Circle-Initiated Device Revocation¶
When a device is lost, stolen, or compromised, the user's immediate Circle needs a way to suspend access on their behalf — without locking out emergency tools, without alerting an attacker that anything has changed, and without requiring perfect coordination from people who may themselves be in difficult circumstances.
This page defines the tiered revocation system, the consensus model, coercion handling, and the attack surface of the system itself.
The core design constraint¶
Standard remote-wipe and account-lockout flows fail this user base in two ways:
- Visible lockout alerts an attacker. If the device shows "Your account has been suspended," the person holding it — who may be dangerous — now knows the Circle has been alerted and will act accordingly. This endangers the victim if they are nearby.
- Full lockout cuts off the victim's own safety tools. Emergency services, distress beacons, and crisis hotlines must remain accessible regardless of compromise status. A bad actor reaching 911 is acceptable; a victim being unable to reach 911 is not.
Both constraints push toward the same solution: revocation must be invisible to the device holder and must preserve outbound safety access.
Three-tier revocation model¶
flowchart TD
CONCERN["Circle member\nbelieves device is\ncompromised"]
BIO["Biometric\nauthentication\nrequired to act"]
L1["Level 1 — Soft Flag\n(any 1 member)"]
L2["Level 2 — Session Suspension\n(2 members within 30 min)"]
L3["Level 3 — DID Key Rotation\n(≥3 members or 2 + verified org)"]
SHADOW["Shadow mode:\napp appears normal\nmessages silently held"]
SUSPEND["Session token invalidated\non relay — looks like\nnetwork error to holder"]
ROTATE["DID key rotated\nnetwork-wide — device\npermanently dead"]
EMERGENCY["Emergency tools\nalways accessible:\n911 · beacon · hotlines"]
CONCERN --> BIO
BIO --> L1
L1 --> SHADOW
L1 -->|"second member\nconfirms within 30 min"| L2
L2 --> SUSPEND
L2 -->|"third member or\nverified org confirms"| L3
L3 --> ROTATE
SHADOW --> EMERGENCY
SUSPEND --> EMERGENCY
ROTATE --> EMERGENCY
Level 1 — Soft Flag¶
- Trigger: any single Circle member.
- Auth required: biometric of the flagging member (prevents borrowed-device false triggers).
- Effect on device: shadow mode activates — the app appears completely normal to the holder. Messages appear to send; delivery receipts appear; no error, no notification.
- Effect on Circle: messages from the flagged device are marked
[unverified — device flagged]. Members treat incoming messages with caution and do not confirm sensitive information (location, meeting place, plans). - Why no visible lockout: if the user is watched or coerced, a suddenly frozen app tells the attacker the Circle has been alerted. Shadow mode buys time without triggering a reaction.
- Reversal: the flagging member clears the flag, or the device user completes a fresh biometric authentication.
Level 2 — Session Suspension¶
- Trigger: two Circle members independently confirm concern within 30 minutes of the first flag.
- Auth required: biometric of each voting member, cast independently.
- Effect on device: the relay refuses the device's current session token. The app displays "Reconnecting…" — not a lockout message. To the holder it looks like a temporary network problem.
| Function | Status |
|---|---|
| 911 / local emergency services | ✅ Always on |
| Distress beacon (outbound only) | ✅ Always on |
| Crisis hotline shortcuts | ✅ Always on |
| Circle messages (read) | ❌ Suspended |
| Circle member list | ❌ Suspended |
| Help requests | ❌ Suspended |
| Posting new messages | ❌ Suspended |
- Restoration: Circle vouch recovery (2+ members confirm in person) on the compromised device or a new device.
- Quorum threshold: scales with Circle size, minimum 2 confirmations regardless — you never need all members to respond, which is unrealistic when people may be offline, asleep, or in their own difficult situations.
Level 3 — DID Key Rotation¶
- Trigger: three or more Circle members, or two members plus one verified organisation (shelter, social worker, mutual-aid org with verified badge).
- Auth required: biometric + deliberate double-confirm from each voter (irreversible action requires deliberate intent).
- Effect on device: the user's
did:keyidentity is rotated across the entire network. The old device's key is permanently invalid; no session can be restored from it. - When to use: trafficking scenarios, sustained coercion, known device theft where the attacker has likely bypassed biometrics, or any situation where the device is confirmed in hostile hands with no prospect of recovery.
- Restoration: recovery phrase (12-word card) on a clean device, followed by Circle vouch. If the phrase is also compromised, the BNI support channel (48-hour, identity-verified).
- User-initiated halt: if the legitimate user still has a clean device and their recovery phrase, they can halt a Level 3 rotation within a 15-minute window by completing biometric + phrase — preventing a coordinated Circle attack from permanently locking out the actual owner.
Coercion handling¶
Standard revocation fails when the user is watched and coerced into using the app normally — the attacker expects it to work, and any visible failure reveals that help has been called.
Shadow-mode acknowledgment layer. Messages sent in shadow mode receive synthesised delivery receipts and read confirmations timed realistically. The coercer watching the screen sees the message delivered and read; Circle members see it marked [unverified] and know not to respond in a way that reveals their awareness. Same principle as the duress PIN — a convincing normal surface over a compromised state.
Coerced Circle member. An attacker may force a member to cast a suspension vote. Circle members have their own duress authentication path: when a member uses their duress PIN before casting a vote, the vote appears to cast normally but a distress signal is sent to their own duress contacts. The revocation system becomes an alert system when operating under coercion.
Consensus design rationale¶
| Question | Decision | Rationale |
|---|---|---|
| Why not require full Circle consensus? | Too fragile — members may be offline, unreachable, or in crisis | A quorum that can never be reached provides no protection |
| Why not allow a single member to suspend? | Too easily weaponised by a bad actor | Requires compromise or coercion of at least two independent members |
| Why a 30-minute window for Level 2? | Long enough for a second member to respond; short enough to act during an active incident | Balances responsiveness with asynchronous notification reality |
| Why biometric to cast a vote? | Prevents using a member's unlocked phone to cast a false vote | Each vote must be independently authenticated |
| Why does Level 3 have a user-initiated halt? | Prevents a coordinated malicious Circle from permanently locking out the legitimate user | The owner's recovery phrase is a stronger claim than a quorum vote |
Attack surface¶
Circle-side attacks¶
Insider attack. A hostile member (abusive partner, trafficker, infiltrator) has a legitimate vote. With one ally or under coercion of a second member, they can reach Level 2; with two allies, Level 3. Mitigations: vote weight scales with trust tier (recently-added, unverified members carry reduced weight); Level 3 requires three members or a verified org; all votes are logged and visible to other members and any verified org.
Coerced Circle member. Mitigation: the duress authentication path above — coerced members can signal while appearing to comply.
Sybil attack. Fake identities accepted into the Circle used to achieve quorum. Mitigations: invitations require mutual confirmation; rate limiting; org accounts require manual verification; recently-added members carry lower vote weight; Circle size caps.
Relay and infrastructure attacks¶
Relay forgery. A compromised relay forges revocation signals. Mitigation: revocation decisions are cryptographically signed by members' DID keys before transmission. The relay routes signed payloads but cannot generate or modify them.
Timing analysis — detecting shadow mode. An observer notices a cluster of member activity consistent with a revocation vote. Mitigation: revocation traffic is indistinguishable from normal message traffic; votes are encrypted, and the relay observes only that messages were exchanged.
Shadow-mode detection. An attacker sends a message from the compromised device to a controlled account and notices it never arrives despite "delivered." Mitigation: shadow mode generates realistic fake delivery receipts/read timestamps — technically the hardest mitigation, treated as a Phase 3 hardening task.
Recovery-path attacks¶
Recovery impersonation. Mitigation: Circle vouch recovery defaults to in-person confirmation; remote vouch is permitted only if both confirming members have independent, uncoerced contact with the user through a separate channel.
Recovery-phrase theft. Mitigation: the phrase restores the DID key but not session trust automatically; after phrase-based recovery, members receive a notification and a confirmation step is required before sensitive data flows.
Level 3 race condition. Mitigation: the 15-minute user halt window above.
The structural limit¶
No system fully protects a user when the threat is someone they already trust with access — an abusive partner in the Circle, a compromised social worker, a trafficker who has built trust over time can weaponise the revocation system rather than be defeated by it.
The design response is to make each tier require more coordination, more time, and more exposure. A single bad actor reaches only Level 1 (soft, visible to others). Levels 2 and 3 require sustained coordination among multiple people — coordination that creates witnesses, logs, and opportunities for the attack to be noticed and interrupted. The system does not eliminate this risk; it raises the cost high enough that most real-world threats — opportunistic theft, impulsive coercion, single-actor abuse — cannot succeed.
Related pages¶
- Threat Model — the threat analysis this system addresses
- Authentication & Lockout — device-side failure sequence and emergency mode