paper update

docs/TUTORIAL.md

@@ -228,7 +228,7 @@ such as “ `ad` , ” “ `ads` , ” “ `adv` , ” “ `advert` , ” “ `a
 “ `banners` , ” or variants that include these as identifiable segments, such
 as “ `-ad-button-` ” or “ `##.header-ad` .”
 
-To explore and adjust the style (size, color, etc.) of any HTML element, one can at any point conveniently inspect and manually modify the CSS properties in any major browser’s [developer tools](https://developer.mozilla.org/en-US/docs/Learn/Common_questions/Tools_and_setup/What_are_browser_developer_tools) (“Inspector” tab; e.g., clicking on any element and selecting the “Inspect” option from the drop-down menu directly displays, in the Inspector, the given element’s CSS properties, which can be manually overwritten). Once the desired looks is achieved via the properties modified in the browser (which apply only to the loaded page, and are discarded as soon as the browser tab or page is closed), the same CSS properties can be adjusted accordingly in the local files too.
+To explore and adjust the style (size, color, etc.) of any HTML element, one can at any time conveniently inspect and manually modify the CSS properties in any major browser’s [developer tools](https://developer.mozilla.org/en-US/docs/Learn/Common_questions/Tools_and_setup/What_are_browser_developer_tools) (more specifically, e.g., the Inspector tab in Firefox or Elements tab in Chrome; e.g., clicking on any element and selecting the “Inspect” option from the drop-down menu directly displays, in the Inspector, the given element’s CSS properties, which can be manually overwritten). Once the desired looks is achieved via the properties modified in the browser (which apply only to the loaded page, and are discarded as soon as the browser tab or page is closed), the same CSS properties can be adjusted accordingly in the local files too.
 
 ### Size, Color, and Font
 
@@ -584,7 +584,9 @@ In general, online data collection is subject to the same [legal and ethical pri
 The exact details of certain aspects are debatable (including what constitutes “personal information”), and local laws and institutional regulations must also be taken into account. Nonetheless, in any case, what is relevant from a technical perspective, and hence to the present tutorial, is avoiding the unnecessary or covert collection of personal information, and ensuring the secure storage of any collected data.
 Regarding personal information, obvious examples include identity details such as a personal name or birth date, or a participant’s face visibly recorded in a picture or video. It is less clear whether certain types of physiological data (e.g., eye tracking or typing patterns) can be used for personal identification, especially when combined with other types of data. Focusing again on the technical side, browser information (e.g., user agent, plugins), IP (Internet Protocol) addresses, and cookies may each also be categorized as personal information, because, when combined with additional information, they could lead to personal identification. Therefore, such information should only be collected when truly necessary; when collected, participants should be informed, and the confidential data should be handled securely.
 
-As for the secure handling, our template provides one ideal example of securely saving the data to a (PHP) server. If alternative approaches are desired or necessary, we recommend consulting an expert. The server space (or database) itself, where the data is stored, should of course also be kept secure (e.g., using strong password, potentially two-factor authentication, encrypted data, [etc.](https://doi.org/10.29115/SP-2018-0028)).
+As for the secure handling, our template provides one ideal example of securely saving the data to a (PHP) server. However, it may be necessary to configure the webserver to serve the ExpApp and receive the participant’s data through “[Transport Layer Security](https://en.wikipedia.org/wiki/Transport_Layer_Security)” (TLS;  the modern successor to “Secure Sockets Layer,” SSL), which provides encryption and integrity checks to secure data in transit. For this, the web server needs to be configured with a certificate, which most web space providers can handle for free through the use of [Let’s Encrypt](https://letsencrypt.org/). The procedure is specific to each server, but for that very reason the web hosting providers or server administrators normally offer instructions for the implementation, which is usually straightforward. That TLS is in use is indicated in the URL prefix `https://` (where “s” stands for “secure”) in contrast to the plain `http://` URL prefix.  Most university web services provide ready-to-use TLS (observable in the `https://` URL prefix by default), 
+
+If alternative approaches are desired or necessary, we recommend consulting an expert. The server space (or database) itself, where the data is stored, should of course also be kept secure (e.g., using strong password, potentially two-factor authentication, encrypted data, [etc.](https://doi.org/10.29115/SP-2018-0028)).
 
 ## Collecting Survey Data