The honesty centre
What this protects against — and what it doesn't.
Security is never "secure" in the abstract; it's secure against a specific adversary. Here is ours, plainly — including where it ends.
Who this is for
The adversary we design against.
GuardTalk is built for people targeted by capable, resourced adversaries — and it is honest that "capable" is not "omnipotent." We design against:
Commercial spyware vendors
The mercenary surveillance industry — the Pegasus / Predator class of tooling sold to governments and aimed at journalists and defenders.
Network interception
Observers on the network attempting to read, fingerprint, or block your traffic between you and the people you talk to.
Device seizure
Border stops and raids where the physical device is taken and an adversary attempts to extract its contents.
Metadata collection
Adversaries who can't read content but try to learn who spoke to whom, when, and from where.
Protections ↔ limits
Every protection, paired with its limit.
No mechanism on this page is presented as absolute. Each protection links to its detail on Security; each limit is stated here, in plain words.
| Protection | What it protects against | Its limit |
|---|---|---|
| Air gap | Direct exposure of your phone to the internet — the modem stays off; the gateway is the only bridge. | The gateway itself and the people you talk to are still endpoints that can be attacked. |
| Kill switch | Clearnet leaks — nftables drops all traffic the moment the tunnels drop, so nothing escapes unprotected. | It protects the network path, not a compromised endpoint behind it. |
| Tor routing | Network-location exposure — hides where you are from most observers. | A global passive adversary observing both ends can attempt end-to-end traffic correlation. Tor never claimed otherwise. |
| Hardened OS | Software attack surface — no Play Services, no browser, no extra radios. | No operating system fully protects against firmware or baseband implants below it. |
| Full-disk encryption | Data at rest on a seized device — LUKS2 / argon2id / AES-256-XTS, unlocked by a biometric key you hold. | It cannot protect a device seized while unlocked and running. |
| Duress wipe | Coerced unlock — a panic credential destroys local keys. | It cannot recover data already exfiltrated, nor protect you under physical coercion beyond the wipe itself. |
| QPC messenger encryption | Interception of message content, calls, and files — quantum-resistant algorithms protect ciphertext against both today's classical adversaries and future quantum decryption of harvested traffic. | It protects content in transit; it does not protect against endpoint compromise or metadata collection. |
| IDS & beacon detection | Known spyware patterns — Suricata rules and C2 beacon heuristics for documented families. | A novel, well-resourced 0-day may evade signatures it has never seen. |
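
To make the kill-switch row concrete, here is one common way to get that fail-closed behaviour with nftables. It is an added illustration, not GuardTalk's actual ruleset. The interface names (`lan0`, `tun0`, `eth0`) and the tunnel endpoint (`192.0.2.10`, UDP 51820, a documentation address) are assumptions.

```nft
#!/usr/sbin/nft -f
# Added illustration: fail-closed egress on a gateway.
# Assumed names, not from the page:
#   lan0  phone-facing interface      tun0  tunnel interface
#   eth0  uplink to the internet      192.0.2.10:51820/udp  tunnel endpoint

# Replace the table atomically if it already exists.
table inet killswitch
delete table inet killswitch

table inet killswitch {
    chain forward {
        # Default drop: forwarding is refused unless a rule below matches.
        type filter hook forward priority 0; policy drop;

        # Phone traffic may leave only through the tunnel.
        iifname "lan0" oifname "tun0" accept
        # Replies to that traffic may come back.
        iifname "tun0" oifname "lan0" ct state established,related accept
        # There is no lan0 -> eth0 rule. When tun0 goes down, nothing
        # above matches and the packet is dropped by policy.
    }

    chain output {
        # Same idea for traffic generated by the gateway itself.
        type filter hook output priority 0; policy drop;

        oifname "lo" accept
        oifname "tun0" accept
        # The only clearnet packets allowed are the ones that carry
        # the tunnel to its endpoint.
        oifname "eth0" ip daddr 192.0.2.10 udp dport 51820 accept
    }
}
```

Because the default policy is drop, the protection does not depend on noticing that a tunnel has failed: a clearnet path never exists in the first place. `nft -c -f <file>` parses the ruleset without applying it.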
Explicitly out of scope
What we do not protect against.
This list is permanent and prominent. If your adversary is on it, GuardTalk alone is not enough — and we would rather you knew that now than learned it later.
- Firmware or baseband implants beneath the operating system.
- A targeted 0-day exploit against the gateway itself.
- Physical coercion beyond what the duress wipe can address.
- Compromise of the other person's device or discipline.
- A nation-state observing both ends of the network for global traffic correlation.
- Human error — a screenshot, a reused identity, a careless contact.
Build your own threat model
Three questions decide whether this fits you.
- Who is your adversary? A scammer, a corporation, local police, or a state intelligence service are very different problems.
- What can they do? Intercept your network, seize your phone, buy a commercial 0-day, or compel a person?
- What is the consequence? Embarrassment, a fine, a prison sentence, a life. The stakes set how much defence is enough.
Honesty pledge
If we can't link a protection to a mechanism and a limit, we don't claim it.