I would like to collect analytics on multiple visits from a logged in user, if they opt in.
But I would really like to do it in a way that only the user can link their user account to the anonymised analytics entry. This means, when the user is logged in, they can manage the analytics information stored from their visits, but site administrators won't be able to link the analytics entries to that account (the analytics data and user data is of course stored separately)
Ignoring implicit links in the analytics data (such as user identifying URLs etc), what would be the best way to implement this? Is it too dangerous to use a secure hash of the user's password and account ID to identify the analytics information? (the site administrators won't have the user's password, so won't be able to link the records).
You've dressed this up so that linking a user account to data is not predicatable - but that doesn't mean it that the information is therefore hidden. Regardless users will be making a requset based on a key, which is exclusively derived from their account - so really its just security by obscurity. Since it must be possible for the system to reconcile the users identity with the key against which the data is stored it is therefore possible for someone with backend access to derive the association - even if only at the time of access.
The only way to prevent this is to store the data on a machine where these admins don't have access.