|
| 1 | +# Coercion-Safe Delaying Architecture |
| 2 | + |
| 3 | +## Overview |
| 4 | + |
| 5 | +Phasmid implements a coercion-safe delaying architecture to increase uncertainty, |
| 6 | +delay confident conclusions, separate coerced disclosure from true disclosure, and |
| 7 | +improve operator survivability in hostile or coercive environments. |
| 8 | + |
| 9 | +This architecture does not claim permanent secrecy against unlimited forensic |
| 10 | +analysis. Its purpose is to avoid immediate proof, increase investigation cost |
| 11 | +and time, and provide plausible controlled disclosure under stress, coercion, or |
| 12 | +opportunistic inspection. |
| 13 | + |
| 14 | +--- |
| 15 | + |
| 16 | +## Design Principles |
| 17 | + |
| 18 | +- Prioritize survivability over perfect secrecy. |
| 19 | +- Avoid obvious failure states under coercion. |
| 20 | +- Prefer plausible ambiguity over active deception. |
| 21 | +- Use pre-consistent disclosure profiles instead of emergency fake generation. |
| 22 | +- Avoid claims of forensic invisibility. |
| 23 | +- Avoid anti-forensic or malware-like behavior. |
| 24 | +- Treat delay and uncertainty as defensive mechanisms. |
| 25 | + |
| 26 | +--- |
| 27 | + |
| 28 | +## Security Claims |
| 29 | + |
| 30 | +| Claim | Description | |
| 31 | +|---|---| |
| 32 | +| Separation of coerced from true disclosure | Coerced disclosure path uses a pre-configured dummy profile that is operationally separate from the true disclosure path. | |
| 33 | +| Immediate proof avoidance | No single action or observation confirms or denies the existence of protected content. | |
| 34 | +| Increased analysis cost | An adversary must invest time to distinguish dummy content from protected content. | |
| 35 | +| Pre-consistent disclosure | Dummy profiles are configured and populated before any coercive event, not generated on demand. | |
| 36 | +| Local-only operation | All standby, dummy, and profile operations are local. No network calls are introduced. | |
| 37 | +| Natural coercion-safe flow | Standby and dummy disclosure transitions do not require suspicious rapid key sequences or visible "panic" indicators. | |
| 38 | + |
| 39 | +--- |
| 40 | + |
| 41 | +## Non-Claims |
| 42 | + |
| 43 | +- Phasmid does not guarantee permanent secrecy against a capable forensic examiner |
| 44 | + with unlimited time and resources. |
| 45 | +- Phasmid does not claim that dummy content is indistinguishable under forensic analysis. |
| 46 | +- Phasmid does not forge or tamper with filesystem metadata, kernel logs, or timestamps. |
| 47 | +- Phasmid does not conceal the existence of the software itself. |
| 48 | +- Phasmid does not provide coercion-proof operation; survivability is a probabilistic |
| 49 | + improvement, not an absolute guarantee. |
| 50 | +- Silent Standby does not erase data; it removes it from the visible UI surface only. |
| 51 | +- Recovery from standby requires re-authentication; no automatic re-entry is provided. |
| 52 | + |
| 53 | +--- |
| 54 | + |
| 55 | +## Assumptions |
| 56 | + |
| 57 | +- The operator has pre-populated a plausible dummy profile before any coercive event. |
| 58 | +- The dummy profile is internally consistent: file types, sizes, and directory structure |
| 59 | + match the declared context profile. |
| 60 | +- The operator activates standby before a coercive party reaches the active UI state. |
| 61 | +- The hardware form factor does not itself attract hostile inspection. |
| 62 | +- The host operating system is not compromised at the time of standby activation. |
| 63 | + |
| 64 | +--- |
| 65 | + |
| 66 | +## Known Limitations |
| 67 | + |
| 68 | +- Standby transition is a UI-layer operation. It does not erase key material from memory. |
| 69 | +- A live memory capture performed after standby activation but before process exit may |
| 70 | + still expose in-memory key material. |
| 71 | +- Dummy content plausibility depends entirely on operator preparation; a trivially empty |
| 72 | + or structurally inconsistent dummy profile reduces survivability. |
| 73 | +- Recognition confidence routing (coercion_safe mode) routes low-confidence recognition |
| 74 | + to dummy disclosure but does not verify physical coercion context. |
| 75 | +- The dummy plausibility report is a local advisory tool; it does not verify adversarial |
| 76 | + perception. |
| 77 | + |
| 78 | +--- |
| 79 | + |
| 80 | +## Three-Component Architecture |
| 81 | + |
| 82 | +### 1. Silent Standby |
| 83 | + |
| 84 | +Silent Standby provides a coercion-safe transition from a sensitive UI state to a |
| 85 | +non-sensitive standby state. |
| 86 | + |
| 87 | +States: |
| 88 | + |
| 89 | +```text |
| 90 | +active - Normal operation; sensitive UI visible. |
| 91 | +standby - Sensitive UI cleared; non-sensitive screen displayed. |
| 92 | +sealed - Session sealed; re-authentication required to return to active. |
| 93 | +dummy_disclosure - Operator is presenting dummy content as the apparent data. |
| 94 | +``` |
| 95 | + |
| 96 | +Transition rules: |
| 97 | + |
| 98 | +- `active → standby`: Triggered by configurable hotkey (default: Ctrl+S). |
| 99 | +- `standby → sealed`: Automatic; standby always seals the session. |
| 100 | +- `sealed → active`: Requires re-authentication; direct re-entry to prior state is disallowed. |
| 101 | +- `sealed → dummy_disclosure`: Coercion-safe mode routes naturally toward dummy path. |
| 102 | + |
| 103 | +What standby clears: |
| 104 | + |
| 105 | +- Visible sensitive content in the TUI. |
| 106 | +- True-profile UI references. |
| 107 | +- Temporary display buffers. |
| 108 | + |
| 109 | +What standby does NOT do: |
| 110 | + |
| 111 | +- Erase key material from process memory. |
| 112 | +- Prevent a live memory capture from recovering in-use key material. |
| 113 | +- Fabricate system events or fake log entries. |
| 114 | +- Hide the Phasmid process from the process list. |
| 115 | + |
| 116 | +### 2. Plausible Dummy Dataset |
| 117 | + |
| 118 | +Dummy datasets provide a disclosure-ready alternative content set that can plausibly |
| 119 | +stand alone without the true protected content being visible or required. |
| 120 | + |
| 121 | +Dummy content rules: |
| 122 | + |
| 123 | +- Generated or imported before any coercive event. |
| 124 | +- Context-consistent: file types and directory structure match the declared context profile. |
| 125 | +- Occupancy ratio must be plausible relative to the container size. |
| 126 | +- File count and size distribution must be realistic for the declared context. |
| 127 | + |
| 128 | +Explicit restrictions: |
| 129 | + |
| 130 | +- No forged forensic artifacts. |
| 131 | +- No fake kernel logs or system event fabrication. |
| 132 | +- No timestamp forgery or anti-forensic metadata tampering. |
| 133 | +- No intentional forensic-tool deception. |
| 134 | +- No malware-like behavior. |
| 135 | + |
| 136 | +### 3. Context Profile Templates |
| 137 | + |
| 138 | +Context profiles define the expected content structure for a given operational context. |
| 139 | +They guide dummy generation and provide plausibility validation. |
| 140 | + |
| 141 | +Built-in profiles: |
| 142 | + |
| 143 | +| Profile | Intended Use | Typical Content | |
| 144 | +|---|---|---| |
| 145 | +| `travel` | Travel data carrier | Images, itinerary, notes, receipts | |
| 146 | +| `field_engineer` | Engineering field work | Logs, configs, exported diagnostics, manuals | |
| 147 | +| `researcher` | Research material | PDFs, notes, references, exported datasets | |
| 148 | +| `maintenance` | Device maintenance | Diagnostic exports, system check results, update files | |
| 149 | +| `archive` | Long-term archive | Documents, media, backups | |
| 150 | + |
| 151 | +--- |
| 152 | + |
| 153 | +## Coercion-Safe Recognition Fallback |
| 154 | + |
| 155 | +Recognition mode controls how the system responds to low-confidence or failed recognition. |
| 156 | + |
| 157 | +| Mode | Behavior | |
| 158 | +|---|---| |
| 159 | +| `strict` | Mismatch → failure | |
| 160 | +| `coercion_safe` | Low confidence → dummy disclosure path | |
| 161 | +| `demo` | Safe debug visibility | |
| 162 | + |
| 163 | +In `coercion_safe` mode: |
| 164 | + |
| 165 | +- Low recognition confidence routes to dummy disclosure rather than returning an obvious |
| 166 | + access-denied error. |
| 167 | +- Repeated recognition instability also routes to dummy disclosure. |
| 168 | +- The transition is natural and does not produce visible "access denied" loops. |
| 169 | + |
| 170 | +Failure handling rules: |
| 171 | + |
| 172 | +- Repeated obvious lockout messages are avoided. |
| 173 | +- Aggressive error messages are avoided. |
| 174 | +- Visible "access denied" cycling is avoided. |
| 175 | + |
| 176 | +--- |
| 177 | + |
| 178 | +## Allowed and Disallowed Behaviors |
| 179 | + |
| 180 | +### Allowed |
| 181 | + |
| 182 | +- Plausible dummy disclosure using pre-configured content. |
| 183 | +- Privacy-preserving standby transitions that remove sensitive UI state. |
| 184 | +- Ambiguity-preserving workflows where no single observation confirms or denies. |
| 185 | +- Local-only operation with no network side effects. |
| 186 | +- Configurable hotkey-triggered standby. |
| 187 | +- Context-profile-guided dummy structure. |
| 188 | +- Local plausibility reports for operator self-assessment. |
| 189 | + |
| 190 | +### Disallowed |
| 191 | + |
| 192 | +- Rootkits or kernel-level hiding mechanisms. |
| 193 | +- Hidden process persistence. |
| 194 | +- Anti-forensic data destruction triggered by coercion detection. |
| 195 | +- Forensic tool bypass or interference. |
| 196 | +- Malware-like concealment behavior. |
| 197 | +- False system event fabrication. |
| 198 | +- Timestamp forgery. |
| 199 | +- Fake law enforcement or intrusion log generation. |
| 200 | +- Anti-forensic metadata tampering. |
| 201 | + |
| 202 | +--- |
| 203 | + |
| 204 | +## Operational Guidance |
| 205 | + |
| 206 | +Before deployment in any environment where coercion is a realistic risk: |
| 207 | + |
| 208 | +1. Select a context profile appropriate to the operational context. |
| 209 | +2. Populate the dummy dataset with plausible, context-consistent content. |
| 210 | +3. Run the dummy plausibility report and resolve all warnings. |
| 211 | +4. Test the standby transition to confirm it clears the sensitive UI. |
| 212 | +5. Confirm that re-authentication is required to return from standby. |
| 213 | +6. Review the Seizure Review Checklist (`docs/SEIZURE_REVIEW_CHECKLIST.md`). |
| 214 | + |
| 215 | +--- |
| 216 | + |
| 217 | +## References |
| 218 | + |
| 219 | +- `docs/THREAT_MODEL.md` — threat model and adversary definitions |
| 220 | +- `docs/NON_CLAIMS.md` — explicit non-claims inventory |
| 221 | +- `docs/CLAIMS.md` — claims inventory |
| 222 | +- `docs/SEIZURE_REVIEW_CHECKLIST.md` — seizure-condition review checklist |
| 223 | +- `docs/FIELD_TEST_PROCEDURE.md` — field testing procedures |
| 224 | +- `docs/JANUS_EIDOLON_SYSTEM.md` — two-slot architecture specification |
0 commit comments