
I've been working on a web application that needs to provide a way to create an anonymous identifier that can be used to identify one or more rows in a database that refer to a person who has called into a switchboard (let's call them a "client") without actually storing any identifiable information about that client. The switchboard operator should be able to:

  1. ask a few questions of the client that (ideally) only the client can answer
  2. enter their responses into an ephemeral online "calculator" form that doesn't save/submit the data
  3. receive an anonymous identifier from that form
  4. enter that anonymous identifier into the app that will be used to handle the client's request (let's call that the CRM)

Notably:

  • personally identifiable information must never be stored in the CRM
  • the same questions are asked of every client
  • if the same client calls again one year later—and answers the same questions—a different switchboard operator would get the same anonymous identifier in response, and would see the entries about that client entered into the CRM by other operators who have answered calls from that same client in the past
  • the client is never asked to remember an identifier, password, or other secret

For example, John Doe calls the switchboard, and is asked to provide their:

  • First and Last name
  • DOB
  • City of birth

In my prototype: the name is processed with a simple Soundex-like algorithm (to avoid spelling errors) and returns a number; the date of birth returns the number of days since an arbitrary epoch; and the city of birth returns a Where on Earth Identifier. These are then concatenated, salted, and hashed to return an anonymous identifier (e.g. 3:L3kmw:Ly, using SSDEEP so that the switchboard operator doesn't have to type many characters into the CRM, though the hashing algorithm isn't important). The form used to generate the anonymous identifier calculates everything in the browser, and doesn't store/save/submit anything.

Is there a better approach to reproducibly generate an anonymous identifier? Are there better questions/procedures to reduce the risk of social engineering by others who might wish to gain information about a client?

Interested in all ideas, critiques, etc. Will edit with changes as requested.

Dustin
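The pipeline the question describes (normalize each answer so that spelling and formatting noise is absorbed, concatenate, salt, hash, shorten for typing) as an added, runnable example; this is not the asker's prototype code. The name step uses standard American Soundex per name token, the date step counts days from a fixed epoch, and the city step uses a constructed lookup table that stands in for a Where on Earth Identifier lookup (the codes are placeholders, not real WOEIDs). In place of SSDEEP, the hash is a truncated, base32-encoded HMAC-SHA256 keyed with the shared salt; that substitution is my choice, the question says the algorithm is not the point. The salt is assumed to be one fixed value embedded in every copy of the calculator form, because two operators only get the same identifier if they hash with the same salt.

```python
import base64
import hashlib
import hmac
import re
from datetime import date

# Standard American Soundex consonant codes; vowels, Y, H and W carry no code.
_SOUNDEX_CODES = {
    **dict.fromkeys("BFPV", "1"),
    **dict.fromkeys("CGJKQSXZ", "2"),
    **dict.fromkeys("DT", "3"),
    "L": "4",
    **dict.fromkeys("MN", "5"),
    "R": "6",
}

# Arbitrary fixed epoch (assumption); changing it changes every identifier.
_EPOCH = date(1900, 1, 1)

# Constructed stand-in for a WOEID lookup; these numbers are placeholders.
_CITY_CODES = {"springfield": 1001, "shelbyville": 1002}


def soundex(word: str) -> str:
    """Four-character American Soundex code, e.g. 'Robert' -> 'R163'."""
    letters = [c for c in word.upper() if c.isalpha()]
    if not letters:
        return "0000"
    out = letters[0]
    prev = _SOUNDEX_CODES.get(letters[0], "")
    for ch in letters[1:]:
        if ch in "HW":           # H and W do not separate letters of the same code
            continue
        code = _SOUNDEX_CODES.get(ch, "")
        if code and code != prev:
            out += code
        prev = code              # a vowel ('') lets the same code repeat afterwards
    return (out + "000")[:4]


def normalize_name(full_name: str) -> str:
    """Soundex each name token so 'John Doe' and 'Jon Doe' normalize alike."""
    tokens = [t for t in re.split(r"[^A-Za-z]+", full_name) if t]
    return "-".join(soundex(t) for t in tokens)


def normalize_dob(dob_iso: str) -> int:
    """Days since the fixed epoch for an ISO date string such as '1980-05-17'."""
    return (date.fromisoformat(dob_iso) - _EPOCH).days


def normalize_city(city: str) -> int:
    """Look up the constructed city code; unknown cities are rejected, not guessed."""
    key = " ".join(city.lower().split())
    if key not in _CITY_CODES:
        raise ValueError(f"unknown city: {city!r}")
    return _CITY_CODES[key]


def anonymous_id(full_name: str, dob_iso: str, city: str, salt: bytes, length: int = 10) -> str:
    """Concatenate the normalized answers, key-hash them with the shared salt,
    and return a short base32 token grouped in fives for easier typing."""
    material = f"{normalize_name(full_name)}|{normalize_dob(dob_iso)}|{normalize_city(city)}"
    digest = hmac.new(salt, material.encode(), hashlib.sha256).digest()
    token = base64.b32encode(digest).decode().rstrip("=")[:length]
    return "-".join(token[i:i + 5] for i in range(0, len(token), 5))


if __name__ == "__main__":
    salt = b"shared-calculator-salt"  # constructed; every form copy must use the same value
    print(anonymous_id("John Doe", "1980-05-17", "Springfield", salt))
    print(anonymous_id("Jon Doe", "1980-05-17", "springfield", salt))   # same identifier
    print(anonymous_id("John Doe", "1980-05-18", "Springfield", salt))  # different identifier
```

Running it shows the property the question wants: a misspelled first name or differently cased city still yields the same identifier, while a one-day change in the date of birth yields an unrelated one. Because the salt keys the HMAC, a CRM dump alone does not let someone test candidate answers without also holding the salt that lives in the form.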
