email address encryption
- This topic has 3 replies, 3 voices, and was last updated 4 years, 9 months ago by NicolasD.
April 16, 2020 at 6:20 am #5067 NicolasD (Participant)
Dear Jeremy,
First of all, thank you very much (and Florian) for your work, it is extremely useful for my current research.
I have a question about the possibility of encrypting the email addresses that participants would leave at the end of the experiment.
Do you know if there is a simple procedure I could use to encrypt a string (by entering a passphrase)?
If not, do you know how I can call the function that generates an MD5 hash, as is the case for the IP addresses of the participants (but I’m afraid it’s not secure enough because I read here and there that it’s quite simple to decrypt)?
Thank you so much for your help,
With kind regards
Nicolas
April 16, 2020 at 8:23 am #5068 florians (Moderator)
Hi Nicolas, glad PCIbex is working out well for you!
I’ll leave the encryption question to Jeremy, but thought I’d also throw in that at least with certain recruitment platforms, you can avoid having to collect email addresses or names etc. altogether. Sona and Prolific (which we use for for-course-credit Penn students and paid participants respectively) both allow for using a method where you just direct participants back to the platform with a custom-generated link at the end of the experiment that directly confirms their participation there. The relevant code/User ID # from the platform still winds up being stored in the results, but that’s arguably less personal and critical than more direct personal identifiers.
Florian
PS: We’re happy to help with specifics if you go that route. See https://www.pcibex.net/wiki/04-participant-information/#menuToc-1 and in particular https://www.pcibex.net/wiki/penncontroller-geturlparameter/ for starters.
April 16, 2020 at 12:05 pm #5070 Jeremy (Keymaster)
Hi Nicolas,
TL;DR: robust encryption/decryption in JavaScript is definitely possible but not straightforward, but maybe you don’t need it anyway.
As Florian said, if your goal is simply to keep track of your participants and your recruiting platform already provides unique IDs, I strongly recommend you just use that instead.
If you still need to use an encryption method, most browsers now implement the SubtleCrypto API. There are some limitations though: some browsers like Edge do not support some algorithms, and most importantly, the API will only work on secure domains (the PCIbex Farm uses a secure domain).
If your goal is to store encrypted email addresses in your results file that only you can later decrypt, you will need an algorithm that takes a public encryption key and a private decryption key. There are a few of those; one of them is the ECDSA, illustrated here. You would also need to export your public key, as illustrated here.
Jeremy
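The public-key workflow described in the post above, as an added example that is not part of the original thread and is not PCIbex code. In the SubtleCrypto API, ECDSA keys support only sign and verify; the algorithm that offers encrypt/decrypt with a public/private key pair is RSA-OAEP, which this example uses. All function names and the sample address are assumptions made for illustration.

```javascript
// Added example, not PCIbex code; every function name below is hypothetical.
// Browsers expose crypto.subtle on secure (HTTPS) pages; the fallback is for older Node.
const subtle = globalThis.crypto?.subtle ?? require("node:crypto").webcrypto.subtle;

const RSA_OAEP = { name: "RSA-OAEP", hash: "SHA-256" };
// RSA-OAEP plaintext limit: modulus bytes - 2 * hash bytes - 2 = 256 - 64 - 2.
const MAX_PLAINTEXT_BYTES = 190;

// Researcher side, once and offline: keep privateKey secret, publish only publicJwk.
async function generateResearcherKeys() {
  const pair = await subtle.generateKey(
    { ...RSA_OAEP, modulusLength: 2048, publicExponent: new Uint8Array([1, 0, 1]) },
    true, ["encrypt", "decrypt"]);
  return { publicJwk: await subtle.exportKey("jwk", pair.publicKey),
           privateKey: pair.privateKey };
}

// Participant side: encrypt the address with the public key embedded in the script.
async function encryptEmail(publicJwk, email) {
  const bytes = new TextEncoder().encode(email.trim());
  if (bytes.length === 0 || bytes.length > MAX_PLAINTEXT_BYTES) {
    throw new RangeError("email must be 1-" + MAX_PLAINTEXT_BYTES + " UTF-8 bytes");
  }
  const key = await subtle.importKey("jwk", publicJwk, RSA_OAEP, false, ["encrypt"]);
  const ct = new Uint8Array(await subtle.encrypt({ name: "RSA-OAEP" }, key, bytes));
  return btoa(String.fromCharCode(...ct)); // base64 text for the results file
}

// Researcher side: recover the address from one base64 value in the results file.
async function decryptEmail(privateKey, b64) {
  const ct = Uint8Array.from(atob(b64), c => c.charCodeAt(0));
  const pt = await subtle.decrypt({ name: "RSA-OAEP" }, privateKey, ct);
  return new TextDecoder().decode(pt);
}

// Round trip on a constructed sample address, plus the over-length edge case.
async function demo() {
  const { publicJwk, privateKey } = await generateResearcherKeys();
  const sample = "participant@example.org"; // constructed sample value
  const a = await encryptEmail(publicJwk, sample);
  const b = await encryptEmail(publicJwk, sample);
  const rejectedTooLong = await encryptEmail(publicJwk, "x".repeat(200) + "@example.org")
    .then(() => false, e => e instanceof RangeError);
  // OAEP padding is randomized, so equal addresses give different ciphertexts.
  return { recovered: await decryptEmail(privateKey, a), randomized: a !== b,
           base64Length: a.length, rejectedTooLong };
}
```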
April 17, 2020 at 11:25 am #5075 NicolasD (Participant)
Thanks to both of you for your answers,
I will look into what our recruitment platform can do. In the meantime, I will explore other options you listed (ECDSA looks quite appropriate to me). In all cases, I’ll keep you informed of the solution I’ve chosen.
Have a good weekend.
Nicolas