Assurance of anonymity for respondents in sensitive online surveys PDF

87 Pages·2017·0.99 MB·English
Assurance of anonymity for respondents in sensitive online surveys

Halvor Bjørn. Thesis submitted for the degree of Master in Informatics: Programming and Networks (60 credits), Department of Informatics, Faculty of Mathematics and Natural Sciences, University of Oslo, Autumn 2017. © 2017 Halvor Bjørn. http://www.duo.uio.no/ Printed: Reprosentralen, University of Oslo.

Abstract

Online survey applications enable researchers to create and distribute surveys in a cost-effective way. However, respondents may be reluctant to participate in surveys that collect sensitive personal information if they believe that they can be re-identified and linked to the collected data set. Giving respondents a strong assurance of anonymity may improve both the response rate and the quality of the data collected. In some instances, it may be beneficial for the researcher or survey administrator to restrict participation to a particular demographic group or domain. We approach assurance of anonymity in two contexts: one where the survey is open to everyone, and one where the participants are invited or restricted to a specific group.

Interviews conducted for this thesis show a tendency for respondents to be reluctant to post a submission, or to answer untruthfully on sensitive topics, if their identity is known. To increase the response rate and data quality in online surveys, we propose a solution providing strong assurance of anonymity in open surveys. The proposed solution uses client-side encryption, randomization and caching of submissions to decrease the probability of re-identification, at the cost of potentially reduced reliability in the data collection process. Further, we have developed a framework for determining the assurance of anonymity provided by a particular solution, which we use to evaluate the proposed solutions for anonymous authentication of respondents. Our evaluation of the proposed solutions for anonymous authentication has shown that it is possible to let respondents post a submission while being given a strong assurance of anonymity. However, the strong assurance of anonymity comes at the cost of one or several additional elements, such as a pre-registration process by the respondent, management of cryptographic keys or secrets by the respondent, or trust in a third party.

Our results show that a system providing strong assurance of anonymity to respondents is possible to implement, and that it may increase the response rate and data quality of sensitive online surveys, with the only disadvantage that it could potentially reduce the reliability of the data collection process. The latter is not seen as a practical problem. Truly anonymous authentication of respondents is possible, but at the added cost of increased overhead, decreased usability, or a requirement that the respondent trust third parties. Future research is recommended to assess the value of a high assurance of anonymity for response rates and data quality, compared to the trade-offs with reliability, overhead, usability and trust identified above.

Acknowledgements

I would like to thank my supervisor, Prof. Audun Jøsang of the Department of Informatics at the University of Oslo. Prof. Jøsang has always been encouraging, supportive and patient with my work. Thank you. I would also like to express my gratitude to my team members and fellow employees at USIT for their valuable input, feedback and interesting discussions. Without them, the writing of this thesis would not have been possible.
Last but not least, I would like to thank my family, partner and friends for their encouragement and keen interest in my study and work over the recent years. Thank you.

Author: Halvor Bjørn

Contents

List of Figures
List of Tables
Acronyms

1 Introduction
  1.1 Problem statement and motivation
  1.2 Structured overview
  1.3 Methodology
    1.3.1 Interviews with respondents
    1.3.2 Interviews with Dagfinn Bergsager
    1.3.3 Existing technology
    1.3.4 Applications and source code
  1.4 Why Nettskjema as use-case application
  1.5 Interviews
    1.5.1 Thoughts on anonymity
    1.5.2 Assumptions made about the surveys
    1.5.3 Survey on alcohol consumption
    1.5.4 Survey on mental health
    1.5.5 Survey on drug use
    1.5.6 Thoughts on trust
    1.5.7 Findings from interviews

2 Theory
  2.1 What is privacy
    2.1.1 Norwegian and European privacy legislation
  2.2 What is anonymity
    2.2.1 Personal information and anonymity
    2.2.2 Anonymity based on policy
    2.2.3 Enforced anonymity
    2.2.4 Anonymity and pseudonymity
  2.3 What is identity
  2.4 What is authentication
  2.5 Authentication Assurance Levels
    2.5.1 Authentication assurance levels in ID-porten
  2.6 Technical Anonymity Assurance Levels
    2.6.1 Scope of the framework
    2.6.2 Requirements for assurance level 1
    2.6.3 Requirements for assurance level 2
    2.6.4 Requirements for assurance level 3
    2.6.5 Requirements for assurance level 4
  2.7 Cryptographic primitives
    2.7.1 Cryptographic hash functions
    2.7.2 Zero Knowledge Proof
    2.7.3 General description of ZKP
    2.7.4 Requirements for ZKP
    2.7.5 Zero Knowledge Authentication
    2.7.6 Blind Signature Protocol
  2.8 Existing technology for anonymous surveys and Identity Management
    2.8.1 Anonize
    2.8.2 Attribute-based credentials

3 Nettskjema as a use case
  3.1 About Nettskjema
  3.2 Risk analysis of Nettskjema
  3.3 About TSD
  3.4 Respondents
    3.4.1 Signed in
    3.4.2 Invited
    3.4.3 Open surveys
    3.4.4 Authentication Assurance Levels in Nettskjema
  3.5 Question types
    3.5.1 Surveys that contain personal identifiable information

4 Anonymous responses in Nettskjema
    4.0.1 Current situation
    4.0.2 Benefits
  4.1 Requirements for a solution
    4.1.1 Removal of identifying attributes
    4.1.2 Identifying question fields
    4.1.3 Attacks on solutions
  4.2 External proxy
    4.2.1 Integration with Nettskjema
    4.2.2 Benefits and disadvantages
  4.3 Anonymous frontend
    4.3.1 Nettskjema API
    4.3.2 Implementation with Nettskjema
    4.3.3 Placement of front-end server
    4.3.4 Encryption in the client browser
    4.3.5 Security mechanisms in anonymous frontend server
    4.3.6 Security of the client
    4.3.7 Enforcing anonymous surveys
    4.3.8 Problems with implementation
  4.4 Comparison and evaluation of solutions

5 Anonymous authentication of respondents in Nettskjema
    5.0.1 Use cases
  5.1 Requirements
    5.1.1 Optional features
  5.2 Anonize
    5.2.1 Registration
    5.2.2 Survey submission
    5.2.3 Metadata and monitoring of participants
    5.2.4 Applicability to traditional surveys
  5.3 Identity Mixer
    5.3.1 Integration with Nettskjema
  5.4 Ad-hoc invitation through an anonymous authentication server
    5.4.1 General concept
    5.4.2 Location and configuration of authentication server
    5.4.3 Registration of subjects
    5.4.4 Limiting the number of submissions for each respondent
    5.4.5 Weaknesses of implementation
  5.5 Blind Signatures
    5.5.1 Registration phase
    5.5.2 Submission phase
  5.6 Comparison between solutions
    5.6.1 Maximum achievable TAAL

6 Discussion
  6.1 In-memory caching and risk of data loss
  6.2 Security of browsers / clients
  6.3 Communication channels for invitations
  6.4 Response rate and data quality of anonymous responses
  6.5 Trust in the application code and configuration
  6.6 Security and complexity
  6.7 Usage of anonymous authentication
  6.8 Conclusion

List of Figures

1.1 A capture of the sample survey on alcohol consumption
1.2 A capture of the sample survey on drug use
2.1 The concept of identity
2.2 The secret cave
4.1 Banner telling respondents that no personal identifiable information is recorded
4.2 System architecture of anonymous front-end
5.1 Registration and submission phase with IBM IdentityMixer
5.2 Registration and submission phase with blind signatures
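The blind-signature registration and submission phases listed in the contents above (5.5.1 and 5.5.2), together with the per-respondent submission limit of 5.4.4, as an added example that is not the thesis's code and not Nettskjema's: a Chaum-style RSA blind signature flow in Python using only the standard library. The Respondent and SurveyServer classes, the 512-bit toy keys, the example.org identities and the one-signature-per-invited-identity policy are assumptions made here for illustration; the thesis's actual design is not visible on this page. The flow shows the two costs the abstract attributes to anonymous authentication: a pre-registration step in which the respondent is identified, and a secret (token and signature) the respondent must keep until submission.

```python
# Added example (not the thesis's code): Chaum-style RSA blind signatures, stdlib only, toy keys.
import hashlib
import secrets
from math import gcd

def _is_probable_prime(n: int, rounds: int = 40) -> bool:  # Miller-Rabin; n is an odd candidate > 37
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):  # cheap trial division first
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)  # random witness in [2, n-2]
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _gen_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # full length and odd
        if _is_probable_prime(cand):
            return cand

def rsa_keygen(bits: int = 512):
    e = 65537  # 512-bit modulus only to keep the demo quick; never use such keys for real
    while True:
        p, q = _gen_prime(bits // 2), _gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and gcd(e, phi) == 1:
            return (p * q, e), (p * q, pow(e, -1, phi))  # (public, private)

def hash_to_int(token: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(token).digest(), "big") % n  # H(token) < n

class Respondent:
    """Client side: the token and the blinding factor r never leave the respondent."""
    def __init__(self, pub):
        self.n, self.e = pub
        self.token, self.sig = secrets.token_bytes(16), None
        self.r = secrets.randbelow(self.n - 2) + 2
        while gcd(self.r, self.n) != 1:  # r must be invertible mod n
            self.r = secrets.randbelow(self.n - 2) + 2

    def blinded_request(self) -> int:
        # blinded = H(token) * r^e mod n: uniformly random from the server's point of view
        return hash_to_int(self.token, self.n) * pow(self.r, self.e, self.n) % self.n

    def unblind(self, blind_sig: int) -> None:
        s = blind_sig * pow(self.r, -1, self.n) % self.n  # s = s' * r^-1 mod n
        if pow(s, self.e, self.n) != hash_to_int(self.token, self.n):
            raise ValueError("invalid blind signature from server")
        self.sig = s

    def submission(self, answers: dict) -> dict:  # posted later, unauthenticated
        return {"token": self.token.hex(), "sig": self.sig, "answers": answers}

class SurveyServer:
    def __init__(self, invited):
        self.pub, self.priv = rsa_keygen()
        self.invited, self.registered, self.spent = set(invited), set(), set()

    def register(self, identity: str, blinded: int):
        # Registration phase: identity is authenticated (e.g. institutional login); one signature each
        if identity not in self.invited or identity in self.registered:
            return None
        self.registered.add(identity)
        n, d = self.priv
        return pow(blinded, d, n)  # the server signs without ever seeing H(token) or s

    def submit(self, sub: dict) -> bool:
        # Submission phase: accept iff the signature verifies and the token is unused
        n, e = self.pub
        if pow(sub["sig"], e, n) != hash_to_int(bytes.fromhex(sub["token"]), n):
            return False
        if sub["token"] in self.spent:  # one submission per respondent (cf. 5.4.4)
            return False
        self.spent.add(sub["token"])
        return True

def run_demo() -> dict:
    """Constructed scenario: one invitee, a replay, a forgery and an uninvited registration."""
    server = SurveyServer(invited={"alice@example.org"})
    alice, mallory = Respondent(server.pub), Respondent(server.pub)
    alice.unblind(server.register("alice@example.org", alice.blinded_request()))
    return {
        "alice_ok": server.submit(alice.submission({"q1": "yes"})),
        "replay_rejected": not server.submit(alice.submission({"q1": "no"})),
        "forgery_rejected": not server.submit({"token": mallory.token.hex(), "sig": 1, "answers": {}}),
        "outsider_rejected": server.register("mallory@example.org", mallory.blinded_request()) is None,
    }
```

At registration the server records only the identity and the blinded value; at submission it sees only the token and the unblinded signature, and relating the two requires the blinding factor r that the respondent never sent. Two caveats a deployment would need beyond this sketch: the server's public key must be published and pinned by all respondents, since a server that hands each invitee a different key could tag and re-identify submissions; and textbook RSA with a bare hash is used here for clarity, whereas a real implementation should use a vetted blind-signature construction and key sizes from a cryptographic library.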
