PainTracker Protective Computing Reference Packet v1.0

A versioned proof packet for outsiders: scope, control boundaries, evidence anchors, negative claims, known limitations, and review hooks for the current PainTracker reference implementation.

Packet status: Public reference packet, not certification.

Implementation posture: Level 2–3 Protective Computing v1.0 with explicit gaps in active-coercion resistance and degraded-functionality accessibility.

Primary source mapping: PainTracker compliance mapping.

Packet Contents

Section | Current statement | Evidence anchor
Threat model | PainTracker resists passive surveillance, data breach, and operator decrypt scenarios better than typical health journaling apps, but does not yet resist active compelled-disclosure scenarios. | Threat models, coercion boundary matrix, coercion scenario packet
Local-first architecture | Essential journaling remains locally authoritative; optional backup and sync are additive rather than required for core use. | Local authority operating profile, offline parity and sync spec
Exposure minimization | Collection and retention are explicitly bounded, with published field-level justifications and retention defaults. | Field justification ledger, retention policy table, local retention defaults
Essential utility | The essential journaling path remains intact when optional features are removed or degraded. | Feature justification matrix, subtraction report
Audit reproducibility | Normative claims, evidence indexes, CI gates, and site-level metadata audit are public and reproducible. | Audit path, audit evidence index, MUST ledger

Threat Model Summary

Resisted well enough for current claim: plaintext exposure through ordinary operator access, uncontrolled retention growth, loss of connectivity for core use, and non-essential feature removal breaking the primary task.

Not resisted well enough for stronger claim: state interrogation, forced unlock, compelled export, keyboard-only parity failures, and screen-reader-complete degraded-mode use.

Architecture and Behavior

Local-first architecture statement

PainTracker treats the user device as the authority for core journaling actions. Optional server interactions support encrypted backup and synchronization, but core logging, viewing, and editing are designed to remain available without the server.

Degraded mode behavior

Current degraded-mode support is partial. Core use survives ordinary mobile and intermittent-network conditions, but the implementation still depends on JavaScript and retains accessibility gaps around keyboard navigation and WCAG AA coverage.

Coercion risk notes

PainTracker does not claim deniable panic mode, decoy vault behavior, or a coercion-safe secondary path. The current public posture remains: suitable for passive-surveillance contexts, not suitable for active-coercion scenarios.

Export boundary

Export and disclosure behavior must remain bounded by published evidence and user intent. There is no claim that exports are deniable, hidden, or safe under coercion; only that plaintext is not exposed to administrators through a master decrypt capability.

Analytics and telemetry position

No claim is made that operator-visible metadata is zero. The current posture is bounded metadata retention with published limits rather than a claim of telemetry elimination.
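The three statements above (local authority for core journaling, no administrator master-decrypt capability, and bounded rather than zero operator-visible metadata) can be read as one small design. The following Go program is an added illustration written for this packet, not PainTracker's own code: it assumes a device-held random AES-256-GCM key that never leaves the device, a journal serialized as JSON, and a backup server that stores only ciphertext plus blob size and upload time. The type and function names (Device, BackupServer, Backup, Restore, OperatorView) are this example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Entry is one journal record held on the device (constructed sample schema).
type Entry struct {
	ID   int    `json:"id"`
	Pain int    `json:"pain"` // self-reported intensity, 0-10
	Note string `json:"note"`
}

// Device is the authority for the journal. It also holds the backup key,
// which is generated here and never sent anywhere (assumption of this example).
type Device struct {
	entries []Entry
	key     []byte
}

// StoredBlob is everything the operator can see about one backup:
// ciphertext, its size, and when it arrived. No key, no contents.
type StoredBlob struct {
	Ciphertext []byte
	SizeBytes  int
	StoredAt   time.Time
}

// BackupServer models the operator side. It has no decrypt capability.
type BackupServer struct {
	blobs []StoredBlob
}

// NewDevice creates a device with a fresh random 256-bit backup key.
func NewDevice() (*Device, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return &Device{key: key}, nil
}

// Log, View and Edit are the essential path; none of them touches a server.
func (d *Device) Log(pain int, note string) int {
	id := len(d.entries) + 1
	d.entries = append(d.entries, Entry{ID: id, Pain: pain, Note: note})
	return id
}

func (d *Device) View() []Entry { return d.entries }

func (d *Device) Edit(id int, note string) error {
	for i := range d.entries {
		if d.entries[i].ID == id {
			d.entries[i].Note = note
			return nil
		}
	}
	return errors.New("no such entry")
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Backup is optional and additive: it ships nonce||AES-GCM ciphertext to the
// server, so the operator never receives plaintext or the key.
func (d *Device) Backup(s *BackupServer) error {
	plaintext, err := json.Marshal(d.entries)
	if err != nil {
		return err
	}
	aead, err := newAEAD(d.key)
	if err != nil {
		return err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	blob := aead.Seal(nonce, nonce, plaintext, nil)
	s.blobs = append(s.blobs, StoredBlob{Ciphertext: blob, SizeBytes: len(blob), StoredAt: time.Now()})
	return nil
}

// Restore decrypts the latest blob with the device-held key.
func (d *Device) Restore(s *BackupServer) error {
	if len(s.blobs) == 0 {
		return errors.New("no backup")
	}
	plaintext, err := Decrypt(d.key, s.blobs[len(s.blobs)-1].Ciphertext)
	if err != nil {
		return err
	}
	return json.Unmarshal(plaintext, &d.entries)
}

// Decrypt opens nonce||ciphertext under key; any other key fails the GCM tag
// check, which is what "no administrator master decrypt" means in practice.
func Decrypt(key, blob []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	n := aead.NonceSize()
	if len(blob) < n {
		return nil, errors.New("blob too short")
	}
	return aead.Open(nil, blob[:n], blob[n:], nil)
}

// OperatorView is the bounded metadata an administrator can read: sizes and
// upload times, never contents. This is exactly the residual visibility the
// packet declines to call "zero metadata".
func (s *BackupServer) OperatorView() []string {
	out := make([]string, 0, len(s.blobs))
	for _, b := range s.blobs {
		out = append(out, fmt.Sprintf("%d bytes at %s", b.SizeBytes, b.StoredAt.UTC().Format(time.RFC3339)))
	}
	return out
}
```

The point of the layout is that Log, View and Edit compile and run with no BackupServer in existence, Backup and Restore are the only server-touching calls, and OperatorView is the complete list of what the operator learns. Blob size and timing are still visible, which is why the packet's claim is bounded metadata rather than none.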

Known Limitations

Partial Standards Mapping

Framework | Current bounded claim | Reference anchor
NIST Privacy Framework | Strongest overlap is privacy-by-design via field minimization, retention bounds, and explicit operator non-possession boundaries. | Standards crosswalks, field ledger
OWASP ASVS | Current packet supports partial mapping on cryptography, data protection, and access boundaries; it does not yet satisfy a published full ASVS control matrix. | Standards crosswalks, compliance mapping

PLS Disclosure

PainTracker is a strong candidate for a public PLS walkthrough because it already documents both strengths and disqualifying gaps. This packet does not publish a final multi-rater PLS score; it exists to make that later score inspectable.

False Claim Register

Claim | Status | Reason
Deniable panic mode | Not claimed | Current implementation does not provide a defensible coercion-safe path or decoy behavior.
HIPAA compliant | Not claimed | This packet maps engineering controls and evidence, not covered-entity legal compliance.
Zero-knowledge cloud sync | Partially bounded | Encrypted backup is claimed; zero operator plaintext access is claimed. Zero metadata visibility is not claimed.
Accessibility-complete degraded mode | Not claimed | Keyboard parity and WCAG AA gaps remain public and unresolved.
Independent certification | Not claimed | No external certifier or governance body has issued certification.

External Review Hooks

This packet is designed to be reviewed, not trusted by default. Use the external review workflow and packet template to confirm, refute, or tighten any claim here.