Reporting sexual assault and harassment is an important and difficult problem. Since late 2017, it has received increased attention as the viral #MeToo movement has brought about accusations against high-profile individuals and a wider discussion around the prevalence of sexual violence. Addressing occurrences of sexual assault requires a system to record and process accusations. It is natural to ask what security guarantees are necessary and achievable in such a system. In particular, we focus on detecting repeat offenders: only when a set number of accusations are lodged against the same party will the accusations be revealed to a legal counselor. Previous solutions to this privacy-preserving reporting problem, such as the Callisto Protocol of Rajan et al., have focused on the confidentiality of accusers. This paper proposes a stronger security model that ensures the confidentiality of the accuser and the accused as well as the traceability of false accusations. We propose the WhoToo protocol to achieve this notion of security using suitable cryptographic techniques. The protocol design emphasizes practicality, preferring fast operations that are implemented in existing software libraries. We estimate that an implementation would be suitably performant for real-world deployment.