clawd/drafts/vault1984-pr-plan.md

# vault1984 — PR & Communications Plan
*Saved March 2026 — DO NOT EXECUTE until product is locked*
**Status: HOLD. Product must ship before any of this moves.**
---
## The core asset: "We Do Not Comply"
A formal open letter published on vault1984.com, addressed simultaneously to:
- The Five Eyes alliance (NSA, GCHQ, CSE, ASD, GCSB)
- The FSB (Russia)
- The MSS (China)
Not a blog post. A letter. With the list of laws, the architecture argument, and one line: *"We cannot comply. Not because we won't. Because we don't have what you're asking for."*
### Countries/laws to name explicitly
**Authoritarian:**
- China — Network Data Security Regulations (2024), Criminal Code decryption requirements, Cryptography Law
- Russia — Yarovaya Law (Federal Law No. 374-FZ): mandatory handover of decryption keys to FSB
- Kazakhstan — data localization + mandatory government access
- Vietnam — Cybersecurity Law 2019
**Western democracies (no favorites):**
- USA — PATRIOT Act, CLOUD Act, FISA courts, National Security Letters with gag orders
- UK — Investigatory Powers Act 2016 ("Snoopers' Charter"): bulk collection, compelled backdoors, Technical Capability Notices
- Australia — TOLA Act (Assistance and Access Act 2018): compels tech companies to build decryption capabilities on demand
- EU — Chat Control proposal: client-side scanning of encrypted messages
- Five Eyes collectively — formally and repeatedly called for encryption backdoors
**The line:** Architecture doesn't discriminate by flag. FBI, FSB, MSS, GCHQ — same answer. We don't have your keys.
**The Orwell connection:** He was British. The UK's surveillance law is a monument to the warning he wrote.
---
## High-value X targets
**Peter Steinberger (@steipete)**
Founder of OpenClaw, just joined OpenAI to "bring agents to everyone." Actively amplifies tools built around OpenClaw. 5.3M views on his OpenAI announcement tweet. Not a cold pitch — engage when vault1984 is the natural answer to "my OpenClaw agent needs credentials." The connection: vault1984 is the credential layer for exactly what he's building.
**Chao Huang (@huang_chao4969)**
CLI-Anything — "making ALL software agent-native." 11K GitHub stars in 5 days, 18.2K views on this tweet. The connection: CLI-Anything makes any software agent-controllable. Every agent controlling software needs credentials. vault1984 is the answer to the problem CLI-Anything creates at scale. Engage in the #clianything / #AIAgents threads when vault1984 ships. Natural reply, not a cold pitch.
**Brian Krebs (@briankrebs)**
krebsonsecurity.com. Most read security journalist. Covered LastPass breach exhaustively. Pitch the LastPass page + architecture when product ships.
**Troy Hunt (@troyhunt)**
HaveIBeenPwned.com. THE breach authority. One mention reaches every security professional. Architecture argument is his language.
---
## Distribution plan (when ready)
### Anchor
- Publish the open letter at vault1984.com/cannot-comply
- Simultaneously publish a /security page explaining the architecture
### Press pitches
- **Wired** — covered LastPass breach extensively, covers surveillance, 15M readers
- **The Intercept** — built for this. Surveillance, encryption, government overreach.
- **The Register** — UK audience, Investigatory Powers Act is their beat
- **EFF** — don't pitch a story, pitch a partnership. Ask for formal recognition / co-sign.
### X
- One image post: governments on one side, "Your answer: We don't have your keys." Not a thread. An image. Screenshot-shareable.
### YouTube (without being on camera)
- Pitch to privacy YouTubers: Techlore, Mental Outlaw, or a security researcher channel
- They make the video, vault1984 gets the reach
### HN
- Let it be discovered organically via the open letter, or submit as a link post (not Show HN)
- Technical debate in comments = credibility
### Long game
- Submit architecture paper to DEF CON or Black Hat
- If accepted: the talk reaches every security professional who matters; the YouTube recording does itself
---
## Why this works
Every other password manager complies with government requests — because they have the keys. vault1984 structurally cannot comply. Being compelled and refusing is the proof-of-work that the claims are real.
If China sends a legal demand: publish the response. The headline writes itself. Signups spike.
Apple's San Bernardino moment made every privacy claim credible overnight. This is vault1984's equivalent — except proactive, not reactive.
---
## Timing
**Not before:** Product is shipped, tested, and stable. Nailing the product is the prerequisite. Going public before the product is locked hands competitors a roadmap.
**Trigger:** Show HN ships and is successful. Product has paying users. Then this plan activates.
---
## Ideas pool — parked for later
**Open letter to LastPass's 33M users**
"Here's what happened to your vault and why it can't happen here." Published on vault1984.com, pitched to Krebs and Troy Hunt. Facts only, sourced to FBI and TRM Labs.
**Architecture comparison page**
vault1984 vs. LastPass model, side by side. No opinion. Just the architecture. Devastating in its accuracy.
**Bug bounty as PR**
"Extract a credential from a vault1984 server. We'll pay $10,000." Mathematically impossible to win. Excellent press. Proves the claim costs nothing because nobody can collect.
**The acquisition angle**
LastPass is owned by Francisco Partners (PE). Architecture is broken, can't be fixed without destroying the product. 33M users hemorrhaging. Acquiring vault1984 gives them a rebuilt architecture and a redemption story. The provocation ladder (plaintiff page → open letter → architecture comparison) makes vault1984 undeniable — too credible to dismiss, too well-positioned to out-build. Acquisition becomes cheaper than watching vault1984 eat their users.
All of the above: hold until product ships and Show HN is live.
---
*George for Johan. Hold until product ships.*