Coordination Integrity Scores

Measures how spread out participants are across legislative districts. Computed as 1 − HHI, where HHI is the Herfindahl–Hirschman Index — the sum of each district's share squared.

Privacy: Computed from district hashes, not addresses. Districts with fewer than 5 actions are suppressed.

Measures how unique each participant's message is. Computed as the ratio of unique message hashes to total message hashes. When people write in their own words, it demonstrates genuine engagement.

Privacy: Only message hashes are compared, never content.

Measures how evenly participation spreads over time using Shannon entropy over hourly buckets. Organic campaigns build over hours and days. Bot operations spike in minutes.

The ratio of peak hourly action count to average hourly count. This is the only inverted metric — lower is better. A steady pace indicates organic human engagement; extreme spikes suggest coordinated inorganic activity.

The ratio of deeply engaged participants (Veterans + Pillars) to newer participants (Active tier). Measures whether the people behind a campaign have demonstrated sustained civic participation over time, or appeared for the first time.

Engagement tiers (0–4) measure platform participation history, not identity verification level.

What These Scores Never Reveal

• No individual addresses. Geographic diversity is computed from hashed district identifiers. The hash cannot be reversed to an address.
• No message content. Message authenticity compares SHA-256 hashes. No text is stored or compared.
• No individual attribution. Scores are aggregates. There is no way to trace a score back to a specific person.
• Small groups are protected. Any aggregate with fewer than 5 entries is suppressed (k-anonymity).

What Commons Does With Your Data

Plain-language summary of how we collect, use, and retain personal data. Full Terms of Service and Privacy Policy documents are forthcoming; until they ship, this section is the canonical disclosure on the Commons domain. Companion technical detail lives in our security limitations doc.

• Legal basis (GDPR Art. 6(1)): we process address fields under our legitimate interest in district verification (Art. 6(1)(f)) and your account email under contract performance for authentication (Art. 6(1)(b)). For users in the EU/UK we honor the standard GDPR rights (access, rectification, erasure, portability, objection); contact information is on the homepage.
• Address fields — mDL path: when you verify with a state-issued mobile driver's license, your wallet shares postal code, city, and state with our servers. Those fields are used to derive your congressional district and may be represented afterward as encrypted ground-vault material and disclosed district/cell metadata. We do not store identity documents or keep plaintext address fields at rest.
• Address fields — Shadow Atlas path: your browser computes a cryptographic commitment to your district. Approximate coordinates may transit our servers briefly so we can confirm the district mapping is authentic. After successful attestation, the address can be saved as encrypted ground-vault material for future delivery.
• What we persist: a one-way district hash, disclosed district/cell metadata, encrypted ground-vault material, your account email (for sign-in and anti-sybil), engagement-tier counters, the actions you take through the platform, and operational logs stripped of plaintext address fields.
• Hardware-isolated processing (TEE / enclave) is on the roadmap; today the address-resolution and proof-witness paths run in our standard server runtime. Our retention commitment for raw address fields (seconds, not minutes) holds in both architectures.
• We do not currently sell your data, and we have no plans to. If our practices change in any way that would constitute a "sale" or "share for cross-context behavioral advertising" under CCPA, we will provide at least 30 days' notice via in-product banner and email before the change takes effect. We do not use third-party advertising trackers. We use minimal first-party analytics and operational telemetry.
• mDL verification is currently feature-flagged off; the surface is not reachable in production. When it goes live, replay and relay limits are documented in our KNOWN-LIMITATIONS file (F-1.3). Full DeviceAuth verification (T3) is a launch checkpoint.