# III. Threat Model ### Part 3 — Threat Model, Misuse Resistance, Contestability, and Rights Safeguards #### 1. Guild Threat Model and Abuse-Case Register 1.1 **Threat model objective.** The Guild maintains a standing threat model to prevent its research, artifacts, and platform-adjacent outputs from being captured, gamed, weaponized, misrepresented, or coerced into roles outside the non-executing perimeter. 1.2 **Primary threat classes.** The threat model shall, at minimum, cover:\ 1.2.1 **capture and influence** (sponsor dominance, vendor steering, state pressure, reputational leverage, access-for-favor dynamics);\ 1.2.2 **gaming and benchmark tampering** (metric manipulation, synthetic compliance, staged test environments, adversarial “goodharting”);\ 1.2.3 **dataset poisoning and measurement drift** (tainted sources, injected artifacts, adversarial content shaping, long-tail drift);\ 1.2.4 **coercion and legal compulsion** (subpoena/FOI/discovery pressure, compelled disclosure, gag constraints, cross-border conflict);\ 1.2.5 **misrepresentation and badge misuse** (false claims of certification, selective quoting, out-of-context excerpts, brand laundering);\ 1.2.6 **dual-use abuse** (turning defensible research into exploit enablement, evasion guidance, or surveillance mechanics);\ 1.2.7 **identity and participant risk** (doxxing, retaliation, harassment, targeted intimidation);\ 1.2.8 **supply chain compromise** (malicious contributions, build pipeline tampering, dependency injection, signing key risk);\ 1.2.9 **operational confusion** (adopters treating Guild outputs as enforcement, compliance advice, or incident command). 1.3 **Abuse-case register.** The Guild shall maintain an abuse-case register for each domain and major artifact family, including:\ 1.3.1 plausible attacker profiles and motivations;\ 1.3.2 likely attack surfaces (data sources, publication channels, badges, benchmarks, release tooling);\ 1.3.3 impact pathways (harm to rights, safety, markets, infrastructure reliability);\ 1.3.4 mitigations (handling class defaults, disclosure abstraction, anti-gaming controls, contestability pathways);\ 1.3.5 triggers for stop-the-line and emergency correction. 1.4 **Risk posture.** Where the threat model identifies credible pathways to large-scale harm, the Guild’s default posture is to reduce exploitability and reduce misuse—even at the cost of slower publication. *** #### 2. Rights Impact Standard 2.1 **Rights-by-design invariants.** Guild outputs must respect and protect:\ 2.1.1 privacy and data minimization;\ 2.1.2 freedom of expression and association;\ 2.1.3 non-discrimination and accessibility;\ 2.1.4 due process and contestability;\ 2.1.5 safety of participants and affected communities. 2.2 **Rights impact review triggers.** A rights impact review is mandatory when an output:\ 2.2.1 could materially influence access, eligibility, reputation, or enforcement;\ 2.2.2 introduces new measurement collection categories or expands coverage scope;\ 2.2.3 creates a new scoring, ranking, or labeling mechanism;\ 2.2.4 touches vulnerable populations, sensitive categories, or safety-critical systems. 2.3 **Minimum rights impact fields.** Rights impact documentation shall include:\ 2.3.1 intended use and prohibited uses;\ 2.3.2 foreseeable misuse pathways;\ 2.3.3 discrimination and accessibility risks;\ 2.3.4 privacy posture (what is collected, what is avoided, what is redacted);\ 2.3.5 contestability plan (who can challenge, how quickly, and what remediation exists). 2.4 **No adverse action enablement.** Outputs must not be designed to directly enable coercive adverse actions (blocking, takedown, denial of service, profiling) without due process and contestability safeguards. *** #### 3. No Censorship Blueprinting Rule 3.1 **Rule statement.** The Guild does not design, publish, or maintain blueprints for coercive content moderation, censorship operations, or political opinion control. 3.2 **Permitted integrity research.** The Guild may conduct measurement and integrity research that:\ 3.2.1 evaluates provenance mechanisms, authenticity signals, and transparency patterns;\ 3.2.2 measures manipulation and inauthentic coordination as research findings;\ 3.2.3 documents resilience patterns for crisis communications;\ 3.2.4 publishes uncertainty, limitations, and non-equivalence warnings. 3.3 **Boundary condition.** Research becomes prohibited when it prescribes coercive moderation tactics, operational enforcement workflows, or targeted suppression methods. 3.4 **Neutral measurement posture.** The Guild’s integrity work is evidence-oriented and contestable, not punitive and not directive. *** #### 4. Misuse Resistance Requirements 4.1 **Misuse resistance as a release gate.** No artifact may be labeled “Release-Ready,” “Benchmark-Ready,” or “Enterprise-Deployable” without a documented misuse resistance review. 4.2 **Minimum misuse resistance controls.** Each qualifying artifact must include:\ 4.2.1 explicit misuse scenarios and mitigations;\ 4.2.2 safe-use warnings and reliance bounds;\ 4.2.3 handling class default and distribution guidance;\ 4.2.4 redaction/abstraction rules where relevant;\ 4.2.5 “do not deploy if…” conditions and safe-mode guidance. 4.3 **No exploit enablement threshold.** The Guild shall not publish technical detail that materially lowers the cost of exploitation, evasion, or coercive surveillance. Where educational value exists, the Guild publishes at a level that preserves safety and operator coordination. 4.4 **Anti-evasion posture.** When publishing detection or measurement methods, the Guild shall:\ 4.4.1 avoid disclosing specific evasion triggers where doing so would increase harm;\ 4.4.2 provide principled defenses rather than brittle signatures;\ 4.4.3 use delayed disclosure or controlled access where warranted by threat conditions. *** #### 5. Contestability, Grievance, and Remedy 5.1 **Contestability principle.** Any consequential claim produced under Guild validity markings must be contestable by affected parties through a defined mechanism. 5.2 **Who may contest.** Contestation may be initiated by:\ 5.2.1 subjects of measurement (site owners/operators) where identification is reasonably verifiable;\ 5.2.2 impacted users or rights advocates presenting credible harm claims;\ 5.2.3 researchers raising methodology, bias, or reproducibility concerns;\ 5.2.4 participating members identifying integrity or handling violations. 5.3 **Contestable items.** The following are contestable:\ 5.3.1 measurement results and scoring outcomes;\ 5.3.2 benchmark methodology and sampling;\ 5.3.3 dataset provenance and integrity;\ 5.3.4 mislabeling, misrepresentation, or misuse of Guild marks;\ 5.3.5 correction failures and improper supersession. 5.4 **Minimum grievance pathway.** The Guild maintains:\ 5.4.1 an intake route with handling-class selection;\ 5.4.2 a triage clock aligned to correction clocks;\ 5.4.3 a recorded outcome (upheld, corrected, superseded, withdrawn, or restricted);\ 5.4.4 a remedy menu (errata, retraction, re-score, deprecation, distribution correction). 5.5 **Non-punitive posture.** Contestability is an integrity function; it is not an enforcement action against the subject. *** #### 6. Misrepresentation Controls and Badge Misuse 6.1 **Non-certification control.** Guild marks shall be explicitly non-certifying and non-compliance-determining in all public-facing descriptions. 6.2 **Misuse patterns.** Misrepresentation includes:\ 6.2.1 claiming “certified by” or “approved by”;\ 6.2.2 implying endorsement or procurement preference;\ 6.2.3 selective quoting that reverses meaning or hides uncertainty;\ 6.2.4 using outdated versions without supersession disclosure;\ 6.2.5 applying Guild marks to third-party outputs not produced under Guild records. 6.3 **Takedown and correction protocol.** Where misrepresentation is credible, the Guild may:\ 6.3.1 issue a public correction notice (public-safe) or controlled notice (controlled);\ 6.3.2 require removal of marks and issue a supersession pointer;\ 6.3.3 suspend participation rights for members involved;\ 6.3.4 restrict future access or distribution where necessary to prevent ongoing harm. 6.4 **Screenshot-resistance principle.** Where feasible, artifacts shall include embedded version identifiers and reliance warnings that remain visible in excerpted form. *** #### 7. Legal Compulsion and Identity Protection Posture 7.1 **Minimization by design.** The Guild minimizes collection and retention of identity-linked data, especially for contributors, reporters, and affected parties. 7.2 **Compulsion response discipline.** In the event of subpoena, FOI, or discovery pressure:\ 7.2.1 requests are routed through designated officers under handling discipline;\ 7.2.2 only the minimum necessary disclosure is made, consistent with lawful obligations;\ 7.2.3 where lawful, the Guild seeks protective orders or equivalent safeguards;\ 7.2.4 disclosures are recorded as handling-classed events. 7.3 **Lawful unmasking only.** Any unmasking of identity is permitted only where legally required and only through a documented, dual-control decision record. 7.4 **Cross-border caution.** Where jurisdictions conflict or safety risks are elevated, the Guild may restrict disclosures, delay publication, or publish at higher abstraction to prevent harm. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.therisk.global/organization/cooperation/nexus-guilds/future-of-web/iii.-threat-model.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.