Circle-Initiated Device Revocation

When a device is lost, stolen, or compromised, the user's immediate circle needs a way to suspend access on their behalf — without locking out emergency tools, without alerting an attacker that anything has changed, and without requiring perfect coordination from people who may themselves be in difficult circumstances.

This page defines the tiered revocation system, the consensus model, coercion handling, and the attack surface of the system itself.


The core design constraint

Standard remote-wipe and account-lockout flows fail this user base in two ways:

  1. Visible lockout alerts an attacker. If the device shows "Your account has been suspended," the person holding the device — who may be dangerous — now knows the circle has been alerted and will act accordingly. This endangers the victim if they are nearby.

  2. Full lockout cuts off the victim's own safety tools. Emergency services, distress beacons, and crisis hotlines must remain accessible regardless of compromise status. A bad actor reaching 911 is acceptable; a victim being unable to reach 911 is not.

Both constraints push toward the same solution: revocation must be invisible to the device holder and must preserve outbound safety access.


Three-tier revocation model

```mermaid
flowchart TD
    CONCERN["Circle member\nbelieves device is\ncompromised"]
    BIO["Biometric\nauthentication\nrequired to act"]
    L1["Level 1 — Soft Flag\n(any 1 member)"]
    L2["Level 2 — Session Suspension\n(2 members within 30 min)"]
    L3["Level 3 — DID Key Rotation\n(≥3 members or 2 + verified org)"]
    SHADOW["Shadow mode:\napp appears normal\nmessages silently held"]
    SUSPEND["Session token invalidated\non relay — looks like\nnetwork error to holder"]
    ROTATE["DID key rotated\nnetwork-wide — device\npermanently dead"]
    EMERGENCY["Emergency tools\nalways accessible:\n911 · beacon · hotlines"]

    CONCERN --> BIO
    BIO --> L1
    L1 --> SHADOW
    L1 -->|"second member\nconfirms within 30 min"| L2
    L2 --> SUSPEND
    L2 -->|"third member or\nverified org confirms"| L3
    L3 --> ROTATE
    SHADOW --> EMERGENCY
    SUSPEND --> EMERGENCY
    ROTATE --> EMERGENCY
```

Level 1 — Soft Flag

Trigger: Any single circle member

Auth required: Biometric of the flagging member (prevents borrowed-device false triggers)

Effect on device: Shadow mode activates — the app appears completely normal to the holder. Messages appear to send. Delivery receipts appear. The device holder sees no error, no notification, no indication anything has changed.

Effect on circle: Messages from the flagged device are marked [unverified — device flagged]. Circle members know to treat incoming messages with caution and not confirm sensitive information (location, meeting place, plans).

Why no visible lockout: If the user is being watched or coerced, a suddenly frozen app tells the attacker the circle has been alerted. Shadow mode buys time without triggering a reaction.

Reversal: The flagging member can clear the flag, or the device user successfully completes a fresh biometric authentication.


Level 2 — Session Suspension

Trigger: Two circle members independently confirm concern within 30 minutes of the first flag

Auth required: Biometric of each voting member, cast independently

Effect on device: The relay refuses the device's current session token. The app displays "Reconnecting…" — not a lockout message. To the holder, it looks like a temporary network problem.

What remains accessible:

| Function | Status |
| --- | --- |
| 911 / local emergency services | ✅ Always on |
| Distress beacon (outbound only) | ✅ Always on |
| Crisis hotline shortcuts | ✅ Always on |
| Circle messages (read) | ❌ Suspended |
| Circle member list | ❌ Suspended |
| Help requests | ❌ Suspended |
| Posting new messages | ❌ Suspended |

Restoration: Circle vouch recovery (2+ members confirm in person) on the compromised device or a new device.

Quorum threshold: Scales with circle size. Minimum 2 confirmations regardless of circle size — you never need all members to respond, which is unrealistic when people may be offline, asleep, or in their own difficult situations.


Level 3 — DID Key Rotation

Trigger: Three or more circle members, or two members plus one verified organisation (shelter, social worker, mutual aid org with verified badge)

Auth required: Biometric + deliberate double-confirm from each voter (irreversible action requires deliberate intent)

Effect on device: The user's did:key cryptographic identity is rotated across the entire network. The old device's key is permanently invalid. No session can be restored from it.

When to use: Trafficking scenarios, sustained coercion, known device theft where the attacker has likely bypassed biometrics, or any situation where the device is confirmed to be in hostile hands with no prospect of recovery.

Restoration: Recovery phrase (12-word card) on a clean device, followed by circle vouch to restore network trust. If the recovery phrase is also compromised, BNI support channel (48-hour, identity-verified process).

User-initiated halt: If the legitimate user still has access to a clean device and their recovery phrase, they can halt a Level 3 rotation within a 15-minute window by completing biometric + phrase. This prevents a coordinated circle attack from permanently locking out the actual owner.


Coercion handling

Standard revocation fails when the user is being watched and coerced into using the app normally. The attacker expects the app to work — any visible failure reveals that help has been called.

Shadow mode acknowledgment layer

Messages sent in shadow mode receive synthesised delivery receipts and read confirmations timed realistically. The coercer watching the screen sees the message delivered and read. Circle members see the message marked [unverified] and know not to respond in a way that would reveal their awareness of the situation.

This is the same principle as the duress PIN — the system presents a convincing normal surface to an observer while operating in a compromised state underneath.

Coerced circle member

An attacker may force a circle member to cast a suspension vote. To address this:

Circle members have their own duress authentication path. When a circle member uses their duress PIN to authenticate before casting a vote, the vote appears to cast normally but a distress signal is sent to their own duress contacts. The revocation system becomes an alert system when operating under coercion.


Consensus design rationale

| Question | Decision | Rationale |
| --- | --- | --- |
| Why not require full circle consensus? | Too fragile — members may be offline, unreachable, or in crisis themselves | A quorum that can never be reached provides no protection |
| Why not allow a single member to suspend? | Single-member suspension is too easily weaponised by a bad actor in the circle | Requires compromise or coercion of at least two independent members |
| Why 30-minute window for Level 2? | Long enough for a second member to see the alert and respond; short enough to act during an active incident | Balances responsiveness with the reality of asynchronous notification |
| Why biometric to cast a vote? | Prevents a bad actor from using a circle member's unlocked phone to cast a false vote | Each vote must be independently authenticated |
| Why does Level 3 have a user-initiated halt? | Prevents a coordinated malicious circle from permanently locking out the legitimate user | The owner's recovery phrase is a stronger claim than a quorum vote |
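
The quorum rules in this table and the tier thresholds above, written out as an added example in Go; it is not the project's own code. It assumes the relay has already verified each vote's signature, that trust-tier weights are 1.0 for an established member and 0.5 for a recently added one, that the 30-minute window bounds every tier, and that the caller, not this function, sends a duress voter's distress signal.

```go
package main

import "time"

// Vote is one biometric-authenticated vote the relay has already signature-checked.
// Weight is an assumed trust-tier weight (1.0 established member, 0.5 recently
// added); Org marks a verified organisation; Duress means the duress PIN was used.
type Vote struct {
	Member string
	Weight float64
	Org    bool
	Duress bool
	At     time.Time
}

const voteWindow = 30 * time.Minute // counted after the first flag; assumed for all tiers

// Evaluate returns the tier reached (0..3) given the first flag's time, plus the
// members who voted under duress: their vote still counts, so a coercer sees
// nothing, and the caller sends their distress signal. Level 2 needs member weight
// >= 2.0 inside the window; Level 3 needs >= 3.0, or >= 2.0 plus a verified org.
func Evaluate(first time.Time, votes []Vote) (int, []string) {
	seen := map[string]bool{} // each member counts once
	weight, org, duress := 0.0, false, []string(nil)
	for _, v := range votes {
		if seen[v.Member] {
			continue
		}
		seen[v.Member] = true
		if v.Duress {
			duress = append(duress, v.Member)
		}
		if v.At.Before(first) || v.At.Sub(first) > voteWindow {
			continue // late votes never extend the window
		}
		org = org || v.Org
		if !v.Org {
			weight += v.Weight
		}
	}
	switch {
	case weight >= 3 || (weight >= 2 && org):
		return 3, duress
	case weight >= 2:
		return 2, duress
	case len(seen) > 0:
		return 1, duress // any single member raises the soft flag
	}
	return 0, nil
}
```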

Attack surface

Circle-side attacks

Insider attack — bad actor in the circle
A circle member who is hostile (abusive partner, trafficker, infiltrator) has a legitimate vote. With one ally or under coercion of a second member, they can reach Level 2. With two allies, Level 3.

Mitigations:
- Vote weight scales with trust tier — recently added, unverified members have reduced weight
- Level 3 requires either three members or inclusion of a verified org, which is harder to compromise
- All revocation votes are logged and visible to other circle members and any verified org in the circle

Coerced circle member
Attacker finds a circle member and forces them to cast votes. One coerced member reaches Level 1; two reach Level 2.

Mitigation: Duress authentication path (see above) — coerced circle members can signal while appearing to comply.

Sybil attack — fake circle members
Attacker creates multiple fake identities, gets them accepted into the target's circle, uses them to achieve quorum for Level 2 or 3.

Mitigations:
- Circle invitations require mutual confirmation
- Rate limiting on invitations
- Organisation accounts require manual verification
- Recently added members carry lower vote weight
- Circle size caps prevent mass infiltration


Relay and infrastructure attacks

Relay forgery
A compromised relay forges revocation signals — falsely suspending legitimate users, or blocking valid suspension signals.

Mitigation: Revocation decisions are cryptographically signed by circle members' DID keys before transmission. The relay routes signed payloads but cannot generate or modify them. A relay that cannot produce a valid multi-party signature cannot trigger revocation.
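
The signed-vote check described above, as an added example in Go (not the project's own code): the member's device signs the vote with its Ed25519 key, the relay holds only public keys, and a vote that was altered in transit, signed by any other key, or attributed to an unregistered voter is dropped. Field names and the JSON canonical form are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
)

// VotePayload is the revocation vote a member's app signs before it reaches the
// relay. Field names and the JSON encoding are assumptions for this example.
type VotePayload struct {
	Target string `json:"target"` // flagged device id
	Level  int    `json:"level"`  // 1, 2 or 3
	Voter  string `json:"voter"`  // voting member's did:key
}

type SignedVote struct {
	Payload VotePayload
	Sig     []byte // Ed25519 signature over canonical(Payload)
}

// Registry is the relay's view of the circle: public keys only, no private keys.
type Registry map[string]ed25519.PublicKey

// Enrol makes the member's key pair (nil reader = crypto/rand) and registers the public half.
func (r Registry) Enrol(did string) ed25519.PrivateKey {
	pub, priv, err := ed25519.GenerateKey(nil)
	if err != nil {
		panic(err)
	}
	r[did] = pub
	return priv
}

// canonical is the signed byte string; encoding/json keeps struct field order.
func canonical(p VotePayload) []byte {
	b, _ := json.Marshal(p)
	return b
}

// Sign runs on the member's device; the private key never leaves it.
func Sign(priv ed25519.PrivateKey, p VotePayload) SignedVote {
	return SignedVote{Payload: p, Sig: ed25519.Sign(priv, canonical(p))}
}

// RelayAccept forwards a vote only if it verifies under the key registered for the
// claimed voter; a tampered payload, any other signer or an unknown voter is dropped.
func (r Registry) RelayAccept(v SignedVote) bool {
	pub, ok := r[v.Payload.Voter]
	return ok && len(pub) == ed25519.PublicKeySize && ed25519.Verify(pub, canonical(v.Payload), v.Sig)
}
```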

Timing analysis — detecting shadow mode
An attacker observing relay traffic notices a cluster of member activity consistent with a revocation vote. They infer the flag has been raised before the device shows any visible change.

Mitigation: Revocation traffic is indistinguishable from normal message traffic. Votes are encrypted and the relay observes only that messages were exchanged.

Shadow mode detection by attacker
Attacker sends a message from the compromised device to a controlled account and notices it never arrives, despite showing "delivered."

Mitigation: Shadow mode generates realistic fake delivery receipts and read timestamps timed to match normal response patterns. This is technically the hardest mitigation to implement correctly and should be treated as a Phase 3 hardening task.


Recovery path attacks

Recovery impersonation
After suspension, the attacker claims to be the legitimate user and initiates circle vouch recovery. If they social-engineer two circle members into confirming remotely, they gain access on a new device.

Mitigation: Circle vouch recovery should default to in-person confirmation as the primary path. The notification language explicitly says "physically locating" the user — this must not be relaxed to allow remote-only confirmation. Remote vouch is permitted only if both confirming members have independent, uncoerced communication with the user through a separate channel.

Recovery phrase theft
Attacker finds the user's 12-word physical card — stored at a shelter, in a wallet, or in the home — and uses it to restore identity on a new device.

Mitigation: Recovery phrase restores the DID key but does not restore session trust automatically. After phrase-based recovery, circle members receive a notification and a confirmation step is required before sensitive data flows. The phrase proves key ownership; the circle confirms the person is safe.

Level 3 race condition
Attacker uses coerced circle members to initiate a DID rotation before the legitimate user can use their recovery phrase on a clean device. Neither device now has valid identity and the user is locked out.

Mitigation: The 15-minute user halt window (see Level 3 above). If the user can reach any device and complete biometric + recovery phrase within that window, they can cancel the rotation in progress.


The structural limit

No system fully protects a user when the threat is someone they already trust with access. An abusive partner in the circle, a compromised social worker, or a trafficker who has built trust over time can weaponise the revocation system rather than being defeated by it.

The design response is to make each tier require more coordination, more time, and more exposure. A single bad actor reaches only Level 1, which is soft and visible to other members. Levels 2 and 3 require sustained coordination among multiple people — coordination that creates witnesses, logs, and opportunities for the attack to be noticed and interrupted.

The system does not eliminate this risk. It raises the cost of executing it high enough that most real-world threats — opportunistic theft, impulsive coercion, single-actor abuse — cannot succeed.