Getting unique info about user or computer?

[Rhino]

I'm really not sure what the best place is to ask this question so please
forgive me if this isn't it - and redirect me to the right place, if you
know what that is ;-)

I'm trying to figure out if there is any reliable way to uniquely identify a
user or the computer that they are using WITHOUT asking them explicitly.

I am trying to help someone non-technical achieve something that it is out
of my area of expertise. She has created an HTML form that contains a
survey. She wants to collect responses and analyze the data so that she can
make certain decisions based on the answers.

The survey is anonymous. In other words, she doesn't ask the people who
complete the survey for any identifying information like name, Social
Security Number, phone number or anything else that might be uniquely
identifying. I'm not clear if she is not allowed to ask for such things by
her organization's policy or whether she simply doesn't want to but the
bottom line is that nothing is known about the person who completes the
survey. By the way, the survey is an administrative questionaire about
university policies, nothing to do with spam or marketing of any kind.

She is concerned that some people will be tempted to complete the survey
multiple times to skew her analysis and asked me if there is some way that
she can ensure uniqueness of each response so that no person can complete
the survey more than once.

My best guess was that a MAC address might do the trick. However, when I did
some research on this, I found information to the effect that:
a) not all computers have a MAC address
b) a computer can have multiple MAC addresses if it has multiple network
cards
c) the MAC address of many network cards can be changed, although it is not
something a typical user would normally do

Please correct me if any of this information is wrong; I'm not a networking
guy so maybe I misunderstood!

If all of the above information is correct, it would seem to eliminate the
MAC address as a solution. Therefore, I'm wondering if there are any other
solutions to this problem?

I saw one post that said there was talk of burning unique serial numbers in
CPUs but I got the impression that this was only proposed (in 1999) and
would only apply to Intel chips. That clearly lets out older CPUs and
non-Intel ones as well, making this a useless approach.

Can anyone suggest another approach? She doesn't want to know anything
secret about the people completing the survey that could harm them or raise
concerns about identity theft or whatnot; she only wants to ensure that a
given person only completes the survey once.

--
Rhino
---
rhino1 AT sympatico DOT ca
"There are two ways of constructing a software design. One way is to make it
so simple that there are obviously no deficiencies. And the other way is to
make it so complicated that there are no obvious deficiencies." - C.A.R.
Hoare

 

[Liz]

I'm really not sure what the best place is to ask this question so please
forgive me if this isn't it - and redirect me to the right place, if you
know what that is ;-)

I'm trying to figure out if there is any reliable way to uniquely identify a
user or the computer that they are using WITHOUT asking them explicitly.

I am trying to help someone non-technical achieve something that it is out
of my area of expertise. She has created an HTML form that contains a
survey. She wants to collect responses and analyze the data so that she can
make certain decisions based on the answers.

The survey is anonymous. In other words, she doesn't ask the people who
complete the survey for any identifying information like name, Social
Security Number, phone number or anything else that might be uniquely
identifying. I'm not clear if she is not allowed to ask for such things by
her organization's policy or whether she simply doesn't want to but the
bottom line is that nothing is known about the person who completes the
survey. By the way, the survey is an administrative questionaire about
university policies, nothing to do with spam or marketing of any kind.

She is concerned that some people will be tempted to complete the survey
multiple times to skew her analysis and asked me if there is some way that
she can ensure uniqueness of each response so that no person can complete
the survey more than once.

My best guess was that a MAC address might do the trick. However, when I did
some research on this, I found information to the effect that:
a) not all computers have a MAC address
b) a computer can have multiple MAC addresses if it has multiple network
cards
c) the MAC address of many network cards can be changed, although it is not
something a typical user would normally do

Please correct me if any of this information is wrong; I'm not a networking
guy so maybe I misunderstood!

If all of the above information is correct, it would seem to eliminate the
MAC address as a solution. Therefore, I'm wondering if there are any other
solutions to this problem?

I saw one post that said there was talk of burning unique serial numbers in
CPUs but I got the impression that this was only proposed (in 1999) and
would only apply to Intel chips. That clearly lets out older CPUs and
non-Intel ones as well, making this a useless approach.

Can anyone suggest another approach? She doesn't want to know anything
secret about the people completing the survey that could harm them or raise
concerns about identity theft or whatnot; she only wants to ensure that a
given person only completes the survey once.

--
Rhino
---
rhino1 AT sympatico DOT ca
"There are two ways of constructing a software design. One way is to make it
so simple that there are obviously no deficiencies. And the other way is to
make it so complicated that there are no obvious deficiencies." - C.A.R.
Hoare

I think it is not possible, but I may be wrong.

You can't use IP address or MAC address because it is possible that more
than
one person legitimately answers your survey using the same machine. Or using
the same user account on the same machine.

Users are often suspicious when you tell them that their identity is
anonymous.

You can assign a unique password for each user, have them use the password
when they fill out the form and if they try to do it more than once let the
most recent set of answers supersede the previous ones. This way you will
not
get multiples, but they will be suspicious that you are going to use the
data against them in some way.

 

[Clemens Martin]

Hi Rhino,

MAC-Address or CPU-Id (which both can be faked with more or less afford) is
not accessible in a HTML-Form. So no chance.
By the way, the user could use different computers (internet-cafes etc.) to
change that simply.

I would suggest the user has to register for an account first which is
uniquely bound to an e-mail address, where the system generated password to
access the survey is sent to. So only each e-mail address can register
exactly once. Of course users which have many e-mail addresses can register
more then once and do the survey more then once.
On the other hand e-mail address could be a problem, because it's not 100%
anonymous then, but i dont have a better idea at the moment.

Regards,
Clemens

 

[Roedy Green]

I'm trying to figure out if there is any reliable way to uniquely identify a
user or the computer that they are using WITHOUT asking them explicitly.

Basically all the easy to get unique stuff is in the System
properties.
See http://mindprod.com/wassup.html


Intel CPUs have a unique serial number. You can get it via
http://mindprod.com/products.html#PENTIUM

AMD CPUs do not. It is too open to Ashcroftian abuse.

See http://mindprod.com/products2.html#SNIFF for other info you can
get via DOS.

Face IP is not permanent. See http://mindprod.com/jgloss/ip.html

Mac address is unique, but requires JNI for each platform or exec
fiddles to find it out in a different way on each platform.

 

[Roedy Green]

Can anyone suggest another approach?

You can take a disk profile or a hardware profile. you could note the
sizes and dates of files that have not been modified in a long time.

You could simply assign each machine a unique number and store it on
the machine in the registry. see
http://mindprod.com/jgloss/preferences.html

 

[Sudsy]

I'm really not sure what the best place is to ask this question so please
forgive me if this isn't it - and redirect me to the right place, if you
know what that is ;-)

I'm trying to figure out if there is any reliable way to uniquely identify a
user or the computer that they are using WITHOUT asking them explicitly.

I am trying to help someone non-technical achieve something that it is out
of my area of expertise. She has created an HTML form that contains a
survey. She wants to collect responses and analyze the data so that she can
make certain decisions based on the answers.

There's no absolute, guaranteed way to achieve this. I like the e-mail
idea posed but people can have multiple addresses. Could you use a
cookie in conjunction with the e-mail qualification?
If the user is savvy enough to know how to purge cookies then you're
SOL, however. Then again, a non-intrusive survey...

 

[Hal Rosser]

Have the app set a cookie on the users browser, then you can tell if the
same machine was used more than once by getting the cookie - if it exists -
then don't count the vote again.

 

[Andy Fish]

I am trying to help someone non-technical achieve something that it is out
of my area of expertise. She has created an HTML form that contains a
survey. She wants to collect responses and analyze the data so that she can
make certain decisions based on the answers.

I am guessing that if the person is non-technical and has developed an HTML
form, she is intending to run the form from a web site and have users access
it using a browser.

in this case there is precious little information you can get about the
user's PC or environment. The best way would probably be an HTTP cookie
(this would require some programming on the web server but is not rocket
science). however, there are many ways to defeat this if someone wanted to
skew the results.

think of the survey as like voting. the closest you can get to a fair result
is by having a list of everyone registered to participate and have each
person who does so authenticate themselves to the system.

 

[Rhino]

Thank you all very much for your suggestions. I will pass them on and let
the developer of the form see if there are any that she would like to try.

She wasn't expecting a perfect solution but was hoping to get something that
would quiet at least some of the people who might be concerned about
security. I think you've given us some reasonable solutions.

Rhino