
I'm building a website where the users can upload some data regarding their job activities into an MSSQL database. The data is not considered sensitive information as such, but it is preferred if the user performing the activity is anonymized. I'm using Google Firebase for authentication to avoid having to build the whole user/authentication functionality separately.

After anonymizing the data it should not be possible for anyone with database access to connect the data with the user (anonymized), but the user should still be able to access his/her information.

I have considered the following options myself:

  1. Create a hash using the user's email from the Google account and use that as the identifier in the activity data table

Con: Anyone with access to the database could generate the same hash using the user's email and look up the data

  2. Let the user select a separate password/key as a salt, stored in the database, and add that to the email address -> generate the hash and store it as the identifier in the activity data table

Pro: More secure, as anyone trying to connect the data with a user would need to know the salt as well
Con: Same as in point 1 above: someone with access to the database can combine the user's email with the salt and generate the hash

  3. Let the user select a separate password/key (not stored in the database) to be entered every time they access their data. Add this as a salt to the email address -> generate the hash and store it as the identifier in the activity data table

Pro: No one would be able to generate the same hash (unless they know the user's password/key)
Con: If the user forgets his/her password/key, the data will not be recoverable

I'm sure there is another better/smarter (hopefully easy) way I haven't thought of. All suggestions are welcome.

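The three identifier schemes the question lists, as an added example that is not part of the original post and not an answer to it. It simulates an insider who can read every stored column (emails, stored salts, activity rows) and checks which scheme lets them recompute the identifier. The key derivation for option 3 (PBKDF2-HMAC-SHA256 with the email as salt), the hex identifiers, the sample rows and the names `option1_id`, `option2_id`, `option3_id`, `build_table`, `database_reader_can_link` and `user_lookup_option3` are all assumptions made for the illustration.

```python
"""Added example, not from the original post: the three pseudonymous-ID
schemes described in the question, plus a simulation of what someone holding
only the database (emails plus whatever else is stored) can reproduce.

Assumptions (mine, not the poster's): IDs are hex strings; option 3 derives
the ID with PBKDF2-HMAC-SHA256 from a secret the user types on every access
and that is never stored anywhere on the server."""
import hashlib
import os


def normalize(email: str) -> bytes:
    """Canonicalize the address so "Alice@Example.com" and "alice@example.com"
    map to the same ID; an ID scheme that depends on letter case is brittle."""
    return email.strip().lower().encode("utf-8")


def option1_id(email: str) -> str:
    """Option 1: SHA-256 of the email alone.  Fully reproducible by anyone
    who knows the email."""
    return hashlib.sha256(normalize(email)).hexdigest()


def option2_id(email: str, stored_salt: bytes) -> str:
    """Option 2: SHA-256 of salt || email, where the salt is kept in the same
    database.  A database reader has both inputs, so this is also reproducible."""
    return hashlib.sha256(stored_salt + normalize(email)).hexdigest()


def option3_id(email: str, user_key: str, iterations: int = 100_000) -> str:
    """Option 3: key-stretched derivation from a secret only the user knows.
    The email is used as the PBKDF2 salt so the same key gives different IDs
    for different users; the iteration count slows offline guessing of
    short keys by a database reader."""
    return hashlib.pbkdf2_hmac(
        "sha256", user_key.encode("utf-8"), normalize(email), iterations, dklen=32
    ).hex()


# Constructed sample: one user's rows in the activity table, keyed by ID.
# In the real system the email would come from the Firebase-authenticated session.
EMAIL = "alice@example.com"
SALT = os.urandom(16)           # option 2: stored next to the user record
USER_KEY = "correct horse"      # option 3: typed by the user, never stored


def build_table(scheme: str) -> dict:
    """Store two constructed activity rows under the ID produced by `scheme`."""
    pid = {
        "option1": option1_id(EMAIL),
        "option2": option2_id(EMAIL, SALT),
        "option3": option3_id(EMAIL, USER_KEY),
    }[scheme]
    return {pid: ["2024-01-03 site visit", "2024-01-04 report filed"]}


def database_reader_can_link(scheme: str, table: dict) -> bool:
    """Simulate an insider who can read every stored column (emails, salts,
    activity rows) but does not know a secret that is never persisted.
    Returns True if they can recompute the ID and find the user's rows."""
    known_email, known_salt = EMAIL, SALT
    if scheme == "option1":
        guess = option1_id(known_email)
    elif scheme == "option2":
        guess = option2_id(known_email, known_salt)
    else:
        # The best the insider can do for option 3 is guess the key; try a few.
        for candidate in ("password", "123456", "alice", ""):
            if option3_id(known_email, candidate) in table:
                return True
        return False
    return guess in table


def user_lookup_option3(table: dict, email: str, typed_key: str) -> list:
    """The legitimate user retrieves their own rows by re-deriving the ID
    from the key they type; a mistyped or forgotten key finds nothing,
    which is exactly the recovery problem the question points out."""
    return table.get(option3_id(email, typed_key), [])


if __name__ == "__main__":
    for scheme in ("option1", "option2", "option3"):
        t = build_table(scheme)
        print(f"{scheme}: insider can link rows -> {database_reader_can_link(scheme, t)}")
    t3 = build_table("option3")
    print("user with right key:", user_lookup_option3(t3, EMAIL, USER_KEY))
    print("user with wrong key:", user_lookup_option3(t3, EMAIL, "correct hourse"))
```

Running the block shows options 1 and 2 linkable by the insider and option 3 not, while the option 3 user only gets their rows back with the exact key they chose. The insider's guess loop is where a short or common user key would still fail: the stretching only makes each guess slower, it does not stop a weak key from being guessed.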