Privacy Architecture
Privacy in Quira is not a feature — it is an architectural constraint. Every subsystem is designed under the principle of data minimization: collect only what is needed, store it locally, encrypt it at rest with forward secrecy, and never transmit it without explicit consent.
Local-first storage
All browsing data — history, Context Graph, bookmarks, passwords, form data — is stored exclusively on the user's device. There is no cloud sync by default.
- SQLite + SQLCipher — AES-256 encryption at rest for all structured data
- Per-profile keys — Each browser profile has its own master key derived from the OS keychain
- Independent embedding encryption — Semantic embeddings are encrypted with a separate key from the main database, so compromising one does not expose the other
- Secure deletion — Deleted data is overwritten with random bytes, not just unlinked
Cryptographic architecture
Quira goes beyond standard encryption-at-rest with several cryptographic innovations designed specifically for knowledge graph protection. For state-dependent graduated encryption (four protection classes tied to authentication state), see Knowledge Protection Classes (KPC).
| Technique | What it protects | How it works |
|---|---|---|
| Forward secrecy at rest | Past data after key compromise | Epoch-based key rotation. Old epoch keys are securely erased. Forensic access to current key cannot decrypt past epochs. |
| Threshold encryption | Single-point-of-failure key management | Shamir Secret Sharing (3-of-5). Master key is split across device, cloud backup, recovery phrase, biometric, and hardware key. Any 3 reconstruct the key. |
| Verifiable deletion | User trust in data removal | Cryptographic proof that deleted data is irrecoverable — the encryption key for that data segment is provably destroyed. |
| Differential privacy | Graph queries leaking patterns | Calibrated noise injection on aggregate queries. Individual browsing patterns cannot be reconstructed from query results. |
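The 3-of-5 threshold split in the table can be illustrated with a minimal Shamir Secret Sharing routine. This is an added example, not Quira's code; the field prime, the function names and the holder identifiers are assumptions chosen for illustration.

```python
import secrets

# Assumed parameters: the page gives only "3-of-5" and the five share holders.
PRIME = 2**521 - 1  # Mersenne prime, comfortably larger than a 256-bit key
THRESHOLD = 3
HOLDERS = ["device", "cloud_backup", "recovery_phrase", "biometric", "hardware_key"]


def _eval_poly(coeffs, x):
    """Evaluate the polynomial at x over GF(PRIME) using Horner's rule."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_key(master_key: bytes) -> dict:
    """Return {holder: (x, y)}; any THRESHOLD shares rebuild master_key."""
    secret = int.from_bytes(master_key, "big")
    # Degree THRESHOLD-1 polynomial with the secret as its constant term.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(THRESHOLD - 1)]
    return {h: (x, _eval_poly(coeffs, x)) for x, h in enumerate(HOLDERS, start=1)}


def recover_key(shares, key_len: int = 32) -> bytes:
    """Lagrange-interpolate the polynomial at x = 0 from the given shares."""
    points = list(dict(shares).items())  # drop duplicate x coordinates
    if len(points) < THRESHOLD:
        raise ValueError("need at least %d distinct shares" % THRESHOLD)
    secret = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = (num * -xj) % PRIME
                den = (den * (xi - xj)) % PRIME
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    return secret.to_bytes(key_len, "big")
```

Any three of the five `(x, y)` pairs passed to `recover_key` return the original 32-byte key; two shares on their own are consistent with every possible key, so they reveal nothing about it.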
Post-quantum readiness
Phase 3 (2027) will introduce hybrid post-quantum key exchange (ML-KEM / Kyber) alongside X25519 for future-proofing against quantum attacks on stored data.
Temporal security
Quira treats time as a security dimension. Permissions and data access are not static — they decay, expire, and self-destruct.
| Mechanism | Purpose | Example |
|---|---|---|
| Permission decay | Prevent stale grants accumulating risk | A plugin's read:nodes token auto-expires after 24 hours unless renewed |
| Session amnesia | Limit temporal correlation attacks | Context Graph queries in Strict mode only return data from the current session |
| Dead man's switch | Protect data if user is incapacitated | If no unlock within N days, graph is cryptographically sealed (configurable) |
| Forward-secret sessions | Prevent retroactive session reconstruction | Each browsing session derives ephemeral keys; session data cannot be decrypted after session ends |
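Forward secrecy at rest (epoch-based rotation) and forward-secret sessions both rest on a one-way key chain whose earlier links are erased. The sketch below is an added example, not Quira's code: it assumes an HMAC-SHA256 ratchet, constructed derivation labels and a stdlib-only stand-in cipher, where an epoch can be a time window or a single browsing session.

```python
import hashlib
import hmac

ADVANCE = b"example/epoch-advance"  # constructed derivation labels,
DATA = b"example/data-key"          # not taken from Quira


class EpochRatchet:
    """One-way key chain: K[n+1] = HMAC-SHA256(K[n], ADVANCE), then K[n] is wiped."""

    def __init__(self, root_key: bytes):
        self.epoch = 0
        self._chain = bytearray(root_key)

    def data_key(self) -> bytes:
        """Key that encrypts records written during the current epoch."""
        return hmac.new(bytes(self._chain), DATA, hashlib.sha256).digest()

    def rotate(self) -> None:
        """Advance one epoch and overwrite the previous chain key in place."""
        nxt = hmac.new(bytes(self._chain), ADVANCE, hashlib.sha256).digest()
        for i in range(len(self._chain)):  # best-effort wipe: Python may
            self._chain[i] = 0             # still hold temporary copies
        self._chain = bytearray(nxt)
        self.epoch += 1


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in cipher (SHA-256 in counter mode) to stay stdlib-only.
    A real store would use an AEAD such as AES-256-GCM."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + nonce + off.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], pad))
    return bytes(out)


def seized_after_rotation(root_key: bytes, record: bytes):
    """Encrypt in epoch 0, rotate, then try the only key still on disk."""
    ratchet = EpochRatchet(root_key)
    nonce = bytes(12)  # constructed; use a unique nonce per record in practice
    ciphertext = keystream_xor(ratchet.data_key(), nonce, record)
    ratchet.rotate()
    attempt = keystream_xor(ratchet.data_key(), nonce, ciphertext)
    return ratchet.epoch, ciphertext, attempt
```

`seized_after_rotation` returns the epoch-0 ciphertext together with the result of decrypting it with the epoch-1 key, which is not the original record: the chain can be walked forward from the current key but not backward.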
Anti-tracking measures
Quira implements multiple anti-tracking layers that work together:
| Technique | What it blocks |
|---|---|
| Cookie partitioning | Third-party cookies isolated per first-party origin |
| Storage partitioning | localStorage, IndexedDB, Cache API isolated per origin pair |
| Fingerprint resistance | Canvas, WebGL, AudioContext, font enumeration noise injection |
| Referrer trimming | Cross-origin referrers stripped to origin-only |
| Bounce tracking protection | Detects and blocks redirect-based tracking chains |
Hardware-software co-design
Quira is designed to leverage hardware security features when available, with graceful fallback to software-only protection.
| Hardware feature | Quira usage | Fallback |
|---|---|---|
| TEE (Intel SGX / ARM TrustZone) | AI inference in isolated enclave — model weights and graph data never exposed to main OS | Process-level isolation with encrypted memory pages |
| Secure Enclave / TPM | Master key derivation and storage; biometric unlock binding | OS keychain with PBKDF2 derivation |
| Memory encryption (Intel TME / AMD SME) | Per-tab memory encryption — compromising one tab's memory region does not expose others | Address space layout randomization (ASLR) |
Privacy modes
Quira offers graduated privacy modes that users can set globally or per Context Space:
| Mode | Context Graph | AI | Network | Temporal |
|---|---|---|---|---|
| Standard | Full capture | Local | Normal + tracker blocking | Configurable retention |
| Strict | Titles only | Local only | Aggressive filtering, no WebRTC | Session-only data |
| Incognito | Disabled | Disabled | Tor-ready (optional) | RAM-only, zero persistence |
| Lockdown | Disabled | Disabled | Tor + JIT disabled | Panic wipe on trigger phrase |
Context Lockdown Mode
Lockdown Mode is designed for journalists, activists, and users in hostile environments. It disables JavaScript JIT compilation, restricts all network traffic to Tor circuits, runs the Context Graph in RAM-only mode, and supports a panic wipe triggered by a configurable key combination.