Threat Model¶
A structured analysis of physical, cyber, and legal threats across BNI projects. Threats are weighted toward the actual risk profile of the target user base — not a generic enterprise threat model.
MPowerUP¶
Physical threats¶
Device theft
The most common threat for houseless users. A stolen device is not just a stolen phone — because identity is a did:key stored locally, whoever possesses the device is that user on the network. They inherit circle memberships, message history, and the ability to post help requests as that person.
Mitigations: Biometric lockout, emergency-only mode on repeated failure, remote identity invalidation via circle quorum.
Coerced access (rubber hose) Someone physically threatening or manipulating a user to unlock the app — an abusive partner demanding to see circle messages, a trafficker monitoring a victim's support network, a dealer wanting to see who an addict is talking to. Standard authentication cannot detect coercion.
Mitigation: Duress PIN that appears to succeed but strips sensitive data and sends a silent distress signal.
Device seizure by law enforcement Formerly incarcerated users are at elevated risk of device seizure during stops, searches, or arrests. An unlocked device hands law enforcement the entire circle graph.
Mitigations: Auto-lock on screen-off, short grace periods for high-risk users, local key encryption at rest.
Device sharing Household or shelter device sharing is common in this population. A device shared with a family member or roommate exposes circle activity to someone who may not be trusted.
Mitigation: User profile switching with per-profile biometrics; clear session timeout.
Cyber threats¶
Circle infiltration A bad actor gets invited into a victim's circle through social engineering — posing as a social worker, housing org, or mutual aid group. Once inside, they see all help requests, implied location, timing patterns, and the full circle member list. This is the highest-impact cyber threat in the model.
Mitigations: Circle invitation requires mutual confirmation; organisations have verified badges; circle members can flag and eject other members by consensus.
Compromised circle member A trusted circle member's device is stolen or they become hostile. The attacker now has a valid identity inside the circle.
Mitigations: Per-message forward secrecy (compromise of one key does not decrypt past messages); circle members can revoke other members; DID rotation on suspected compromise.
Relay server metadata exposure The relay server cannot read message content, but it observes: who connects to whom, connection frequency and timing, and originating IP addresses. This metadata alone can reconstruct social graphs and is legally subpoenable.
Mitigations: Relay logs purged after session close; no persistent connection records stored; consider onion routing or Tor-optional transport for high-risk users in a later phase.
Sybil attack on circles Multiple fake accounts controlled by one attacker flood a user's circle invitations or create fake organisations that appear trustworthy.
Mitigation: Organisation accounts require manual verification; rate limiting on circle invitations; circle size caps prevent mass infiltration.
DID key compromise without device theft Side-channel attacks or malware extracting the private key from device storage without physical access.
Mitigations: Keys stored in device secure enclave (iOS Secure Enclave / Android StrongBox) where available; never written to app-accessible storage.
Legal exposure¶
| Risk | Description | Severity |
|---|---|---|
| Law enforcement subpoena | Relay metadata and any cloud-stored data is subpoenable. Users with prior convictions face elevated risk. | High |
| COPPA | Children of houseless parents may be in circles. Users under 13 trigger strict data handling obligations. | High |
| Domestic violence data exposure | Circle membership, message timing, and location patterns are dangerous if exposed to an abuser via legal process or breach. | High |
| Terms of service enforcement | Decentralised architecture makes it technically difficult to remove bad actors; BNI needs a clear policy and a reporting mechanism. | Medium |
| Mandated reporting | If the platform receives disclosure of abuse or imminent danger, BNI's legal obligation as a platform is undefined. Seek legal counsel before launch. | Medium |
| GDPR / CCPA | Relay metadata processing may trigger consent and deletion obligations even without a central data store. | Medium |
RlivN¶
Physical threats¶
Caregiver as threat actor The most dangerous person in RlivN's threat model is often the caregiver. Financial exploitation, isolation from family, and psychological abuse by caregivers are documented and common. The caregiver configuration portal gives significant control over what the client sees and hears — this power must be audited and bounded.
Mitigations: Caregiver action audit log visible to family; family members can independently flag anomalous configuration changes; configuration changes require re-authentication.
Device as surveillance tool A tablet with an always-on microphone and camera in an elderly person's home is a surveillance device if compromised. The attack surface includes the device manufacturer, the OS, and any third-party process with microphone access.
Mitigations: Hardware microphone/camera indicators always visible to client; mic active only during active conversation, not ambient; no audio recorded or stored after session.
Physical isolation of client A bad caregiver can use the device to intercept family contact attempts, making the client believe no one is trying to reach them.
Mitigation: Family members have a separate read-only view of contact attempt logs that cannot be suppressed by the caregiver portal.
Cyber threats¶
AI conversation as intelligence gathering An elderly person with dementia will share sensitive information — account numbers, family conflicts, health conditions — with an AI companion they trust. If conversation data is stored or accessible to third parties, it is a rich exploitation target.
Mitigations: Conversations processed locally via Ollama offline model where possible; cloud API calls (Claude) use ephemeral sessions with no retention; conversations never logged to a persistent store accessible outside the device.
Caregiver portal account takeover If the caregiver account is compromised (weak password, phishing), an attacker gains full control of the client's experience.
Mitigations: Caregiver portal requires 2FA; login anomalies (new device, new location) trigger family notification; session tokens expire aggressively.
Offline model poisoning If the local Ollama model can be updated remotely, a supply chain attack could alter the companion's behaviour.
Mitigation: Model updates are signed and verified before installation; model hash pinned in app configuration.
Legal exposure¶
| Risk | Description | Severity |
|---|---|---|
| HIPAA grey zone | If RlivN is used in a clinical or care facility context, AI conversation data may constitute a protected health record. Confirm with legal counsel before clinical deployment. | High |
| Elder abuse reporting | If conversation data reveals indicators of abuse, BNI and caregivers may have mandated reporting obligations depending on state. | High |
| Guardianship and consent | A client under legal guardianship may not be able to consent to data processing. The guardian's consent must be obtained and documented. | Medium |
| ADA compliance | The client interface must meet WCAG AA minimum. Failure to accommodate cognitive and physical disabilities creates legal exposure. | Medium |
Cross-Project Concerns¶
Shared relay infrastructure If MPowerUP and RlivN share relay infrastructure in later phases, a compromise of one project's relay exposes metadata for both.
Mitigation: Separate relay instances per project; no shared authentication or session tokens across projects.
Open-source IP and security through obscurity BNI publishes source code openly. Security cannot rely on obscurity — all protections must hold even when the attacker has full knowledge of the codebase. This is a strength (community audit) as well as a responsibility (no hiding weak crypto behind closed source).
Key management across devices As users upgrade devices or use multiple devices, key migration and multi-device identity management become attack surfaces. This is unsolved in the current architecture and should be addressed before public launch.