The Forum Initiative: Citizen Led R&D for Civic Tech and Data Sovereignty

The Forum Initiative

A Democratic Model for Ethical Civic Data

A participant-owned system for collecting, protecting, and commercializing civic sentiment — designed so that the people who generate the data govern and benefit from it.

github / forum-stack airlock.yourcommunity.forum forum-egress.yourcommunity.forum

Governance Model

Participant-Owned. Democratically Governed.

The Forum Initiative is designed to operate as a data cooperative — a legal and technological entity in which participants collectively own, govern, and benefit from the system they contribute to.

Member Ownership

Participants are not users of a platform — they are members of a cooperative. Ownership of the system and its data is distributed among those who contribute to it.

Design Phase

Democratic Governance

Decisions about data use, revenue allocation, and system policy are made collectively. No single actor holds unilateral authority over member data.

Design Phase

Accountability by Design

The cooperative structure creates a formal relationship of accountability to its members — not to advertisers, platforms, or third-party data brokers.

Design Phase

Privacy Architecture

Technical Incapacity by Design

Privacy is not a policy promise. It is an architectural commitment — built into the system so that certain actions are structurally unsupported, regardless of who operates it.

The surveillance or re-identification of any participant is not prohibited by policy. It is made structurally impossible by the architecture itself.

Pseudonymization

Submissions are pseudonymized by design. Raw identity is never stored alongside content — only a cryptographic hash derived from a key the participant controls.

Live in Prototype

Zero-Knowledge Proofs

Eligibility and identity verified without revealing underlying information. Currently the prototype uses WebAuthn passkey auth. Full ZKP verification is on the roadmap.

Roadmap

No Raw Storage

The target design permanently deletes raw text after aggregation. The current prototype stores submissions in your personal Pod under your control. Automated deletion is in design.

Roadmap

Physical Isolation

The target architecture uses a hardware data diode to keep the analysis environment unreachable from the public internet. The prototype runs on Cloudflare. Hardware isolation is a later-phase build.

Roadmap

System Architecture

How a Submission Moves Through the System

Each submission passes through discrete phases before it becomes part of an aggregate dataset. Steps marked Live are implemented in the current open-source prototype.

Identity Verified. Identity Separated.

The participant's device verifies identity using a passkey bound to the device's secure enclave. The device signs a data bundle with an Ed25519 key and attaches a cryptographic hash of the public key — not the identity itself.

WebAuthn Passkey Ed25519 Signing Secure Enclave Live

Collected. Authenticated. Stored in Your Pod.

The Airlock Worker verifies the signed bundle, checks it against a replay cache, and writes it to your personal Durable Object — a Pod tied to your passkey identity. The cooperative side receives only opt-in aggregate counts and your pseudonymous hash.

Cloudflare Worker Replay Cache Durable Object Pod Live

One Direction Only.

In the target architecture, a physical data diode enforces a hardware-level one-way transfer to an offline analysis environment. This layer is not yet built. The current prototype keeps data in your Pod on Cloudflare infrastructure.

Data Diode Hardware Isolation Roadmap

Aggregated. Anonymized. Distributed via Egress.

The egress layer serves public cooperative reports — aggregate counts, no individual records — via a separate read-only Worker. The live endpoint is accessible now.

Aggregate Only No Individual Records forum-egress.yourcommunity.forum ↗ Live

Revenue Model

The Data Generates Value. Members Share In It.

Aggregate civic sentiment data has real market value to policy researchers, academic institutions, and civic organizations. The cooperative model is designed to return that value to participants. This model is in design — no revenue has been generated or distributed.

Submission

A participant submits a verified response. A payout hash is generated and logged.

Aggregation

Submissions are processed into anonymised datasets. Individual contributions are indistinguishable in the aggregate.

Data Sale

Aggregate datasets are made available to qualified buyers — researchers, policy bodies, and civic institutions.

Distribution

Revenue is distributed to participants via their payout hash. No personal information required to claim compensation.

Compensation is conditional on revenue thresholds and governed by the cooperative's founding membership agreement.

Open Source

Built in the Open. Including the Mistakes.

The full codebase is public under AGPL-3.0. Thirteen Handover documents trace every architectural decision, including the ones that failed. The live Airlock and Egress endpoints are running now.

GitHub · AGPL-3.0

forum-stack

Full source: Pod app, Airlock Worker, Egress Worker, and 13 Handover documents covering architecture history.

Live · Cloudflare Worker

airlock.yourcommunity.forum

The authentication and ingestion layer. WebAuthn passkey verification, Ed25519 bundle signing, Pod Durable Object.

Live · Public Report

forum-egress.yourcommunity.forum

The cooperative aggregate report. No individual records. The sum of what members have opted to share.