Millisecond Forums

Confidentiality description for my IRB

By stephonomon - 9/25/2009


My IRB is requesting the following regarding Inquisit's web procedures:

the commercial service provider’s confidentiality policies and procedures - include information about security audits of the server.

Could you help me out?



By Dave - 9/28/2009

At least part of the information you're looking for is covered by the "Security and Inquisit 3 Web Edition" topic in Inquisit's documentation:


By seandr - 9/29/2009

Thanks Dave, here's a quick summary.

It is entirely up to the researcher to determine which data is saved, including any information that might identify a participant. By default, Inquisit simply assigns a randomly generated number to each participant that would have no real world connection to that person.

Inquisit web edition runs locally on the participant’s computer. As the experiment runs, data is stored in memory (RAM) and is not cached on the user’s file system. At the end of the experiment, the data are uploaded to the web server via HTTPS/SSL, which is a standard scheme used for encrypting sensitive data (banking info, medical records, etc.) sent over the internet, so that it cannot be intercepted by packet sniffers.

Once on the server, the data are stored to a folder for the researcher’s account where they can only be accessed by logging into the server with the researcher’s userid and password. Once the researcher has logged in successfully, they can download the data files. HTTPS/SSL is again used here to encrypt the files as they come down over the wire.

The current security system has been extensively reviewed and tested. We regularly check our security logs for attempts at unauthorized access to the server, and in the 4 years the current system has been in place, we have not had any security breaches. All software is regularly updated with the latest patches and service packs.