dmj.one

Work / Bharat-First / Digital Safety Labs

No. 14 · Bharat-First · Safety

The scam
arrived first.
The training arrived too late.

A grandmother in Bilaspur taps an OTP-fishing link. By morning, her pension is gone. We blame her. We should blame the absence of training. Digital Safety Labs are nine offline-first browser simulations that let anyone, on any phone, practice the scam before it happens. No download. No signup. No data leaves the browser.

Open the labs View source Browse all 9 labs
9Working scam simulations
1HTML file per lab
0Downloads, signups or trackers
10-20Minute classroom session
2GBandwidth budget

Act I · The Cost

A reading is not the same
as a rehearsal.

Pamphlets work for people who already understand the threat. They do not work for the first-time internet user, the senior citizen with limited literacy, or the student who has never seen a phishing page. People remember what they do, not what they read. The labs are the rehearsal.

Act II · The Promise

Open the link.
The lab begins.

The full design constraint is on the box: a single HTML file per scam, runnable from a panchayat-hall projector or a cracked smartphone. No extra cost, no privacy tradeoff, no excuse for any school, NGO or village volunteer.

What a Digital Safety Lab is not

  • An app you install
  • An account you create
  • A server that holds your data
  • A page that calls a third-party tracker
  • A real payment, login or OTP

What a Digital Safety Lab is

  • One self-contained HTML page
  • A safe, scripted scam to walk through
  • Big buttons, plain prompts, short sessions
  • A reset button that wipes local state instantly
  • Free to teach, free to translate, MIT-licensed

Act III · The Labs

Nine scams.
Nine rehearsals.

Each lab teaches one specific deception, lets the visitor act it out safely, then names the red flag they should have caught. Run them in order, or pick the one most relevant to the room.

Lab 01 · Money

UPI fraud

The "accidentally sent you money, please return" trick. The lab walks through the message, the request and the reversal that never happened.

Catch: A request is not a refund.

Lab 02 · Money

Receive-by-QR scam

Why scanning a QR code "to receive money" can in fact authorise a payment. The lab forces the user to read what they are signing.

Catch: No QR is needed to receive.

Lab 03 · Utility

Electricity disconnection

The classic SMS that says the bill is unpaid and the link must be tapped before 9 PM. The lab shows the real bill and the fake one side by side.

Catch: Real utilities call from a number you already know.

Lab 04 · Logistics

Parcel fee scam

"Pay 25 rupees customs to release your parcel." The lab walks through the receipt that never arrives.

Catch: Couriers do not collect fees over a link.

Lab 05 · Email

Email phishing

Practice spotting the spoofed sender, the urgent verb and the "verify your account" link, all before the click.

Catch: Read the address, not the name.

Lab 06 · Device

Remote screen-share

The "bank officer needs to see your screen" call. The lab demonstrates how a single install hands the device away.

Catch: No bank ever asks to see your screen.

Lab 07 · Privacy

Phone-number privacy

What apps, signups and forms can do with one phone number. The lab maps the trail in real time.

Catch: Every share is a permanent share.

Lab 08 · Privacy

Cookies simulator

What "Accept all" actually accepts. The lab pulls the curtain back on third-party tracking in plain language.

Catch: "Necessary only" is a real button.

Lab 09 · Classroom

Classroom mode

A teacher-facing hub for running any of the above labs as a 10-20 minute exercise. Reset between groups, no signup.

Catch: One lab. One lesson. One question.

Act IV · The Rules

A lab that fails on a borrowed phone
is a lab that does not exist.

The constraint is the design. Every lab must pass the same set of rules before it lands in the repo. Anyone can add a new lab. Nobody can break the contract.

  1. i.

    One self-contained HTML file

    One lab, one file. No build step. No bundler. The teacher can email it. The student can save it. The volunteer can hand it on a USB drive.

  2. ii.

    Inputs never leave the browser

    No network calls process personal data. No analytics. No third-party trackers. The simulation never performs a real payment, login or data share.

  3. iii.

    Big buttons, clear prompts, short sessions

    Designed for first-time internet users on shared devices. Minimal text, more interaction, large touch targets, and keyboard plus screen-reader support where possible.

  4. iv.

    Reset wipes local state

    One visible reset button clears localStorage, sessionStorage and reloads the page. The next group starts clean. No leftovers between visitors.

  5. v.

    Each lab names what it teaches

    An intro panel up top, a takeaways panel at the bottom. The visitor leaves knowing the red flag, not just the story.

Act V · Proof

It already runs.

Live · dmj.one/labs/digital-safety

Hub page links to all nine simulations. Open from any modern browser. Works on shared lab machines, panchayat hall projectors and second-hand smartphones.

Single-file HTML, MIT-licensed

Every lab is one HTML file you can save, share, translate or fork. MIT license: use it, adapt it, teach with it.

Auto-discovered new labs

The hub surfaces any new file dropped into the labs directory. Adding a tenth lab is one PR. No README edit needed.

Privacy by default

No analytics. No telemetry. No backend. The repo carries an explicit security policy and a code of conduct.

If a panchayat hall can run it,
your awareness drive can too.

I build accessible, offline-first, privacy-first learning artefacts for the India most software forgets. Schools, NGOs, state cyber cells and CSR teams: the labs are open. Translate them. Run them. Tell me what is missing.

Hire me Back to work