Name the fight · public
Threat model
Privacy products fail when they market vibes. A threat model names who might hurt you, what they want, what we do, and what we still cannot stop.
ddl-threats/1 · updated 2026-07-11
T1 — Upstream search / model provider
reduced- Wants
- Link prompts or queries to a person or durable profile
- Asset
- Query text, prompt text, IP, account ids
- Mitigation
- Server-side proxy; no client IP to provider; no user-tied conversation ids; hashed aggregate stems only
- Residual
- Provider may log content; proxy operator sees content in transit
T2 — Curious proxy operator (us)
reduced- Wants
- Build dossiers from demo usage
- Asset
- Queries, prompts, identity
- Mitigation
- Schema forbids who→what joins; Glass Box + unit tests; invite-only reduces casual abuse
- Residual
- We could change the code; verifiability and public claims make silent betrayal harder to hide
T3 — Bot / scraper burning paid APIs
mitigated- Wants
- Drain Brave / model budget
- Asset
- API keys, money
- Mitigation
- Invite-only allowlist, HumanVerify, rate limits, constant-response OTP
- Residual
- Compromised allowlisted mailbox
T4 — Passive network observer on the client path
reduced- Wants
- See destinations and metadata
- Asset
- SNI, timing, destinations
- Mitigation
- TLS to our origin; third-party calls originate from server
- Residual
- Observer still sees you talk to duckduckllama.com
T5 — Malicious page under tracker analysis
reduced- Wants
- Attack the fetcher (SSRF, huge payloads)
- Asset
- Server resources, internal network
- Mitigation
- http(s) only, timeouts, size cap, no internal redirect follow into RFC1918 (best-effort)
- Residual
- SSRF hardening can always deepen
T6 — Future agent tooling
reduced- Wants
- Exfiltrate PII via tool calls
- Asset
- User content in agent loops
- Mitigation
- PII gateway + egress policy labels; preflight preview before send
- Residual
- Pattern detectors miss novel PII; full agent sandbox not shipped
T7 — Compelled disclosure / breach of our DB
accepted- Wants
- Historical content
- Asset
- Anything durable
- Mitigation
- Minimise durable content; no raw queries/prompts stored; short TTLs
- Residual
- Allowlisted emails and session hashes still exist
Machine-checkable proofs: /verify · interactive demo stays invite-only.