WitnessVault — Product Specification¶
Status: Foundation Product (Build First)
Priority: P0. Defines the security patterns for all other products.
Overview¶
WitnessVault is encrypted storage with dead man's switch capability. It's designed for people who have information that must be protected during their life and released if something happens to them.
Target Users¶
- Journalists with sensitive sources
- Whistleblowers with evidence
- Activists in dangerous situations
- Abuse survivors documenting patterns
- Anyone with "insurance" information
Core Value Proposition¶
"If something happens to me, this information goes to the people who need it."
User Stories¶
Primary Flow¶
As a journalist,
I want to store evidence of corporate wrongdoing,
So that if I'm silenced, the evidence still gets out.
As an abuse survivor,
I want to document incidents over time,
So that if something happens to me, there's a record.
As an activist,
I want to store information about government overreach,
So that my work continues even if I can't.
Dead Man's Switch¶
As a user,
I want the system to check if I'm okay periodically,
So that my designated recipients get access if I stop responding.
As a user,
I want multiple verification methods before my vault releases,
So that a missed check-in doesn't accidentally expose my information.
Deterrence¶
As a user,
I want to be able to prove my vault exists without revealing contents,
So that potential adversaries know I have insurance.
Features¶
MVP (Phase 2)¶
| Feature | Description | Priority |
|---|---|---|
| Encrypted Vault | Upload and store encrypted documents | P0 |
| Dead Man's Switch | Periodic check-in with release trigger | P0 |
| Executor Access | Designate who receives access | P0 |
| Multi-Signal Verification | Require 2+ signals before trigger | P0 |
| Audit Trail | Tamper-evident log of all actions | P0 |
| Simulation Mode | Test trigger without executing | P0 |
V1¶
| Feature | Description | Priority |
|---|---|---|
| Class C Encryption | Zero-knowledge option for maximum protection | P1 |
| Existence Proof | Prove vault exists without revealing contents | P1 |
| Multiple Recipients | Different documents to different recipients | P1 |
| Tiered Release | Some documents immediately, others delayed | P1 |
| Secondary Contacts | Contacts who can confirm user status | P1 |
V2¶
| Feature | Description | Priority |
|---|---|---|
| Legal Integration | Connect with attorney for triggered release | P2 |
| Media Verification | Integration with journalist verification services | P2 |
| Decoy Vault | Secondary vault with plausible deniable content | P2 |
| Geographic Trigger | Release if user enters/exits certain areas | P2 |
Encryption Model¶
Default: Class C (Zero-Knowledge)¶
WitnessVault evidence is Class C by default:
- Encrypted on the client before upload
- The server never holds decryption keys
- Even under subpoena, we can only provide ciphertext
"Zero-knowledge" here means only that the server stores ciphertext it cannot open; it is not a zero-knowledge proof in the cryptographic sense. Class C also rests on the integrity of the client code that does the encrypting: a browser client is only as trustworthy as the JavaScript the platform serves it, so the code path that delivers the client must be protected as carefully as the key material.
Exception: Class B for Recipients¶
If the user wants recipients to access content without pre-shared keys:
- Document encrypted Class B
- Content key escrowed with the platform, bound to the trigger
- Key released to recipients during trigger execution
Because the key is escrowed, the platform (and anyone who compromises or compels it) can decrypt a Class B document at any time, not only at trigger execution; the trigger is a policy gate, not a cryptographic one. Class B is therefore an explicit per-document opt-in, never a silent default.
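The difference between the two classes is easiest to see in the key material the server ends up holding. The following is an added example, not vault-core code: it uses per-document envelope encryption with AES-256-GCM from node:crypto, derives the user's key-encryption key (KEK) with scrypt, and shows that the server can open a Class B record with its escrow key but has nothing to try against a Class C record. The record layout, the AAD labels and the function names are assumptions made for this illustration.

```typescript
// Added example (not vault-core code): per-document envelope encryption showing
// what the platform can and cannot open under Class C versus Class B.
// Record layout, AAD labels and names are assumptions for this illustration.
import { createCipheriv, createDecipheriv, randomBytes, scryptSync } from "node:crypto";

type Protection = "C" | "B";

interface SealedBlob { iv: string; ciphertext: string; tag: string } // all base64

interface StoredDocument {
  protection: Protection;
  body: SealedBlob;                     // document under a fresh random content key
  userWrappedKey: SealedBlob;           // content key wrapped under the user's KEK
  escrowWrappedKey: SealedBlob | null;  // Class B only: content key under the platform escrow key
}

// Memory-hard KDF from the user's passphrase; the salt is stored with the vault and is not secret.
function deriveKek(passphrase: string, salt: Buffer): Buffer {
  return scryptSync(passphrase, salt, 32, { N: 1 << 14, r: 8, p: 1 });
}

// AES-256-GCM with a label as associated data, so a Class B wrap cannot be
// passed off as a Class C one (or vice versa) by editing the stored record.
function seal(key: Buffer, plaintext: Buffer, label: string): SealedBlob {
  const iv = randomBytes(12);
  const cipher = createCipheriv("aes-256-gcm", key, iv);
  cipher.setAAD(Buffer.from(label));
  const ciphertext = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return { iv: iv.toString("base64"), ciphertext: ciphertext.toString("base64"), tag: cipher.getAuthTag().toString("base64") };
}

function unseal(key: Buffer, blob: SealedBlob, label: string): Buffer {
  const decipher = createDecipheriv("aes-256-gcm", key, Buffer.from(blob.iv, "base64"));
  decipher.setAAD(Buffer.from(label));
  decipher.setAuthTag(Buffer.from(blob.tag, "base64"));
  // Throws if the key is wrong or the blob was tampered with.
  return Buffer.concat([decipher.update(Buffer.from(blob.ciphertext, "base64")), decipher.final()]);
}

// Client side: encrypt and wrap. Only Class B ever produces an escrow blob.
function storeDocument(plaintext: Buffer, protection: Protection, userKek: Buffer, platformEscrowKey?: Buffer): StoredDocument {
  const contentKey = randomBytes(32);
  const body = seal(contentKey, plaintext, `doc:${protection}`);
  const userWrappedKey = seal(userKek, contentKey, "wrap:user");
  let escrowWrappedKey: SealedBlob | null = null;
  if (protection === "B") {
    if (!platformEscrowKey) throw new Error("Class B requires the platform escrow key");
    escrowWrappedKey = seal(platformEscrowKey, contentKey, "wrap:escrow");
  }
  return { protection, body, userWrappedKey, escrowWrappedKey };
}

// User (or a recipient holding the pre-shared KEK) decrypts.
function userDecrypt(doc: StoredDocument, userKek: Buffer): Buffer {
  const contentKey = unseal(userKek, doc.userWrappedKey, "wrap:user");
  return unseal(contentKey, doc.body, `doc:${doc.protection}`);
}

// Platform side: everything the server stores plus its escrow key.
// For Class C there is no escrow blob, so the answer is null no matter what the server knows.
function platformDecrypt(doc: StoredDocument, platformEscrowKey: Buffer): Buffer | null {
  if (doc.escrowWrappedKey === null) return null;
  const contentKey = unseal(platformEscrowKey, doc.escrowWrappedKey, "wrap:escrow");
  return unseal(contentKey, doc.body, `doc:${doc.protection}`);
}

// Constructed sample: the same memo stored once per class.
function demo() {
  const salt = randomBytes(16);
  const userKek = deriveKek("correct horse battery staple", salt);
  const platformEscrowKey = randomBytes(32);
  const evidence = Buffer.from("constructed sample: memo dated 2024-03-01");
  return {
    evidence, userKek, platformEscrowKey,
    classC: storeDocument(evidence, "C", userKek),
    classB: storeDocument(evidence, "B", userKek, platformEscrowKey),
  };
}
```

Note that `platformDecrypt` never gets to attempt anything against a Class C record: there is no escrow blob to unwrap, so the subpoena answer is "ciphertext only" by construction rather than by policy. A wrong passphrase fails GCM authentication instead of producing garbage, which is the behaviour you want before a recipient acts on a document.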
User Choice¶
Users explicitly choose encryption class per document:
┌─────────────────────────────────────────────────────────────────────┐
│ Upload Document │
├─────────────────────────────────────────────────────────────────────┤
│ │
│ Protection Level: │
│ │
│ ○ Maximum Protection (Class C) │
│ • Only you and your recipients can decrypt │
│ • We never hold the key, so we cannot decrypt this content │
│ • You must share decryption keys with recipients separately │
│ │
│ ○ Recipient Access (Class B) │
│ • Your recipients can access without pre-shared keys │
│ • We hold an escrowed key and can decrypt this content │
│ • Subject to legal process in extreme cases │
│ │
│ For sensitive evidence, we recommend Maximum Protection. │
│ │
└─────────────────────────────────────────────────────────────────────┘
Dead Man's Switch Configuration¶
Check-In Intervals¶
| Interval | Use Case | False-Trigger Risk |
|---|---|---|
| 3 days | High-risk situations | High (easy to miss) |
| 7 days | Active journalists/activists | Medium |
| 14 days | General use | Low |
| 30 days | Long-term storage | Very Low |
Recommendation: Start with 14 days. Users can reduce if needed.
Verification Methods¶
- Web Check-In: Log in to dashboard
- Email Link: Click unique link in reminder email
- SMS Code: Reply to SMS with code
- App Push: Confirm in mobile app
Multi-Signal Requirement¶
Before the trigger fires, require all of:
- Primary check-in missed
- 2+ reminder channels unacknowledged
- Grace period elapsed
- (Optional) Secondary contact confirms concern
Any acknowledged reminder, or a secondary contact confirming the user is okay, holds the trigger. Missing or ambiguous signals also hold it: the switch fails closed.
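The requirement above is a conjunction of signals evaluated against a clock, which is exactly the kind of logic that should be a pure function so that Simulation Mode can run it without side effects. The following is an added example, not the vault-core trigger engine: it evaluates one check-in cycle and returns a decision with a reason, failing closed on every path but the last. The config and state shapes, the channel names and the sample dates are constructed for this illustration.

```typescript
// Added example (not the vault-core trigger engine): pure evaluation of the
// multi-signal dead man's switch. Types, field names and sample data are assumptions.
const DAY_MS = 86_400_000;

type Channel = "email" | "sms" | "push" | "web";

interface SwitchConfig {
  checkInIntervalDays: number;
  gracePeriodDays: number;
  minUnacknowledgedChannels: number;        // spec: 2+
  requireSecondaryContactConcern: boolean;  // the optional fourth signal
}

interface Reminder { channel: Channel; sentAt: Date; acknowledgedAt: Date | null }
interface SecondaryResponse { contact: string; respondedAt: Date; userIsOkay: boolean }

interface SwitchState {
  lastCheckInAt: Date;
  reminders: Reminder[];
  secondaryResponses: SecondaryResponse[];
  userAborted: boolean;  // user hit "I'm fine" during the abort window
}

interface Decision { fire: boolean; reason: string }

// Every early return is fail-closed: when in doubt, nothing is released.
function evaluateTrigger(cfg: SwitchConfig, st: SwitchState, now: Date): Decision {
  if (st.userAborted) return { fire: false, reason: "user aborted during abort window" };

  const deadline = st.lastCheckInAt.getTime() + cfg.checkInIntervalDays * DAY_MS;
  if (now.getTime() < deadline) return { fire: false, reason: "check-in not yet due" };

  // Only reminders from this cycle count; an acknowledged one is a check-in by another name.
  const cycle = st.reminders.filter(r => r.sentAt.getTime() >= deadline);
  if (cycle.some(r => r.acknowledgedAt !== null)) return { fire: false, reason: "a reminder was acknowledged" };

  const graceEnd = deadline + cfg.gracePeriodDays * DAY_MS;
  if (now.getTime() < graceEnd) return { fire: false, reason: "grace period still running" };

  // Distinct channels, so two emails do not count as two signals.
  const silentChannels = new Set(cycle.map(r => r.channel));
  if (silentChannels.size < cfg.minUnacknowledgedChannels) {
    return { fire: false, reason: `only ${silentChannels.size} channel(s) unacknowledged; need ${cfg.minUnacknowledgedChannels}` };
  }

  if (st.secondaryResponses.some(s => s.userIsOkay)) return { fire: false, reason: "secondary contact confirmed user is okay" };
  if (cfg.requireSecondaryContactConcern && !st.secondaryResponses.some(s => !s.userIsOkay)) {
    return { fire: false, reason: "no secondary contact has expressed concern" };
  }

  return { fire: true, reason: `check-in missed, ${silentChannels.size} channels silent, grace elapsed` };
}

// Constructed sample cycle: 14-day interval, 3-day grace, two silent channels.
const baseConfig: SwitchConfig = { checkInIntervalDays: 14, gracePeriodDays: 3, minUnacknowledgedChannels: 2, requireSecondaryContactConcern: false };

function baseState(): SwitchState {
  return {
    lastCheckInAt: new Date("2024-03-01T00:00:00Z"),                 // deadline 03-15, grace ends 03-18
    reminders: [
      { channel: "email", sentAt: new Date("2024-03-15T01:00:00Z"), acknowledgedAt: null },
      { channel: "sms", sentAt: new Date("2024-03-16T01:00:00Z"), acknowledgedAt: null },
    ],
    secondaryResponses: [],
    userAborted: false,
  };
}

// Simulation Mode is this same evaluation without the release side effect.
function runScenarios() {
  const now = new Date("2024-03-19T00:00:00Z");
  const silent = baseState();
  const acked = baseState();
  acked.reminders[1].acknowledgedAt = new Date("2024-03-16T02:00:00Z");
  const oneChannel = baseState();
  oneChannel.reminders.pop();
  const momSaysOk = baseState();
  momSaysOk.secondaryResponses.push({ contact: "Mom", respondedAt: new Date("2024-03-17T00:00:00Z"), userIsOkay: true });
  return {
    silent: evaluateTrigger(baseConfig, silent, now),
    acked: evaluateTrigger(baseConfig, acked, now),
    oneChannel: evaluateTrigger(baseConfig, oneChannel, now),
    momSaysOk: evaluateTrigger(baseConfig, momSaysOk, now),
    inGrace: evaluateTrigger(baseConfig, baseState(), new Date("2024-03-17T00:00:00Z")),
  };
}
```

Because the function takes `now` as a parameter rather than reading the system clock, the same code serves the live trigger engine, Simulation Mode, and replay from the audit trail: feed it the recorded state and timestamps and it must reproduce the decision that was logged.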
Existence Proof¶
Problem¶
Users may want to deter adversaries by proving they have a vault without revealing contents.
Solution¶
Generate a cryptographic proof that:
- A vault exists
- It contains N documents
- It was created on [date]
- It's configured to release to [N] recipients
Without revealing:
- Document contents
- Recipient identities
- Trigger configuration
Implementation¶
interface ExistenceProof {
vaultId: string; // Public identifier
documentCount: number;
createdAt: Date;
recipientCount: number;
// Cryptographic commitments
contentCommitment: string; // Merkle root (or hash) over the document hashes
configCommitment: string; // Hash of trigger config plus a user-held random blinding value;
// trigger configs have little entropy, so an unblinded hash could be opened by guessing
// Signature from platform
platformSignature: string;
timestamp: Date;
}
// User can share: "Here's proof I have insurance"
// Verifier checks the platform signature offline against the platform's published public key,
// so the platform does not learn who is verifying or when
// Neither party learns vault contents; the proof deliberately reveals only the vault identifier,
// document count, recipient count and dates
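The interface above fixes the fields; what makes it a proof is a deterministic encoding the platform signs and a verifier can check without talking to the platform. The following is an added example, not vault-core code: it builds the content commitment as a Merkle root over document hashes, blinds the trigger-config commitment with a user-held random value, signs the canonical encoding with an Ed25519 platform key from node:crypto, and verifies offline. The vault identifier, sample document hashes, dates and the canonical array encoding are constructed assumptions.

```typescript
// Added example (not vault-core code): issuing and verifying an existence proof.
// Canonical encoding, Merkle construction, sample data and names are assumptions.
import { createHash, generateKeyPairSync, randomBytes, sign, verify, KeyObject } from "node:crypto";

interface ExistenceProof {
  vaultId: string; documentCount: number; createdAt: string; recipientCount: number;
  contentCommitment: string; configCommitment: string; platformSignature: string; timestamp: string;
}

interface TriggerConfig { checkInIntervalDays: number; gracePeriodDays: number; channels: string[] }

function sha256(...parts: Buffer[]): Buffer {
  const h = createHash("sha256");
  for (const p of parts) h.update(p);
  return h.digest();
}

// Merkle root over document hashes. Leaves and interior nodes are domain-separated
// (0x00 / 0x01) so a node cannot be presented as a leaf; the last node is duplicated
// on odd levels. Order matters, so the client must store the leaf order it committed to.
function merkleRoot(leaves: Buffer[]): Buffer {
  if (leaves.length === 0) return sha256(Buffer.from("empty-vault"));
  let level = leaves.map(l => sha256(Buffer.from([0x00]), l));
  while (level.length > 1) {
    const next: Buffer[] = [];
    for (let i = 0; i < level.length; i += 2) {
      const right = level[i + 1] ?? level[i];
      next.push(sha256(Buffer.from([0x01]), level[i], right));
    }
    level = next;
  }
  return level[0];
}

// Trigger configs come from a small menu (14 days, 3 days grace, email+SMS ...),
// so without a secret blinding value the commitment could be opened by enumeration.
function commitConfig(cfg: TriggerConfig, blind: Buffer): string {
  return sha256(blind, Buffer.from(JSON.stringify(cfg))).toString("hex");
}

// Fixed-order array, not an object, so key ordering cannot change the signed bytes.
function signable(p: Omit<ExistenceProof, "platformSignature">): Buffer {
  return Buffer.from(JSON.stringify([p.vaultId, p.documentCount, p.createdAt, p.recipientCount,
    p.contentCommitment, p.configCommitment, p.timestamp]));
}

// Platform side: it sees only hashes and commitments, never plaintext.
function issueProof(vaultId: string, docHashes: Buffer[], recipientCount: number, createdAt: Date,
                    configCommitment: string, platformPrivateKey: KeyObject, now: Date): ExistenceProof {
  const unsigned = {
    vaultId, documentCount: docHashes.length, createdAt: createdAt.toISOString(), recipientCount,
    contentCommitment: merkleRoot(docHashes).toString("hex"), configCommitment, timestamp: now.toISOString(),
  };
  const platformSignature = sign(null, signable(unsigned), platformPrivateKey).toString("base64");
  return { ...unsigned, platformSignature };
}

// Verifier side: needs only the proof and the platform's published public key.
function verifyProof(p: ExistenceProof, platformPublicKey: KeyObject): boolean {
  const { platformSignature, ...unsigned } = p;
  return verify(null, signable(unsigned), platformPublicKey, Buffer.from(platformSignature, "base64"));
}

// Constructed sample: three stand-in document hashes, a blinded config, and one tampered copy.
function demo() {
  const { publicKey, privateKey } = generateKeyPairSync("ed25519");
  const docHashes = ["evidence_2024.pdf", "communications.zip", "recording.mp4"].map(n => sha256(Buffer.from(`stand-in contents of ${n}`)));
  const blind = randomBytes(32);
  const cfg: TriggerConfig = { checkInIntervalDays: 14, gracePeriodDays: 3, channels: ["email", "sms"] };
  const proof = issueProof("vault-7f3a", docHashes, 2, new Date("2024-01-15T00:00:00Z"), commitConfig(cfg, blind), privateKey, new Date("2024-06-01T00:00:00Z"));
  const tampered: ExistenceProof = { ...proof, documentCount: 30 };
  return { proof, tampered, publicKey, cfg, blind, docHashes };
}
```

Two properties worth checking before shipping anything like this: the signature must break when any committed field changes (the `tampered` copy inflates the document count), and the config commitment must open only with the blinding value the user kept. The Merkle root also lets the user later reveal one document hash with an inclusion path without disclosing the others, which is the natural extension if "Tiered Release" needs selective disclosure.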
UI Flow¶
1. Vault Setup¶
┌─────────────────────────────────────────────────────────────────────┐
│ Create Your Vault │
├─────────────────────────────────────────────────────────────────────┤
│ │
│ Step 1 of 4: Why are you here? │
│ │
│ This helps us suggest the right settings. │
│ │
│ ○ I'm a journalist protecting sources │
│ ○ I'm documenting abuse or harassment │
│ ○ I have evidence of wrongdoing │
│ ○ I'm an activist or human rights worker │
│ ○ Something else (general protection) │
│ │
│ [Continue] │
│ │
└─────────────────────────────────────────────────────────────────────┘
2. Add Documents¶
┌─────────────────────────────────────────────────────────────────────┐
│ Add Documents to Your Vault │
├─────────────────────────────────────────────────────────────────────┤
│ │
│ ┌─────────────────────────────────────────────────────────────┐ │
│ │ │ │
│ │ Drag files here or click to browse │ │
│ │ │ │
│ │ Files are encrypted in your browser before upload. │ │
│ │ We never see the contents. │ │
│ │ │ │
│ └─────────────────────────────────────────────────────────────┘ │
│ │
│ Documents: │
│ ┌───────────────────────────────────────────────────────────────┐ │
│ │ 📄 evidence_2024.pdf 45 KB Class C [Remove] │ │
│ │ 📄 communications.zip 2.1 MB Class C [Remove] │ │
│ │ 📹 recording.mp4 156 MB Class C [Remove] │ │
│ └───────────────────────────────────────────────────────────────┘ │
│ │
│ [Add More] [Continue] │
│ │
└─────────────────────────────────────────────────────────────────────┘
3. Configure Recipients¶
┌─────────────────────────────────────────────────────────────────────┐
│ Who Should Receive Your Vault? │
├─────────────────────────────────────────────────────────────────────┤
│ │
│ If your dead man's switch triggers, these people receive access. │
│ │
│ Recipients: │
│ ┌───────────────────────────────────────────────────────────────┐ │
│ │ 👤 Sarah Chen (Colleague) │ │
│ │ sarah@newsorg.com │ │
│ │ Access: All documents │ │
│ │ [Edit] [Remove] │ │
│ └───────────────────────────────────────────────────────────────┘ │
│ ┌───────────────────────────────────────────────────────────────┐ │
│ │ 👤 Legal Defense Fund │ │
│ │ legal@defensefund.org │ │
│ │ Access: Legal documents only │ │
│ │ [Edit] [Remove] │ │
│ └───────────────────────────────────────────────────────────────┘ │
│ │
│ [Add Recipient] [Continue] │
│ │
└─────────────────────────────────────────────────────────────────────┘
4. Configure Dead Man's Switch¶
┌─────────────────────────────────────────────────────────────────────┐
│ Configure Your Dead Man's Switch │
├─────────────────────────────────────────────────────────────────────┤
│ │
│ How often should we check on you? │
│ │
│ Check-in interval: [14 days ▼] │
│ │
│ Reminder channels: │
│ ☑ Email (required) │
│ ☑ SMS │
│ ☐ Push notification │
│ │
│ Grace period: [3 days] after missed check-in │
│ │
│ Secondary contacts (optional): │
│ People who can confirm you're okay before trigger fires. │
│ ┌───────────────────────────────────────────────────────────────┐ │
│ │ 👤 Mom │ │
│ │ mom@email.com | +1-555-123-4567 │ │
│ └───────────────────────────────────────────────────────────────┘ │
│ [Add Secondary Contact] │
│ │
│ [Back] [Activate Vault] │
│ │
└─────────────────────────────────────────────────────────────────────┘
Security Considerations¶
Threat Model¶
| Threat | Mitigation |
|---|---|
| Platform compromise | Class C encryption (we hold only ciphertext); the client delivery path must still be protected, since a compromised platform could serve a malicious client |
| Subpoena | We only have ciphertext for Class C; Class B escrowed keys are reachable by legal process |
| Coerced disclosure | Existence proof without content |
| Device seizure | No local storage; keys derived from password (only as strong as the passphrase and the KDF) |
| Phishing for account credentials | Multi-factor check-in; secondary contacts |
| False trigger | Multi-signal verification; abort windows |
What We Can't Protect Against¶
- User's password being compromised
- All recipients being compromised
- User being coerced into disabling vault
- Government-level adversary with physical access to user
Pricing¶
| Tier | Storage | Features | Price |
|---|---|---|---|
| Free | 100 MB | 1 vault, 1 recipient, basic switch | $0 |
| Individual | 5 GB | Unlimited vaults, 5 recipients, Class C | $9/mo |
| Professional | 50 GB | + Per-document recipient routing, existence proof, priority support | $29/mo |
| Organization | Custom | + Team management, legal integration, dedicated support | Contact us |
Success Metrics¶
| Metric | Target | Why |
|---|---|---|
| Triggers executed correctly | 100% | Core function |
| False positive rate | < 0.1% | Trust |
| Check-in completion rate | > 95% | User engagement |
| Export success rate | 100% | Continuity |
Dependencies¶
- Encryption Service (vault-core)
- Key Management (vault-core)
- Trigger Engine (vault-core)
- Notification Service (vault-core)
- Audit Logger (vault-core)
WitnessVault is the foundation product. Its security patterns define the standard for all other products.