Vision & Design Principles
Project Philosophy
This is a non-profit, community-driven project. The goal is to use mobile devices to bring people together in real life. We prefer to join existing open-source projects or build upon their work — not to compete with them. If an existing project (like Berty, Briar, or p2panda) can be extended to meet these goals, that's better than starting from scratch.
Core Requirements
- Physical-first trust: Contacts are only established through in-person interaction (NFC tap, QR scan, Bluetooth handshake)
- Proximity discovery: Users only discover others when physically nearby — no remote search, no user directories
- Online communication (optional): After initial physical meeting, users may connect online — but this is not required
- No single point of surveillance: Messages, metadata, and the social graph must not be visible to any one entity
- Structural privacy by default: Privacy is not a setting users toggle on — it is an architectural property of the system. The protocol itself must make mass surveillance technically infeasible, not just policy-prohibited
- Anonymity by default: Users should not need to provide real names, phone numbers, emails, or any identifying information. Identities are cryptographic keypairs, nothing more
- Offline-only viability: The app must be fully functional without ever connecting to the internet. Short-range communication (Bluetooth, WiFi Direct) should be a first-class mode, not a fallback
Never-Online as a Feature
The strongest privacy guarantee is never transmitting data over the internet at all. A purely short-range system means:
- No IP addresses to log
- No DNS lookups to monitor
- No traffic analysis possible beyond physical proximity
- No server to subpoena
- The social graph is limited to what can be physically observed
This is the gold standard. Online connectivity should be treated as an optional upgrade that users consciously opt into, with clear tradeoffs explained.
Structural Privacy vs. Policy Privacy
Most apps promise privacy through policy ("we don't log X"). Structural privacy means the system cannot violate privacy even if the operator wants to:
- No server holds the social graph → it cannot be leaked
- Messages are E2E encrypted → operator cannot read them
- No user directory exists → mass scraping is impossible
- Metadata is minimized at the protocol level → traffic analysis yields little
Anonymity Layers
- Layer 1 — Identity: Cryptographic keypair only. No PII required at any point
- Layer 2 — Network: No IP addresses in offline mode. Tor or mixnets when online
- Layer 3 — Social: No global username namespace. Contacts know you by the name they assign, or a local nickname you share at meeting time
- Layer 4 — Temporal: Message expiration / ephemeral modes to limit forensic exposure
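The following is an added example, not code from this project: a stdlib-only Python model of the physical-first pairing from Core Requirements together with anonymity layers 1, 3 and 4 above. Two people exchange a QR/NFC code in person and end up knowing each other only by a key fingerprint and a nickname each chose locally; a party who never saw the screen cannot pair, the same code cannot be replayed, and stored messages carry an expiry. Assumptions of the example: public keys are random byte strings standing in for real signing keys (e.g. Ed25519), the proof of presence is an HMAC over a nonce that only ever appears on the displayed code, and all class and function names are the example's own.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional

# A contact record holds a public key and a locally chosen nickname, nothing
# else: there is no field in which a phone number, e-mail or real name could
# even be stored (structural privacy rather than a policy promise).
CONTACT_FIELDS = ("key", "nickname")


@dataclass
class Identity:
    # 32 random bytes stand in for a real signing key (e.g. Ed25519) so the
    # example stays stdlib-only; this stand-in is an assumption of the example.
    public_key: bytes
    contacts: dict = field(default_factory=dict)   # fingerprint -> contact record
    messages: list = field(default_factory=list)   # ephemeral inbox
    pending: set = field(default_factory=set)      # nonces currently shown on screen

    @classmethod
    def generate(cls) -> "Identity":
        return cls(public_key=secrets.token_bytes(32))

    @staticmethod
    def fingerprint_of(key: bytes) -> str:
        return hashlib.sha256(key).hexdigest()[:16]

    def fingerprint(self) -> str:
        return self.fingerprint_of(self.public_key)

    # Layer 1 + physical-first trust: pairing starts only from a code shown in person.
    def show_pairing_code(self) -> dict:
        """Payload rendered as a QR code or NFC record. The nonce exists only on
        this screen, so whoever answers with it was physically present."""
        nonce = secrets.token_bytes(16)
        self.pending.add(nonce)
        return {"key": self.public_key.hex(), "nonce": nonce.hex()}

    def scan_pairing_code(self, payload: dict, nickname: str) -> dict:
        """Scanner side: store the shown key under a nickname chosen locally and
        build the proof of presence sent back over the short-range link."""
        their_key = bytes.fromhex(payload["key"])
        nonce = bytes.fromhex(payload["nonce"])
        self._add_contact(their_key, nickname)
        tag = hmac.new(nonce, self.public_key, hashlib.sha256).digest()
        return {"key": self.public_key.hex(), "tag": tag.hex()}

    def accept_pairing_proof(self, proof: dict, nickname: str) -> bool:
        """Displayer side: accept only a proof keyed by a nonce we showed in
        person, then retire that nonce so the same code cannot be replayed."""
        their_key = bytes.fromhex(proof["key"])
        tag = bytes.fromhex(proof["tag"])
        for nonce in list(self.pending):
            expected = hmac.new(nonce, their_key, hashlib.sha256).digest()
            if hmac.compare_digest(expected, tag):
                self.pending.discard(nonce)
                self._add_contact(their_key, nickname)
                return True
        return False

    # Layer 3: names are local to each contact book, never a global namespace.
    def _add_contact(self, key: bytes, nickname: str) -> None:
        record = {"key": key, "nickname": nickname}
        assert tuple(record) == CONTACT_FIELDS      # no PII fields can sneak in
        self.contacts[self.fingerprint_of(key)] = record

    # Layer 4: every message carries an expiry and is purged afterwards.
    def store_message(self, from_fp: str, body: str, ttl: float,
                      now: Optional[float] = None) -> None:
        now = time.time() if now is None else now
        self.messages.append({"from": from_fp, "body": body, "expires": now + ttl})

    def purge_expired(self, now: Optional[float] = None) -> int:
        """Drop messages past their expiry; returns how many were removed."""
        now = time.time() if now is None else now
        before = len(self.messages)
        self.messages = [m for m in self.messages if m["expires"] > now]
        return before - len(self.messages)


def demo() -> dict:
    """Alice and Bob meet in person; each ends up knowing the other only by a
    key and a nickname of their own choosing. Eve never saw the screen, so her
    proof is built on a guessed nonce and is rejected."""
    alice, bob, eve = Identity.generate(), Identity.generate(), Identity.generate()
    code = alice.show_pairing_code()                         # on Alice's display
    proof = bob.scan_pairing_code(code, nickname="Alice from the park")
    paired = alice.accept_pairing_proof(proof, nickname="bike guy")
    guessed = hmac.new(secrets.token_bytes(16), eve.public_key, hashlib.sha256)
    forged = {"key": eve.public_key.hex(), "tag": guessed.hexdigest()}
    eve_paired = alice.accept_pairing_proof(forged, nickname="???")
    alice.store_message(bob.fingerprint(), "see you Saturday", ttl=60, now=1000.0)
    purged = alice.purge_expired(now=1061.0)
    return {"paired": paired, "eve_paired": eve_paired,
            "alice_calls_bob": alice.contacts[bob.fingerprint()]["nickname"],
            "bob_calls_alice": bob.contacts[alice.fingerprint()]["nickname"],
            "purged": purged, "messages_left": len(alice.messages)}
```

Running `demo()` returns a dictionary showing the pairing succeeded for Bob and failed for Eve, that Alice and Bob hold different local names for each other, and that the expired message was purged. The design point is that the only secret binding the two contact books together was visible on one screen in one room; nothing in the exchange needs a server, a directory or a network address.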