Trust Model
Trust is not binary. It is contextual, progressive, and earned.
Everyone gets the same tools. The ladder is about how much others trust you, not what features you unlock.
The Trust Ladder
Level 0 — Web Guest. No install, join via link. Video calls, screen share, chat. Others see “anonymous guest.” Cannot initiate connections. Browser only — close the tab and you’re gone.
Level 1 — App User. Installed FreedomDesktop. Payment via App Store is an identity signal, not a revenue model. $5 means “I’m not a bot.” Can be discovered in directory. Can introduce others (rate limited).
Level 2 — Verified. Linked an existing identity — Gmail, GitHub, LinkedIn. Bring-your-own-key (BYOK) makes abuse more expensive without creating new accounts. These providers already verified the email. We use that signal.
Level 3 — Trusted. Completed a video handshake with another trusted user. This is the core ceremony. Live video is hard to fake at scale. Creates a mutual trust certificate stored on both devices.
Level 4 — Verified Professional. Professional license verified via API (bar association, ARELLO, FSMB). Public profile in professional directory. Higher introduction capacity. Can create workspaces.
The Video Handshake
Video is the primary trust ceremony. Harder to fake than photos, signatures, or text.
- Alice and Bob are both on the mesh
- They have a video call through FreedomDesktop
- Both tap “I’ve met this person”
- A mutual certificate is created and stored on both devices
The certificate records: both device fingerprints, timestamp and duration, city-level geolocation, and a hash linking to any previous meetings. Certificates are immutable. You cannot edit the past. New meetings create new certificates that reference old ones.
A consistent chain of meetings over time = stronger trust. Thin, suspicious chains = lower trust. This is the useful part of “blockchain” without the cryptocurrency.
Introductions
Not “vouching” — that sounds legal. Introductions.
An existing trusted user introduces a new user to the network. Introductions are visible, limited in quantity, and carry cost. If someone you introduced turns bad, your introduction capacity decreases. Quality over quantity — one professional introduction is worth more than a hundred anonymous ones.
Abuse does not scale when every fake identity requires a real person to stake their reputation.
Geographic Identity
FreedomCore IDs are human-readable and geo-based:
CA-BC-Wasa-Swansburg-James-1234Not a hash. Not a UUID. A name that means something in the real world. The locality is user-selected from a map of named places — not auto-detected from an IP address.
Cloudflare’s edge provides passive evidence on every request: country, region, city, ASN, IPv6 prefix. This creates a network fingerprint that validates the claimed locality over time. A user claiming to be in Wasa, BC, connecting from a Cranbrook-area ISP, is plausible. The same user suddenly connecting from Bucharest is flagged.
Location consistency builds trust. Geographic shifts trigger review.
Anti-Abuse Design
| Attack | Defense |
|---|---|
| Spam invites | Must be invited by a paid user or higher |
| Fake profiles | Video call attestation |
| Bot accounts | Real-time video challenge |
| Mass fraud | Introduction reputation at stake |
| Sybil attack | Payment + video = high cost per identity |
The principle: make fake trust expensive. Make real trust free.
Privacy
Two modes, user’s choice:
Private (default): Not in directory. Found only by direct connection. For families, personal use.
Public (opt-in): Listed in professional directory. Searchable by anyone. Shows credentials, video availability, specialties. Does NOT show connection count, activity feed, or social graph.
We do not store: social graph, message content, call recordings, activity patterns, or location history. Certificates live on user devices. We cannot see them.
Notes
This page has no subtopics yet.
Want structure here? Add a child doc at src/content/docs/trust/<child>.md.