Instructors want feedback about their courses to improve themselves. But students hesitate to criticize their instructors, because they fear reactions.
We solve this problem, by providing a fully anonymous feedback service.

 

How does it work?

1. The student registers in the professor's CakeCMS system.
2. Each student gets a token proving that he registered for this course.

   Token can't identify a student, since multiple students can get the same token (details below).

3. The student visits the CMS feedback server and writes feedback about the course.

   The server verifies that the student is actually taking this course (token). The server does not know who this student is, and does not keep track about it. It is independent of other instances, professors have no access on it.

4. The CMS feedback server submits the feedback to the professor's CMS instance.

   The professor sees the feedback, but not who wrote it.

Why is this necessary?

Before this server existed, students had to give their (critical) feedback in the CMS system controlled by the professor. While the system itself did not save information about students giving feedback, the webserver itself logs every visit, including IP address. This is common practice for webservers, and necessary to counter hacking attempts.

If a curious professor wanted to know the author of a critical comment, he could go to his server administrator and ask for the access log at the time of the comment. From this access log, he could get the IP address that submitted the comment. Now he could go back to the CMS and see who logged in from this IP. Combining these information, he could have a strong guess who wrote the comment.

The CMS itself could not block this deanonymization attempt, because the access logs are outside of its control. We (the CMS authors) knew that this possibility existed, but believed that professors wouldn't take all the hassle to live their antipathy against critic. We were wrong. Instead we believed this possibility might show useful, for example in cases of anonymous murder threats against professors.

How do you preserve my anonymity?

We take the feedback submission process out of the professor's control. No professor has access on this server (which does not even keep access logs). The professor can not even see if you visited this page or not. On the other hand, we guarantee a professor that feedback about his course is coming from the students registered for his course (and therefore is somehow qualified).

In detail, that means:

• Each student gets a token that verifies his registration for the course. The token does not identify a student:
  • No personal information is encoded in it, the tokens from different students might even be equal
  • Every student gets one every time he logs in - all students from a course got a token
  • Even if the tokens were not anonymous - the professor's system issues them, but never receives them
• The actual feedback submission is handled by the CMS Feedback Server.
  • No direct connections between student and CMS are involved.
  • From the professor's point of view, all feedback is submitted from this server's IP.
  • The CMS Feedback Server has no possibility to identify a student (no access to student database, token is anonymous)
• Feedback is queued, submission is delayed up to two hours.
  • That means: There is no timely correlation between your visits in the CMS and the submitted feedback.
  • In case you want to give urgent feedback, you can override this behaviour (at your own risk).

Why should I trust you?

Because we're not professors, and because you can check most of the claims above.

What is this token?

You can take the token from your submission link (the part behind ?course=) and decode it yourself: gzinflate(base64_decode("...")) (or: gzinflate(base64_decode(rawurldecode("..."))) . The second part (&sig=) is a cryptographic HashMac over this token. The output is a JSON similar to this one:

{
    "url": "https://cms.uni-saarland.de/",
    "sn": "prog1",
    "c": "Programmierung 1",
    "l": "deu",
    "id": "0011223344",     // ID of the CMS that issued this certificate - equal for all students in all courses in one instance
    "v": 1532466023         // "Valid until"-timestamp (rounded to hours)
}

Is this token really anonymous?

Sit together with fellow students, and compare the links CMS is giving you: They should be equal. That means that nobody will be able to tell who of you actually used it to submit feedback.

But what about IP addresses?

If you don't trust us, you can take an extra round:

1. Go to CMS, and copy the link to the CMS Feedback Server
2. Open the link with the Tor Browser. It will hide your IP from us.

The only thing that connects your CMS registration with the feedback from the Tor network is the token built in this link. Do the experiment above to check that the token is really anonymous. Feel save.

Still not convinced?

Print your feedback using an open accessible printer, put it in an envelope, address it and throw it in the professors mail box. Don't forget to wear sunglasses, medical gloves and surgical mask...

Contact

If you have questions about this page, contact Markus Bauer (markus-dxzth3zd AT mk-bauer DOT de).