I would like to know how the deviceid values are created, especially if they are fully anonymized. I need to comply with GDPR for my project and I need to be sure I cannot trace back personal information of the users by receiving that info in the data form.
To clarify: I don’t have access to the operators’ devices and I don’t want to know their real identity. Still, for data management and processing it is helpful if I know which submissions belong to the same operator.
I’m the project manager of a citizen scientist campaign. I will share the form through the QR code (btw, that is a GREAT option) on web/social media. Every participant will use the settings of a basic account I created. I will have no direct contact with the participants but I will receive the forms with their deviceid metadata.
Main question: without accessing the participants’ devices, is there any way I can find out their real life identity? I prefer to not be able.
If I cannot find out their real life identity, that means I do not need to comply with GDPR and less paperwork burden,
No! This should not be possible unless you activate the metadata or use variables in your survey form that should capture the same. As shown above, metadata can only be captured properly if they are set (before starting data collection) in the Collect android app but if you still use Enketo, you may even miss those data.
Thanks a lot for your usually quick and efficient replies! The support forum here is run very well, much appreciated!
Sorry if I insist, but I need to be very careful about this for legal issues. Without accessing the participants’ devices, is there any way I can find out their real life identity if I receive the deviceid as metadata?
@simblanco, is the participant from a closed group (where you have maintained a sample frame) or are they participating from an open group (have not maintained a sample frame)?
I am not sure what is a sample frame. I would say open group, i.e. everyone who sees about the campaign on the web, installs kobo app, and sets it by scanning the QR they find.
In this case i would say it’s not possible unless you activate the metadata for the project and the respondents also fill up the metadata details in their app (which is usually rare). If you however request them to fill up the same, maybe you could collect the metadata from the enumerators though.
I really need to follow up to be sure I am ok with GDPR. You know privacy issues are complicated and my employer is very careful:
How is the deviceid value created? Is there an internal algorithm in the app? It is assigned when you first connect to the Kobo online/cloud system? Is it still connected to the IMEI as it was before? How can it be unique for different devices?
Any technical answers on this will be helpful to satisfy my employer’s concerns, thanks!
@simblanco, maybe you could look at the source code here.
It is only collected if the metadata is filled-up in the Collect android app (else you will not be able to record the same) and the metadata should also be activated at the project level.
Note: you will also not be able to collect metadata if anyone of the settings is missing that has been outlined above.
I am sorry to follow up on this issue. GDPR and all the rest…
Can KoBoToolbox organization (potentially) retrieve personal data of the users (specifically unique phone details like IMEI or phone number) by using their Device ID? In other words, can KoboToolbox reverse the anonymizer algorithm and retrieve unique personal data from the device ID values (such as IMEI or phone number)?
I tried to read the source code but I have no clue.