Notes on building a forum where the admin role has no special read access

I'm running a forum at https://writeonce.to-go.io. It's small, it's anonymous in a fairly literal sense, and one of the design choices I want to write down is this: I'm the admin, and I don't have any way to tell you who posted what. Not because I refuse to look. Because there's no field to look at.

This is one of those things where saying it sounds like marketing copy, and looking at the data model is the thing that makes it real. So here's the data model, roughly.

A post in this forum has these columns:

- pk (post id, ULID)
- category (string)
- body (markdown text)
- created_at (timestamp)
- expires_at (timestamp or "never")
- vote_score (int, denormalized)

That's it. No `author_id`. No `author_handle`. No `posted_from_ip`. No `session_id`. No "associated with logged-in user X". The application layer doesn't even have a User table to be associated with. There are no users. The DynamoDB single-table layout has Post items, Comment items, Category items, Vote-tally items, and an audit log of admin actions, and that's the whole list.

A vote item has these columns:

- pk (post id)
- sk (vote_<rotated_salt_hash>)
- direction (+1 or -1)
- created_at (timestamp)

The `rotated_salt_hash` is a hash of the voter's browser fingerprint with a salt that the system rotates daily and purges after two days. It's enough to dedup repeat votes within a 24-hour window. After 48 hours, the salt is gone and the hash is no longer linkable to anything, including itself across days. There's no way for me, looking at the database, to say "these two votes from different days came from the same person." I genuinely cannot do it. The data isn't there.

So what can I, the admin, actually do? I can force-delete a post or a comment, bypassing the community vote, when something is clearly illegal or off-policy. That's logged in the audit log with the post ID and the reason. I can move a post between categories.
I can rename categories, hide them, or delete entire categories. I can take the site offline.

What can I not do? I cannot tell you who posted a particular thing. I cannot tell you what else the same person posted. I cannot tell you what IP address they came from (CloudFront access logs are disabled, application logs strip the source IP before they hit CloudWatch, and DynamoDB has never seen one). I cannot tell you what country they're in. I cannot tell you whether two different posts in the same thread are from the same person. I cannot tell you which posts got the most votes from any particular voter, because I can't define "any particular voter" for any time horizon longer than 48 hours.

This is a real distinction, and it matters in a way that I think tends to get glossed over in privacy talk. Most "anonymous" forums are anonymous in a policy sense: the admin chooses not to expose your identity, but the admin has it. If a court asks, the data exists. If the admin's account gets popped, the data exists. If the admin sells the company, the data exists.

The forum I'm running cannot answer that kind of question. Not "will not." Cannot. The data isn't in the system. There's nothing to subpoena and nothing to leak. If somebody compromises my admin account, the worst they can do is delete posts or take down categories. They can't unmask anybody, because there's no mask to remove: the post never had an identity attached in the first place.

A friend asked me whether this means I can't moderate. I think the answer is, I can moderate the content of the forum but not the people on it. If a particular type of post keeps showing up that the community votes against, I can do category-level rules, rate limits per fingerprint window, even shut a category. What I can't do is ban a person, because I don't know what a person is here.

This is the design. https://writeonce.to-go.io if anyone wants to read posts on it instead of reading about it.
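A worked model of the vote-dedup scheme described under the vote item above. This is an added example, not the forum's own code. It assumes HMAC-SHA256 as the keyed hash of the fingerprint under the day's salt, an in-memory dict standing in for the DynamoDB table (the conditional write mirrors a PutItem with `attribute_not_exists(sk)`), a two-day salt retention window, and the constructed post id and fingerprint strings in the block. It shows the property the design depends on: while a day's salt is still held, a vote can be tied back to a fingerprint the admin already possesses; once the salt is purged, the question has no answer.

```python
"""Model of the daily-salted vote key scheme (added example; assumptions noted inline)."""
import datetime as dt
import hashlib
import hmac
import secrets

# Assumption: a salt is purged once it is this many days old (the post's "48 hours").
SALT_RETENTION_DAYS = 2


class SaltStore:
    """One random salt per calendar day; old salts are forgotten on rotation."""

    def __init__(self):
        self._salts = {}  # date -> 32 random bytes

    def rotate(self, today):
        """Mint today's salt if it is missing, then purge salts older than the window."""
        if today not in self._salts:
            self._salts[today] = secrets.token_bytes(32)
        for day in list(self._salts):
            if (today - day).days >= SALT_RETENTION_DAYS:
                del self._salts[day]
        return self._salts[today]

    def get(self, day):
        """Salt for `day`, or None once it has been purged."""
        return self._salts.get(day)

    def days_retained(self):
        return sorted(self._salts)


def vote_sort_key(salt, fingerprint):
    """sk = 'vote_<rotated_salt_hash>'. Assumption: HMAC-SHA256 keyed with the day's salt."""
    digest = hmac.new(salt, fingerprint.encode(), hashlib.sha256).hexdigest()
    return "vote_" + digest


class VoteTable:
    """Stand-in for the single DynamoDB table, keyed by (pk, sk)."""

    def __init__(self):
        self.items = {}

    def put_if_absent(self, item):
        """Mirrors PutItem with ConditionExpression attribute_not_exists(sk)."""
        key = (item["pk"], item["sk"])
        if key in self.items:
            return False
        self.items[key] = item
        return True


def cast_vote(table, salts, post_id, fingerprint, direction, now):
    """Write a vote item. Returns (accepted, sk); accepted is False on a same-day repeat."""
    if direction not in (+1, -1):
        raise ValueError("direction must be +1 or -1")
    sk = vote_sort_key(salts.rotate(now.date()), fingerprint)
    item = {"pk": post_id, "sk": sk, "direction": direction, "created_at": now.isoformat()}
    return table.put_if_absent(item), sk


def linkable_to(salts, day, fingerprint, sk):
    """Can a vote `sk` cast on `day` be tied to `fingerprint`?
    True/False while that day's salt exists; None once it is purged (unanswerable)."""
    salt = salts.get(day)
    if salt is None:
        return None
    return hmac.compare_digest(vote_sort_key(salt, fingerprint), sk)


def simulate():
    """Walk one fingerprint through three days and report what the admin could learn."""
    table, salts = VoteTable(), SaltStore()
    post = "01J0CONSTRUCTEDPOSTULID000"  # constructed, ULID-shaped
    fp = "constructed-browser-fingerprint"  # constructed stand-in for a real fingerprint
    day1 = dt.datetime(2024, 5, 1, 9, 0)
    day2 = day1 + dt.timedelta(days=1)
    day3 = day1 + dt.timedelta(days=2)

    first, sk1 = cast_vote(table, salts, post, fp, +1, day1)
    repeat, _ = cast_vote(table, salts, post, fp, -1, day1.replace(hour=20))  # same day: deduped
    again, sk2 = cast_vote(table, salts, post, fp, +1, day2)  # new salt, so a new sk
    link_on_day2 = linkable_to(salts, day1.date(), fp, sk1)  # day-1 salt still held
    salts.rotate(day3.date())  # 48 hours on: day-1 salt purged
    link_on_day3 = linkable_to(salts, day1.date(), fp, sk1)
    return {
        "first_accepted": first,
        "same_day_repeat_accepted": repeat,
        "next_day_accepted": again,
        "keys_differ_across_days": sk1 != sk2,
        "linkable_on_day2": link_on_day2,
        "linkable_on_day3": link_on_day3,
        "salts_held_on_day3": salts.days_retained(),
    }


if __name__ == "__main__":
    for name, value in simulate().items():
        print(f"{name}: {value}")
```

The point of `linkable_to` returning three states rather than two is the distinction the post draws: a stale vote isn't "protected" by policy, it is unanswerable, because the only key that could recompute its `sk` no longer exists anywhere. Note the scheme assumes the fingerprint itself is never stored; the table only ever holds the keyed hash, and the dedup window is exactly as long as the salt's life.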