On Mon, 07 Nov 2016, Stefano Zacchiroli wrote:
> On Mon, Nov 07, 2016 at 11:22:42PM +0100, Joerg Jaspert wrote:
> > No logging or name is needed, with the set of questions in this survey
> > one only needs a bit of knowledge of Debian and its people to identify a
> > high amount of the survey takers, I think. (I still took it)
>
> This is becoming an FAQ, so let me address it here instead of just
> waiting for the blog post including its answer to be written.
>
> Yep, you're absolutely right. And this is in fact why we included in the
> survey announcement a promise to distribute the results only in
> aggregate form, because cross-referencing with Debian info it would be
> easy to deanonymize people.
>
> So the "threat model" here is not "untrusted/byzantine survey
> organizers" (if you don't trust the organizers you're probably screwed
> anyhow, as we could be lying about not logging IP address or HTTP
> referrers, after all). The "threat model" is rather: "untrusted readers
> of published survey *results*", which we will aggregate to avoid
> deanonymization.

The threat model is leakage of the non-aggregated survey data, actually.
Which is not only dependent on the survey platform and its handling of
the survey data, but also on the security of said data *after* it leaves
the survey platform.

--
Henrique Holschuh