Threat Model¶
A structured analysis of physical, cyber, and legal threats for MPowerUP, weighted toward the actual risk profile of the target user base — not a generic enterprise threat model.
This page covers MPowerUP only. Cross-project and RlivN threat analysis lives in the cross-cutting BNI → Technologies → Security section.
Physical threats¶
Device theft. The most common threat for houseless users. A stolen device is not just a stolen phone — because identity is a did:key stored locally, whoever possesses the device is that user on the network: Circle memberships, message history, and the ability to post help requests as that person.
Mitigations: biometric lockout, emergency-only mode on repeated failure, remote identity invalidation via Circle quorum.
Coerced access (rubber hose). Someone physically threatening or manipulating a user to unlock the app — an abusive partner, a trafficker monitoring a victim's support network, a dealer wanting to see who an addict is talking to. Standard authentication cannot detect coercion. Mitigation: duress PIN that appears to succeed but strips sensitive data and sends a silent distress signal.
Device seizure by law enforcement. Formerly incarcerated users face elevated risk of device seizure during stops, searches, or arrests. An unlocked device hands law enforcement the entire Circle graph. Mitigations: auto-lock on screen-off, short grace periods for high-risk users, local key encryption at rest.
Device sharing. Household or shelter device sharing is common in this population and exposes Circle activity to someone who may not be trusted. Mitigation: user profile switching with per-profile biometrics; clear session timeout.
Cyber threats¶
Circle infiltration. A bad actor gets invited into a victim's Circle through social engineering (posing as a social worker, housing org, or mutual-aid group). Once inside, they see all help requests, implied location, timing patterns, and the full member list. The highest-impact cyber threat in the model. Mitigations: Circle invitation requires mutual confirmation; organisations have verified badges; members can flag and eject other members by consensus.
Compromised Circle member. A trusted member's device is stolen or they become hostile. The attacker now has a valid identity inside the Circle. Mitigations: per-message forward secrecy (compromise of one key does not decrypt past messages); members can revoke other members; DID rotation on suspected compromise.
Relay server metadata exposure. The relay cannot read content, but it observes who connects to whom, connection frequency/timing, and originating IPs. This metadata alone can reconstruct social graphs and is legally subpoenable. Mitigations: relay logs purged after session close; no persistent connection records; consider onion routing / Tor-optional transport for high-risk users in a later phase.
Sybil attack on Circles. Multiple fake accounts controlled by one attacker flood a user's invitations or create fake "organisations" that appear trustworthy. Mitigation: organisation accounts require manual verification; rate limiting on invitations; Circle size caps prevent mass infiltration.
DID key compromise without device theft. Side-channel or malware extraction of the private key from device storage without physical access. Mitigations: keys stored in the device secure enclave (iOS Secure Enclave / Android StrongBox) where available; never written to app-accessible storage.
Legal exposure¶
| Risk | Description | Severity |
|---|---|---|
| Law-enforcement subpoena | Relay metadata and any cloud-stored data is subpoenable. Users with prior convictions face elevated risk. | High |
| COPPA | Children of houseless parents may be in Circles. Users under 13 trigger strict data-handling obligations. | High |
| Domestic-violence data exposure | Circle membership, message timing, and location patterns are dangerous if exposed to an abuser via legal process or breach. | High |
| Terms-of-service enforcement | Decentralised architecture makes it technically difficult to remove bad actors; BNI needs a clear policy and reporting mechanism. | Medium |
| Mandated reporting | If the platform receives disclosure of abuse or imminent danger, BNI's legal obligation as a platform is undefined. Seek legal counsel before launch. | Medium |
| GDPR / CCPA | Relay metadata processing may trigger consent and deletion obligations even without a central data store. | Medium |
Open problem¶
Key management across devices. As users upgrade devices or use multiple devices, key migration and multi-device identity management become attack surfaces. This is unsolved in the current architecture and should be addressed before public launch.