So the task to hand is to convert an IP and Browser String into a cryptographically secure hash that can not be reversed or revealed with a rainbow table.
The problem with IPv4 address space is that it's too damn small. I don't know about SHA-3, but there have been examples of people just going through all 232 possible addresses, concatenating them with site-specific secret and computing SHA-1 hashes of them, effectively reversing the hashing process. It wouldn't have been much slower if each IP address was salted with its own nonce, either.
Use of much more computationally complex password hashing functions, such as bcrypt, PBKDF2, scrypt, Argon2 would slow down such attacks tremendously. It might also be simpler to just strip the least significant byte from the IP address and sidestep the whole hashing problem.
These 2 identifiers will assist researchers in assessing if the crowdsourced data we are gathering is "gamed" or "believable".
Another problem with such datasets is that outsiders may have trouble believing the dataset even if it has a plausible distribution of IP addresses and User-Agent strings (which they wouldn't be sure of because all you would be able to offer them would be opaque hashes). What's to stop the site admins themselves (hypothetically, of course) from faking the data while retaining the IP addresses and the User-Agents, for example?
