Discussing anonymity on ~
So one of the things I really liked about the project is point 1 of the privacy section of the Mechanics (Future).
Proactive not reactive; preventative not remedial: When creating new features, think about what data will need to be stored, and consider how harmful it might be if that data was to be leaked in the future. Is it possible to reduce the amount of data being stored to lower the potential harm? Can the data eventually be aggregated or anonymized so that we're only storing recent data instead of a full history?
I think a good first step would be to not have a public comment/submission history. Users should evaluate other users' contributions based on the conversation they are having/reading, not past submissions.
This doesn't make you anonymous, but at least it can prevent nosy people from knowing too much. (I get there are valid reasons to want to find other posts by the same user, but I think individual privacy is more important). At least, if not enforced for everyone, this should be an option, making your profile not display your history to others.
Now, one of my biggest problems with reddit is that it doesn't make it easy for you to stay anonymous and also keep your content on the site.
Let me explain. I don't like people being able to see my submission/comment history, because I don't want to give the chance for people to identify me if I don't choose to do so personally. It's not about reddit knowing what I like or do (I mean, I use Google, they know everything I do), it's about individuals, about other users knowing things I'm not happy sharing with them for whatever reason.
There are only two options on reddit: deleting my content (using a script or whatever or going one by one) or deleting my account. This results in me deleting all my comments and submissions on reddit every few weeks.
Now, I would love to be able to leave most of what I post on reddit online, because sometimes I have really interesting conversations and I try to be detailed and clear and other people might find (some of) my posts useful. But I don't want anyone who knows my username or anyone who sees a comment of mine going through my history. There's too many crazy people. Also, I haven't suffered doxxing, but that's just not nice.
There are many reasons why someone could prefer to not be identifiable. Just to give some examples that come to mind: people might have an ideology that other users don't like/respect, people might post pictures of themselves (think fitness groups, for example), people might post in local groups revealing their location, people might look for counsel and talk about their personal problems, etc. Putting all of that together might make it easy to identify someone.
So, what I would like to propose is a way to leave my content online if I wish to and giving other people the option to read it in the future, without it being publicly tied to my username.
How could this be done? Well, I think users should be able to anonymize their participation in a thread individually and throughout the site. There could be a button (on every thread for thread only anonymization and on your profile for full site anonymization) that you tap and your username is replaced all through each thread with a randomly generated username (it'd be great if the username is consistent within the thread, so people reading would know it's the same person).
These usernames should be words, ideally, not difficult to parse by humans. Of course this would generate a great number of usernames, but there are some solutions.
One could be using something like Google Docs uses when several anonymous viewers are watching a document. Each gets a name (RedFox, whatever) which is consistently used throughout the thread. The same username (RedFox) can then be reused in another thread for any other anonymous user. (So RedFox wouldn't be referring to the same person in different threads, but to two random, anonymized persons).
I'm sure it wouldn't be difficult to generate these (similarly to how reddit gives you suggestions to new usernames when you open an account).
Also, in order to avoid the admins having to reserve many usernames in advance, these usernames could have a special mark (like *RedFox or °RedFox, or ~RedFox~, for example). This way, a new user can register any available name without interfering with these anonymous usernames. A thread could have some non-anonymized user called RedFox and an anonymized user called °RedFox (or whatever mark is used).
In any case, the user should be able to access all of their submissions and comments on their profile even after anonymizing, being able to edit or delete them if they wish to.
Ok, I think that's it, I hope I was clear. I'm also not gonna be able to log in again until tomorrow. So please, go ahead and discuss and tell me what you think and I'll come back when I can.
EDIT: User karma should not be public either. I can make an argument for it tomorrow if needed or we can discuss it on another thread.
This is something we've talked about a bit before (though this was before the site was very public, so most of you weren't here yet, and we should definitely do it again): https://tildes.net/~tildes/8l/daily_tildes_discussion_limits_restrictions_on_viewing_user_history
A few quick thoughts, not really organized:
disassociation - if it's not done at the time the comment is posted - gives a false sense of privacy as well, unless the comment is somehow edited to have its content and metadata changed significantly to prevent someone from scraping the comment when it's posted and after it's disassociated and re-associating it (maybe even the "hierarchy" of comments would need to be altered). Overall disassociation after a while is a bad idea imho.
I agree about it also giving a false sense of privacy, but the alternative is that the person completely deletes the comment (which is what happens on reddit, as other people have mentioned in this thread). Giving people the option to leave it behind without their name is a nice middle ground that doesn't destroy old conversations quite as much.
The fault is on uneducated users here and giving them tools to comfort them in those beliefs isn't helping them long term. Maybe some kind of disclaimer when deleting a message (instead of a boring "Are you sure?" dialog)
With a more complete entry in a FAQ or some kind of privacy course? or maybe I'm too optimistic and this would have 0 impact :D
But I would still delete it. It might not be perfect, some people might find ways to retrieve it, but it would prevent most users from doing so.
I mean, it's a good idea to explain with more detail that the content might still be available. But isn't it better to provide a way to first superficially (and voluntarily) make it anonymous so that users don't immediately think to delete it, and second, after a while actually detaching the anonymized username from the official username (I think this should happen after a while, so there is no record of the link on ~ servers after X time)?
Why would you still delete it? Peace of mind? The feeling that you’re in control of what you’re posting online?
Anonymisation after the fact is not a thing, it’s a bandaid and will only block less determined detractors which arguably are also the ones that are easier to deal with. And for the ones that would invest time and effort in finding your history, you’re giving them ammunition.
If we want “anonymous” comments, it must be done at the time of posting. And even then, you would need to trust the “chain” of systems from where you are to ~ AND ~.
Another interesting tidbit: I remember reading about a bunch of researchers trying to build fingerprints from the way you express yourself, the errors you make etc ... and the results were actually not that bad. Hopefully I can find back that paper as it was a great eye opener in the sense that you - by the mere fact of being you - are leaving breadcrumbs everywhere.
I am not especially worried about hardcore people hacking the interwebs to get my info. I'm not that interesting, tbh. And if they want to do it for whatever reason, they will get it from any number of places, even if this one is actually protecting my privacy.
However, being able to prevent random people from getting an ID is worth it in my view, as I discussed through the thread.
And yes, as several people mentioned, including Deimos, an option to post anonymously in the first place would be very good as well, but especially if after a while any links across accounts are wiped.
Yes, there are a number of ways to identify a person from the way you express yourself to the way you use a keyboard (the sounds it makes when you press the keys, etc.). I'm not advocating for an untraceable anonymity throughout the web or life, but within the site. And I believe it has merits of its own.
There will? Yay!
I had requested that earlier. But like many things I post online, that too went unnoticed it seems :P
Ah sorry, I did see that post but didn't reply to it. But yes, an API was even mentioned in the announcement blog post, though it's just a bit of a quick side note:
Awesome, thank you!
Sorry, I tried to find some previous discussion but I failed to see that post. Thanks for pointing it out. Picking on that discussion, I really don't think it should be default to show the entire history of a user. Maybe one or maximum two pages would be fine.
It could be an option available only to members with a certain level of trust. Like, once you have reached tier 2 or 3 or something, you can, if you wish, limit the amount of history your profile shows. Same could be applied to the anonymizing feature I suggest. That way, one could know that people using those features are good contributors to some extent. I believe the selected tier should not be very high though.
I agree, but must this repeated interaction go beyond the thread level? I might want (or not mind) to be identifiable in some threads, but maybe not in all of them, and in the end, I prefer to value someone's contribution independently of the image I have of that user. As long as I know their tier is high enough, I should be able to put some trust in them. And also, I think reputation should be a bit fuzzy (publicly), I [mentioned](https://tildes.net/~tildes/pp/what_if_we_got_rid_of_votes_entirely#comment-3bz) showing some color code or grade in the thread about doing away with votes. The objective being that people don't obsess about specific marks, but more about general achievements.
Very interesting link. However, I'd take it with a grain of salt. Depending on the "memory" (number of identifiable interactions) different profiles prevail. I think maintaining username consistency within a thread is necessary, but maybe not so much between different threads (and of course, this should be optional, not default). Also, there's moderation, meaning "always cheat" users would be reduced to some extent.
Yes, as I mentioned, I'm more worried about on-site interactions than about the fact that content can be somehow retrieved. I believe most people won't go to that length of looking for ways to retrieve a user's history, I'm more worried about the random doxxer or the random SJW.
In any case, it would be important that the anonymizing feature could be activated before starting participating in a thread, so that the username would never be public at any point and thus should not be retrievable (I guess?). The user would still keep their reputation and admins could see their history across usernames (to a limit!).
Exactly my thoughts. People will find ways to make themselves unidentifiable be it by creating throwaways or by deleting (valuable?) content. So the site itself should make it easy for them to do that while maintaining a way to consistently measure their contribution.
I'm really glad you have these views about privacy.
This is a good idea. Many times I'd want to post something to Reddit, and know it won't be a popular opinion, but feel the comment should be made. For example: Latest outrage about X happens. A logical comment would be "I'm not sure I believe $person. This kind of things gets blown out of proportion often and the truth is usually not as dramatic as X." Some people might immediately jump down my throat with "You don't believe X happens?" and some will even go so far as to go into people's history and downvote unrelated comments to 'punish' the wrongthink.
But sometimes comments need to be made to at least show that the site is not one giant hivemind that all think the same way, even when the given sub-group might not like that opinion.
All that said, it should be still, back-end-wise, kept in the user's personal history (for their own reference) and associated with the account to prevent people from doing things like jumping into a thread to repeatedly troll users or have conversations with themselves to confuse people. So, say, it would be posted by 'Anonymous-####' where that number is consistent within that post. This way, someone doing something illegal, or advocating for violence or whatnot can be dealt with, but unpopular opinions, or personal details (I have kids/wife/have medical condition, whatever) can be shared without worry.
The disassociation might lead to abuse if you can do it on every single post and comment.
On second thought maybe not, if the consequences of bad behaviour are still tied to the real account.
Yeah, they should be tied under the hood. And I think after a while the link should disappear completely.
If disassociating is only cosmetic and could still leak, the design feels flawed. Maybe the penalties could be stored without keeping any link at all. Would there even be any reason to keep it for a certain time at that point?
Edit: Maybe it does need to be kept for a little while (like 24 hours) to prevent just dropping something inflammatory and disassociating without having received any penalty yet.
If the disassociation is done in the background before posting and the usernames link is wiped after a while it wouldn't be only cosmetic. And yes it probably should be kept for a while just so that the reputation system applies and if necessary mods can prevent malicious exploiting of the feature.
Yeah, that sounds reasonable. I didn't think about directly posting a disassociated comment.
I realize this post is a couple weeks old, but I have experience with a system a lot like this. On another forum I frequent, any topic can be tagged as "Anonymous", and all posts in that topic are just from "Human #1", "Human #2", and so on. Your Human # when posting in a topic is unique per topic, so you can have continued conversation within that thread alone, and when you post in another topic are assigned a new Human # for that individual topic. Posts do not show up under your public post history, although they are visible when you view your own post history. As far as I'm aware, even the moderators are not able to just view the identity either, unless they open a moderation case for a post, which is publicly logged to prevent abuse.
This system (as well as their Serious tag) can be applied to any topic, along with any other tag, which allows for topics tagged "Mental Health + Anonymous + Serious", where any trolling, flaming, harassment, or low-content posts are under a zero-tolerance policy, and punishment for which blocks any further use of the tag, as well as a timed site-wide suspension. Combinations like this allow users to discuss any topic, sensitive, private, or otherwise that they are unwilling to discuss publicly.
A fully anonymous topic could have no user IDs or names anywhere, fully anonymized API results, (simply returning anon-<thread>-1, or similar) to further protect the user's identity when posting. This would completely negate the need for throwaways without compromising the public privacy of any users.
Thanks for the details, frank. Those are some interesting systems, and it sounds like the site's done a good job of creating different ways for people to be able to participate in topics without needing to worry about issues that are often inherent to those types of topics.
I think the publicly logged system of "opening a moderation case" is quite interesting too, I wonder if we could do something along those lines in a good way.
I don't feel entirely comfortable with people being able to see my post history also, but here's a counterargument. Having a post history holds you responsible for your posts. Greater anonymity can lead to greater freedom to post low effort or hurtful comments.
Of course the flip side of that is it could also make someone think twice about posting an insightful but controversial comment for fear of people finding it in their post history. I have never once made a post in a political discussion on Reddit for this very reason. I see it all the time where a user calls out another user for having posted in a certain subreddit, which supposedly invalidates anything they have to say.
On the one hand, user karma would be affected anyway, even if you are anonymized. So low effort or hurtful comments would be penalized as always, this system wouldn't change that.
Also, if I don't want to have my history exposed and there is no way to anonymize my username, I will simply delete my comments, which I think is worse for the community... If I can't anonymize or delete, I will simply not participate...
Exactly, I believe this behavior should be discouraged and contributions should be assessed on a case by case basis, not according to who you think the user is based on their history.
I think a gated access model is probably the right way to go about this problem. Let me sketch out an idea we've discussed in the past.
(and by good standing, I mean like Tier 2 of 10 for sitewide trust)
It's a question of weighting abuse prevention against a person's privacy and anonymity. I'm generally in favor of coming down heavy on the privacy side of that equation, but there's got to be just a little out there in the open for trusted users to review (such as who invited whom, and a small comment record) so they can help sniff out bad faith actors on the website.
I like the idea of keeping user pages private to non-logged in users, but that doesn't stop scrapers that scrape comment threads from collecting lists of posts and associated users.
Scrapers look quite different in the activity logs from users just taking a stroll through history, or even users looking for abuse. We can do rate-limiting and even set traps so that scrapers end up outing themselves and getting banned. That said, it is likely that over time, some degree of useful information will end up being leaked this way. Also worth considering - a court can compel us to hand over the entire database. Users have to understand the risks that their entire history will likely end up in some law enforcement organization's database at some point. The only way to prevent that is to totally wipe out the long term history, which also destroys the value of all of those older discussions.
That's understandable, however, if after X amount of time anonymized usernames are fully detached from the official username (meaning the server wipes the under-the-hood connection between official usernames and alters) then even the database wouldn't provide any kind of link between them. Right? I think this should be the final step in the anonymization process, and should be done automatically after a reasonable amount of time.
Right now we're kind of assuming a default of 30 days for the point where these sorts of background tasks happen. Past that point, the only thing that should be retained is anonymized data - we're probably not even going to keep karma around past that point, or voting - threads will lock like reddit's archive mode and the record of who voted will get wiped as well. Only the user's various trust rating metrics will carry forward past the purge.
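A minimal sketch of the mechanism the thread converges on, added here as an illustration (it is not Tildes code and was not posted by any participant): marked per-thread aliases assigned at posting time, with the account-to-alias link purged after the 30-day window. The class, method and word-list names are hypothetical, and an in-memory dict stands in for the database.

```python
import secrets

# Constructed word lists; a real deployment would use much larger ones.
ADJECTIVES = ["Red", "Purple", "Green", "Amber", "Silver", "Teal"]
ANIMALS = ["Fox", "Octopus", "Heron", "Lynx", "Otter", "Wren"]
MARK = "°"                   # marker so aliases never collide with registered names
RETENTION = 30 * 24 * 3600   # 30-day window, in seconds


class AliasRegistry:
    """Hypothetical store: public comment rows carry only the alias."""

    def __init__(self):
        self._rng = secrets.SystemRandom()
        self._links = {}     # (thread_id, user_id) -> (alias, created_at); private
        self._taken = {}     # thread_id -> aliases already used in that thread
        self.comments = []   # public rows; never contain the real user_id

    def alias_for(self, thread_id, user_id, now):
        """Return the user's alias in this thread, creating one if needed."""
        key = (thread_id, user_id)
        if key in self._links:
            return self._links[key][0]          # consistent within the thread
        taken = self._taken.setdefault(thread_id, set())
        free = [MARK + a + b for a in ADJECTIVES for b in ANIMALS
                if MARK + a + b not in taken]
        # Fall back to a numbered alias once the word pool is exhausted.
        alias = self._rng.choice(free) if free else f"{MARK}Anon{len(taken) + 1}"
        taken.add(alias)
        self._links[key] = (alias, now)
        return alias

    def post(self, thread_id, user_id, body, now):
        """Store a comment under the alias only (anonymized at posting time)."""
        alias = self.alias_for(thread_id, user_id, now)
        self.comments.append({"thread": thread_id, "author": alias, "body": body})
        return alias

    def resolve(self, thread_id, alias):
        """Moderation lookup: works only while the link still exists."""
        for (t, uid), (a, _) in self._links.items():
            if t == thread_id and a == alias:
                return uid
        return None

    def own_history(self, user_id):
        """What the user can still see and edit on their own profile."""
        mine = {(t, a) for (t, uid), (a, _) in self._links.items() if uid == user_id}
        return [c for c in self.comments if (c["thread"], c["author"]) in mine]

    def purge_links(self, now):
        """Background task: drop links older than RETENTION.

        Used aliases stay reserved per thread so a name is never handed to a
        different person; a user who posts again afterwards gets a new alias.
        """
        expired = [k for k, (_, created) in self._links.items()
                   if now - created >= RETENTION]
        for k in expired:
            del self._links[k]
        return len(expired)


if __name__ == "__main__":
    day = 24 * 3600
    reg = AliasRegistry()
    alias = reg.post("thread-1", "alice", "first comment", now=0)
    reg.post("thread-1", "alice", "follow-up", now=day)
    print(alias, "->", reg.resolve("thread-1", alias))   # link present
    reg.purge_links(now=40 * day)
    print(alias, "->", reg.resolve("thread-1", alias))   # link gone
    print(reg.comments)                                  # content survives
```

After the purge the comments remain readable under their aliases, but neither a moderator lookup nor the user's own profile can reach them, which is the trade-off several replies point out.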
That's an interesting idea, but I worry that it would be defeated by something like the Internet Archive or similar. You discussed blocking scrapers or not allowing browsing without a username. That might work, but there could always be bot accounts that are hard to detect.
Masking usernames on a per thread basis like described elsewhere in this thread would counter this from the beginning, as well as discourage Tilde celebrities from developing. You could still have a reputation score associated with your account, but it would not be visible to anyone.
You may also consider how you want to deal with actual celebrities and verified accounts. Reddit has an informal verification system for AMAs, and people end up learning celebrities' usernames. Masked usernames would not permit this.
I'm not really advocating one versus the other approach, I'm just trying to tease out the consequences.
Amazing! So that means even a dump of the database wouldn't be a problem if content was anonymized when posted.
Thanks for the info!
Yes, I think those are very good ideas. I believe I agree with all of them.
Yeah having no post history at all is basically just 4chan with usernames. The karma system of course circumvents total anarchy, but I do like the idea of marking a post anonymous (Ghost post?) while still having that post's score attributed to your total, so that you're still held accountable for your actions in some way
The comment tagging system could track that. It would act as "karma" in this case, and the system itself could begin to make sure that users tagged with [Flame] often are handled accordingly.
Something in favor of keeping post history available to at least some users is it allows them to pick out people who are behaving poorly on a consistent basis and potentially report them. One abusive comment could be someone having a really bad day; 10 is not. This ties into the idea of creating systems that allow for mistakes.
That's why the person who invites you is currently visible; other folks can see patterns in who invites who, so if for example someone's been inviting a bunch of spammers it can be dealt with.
Yes, I agree some history (not all) should be available to some users (trusted users, mods, admins) for some amount of time (not indefinitely). But after a while, that history doesn't help reviewing the user anymore and doesn't need to be available.
I think randomly generated usernames is taking it a step far, and could potentially lead to this site becoming pretty toxic due to people not suffering repercussions for being terrible people on here. That said, I think you struck gold when you touched on the idea of "[There] should be an option, making your profile not display your history to others"! Making it a setting to toggle on a per-user basis allows people to build a following if they wish, and also remain partially-anonymous if they wish.
Having your username (but not history) on display leads to a partial anonymity that I feel would be ideal to this site. Most people wouldn't recognize a full pattern in contributions without access to your history, preventing them from judging you based on the areas you frequent on the site. However, if you post a particularly terrible comment (something ridiculously low-effort, flaming, or otherwise troll-ish), people have a name that they can report, as well as a means to be wary around certain people. It strikes the ideal balance of anonymous enough to not have a complete identity that people can make snap judgements about, but not anonymous enough to get away with being a complete tool.
I've never managed a website though, so take my ideas with a grain of salt~
I understand your point. Take a look at the other comments on this thread, as I and others expanded a bit on the idea and the reasons why it should be implemented.
Basically, the feature would be available for users with a given level of reputation, so that they have somewhat proven they're "good users".
Also, it would be applicable on a thread by thread basis. So, for example, I wouldn't mind leaving these comments here under this username, but if I then go to a local group to talk about what I do and where I go in my city during the weekends, I might not want that to be associated with my specific username. And in any case, reputation/karma would apply to my official username, whether I use an anonymous one or not.
In any case, history should probably, in my opinion, be very limited and available only to some users for assessment.
The anonymous posting mode isn't meant to represent more than a tiny minority of a user's comments. This is because sometimes people have a story to share that might get them in trouble, or because they want to express a controversial opinion without the associated hassles and witch-hunting. One way this might get into dicey territory is doctors or lawyers offering advice anonymously. We've seen all of these things play out on reddit before.
In truth it's easy enough to make alt-accounts once you get your own invite codes. It's easy enough to use user-scripts and other tools to destroy your own comment history. Since there's no way to prevent these things, it makes more sense to fully support them and do them the right way - put the power into the user's own hands, which is something that no other for-profit social media business would ever do. They want to track you. Here, we just want a platform everyone can feel safe and secure using - one that respects the user's right to privacy.
I agree with @Amarok's response. Anonymity will be sought for a variety of reasons, the site should be able to give the users the right tools to accomplish that.
Another situation in which anonymity might be useful could be, for example, an employee of a company giving an inside perspective of what they do and how they do it. If you can link their username with the rest of their contributions, it might make the company able to identify the employee, and maybe firing them if they didn't like what they posted.
There has been a discussion recently and one of the interesting things was to allow users to access "without registration" during special events like AmAs.
The concept was that in that time window new users should be able to participate without going through the hassle of registering but of course having access to only part of the website, nominally the AmA topics and only with limited capabilities (e.g. only one post per n minutes, no voting, etc)
To say something more on point with your topic, I think that usernames need to stay.
I want to recognize a user I interact with often and could have an interesting discussion.
What could be done, and quite easily, is instead "anonymise" topics and comments older than a certain amount of time.
In a comment I wrote 1 month ago you would simply see "someone" instead of my username.
Those who took part in the conversation at the time get all the benefit of having names to refer to, but if someone goes back because they just discovered the post today, they can get the content (the important part) without me risking being harassed in any way.
Of course this implicitly means that my comment and replies-to-me history will only be 1 month old always because the data is hard deleted.
I think that would be a great mechanic on Reddit where old topics have limited/no activity, but if we are keeping topics alive for a long time on ~, this might actually be harmful? Who would want to post in a sea of "someone"?
This is especially true in the case of e.g. the introductions thread. Who would go back through that if there were no usernames?
And again, as has been mentioned a number of times, retroactive attempts at anonymity are only as effective as the ability to prevent people recording the events as they happen. If the site has an open read-only view, and gets big enough, someone will probably make an uneddit-style scraper that lets you see all the histories anyway.
Well... old topics with no activity in more than n weeks/months should naturally die, to be honest. If someone has to add something it's more probable that they'll create a new topic on the same argument than that they go resume an old topic.
My point is that we will not forcefully "close" anything (as reddit does when it archives threads) and also protect the personal history of the users at the same time from being harassed.
AMA: I'm not sure what the reasons are for allowing unregistered users to ask questions in an AMA. Is it just to encourage participation? Would it? I mean, registering is not much of a hassle, and especially for an AMA (you're just asking a question after all) I don't see why not being accounted for your participation is important. Actually, wouldn't it encourage random hostiles to use the feature to criticize or insult the hosts without the fear of repercussions (since there's no registered user to punish)?
The option to anonymize should be available (optionally, of course, and possibly only to users with a minimum of reputation) even before you post anything to a thread. That way scrapers could not get your username at any point.
That would generate a problem. If I go into a thread with several "someones" I don't know how many participants are there. That's why I was suggesting the RedFox, PurpleOctopus mechanic. Anonymity would be preserved since there would not be a link to the officially registered username, and coherence would be preserved as well, as I would know who is talking to whom inside the thread.
I suppose the comment tree is built in the backend and passed to the frontend.
If that's the case, the frontend could receive the full tree without name and IDs and still be able to build the topic structure.
You, the "user", don't need to see how many participants are in a topic.
But if more than two people are having a conversation, or someone new replies to a comment (giving several comments on the same level) it would get confusing who is saying what and it would be difficult to create a mental image of the number of participants and their positions, I think.
I suppose I just don't see the point of knowing "how many are participating".
I seriously never read the username of the people I was writing to on Reddit, except when someone was mentioning a joke involving the username.
Yeah, you have a point. I don't usually either. Only when there are real conversations going on, which is not that often, tbh. But maybe here it'll be different.
For what it's worth: The idea of having randomised names on a thread-basis is exactly what Candid used to be doing. In their case, it eventually filled with trolls. Their advertisers realised that people would hate a lot, and shied away. Luckily, we don't have to rely on advertisers, but we still have the problem of people acting like trolls if they're fully anonymous.
I didn't know about this app. Interesting. However, Wikipedia mentions it shut down because the parent company was acquired and the Quora answer is not very in depth. Not saying that's not what happened, just that that's not very strong proof.
In any case, as discussed above, the feature should probably be opt-in per thread basis, and only available to users with a minimum reputation. I believe that should prevent it from being abused by random people?
You're right about my weak sources; however, I wasn't able to find much about it. I did find this article which also covers other apps that offered full anonymity, and why they all closed.
Edit: Here's another article about it
Pertaining to the username shuffle, once the trusted user system is in place, they would have to be able to see the real usernames of all commenters in order to determine if someone is a full troll account, to ban or not to ban, etc.
Sooo I have a question off of this... if trusted users (tu) can see this information but we can't, would this create some kind of power increase for the tu- which we are trying to avoid- and/or communication difficulty between the tu and users upon banning of a troll user? If so, what solution is there to this issue that would keep the username scramble idea alive?
I am not sure how the TU mechanic is going to work exactly. However, my idea is that history (across usernames) is available only to some users (superhigh trusted users, mods and admins) and only for a short amount of time (say, a month). That way their power would be limited but they would still be able to assess whether someone is a real troll or spammer or flamer or not.
I'm not sure I know what you're referring to precisely, but I guess non-trusted users should just... trust trusted users.
I think post history should be private. It prevents gaming the system and harassment. I know this seems counterintuitive because anonymity always breeds trolls, but at the same time look what happened to that guy who posted the Trump wrestling gif. It's a very specific example and set of circumstances, but it still happened. How many times have you been in a thread and someone pulls a past comment up on another user in order to set up a straw man? I would suggest a "friend" style system in which only friends can view your post history but that sets up a "vote for vote" ring similar to Digg in which information is controlled yet again. I guess it is always going to be possible though. Holding people accountable for things that are outside of the current conversation is an instant gateway to derailment.
Yes, I agree. However, I don't really like the idea of the friends system. As argued throughout the post, I think it's better to have the history available only for some users (trusted users) and for a limited amount of time, so that malicious behavior can be penalized if necessary during that window of time.
This is really important. People grow and become better when discussing topics, you shouldn't be judged by someone snooping through your profile looking for ammunition to win an argument. It should be by the merits of your current posts. If I look through my reddit account even 1 year ago I cringe at some of the comments I've made. Maybe it should show the last month's worth of stuff and it all gets archived anonymously like you've said in your post.
It could be changed but we need a system to offer credibility of a person. Karma kind of does this because it is (relatively) hard to farm karma to bot and troll. We need a system to be able to identify bad actors. If there is full anonymity, will this quickly devolve into a 4-chan-esque platform?
Suggestion. Have public and private links between posts and poster. Public link is the user's name, which can be disassociated and can be accessed by APIs, and private links like an ID which only Tildes knows. That way people can remove any public association with their comments and have more privacy, while still being held accountable if they break the code of conduct.
How would the private ID be generated? If the private ID is the same on all posts for a user it will leak the user's identity. One would have to make a function for making a new ID for each post.
This is only a rough idea. I could probably ponder on the design of this function if there's interest for it. It would put more load on the server, but if privacy and accountability are desired this should be given consideration.
Yes, that is the general idea. And it seems the dev is actually thinking of wiping any "private" links after a given time (once reputation gain/losses of submissions are awarded and any disciplinary action is taken if needed).
Others have correctly pointed out as well that any disassociation that takes place after posting is probably not very reassuring from a privacy-focused perspective, since there will be ways to retrieve the original post with the original username. That's why they want to implement a system (available for some user tiers) that would allow you to post without using your username in the first place. There would still be a link between your posts and your username, accessible only to mods, as explained above, but it would expire after a while. That way no one could retrieve the original username and even a court order requiring a submission of the database wouldn't get that information, since it would be wiped out after X days.
The time aspect sounds interesting. We might have to keep in mind that posting without the username can be abused and be used to break the terms of service / code of conduct.
Yes, but the "temporary" username would still be linked to the main account so that any break of terms or code of conduct would reflect on the main account. So it shouldn't be a problem in that sense. :)
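The per-post private ID asked about above and the moderator-only link that expires after X days can be combined into one mechanism. The following is an added example, not part of the thread and not Tildes code: it assumes integer user and post IDs, HMAC-SHA256 as the ID function, and one server-side key per retention epoch; `LinkKeyring`, `link_tag`, `create_post` and `authored_by` are hypothetical names.

```python
import hashlib
import hmac
import secrets
import struct


class LinkKeyring:
    """Server-only secrets, one per retention epoch (for example one per day)."""

    def __init__(self, retention_epochs):
        self.retention_epochs = retention_epochs
        self._keys = {}

    def issue(self, epoch):
        # Called when a post is created; makes the epoch key on first use.
        if epoch not in self._keys:
            self._keys[epoch] = secrets.token_bytes(32)
        return self._keys[epoch]

    def lookup(self, epoch):
        # Called by moderation tooling; never creates a key.
        return self._keys.get(epoch)

    def expire(self, current_epoch):
        # Destroying a key severs the link for every post made in that epoch.
        cutoff = current_epoch - self.retention_epochs
        for epoch in [e for e in self._keys if e <= cutoff]:
            del self._keys[epoch]


def link_tag(key, user_id, post_id):
    # Fixed-width encoding so distinct (user_id, post_id) pairs never collide.
    msg = struct.pack(">QQ", user_id, post_id)
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def create_post(keyring, user_id, post_id, epoch):
    # The stored row has no user_id column, only the per-post tag.
    key = keyring.issue(epoch)
    return {"post_id": post_id, "epoch": epoch,
            "tag": link_tag(key, user_id, post_id)}


def authored_by(keyring, post, user_id):
    """True/False while the epoch key exists, None once it has been destroyed."""
    key = keyring.lookup(post["epoch"])
    if key is None:
        return None
    expected = link_tag(key, user_id, post["post_id"])
    return hmac.compare_digest(expected, post["tag"])
```

The tags differ for every post by the same account, so a leaked posts table alone does not group a user's history. The expiry only holds if destroyed keys are also absent from backups and no other stored metadata (request logs, for instance) ties the account to the post.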