Subject: Re: A stab at the sealer in E
From: hal@finney.org
Date: Tue, 9 Nov 1999 11:52:41 -0800

> Btw, am I using the right terminology? I would say that E/Pluribus provides
> pseudonymity & bearer rights, Freedom provides untraceability, and Blinding
> provides unlinkability. Robust privacy benefits from having all three
> together.

Pseudonymity is somewhat ambiguous. Generally it refers to anonymity where there is linkability: I don't know who you are, but I know you are the same person I was talking to yesterday. Anonymity is strictly unlinkable, like the "Anonymous Coward" postings on slashdot. You don't know whether one Anonymous is the same or different from another.

Pluribus does seem to provide bearer rights, but whether it provides pseudonymity is questionable. You do know the IP address of the machine you are talking to. That doesn't seem particularly anonymous. On the other hand, it is not tightly bound to a particular human's name and identity, so perhaps the IP address could be thought of as a pseudonym, in a sense.

(Or perhaps the pseudonym you are referring to is the Vat ID, essentially a public key. In that case, Pluribus on top of Freedom could be thought of as providing pseudonymity, assuming that Vats retain their IDs for extended periods of time.)

Freedom provides untraceability, and also anonymity. I distinguish these by saying that the former is with respect to a third party, and the latter is with respect to the communicating peer. The links are untraceable in the sense that if the FBI came and tried to figure out who was talking to whom, they would fail (ideally). The communications are anonymous because the server doesn't know anything about who his client is, not even his IP address.

You could imagine a system which provided untraceability but not anonymity, for example if the system revealed the source address to the destination, but otherwise kept it hidden. Likewise you could have anonymity without untraceability, which is pretty much what you get on slashdot; with enough work someone could track down who a particular "Anonymous Coward" is.

Blinding provides unlinkability? Yes, although now you're talking more about software objects, rather than about objects in the real world like people and machines.

Blinding is basically a protocol by which one party comes into possession of an object which has specified mathematical properties which can be recognized by the issuing party. The object should be unforgeable, that is it should not be possible to create it without the cooperation of the issuing party; and it should be unlinkable in that the issuing party cannot recognize the object and link it to the interaction by which it was created.

The created object is much like a capability, although it is not bound to a specific object. But because it can be recognized as authentic by the issuer, it can be used like a capability to request certain actions.

If you did blinded cash, you might want to think about the resulting object as being something like a "sturdyref", where you can turn it into a real capability. At the time it was transformed in this way, the object to which it was a capability would have to be created, unlike with a regular sturdyref where the object already exists. I don't know how well this would work with the rest of the system, though.

Hal