DuckShield

An anonymous, privacy-first safety reporting tool for RoseHack. AI helps structure incidents into actionable summaries, and a KMS-signed hash chain makes every report tamper-evident for staff review.

Comment

Inspiration

Harassment, discrimination, and stalking don’t just ruin an event—they silence people. At hackathons like RoseHack, participants (especially women and other vulnerable groups) often hesitate to report because they fear retaliation, exposure, or not being believed.

DuckShield is built as an anonymous, privacy-first safety reporting tool:

  • It lowers the barrier to report without forcing identity disclosure.
  • It turns “messy narratives” into actionable staff-ready summaries.
  • It creates a tamper-evident audit trail so staff can trust the integrity of what they review.

What it does

DuckShield provides two experiences:

Participant experience (anonymous)

  • Anonymous reporting for harassment / discrimination / stalking / safety concerns
  • A guided form that helps the reporter share only what they want:
    • What happened, when/where, who is involved (optional), immediate safety level
    • Evidence links or details (optional)
  • After submission, the reporter receives a Case Access Code (no login required).
    • They can return later to check status updates without revealing identity.

Staff experience (admin dashboard)

  • A triage queue with AI-generated structured summaries:
    • Incident type, severity, time/location, key facts, recommended next actions
  • Status workflow (e.g., Received → Reviewing → Action Taken → Closed)
  • A one-click Integrity Verification check:
    • Every staff-visible action is written to an append-only audit log
    • A hash chain + Cloud KMS asymmetric signature makes the log tamper-evident

How we built it

DuckShield is designed to minimize trust assumptions:

1) Anonymous intake (privacy-first)

  • No account required to submit or track a case
  • Reporter gets a one-time Case Access Code (only hashed in the database)

2) AI structuring (actionable, not invasive)

  • The raw report is preserved, but staff primarily sees a structured summary:
    • “What / Where / When / Who (optional) / Risk level / Suggested next steps”
  • The model is prompted to avoid unnecessary sensitive details and focus on operational triage.

3) Tamper-evident review (hash chain + Cloud KMS signing)

  • Every sensitive staff action appends an audit entry.
  • Each entry includes prevHashchainHash linkage and is signed by Cloud KMS (EC P-256).
  • Integrity can be verified anytime using the public key.

Challenges

  • Designing true anonymity while still enabling follow-up (solved via Case Access Code)
  • Preventing “demo-only security”:
    • The audit log is append-only and locked down by Firestore rules
    • Verification is built into the admin UI
  • Making AI useful for staff:
    • The output must be concise, structured, and operationally relevant, not just “summarization”

Impact

DuckShield turns a scary, high-friction moment into a safe, low-barrier workflow. It helps participants report earlier, helps staff act faster, and strengthens trust that sensitive incident handling cannot be quietly altered after-the-fact.

What’s next

  • Optional secure evidence uploads with retention controls
  • Stronger role-based access and incident assignment
  • Event-specific policy integrations (resources, escalation protocols, on-call routing)

Built With

Share this project:

Updates