So you want to do a survey ?

One of the things that all our networked computers could do for us is to make `surveys' do what they're meant to: but there are some prerequisites.

Ideally, I have a computer system to which I can answer honestly whatever question it asks me; absent a sufficiently sophisticated dialogue to let me tell it what things I'll let who know, I should be able at least to presume it won't tell the world it was me that gave the answers I gave. Someone who wants to conduct honest surveys of how folk stand with the world may want that information available: in so far as my information system lets them discover what proportions of a large population hold what views, without letting anyone know who it was held which views, surveys can respect privacy and yet be useful. Apparently the cryptographers know how to make such things possible.

To illustrate the matter, suppose some organisation sets up to embark on some project which, as a pilot, shall need to work with a school (to be chosen) and volunteers, at least `enough' of them from the local community and acceptable to the school as folk to allow on the premises (e.g., they don't have prior histories of paedophile abuse). The internet will let the project make good use of volunteers from all over; the project may well be founded on the premis of linking up useful volunteers with mechanisms schools can use in assisting their pupils' educations.

Now the organisation needs to do a poll of the general public to gather input from folk willing to act as volunteers, ideally identifying schools which have plenty of willing volunteers nearby (making for better take-up once the pilot gets going and finds out which folk actually get round to it; particularly where there are folk who would help out if it were their kids' school but unlikely to bother otherwise). Chosing the right school will matter.

Joe Public would, at present, be asked to fill in a form on the organisation's web site, giving details which will enable the organisation to contact Joe when the project gets going, and making promises about how these details will be used. One of Joe's major concerns is the reliability of those promises - unless Joe likes getting junk e-mail and spam, not to mention burglars who know inconveniently much about Joe's movements and household security systems.

Ideally, I'd be able to tell my computer system to participate in a survey the organisation is organising; my system would subsequently contact the organisation's information systems to conduct a protocol which enables it to persuade their systems that certain things about me are true (without identifying me), including such matters as that I'm a real human being registered as a voter in some electoral constituencies (again possibly taking care to indicate an MEP, an MP and local councilors in a county and a city of England, without indicating which county and city). I would need to know (and I would prefer to see my systems able to check) that the population from which the survey is drawn is sufficiently broad as to ensure that my contribution doesn't suffice to identify me; or, at least, that the form in which data shall be made available to anyone will be `averaged over' broad enough swathes to ensure my anonymity.

The survey conductor needs to communicate quite a lot of information to my computer system for that to work. Even the list of quesions to be answered comes in two parts: the `where in the demographic does the respondent fall ' questions and the `what is your opinion/taste/... ?' questions the survey is nominally about. The surveyor must also enable (me or) my systems to verify that the survey is sufficiently broadly responded to that the demographic questions don't suffice to pin-point me; it shall also need to indicate means by which my systems can persuade it to believe some of the claims therein, such as my presence on electoral rolls.

I may answer the substantive questions myself, or I may be lucky enough to have system smart enough I'm happy to delegate; either way, even if my answers to these do enable some folk to identify who gave them, I want some assurance that their access to demographic data about me is limited - ideally, to only the data they already had from whatever prior contact with me enabled them to recognise me from my answers.

What I've seen of the cryptographic literature seems to suggest one could do this, albeit a solution involves a whole lot of things aside from the cryptography, many of them at least reasonably hard.

Written by Eddy.
$Id: survey.html,v 1.2 2001-10-17 17:11:31 eddy Exp $