Spaces:
Sleeping
Sleeping
Threat Model Appendix
Threat Modeling Framework
This application follows a STRIDE-informed but scope-limited threat model, focused on misuse prevention rather than adversarial exploitation.
Identified Threats & Mitigations
1. Unauthorized Data Collection
Threat: Automated scraping or bulk harvesting
Mitigation:
- Link-out only architecture
- No crawlers or schedulers
- No background tasks
2. AI Hallucination or Misuse
Threat: AI outputs mistaken for evidence
Mitigation:
- AI disabled by default
- Mandatory disclosure footer
- Citation-anchored prompts
- Integrity hashing
3. Surveillance or Profiling
Threat: Use for tracking individuals
Mitigation:
- Public records only
- No personal data ingestion
- No identity resolution features
4. Data Persistence Risk
Threat: Long-term storage of sensitive material
Mitigation:
- In-memory session state only
- No databases required
- No logs of user queries
5. Agency Policy Circumvention
Threat: Bypassing FOIA site controls
Mitigation:
- No automated access
- No authentication bypass
- User-initiated navigation only
Out-of-Scope Threats
- Nation-state cyber attacks
- FOIA content authenticity disputes
- Agency data completeness or redaction
Residual Risk Assessment
Overall residual risk is LOW, given:
- Public data only
- No automation
- No persistence
- No privileged access
Conclusion
This tool presents materially lower risk than traditional search engines or document crawlers due to its intentionally constrained design.