by mcculley 2870 days ago
I interpreted that as "completely anonymous to users". The owners/operators of Blind have the mapping between pseudonyms and email addresses. These will not be available to others until the inevitable data breach or exit (possibly to one of the organizations whose employees use the service).
3 comments

One possible approach is to relax the gate-keeping guarantees, so that every "wait for email and click the link in it" exchange allows the user to create one new account which is not scoped to their work-email address but simply associated with the company-name. (Like almost all privacy, this requires some basic "we're not recording that" choices by the social-media site.)

During the creation process, the user gets the option to set a non-work email for password-recovery etc.

The main risk of this scheme is that a single jdoe@acme.corp could easily create a thousand sock-puppets or "give" new accounts to people who don't work at the same company.

This can be minimized by only allowing a corporate e-mail address to be used once, but that does mean keeping lists of which users in a given company happen to have accounts, even if a direct email-to-account link doesn't exist. (It seems pointless to hash the "already used" emails for privacy, since the search space is so small.)

One could probably use some crypto to not even require any "we're not recording that", e.g. let the user use a ring signature (https://en.wikipedia.org/wiki/Ring_signature) which could have been produced by any of the people registering a work address.

You should probably put in some extra work to make sure that people really are anonymous, e.g. you could make the Blind server a Tor hidden service, forcing people to connect to it using Tor and therefore not revealing their IP address. Basically making sure that Blind is not even accidentally exposed to any personally identifiable information.

Neat, I hadn't heard of ring signatures before -- but unfortunately it sounds like it involves (A) a predefined and fixed set of users and (B) all of them already having public keys.

If so, then you can't really use a ring-per-company, because you'd first need an authoritative list of all current employees (whether they have an account or not) and their public keys, and you can't easily add (or drop) employees without creating a new ring.

I was thinking, each time you register a company email you would get a reply with a list of all the public keys from people who registered with the same email domain. It would mean that the first few people to sign up would have a small anonymity set---but they could wait a bit, and then send another email and get an updated list of the public keys of people who have registered since then. As long as you wait until (say) 100 people have signed up, you'd still have some cover.
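The ring-signature scheme sketched above, worked through as an added example (this code is not from the thread and is not any product's implementation). It uses an Abe-Ohkubo-Suzuki-style Schnorr ring signature: a registrant signs over the list of public keys published for their email domain, and a verifier can confirm that the signer holds one of those keys without learning which one. The group parameters are a toy safe prime found by a seeded search, and `keygen`, `ring_sign` and `ring_verify` are names chosen here; both are assumptions of the example rather than anything the commenters specified.

```python
import hashlib
import random
import secrets
from typing import List, Tuple

SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]


def is_probable_prime(n: int) -> bool:
    """Miller-Rabin with fixed bases; deterministic for n < 3.3e24."""
    if n < 2:
        return False
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def make_group(bits: int = 62, seed: int = 7) -> Tuple[int, int, int]:
    """Toy Schnorr group p = 2q + 1 found by seeded search (constructed for
    this example; a real deployment would use a standard, far larger group)."""
    rng = random.Random(seed)
    while True:
        q = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            # 4 = 2^2 is a quadratic residue mod p, so it generates the order-q subgroup
            return 2 * q + 1, q, 4


P, Q, G = make_group()


def keygen() -> Tuple[int, int]:
    """Per-registrant key pair: secret x, public y = G^x mod P."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def _challenge(message: bytes, ring: List[int], commitment: int) -> int:
    """Hash of message, the whole ring and one commitment, reduced mod Q."""
    h = hashlib.sha256(message)
    for y in ring:
        h.update(y.to_bytes(16, "big"))
    h.update(commitment.to_bytes(16, "big"))
    return int.from_bytes(h.digest(), "big") % Q


def ring_sign(message: bytes, ring: List[int], s: int, x: int) -> Tuple[int, List[int]]:
    """Ring signature by member s (secret x). The output (c_0, z) proves that
    some holder of a key in `ring` signed, without identifying which one."""
    n = len(ring)
    c = [0] * n
    z = [0] * n
    alpha = secrets.randbelow(Q - 1) + 1
    c[(s + 1) % n] = _challenge(message, ring, pow(G, alpha, P))
    i = (s + 1) % n
    while i != s:  # walk the ring, simulating every other member's response
        z[i] = secrets.randbelow(Q)
        commitment = pow(G, z[i], P) * pow(ring[i], c[i], P) % P
        c[(i + 1) % n] = _challenge(message, ring, commitment)
        i = (i + 1) % n
    z[s] = (alpha - c[s] * x) % Q  # the one real response, closes the ring
    return c[0], z


def ring_verify(message: bytes, ring: List[int], sig: Tuple[int, List[int]]) -> bool:
    """Recompute the chain of challenges; it must come back to c_0."""
    c0, z = sig
    if len(z) != len(ring):
        return False
    c = c0
    for y, zi in zip(ring, z):
        commitment = pow(G, zi, P) * pow(y, c, P) % P
        c = _challenge(message, ring, commitment)
    return c == c0


if __name__ == "__main__":
    # Constructed scenario: five registrants published keys for one domain.
    members = [keygen() for _ in range(5)]
    ring = [y for _, y in members]
    x2, _ = members[2]
    sig = ring_sign(b"post from someone at the same company", ring, 2, x2)
    print("accepted:", ring_verify(b"post from someone at the same company", ring, sig))
```

The ring is assembled by the signer at signing time from whatever keys have been published for the domain, so it needs no fixed membership set up in advance; a new registrant simply makes the next ring bigger. What the verifier (and the site) learns is exactly one bit, that the signer holds one of the listed keys, and the anonymity set is the ring size, which is why the comment's "wait until enough people have signed up" advice matters. The published key list is itself a record of who has registered, so it does not remove the "list of users per company" trade-off raised earlier in the thread.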

OK, but that's not "completely anonymous".

Maybe it'd be OK if they had a way to authenticate without retaining any record of the mapping. And could prove it, somehow. But otherwise it's bullshit.

I mean, the Tor Project is very careful not to claim that Tor is "completely anonymous".

Couldn't they issue some blindable certificates (it's in the name!) that attest that someone belongs to an org without being able to trace it back to a specific email?
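The blindable-certificate idea in the last comment, worked through as an added example (not from the thread, not any site's code): Chaum-style RSA blind signatures. The employee blinds a fresh token, the issuer signs it after checking the work address, and the employee unblinds the result into an ordinary signature that the issuer has never seen. The RSA primes here are toy-sized values constructed for the example, and `issue_token` and `issuer_can_link` are names chosen here to make the two sides of the exchange explicit.

```python
import hashlib
import math
import secrets
from typing import List, Tuple

# Toy RSA key, constructed for this example (far too small for real use;
# the blinding algebra is the same at real key sizes).
P = 1000003
Q = 999983
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (Python 3.8+)


def digest(message: bytes) -> int:
    """Toy full-domain hash: map a message to an integer below N."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def blind(message: bytes) -> Tuple[int, int]:
    """Employee side: multiply the hash by r^E for a secret random r."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if math.gcd(r, N) == 1:
            break
    return digest(message) * pow(r, E, N) % N, r


def sign_blinded(blinded: int) -> int:
    """Issuer side: sign what it is handed. It sees neither the token nor the
    final signature, so `blinded` is all it could ever log."""
    return pow(blinded, D, N)


def unblind(blinded_sig: int, r: int) -> int:
    """Employee side: divide out r to obtain a plain RSA signature on the token."""
    return blinded_sig * pow(r, -1, N) % N


def verify(message: bytes, signature: int) -> bool:
    """Anyone with the public key checks the token later, e.g. at posting time."""
    return pow(signature, E, N) == digest(message)


def issue_token(org: str, issuer_log: List[int]) -> Tuple[bytes, int]:
    """Whole exchange: after the work-email check (done elsewhere), the issuer
    signs one blinded token for that address. `issuer_log` records everything
    the issuer observed, to show it cannot link the token afterwards."""
    token = f"{org}:{secrets.token_hex(16)}".encode()  # constructed token format
    blinded, r = blind(token)
    issuer_log.append(blinded)
    return token, unblind(sign_blinded(blinded), r)


def issuer_can_link(issuer_log: List[int], token: bytes, signature: int) -> bool:
    """What the issuer's own records would reveal: neither the token's hash
    nor the signature ever appears in them."""
    return digest(token) in issuer_log or signature in issuer_log


if __name__ == "__main__":
    log: List[int] = []
    token, sig = issue_token("acme.corp", log)
    print("token valid:", verify(token, sig))
    print("issuer can link it:", issuer_can_link(log, token, sig))
```

The issuer still knows which addresses it has signed for, which is what enforces the "one token per corporate address" rule from earlier in the thread, and it knows when each signing happened; if account creation follows the signing within seconds, timing alone can re-link the two, so the token should be redeemed after a delay or through a channel the issuer does not observe.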