UNCLASSIFIED // FOR PUBLIC RELEASE // MIDNIGHT NETWORK VERIFIED

Technical explainer

How the ZK proof works

UnRedacted does not promise anonymity — it makes anonymity mathematically enforced. Even if we were subpoenaed, we could not produce your identity.

The problem with traditional platforms

Every existing whistleblowing platform has the same flaw: somewhere in the system, your identity exists. An account. A session token. An IP log. An email address. A subpoena finds it.

UnRedacted is built on a different premise: we never learn who you are. We only learn that you are affiliated with the organisation you are reporting on.

1. Domain verification — ephemeral

You enter your work domain and a work email address. We send a one-time code. The moment you enter the correct code, three things happen simultaneously:

  1. The ZK proof is generated from your domain.
  2. Your work email is permanently deleted from our database.
  3. Your personal email is never stored at all.

Before confirmation

work_email: john@corp.com
work_domain: corp.com
otp_hash: sha256(...)

After confirmation

work_email: DELETED
work_domain: DELETED
otp_hash: DELETED

2. Zero-knowledge proof on Midnight

Midnight is a data-protection blockchain with a dual-state ledger — private state (yours) and public state (everyone's). Our Compact circuit takes your domain verification as a private input and produces a public commitment hash. The circuit proves you possess valid insider credentials without revealing what those credentials are.

The proof itself is generated inside your browser using a Halo2 zk-SNARK over a Poseidon hash chain. Your private inputs never leave the tab — only the resulting commitment is broadcast to the Midnight network.

3. AI identity scrubbing

Human writing is a fingerprint. Unusual phrasing, jargon, the specific sequence of facts you know — all can identify you without a name. Claude processes your report with a strict identity-removal prompt before anything is published.

Before

On March 14th, Sarah Chen from the London office told me that Project Atlas was misclassifying loans. Employee ID 47291 has the spreadsheets.

After

Recently, a senior colleague at a regional office confirmed that an internal project was misclassifying loans. A team member has the documentation.

Where each piece of data lives

The proof is generated in your browser — your private inputs (domain, email, payslip) never reach our servers. Only the public commitment hash is stored.

Data | Where | Lifetime
Work email | Browser memory + our DB briefly | ~30s — deleted on OTP confirm
Payslip image | Browser → API memory → AI → discarded | Never persisted
Private witness (domain + nonce) | Browser Web Worker only | ~10s during proof gen, then dropped
Proof commitment hash | Midnight blockchain + our DB | Permanent — public
Scrubbed report text | Our database, public via API | Permanent — public
Verifier key | Midnight network | Permanent — public

The commitment hash is a one-way Poseidon output — mathematically impossible to reverse back to your domain or identity, even with our entire database leaked.

What we cannot do, even if ordered to

Reveal who submitted a report

The work email is deleted immediately. No record links any report to any person.

Produce IP logs

No IP addresses are logged against submissions or OTP sessions.

Delete a published report

Reports are stored on the Midnight network. We lack the ability to remove them.

Identify the organisation

We store only sector and region — not the domain or company name.
