
Experience Sharing: Difference between revisions

From Pharmacopedia
No edit summary
Rewrite Privacy section to reflect current voter-hash architecture
Line 115: Line 115:
== Privacy and identity ==
== Privacy and identity ==


* Usernames are visible next to submitted anecdotes, votes, and literature entries.
Pharmacopedia keeps user identity '''structurally separated''' from contributed content. Every rating, vote, and report is stored against an opaque voter hash — never a user ID — so the database itself does not link a contribution back to the account that made it.
* Personal-experience reports (efficacy/burden ratings) are aggregated into the readout but '''individual reports are not linked to usernames''' on the public page.
 
* Provider documents uploaded for verification are deleted immediately after the admin decision — approved or rejected. Nothing is retained.
=== What is anonymized end-to-end ===
* No demographic information is collected.
 
The following are '''always anonymous''' — there is no opt-in to attach your name:
 
* '''Up/down votes''' on any element
* '''Effect reports''' (yes/no/valence/frequency per effect, both personal and provider perspectives)
* '''Likert ratings''' on indications
* '''Interaction matrix votes''' and their attached free-text notes
* '''Experience-report ratings''' (efficacy, burden, duration, dose, current-use, patient count)
 
For these, the database holds only an HMAC-SHA256 hash of your user id keyed against a server secret. A direct read of the database cannot map a row back to an account; the server re-computes the hash at request time to recognize "your" rows for your own display.
 
=== What is opt-in (default: anonymous) ===
 
Two surfaces let you choose at submission time whether your username is attached:
 
* '''Comments''' (the threaded <code>&lt;discuss/&gt;</code> blocks)
* '''Literature submissions''' (citations and PDFs uploaded against a medicine page)
 
Both forms include a checkbox &mdash; '''"Show my username publicly"''' &mdash; that defaults to unchecked. If you leave it unchecked, the submission is stored without your username; only the voter hash is retained. If you check it, your username is stored in a separate <code>display_name</code> column and shown publicly next to the submission.
 
Existing comments and literature entries from before this change kept their original attribution: at migration time, the historical username was preserved into <code>display_name</code> because those rows were posted with the implicit understanding that the name would be visible.
 
=== Edit and delete of your own contributions ===
 
You can still edit or delete your own comment even though the row no longer stores your user id. The server matches the row's voter hash against the hash computed from your current session at the moment you press Edit or Delete; only a match permits the change. Sysops can edit/delete any comment.
 
=== Provider verification ===
 
* Documents uploaded via [[Special:VerifyProvider]] are stored privately on disk only until an administrator decides on the application.
* On approval or rejection the documents are '''deleted immediately''' from disk and the file-path field on the application row is wiped.
* The verification decision is logged with the reviewing admin's identity, not the applicant's documents.
 
=== What is not collected ===
 
* No demographic information (age, sex, race, location).
* No tracking cookies, analytics scripts, or third-party beacons.
* No client-side identifiers in the markup of voted/rated elements that could be cross-referenced to other rows.
 
=== Caveats &mdash; what this does and doesn't protect against ===
 
* The HMAC secret lives in <code>LocalSettings.php</code> on the server. A '''determined administrator''' with both source-code access AND database access could still recompute the hash for a given user id and cross-reference rows. The protection is against casual DB inspection and against breach of the database alone &mdash; not against the server operator acting in bad faith.
* MediaWiki's core revision history (wiki edits, page moves) still records the editing account name as part of normal wiki history. That data is separate from the contribution surfaces described above.
* Comments and literature submissions you mark "show my username" remain public until you delete them.
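Review bot: the voter hash introduced in the "What is anonymized end-to-end" paragraph ("an HMAC-SHA256 hash of your user id keyed against a server secret") is a single stable value per account across every surface, so the rows are pseudonymous rather than anonymous, and the Caveats list should say so. A breach of the database alone still links all of one account's votes, effect reports, Likert ratings, interaction-matrix notes and comments to each other through the shared hash, and any one comment or literature entry submitted with "Show my username publicly" checked stores <code>display_name</code> beside that same voter hash, which maps the pseudonym to a username for every anonymous row that carries it. Suggest adding a bullet under "Caveats" stating that the hash is a stable pseudonym and that opting in on any single submission exposes the rest, and, as an architectural change, deriving the stored value per surface or per page (for example HMAC over the user id together with a surface identifier) so that one opt-in does not unmask the other surfaces.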
 


----
----