{
  "$type": "site.standard.document",
  "bskyPostRef": {
    "cid": "bafyreier656c4yjipyqbaagd7mrsip5wvanlgt7rpxutrdi424aznuqdau",
    "uri": "at://did:plc:ep3fxt5imrl3vy62u2j2i4vl/app.bsky.feed.post/3mfrdytnwjui2"
  },
  "coverImage": {
    "$type": "blob",
    "ref": {
      "$link": "bafkreief4m6yvfzs7ww454isiaug476drksb5gzvmfaxerzix4fgifoe4q"
    },
    "mimeType": "image/png",
    "size": 2325535
  },
  "description": "In the last piece, we covered why PoBU is probabilistic. It explained that the strength of the “one eligible account per human” rule depends on two things: biometric error rates and policy choices.\n\nNow comes the next natural question:\n\nEven if the rule is clearly defined, what can still go wrong in a real system?\n\nThis is where the threat model comes in.\n\nIn simple terms, this part of the paper lists the main ways a PoBU system can fail, be weakened, or be attacked in practice.\n\nThe paper highl",
  "path": "/what-can-go-wrong-in-pobu-threat-model/",
  "publishedAt": "2026-02-26T13:56:40.000Z",
  "site": "https://blog.humanode.io",
  "tags": [
    "https://papers.humanode.io/pobu.pdf"
  ],
  "textContent": "In the last piece, we covered why PoBU is probabilistic. It explained that the strength of the “one eligible account per human” rule depends on two things: biometric error rates and policy choices.\n\nNow comes the next natural question:\n\nEven if the rule is clearly defined, what can still go wrong in a real system?\n\nThis is where the **threat model** comes in.\n\nIn simple terms, this part of the paper lists the main ways a PoBU system can fail, be weakened, or be attacked in practice.\n\nThe paper highlights four main risk areas:\n\n  * issuer concentration\n  * compromise / coercion\n  * availability\n  * privacy / linkability\n\nLet’s unpack them in plain language.\n\n## **1) Issuer concentration**\n\nPoBU needs a process that decides whether someone is eligible.\n\nThe paper flags a risk here: what if too much of that power sits with too few parties?\n\nIn normal terms, this means:\n\nIf only a small number of actors control who gets marked as eligible, they become a powerful gate in the system.\n\nEven if the chain is open, this part can still become concentrated.\n\nWhy this matters is simple. PoBU is trying to define participation at the level of unique humans. But if the ability to approve that participation becomes too concentrated, then the system can be shaped by a small group at the point where eligibility is decided.\n\nSo this threat is not about the idea of PoBU itself. It is about who controls the “entry point.”\n\n## **2) Compromise / coercion**\n\nThe paper also flags compromise and coercion.\n\nThis is about what happens if eligibility is not simply “owned and used safely” by the intended person.\n\nIn plain language, even if the rule is one eligible account per human, someone can still try to break the system by:\n\n  * stealing access\n  * forcing access\n  * pressuring people\n  * or controlling eligibility in practice through real humans\n\nThis matters because PoBU limits how many eligible accounts a person can have, but it does not magically remove the risk that real humans can be manipulated, pressured, or compromised.\n\nSo this threat is about the difference between:\n\n  * **who should control eligibility**, and\n  * **who actually controls it in practice**\n\nThat gap matters a lot in any real system.\n\n## **3) Availability**\n\nThis one is easy to understand.\n\nThe eligibility system has to be available and working.\n\nIf it is down, unstable, or unreachable, people may not be able to:\n\n  * prove uniqueness\n  * renew eligibility\n  * or recover after resets\n\nSo availability is the “can people actually use the system when they need to?” problem.\n\nA simple way to think about it:\n\nEven a well-designed system becomes a problem if people cannot access it at the right time.\n\nIn PoBU terms, eligibility is not just a definition on paper. It is something people need to interact with over time. If that process is unavailable, participation itself gets affected.\n\n## **4) Privacy / linkability**\n\nPoBU is not about putting civil identity on-chain.\n\nBut the paper still flags privacy and linkability as a risk.\n\nWhy?\n\nBecause even if a system does not store “who you are,” it can still create patterns that make activity easier to connect over time.\n\nThat means the risk is not only “identity exposure.” It can also be “making people easier to track or connect across actions.”\n\nA normal way to think about this:\n\nA system may avoid storing your name, but still leave enough traces that someone can connect your actions together.\n\nThat is why privacy and linkability appear in the threat model. Even though the system is only about unique-human eligibility, it still has to care about what gets exposed around that process.\n\n## **Why this section matters**\n\nThis part of the paper is important because it shows PoBU is not presented as “problem solved.”\n\nThe paper does not only define the rule.\n\nIt also names the main places where real-world systems can break:\n\n  * too much control at the eligibility issuer layer\n  * compromised or coerced eligibility in practice\n  * system downtime / unavailability\n  * privacy and tracking risks\n\nThat makes the paper easier to trust as a technical framework, because it describes not only what should happen but also what can go wrong.\n\nYou can read the paper here: https://papers.humanode.io/pobu.pdf\n\n## **What’s next**\n\nThe next theme after this is how the paper connects the PoBU idea to a real running system and evaluates it using public chain-derived data.\n\nThat’s where the paper moves from definition and risks to measurement on a live network.",
  "title": "What can go wrong in PoBU? (Threat model)",
  "updatedAt": "2026-02-26T13:56:40.896Z"
}