Chris

Reputation: 103

Encrypt User data, but Decrypt it for Research Purposes

I’m planning on allowing my users to sync their data with the cloud so that if they get a new phone or switch phones (e.g. iPhone to Android and vice versa) they will be able to reload their data into their phone. Currently all their data is stored on their phones. I plan on encrypting their data in the database so it isn’t easily readable. However, I have been reached out to by universities that could find user data useful (I would of course make the data so that it couldn’t be traced back to the user, and ask for their consent). I’m wondering if there is a secure way to encrypt user data but also make it so that if I need to decrypt it for research purposes in the future I would be able to do this. Are there any best practices to do this?

Upvotes: 1

Views: 270

Answers (1)

Henrick Hellström

Reputation: 2666

I would argue that the obvious solution would also be the ideal solution. You have two tasks that could fairly easily be solved separately, so solve them separately. To do exactly what you are asking for would require experimental cryptography.

  • Use state-of-the-art password based encryption for the identified user data that the users store for themselves.
  • Collect the research data separately, with explicit permission from the user. Generate an individual random identifier for each user, send each identifier to the respective phone, compile the research data on the user's phone, and submit it from the user's phone to a different data store on your servers.

Upvotes: 1
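The two separate stores the answer describes, as an added Go example that is not part of the original answer: the sync blob is sealed under a key derived from the user's password (PBKDF2-HMAC-SHA256 here, written out with the standard library only; a memory-hard KDF such as Argon2id or scrypt would be the stronger choice), and the research record carries a server-minted random identifier that is not derived from anything identifying. The function names, the 600,000-iteration work factor and the blob layout are assumptions of this example, not anything from the question or answer.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

const (
	saltLen  = 16      // per-user random salt, stored with the blob
	nonceLen = 12      // standard GCM nonce size
	keyLen   = 32      // AES-256
	iters    = 600_000 // PBKDF2 work factor (assumed; OWASP-level for SHA-256)
)

// pbkdf2SHA256 is PBKDF2-HMAC-SHA256 (RFC 8018), spelled out so the example
// stays standard-library only. Prefer Argon2id/scrypt from x/crypto in practice.
func pbkdf2SHA256(password, salt []byte, iters, keyLen int) []byte {
	mac := hmac.New(sha256.New, password)
	out := make([]byte, 0, keyLen)
	var idx [4]byte
	for block := uint32(1); len(out) < keyLen; block++ {
		binary.BigEndian.PutUint32(idx[:], block)
		mac.Reset()
		mac.Write(salt)
		mac.Write(idx[:])
		u := mac.Sum(nil)              // U_1 = PRF(P, S || INT(i))
		t := append([]byte(nil), u...) // T = U_1 XOR U_2 XOR ... XOR U_c
		for i := 1; i < iters; i++ {
			mac.Reset()
			mac.Write(u)
			u = mac.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

func gcmFor(password string, salt []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(pbkdf2SHA256([]byte(password), salt, iters, keyLen))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one user's sync data under their password. Result layout
// (assumed for this example): salt || nonce || AES-256-GCM ciphertext+tag.
// Salt and nonce are fresh per call; the salt is bound as associated data.
func Seal(password string, plaintext []byte) ([]byte, error) {
	hdr := make([]byte, saltLen+nonceLen, saltLen+nonceLen+len(plaintext)+16)
	if _, err := rand.Read(hdr); err != nil {
		return nil, err
	}
	salt, nonce := hdr[:saltLen], hdr[saltLen:]
	gcm, err := gcmFor(password, salt)
	if err != nil {
		return nil, err
	}
	return gcm.Seal(hdr, nonce, plaintext, salt), nil
}

// Open reverses Seal. A wrong password or any tampering (including with the
// salt) fails authentication and yields an error rather than garbage.
func Open(password string, blob []byte) ([]byte, error) {
	if len(blob) < saltLen+nonceLen+16 {
		return nil, errors.New("sync blob too short")
	}
	salt, nonce, ct := blob[:saltLen], blob[saltLen:saltLen+nonceLen], blob[saltLen+nonceLen:]
	gcm, err := gcmFor(password, salt)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, nonce, ct, salt)
}

// NewResearchID mints the random identifier sent to one consenting user's
// phone. It is not derived from the account, e-mail or device, so the research
// store on its own cannot be joined back to a person.
func NewResearchID() (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return hex.EncodeToString(b), nil
}

func main() {
	blob, _ := Seal("correct horse battery staple", []byte(`{"contacts":["..."]}`)) // constructed sample
	pt, err := Open("correct horse battery staple", blob)
	fmt.Printf("sync blob %d bytes -> %s (err=%v)\n", len(blob), pt, err)
	_, err = Open("wrong password", blob)
	fmt.Println("wrong password:", err)
	id, _ := NewResearchID()
	fmt.Println("research pseudonym for the separate store:", id)
}
```

The server never learns the password, so it cannot open the sync blob; the research store receives only the pseudonymous identifier plus the fields the user agreed to share, which is why no "decrypt later for research" key is needed at all.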
