# **Law Enforcement & Accountability**

Some uses of not.bot™ would be criminal. Someone could sign child sexual abuse material, authenticated deepfake harassment, or fraudulent financial documents. Law enforcement must be able to identify perpetrators when presented with evidence of such crimes.

not.bot makes this possible while preventing the capability from being abused. Identification requires a specific signature, legal process, cooperation between multiple independent parties, and days of computation. The architecture rules out bulk surveillance, fishing expeditions, and shortcuts.

## **The identification process**

Law enforcement starts with a specific not.bot signature, the piece of evidence associated with the crime. Without a signature, there is no entry point. Julia Social has no mapping from real-world identities to root DIDs. The signature is the key.

**Step 1: Signature to root DID.** Law enforcement presents a valid legal demand to Julia Social along with the specific signature. Julia Social extracts the alias DID and the not.bot credential ID from the signature. Julia Social holds a mapping from SHA2-256(alias DID, not.bot credential ID) to root DID. This mapping can only be queried with both values together, and both values are available together only inside a signature. Julia Social looks up the root DID.

**Step 2: Root DID to encrypted data.** Julia Social submits a release request to the escrow agent (Praxis Escrow, an independent US escrow company that has completed a SOC 2 Type 1 examination), accompanied by the law enforcement documentation. Praxis reviews the demand and releases the encrypted identity record. This step takes approximately five business days and carries a significant financial cost.

**Step 3: Decryption.** Julia Social performs decryption on air-gapped infrastructure that never connects to the internet. Each user's identity data is encrypted with a unique AES key, and that AES key is in turn encrypted with the air-gapped RSA key. During enrollment, the Escrow Server deliberately erases some of the bits of the AES key before RSA encryption. To decrypt a record, Julia Social must first RSA-decrypt the partial AES key, then reconstruct the missing bits by brute force, trying all possible combinations until a valid decryption is found. This computation takes 3-7 days per record.

**Step 4: Disclosure.** Julia Social provides the decrypted identity information (name, birthdate, gender, nationality) to law enforcement.

Total time from demand to disclosure: approximately nine to fourteen days. There is no expedited process.

## **Why bulk surveillance is impossible**

The architecture blocks bulk data extraction at every layer.

**No bulk lookup exists.** The alias-to-root-DID mapping (Step 1) requires both the alias DID and the not.bot credential ID. These values appear together only inside signatures. Julia Social cannot enumerate its users, list their aliases, or run a query like "give me all identities." Each lookup requires a specific signature as input.

**The escrow agent gates release.** Praxis is an independent third party. It reviews each law enforcement demand before releasing an encrypted record. A request for "records matching a profile" has no meaning in this system, because each record is identified only by a root DID. By contract, Praxis cannot release any record without a specific law enforcement demand for that record, and cannot release records in bulk.

**Decryption does not scale.** Each user's record is encrypted with a unique key whose bits were partially erased. Decrypting one record requires a multi-day brute-force computation on air-gapped hardware. Decrypting a hundred records requires a hundred separate computations. The per-record cost makes mass decryption impractical.

**Three-party cooperation required.** An attacker or overreaching agency would need simultaneous access to Julia Social's production systems (for the alias-to-root mapping), Praxis's storage (for the encrypted data), and Julia Social's air-gapped decryption infrastructure (for the RSA key and brute-force capability). Compromising one or two of these three is insufficient.
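The key erosion from Step 3 and the per-record cost described under "Decryption does not scale", shown as an added example that is not Julia Social's code. The 128-bit key size, the choice of erasing the low-order bits, and the HMAC tag standing in for "a valid decryption is found" are assumptions; RSA wrapping of the eroded key is left out.

```python
import hashlib
import hmac

KEY_BITS = 128  # assumed AES key size; the page does not state it


def erode(key: int, erased_bits: int) -> int:
    """Zero the low `erased_bits` bits (which bits are erased is an assumption)."""
    return key & ~((1 << erased_bits) - 1)


def check_tag(key: int, ciphertext: bytes) -> bytes:
    """Stand-in for 'a valid decryption is found': HMAC-SHA256 over the ciphertext."""
    raw = key.to_bytes(KEY_BITS // 8, "big")
    return hmac.new(raw, ciphertext, hashlib.sha256).digest()


def enroll(key: int, ciphertext: bytes, erased_bits: int):
    """Enrollment side: keep only the eroded key and a tag made with the full key.
    RSA wrapping of the eroded key is omitted here."""
    return erode(key, erased_bits), check_tag(key, ciphertext)


def recover(eroded: int, tag: bytes, ciphertext: bytes, erased_bits: int):
    """Decryption side: try every value of the erased bits until the tag matches."""
    for trials, guess in enumerate(range(1 << erased_bits), start=1):
        candidate = eroded | guess
        if hmac.compare_digest(check_tag(candidate, ciphertext), tag):
            return candidate, trials
    raise ValueError("no candidate key validated")


def worst_case_days(erased_bits: int, trials_per_second: float) -> float:
    """Time to exhaust the erased-bit space for ONE record, in days."""
    return (1 << erased_bits) / trials_per_second / 86400


if __name__ == "__main__":
    ciphertext = b"constructed sample ciphertext"   # constructed input
    key = 0x0123456789ABCDEF0123456789ABCDEF        # constructed key
    eroded, tag = enroll(key, ciphertext, erased_bits=16)
    found, trials = recover(eroded, tag, ciphertext, erased_bits=16)
    print(found == key, f"{trials} of {1 << 16} candidates tried")
    # Illustrative figures only, not the system's real parameters.
    print(f"{worst_case_days(40, 2_000_000):.1f} days per record at 40 bits")
```

Each additional erased bit doubles the search space, and the search restarts from nothing for every record because each record has its own key.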

## **Jurisdictional boundaries**

Julia Social is a US-based company. Non-US law enforcement agencies must submit requests through a US agency. Julia Social only responds to valid US legal process.

## **Deterrence with accountability**

not.bot makes a deliberate design choice: criminal misuse can be investigated, but investigation requires specific evidence (a signature), legal process, multiple independent parties, and significant time and financial cost. The system provides deterrence (a criminal who signs content with not.bot can be identified) alongside accountability safeguards (identification cannot happen without evidence and due process).

This model serves both civil-liberties and regulatory audiences. Privacy advocates can verify that bulk surveillance is architecturally impossible and that identification requires real evidence. Regulators and enterprise buyers can verify that the system cooperates with lawful investigation. The same architecture satisfies both requirements because the constraints are structural, not policy decisions that could change.

The escrow architecture exists for this purpose. Julia Social could have designed a system where identification is impossible (by not storing encrypted identity data at all) or trivial (by holding identity data in cleartext). The three-party model with an independent escrow agent, air-gapped decryption, and deliberate key erosion sits at a specific point on that spectrum: identification is possible, constrained, auditable, and slow.

For the full set of privacy properties that govern what each party can and cannot access, see the [Privacy Architecture](http://doc_07_privacy_architecture.md) document. 
