What is Veranon
How Veranon Works: Anonymous Surveys You Can Actually Trust
Most anonymous survey tools ask you to trust that the administrator won’t look at who submitted what. Veranon is different—it makes deanonymization technically impossible, not just against policy.
This post explains how that works without diving into the cryptographic weeds.
The Core Problem
When you submit a survey response through a typical platform, you’re logged in. Even if your answers are stored separately from your identity, the server still knows that you submitted something at a particular time. Metadata leaks. Logs exist. A determined administrator, a data breach, or a legal subpoena could connect the dots.
Veranon breaks that connection entirely. When you submit a response, there’s no login session, no user ID attached to the request, nothing that ties the response back to you. The system verifies you’re an authorized respondent without knowing which respondent you are.
What Veranon Actually Does
For survey administrators:
You create a survey, add your questions, and specify who should be able to respond. When you activate the survey, the system generates a pool of anonymous credentials—think of them like blank tickets that prove “the holder is allowed to respond” without saying who the holder is.
You can see participation rates (how many people have responded) but you cannot see who submitted which response. This isn’t a feature you can toggle off. It’s how the system works at a fundamental level.
For respondents:
When you access a survey you’ve been invited to, you claim one of those anonymous credentials through a process that prevents the server from knowing which credential you received. Later, when you submit your response, you use that credential to prove you’re authorized—but the credential itself contains no information about your identity.
The server validates that your response came from someone in the authorized group. It records your answers. It has no way to figure out that the someone was you.
The Two-Step Anonymity Guarantee
Veranon’s approach involves two distinct protections that work together.
Step one: Getting your anonymous credential
You authenticate normally (email, OAuth, whatever the organization uses) to prove you’re an eligible respondent. But instead of the server handing you a credential directly—which would let it track which credential went to which person—there’s an intermediate step.
You generate a random token and scramble it before sending it to the server. The server signs your scrambled token without being able to see what it actually says. You then unscramble the signed result, leaving you with a valid server signature on your original token.
The server knows it signed something for you. It knows someone later showed up with a valid signed token. It cannot connect these two events. The scrambling process mathematically severs the link.
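The scramble, sign, unscramble exchange described above can be traced with textbook RSA blinding. This is an added illustration, not Veranon's code: the page does not say which blind signature scheme it uses, so RSA, the toy key, and every function name here are assumptions, and standardized schemes such as RFC 9474 add proper message encoding on top of this arithmetic.

```python
import hashlib
import secrets
from math import gcd

# Toy RSA key from two Mersenne primes (constructed for this demo, NOT secure).
P, Q = 2**127 - 1, 2**107 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # server's private exponent


def digest(token: bytes) -> int:
    """Map a token to an integer mod N (simplified hash-to-integer step)."""
    return int.from_bytes(hashlib.sha256(token).digest(), "big") % N


def blind(token: bytes):
    """Respondent: scramble the token digest with a secret random factor r."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            break
    return (digest(token) * pow(r, E, N)) % N, r


def server_sign(blinded: int) -> int:
    """Server: signs the value it is handed; it only ever sees the blinded form."""
    return pow(blinded, D, N)


def unblind(blinded_sig: int, r: int) -> int:
    """Respondent: divide out r, leaving a signature on the original digest."""
    return (blinded_sig * pow(r, -1, N)) % N


def verify(token: bytes, sig: int) -> bool:
    """Anyone with the public key (N, E) can check the unblinded signature."""
    return pow(sig, E, N) == digest(token)


def run_exchange():
    """One issuance: returns the respondent's result and what the server saw."""
    token = secrets.token_bytes(32)      # respondent's random token
    blinded, r = blind(token)
    blinded_sig = server_sign(blinded)   # visible next to the authenticated login
    sig = unblind(blinded_sig, r)        # computed locally, not sent at issuance
    issuance_log = {"blinded": blinded, "blinded_sig": blinded_sig}
    return token, sig, issuance_log
```

The values in `issuance_log` are all the server can record against the authenticated user. The token and signature presented later match neither of them, and without `r` the server cannot map one pair to the other.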
Step two: Submitting your response
Here’s where it gets interesting. When you submit your response, you don’t log in at all. No session cookie, no authentication token, nothing that identifies you.
Instead, you submit your answers along with a cryptographic proof. This proof demonstrates that you hold a valid credential from the authorized group without revealing anything about which credential it is. The server checks that the proof is valid and that you haven’t already submitted (each credential can only be used once). If both checks pass, your response is recorded.
The server’s logs show: “received valid response from authorized group member.” That’s all they can show. There’s no user ID to record because none was provided.
Why This Matters
Traditional “anonymous” surveys:
The server processes your authenticated request and stores your response. Anonymity depends on the administrator choosing not to look at access logs, not to correlate timestamps, not to examine database records too closely. The technical capability to deanonymize exists; policy is the only barrier.
Veranon:
The server never receives your identity during response submission. There’s no log entry connecting you to your response because no such connection exists in the system. An administrator who wanted to deanonymize responses would have no technical path to do so. Neither would an attacker who breached the database, nor a court order demanding respondent identities.
What Administrators Can See
Participation tracking works at the credential-claim stage, not the response stage. Administrators can see that Alice, Bob, and Carol have each claimed their anonymous credentials. They can see that three responses have been submitted. They cannot determine which response belongs to which person.
This actually serves most organizational needs. You can send reminders to people who haven’t claimed credentials yet. You can verify that everyone participated. You just can’t see individual answers.
Limitations and Honest Caveats
Anonymity has practical limits regardless of cryptography.
Small groups are inherently risky. If only three people could possibly respond to a survey, and one response mentions a project that only one of those people worked on, the content itself deanonymizes the respondent. Veranon can’t protect against that.
The anonymous credential pool is only as trustworthy as its generation. In the current design, the server creates the credentials. A malicious server operator could theoretically generate credentials in a way that breaks anonymity. For organizational surveys where the administrator is somewhat trusted, this is usually acceptable. Higher-stakes applications might require a different architecture where credentials are generated collaboratively or by respondents themselves.
Timing correlation matters in small pools. If you’re the only person who ever accesses the survey at 3am and a response comes in at 3:01am, that’s a leak. Using the system during normal hours when others are active provides better cover.
The Technical Foundation
Veranon is built on Semaphore, an open protocol for anonymous group membership proofs. Semaphore has been audited and is used in production systems handling significant value. The blind signature scheme for credential distribution follows published standards.
The proofs are generated entirely in your browser. The server never sees your credential’s secret values—it only sees the proof that you possess a valid credential.
Proof generation takes a few seconds on typical hardware. Verification on the server is nearly instant.
When to Use Veranon
Veranon fits situations where honest feedback matters more than attributed feedback, and where respondents might self-censor if they thought their answers could be traced.
Employee engagement surveys. Sensitive organizational feedback. Whistleblower channels. Any context where “we promise it’s anonymous” isn’t convincing enough, and where you want to be able to say “we literally cannot see who said what.”
Veranon is a product of Rank One Labs. For questions about anonymous survey deployments or zero-knowledge applications, visit rankonelabs.com.