Is not.bot Safe?

You are thinking about joining not.bot, and you want to be sure it is safe before you do. Smart. People join because they see something worth having: a site that offers verified humans a cleaner experience or premium access, a way to prove you are over 18 without handing over your birthdate, the ability to sign your own content so no one can pass off a fake as yours, a space with the bots kept out.

Think of this as your due diligence. It explains what joining involves, what leaves your phone and what does not, who can see your activity, and what happens when something goes wrong. It avoids the cryptography. If you want the proof behind any claim here, the linked documents at the end carry the full architecture.

One principle runs through all of it. The protections below are enforced by how the system is built, not by a promise to behave. Julia Social, the company behind not.bot, designed itself so that it cannot see who you are or whether you use your identity. That is a structural fact about the software, and the rest of this guide shows where it comes from.


What joining involves

You install the not.bot app and enroll once. Enrollment means holding your phone against the chip in your passport so the app can confirm the passport is genuine. After that, you create one or more aliases and use them to sign content or to prove a fact about yourself to a website (that you are a person, or over 18, without saying more).

Two limits to state up front:

  • Enrollment is available today only to users on US app stores. People elsewhere can install the app in scan-only mode, where they can verify other people's signatures but cannot enroll or create their own. International enrollment is planned.
  • Enrollment today is done from home with your passport. A stronger in-person option, where a trusted partner like a bank, hospital, or employer confirms your identity face to face, is on the near-term roadmap. More on why that matters under "What we are still building."

You need a current, NFC-enabled passport to enroll.

The passport scan: where does my data go?

This is the question most people lead with, so here is the whole path.

Scanning your passport takes two steps on your phone. The chip is encrypted, and the key that unlocks it is printed in the strip of text at the bottom of the data page, so the app first photographs that page and reads the strip with on-device text recognition. That photo never leaves your phone, and the app uses it to read text, not your face. The app then uses the key to open the chip and read the data it holds: your name, date of birth, gender, and nationality. It does not read the facial image stored on the chip. No biometric data leaves the passport.

That text goes to a passport-validation provider, Signicat, which confirms the chip's government signatures are authentic and the passport has not expired. Signicat holds the data for a few minutes at most. Signicat is never told which not.bot identity the passport belongs to, or whether the scan is a first enrollment or a recovery. By the time enrollment completes, Signicat has deleted your data.

The data goes straight from Signicat to Praxis Escrow, an independent US data escrow company that has completed a SOC 2 Type 1 examination. Praxis stores only an encrypted copy of the data, and Praxis does not have the decryption key. Julia Social holds the only decryption key and has no access to the stored record. The decryption key is stored on computers that never connect to a network, and so cannot be hacked over a network.

Julia Social never sees your passport data at any point in this flow.

When enrollment finishes, no one holds a readable copy of your identity. The single stored copy is encrypted, sitting with an independent escrow company that cannot open it, and it can be opened only through the law-enforcement process described below. Your personal information is not in a database someone can query, leak, or sell.

Can anyone watch what I do?

The two things you do most, signing content and verifying someone else's signature, never contact Julia Social. Your phone signs with keys stored on the device. Verification reads public blockchain data. When you prove a fact to a website, that exchange runs only between your phone and the site. No traffic reaches Julia Social.

Julia Social does not see which sites you visit, what you sign, or whether you are using your identity at all. It is reached only for occasional administrative actions: enrolling, creating an alias, recovering after you lose your phone. Day-to-day use is invisible to it.

The sites you use learn less about you than you might expect, and you decide what each one sees.

Most sites need one narrow fact, and that fact is all they get. A site that wants to keep out bots gets "a real person." A site with an age gate gets "over 13," or "over 18," with no birthdate behind it. You answer the exact question asked and hand over nothing else: not your name, not your other details, not anything about what you do elsewhere.

When you come back to a site, it should recognize you, and it can. With your consent, the not.bot app and the site will work together to create a site pass: a tag that stays the same on that one site every time you return, so your account stays yours, and is different on every other site you use. Two sites that share their data find no match between their site passes, so neither one can work out that you are the same person, even if they try. The site pass also means the site can tell if two accounts both belong to you, which is how not.bot keeps out bots and sock puppets, and it does that while telling the site nothing about who you are.
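The site-pass properties described above, sketched as an added example. This is not not.bot's code, and the page does not say how site passes are actually computed. The sketch assumes a per-identity secret held on the phone and derives each pass as an HMAC over the site's origin; every name in it is hypothetical.

```python
import hashlib
import hmac
import secrets

def site_pass(identity_secret: bytes, site_origin: str) -> str:
    """Derive a per-site tag: stable on one site, unrelated across sites."""
    # Normalise the origin so "Forum.Example" and "forum.example" give one pass.
    origin = site_origin.strip().lower().encode("utf-8")
    # A fixed label separates this use of the secret from any other use.
    msg = b"site-pass-v1\x00" + origin
    return hmac.new(identity_secret, msg, hashlib.sha256).hexdigest()

class Site:
    """A relying site that stores only site passes, never identity data."""
    def __init__(self, origin: str):
        self.origin = origin
        self.accounts = {}  # site pass -> account name

    def register(self, account_name: str, presented_pass: str) -> bool:
        # A repeated pass means one person is behind a second account.
        if presented_pass in self.accounts:
            return False
        self.accounts[presented_pass] = account_name
        return True

def shared_passes(site_a: Site, site_b: Site) -> set:
    """What two sites find when they join their stored passes."""
    return set(site_a.accounts) & set(site_b.accounts)

def demo() -> dict:
    # Constructed sample secrets; in this sketch they never leave the phone.
    alice, bob = secrets.token_bytes(32), secrets.token_bytes(32)
    forum, shop = Site("forum.example"), Site("shop.example")
    results = {
        "alice_joins_forum": forum.register("alice", site_pass(alice, forum.origin)),
        "alice_second_account": forum.register("alice2", site_pass(alice, forum.origin)),
        "bob_joins_forum": forum.register("bob", site_pass(bob, forum.origin)),
        "alice_joins_shop": shop.register("a.smith", site_pass(alice, shop.origin)),
    }
    results["cross_site_matches"] = len(shared_passes(forum, shop))
    return results

if __name__ == "__main__":
    print(demo())
```

The sketch leaves out the step where the site checks that a presented pass was honestly derived from an enrolled identity. Without that check a client could submit any value, so a real deployment needs a proof bound to the enrollment.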

You also do not have to be the same person everywhere. You can keep separate aliases for separate parts of your life, a public name in one place and a quiet one in another, and those aliases cannot be tied to each other or traced back to one person. You set what each corner of the web sees. You can hide any alias whenever you like, so you control which ones are visible, and your aliases are kept rather than deleted.

Are you taking my biometrics?

No. The app never reads your passport's facial image, and Julia Social never receives a scan of your face. The only biometric in the system is the Face ID or fingerprint already on your phone, which you use to unlock your own keys and to authorize a signature. That check happens on your device, against data your phone already holds. Neither your face nor your fingerprint leaves your phone. The page photo your phone takes to unlock the passport chip also stays on the device, read for text and never for your face. This is the opposite of the iris-scanning and selfie-vault approaches that have drawn breaches and regulatory fines.

What if I lose my phone, or you get hacked?

You lose your phone. If you have more than one device set up, you keep going on the others. If you lose all of them, you recover your identity with your recovery password and your passport. Recovery takes about five days. The delay is a safety feature: if someone tries to hijack your identity, you get a window to cancel before it completes, and even a completed hijack can be reversed back to you. Choose a strong recovery password; it is the one secret that protects you here.

Julia Social gets hacked. Because signing and verifying never depend on Julia Social, a breach of the company does not touch your ability to use your identity, and it does not expose your passport data, which Julia Social never holds in readable form.

Can law enforcement see everything I do?

No, and the system is built so that bulk surveillance is not possible. There is no list to pull and no profile to match against.

Identifying a single user takes a specific legal demand naming one identity. The independent escrow company reviews that demand and can release only the one encrypted record it names; by contract it cannot release records in bulk. Even then, decrypting one record takes days of computation, by deliberate design. So identification is possible, but it is constrained, auditable, slow, and one record at a time.

This is deliberate. Julia Social could have built a system where identifying you is impossible, or one where it is trivial. It built one where lawful identification of a named person under due process stays possible, and everything short of that stays invisible. Your ordinary activity is not watched by anyone, including Julia Social.

Is this crypto? Do I need a wallet?

No wallet, no token, no fee. not.bot records identities on the Chia blockchain because that is a durable, decentralized place to anchor them, but you never have to hold cryptocurrency, never pay a blockchain fee, and never see a wallet. Julia Social covers the blockchain costs behind the scenes. You will not get a crypto bill, a tax form, or a seed phrase to lose. What is stored on the blockchain is identity records, not your name and birthdate, and Julia Social cannot see which blockchain queries your app makes.

What am I committing to, and how do I leave?

There is no account to delete. To leave, you stop using the app and delete it. Deleting the app removes your identity information, cryptographic keys, aliases, contacts, and history from your device. Without starting recovery, the identity is abandoned: no one can use it, and Julia Social cannot reach the underlying data.

What we are still building

  • In-person enrollment is on the near-term roadmap. Enrolling from home needs an NFC-enabled passport, the kind whose chip a phone can read and verify. In-person enrollment lets a trusted partner, such as a bank, hospital, or employer, verify your government ID against you in person, so you can join without a chip-enabled passport. It is coming.

Who is behind this

not.bot is made by Julia Social. The design commitment behind everything above is that the company cannot see your identity or your activity, because it built itself to be unable to, not because it promises to look away. An independent escrow company that has completed a SOC 2 Type 1 examination holds the only stored record and gates any release. The privacy-critical code is open to independent audit. And the company has put its name to the No Phone Home campaign rather than build a system that watches you use it.

If you want to check any claim here against the architecture, these documents carry the proof.