Kupferman.com

Online Survey Content Security Doesn’t Exist

I received an interesting question from a reader earlier today about survey security. While I’m not actually answering his question here, it did raise an interesting point about online research — which is this: there really truly is no way to protect the content that you display in your survey from falling into the wrong hands. If you have a secret product or concept , your best bet for keeping it secret is not to test it using online research.

Before sending me the note telling me just how wrong I am, record the following:

As I figure it, there are four different kinds of security as it applies to online surveys. The first kind of security is what we’ll refer to here as back-end security. This basically means that strangers can’t simply log into the survey software server and start making changes to your survey, or download your data, or do all sorts of other things which really ought to be protected by a good password. Most survey systems do a pretty good job with this, assigning separate accounts, usernames, and passwords to each survey respondent. Some even take it to the next level, by allowing account administrators to set different permission levels for each user on the account, thereby ensuring that people who are meant to have access to your survey can’t “accidentally” go and make changes.

The second kind of survey security is where only authorized people are allowed to take your survey. Some implement this feature by giving you one respondent password that you can share will all of your respondents, or some systems even allow you to give every respondent their own password (or access key) which not only keeps out the riff raff, but also makes sure that each respondent can take the survey only once. This type of security not only ensure that only the “right” people take your survey, but also that the wrong people can’t get access to the content of the survey.

I’ve seen this kind of survey software security implemented well, but I’ve also seen it implemented poorly. Some systems, instead of assigning each survey an ID made up of a random collection of letters and numbers, use a sequential, easy to guess series. Which means that it really isn’t all that hard to view (and possibly edit!) surveys written by other clients of the survey system. So watch out for that.

The third kind of security about the connection between the respondent’s computer and the survey software server. Is it secure (look for the https: in the URL). Frankly, unless you’re doing super secret stuff and your concerned that hackers and government agents are trying to listen in on your respondents, I’m not sure it is something you need to worry too much about. But if you are afraid of industrial espionage or that someone is going to tap into your wireless signal, then you may want to take the precaution of choosing a system that allows for encrypted connections.

It’s easy enough for a well thought out survey software program to provide good security surrounding these first three measures. Where they get into trouble — and where you get into trouble if you believe them — is when they start to protect your survey content.

The fourth kind of survey software security is content protection, which basically means keeping your untrustworthy respondents from copying the top secret images and product descriptions that you include in your survey onto public web sites or your competitor’s email account.

I know, I know…there are survey systems that feature technologies that make it harder to copy images or capture video. This can be done using javascript, or by doing some crazy encryption to the feed. One could even go so far as taking over the computer so that nothing else works except the survey.

But I have a camera. And I have a video camera. And if you don’t completely lock down my computer, I have some really good screen capture software that lets me capture both audio, images and pictures. If I want to capture your survey content, believe you me, I will capture your survey content.

And then I can do pretty much anything I want with it, can’t I? No doubt 600-1000 people took that confidential survey of yours, and how are you going to know which one of them posted it to the anonymous message posting board using an anonymous IP address?

I suppose it is theoreticaly possible to embed a visual identifier into each image (a watermark of sorts) so you can trace the image back to whoever posted it online, but I’ve never heard of technologies built into survey software (if it does exist please let me know — I’ll report it here!).

There are also ways you can reduce the risk. You can, for example, use a pre-screened panel made up of people you trust. Employees, for example. Another approach is to threaten your respondents with legal action (although most will figure out pretty quickly that you have no way of identifying them). You could also threaten to stop doing online surveys if they leak your secret.

But the best way to ensure that your super secret new business idea doesn’t leak out onto the Internet is not to do online research (there, I said it). If your entire business model is based around keeping something confidential, do not put it in an online environment in front of strangers. Period. And don’t trust any research firm that says they have a foolproof method of keeping your images, video and other content safe. If they do, just pull out your camera or video camera and press record.

Leave a Reply