Here are some initial ideas about how we might handle the storing and use of e-mail addresses for VMT participants, and potentially other Math Forum services
1. Why do we want to do this?
a. In the case of VMT we want to be able to remind VMT participants who have registered for a particular event via e-mail (or Instant messenger?) so we need to store their e-mail addresses in a way that is secure and approved by IRB
b. Also for VMT research we might want to conduct participant interviews and evaluate their experience with the service and so it will be necessary to contact them in a secure way.
c. In other services such as Ask Dr. Math, Math Doctors contact the students through a set of PERL scripts that deliver their messages to the students e-mail addresses and in the process make students e-mail addresses visible to Math Doctors.
2. How could this be achieved?
In general de-coupling e-mail addresses and usernames (internally selected or chosen by the user) and storing the e-mail addresses encrypted in a separate repository should solve the "storage" problem. When a message needs to be sent to a particular username a private key (e.g. RC4 key) would need to be provided by an authorized person (e.g. via and SSL form) so that the e-mail address could be decrypted and the message sent.
However, annonymous two-way conversation of the type needed for evaluative research or for the interactive dialogues required in the Dr. Math service would require a "bridging" service that will act as middleware hiding and translating usernames into e-mail addresses.
3. IRB approval
I suggest that we submit to IRB the following update to the methods and procedures:
Student Teams (online) The student teams onine will be established by people who respond to the online materials distributed by the MathForum. The students will register to participate in individual or ongoing events by filling out a short survey about their grade, gender, level of mathematical knowledge, and other demographical and attitudinal information. No personal identification will be collected with the exception of a valid electronic contact address (e-mail, IM nickname, etc.). Students will be asked to pick an anonymous user name, distinct to their given name, which will be used for all communication during their participation in the project. At no point will it be necessary for students to give their actual name or the names of their families or the identity of their schools.
The electronic contact address (e-mail address, instant messenger nickname, etc.) will be collected to facilitate the process of reminding students of the events and conduct evaluative surveys of their perceptions towards the service provided. However, this electronic contact address will be stored encrypted using industry standard mechanisms (e.g. RSAÂs RC4 encryption algorithm) in a repository independent of their demographic data. All communication with the participating students will be conducted through a system that hides the studentÂs e-mail address and uses the user selected name to address the student. Responses from students will handle in the same way so that their originating e-mail address will be protected when replying to messages. Only authorized PIs will hava a copy of the encryption key used to decode e-mail addresses. In compliance with the Children Online Protection Act (COPA) students under 13 years of age will not be allowed to participate unless there is explicit parental or teacher consent . Students participation will continue to be tracked in the system anonymously by the user name selected by the students.