Privacy & Training, Good Free Options

posted Feb 25, 2012, 10:03 AM by Francis Esmonde-White   [ updated Feb 26, 2012, 6:34 PM ]
Recently I have been going through various trainings for working with human subjects. It's amazing to learn about the strong infrastructure and guidance provided in order to maximize the safety and quality of research done with human subjects.

One of the big issues in work with human subjects is guaranteeing privacy and confidentiality of subjects. I don't foresee collecting any personally identifiable information about study participants, but the trainings have led me to think carefully about how to properly store and work with data.

There are a couple of great options available for encrypting data and communications. They are still pretty sparsely used, but the tools have advanced substantially in both quality and user-friendliness since I last looked into what's available, about 5 years ago.

The first tool is TrueCrypt. It is software that creates an encrypted virtual hard drive on a computer. It can also create a hidden virtual hard drive inside what looks like empty space in another virtual hard drive, and all the truly empty space is filled with random numbers as well. Both virtual hard drives are encrypted (they cannot be read without knowing a very special key), and without decrypting them it's impossible to tell whether there are even any volumes or files inside. For example, if a laptop holding the study data were lost, it would be very difficult to access the data without knowing the encryption key. This seems to hold a lot of potential for safely storing human subjects data. Unfortunately, it doesn't seem to be certified according to Federal Information Processing Standard (FIPS 140-2), which means it probably isn't sufficient for safeguarding patient data.

The second tool is GPG. GPG is one technology developed to encrypt email. Did you know that all your email gets transmitted across the internet as plain text? It's like having all your letters mailed as postcards (no envelopes), and instead of the postal service handling them, they get passed from person to person until they reach their destination. Using a system like GPG, the message can be encrypted (put into an envelope) so that it would be very difficult for anyone but the intended recipient to read the contents. There are two keys: one is a private key, which is required to open a message. The other is a public key, which can be used to encrypt a message, but not to open it afterwards.

However, there are a lot of challenges in using GPG, the greatest being that both the sender and the recipient need to use GPG in order to actually use the system. Otherwise GPG is like having the only fax machine in the world. A second major problem is that most web-based email doesn't natively support GPG encryption. There are browser plugins (for Chrome and Firefox) that support both encryption and decryption of email in web services like GMail. However, there are still big limitations, like the subject line remaining plain text. A third challenge is that the sender and recipient also need to exchange encryption keys before they can read each other's messages. This is done either by directly exchanging the public keys (by email, for example), or by having the public keys available on a publicly accessible "keyserver". Note that only the public key should be shared... a private key that gets shared defeats the whole purpose of encryption.
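To make the two-key idea and the key-exchange step above concrete, here is a small added example (my own demo script, not part of the original post and not GnuPG's documentation) that walks through a complete exchange between two made-up parties, "Alice" and "Bob", using the `gpg` command-line tool. Everything runs in throwaway keyrings under a temporary directory so it never touches your real keys. The names, e-mail addresses and the sample message are constructed for the demo; it assumes GnuPG 2.x is installed as `gpg`.

```shell
#!/bin/sh
# Added example (not from the original post): a two-party GPG exchange in
# throwaway keyrings. Requires GnuPG 2.x ("gpg") on PATH. The party names,
# addresses and message below are constructed for the demo.

DEMO="${DEMO:-$(mktemp -d)}"      # scratch directory for both keyrings
ALICE="$DEMO/alice"               # sender's keyring (GNUPGHOME)
BOB="$DEMO/bob"                   # recipient's keyring (GNUPGHOME)
MSG='study data: participant 0042 enrolled'   # constructed sample plaintext

# Create one party's key pair in its own homedir. The key has no passphrase,
# which is acceptable for a throwaway demo key only, never for a real one.
make_party() {
  home="$1"; name="$2"; email="$3"
  mkdir -p "$home" && chmod 700 "$home"
  gpg --homedir "$home" --batch --quiet --pinentry-mode loopback --passphrase '' \
      --quick-generate-key "$name <$email>" default default never >/dev/null 2>&1
}

# Generate both key pairs once, then perform the key exchange: Bob hands
# Alice his PUBLIC key only (armored text that could go by email or a
# keyserver). His private key never leaves his own keyring.
demo_setup() {
  [ -d "$ALICE" ] && return 0
  make_party "$ALICE" Alice alice@example.org
  make_party "$BOB"   Bob   bob@example.org
  gpg --homedir "$BOB" --batch --quiet --armor --export bob@example.org \
    | gpg --homedir "$ALICE" --batch --quiet --import 2>/dev/null
}

# Alice seals the message "in an envelope" with Bob's public key.
# --trust-model always skips the interactive "is this really Bob?" prompt,
# a shortcut that is fine here because we generated the key ourselves.
encrypt_for_bob() {
  demo_setup
  printf '%s\n' "$MSG" | gpg --homedir "$ALICE" --batch --quiet --trust-model always \
      --armor --recipient bob@example.org --encrypt
}

# Bob opens the envelope with his private key; prints the plaintext.
bob_decrypts() {
  encrypt_for_bob | gpg --homedir "$BOB" --batch --quiet --decrypt 2>/dev/null
}

# Alice holds only Bob's public key, so she cannot recover what she sent.
# Returns 0 when gpg correctly refuses, i.e. the public key alone is useless
# for reading the message.
alice_cannot_decrypt() {
  if encrypt_for_bob | gpg --homedir "$ALICE" --batch --quiet --decrypt >/dev/null 2>&1; then
    return 1
  fi
  return 0
}

# Stop the per-homedir agents and remove the scratch keyrings.
demo_cleanup() {
  for h in "$ALICE" "$BOB"; do
    [ -d "$h" ] && gpgconf --homedir "$h" --kill gpg-agent 2>/dev/null
  done
  rm -rf "$DEMO"
}

# Stand-alone run: show the round trip and the failed attempt with the wrong key.
echo "Bob reads:  $(bob_decrypts)"
alice_cannot_decrypt && echo "Alice (public key only) cannot decrypt: as expected"
```

Running the script prints the recovered message for Bob and confirms that Alice's keyring, which contains only Bob's public key, fails to decrypt the same ciphertext; call `demo_cleanup` afterwards to remove the scratch keyrings. Note what the example does not protect: the `--recipient` address and the email subject line would still travel in plain text, exactly the limitation the post mentions.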