- Posts: 4
- Thank you received: 0
Ask the community, share ideas, and connect with other LimeSurvey users!
Please Log in to join the conversation.
I am not sure if your protocole can solve the "anonymity" problem that Joffm and me are adressing here.The idea: instead of publishing raw counts, publish an aggregate protected by differential privacy, so that no individual response — not even the lone outlier in a single-digit unit — is recoverable from the result. I structured it as a threat model of explicit "gates", each with an honest status:
Please Log in to join the conversation.
Please Log in to join the conversation.
But the information about the participant must come from somewhere. The common way is to store it in the token / particpant table as a custom attribute. You could pass it on via the URL as well, but this has its own challenges.On the storage side: the department is used only to decide which aggregation bucket the answer goes into. The routing attribute is consumed before storage, not stored alongside the answer. For one-response-per-person, the token is hashed and that hash is kept in a separate dedup set — it is never written next to the answer, so there's no joinable token↔response row (the dedup set and the answers are different structures, never joined). What's published per department is a DP aggregate (noisy sum over noisy count, so even the exact headcount is hidden), not an individual-level dataset to download or join.
If it is self declared, we do not need the additional layer, at least not for the main issue, make the connection between personal data and response data. It could help with the second scenario that allows to identify people because of small sample sizes. But, and I give you a real life example: Even if you aggregate the data, this can still be an issue. We had a internal survey for a client and we would only present aggregate information to the client. We knew who was behind the answers, but the client (in theory) didn't. To protect respondents we didn't even show the sample size (which in many cases was below n=5, in some cases n=2 or even n=1). But employees know how many people work in a certain department. If you receive a low rating from a department with n=2 or n=1 people working there, you basically know who gave you a low rating. Even if data is aggregate.But you're pointing at the real upstream question: where does the department come from in the first place? Honestly I haven't settled that, and the choice matters — it could be (a) self-declared by the respondent as a survey question (no token attribute at all),
To be hones, I still do not see how your proposed approach would solve the issues presente. Maybe because I do not fully understand your approach.(b) carried as a token attribute, or (c) looked up from an external/HR directory at entry. Each has a different exposure: (a) trusts the declaration, (b) means the token carries an attribute, (c) means that directory exists and could be correlated. You know the LimeSurvey workflow far better than I do — which of these would actually fit how people run cohort surveys there?
What this does NOT solve, and I won't pretend otherwise:
- Trust doesn't fully disappear, it moves: a non-technical respondent still can't verify at submission time that things work as described — they'd have to trust the implementation (or an independent audit), not just take my word for the code. I think that's honest to state up front.
- Small cohorts: with DP a tiny department's aggregate just gets too noisy to be useful (DP still holds at n=7, it's the result that's unusable, not the privacy), which is why a minimum-cohort threshold makes sense for publication.
- The per-department ε only holds cleanly if cohorts are disjoint and you don't also publish cross-cutting aggregates over the same people — otherwise the budget composes and you have to account for it.
- If you need per-individual linked data kept for reminders, response updates or later cross-analysis, this isn't the tool — it's a different class of system from standard LimeSurvey exports.
- Out of scope too: timing correlation, network metadata, and the blind-signature route (still a non-audited prototype).
The reproducible test script for exactly this (routing by cohort + DP aggregate, seed=42) is demo_cohortes.py in the repo, if you want to break it: github.com/taha-vera/Protocole-Vera/blob/main/demo_cohortes.py
Please Log in to join the conversation.