I feel like I'm constantly fighting an uphill battle when I raise awareness about any privacy issues. This email went out to my campus a few days ago from (ironically) the American Democracy Project. The link is below:

https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fforms.office.com%2FPages%2FResponsePage.aspx%3Fid%3DPAUkwXjwhEmPnTWuD3jFim27hL6NsGFBs-JLhn5poQ5URU4xM0tKRVM1S0w3UUNPQjdISDQwRzdIOS4u&data=05%7C02%7C[MyFullName]%40[MyUniversity].edu%7C426332fa16114117c45d08de8f73e19e%7Cc124053cf07849848f9d35ae0f78c58a%7C0%7C0%7C639105925031635084%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=V1ThxSS%2BVa236C7i03BCacXkisZdjcJLoopiOGDaZeI%3D&reserved=0

I removed my full fucking name and the name of my university; I'm sure there's shit that can be extracted by a knowledgeable person. Or maybe I'm paranoid and overreacting. I don't think all that text is necessary to simply route me to a survey's URL, even if it is on Microsoft Forms.

I replied to the all-campus email and said there was some data sent with that link, including my name. I said I'd like to participate in the survey if it was anonymous and asked if there was a simple, sanitized link that didn't send my name and other information with it. I got bounced to the Very Sincere Student Project Leader who assured me that there was no personal information collected, and I could verify this by looking at the questions in the survey.

On MS Forms.

Linked with all the stuff above.

Sigh. American Democracy, indeed.

#security #privacy #microsoft #survey #surveyresearch

@guyjantic
If I click on that link above it takes me to the form...

@FritzAdalis That's what I think it does, too. It had my full name embedded in it, which doesn't seem necessary. I can't imagine 90% of that data is necessary. Qualtrics surveys have a unique identifier in the URL of maybe 10-12 characters, after one or two subdomains/directories. That's all that's in most URLs for Qualtrics surveys. That suffices for probably hundreds of millions of surveys.

My guess is that most of that data is some telemetry that gets taken to the form with the link and is then sent on to Microsoft.

@guyjantic
Well, the safelinks part is so if phishing/malware gets through the admin can ask 'who clicked on this'. As for Forms, you can compare your url to everyone else's, and visit in private mode and see if it makes you log in. Or I can stuff the form with obscenities and you can see if they yell at you.

@FritzAdalis @guyjantic

Yeah, safelinks completely makes a mockery of the "always check the real url" training, as it rewrites the url. If you know how to read it, you can find the real url inside. The real problem is, forwarding safelinks used to break the url due to multiple rewrites. Maybe they fixed that? I'm not IT security anymore, and deliberately stopped caring.
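Added example, not part of the thread: one way to read a wrapped link like the one posted above and list what travels with it besides the destination. It assumes only what is visible in that link (a percent-encoded `url` parameter and a pipe-separated `data` parameter); the sample link, address and blob are constructed placeholders, and no meaning is assigned to the individual `data` fields.

```python
import base64
import binascii
from urllib.parse import parse_qs, urlencode, urlsplit

WRAPPER_SUFFIX = ".safelinks.protection.outlook.com"

# Constructed sample shaped like the link in the thread; every value is a placeholder.
_BLOB = base64.b64encode(b'Mailflow|{"V":"0.0"}').decode()
SAMPLE = "https://nam04.safelinks.protection.outlook.com/?" + urlencode({
    "url": "https://forms.example.com/survey?id=ABC123",
    "data": "|".join(["05", "02", "jane.doe@example.edu", "0" * 32,
                      "0", "Unknown", _BLOB, "0", "", ""]),
    "sdata": "PLACEHOLDER=",
    "reserved": "0",
})


def _try_b64(field):
    """Return decoded text if the field is base64 that decodes to printable UTF-8."""
    if len(field) < 16 or len(field) % 4:
        return None
    try:
        text = base64.b64decode(field, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def unwrap_safelink(link):
    """Split a wrapped link into its real destination and the extra data it carries."""
    parts = urlsplit(link)
    if not (parts.hostname or "").endswith(WRAPPER_SUFFIX):
        raise ValueError("not a Safe Links wrapper URL")
    query = parse_qs(parts.query, keep_blank_values=True)
    fields = query.get("data", [""])[0].split("|")
    return {
        "target": query.get("url", [""])[0],          # the real URL inside the wrapper
        "emails": [f for f in fields if "@" in f],    # recipient-looking fields
        "decoded": [t for t in map(_try_b64, fields) if t],
        "other_params": sorted(set(query) - {"url", "data"}),
    }


if __name__ == "__main__":
    for key, value in unwrap_safelink(SAMPLE).items():
        print(f"{key}: {value}")
```

The `target` value is the address to inspect or share; everything else in the report belongs to the wrapper, not to the form.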