by stryk 2868 days ago
>> "With Blind, users are completely anonymous, but are required to submit a verified work email to join a company channel."

That sentence doesn't make sense. How can it be "completely anonymous" but you have to submit an e-mail address?

3 comments

I interpreted that as "completely anonymous to users". The owners/operators of Blind have the mapping between pseudonyms and email addresses. These will not be available to others until the inevitable data breach or exit (possibly to one of the organizations whose employees use the service).

One possible approach is to relax the gate-keeping guarantees, so that every "wait for email and click the link in it" exchange allows the user to create one new account which is not scoped to their work-email address but simply associated with the company-name. (Like almost all privacy, this requires some basic "we're not recording that" choices by the social-media site.)

During the creation process, the user gets the option to set a non-work email for password-recovery etc.

The main risk of this scheme is that a single jdoe@acme.corp could easily create a thousand sock-puppets or "give" new accounts to people who don't work at the same company.

This can be minimized by only allowing a corporate e-mail address to be used once, but that does mean keeping lists of which users in a given company happen to have accounts, even if a direct email-to-account link doesn't exist. (It seems pointless to hash the "already used" emails for privacy, since the search space is so small.)

One could probably use some crypto to not even require any "we're not recording that", e.g. let the user use a ring signature (https://en.wikipedia.org/wiki/Ring_signature) which could have been produced by any of the people registering a work address.

You should probably put in some extra work to make sure that people really are anonymous, e.g. you could make the Blind server a Tor hidden service, forcing people to connect to it using Tor and therefore not revealing their IP address. Basically making sure that Blind is not even accidentally exposed to any personally identifiable information.

Neat, I hadn't heard of ring signatures before -- but unfortunately it sounds like it involves (A) a predefined and fixed set of users and (B) all of them already having public keys.

If so, then you can't really use a ring-per-company, because you'd first need an authoritative list of all current employees (whether they have an account or not) and their public keys, and you can't easily add (or drop) employees without creating a new ring.

I was thinking, each time you register a company email you would get a reply with a list of all the public keys from people who registered with the same email domain. It would mean that the first few people to sign up would have a small anonymity set---but they could wait a bit, and then send another email and get an updated list of the public keys of people who have registered since then. As long as you wait until (say) 100 people have signed up, you'd still have some cover.

OK, but that's not "completely anonymous".

Maybe it'd be OK if they had a way to authenticate without retaining any record of the mapping. And could prove it, somehow. But otherwise it's bullshit.

I mean, the Tor Project is very careful not to claim that Tor is "completely anonymous".

Couldn't they issue some blindable certificates (it's in the name!) that attest that someone belongs to an org without being able to trace it back to a specific email?
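Added example (not code from Blind or from any commenter in this thread): a toy RSA blind-signature flow for the "blindable certificate" idea above, combined with the once-per-work-email rule from the earlier comment. The primes, the single shared key and the in-memory sets are assumptions for the demo; a real deployment would use one production-size key per company domain.

```python
import hashlib, secrets, math

# Toy RSA blind-signature "membership certificate" (added example, hypothetical
# server and client). One key pair per company domain in practice; the primes
# below are toy-sized so the script runs instantly, NOT a production key.
P, Q, E = 1000000007, 998244353, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))

used_emails = set()      # verified work emails that already minted one certificate
redeemed_tokens = set()  # unblinded tokens already turned into accounts

def fdh(token: bytes) -> int:
    """Full-domain hash of the token into Z_N."""
    return int.from_bytes(hashlib.sha256(token).digest(), "big") % N

def client_blind(token: bytes):
    """User side: multiply the hashed token by r^E so the server cannot see it."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if math.gcd(r, N) == 1:
            break
    blinded = (fdh(token) * pow(r, E, N)) % N
    return blinded, r          # r stays secret on the client

def server_sign_after_email_check(email: str, blinded: int) -> int:
    """Server side: after the verified-email round-trip, sign the blinded value.
    Only the email is recorded as 'used'; the token itself is never seen."""
    if email in used_emails:
        raise PermissionError("this work email already minted a certificate")
    used_emails.add(email)
    return pow(blinded, D, N)

def client_unblind(blind_sig: int, r: int) -> int:
    """User side: strip r to obtain a plain RSA signature over fdh(token)."""
    return (blind_sig * pow(r, -1, N)) % N

def server_redeem(token: bytes, sig: int) -> bool:
    """Account creation: accept a valid, not-yet-redeemed certificate. The server
    cannot link this (token, sig) pair back to the email it signed for."""
    if pow(sig, E, N) != fdh(token) or token in redeemed_tokens:
        return False
    redeemed_tokens.add(token)
    return True
```

Linking token to company only (not to a person) still leaves the sock-puppet concern raised earlier, which is why the server refuses a second signing for the same email.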

Not just that, it has the same issues that Secret had, at least for smaller companies - you can just create a bunch of fake accounts and invite a single person you know, then have the fake accounts post some stuff to make it look like there are a lot of users, then hear what the individual says.

In addition there are two other pretty big holes. The first is the LinkedIn verification (where anyone can claim to be part of any org) and the second involves ways of receiving mail sent from the domain that is sent to non-employees (e.g. via a helpdesk ticket - a common attack against Slack and other services that use domain name as a security identifier).

Here in India we have an app Hush[0] (not sure if it's widely used outside India).

They claimed they used to decide what company you worked for based on your "office network information". Anyway, the quality of conversation was as bad as it gets, even by trolling and gossip forum standards. Now they have moved to collecting professional email addresses to verify, and they still say it's "anonymous". The quality of conversation hasn't changed, definitely not for the better. This kind of anonymity is one hack, or acquisition, or legal request away from going for a toss.

[0] http://thehushapp.com