an anonymous exit survey. It was on a name-brand survey platform and the platform’s UI indicated the survey was anonymous. In my later in-person exit interview with a guy from HR, he had us go over a copy of my answers! Based on his demeanor, I don’t think he knew it was presented as anonymous.
In college once I took a course that was being offered for the first time. They gave a midterm survey (usually we only had final surveys). I filled it out honestly, saying that my partner for our group projects was not pulling his weight. I had forgotten that I was in the only group of two (all the other groups were of three). The professor actually pulled me aside to let me know that he was aware our group wasn't working out - unfortunately there wasn't anything he could do.
The same thing happened to a friend of mine in junior high school. The teacher even called him out in front of the whole class for giving her bad ratings. We all did, but she recognized his handwriting in particular :-D
I worked at a startup (that is still a startup going nowhere 12 years later) where the ceo and cto made a big show of the town hall and in particular the “open questions” part. Anyone could go on a little internal app, ask an “anonymous” question, and they’d answer all of this week’s questions each week.
In reality, they cherry picked the questions that they wanted to talk about and ignored the hard ones. We could tell because all asked questions were publicly visible in the app. But not all answered “ah we’re out of time”
So I once posted a question about why were the interns unpaid while writing code we shipped in production. I posted this question just after the previous town hall so that it would stay visible in the app for the longest time until the next town hall and would also be top of the list of pending questions.
For a couple weeks they said they wanted to answer it but needed to ask clarification questions to make sure they understood correctly, so could please the asker reveal themselves as it’s only fair. I never said it was me and nobody said it was them either. They couldn’t just delete the question like they usually did with unanswered questions before as this had stirred quite a little storm between employees. And it would clash with the “we’re open and fair” koolaid they were serving us.
Eventually, they deleted the question without answering it “since the asker doesn’t have the courage to reveal themselves” and I was laid off which was “totally unrelated to the question you asked”.
Before leaving I dumped the database for that app out of curiosity. You bet that every single question also had an entry of who asked which question. They knew all along.