Threat Model
This site is not an anonymity service. This threat model provides an educational, realistic description of exposure pathways in common web and email workflows when submitting public-records requests. The project advocates for individual privacy and full government transparency.
Key point: VPNs and private browsing can change some network observations, but they do not eliminate recipient retention, forwarding, or the existence of durable copies.
No legal advice. This threat model is provided for educational purposes only. We are not lawyers, do not provide paid services, and do not provide legal advice.
Threat table
| Threat | What it looks like | What this site can do | What this site cannot do |
|---|---|---|---|
| Recipient retention | Agency keeps the message and attachments | Warn users; encourage restraint | Force deletion or prevent archiving |
| Forwarding / disclosure | Message is forwarded internally or disclosed later | Warn users; reduce accidental oversharing | Control downstream behavior |
| Email ecosystem copies | Copies exist in sent folders, inboxes, gateways, and backups | Explain lifecycle; design for minimal content | Eliminate third-party retention |
| Infrastructure logs | Server, CDN, WAF, or mail gateway logs store metadata | Keep claims conservative; avoid needless collection | Guarantee “no logs” across providers |
| User-side mistakes | Autofill, attachments with metadata, pasted identifiers | Use warnings and guardrails | Prevent all user error |
Scope and intent
This threat model is intentionally narrow. It focuses on realistic risks present in lawful public-records workflows, not speculative attacks or anonymity guarantees. Transparency in government processes and informed user decision-making are the primary goals.