SHA 256 Hashing to work with + characters in email addresses

RichardGar United Kingdom Posts: 16 Blue Ribbon
edited Dec 12, 2018 5:30AM in Dream It

We are using the hashing identifier functionality in Eloqua. The purpose is to use a hash code in external email tracking as a parameter instead of passing an email address that would cause issues with PII. This hash is then used in a subscription process as a lookup to find and update the contact's subscription data. It can also be passed to other systems.

Unfortunately Oracle's solution doesn't work well when there are email addresses that contain +. Here is an example below. (Obviously ## is just to avoid putting a company name or mail provider):

[email protected]##.com

[email protected]##.com

[email protected]##.com

[email protected]##.com

All of the above will be converted to [email protected]##.com before the hash happens. There is therefore a risk that contacts with different email addresses are given the same hash code, and therefore lookups happening against those hash codes could return information from a different contact. This represents a potential PII data issue, as the wrong contact's data could be used in population of a subscription page or form.

After raising a ticket via Oracle support this is considered correct per design in both Eloqua and BlueKai. The mention of BlueKai here leads me to think that potentially this might be where some complexity might be.

I believe this needs resolution as an email address containing + is a valid email address as confirmed by RFC 5322. So this standard should be adhered to. It is also a PII risk which then raises GDPR issues.

Please upvote to raise it to Oracle's attention.

11 votes
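An added example, not part of the original post and not Oracle's code: a small audit that hashes a contact list under two normalization rules and reports any hash shared by more than one distinct address. The `normalize_strip_plus` rule is an assumed model of the behaviour described in the post (the `+suffix` is dropped before hashing); the addresses are constructed samples on the reserved `example.com` domain, and all function names are hypothetical.

```python
import hashlib
from collections import defaultdict

# Constructed sample contacts (example.com is a reserved documentation domain).
CONTACTS = [
    "jane.doe@example.com",
    "jane.doe+news@example.com",
    "jane.doe+billing@example.com",
    "Jane.Doe+News@example.com ",   # same mailbox as the second entry, different case/whitespace
    "sam@example.com",
]

def normalize_exact(email):
    """Trim and lowercase only; the '+suffix' stays part of the identity."""
    return email.strip().lower()

def normalize_strip_plus(email):
    """Assumed model of the behaviour in the post: drop '+suffix' from the local part."""
    local, _, domain = normalize_exact(email).rpartition("@")
    return local.split("+", 1)[0] + "@" + domain

def sha256_hex(value):
    return hashlib.sha256(value.encode("utf-8")).hexdigest()

def find_collisions(emails, normalize):
    """Map each hash to the distinct addresses that produce it; keep hashes shared by more than one."""
    groups = defaultdict(set)
    for email in emails:
        groups[sha256_hex(normalize(email))].add(normalize_exact(email))
    return {h: sorted(addrs) for h, addrs in groups.items() if len(addrs) > 1}

if __name__ == "__main__":
    for name, fn in (("strip-plus", normalize_strip_plus), ("exact", normalize_exact)):
        collisions = find_collisions(CONTACTS, fn)
        print(f"{name}: {len(collisions)} colliding hash(es)")
        for digest, addrs in collisions.items():
            print(f"  {digest[:16]}... <- {addrs}")
```

Running the same audit over an exported contact list shows how many records would resolve to another contact's hash before that hash is used as a lookup key in a subscription page.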