Skip to main content
Moral Trade
Understand▾
UnderstandStart with the idea, source, and safest first route.
Choose your pathRoute by intent: learn, test an example, donate, or join/build.What is Moral Trade?A plain-language primer for new visitors.How it worksA simple walkthrough from example to review.SourcesPrimary references and product-boundary notes.FAQCommon questions and operating limits.
Explore▾
ExploreInspect what is live enough to read, clone, or donate through.
ProjectsWhat is live, illustrative, or upcoming.Worked examplesSeeded structures, not live offers.All offersLive offers and worked examples.Pledge swapsExchange bounded commitments.Donation offsetsRedirect matched opposed donations.Donate through a routeUse a vetted external donation handoff.
Join▾
JoinMove from examples into one supported pilot action.
Create bounded tradeDraft terms with baseline, exit, evidence, and review gates.Create donation offsetSet baseline, match, destination, surplus, and evidence rules.Create wish profileDescribe broad wishes before mutual disclosure.Founding cohortInvite one serious counterparty and start small.Private matchingConsent-gated counterparty discovery.Create accountUse member workflows after the public primer.
Trust▾
TrustCheck status, review rules, safety boundaries, and recourse.
AboutWhat exists today, what does not, and what comes next.What you can rely onPrototype guarantees, review states, and non-guarantees.Pilot statusWhat is real, reviewed, or still prototype-stage.ValidationEvidence states, challenge windows, and review scopes.SafetyCoercion, fraud, and pressure boundaries.Anti-threat rulesBaseline integrity and externality checks.AccessibilityWCAG-oriented QA scope, limitations, and support route.MeasurementPrivacy-safe event taxonomy and performance baselines.TransparencyAggregate review, disclosure, report, appeal, and operator timing counts.Team and governanceOperator routes, reviewer roles, and public gaps.Pilot updatesPublic logs, governance updates, and case-study notes.ContactReach the pilot operators or report a support issue.
Search
See exampleSign in

Background networking

Find possible trades without turning people into targets.

Background networking is a conservative matching layer. It compares broad public previews, saved preferences, and manual source notes so a participant can decide whether an introduction is worth exploring.

Create accountSearch broad previews

Boundary

01
Broad previews first

Cause areas and high-level aims can be compared before exact wishes are shared.

02
Consent before detail

Contact details and private constraints remain gated until both sides opt in.

03
No autonomous outreach

The platform records suggestions; it does not message strangers on a user's behalf.

How it works

Match suggestions are staged, reviewable, and reversible

The dashboard stores private wish profiles, manual source notes, saved searches, and broad registry previews. A deterministic scan can suggest possible counterparties, but a suggestion is not an introduction and does not reveal private data by itself.

Manual sources

Users can add notes about public pages or conversations they choose to record. The current prototype does not ingest private feeds, scrape profiles at scale, or mine email and chat histories.

Deterministic matching

Candidate matches are banded from declared cause areas, trade modes, constraints, location sensitivity, and verification preferences. Compatibility bands are prompts for human review, not automatic rankings of people.

Consent gates

A participant can request more detail, decline, or report a suggestion. Exact wishes, contact information, and sensitive constraints should only move forward after staged disclosure and mutual consent.

Match explanations

Match cards show coarse reason codes, confidence bands, trust and risk badges, scanned surfaces, and redacted surfaces. They explain why a suggestion exists without exposing raw wish text, contact details, or source notes.

Purpose-bound grants

Private facts should be shared for a narrow decision and, by default, a time box. Grants can expire or be revoked instead of becoming permanent background access.

Minimal telemetry

Operational metrics use buckets and counts, such as scan runs and request states. Analytics should not store exact wishes, private constraints, report bodies, or message text.

Anti-enumeration budgets

Manual scans, helper jobs, saved searches, and signed-in registry searches are budgeted and logged with hashed query fingerprints. Highly specific sparse registry searches are withheld until the user broadens the query.

Match signal contract

Suggestions explain public compatibility without revealing private wishes.

The report recommends factor-code explanations, staged disclosure, and no autonomous outreach. This contract keeps background matching to redacted profile previews, a confidence band, explicit blockers, and human review before disclosure or contact.

Redacted match-signal preview

pass

pass

9 contract check(s), 0 blocker(s), mode redacted profile match preview only.

Open match contractTechnical specDisclosure rules

Why you are seeing this match

You are seeing this suggestion because public cause areas, trade mode, and verification preferences are compatible. Exact wishes and contact details are still hidden.

cause_area_overlapcause_area_complementaritytrade_mode_compatibleverification_preference_compatiblelocation_constraint_satisfiedprivacy_stage_compatibleprivacy_safe_previewstated_exclusions_clearhuman_review_required

Exact wishes, contact details, sensitive constraints, raw profile notes, protected traits, and ideology or psychology inferences stay hidden until a valid consent stage. Redacted fields: exact_private_wishes, contact_details, sensitive_constraints, raw_profile_notes, protected_traits, ideology_or_psychology_inferences.

Counts, not hidden inference

  • Shared cause areas: 1
  • Cause-area complementarity: 2
  • Compatible trade modes: 1
  • Compatible verification preferences: 1

The evaluator does not infer ideology, psychology, protected traits, or hidden preferences.

Redactions and review gates

  • exact private wishes
  • contact details
  • sensitive constraints
  • raw profile notes
  • protected traits
  • ideology or psychology inferences

Human review is mandatory before disclosure, contact, reliance, or state changes.

Capability gates

Higher-power background features stay gated until privacy review is done.

The reports recommend staged expansion rather than broad passive ingestion. This public gate keeps source connectors, AI summarization, and private-overlap computation default-off, shadow-only, or design-only until DPIA, lawful-basis, privacy-design, external review, and human-control checks are satisfied. Private-overlap checks are not live; any future pilot must use curated tags only, not free text or raw tag disclosure.

Expansion gate

pass

pass

6 check(s), 0 blocker(s), expansion ready: false.

Open gate contractSafety posturePrivate overlap contract

Bg14 rollout

internal

pass

Deploy bg14 lanes to internal/staff profiles first, then a tiny consenting cohort, then a pilot pack; broaden only after transparency, privacy, and operator-review checks stay clean.

Rollback: Disable the specific bg14 flag, pause new promotion, preserve user revocation paths, and review audit rows before re-enabling.

background_source_summary_enabled: offbackground_wish_interview_enabled: offbackground_opportunity_briefs_enabled: off

default off

Source connector imports

Consent ledger, approved manual summaries, field-scoped retention, and revocation controls only.

Required before expansion: DPIA and documented privacy-design review; lawful-basis record of processing; source-specific retention and deletion test.

Current blocker: No live connector worker may run before DPIA completion.

shadow only

AI shadow summarization

Shadow-only comparison on approved, redacted source summaries from consenting users.

Required before expansion: DPIA and documented privacy-design review; measured precision, explanation-quality, and user-endorsement lift; unsafe-exposure regression review.

Current blocker: No AI output may create live matches or disclosure decisions.

design only

Privacy-preserving overlap computation

Design-only exploration of blinded tags, VOPRF, HPKE sealed fields, PSI, or PIR-PSI for narrow sensitive overlap checks.

Required before expansion: DPIA and documented privacy-design review; formal cryptographic design review; narrow threat model and abuse case review.

Current blocker: No production private-set intersection lane exists.

RLS and encryption audit

Private background tables now have an executable access-control contract.

The schema audit covers private wishes, manual source notes, saved searches, match suggestions, grants, concierge requests, notifications, helper runs, risk signals, and audit events. The regression test fails if those tables lose row-level security, participant-scoped policies, or ciphertext/version columns for sensitive text.

Repository schema audit

pass

pass

36 RLS table requirement(s), 7 sensitive storage requirement(s), 0 blocker(s).

Open RLS contractData inventory

Private by default

No anonymous private-table policies

Every background-networking table requirement disallows anonymous policies. Public discovery stays on broad previews rather than private wish or source tables.

Participant scoped

Match data uses participant helper checks

Match suggestions, grants, requests, reports, and audit events are checked through owner, counterparty, or participant predicates instead of public reads.

Sensitive text

Ciphertext columns are part of the contract

Wish bodies, exact profile notes, source notes, connector consent notes, and synthesis summaries require encrypted storage slots and encryption-version columns.

AI shadow mode

Optional AI assistance must earn trust before it can affect matching.

The next AI layer is shadow-only: it can test approved, redacted source summaries from consenting users, but it cannot create live match suggestions, disclose private details, contact counterparties, change ranking, or store raw source content.

Shadow contract

pass

pass

5 contract check(s), 0 blocker(s), use shadow only no matching or disclosure.

Open shadow contractSource permissions

Approved inputs only

  • access status
  • ai shadow mode allowed
  • allowed field keys
  • last sync summary
  • raw ingestion allowed
  • retention expires at

Prohibited effects

  • live match suggestion
  • participant disclosure
  • counterparty contact
  • ranking change
  • state mutation

Sample redaction

Approved summary: this source mentions climate adaptation and institutional grantmaking capacity. Contact [redacted-email] for raw details.

Blocked sample reasons: Raw ingestion is disabled; shadow evaluation may use approved summaries only.; Source must be connected before shadow evaluation.; The source retention window has expired..

Privacy controls

What the current pilot stores and how it is bounded

The signed-in dashboard now exposes the background-networking data map, active grants, notification channel choices, local drafts, local transparency receipts, and data-right requests.

public-preview

Broad previews

Searchable registry surface and broad match candidate scan.

Retention: Until the profile is hidden, corrected, or deleted.

Control: Disable discoverability or public preview sharing from the wish profile; remove through self-serve background deletion.

private-profile

Private wishes, asks, constraints, and capabilities

Deterministic synthesis and owner-reviewed matching.

Retention: Until correction, deletion, or account removal, subject to safety/legal holds.

Control: Visible to the owner; exact detail moves only through grants; owner-confirmed self-serve deletion is available.

private-profile

Intent claims

Dashboard explanation of what deterministic matching thinks the user wants.

Retention: Until regenerated, superseded, corrected, or deleted with background-networking data.

Control: Owner-scoped under RLS; regenerated from explicit fields and reviewed permissions instead of imported as authority.

consent-ledger

Disclosure grants and access requests

Staged disclosure and mutual-consent review.

Retention: For the active introduction plus audit retention after expiry or revocation.

Control: Purpose, audience stage, expiry, and revocation are recorded per grant; participant-facing grants are removed during self-serve deletion.

manual-source-summary

Source notes and connection permissions

Optional deterministic context for owner-reviewed matching after approval.

Retention: Until the source-level retention timer expires, source removal, deletion request, or safety/legal hold.

Control: Manual and review-approved summaries only; source notes and connectors require field permissions, retention expiry, and no raw ingestion; expired or inactive source notes and derived signals stop influencing deterministic synthesis.

operations

Budgets, snapshots, reports, appeals, and operator queues

Anti-enumeration, opportunity packaging, explanation provenance, safety review, SLA tracking, and concierge appeal review.

Retention: Operational window plus abuse-prevention audit retention.

Control: Buckets, counts, status labels, hashed fingerprints, SLA state, and appeal status only; safety audit rows are retained without an active profile link when deletion completes.

Source connector boundary

External sources require explicit, revocable field permissions

Connect a source only to produce a private summary for matching. Moral Trade does not search the raw source continuously, contact anyone from it, or copy raw content into analytics. Participants can review a summary before saving, limit which fields it may influence, and revoke access at any time.

Raw connector ingestion remains disabled. Active external connections require consent notes, a supported retention window (30, 90, 180, 365 days), and at least one broad field permission.

  • Cause priorities: Use only broad cause priorities and tags derived from the approved summary.
  • Capability tags: Use broad capability tags such as skills, institutional access, or resources.
  • Offer and ask terms: Use broad offer or ask terms without copying exact private requests.
  • Verification preferences: Use coarse verification preferences and evidence expectations.
  • Availability context: Use coarse availability, location, or collaboration-context hints.
  • Safety constraints: Use coarse safety constraints and uncertainty flags for review only.

Deletion scope

Participants can remove the background layer without erasing the whole account

The dashboard self-serve flow requires the exact confirmation phrase DELETE BACKGROUND NETWORKING, then removes private wishes, broad previews, source summaries, saved searches, grants, suggestions, notifications, helper records, and introduction artifacts tied to background networking. Safety and operator audit rows stay only as redacted or anonymized records when review integrity requires retention.

  • Private wish profile and wish entries
  • Deterministic intent claims and profile synthesis
  • Broad preview and discoverability surface
  • Manual source summaries and connector permissions
  • Saved searches, delegate strategy records, and helper runs
  • Match suggestions, opportunity feedback, consent records, notifications, privacy grants, and access requests
  • Introduction planning records, network invites, bounties, and collectives
  • Queued background-networking emails
  • Safety, budget, and operator audit rows retained only as redacted or anonymized records
Open deletion controlsPrivacy and retention

Concierge intake

Turn a broad preview into a reviewed introduction request

This request goes to an operator queue first. It records intent, proposed trade shape, privacy constraints, and an SLA before anyone receives contact details or exact wishes. Declined or closed concierge decisions can be appealed from the dashboard for a second operator review.

Sign in to request concierge review.

The operator queue needs an accountable requester before it can triage an introduction.

Create account

Safety posture

Background networking is not a private-feed automation product

Moral trade needs trust and permission. The matching layer is therefore designed to reduce search costs without creating pressure, doxxing risk, harassment, or surprise exposure of sensitive values.

What can be public

Broad cause areas, public offers, and voluntarily written previews can help people discover overlap without revealing exact asks or bargaining constraints.

What stays private

Exact wishes, sensitive evidence, contact information, and negotiation details are private unless the relevant parties choose to disclose them through the dashboard.

What is not automated

The prototype does not perform autonomous outreach, mass scraping, or dark-pattern matching. It records possible introductions for human review.

Cohort pilot packs

Start with specific communities before broad rollout

Background networking should prove itself in reviewed niches before making wider discovery claims. Pilot packs give operators a narrow audience, a clear matchmaker role, and a weekly funnel to inspect.

Donor circles

Use broad cause previews, donation-route constraints, and reviewed introduction requests to find reciprocal pledge or donation-offset conversations.

Reading groups

Let a facilitator collect private wish profiles, review opportunity briefs, and decide which broad previews merit consent-gated follow-up.

Organization cohorts

Keep outreach inside partner-approved boundaries while operators track brief opens, intro requests, and declined-match reasons.

Where to use it

The dashboard is the working surface

Signed-in members can create a wish profile, save search constraints, add manual source notes, export their profile data, and review suggestions from one place.

Create accountReview privacy rulesReview safety rules

Moral Trade

A pilot institution for cooperation under disagreement.

Moral Trade helps serious participants test small, reviewable commitments across moral disagreement. It does not provide legal, tax, escrow, or custody services.

Marketplace

  • Projects
  • Choose your path
  • Browse offers
  • Worked examples
  • Pledge swaps
  • Donation offsets
  • Donate through a route
  • Public Goods Fund
  • Private matching

Learn

  • About
  • What is moral trade?
  • How it works
  • Methodology
  • Measurement
  • Transparency report
  • Safety policy
  • Anti-threat rules
  • Validation
  • Accessibility
  • Moral Trade technical spec
  • Evidence standards
  • FAQ
  • Deferred paid offers
  • Sources

Community

  • Team and governance
  • People
  • Wish registry
  • Founding cohort
  • Pilot updates
  • Create account
  • Sign in

About

  • Contact
  • Pilot status
  • What you can rely on
  • Transparency report
  • Research and governance
  • Reasoning Center
  • Allocation notes
  • Candidate pools

Legal

  • Privacy
  • Terms
  • Accessibility
  • Safety policy
  • Evidence review

Reference points include Toby Ord's paper on moral trade and Forethought's discussion of convergence, compromise, threats, blockers, and moral public goods.