Threat Model
What This Device Defends Against
And, just as importantly, what it does not. We would rather you know before you buy.
Defends Against
Passive network fingerprinting
Tor routing is enforced at the OS level. There is no app-layer toggle to forget. Traffic does not leak around the tunnel via misconfigured DNS or split routing.
Carrier-side identifier correlation
eSIM is provisioned in privacy-friendly jurisdictions that do not share subscriber data with requesting parties. The device does not expose IMEI or other hardware identifiers on the network.
Stock-app telemetry and Google services
Stock Google and OEM applications are removed at the distribution level. The device does not phone home to Google services on first boot.
Physical seizure (data-at-rest)
The kill switch destroys the keys protecting the encrypted filesystem, rendering data unrecoverable. The encryption is software-level, applied to the filesystem.
Operator misconfiguration
Hardening lives at the distribution level rather than in user-installed apps. There is no per-user configuration path through which you could forget to enable Tor, leak DNS, or accidentally turn off the messenger.
Does NOT Defend Against
Requirements for hardware-attested crypto
VaultPhone uses software-level filesystem encryption. We do NOT use hardware encryption and we do NOT make hardware attestation guarantees. If you need attested hardware crypto, look elsewhere.
PGP-keyed workflows
There is no PGP on the device. Encrypted messaging is handled by Signal. If your workflow requires PGP-signed or PGP-encrypted email, this device does not provide it.
Endpoint compromise via your own behavior
The device cannot save you from authenticating into a tracked account, sideloading hostile software, or photographing sensitive material in front of a window. Operational discipline is the user's responsibility.
Targeted active exploitation of the Pixel hardware itself
The base hardware is a Google Pixel. Pixel hardware vulnerabilities discovered upstream affect this device until patched. We mitigate at the distribution level — we do not ship a custom kernel.
Metadata visible to Signal or the Tor network itself
Tor reduces network correlation but does not eliminate it. Signal conceals message content but exposes some metadata. We do not claim otherwise.
This Device is NOT For You If…
- You require hardware-attested cryptography or a TPM-backed key store.
- Your workflow is built on PGP-signed or PGP-encrypted email.
- You expect physical kill switches that cut the camera, microphone, or baseband circuits — the kill switch is a software wipe.
- You expect a device with no baseband radio at all: this is a Pixel, and the baseband exists.
- You need a phone that can run the full Google Play ecosystem without restriction.
We are honest about the boundaries of what we ship because the alternative — selling a device that does not match your threat model — gets people hurt.