Code.org's login approach to student privacy
In order to protect the privacy of students, we do not store student email addresses in a retrievable format when they create an account on Code.org. Instead, we immediately create and store only a one-way hashed version of the email address (a hash cannot be run backwards to recover the original address), and use it only for the purposes of login, account management, and password recovery.
We wanted to explain how this works, partly because curious teachers and students may learn something about Internet security from our description, but also to inspire other education sites to consider the same approach in order to better safeguard the privacy of students.
How login works on most web sites
On a typical web site, when you enter your email address and password, whether to create an account or to sign in to that account, the password you enter should never be stored on the server. On any properly secured web site your password is run through a "one-way hash function" (in practice a slow, salted function designed for passwords, such as bcrypt, scrypt, or Argon2), and the database stores only the scrambled result.
Each time you log in, as long as you enter the same password you used to create the account, the one-way hash function produces the same scrambled version, which is compared with the stored one to confirm your identity. The actual text of your password is never kept, so if the web site is ever hacked, the attackers do not get your password to try on other sites. This protection is not absolute: a short or common password can still be recovered by guessing candidates and hashing each one against the stolen database, which is why the hash function should be slow and salted. (Of course, some web sites have famously skipped this step and stored passwords in plaintext, and hackers have published millions of email/password pairs stolen from them. Because of this, it is always a good idea to use a different password on each web site, so that if one of them is hacked, the stolen credentials do not open all your other accounts.)
How student login works on Code Studio
Just like on any other web site, students on Code Studio create accounts and log in using an email address and password. But as soon as a student enters this information, both the password and the email address are scrambled with a one-way hash function before anything is stored on our servers. This is the standard method for keeping passwords out of the hands of hackers; we simply apply the same protection to student email addresses. To take an extra step in the interest of student privacy, the hashing of the email address is performed in the web browser, so Code.org servers never even receive the student's Code Studio email address, only the hashed version. One consequence of this design is that the email hash must be deterministic (the same address always yields the same value, with no per-user random salt), because the server uses it as the key to find the account before it knows who is logging in.
Each time a student logs in, as long as they enter the same email address and password they used to create their account, the one-way hash function generates the same scrambled version to confirm their identity. The actual text of their email address never leaves their browser, which protects their privacy if our database is ever exposed. One caveat applies to any hash of low-entropy data: email addresses are far more guessable than good passwords, so hashing hides an address from anyone reading the database, but someone who already suspects a specific address can hash it and check whether it appears. The design protects against bulk disclosure of addresses, not against confirmation of a guess.
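The flow described above, as an added example in Python (this is not Code.org's code; the page does not name the hash functions or the normalization rules it uses, so SHA-256 for the address, PBKDF2-HMAC-SHA256 for the password, the context string, the in-memory user table and the sample account are all assumptions). The browser-side step is written as a plain function so the whole exchange runs in one file; in production that function runs in the browser and only its output crosses the network. The last function shows the caveat from the previous paragraph: anyone holding the table and a list of likely addresses can test each one.

```python
import hashlib
import hmac
import os
import unicodedata
from typing import Dict, List, Optional, Tuple

# Assumption: SHA-256 over a fixed, site-specific context string. The page does
# not name the hash function Code.org uses. The context string is public (the
# browser needs it), so it does not slow down guessing; it only keeps the digest
# from matching the same address hashed by some other site.
EMAIL_HASH_CONTEXT = b"example-site-student-email-v1"

# Assumption: PBKDF2-HMAC-SHA256 with an OWASP-recommended iteration count.
# Any deliberately slow, salted password hash (bcrypt, scrypt, Argon2id) works.
PBKDF2_ITERATIONS = 600_000

# Constructed in-memory user table, keyed by the email digest the browser sent.
USERS: Dict[str, Dict[str, bytes]] = {}


def normalize_email(email: str) -> str:
    """Canonicalize so 'Alice@Example.COM ' and 'alice@example.com' hash alike.

    The browser must apply exactly this normalization every time, or the student
    cannot log back in: the server never sees the address and cannot repair it.
    """
    return unicodedata.normalize("NFKC", email).strip().lower()


def hash_email(email: str) -> str:
    """Browser-side step: what is sent to the server instead of the address.

    Deterministic on purpose. A per-user random salt would make the digest
    unusable as a lookup key, since the server does not yet know which user it
    is talking to.
    """
    data = normalize_email(email).encode("utf-8")
    return hashlib.sha256(EMAIL_HASH_CONTEXT + data).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Server-side step: slow, salted hash. A fast hash such as plain SHA-256 is
    not enough for passwords, which attackers can guess offline at high speed."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def create_account(email_hash: str, password: str) -> None:
    """The server receives only the email digest and the password, and stores
    neither in the clear: the digest is the key, the password is salted and hashed."""
    if email_hash in USERS:
        raise ValueError("an account with this email hash already exists")
    salt, digest = hash_password(password)
    USERS[email_hash] = {"salt": salt, "password": digest}


def login(email_hash: str, password: str) -> bool:
    """Look the account up by email digest, recompute the salted password hash
    with the stored salt, and compare in constant time."""
    record = USERS.get(email_hash)
    if record is None:
        return False
    _, digest = hash_password(password, record["salt"])
    return hmac.compare_digest(digest, record["password"])


def guess_addresses(candidates: List[str]) -> List[str]:
    """The caveat: anyone holding the table and a list of likely addresses can
    hash each candidate and test membership. Hashing hides addresses from a
    reader of the database; it does not hide them from someone who can guess."""
    return [c for c in candidates if hash_email(c) in USERS]


if __name__ == "__main__":
    # Constructed sample: one student account, then login attempts and a guess.
    digest = hash_email("Student.One@Example.org")
    create_account(digest, "correct horse battery staple")
    print("login ok:", login(digest, "correct horse battery staple"))
    print("wrong password:", login(digest, "wrong"))
    print("guessable:", guess_addresses(["nobody@example.org", "student.one@example.org"]))
```

The one-way property does real work here: a dump of `USERS` contains no address in readable form. What it cannot do is make an address unguessable, which is why the page's framing of the feature as privacy protection (rather than as a secret) is the accurate one.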
This means that Code.org permanently loses the ability to email students based on their Code Studio accounts. This was not an easy trade-off, because every web site values the ability to contact its "customers." However, for a nonprofit focused on education, with over 10 million student accounts, this was the right trade-off: extra caution in preserving their privacy.
Although Code.org is based in the U.S., many of the classrooms and students using our platform are outside the U.S., in countries with stricter privacy laws and a growing distrust of U.S. spying policies. By re-engineering our system to never even receive, let alone store, these email addresses, we believe we can better serve all our classrooms, and maintain the trust of educators worldwide.