while functionality-wise, it seems anonymized surveys allow to limit the audience to a closed circle and prevent multiple submission, I wonder whether the system is usable for secret voting.
Is there any documentation on this use case?
From a quick glance at the code:
I am unsure if the saved timestamp can be cross-correlated with the user’s submission (for example).
Indico surveys are not meant for secret voting but really just for surveys, with the option to remain anonymous to the organizers of the event.
A system admin with server access can of course correlate e.g. logs to figure our who submitted what - there’s no way to prevent this, but keep in mind your system administrator could also simply edit the code to log this information directly. You cannot prevent someone with this kind of access from acting in a malicious way.
Also, in case of anonymous submissions there is no strong prevention of duplicate submissions - clearing your session (e.g. by logging our and in again or simply using incognito windows) is all you need to do to make another submission in an anonymous survey:
So if you need a truly secret voting or election system - very different from a survey IMO - then you may want to consider using a third-party service since that way you can be (somewhat) sure that none of the people involved in your voting have any kind of administrative access to the service used for it.