Camera networks usually gain usefulness by centralizing footage, which also centralizes surveillance power. Open Witness Protocol explores whether a community could answer a narrow question about a specific event without creating a general-purpose feed.
A docs-first protocol idea for signed, time-limited, geography-limited event alerts sent to participating local cameras with rolling local buffers and silence when nothing matches.
The aim. Explore whether narrowly scoped evidence requests can support public safety while preserving local control and no-match silence.
01The problem behind the project
Centralized camera networks create broad surveillance power. A citizen-owned system might answer a narrow event question without continuously exporting footage.
The core idea is an event-scoped request: signed, limited in time and geography, evaluated against a rolling buffer on participating citizen-owned devices. If nothing matches, the network should reveal nothing—not even an inventory of irrelevant footage.
Communities, incident investigators, camera owners, and people near an event are affected. Bystanders have the strongest privacy interest and cannot meaningfully opt into every recording.
02How it took shape
A conceptual RFC defining event scope, signed requests, local matching, rolling retention, no-match behavior, owner control, and privacy invariants.
The project currently exists as a docs-first RFC describing request scope, local matching, retention, owner control, no-match silence, and privacy invariants. No operating network, matching model, pilot, or security validation has been built.
Josiah developed the citizen-owned, event-scoped architecture and its central rule that nonmatches reveal nothing.
The protocol is documented as an idea; no pilot, network, matching model, or security validation exists.
03What the project means now
The protocol is interesting because minimization is structural rather than promised by policy after collection. It is also incomplete: warrants, coercion, false matches, bystander rights, device compromise, and governance require adversarial review before operational code would be responsible.
Abuse prevention, warrants and legal process, false matches, coercion, device compromise, governance, and bystander rights remain unresolved.
Privacy-preserving architecture begins by minimizing what the network can ask and learn, not by adding a policy after central collection.
Publish the RFC for adversarial privacy and security critique before writing operational code.