SILENT WITNESS.
Secure source-side intake for high-risk information.
Silent Witness is UNDERWORLD’s protected evidence and reporting layer for people and organizations that need to move sensitive information without exposing the source before the message reaches the right destination.
Built for journalists, freelance reporters, NGOs, human-rights operators, legal teams, diplomatic offices, investigators, security personnel, field operators, and public-interest organizations, Silent Witness supports Custom Verified Tunnels: organization-specific secure intake paths configured around each recipient’s endpoint, fingerprint checks, routing policy, verification material, security requirements, and evidence-handling instructions.
It is designed for information that cannot be handled like an ordinary message.
Human-rights abuse. Corruption. Institutional violence. War-crime documentation. Security incidents. Protected testimony. Internal misconduct. Public-interest evidence.
Silent Witness is not a social feed, not a public leak marketplace, and not a publishing platform.
It is a hardened source-to-organization communication framework built to protect the path before exposure happens.
THE PURPOSE
In sensitive reporting, the weakest point is often not the encryption.
It is everything around it.
A source may use the wrong address. A fake reporting page may copy a real logo. A browser session may expose network traces. A file may reveal GPS coordinates. A cloud upload may create a permanent record. A notification may expose intent. A rushed submission may reveal more than the evidence itself.
Silent Witness reduces those failure points by giving the source a controlled workflow: prepare the material locally, reduce metadata, verify the receiving tunnel, encrypt before movement, route through protected transport, and block unsafe fallback when the path cannot be trusted.
The objective is clear:
Move critical information without turning the source into the most exposed part of the chain.
WHO SILENT WITNESS IS FOR
Silent Witness is designed for people and institutions operating around sensitive information.
Journalists and freelance reporters can receive material from sources who may be monitored.
NGOs and human-rights teams can collect testimony, field reports, and abuse documentation through a more controlled intake path.
Legal teams can handle protected evidence, witness material, and sensitive case files with stronger source-side safeguards.
Diplomatic and consular offices can maintain controlled reporting channels for sensitive communication.
Investigators and security teams can receive incident reports from exposed environments.
Field operators can preserve and move information when networks are restricted, unstable, or unsafe.
Sources and whistleblowers can prepare information before identity becomes the risk.
Silent Witness is built for verified, source-protective communication between the person carrying the information and the organization responsible for receiving it.
CUSTOM VERIFIED TUNNELS
Silent Witness can provide Custom Verified Tunnels for newsrooms, NGOs, legal teams, embassies, investigative units, security departments, whistleblower support organizations, and public-interest institutions.
A Custom Verified Tunnel is a locked intake profile configured around the receiving organization’s security model.
Each tunnel can define:
The receiving endpoint.
Organization identity material.
Public-key or fingerprint verification.
Routing requirements.
Tor or anonymity-network transport policy.
Allowed submission behavior.
Evidence-handling instructions.
Attachment restrictions.
Safety warnings.
Channel lock conditions.
Destination verification rules.
Fail-closed requirements.
This allows organizations to create hardened intake paths without asking sources to rely on exposed web forms, ordinary email, public upload pages, social media accounts, or unverified contact addresses.
The public name is simple: Custom Verified Tunnel.
The technical purpose is stronger: a verified destination profile with cryptographic identity, routing policy, endpoint validation, metadata controls, and source-side safety rules.
DESTINATION VERIFICATION
Sensitive information should not be sent somewhere just because a name, logo, or domain looks familiar.
Fake pages, copied branding, wrong addresses, impersonated recipients, outdated submission links, and phishing endpoints can expose a source before the evidence is even reviewed.
Silent Witness is built around destination assurance.
A verified tunnel can include endpoint validation, fingerprint checks, organization identity material, expected routing behavior, and channel-specific safety requirements.
Where supported, a tunnel can remain locked until verification conditions are satisfied.
This reduces the risk of fake reporting pages, copied organization branding, wrong addresses, phishing endpoints, impersonated recipients, unsafe public upload forms, unverified email handoff, outdated submission links, incorrect destination routing, and man-in-the-middle destination substitution.
The goal is not only encrypted transmission.
The goal is verified encrypted transmission.
SOURCE-SIDE WORKFLOW
Silent Witness starts before the network is used.
The source prepares material locally on the device. Notes, files, reports, images, voice material, documentation, and evidence capsules can be organized before anything is transmitted.
This local-first model reduces dependence on exposed browser uploads, ordinary email attachments, consumer cloud drives, public forms, and unsafe forwarding chains.
The workflow is designed around six stages:
Prepare locally.
Reduce metadata.
Verify the tunnel.
Encrypt before movement.
Route through protected transport.
Warn or block when trust breaks.
The source stays in control until the material is ready to move.
CRYPTOGRAPHIC PROTECTION
Silent Witness uses UNDERWORLD’s restricted-security communication model.
Sensitive material is protected locally before transmission. The relay does not receive plaintext. Private keys remain on the user’s device. The cloud is not used as a recovery path for source identity or private message content.
The underlying security architecture can include:
Device-bound cryptographic identity.
X3DH-style secure session establishment.
Double Ratchet message encryption.
Authenticated encryption.
Message-key isolation.
Forward secrecy.
Post-compromise recovery behavior.
Post-quantum hybrid defense.
CNSA 2.0-aligned cryptographic direction.
Local identity storage.
Ciphertext-only relay transport.
The message is sealed before the relay ever sees it.
The receiving path is not trusted with plaintext until the material reaches the intended destination.
POST-QUANTUM HYBRID DEFENSE
Silent Witness is designed for information that may remain sensitive for years.
Some evidence does not lose value quickly. Abuse documentation, war-crime material, corruption files, identity records, testimony, internal misconduct reports, and legal evidence may still be dangerous long after transmission.
Silent Witness benefits from UNDERWORLD’s post-quantum hybrid defense model, designed to reduce long-term interception and store-now-crack-later risk.
The architecture follows modern high-assurance cryptographic direction, including alignment with NSA-published CNSA 2.0 principles for future quantum-resistant protection.
This does not imply government approval, military certification, or NSA endorsement.
It means Silent Witness is designed with future decryption risk in mind, not only today’s interception threats.
ANONYMITY-NETWORK ROUTING
Silent Witness separates encryption from network anonymity.
Encryption protects the content.
Tor and I2P reduce direct network exposure.
The relay moves ciphertext.
The destination receives through the configured protected path.
When an Underworld-compatible tunnel is active, transmission can be routed through anonymity-network transport such as Tor, with I2P support forming part of the broader UNDERWORLD routing architecture.
The system is designed to avoid direct exposure, plaintext relay fallback, and silent downgrade behavior.
If protected routing cannot be established, unsafe transmission should be blocked rather than hidden behind a false success state.
ZERO-KNOWLEDGE RELAY TRANSPORT
The relay is treated as transport, not trust.
Silent Witness assumes relay infrastructure may be observed, probed, unavailable, misconfigured, seized, or hostile.
For that reason, the relay should not receive plaintext, private identity keys, cloud backups, recoverable source identity, or server-side copies of sensitive material.
Its role is limited to moving encrypted payloads through the configured delivery path.
This reduces the value of relay compromise and keeps the security boundary focused on local encryption, verified destination control, and fail-closed routing.
METADATA REDUCTION
Evidence can expose a source before anyone reads it.
A file may contain GPS coordinates, device identifiers, timestamps, author names, embedded thumbnails, editing history, application metadata, hidden file paths, or misleading format information.
Silent Witness uses UNDERWORLD’s attachment-defense layer to reduce this exposure before material is shared.
Technical protections can include:
Attachment metadata sanitization.
Risky MIME mismatch detection.
Dangerous attachment checks.
Oversized payload controls.
Path-traversal protection.
Malformed attachment packet rejection.
Attachment metadata deception detection.
Controlled evidence packaging.
The visible content is only one part of the risk.
Silent Witness is designed to reduce what the file reveals silently.
ATTACHMENT AND EVIDENCE HARDENING
Files are treated as security objects, not simple uploads.
Silent Witness can apply checks before transmission to reduce the chance that an attachment becomes a tracking device, exploit path, identity leak, or uncontrolled disclosure.
The attachment layer is designed to address unsafe file metadata, hidden identifiers, misleading extensions, suspicious MIME types, oversized payload abuse, path-traversal attempts, malformed packets, dangerous attachment patterns, and unnecessary identifying properties.
For journalists, NGOs, legal teams, and investigators, evidence integrity and source protection must exist together.
A document may prove something.
It should not also expose the person who carried it.
BLACKOUT MODE COMPATIBILITY
Silent Witness can work with Blackout Mode when the internet is unavailable, blocked, monitored, or unsafe.
In those conditions, the user can prepare encrypted offline capsules and move them later through controlled local carriers such as QR transfer, file transfer, Wi-Fi, Bluetooth, or physical handoff.
The carrier does not receive plaintext.
This gives journalists, NGOs, field operators, diplomatic staff, and security teams an alternative workflow when the network itself becomes part of the threat environment.
Blackout Mode does not perform blind fallback.
The user enters manually, prepares encrypted material locally, and controls when the capsule moves.
ACTIVE ATTACK AWARENESS
Silent Witness inherits UNDERWORLD’s active alarm model.
The app can treat suspicious conditions as security events instead of ordinary failures.
Detectable or security-relevant conditions can include packet injection attempts, replay behavior, malformed encrypted packets, authentication-tag failure, relay message forgery, routing downgrade attempts, identity substitution signals, duplicate encrypted message abuse, sender-binding failures, ratchet-state anomalies, dangerous attachments, risky MIME mismatches, oversized attachment abuse, path-traversal attempts, screen overlay attacks, and obscured-touch conditions.
A sensitive reporting tool should not fail silently.
When trust changes, the user should see it.
FAIL-CLOSED SECURITY
Silent Witness is designed to prefer blocked transmission over unsafe transmission.
If a verified tunnel cannot be trusted, if routing requirements cannot be satisfied, if destination verification fails, or if protected transport is unavailable, the system should stop rather than silently downgrade.
No ordinary direct route.
No plaintext relay.
No silent fallback.
No false sense of delivery.
In high-risk communication, failure can be protection.
ORGANIZATION-SPECIFIC INTAKE
Silent Witness can be adapted for organizations that need a hardened intake layer without building secure communication infrastructure from zero.
A newsroom can define a source tunnel.
An NGO can define a field-evidence tunnel.
A legal team can define a protected witness tunnel.
An embassy can define a controlled reporting tunnel.
A security team can define an incident intake tunnel.
An investigative unit can define a case-specific destination.
Each tunnel can carry its own identity, verification rules, instructions, routing requirements, safety constraints, and evidence-handling logic.
This makes Silent Witness more than a feature inside a messenger.
It becomes a secure intake framework for organizations receiving information from exposed users.
EXAMPLE PUBLIC-INTEREST DESTINATIONS
Silent Witness can guide users toward public-interest reporting destinations such as OCCRP, ProPublica, Whistleblower Aid, Human Rights Watch, and the ICC Office of the Prosecutor.
These examples show the type of organization Silent Witness is designed to support.
Organization names and logos are shown for identification of public reporting destinations only.
No affiliation, partnership, approval, sponsorship, or endorsement is implied unless explicitly stated.
WHAT SILENT WITNESS DOES NOT DO
Silent Witness is not a media organization, legal authority, investigation unit, or publishing platform.
It does not publish evidence.
It does not verify facts.
It does not decide legal status.
It does not guarantee a destination will respond.
It does not control recipient-side handling after delivery.
It does not protect a fully compromised device.
It does not replace legal advice, editorial review, human-rights verification, or operational judgment.
Its role is source-side protection: preparing, sanitizing, encrypting, verifying, routing, and reducing exposure before the information leaves the user’s control.
LAWFUL PUBLIC-INTEREST USE
Silent Witness is intended for lawful public-interest reporting, journalism, human-rights documentation, anti-corruption evidence, war-crime documentation, institutional abuse reporting, legal support, diplomatic reporting, security incident reporting, and secure communication with legitimate receiving organizations.
It is not designed for criminal coordination, threats, extortion, trafficking, terrorism, illegal markets, or harmful activity.
UNDERWORLD is built to protect people carrying critical information, not to enable abuse.
USER AND ORGANIZATION RESPONSIBILITY
Silent Witness strengthens the path, but it does not remove operational responsibility.
Users should verify tunnels carefully, avoid compromised devices, protect local identity, review attachments before sending, avoid unnecessary screenshots, and treat security warnings seriously.
Organizations should maintain accurate endpoint information, rotate verification material when necessary, publish clear handling instructions, protect receiving infrastructure, and avoid exposing sources after receipt.
A secure tunnel reduces exposure.
It does not replace judgment, training, or destination-side discipline.
FINAL POSITION
Silent Witness is built for the moment when information must move, but exposure can destroy the person carrying it.
It gives sources and receiving organizations a hardened path based on local preparation, Custom Verified Tunnels, destination verification, metadata reduction, end-to-end encryption, anonymity-network routing, ciphertext-only relay transport, Blackout Mode compatibility, active attack awareness, and fail-closed behavior.
It is not designed to make information louder.
It is designed to make the path safer.
Silent Witness protects the source-side chain before the first irreversible step is taken.