Habitable: tenant evidence without a surveillance honeypot
Role: Independent product designer and engineer · 2026 · alpha
- server-side accounts or personal case records by design
- 0
- timestamp protocol for connected captures
- RFC 3161
- coordinated packet outputs: accessible HTML, PDF, and manifest
- 3
- local app and packet interface
- EN + ES
- legal, security, tenant-pilot, and human accessibility review remain open
- Alpha
Habitable is a working reference implementation for a hard product question: how can a tenant preserve housing-condition evidence without first handing a sensitive case file to another company? I built it as an independent open-source project with synthetic examples. It is not a government system, client work, legal advice, or a promise that a packet will be admitted in court.
The product, not just the architecture
The Evidence Atlas brings each condition, capture, notice, response, and integrity state onto one source-aware timeline. An operator can filter by issue, inspect where a statement came from, record new material, and see missing timestamp coverage before anything is shared.

Proof without a honeypot
A conventional cloud account would make storage convenient—and create a breach, subpoena, and retention target containing photographs, addresses, repair disputes, and household details. Habitable reverses that default. The encrypted vault and sealed originals stay on the tenant-controlled device. There is no server-side account system or personal case database. An optional relay can carry authenticated ciphertext between devices, but it can still observe timing and traffic volume; encrypted is not invisible.
Four claims that must stay separate
- A SHA-256 hash can show whether the bytes changed. It cannot show whether the image is true.
- An RFC 3161 token can show that content existed no later than a timestamp. It does not prove the moment of capture or who made it.
- A hash-linked custody log can expose later handling. It does not certify every human assertion in the timeline.
- A verifier can check the package and its selected trust anchor. Technical integrity does not prove authorship, truth, relevance, or admissibility.
Sharing is a minimizing act
The vault retains sealed originals while an export produces processed media, accessible HTML, a PDF, and a machine-readable bundle manifest. Shared copies remove metadata by default. Recipient sealing can bind a package to a public key. But omission is not anonymization, and the current whole-unit packet is intentionally conservative: issue- or date-scoped export remains blocked where a complete custody proof could leak identifiers for excluded evidence. In that conflict, the product fails closed instead of pretending the scope is private.

The skeptic gets a separate verifier
A recipient should not have to trust the application that assembled the evidence. Habitable includes a deliberately small standalone verifier that checks hashes, signatures, timestamp tokens, custody links, and the certificate the verifier chooses to trust. Keeping verification independent makes the trust decision visible instead of burying it inside the product that wants a passing result.
Why this problem deserves a product
Housing evidence is rarely one photograph. It is a sequence: the condition, the first notice, later messages, attempted repairs, recurrence, receipts, and the explanation that connects them. The California Courts' tenant trial guide (opens in a new tab) tells tenants to organize photos, receipts, texts or emails, notices, and copies for each party. Habitable addresses the product work before that moment: preserving sequence, source, scope, and a readable handoff instead of leaving a person to reconstruct a case from a camera roll and inbox under deadline.
The access problem is also large. The Legal Services Corporation's 2022 Justice Gap study (opens in a new tab) found that 92 percent of civil legal problems reported by low-income Americans received no or insufficient legal help; housing was among the problem categories with the greatest reported impact. That does not prove this alpha improves outcomes. It explains why tools that help people prepare organized, reviewable records before scarce professional time begins are worth testing.
The market value is coordination without custody
Habitable is useful on the market because it serves a multi-party workflow, not because it adds cryptography to a photo gallery. The tenant needs control and continuity. An organizer or legal-aid reviewer needs a legible chronology with clear sources and gaps. An inspector, mediator, attorney, or other recipient needs a conventional packet plus an independent way to check whether the delivered files changed. The same product creates a handoff each role can understand without making a central vendor the permanent owner of the underlying case.
- Tenant unions and housing organizers get a repeatable documentation method, shared review vocabulary, and a safer way to coordinate cases without default cloud custody.
- Legal-aid intake teams and clinics can begin with an organized human-readable packet, then spend their limited time testing facts, filling gaps, and applying local law rather than sorting an unlabeled media dump.
- Inspectors, mediators, counsel, and opposing parties can use ordinary HTML or PDF while technical reviewers inspect the signed manifest and verifier output separately.
- Implementation partners can provide packaging, training, accessibility and security review, support, and optional timestamp or ciphertext-relay infrastructure around an open-source core—without selling access to tenant records.
That smaller custody footprint is itself operational value. The NIST Privacy Framework (opens in a new tab) treats privacy as risk created across the data-processing lifecycle. A local-first architecture can reduce what an adopting organization collects and retains, which can lower breach exposure, records burden, and the trust demanded at intake. It does not remove the organization's responsibilities for the packets it chooses to receive, devices it manages, or copies its staff create.
A credible path to adoption—and the evidence still missing
The credible initial market is organizational distribution, not a mass consumer subscription. A tenant union, legal-aid program, or housing nonprofit could configure the workflow, distribute a signed local app, train members, and define a safe packet-receiving process. Paid work can sit around the open-source core: deployment, integration, training, security and accessibility review, support, and narrowly scoped relay or timestamp operations. The economic value would come from clearer intake and handoffs, less avoidable data custody, and fewer hours reconstructing disorganized records—not from locking tenants into a proprietary case silo.
That is a market hypothesis, not traction. Habitable has no customer deployment or measured field outcome. A real pilot must test whether tenants can complete the workflow safely, whether organizers spend less time reconstructing chronology, whether recipients understand the packet without overreading its technical claims, and whether local custody creates support or recovery burdens that outweigh its privacy benefit.
What exists today
The alpha includes an English and Spanish local browser app, encrypted capture, offline timestamp queuing, a source-aware timeline, hash-linked custody, packet export, recipient sealing, authenticated offline merge and sync, key rotation and recovery, a repair-letter workflow, and the standalone verifier. The public site hosts only a static explanation and a safe synthetic sample packet. Personal cases run locally, not in a hosted case application.
What remains unproven
The project has automated accessibility checks, keyboard coverage, and 320-pixel reflow tests. It has not had an independent security or legal review, a tenant-union pilot, a recorded human screen-reader pass, native Spanish review, or validation of real recovery ceremonies. A signed native app package and a duress or decoy vault are not implemented. Until those gaps close, the honest label is alpha—not secure by audit, field-tested, or court-ready.
Explore the synthetic sample packet (opens in a new tab), inspect the capability and claim ledger (opens in a new tab), read the threat model (opens in a new tab), or review the source and verification instructions (opens in a new tab).