Spam, Bots, and Malicious Actors

SECR operates without phone numbers, emails, or centralized identity verification. While this protects user privacy, it also creates opportunities for spam, automated accounts, and malicious actors to attempt abuse. SECR includes a dedicated protection layer designed to reduce these risks without compromising anonymity or requiring personal information from users.

1. No Phone Numbers, No Email, No Traditional Verification

SECR intentionally avoids traditional verification methods that expose identity. This means the platform cannot rely on:

• SMS codes • email confirmations • device-based identifiers • IP-based account limits

Instead, SECR uses private, in-app behavioral signals and cryptographic checks that preserve anonymity.

2. Behavior-Based Anti-SPAM Controls

SECR monitors anonymous behavior patterns locally, not user identities. This allows the system to detect:

• automated mass messaging • repetitive spam behavior • high-volume unsolicited contact attempts • excessive group creation • unnatural activity spikes

These signals trigger local warnings, throttling, or temporary blocks, without exposing identity or logging metadata.

3. Bot Detection Without Identity Collection

SECR uses device-local heuristics to identify bots or automated scripts, such as:

• abnormal sending frequency • identical message bursts • script-like interaction timing • machine-generated typing patterns

All detection happens on the user’s device, not on SECR servers. SECR does not track or store device fingerprints.

4. Anti-Abuse for One-Time Chat Links

One-Time Chat Links are protected from abuse through:

• rate limits • link expiration • one-use restrictions • cryptographic token validation • automatic invalidation after viewing

This prevents attackers from generating large volumes of links for phishing or spam campaigns.

5. Group Protection and Access Controls

SECR groups include built-in safeguards:

• PIN-locked groups to restrict access • invite-based entry with local verification • limited message attempts for new or flagged accounts • hidden groups that remain invisible to outsiders

Group creators maintain full control over membership and visibility.

6. No Central User Directory

SECR does not maintain a global directory of usernames. This prevents malicious actors from:

• scraping contacts • scanning for new accounts • conducting mass outreach • harvesting usernames

Users only see people they directly communicate with, preventing spam waves across the network.

7. Abuse Mitigation Without Metadata

SECR does not track IP addresses, timestamps, device IDs, or message logs. Despite this, it can still mitigate abuse by using:

• anonymous rate-limiting tokens • in-app verification challenges • client-side throttling • challenge-response proof-of-work for message bursts

None of these mechanisms reveal identity or weaken privacy.

8. Honest Limitations

SECR cannot eliminate all spam or malicious activity due to its privacy-first design. Realistic limitations include:

• no global blacklists (by design) • no KYC or personal verification • persistent attackers may create new identities • groups remain vulnerable to malicious invites • botmakers may bypass client-side restrictions

SECR focuses on minimizing abuse while preserving user anonymity, not total elimination.

SECR’s anti-spam and anti-bot systems reduce abuse without compromising privacy, identity freedom, or decentralization. Protection occurs locally, anonymously, and without collecting user data.