How Your Identity and Privacy Work on CanuckDUCK
A simple guide to understanding how we protect you across the platform.
What Makes CanuckDUCK Different?
Most social platforms treat your identity like a product — tracking you, profiling you, and connecting everything you do into one big picture they can monetize.
CanuckDUCK does the opposite.
We built our system so that you can participate in civic life without being surveilled.
This isn't just a promise in our privacy policy. It's built into the architecture. It's mathematical. It's permanent.
One Login, Many Identities
When you create a CanuckDUCK account, you get access to our entire ecosystem:
- Pond — Forums and community discussions
- Consensus — Voting and policy proposals
- Communities — Local neighborhood pages and directories
- Flightplan — Community development projects
- Store — Avatars, subscriptions, and supporter features
- Ducklings — Youth education and onboarding (coming soon)
You log in once, and you're authenticated everywhere.
But here's the magic: each site sees you as a different person.
How It Works (The Simple Version)
Think of it like this:
Your Real Identity (Core)
When you first sign up, Core (our central authentication system) knows who you are. It verifies your email, connects with your Google or Facebook login if you choose, and establishes your account.
Your Public Identities (Everywhere Else)
But when you go to Pond to discuss politics, or Consensus to vote on policy, those sites don't know who you really are.
They see a unique identifier — think of it like a secret code — that represents you on that site.
Pond gets code: User_A
Consensus gets code: User_A (currently the same, but designed to be different in the future)
Store gets code: User_A
These codes are:
- Permanent within each site (your posts stay connected to you)
- Unlinkable across sites (Pond can't tell Store who you are)
- Irreversible without Core's cooperation (nobody can work backward to your real identity)
What Each Site Knows About You
Core Knows:
- Your real email address (for password resets and security)
- Your login method (Google, Facebook, Microsoft, or direct)
- Your display name (the friendly name you choose, like "DonaldDuck")
- Your location (country, province, city) — for showing you relevant local content
- Your verification level (did you just use Facebook, or did you verify your email, or go further?)
Pond, Consensus, Store Know:
- Your display name (so people can address you)
- Your secret code (so your posts stay connected)
- Your location (to show you Calgary forums if you're in Calgary)
- Your verification level (to show you're a trusted community member)
What They DON'T Know:
- Your email address
- Your real identity
- What you do on other CanuckDUCK sites
- Your social media accounts
Why This Matters
You Can Speak Freely
If you want to discuss mental health in Pond's forums, your employer can't connect that to your real identity.
If you want to vote for a controversial policy in Consensus, nobody can see how you voted — not even us.
If you want to report municipal corruption, you can do so without fear of retaliation.
You Can't Be Tracked
Big Tech makes billions by tracking you across the internet and building profiles.
On CanuckDUCK, each site operates independently. Nobody — not advertisers, not data brokers, not even us — can build a complete picture of your activity.
Your Display Name Is Yours
You can change your display name whenever you want (within reason — we don't allow impersonation).
When you change it, all your past posts automatically show your new name. But your identity within each site stays the same.
You maintain continuity without being locked into a permanent public persona.
You're Accountable for Your Words
Here's the other side of privacy: accountability.
CanuckDUCK doesn't let you delete your post history. If you say something in a public forum, it stays there.
Why? Because honest civic discourse requires that people take responsibility for their words. The ability to delete everything undermines trust and breaks the flow of conversation.
But you can do this pseudonymously — you're accountable to the community, but not necessarily to your boss or your neighbors.
The Technical Side (Without the Jargon)
Tokens and Passes
When you log into Core, it gives you a special encrypted "pass" (called a JWT token, but you don't need to know that).
This pass says:
- "This person is allowed to access Pond"
- "Show them content for Calgary, Alberta"
- "Their display name is Christine"
- "They're email-verified"
But it doesn't say:
- Their email address
- Their Facebook account
- Their LDAP identity
- Anything that reveals who they really are
Each site checks this pass, confirms it's legitimate, and lets you in.
The pass expires after 15 minutes, so you have to get a fresh one from Core. But once you're logged into a site, you stay logged in (like any website) until you log out or your session expires.
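The pass described above, as an added example rather than CanuckDUCK's own code: Core issues a signed token carrying only the listed claims, and a site checks signature, audience and the 15-minute expiry. It assumes an HS256-signed JWT (the page does not name the algorithm); the function names, claim names and key are hypothetical.

```python
import base64
import hashlib
import hmac
import json
import time

SIGNING_KEY = b"constructed-demo-signing-key"  # constructed sample, not a real key
PASS_LIFETIME = 15 * 60  # the page's 15-minute expiry, in seconds


def b64e(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_pass(key, site, code, name, city, level, now=None):
    """Core side: build a pass with no email, login provider or LDAP identity."""
    now = int(time.time()) if now is None else now
    claims = {"aud": site, "sub": code, "name": name, "loc": city,
              "verification": level, "iat": now, "exp": now + PASS_LIFETIME}
    head = b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64e(json.dumps(claims).encode())  # encoded, not encrypted
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64e(sig)}"


def check_pass(key, token, site, now=None):
    """Site side: return the claims only if genuine, unexpired and for this site."""
    now = int(time.time()) if now is None else now
    try:
        head, body, sig = token.split(".")
        header = json.loads(b64d(head))
        expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if header.get("alg") != "HS256" or not hmac.compare_digest(expected, b64d(sig)):
            return None
        claims = json.loads(b64d(body))
        if claims.get("aud") != site or now >= claims.get("exp", 0):
            return None
        return claims
    except (ValueError, TypeError, AttributeError):
        return None  # malformed pass: reject rather than raise
```

A signed JWT's payload is readable by anyone holding the pass, so leaving email and login provider out of the claims is what keeps them from the sites. With a shared HS256 key every site that can verify a pass can also mint one, so an asymmetric signature held only by Core is the safer choice.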
One-Way Secrets
The "secret code" we mentioned earlier is created using something called a "one-way hash."
Think of it like this:
- You put your real identity into a blender
- Out comes a smoothie
- You can't un-blend it back into the original ingredients
Even if someone steals the smoothie (your code), they can't figure out what went into it.
Only Core has the recipe. And Core only shares the recipe with proper legal authority (court orders, subpoenas, etc.).
Location Without Surveillance
We ask for your city/province so we can show you relevant content.
If you're in Calgary, you see Calgary forums. If you're in Vancouver, you see Vancouver forums.
But we don't track your IP address across the platform. We don't build movement profiles. We don't sell your location data.
We just use it to make the platform more useful for you.
What About Logging Out?
Logging out of a single site (like Pond) only ends your session on that site. You'll still be logged into Core and other sites.
Logging out of Core ends your central authentication. You'll need to log back in to access any site.
In the future, we'll add a "Logout Everywhere" button that signs you out of everything at once.
What About Voting and Maximum Anonymity?
In Consensus, our voting and policy platform, we take privacy even further.
When you cast a vote:
- We create a special one-time code just for that vote
- This code is separate from your regular identity code
- Even we can't easily trace who voted what
To connect a vote to a person would require:
- Access to the Consensus database
- Access to Core's secret recipe
- Access to the LDAP identity system
- Proper legal authority
It's designed so that even in a data breach, votes remain anonymous.
But if a court issues a subpoena — say, for an election fraud investigation — we have a legal audit process that can pierce the veil with proper oversight.
Privacy, but not impunity.
What We're Building Toward
CanuckDUCK is still growing. Here's what's coming:
Verification Levels
Right now, we have basic verification (email, social login).
Soon, you'll be able to:
- Verify your phone number (higher trust)
- Verify your government ID (highest trust for official discussions)
- Verify your address (for local community leadership roles)
Higher verification doesn't mean less privacy — it just means the community can trust you're a real person.
Role-Based Access
Eventually, you'll be able to:
- Become a moderator for your local community forum
- Claim and manage a business page
- Apply to be an official municipal partner
- Create educational content for Ducklings
Each role will be tracked securely without exposing your identity unnecessarily.
Better Logout Options
We're building a central "logout everywhere" feature so you can end all sessions at once.
Smarter Privacy
We're working on making your identity code different on each site (not just unlinkable, but actually different).
This adds another layer of protection if any site's database is ever compromised.
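An added example, not CanuckDUCK's own code: one way to derive the per-site identity codes described here and under "One-Way Secrets", assuming a keyed hash (HMAC-SHA256) whose key only Core holds. `site_code`, `unkeyed_code`, `resolve`, the key and the account IDs are hypothetical; the unkeyed variant is there to show why a plain hash alone would not keep the "recipe" with Core.

```python
import hashlib
import hmac
from typing import Optional

# Constructed demo key; a real one would live in Core's secrets store.
CORE_KEY = b"constructed-demo-key-not-a-real-secret"


def site_code(core_key: bytes, site: str, account_id: str) -> str:
    """Stable per-site pseudonym: same account gives a different code on each site."""
    # Length-prefix the site name so ("ab", "c") and ("a", "bc") cannot collide.
    msg = len(site).to_bytes(2, "big") + site.encode() + account_id.encode()
    return hmac.new(core_key, msg, hashlib.sha256).hexdigest()[:32]


def unkeyed_code(account_id: str) -> str:
    """Weak variant: anyone who can guess the input can recompute this code."""
    return hashlib.sha256(account_id.encode()).hexdigest()[:32]


def resolve(core_key: bytes, site: str, code: str, accounts: list) -> Optional[str]:
    """Core-side lookup for a lawful request: recompute codes until one matches."""
    for account_id in accounts:
        if hmac.compare_digest(site_code(core_key, site, account_id), code):
            return account_id
    return None


if __name__ == "__main__":
    accounts = ["acct-1001", "acct-1002"]  # constructed sample account IDs
    pond = site_code(CORE_KEY, "pond", "acct-1001")
    store = site_code(CORE_KEY, "store", "acct-1001")
    print("pond :", pond)
    print("store:", store, "(differs from pond)")
    print("with Core's key   :", resolve(CORE_KEY, "pond", pond, accounts))
    print("without Core's key:", resolve(b"guess", "pond", pond, accounts))
```

A stolen site database holds only these codes; matching them to accounts, or to codes on another site, needs the key as well as the account list.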
Why We Built It This Way
Most platforms ask: "How much data can we collect?"
We ask: "How little data do we need?"
CanuckDUCK exists to create space for honest civic discourse. That requires:
✅ Privacy — so you can speak freely
✅ Accountability — so you take responsibility for your words
✅ Community — so we can build trust
✅ Transparency — so you know exactly how it works
We're not hiding our architecture. We're not burying details in legal jargon. We're showing you exactly how we protect you — because your privacy is your right, not our marketing gimmick.
Questions?
Can CanuckDUCK see my real identity on every site?
Core can, but the individual sites (Pond, Consensus, Store) cannot. It's separated by design.
What if I forget my password?
Core can send you a password reset to your email. Your activity on other sites remains safe.
Can I delete my account?
You can deactivate it, but we don't delete post history. Civic discourse requires accountability. Your words stay, but your account becomes inactive.
What if there's a data breach?
Even if a site like Pond is breached, attackers only get your secret code and display name — not your real identity. They can't connect you to other sites or your email.
What if police demand my info?
We comply with lawful requests (court orders, subpoenas). We have a legal process to bridge your secret code back to your real identity — but only with proper authority.
Can I use CanuckDUCK anonymously?
You can use a pseudonym (display name) on all public-facing sites. But Core needs a real email for account recovery. True anonymity would mean no way to recover your account if you forget your password.
What about kids and Ducklings?
Ducklings (youth education) will have age-appropriate protections and parental controls. Stay tuned.
The Bottom Line
CanuckDUCK is civic infrastructure built with civic values.
Your identity belongs to you.
Your privacy is protected by math, not just policy.
Your voice matters, and we're building a space where you can use it — freely, safely, and responsibly.
Welcome to the conversation. 🦆
Last Updated: November 23, 2025
For Technical Details: See our internal architecture documentation
Questions? Contact us at [email protected]