A different idea of oversight

Most apps that promise “parental controls” do one of two things: monitor everything (which means storing everything in plaintext and making your data juicier than it needs to be), or monitor nothing (which works fine until it doesn’t).

Shoal takes a third route. Oversight is part of the cryptography, not a layer on top of it.

When a child member joins a family, every admin’s public key becomes a recipient on every conversation they’re in. The conversation key is wrapped for the child and for each admin. There is no separate “admin reads everything” pathway and no server-side decryption pipeline.

What admins can see

  • Every conversation a child is in within the family
  • Every conversation a child is in with someone outside the family — but only the ones an admin has explicitly approved (see cross-family connections)

What admins can’t see

  • Conversations between adults in the family
  • Conversations on devices the admin isn’t a member of
  • Anything at all, if they’re removed from the family
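
The recipient rule described above, as an added example rather than Shoal's own code: one random conversation key is wrapped once per recipient, and admins become recipients only when a child is in the conversation. RSA-OAEP wrapping, the member records, the names and the key rotation on admin removal are assumptions made for the illustration.

```javascript
const crypto = require('node:crypto');

// Hypothetical member record: a name, a role and an RSA key pair for wrapping.
const newMember = (name, role) =>
  ({ name, role, ...crypto.generateKeyPairSync('rsa', { modulusLength: 2048 }) });

// Rule from the page: participants are always recipients; every current admin
// is added only when a child is in the conversation. The operator never is.
function recipientsFor(family, participants) {
  const hasChild = participants.some((m) => m.role === 'child');
  const admins = hasChild ? family.filter((m) => m.role === 'admin') : [];
  return [...new Set([...participants, ...admins])];
}

// One random conversation key, wrapped separately for each recipient.
// Assumption: RSA-OAEP/SHA-256; the page does not name the algorithm.
function wrapConversationKey(recipients) {
  const key = crypto.randomBytes(32);
  const wrapped = new Map(recipients.map((m) => [m.name,
    crypto.publicEncrypt({ key: m.publicKey, oaepHash: 'sha256' }, key)]));
  return { key, wrapped };
}

// A member with no wrapped copy has nothing to decrypt.
function unwrap(member, wrapped) {
  const blob = wrapped.get(member.name);
  if (!blob) return null;
  return crypto.privateDecrypt({ key: member.privateKey, oaepHash: 'sha256' }, blob);
}

// Walk the page's cases with a constructed family (names are made up).
function demo() {
  const [mum, dad, aunt, kid] =
    [['mum', 'admin'], ['dad', 'admin'], ['aunt', 'adult'], ['kid', 'child']]
      .map(([name, role]) => newMember(name, role));
  let family = [mum, dad, aunt, kid];
  const childChat = wrapConversationKey(recipientsFor(family, [kid, aunt]));
  const adultChat = wrapConversationKey(recipientsFor(family, [aunt, dad]));
  // Assumption: removing an admin triggers a fresh key wrapped to who remains.
  family = family.filter((m) => m !== dad);
  const rotated = wrapConversationKey(recipientsFor(family, [kid, aunt]));
  return {
    adminReadsChildChat: unwrap(mum, childChat.wrapped).equals(childChat.key),
    adminReadsAdultChat: unwrap(mum, adultChat.wrapped) !== null,
    removedAdminReadsRotated: unwrap(dad, rotated.wrapped) !== null,
    childChatRecipients: [...childChat.wrapped.keys()].sort(),
  };
}
```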

Why this is different

Admin oversight in Shoal is structural to the family, not granted by us as the operator. The keys that decrypt a child’s family conversations are wrapped to admins’ devices in your family — we don’t put ourselves on the recipient list and there’s no side channel for us to read those conversations.

We’re careful about what “can’t” means there. We’ve not built code that would let us decrypt at-rest data, and we have no plans to. The full architectural caveat lives on the privacy page — read it and decide what trust to extend us. The structural part of admin oversight is solid: when an admin is removed from a family, they lose the keys, and there’s nothing on our side that brings them back.