Hacker News
by sjducb 1328 days ago
Maybe I'm missing something, but surely a dictionary-based attack will work because you have to be able to know that your key has already been submitted by another user. That's the point of the application.

1) Initial report is filed.

2) Second report is filed by a user who only knows the attacker's details.

3) Match is found.

Therefore you can just keep iterating through names till you get a match.

Another way of saying it is that the application won't work if a second user can't tell that the first user has entered an attacker's name.

The vulnerability is in the application specification, not HE.