The UVST R&D Project will develop a mobile&desktop ultra-private user-friendly end-to-end computing platform service, that provides minimalistic yet truly-trustable voice, email/text/chat and Web, for social and business use, through dedicated processes and server and end-user devices based on the same hw platform. It’s SW/HW architecture will have power consumption and form-factor that make it suitable for both a 2-2.5mm-thin touch-screen handheld device, integrated or “attached” to any user’s ordinary smartphone, as well as for server, routing and other IoT/M2M equipment, albeit with minimal features and performance. It sustainably achieves revolutionary assurance levels and low costs through revolutionary UVST Paradigms, based on extreme minimization and levels of verification relative-to-complexity, extreme user-accountability of organizational processes in the life-cycle, and user-controlled fabrication oversight of all critical hardware and software components.  

UVST Socio-technical Architecture

A dedicated 2-2.5mm-thin touch-screen e-ink screen handheld device (or CivicPod) which is available either attached to the back of any user’s mobile phone via a dedicated external case, or (outside scope of this project) “inserted” inside the internal case of a custom-built smartphone’s (or CivicPhone), sharing its battery. Each CivicPod user will also optionally receive, at cost, a paired cheap TV-connected device (or CivicDongle) with capability to act as secure Tor node for metadata privacy (and for later mass roll-out, play on-TV secure UVST content, as well as ordinary mobile-formatted Web content). CivicPods are assembled, verified, flashed, and transferred to their users in dedicated custom-built street-facing lab (or CivicLab), that contains a server room, where all privacy-sensitive services, if offered, must be hosted in dedicated hosting room (or CivicRoom), whose access requires 5 randomly selected user -witnesses and dedicated servers (or CivicServers). Fabrication and design of all critical hardware components will be subject to oversight processes (or CivicFab) that will substantially exceed in end-user-trustworthiness those of NSA Trusted Foundry Program, at substantially lower costs. After an initial exclusivity for a Post-R&D UVST Consortium, UVST services can be managed, distributed and commercialized by any willing service provider (or CivicProviders). CivicProvider service is regularly and continuously verified and certified by a to-be-established dedicated certification organization/committee (or CivicAuthority), made up mostly of world leading global digital civil rights organizations, also responsible for the updating of the certification specifications, the final formal Paradigms (or UVST Paradigms) and derived certification requirements (or UVST Specifications). The same base HW&SW base will run CivicDevices (Pod, Server, Dongle) and CivicRoom locks.
User authentication may technicall rely on a dedicated non-RF and non-MCU smart-card CivicPod-embedded chip (or CivicID), and a RF-enabled “bank-card sized” smart-card (or CivicCard) that provides 2nd factor authentication while the card is in the user’s wallet.
The same extremely-minimized HW&SW computing base will run all CivicDevices (Pod, Server, Kiosk Dongle) and CivicRoom locks, to drastically reduce costs.


The CivicPod is available either attached to any user’s mobile phone via a dedicated external case, or “inserted” inside the internal case of a custom-built 8-9mm-thin smartphone’s (CivicPhone), sharing its battery. The CivicPod is: 2/3 the size of an average smartphone; embeds encryption hardware, very minimal software, a power connector, micro-HDMI port and 2 Bluetooth ports, dual front-facing cameras for highly-innovative on-TV user interactions; and interfaces via Bluetooth to the user smartphone (as a mere hostile data connection bridge) and to desktop peripherals. For desktop use, the CivicPod is inserted in an included dedicated docking station with HDMI-switch – which charges both devices and relays the CivicPod screen info on the desktop monitor, and connects via BT to a dedicated KeyboardPad. Each CivicPod can have either a single persona, controlled by the user, or 2 “personas”, one of which can be controlled completely by a third party (such as employer).

CivicDongle: Metadata Privacy and on-TV Mobile Web

In initial premium consumer deployment (and  a phase-2 wide/market consumer deployment) scenario, the CivicPod may be used with an optional CivicDongle, a cheap HDMI TV-connected device with DVT-B2, HTML5 and Tor node capabilities device – it also provides through its front dual-cameras  unique and extremely intuitive “TV-screen touch control from the sofa” remote control for any mobile-formatted Web App, Web site and compatible mobile apps, (and even acts as a mobile kinect-like peripheral for compatible on-TV Web Apps when place on a TV-frame dock). The CivicDongle will be optional but it will be underpriced to ensure a good number of onion routing nodes to increase metadata privacy protection.

Metadata Privacy features: Tor Project (and/or other Onion routing) functionality will be provided to protect the privacy of both voice and non-voice communication metadata, except location data in some cases. It will be directly or indirectly provided through a large number of entry and exit nodes (at least many hundreds) provided by the CivicDongle. Sophisticated per-user and behavioral traffic analysis countermeasures will be put in place both on CivicPods and the CivicDongles, including: random off-setting of server connections between parties to the same IP call; random generated spoofing and decoy voice-like and data-like traffic; and several other measures. Such countermeasures will become adequately effective only when the user base will be both active and large (at least a few thousands of daily users for voice calls), especially if not using the Tor network. Since we want (and need in some case) to allow civilian security agencies to access user logs as per legislation, if authorized by a civilian court-issue warrant, in Hybrid Version, each CivicPod will send back to the CivicRoom the (encrypted) actual true parties and timings of each IP session, that goes through the onion routing network.

Entertainment Features: The user will be able to: (1). Flip and watch free-to-air digital TV channels; (2). View EPG with recording option; (3). interact with any Web page or Web app in mobile format; (4). Navigate and rearrange favorite Web pages, Web apps and video podcasts in the form of icons; (5). View and interact on-TV with the ultra-private CivicPod screen content [and possibly play selected ultra-secure video format, DRMed or not].
An optional TV-frame docking station for the CivicPod enables interaction with dedicated Kinect-like gaming or interactive Web applications on the CivicDongle (without privacy fears) or compatible application on the user’s smartphone, as well as TV remote control (thumb up for raising volume, swipe hand to previous channel, etc.).
Following possible agreements with broadcaster, content rights owners and telco – before or during the R&D phase – direct support in the CivicDongle of HbbTv, Italian MHP and TivuOn Standard, in addition to Global iTV (new global standard with plans for backward compatibility including those 2 standards).
How does the CivicPod remote-controls the CivicDongle?: Through refractive lenses of its built-in dual low-res front-facing cameras, 3d finger movements above the CivicPod screen are tracked. Movements are visible on the TV screen as halos of varying size, as finger position information appear as a semi- transparent video-overlay stream on the TV screen that decrease in opacity and size as the fingers gets closer to the CivicPod screen. Touch events are also relayed to the CivicDongle to trigger touch events on the CivicDongle UI, and therefore on the TV screen. Therefore, overall the user gets the experience of “touch controlling” their TV from the comfort of the Sofa, but while looking at all times to the TV screen instead of the Civic Pod screen. Screen size and minimum font-size of mobile Web content relayed on the TV can be adjusted by the user (depending on TV size, distance to sofa and eyesight). The CivicPod screen is off while interfaced with the CivicDongle, so as to reduce heat generation and battery consumption. CivicPod may be placed face-up on a sofa arm to enable 1-hand interaction.

Basic CivicPod features and UX

The CivicPod is typically used while firmly lodged at all times into its dedicated external smartphone case, even when detached from the smartphone, to increase form factor for easy interaction with its virtual keyboard and touch screen. Some may choose to carry it in a small case or a custom built wallet. Smartphones, in fact, are coming down to 6-7mm are therefore starting to be perceived as too thin for optimal ergonomics. Certain CivicPod internal hardware components may be aggregated towards one of the short sides, with the screen possibly not being functional in such area, in order to  make sure thickness stays under 3mm.
    CivicPod is enabled to support 2 (or more) personas, so that users may maintain a strict and ultra-secure separation between personal and organizational data. If the user is fired, for example, the organization can autonomously remove completely the organizational persona, while the user may choose to keep the CivicPod for personal use, provided he starts paying personally for the service. User may choose to pay cash for service and/or appear using a pseudonym instead of its real name. Colored led lights signal, among other things, encryption activation and recharging, providing aesthetically pleasing special effects for translucent phone cases.
   CivicPod is protected from tampering by malicious users, including the use of state-of-the-art tamper resistant chips, processors and casing. The only physical ports available will be a micro-HDMI and a micro power connector. 3D facial recognition and/or voice print, or other technologies, will be explored to enhance user login security, centered on password or passphrase, albeit they may end up adding more attack surface than additional assurance given the complexity of the systems typically involved.
Although optional, CivicDongles will be underpriced to ensure at least many hundreds of CivicDongle out there to provide essential onion routing functionality.

Through their CivicPod users can, in ultra-private, ultra-secure and ultra-authenticated way:

  • Exchange synchronous (“SMS/chat”) and asynchronous (“email”) text messaging, with other CivicPod users
  • Initiate and receive Voip and analog ultra-private voice calls, with other CivicPod users.
  • Interact with almost any Web page, although in a very-basic mostly-text format, dynamically-transformed for security and readability via the CivicRoom and/or Tor hidden services.
  • Compose, save, archive and attach rich text documents.
  • Support for multi-personas
  • Remote control a CivicDongle (and other compatible TV-connected devices)
  • (optional) Securely store passwords, including Web browser logins.
  • (optional) Social features: multi-user communication spaces will enable collective discussions, data/status sharing, off-the-record and pseudonymous discussions, and more.
  • (optional) Backup of selected CivicPod info, documents and logs in the CivicRoom, and in its zero-knowledge encrypted off-site backups selected
  • Generate time-synchronized one-time passwords (for use in bank deployment)
  • Exchange of emails and Text/SMS to any address non-CivicPod addresses, which will be relayed back and forth by the CivicRoom. UI will signal clearly if user is in secure or insecure mode.

CivicPod+CivicDongle Features and UX

Follows a description of the typical user experience of the CivicPod user, in different locations and with the use of dedicated and non-dedicated user’s peripherals. All dedicated peripherals may be optional:

ANYWHERE, the CivicPod is used for ultra-private voice and text with other CivicPods, as well as simplified Web navigation, using the user’s smartphone as a mere “hostile” communication channel accessed via Bluetooth or a BT-enabled app on such smartphone, that just routes encrypted data to the CivicRoom.
User interacts through touch screen, virtual keyboard and any [or dedicated encrypted] bluetooth earpiece. The earpiece use is protected from the possible user’s smartphone eavesdropping through an (optional) special sound-proof case, distance and/or sound isolating actions by the user. Overall audio user experience would be similar to Rhode Schwartz Top Sec, although encryption happens in the CivicPod rather than in the earpiece.
Connection between the CivicPod and peripherals will be wireless [encrypted bluetooth or  dedicated encrypted wireless] so as to keep all such devices free of physical ports (except for a micro-HDMI or mini-VGA port, and the power connector on the CivicPod) and therefore increase anti-tampering, as well as increase usability and coolness.

AT THE DESKTOP, the CivicPod is used for the same functionalities as “on the move”, but while lodged in its (optional) custom dedicated CivicPod Dock docking station with built-in (very high-security) HDMI [and/or VGA] switch – and  connected via dedicated wireless encrypted connection to a thin keyboard with mouse pad, (optional) CivicPod KeyboardPad – to interact more comfortably with long-form Web and rich text content for writing, reading and communications.
It enables its user to toggle with a switch between its ordinary (unsecured) PC and the CivicPod/UVST work space, so that he can use the same desktop monitor. The docking station has two power connectors so that it can charge both the CivicPod and the user’s smartphone at the same time. It would enable the user to have a ultra-secure work environment while at his home desktop, and/or a ultra-private personal environment while at his work desktop. It therefore enables the dual persona user experience, typical of advanced business mobile solutions, to be also experienced while at the desktop. Additional client/server applications may be available for different client-type deployments (such as ultra-private e-banking and one-time password generator, password manager, resilient backup).

AT THE SOFA OR BED, the CivicPod can be used as on the move, (although mostly attached to the external smartphone case but detached from the smartphone) to enable its use as an highly-innovative, ergonomic and immersive “magic” touch-based control of the (optional) CivicDongle contents on the TV screen.
Screen size and minimum font-size of mobile Web content relayed on the TV can be adjusted by the user (depending on TV size, distance to sofa and eyesight). The CivicPod screen is off while interfaced with the (optional but incentivized) CivicDongle, so as to reduce heat generation and battery consumption. CivicPod may be placed face-up on a sofa arm to enable 1-hand interaction.

Optional Peripherals: CivicReader & Civic LapCase

In addition (or in alternative) to the Civic KeyboardPad, users may also purchase a dedicated 7-10” CivicReader (optional) where the CivicPod can be inserted and operated on a larger touch-screen. It would include a good-battery so that it would recharge the CivicPod, while it is lodged inside of it. It will have a touch-enabled backlit EPD or e-ink&LCD screen. It can be used as a large-sized touch-enabled e-reader for non-private content, for long-form reading (and simple writing) of any Web accessible personal or public resources, such as bookmarking, archiving, news or email services (Evernote, Pocket, Gmail, and most any Web page). Contents would be transformed (XSLT) through the CivicRoom for compliance with the secure browser and for best readability.

Owners of both Civic KeyboardPad and Civic Reader may purchase a dedicated laptop-sized case, the CivicPod LapCase (optional), enables CivicPod users to interact with its contents both in a e-reader[/tablet] mode, as well as a laptop mode (similar UX to to Asus PadFone, Asus Transformer or to a number of solutions that turn an iPad into a laptop).