Blind Query

Unlike other TripleBlind operations, Blind Query is not an inherently privacy-preserving operation. Blind Query allows you to intentionally expose content to a requesting third party while maintaining visibility into the request and the capability to deny unauthorized access before the query executes. This is useful in special situations such as:

  • The asset is a database view which is known to be privacy preserving (e.g. an SQL report that outputs summaries of classes of records)
  • The asset is a safe output which you wish to make available to the other party

Blind Query is a Safe with Care operation (see Privacy Assurances and Risk in the Getting Started section of the User Guide), and has the potential for misuse. TripleBlind has a number of safeguards for its use:

  • Blind Query is disabled by default at our strictest security levels.
  • Unless an Agreement has been established permitting auto-approval of requests, all Blind Query operations require an informed Asset Owner approval through an Access Request. The Access Request for Blind Query contains information on any SQL statements that are invoked in the operation.
  • k-Grouping is respected in the Blind Query operation as a minimum record threshold on the output; a query that would result in fewer than k records fails automatically with a warning message.


  • When using create_job() to query a dataset asset, use Operation.BLIND_QUERY for the operation parameter.
  • When using add_agreement() to permit a counterparty to query your dataset directly, use Operation.BLIND_QUERY for the operation parameter. Permissive agreements (without usage restrictions) are not recommended for use with this operation.

⚠️ Blind Query is NOT recommended for HIPAA applications.


See examples/Data_Munging/ for usage.

operation: BLIND_QUERY

  • Blind Query is requested by a data user on a specific DatasetAsset using the BLIND_QUERY operation in create_job().

dataset: DatasetAsset

  • This asset will be returned to the user after applying preprocessing.


  • SELECT * is not permitted in sql_transform preprocessors upstream of Blind Query and Blind Join. Use get_column_names() to request a list of column names and list them explicitly in the query. This empowers the data owner to make an informed approval decision within any Access Requests against their dataset.
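
The two query-level safeguards described on this page, the ban on SELECT * and the k-Grouping minimum on output records, sketched as an owner-side review check. This is an added example, not TripleBlind code: the function names, the sqlite3 stand-in database, the `claims` table and the value of k are all assumptions.

```python
import re
import sqlite3

# "*" or "alias.*" directly after SELECT [DISTINCT] or after a comma in a column list.
# COUNT(*) and arithmetic such as "a * b" do not match.
_WILDCARD = re.compile(r"(?:\bselect\b\s*(?:distinct\s+)?|,\s*)(?:\w+\.)?\*", re.IGNORECASE)


class QueryRejected(Exception):
    """Raised when a statement or its result fails an owner-side check."""


def review_statement(sql: str) -> None:
    """Conservative lint (not a SQL parser): reject wildcard column lists."""
    # Blank out string literals and comments so they cannot fake or hide a wildcard.
    text = re.sub(r"'(?:[^']|'')*'", "''", sql)
    text = re.sub(r"--[^\n]*|/\*.*?\*/", " ", text, flags=re.DOTALL)
    if _WILDCARD.search(text):
        raise QueryRejected("wildcard column list; name every column explicitly")


def run_with_k_threshold(conn, sql, k):
    """Run a reviewed query and fail it if the output has fewer than k records."""
    review_statement(sql)
    rows = conn.execute(sql).fetchall()
    if len(rows) < k:
        raise QueryRejected(f"output has {len(rows)} records, below k={k}")
    return rows


def build_sample_db():
    """Constructed sample data: six rows across four regions."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE claims (region TEXT, amount REAL)")
    conn.executemany(
        "INSERT INTO claims VALUES (?, ?)",
        [("north", 10.0), ("north", 20.0), ("south", 5.0),
         ("east", 7.0), ("west", 9.0), ("west", 1.0)],
    )
    return conn


if __name__ == "__main__":
    db = build_sample_db()
    print(run_with_k_threshold(db, "SELECT region, COUNT(*) FROM claims GROUP BY region", 3))
    for bad in ("SELECT * FROM claims", "SELECT region FROM claims WHERE region = 'south'"):
        try:
            run_with_k_threshold(db, bad, 3)
        except QueryRejected as exc:
            print("rejected:", exc)
```

The explicit column list is what lets the reviewer see which fields leave the dataset; the threshold runs on the result, so a narrow WHERE clause that isolates one record is caught even when the statement text looks harmless.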