Threat Model
Source document: docs/en/05-threat-model.md / Propose an edit
Purpose
Section titled “Purpose”This document identifies risks that could move World Foundation Design toward abuse, corruption, domination, conflict, surveillance, or stagnation.
It is used to improve the design before implementation, not to block all experimentation.
Assumptions
Section titled “Assumptions”- Participation, exit, transparency, and forkability are core safety mechanisms.
- This design does not aim at overthrowing states, violence, legal evasion, ideological control, or closed communities.
- Economy, welfare, reputation, arbitration, and infrastructure can create strong power if not bounded.
- Transparency must be balanced with privacy and safety.
- Important changes should be tracked through Proposals and Decisions.
Risks and Mitigations
Section titled “Risks and Mitigations”Power Concentration
Section titled “Power Concentration”Authority, funds, infrastructure, or review power can concentrate in a few actors.
Mitigations: explicit authority, decision logs, conflict-of-interest disclosure, role separation, periodic review, forkability.
Maintainer Corruption
Section titled “Maintainer Corruption”Maintainers may use review, merge, issue management, or moderation powers arbitrarily.
Mitigations: recorded decisions, appeals, multiple reviewers, reviewable maintainer rules.
Founder Worship
Section titled “Founder Worship”Founders or early members may become treated as unreviewable authorities.
Mitigations: documents and Decisions are the reference; founders remain reviewable.
Cult-like Dynamics
Section titled “Cult-like Dynamics”Names, ideology, or loyalty may become informal participation requirements.
Mitigations: Non-goals, Code of Conduct, exit rights, separation between support and ideology.
Loss of Transparency
Section titled “Loss of Transparency”Important decisions, accounting, authority changes, or review reasons may stop being recorded.
Mitigations: Proposals, Decisions, Audit Module, change history.
Surveillance in the Name of Transparency
Section titled “Surveillance in the Name of Transparency”Participants’ private life, communications, beliefs, or behavior may be over-recorded.
Mitigations: public/protected data boundaries, minimal logging, retention limits, appeals.
Loss of Exit
Section titled “Loss of Exit”Participants may become unable to leave because of economy, welfare, reputation, data, or affiliation lock-in.
Mitigations: data portability, exit procedures, support boundaries, forkability.
Economic Lock-in
Section titled “Economic Lock-in”Internal points, life access, or shared purchasing may narrow participants’ external options.
Mitigations: legal/tax review, clear usage limits, external alternatives, rollback plans.
Internal Point Misuse
Section titled “Internal Point Misuse”Internal points may become pseudo-currency, wage substitutes, investment products, or control tools.
Mitigations: pre-implementation Proposal, expert review, clear transferability and convertibility rules, audit logs.
Legal, Tax, Labor, or Financial Conflicts
Section titled “Legal, Tax, Labor, or Financial Conflicts”Poorly designed points, payments, compensation, employment, or life support can create legal risk.
Mitigations: jurisdiction-specific expert review, scoped experiments, risk assessment, Decisions before implementation.
Reputation-based Discrimination
Section titled “Reputation-based Discrimination”Reputation may become a fixed measure of human worth or a broad exclusion tool.
Mitigations: contextual reputation, explainable evidence, appeals, updateability, limited use.
Welfare as Control
Section titled “Welfare as Control”Life support may become conditional on obedience, ideology, work, or continued affiliation.
Mitigations: documented support conditions, recorded rationale, appeals, separation from ideology.
Arbitration as Private Punishment
Section titled “Arbitration as Private Punishment”Arbitration may become punishment, exclusion, or public shaming rather than due process.
Mitigations: evidence records, right to respond, conflict-of-interest disclosure, appeals.
Infrastructure Surveillance or Censorship
Section titled “Infrastructure Surveillance or Censorship”Infrastructure providers may monitor or restrict participants and discussions.
Mitigations: data portability, backups, decentralization, log boundaries, alternative infrastructure.
Translation Drift
Section titled “Translation Drift”Translations may change voluntary and non-coercive ideas into controlling or hostile language.
Mitigations: single Glossary, Translation Issues, status tracking, review of important Decisions.
Unnecessary Hostility Toward States or Society
Section titled “Unnecessary Hostility Toward States or Society”Language may become provocative rather than focused on gradual dependency reduction.
Mitigations: Safety, Non-goals, PR checks, legal connection principles, wording review.
External Capture
Section titled “External Capture”Companies, political groups, funders, or bad-faith actors may capture governance.
Mitigations: conflict-of-interest disclosure, role separation, Decision Logs, maintainer review.
Discussion Breakdown
Section titled “Discussion Breakdown”Personal attacks, spam, provocation, or unstructured abstraction can make review impossible.
Mitigations: Code of Conduct, issue templates, topic decomposition, recorded moderation.
Mission Drift
Section titled “Mission Drift”Documents and processes may grow without improving survival anxiety, cooperation, or freedom.
Mitigations: roadmap completion criteria, small experiments, periodic review.
Module Responsibility Creep
Section titled “Module Responsibility Creep”Modules may exceed their scope, such as reputation controlling economy or audit becoming surveillance.
Mitigations: module READMEs, architecture review, Proposal checks for scope boundaries.
Convenience as De Facto Coercion
Section titled “Convenience as De Facto Coercion”Useful infrastructure can become effectively mandatory if alternatives disappear.
Mitigations: external alternatives, exit procedures, staged adoption, no penalty for non-participation.
Multi-affiliation Becoming Nominal
Section titled “Multi-affiliation Becoming Nominal”Multi-affiliation may exist in language while dependence on one organization or protocol grows.
Mitigations: open protocols, data portability, forkability, local autonomy.
Norms Becoming a Private Legal System
Section titled “Norms Becoming a Private Legal System”Shared rules may be used as an illegal replacement for state law.
Mitigations: respect state law, require expert review where needed, check Non-goals, and define boundaries with arbitration.
Public Safety Becoming Vigilantism
Section titled “Public Safety Becoming Vigilantism”Safety work may become private punishment, surveillance, exclusion, or armed organization.
Mitigations: ban private punishment, define reporting paths, connect to public institutions where appropriate, audit safety actions.
Federation Becoming Central Rule
Section titled “Federation Becoming Central Rule”Federation may become a central authority instead of an interoperability protocol.
Mitigations: exit procedures, local autonomy, minimal shared protocols, Proposal requirements for federation standard changes.
Founder Authority Becoming Permanent
Section titled “Founder Authority Becoming Permanent”Founders or early administrators may keep permanent authority or informal veto power.
Mitigations: Founder Non-privilege Decision, conflict-of-interest disclosure, reviewability of founder statements, authority transfer procedures.