
Communications of the ACM

Technical opinion

The Viability of Supporting Anonymous Employees

Anonymity has been used effectively to provide privacy, confidentiality, secrecy, security, neutrality, and to reduce inhibitions. Well-known food critics and bidders at high-end auctions will at times effectively use anonymity to their advantage. Some marketers de-emphasize the association between their products to promote brand separation (consider Toyota's ownership of Lexus). But can anonymity be beneficial in an employment context? This may be the case, as certain positions may be difficult to fill because they impose indirect costs that prospective employees are unwilling to bear. These costs could be due to some stigma associated with the position or employer (for example, accepting an accounting job at an adult entertainment club). Accepting a controversial position or one opposed by some radical group may place the individual, his or her family, and property at risk. It could be that accepting the job may jeopardize future hiring and earning potential. Consequently, the support of anonymous employment could increase the applicant pool, potentially reducing costs and improving the process outcome. Unfortunately, traditional contractual mechanisms do not support anonymity.

Significant obstacles exist for the support of contractual anonymity. Since current business processes do not support anonymous employment, new processes are needed to:

  • Verify credentials of unknown, anonymous individuals;
  • Confirm anonymous compensation (proving all contractual payments are made);
  • Comply with governmental reporting requirements (tax payments, required SEC disclosures), which currently require Social Security numbers;
  • Support social equity initiatives (affirmative action, contract set-asides/quotas); and
  • Provide for employee accountability/warranty.


Mechanisms to Support Anonymous Employment

Mechanisms needed to support anonymous contractual agreements draw heavily on well-known public-key encryption (PKE) technologies. PKE uses a dual-key encryption scheme—messages encrypted using one key can only be decrypted with the corresponding key. Common uses of PKE include digital signatures, which verify text authorship, and digital certificates, which permit a certificating authority (CA) to certify that a public key belongs to a specific individual (much like a driver's license links a specific DMV number to a particular individual). While these procedures do not support anonymity, blinded versions do. Blind digital signatures hide the contents of what is being signed from the signer—a capability that some digital money schemes use to make digital transactions untraceable. Blind digital certificates do not identify the certificate holder. Rather they indicate that a certain skill has been earned by the owner of the certificate's embedded public key (for example, that the certificate owner has passed the driving test).

Consider a case in which an individual wants to prove she received a degree from Cal Tech, but wants to maintain her anonymity. She supplies the certifying agent (Cal Tech) a blinded (encrypted) token. After validating the claim, the agent digitally signs this blinded token without ever seeing the underlying, unblinded token. Assuming a transitive encryption scheme, the validation applied to the blinded token (the CA's digital signature) is automatically transferred to the cleartext token when it is unblinded by the individual. The resulting signature is identical to the result had the CA signed the unblinded token directly. Combining this signature with the cleartext token generates an untraceable, yet verifiable certificate. Anyone can verify the signature by comparing the cleartext token and digitally signed token using the CA's public key. Unfortunately, this does not provide verifiable ownership of the certificate. Ownership can be proven by incorporating a challenge/response mechanism into the certificate. Rather than a random token, the individual could provide his or her blinded public key. Certificate ownership is proven by demonstrating access to the private key corresponding to this public key (by properly decrypting a message encrypted with the public key).

In the situation concerning the Cal Tech graduate, she receives a digitally signed version of her blinded public key. Cal Tech indicates the degree earned by the key set used to sign the token. Different key sets would be used for each degree offered. Such a certificate has three important characteristics. Anyone can validate it using Cal Tech's public key; ownership can be proven by demonstrating access to the appropriate private key; and the certificate cannot be traced back to the certificate holder, since not even Cal Tech has access to the unblinded token that it signed.
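The blind-certificate flow described above, as an added example that is not code from the article: it assumes textbook RSA (Chaum-style blinding) as the "transitive" scheme, which the article does not name, and uses small constructed keys that are only suitable for demonstration. All function names are hypothetical.

```python
import hashlib
import secrets
from math import gcd

E = 65537

def make_key(p, q):
    """Textbook RSA key from two primes: returns (n, e, d)."""
    n = p * q
    return n, E, pow(E, -1, (p - 1) * (q - 1))

# Constructed demo keys from Mersenne primes; far too small for real use.
CA_N, CA_E, CA_D = make_key(2**89 - 1, 2**107 - 1)  # CA key set for one degree
H_N, H_E, H_D = make_key(2**61 - 1, 2**127 - 1)     # holder's own key pair

def token(pub_n, pub_e, ca_n):
    """Cleartext token: hash of the holder's public key, reduced mod the CA modulus."""
    digest = hashlib.sha256(f"{pub_n}:{pub_e}".encode()).digest()
    return int.from_bytes(digest, "big") % ca_n

def blind(m, ca_n, ca_e):
    """Holder: hide m behind a random factor r; returns (blinded, r)."""
    while True:
        r = secrets.randbelow(ca_n - 2) + 2
        if gcd(r, ca_n) == 1:
            return (m * pow(r, ca_e, ca_n)) % ca_n, r

def ca_sign(x, ca_n, ca_d):
    """CA: sign whatever it is handed; it only ever sees the blinded value."""
    return pow(x, ca_d, ca_n)

def unblind(blind_sig, r, ca_n):
    """Holder: strip r, leaving the CA's signature on the cleartext token."""
    return (blind_sig * pow(r, -1, ca_n)) % ca_n

def verify(m, sig, ca_n, ca_e):
    """Anyone: check the signature against the token with the CA public key."""
    return pow(sig, ca_e, ca_n) == m

def proves_ownership(pub_n, pub_e, respond):
    """Verifier: encrypt a nonce to the certified key; the owner must decrypt it."""
    nonce = secrets.randbelow(pub_n - 2) + 2
    return respond(pow(nonce, pub_e, pub_n)) == nonce

def issue_certificate():
    """Full flow; returns (token, signature, blinded value the CA saw)."""
    m = token(H_N, H_E, CA_N)
    blinded, r = blind(m, CA_N, CA_E)
    sig = unblind(ca_sign(blinded, CA_N, CA_D), r, CA_N)
    return m, sig, blinded
```

A real deployment would need full-size keys and a padded, standardized blind-signature construction; unpadded RSA is used here only to make the algebra visible.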

This approach can certify all manner of personal traits and accomplishments. Utilizing multiple key sets, the user can link attributes from different CAs, or keep them unlinked. If the same key set is submitted to multiple CAs, the resulting certificates are tied together through the common embedded token (common public key). Alternatively, the user can submit different public keys to each CA, and selectively combine the certificates to present a limited profile to an employer. This also limits the ability of the third party to build a dossier on the individual. Currently, common information such as Social Security numbers is used to link information from different sources to build a more complete picture of an individual. Using blind certificates eliminates this common identifier, preventing cross-referencing across information sources.

When it may be necessary to invalidate a certificate, fair blind signatures can be used. In this case a trusted third party is introduced into the credentialing process. This trustee has access to additional information that allows anonymity to be broken if necessary. This ability to associate a certificate with its owner provides the ability to invalidate the blind certificate, but unfortunately, also negates the guarantee of absolute anonymity.

Anonymous Payments. To support an anonymous employment environment means the compensation system must also support anonymity. There are two requirements: it must be able to verify that contractual payments are made, and it must prevent others from masquerading as the worker and claiming payments. Both goals can be accomplished using a modified digital money scheme incorporating blind signatures. To verify payment, the non-traceable digital money can be blinded with the anonymous employee's public key. Since only the employee knows the corresponding private key, misappropriation of funds is prevented.


Governmental Reporting Requirements. Governmental reporting requirements must be addressed if anonymous employment is to be realized. Two alternatives exist, each supporting different degrees of anonymity. The government could issue Social Security certificates (SSC)—encrypted versions of Social Security numbers (SSN) coupled with appropriate digital signatures. The SSC's validity can be verified by the employer. Incorporating the individual's public key into the SSC would even allow the verification that an individual owns the SSC, currently not possible with SSNs. Required government reports would then use this SSC instead of the SSN. Multiple SSC versions would prevent it from becoming a pseudo-identifier. This approach hides the employee's identity from the employer but not from the government. If the government is unwilling to incur the administrative overhead, an outsourcing model could be employed. A firm could contract with a service bureau or employment agency, which then contracts with the individual doing the work. The employer now has an identifiable entity (the service bureau) to which payments are made. The service bureau is responsible for reporting payments to the government (the IRS) for the anonymous worker, and can shield the worker's identity from the employer. However, under this scenario the employee's anonymity is not guaranteed. The service bureau knows, and subsequently could disclose, the employee's identity.

Anonymous Employees Accountability. Finally, we look to traditional environments to see how employee accountability has been addressed. Workers/employees may guarantee work quality, with payment being withheld or put in escrow until satisfactory performance is demonstrated. Partial payments may be made based on verifiable deliverables. Alternatively, the employee could post a performance bond. Under each scenario, contract negotiations establish obligations and penalties for both parties. A digitally signed contract demonstrates knowledge of, and agreement with, the contract's terms. In the most straightforward case, objective, observable metrics would be used to verify compliance with the contract terms.

Note that anonymous employment reduces "agency costs"—the costs of observing and monitoring work done by an employee while the employee is doing it. Since only outputs can be observed and measured, the employer is forced to precisely define in advance both the deliverables and criteria for accepting the produced output. This does not prevent intermediate deliverables as long as they are well defined beforehand.



Mechanisms exist that mirror traditional employment/contractual mechanisms yet allow individuals to remain anonymous, as has been illustrated here. Using blind certificates it is possible to verify an applicant's credentials, while avoiding the creation of an alternate, pseudo-identifier—a problem with the Social Security number today. Fair blind signatures would address cases in which it may be necessary to revoke credentials. To address governmental reporting requirements, the traditional Social Security number could be replaced with a digital Social Security certificate. Such a scheme potentially supports employment anonymity and improves protection against identity theft while providing the government ready access to the individual's identity.

Thus, using existing public-key encryption technologies, it is possible to support anonymous employment, an environment that has not been considered in the literature. It is hoped this work will stimulate future research into the implications of an anonymous work force.



John Gerdes, Jr. is an assistant professor with the A. Gary Anderson Graduate School of Management at the University of California, Riverside.

©2004 ACM  0002-0782/04/0400  $5.00

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee.

The Digital Library is published by the Association for Computing Machinery. Copyright © 2004 ACM, Inc.

