
Table of Contents
Preface
Why withdrawal is harder than consent
Introduction
The residue problem, the verification problem, and the book you can build from
Reader’s Map
Three paths through the book, academic, operator, governance
Definitions and Commitments
Residue, propagation, derived artifact, withdrawal, deletion, isolation, unlearning, evidence, attestation
Part I
Residue as the real object of governance
- Consent Events and Propagation Harms
- The Liturgy of “We Deleted It”
- Residue Classes, From Logs to Latent Space
- The Politics of Measurability
Part II
Provenance and lineage as withdrawal infrastructure
- Provenance Is Not Metadata, It Is Accountability Geometry
- The Lineage Graph You Actually Need
- Evidence, Not Dashboards
- Trust Boundaries and Vendor Processors
Part III
Technical mechanisms of withdrawal
- Deletion, Isolation, and the Semantics of Removal
- Feature Stores and the Tyranny of Reuse
- Training Data Governance Beyond Dataset Cards
- Machine Unlearning as Bounded Honesty
- Model Editing, Redaction, and Policy Constrained Generation
- Logs, Telemetry, and the Paradox of Audit Trails
Part IV
The economics of remediation and the governance of cost
- Withdrawal as a Cost Curve
- Insurance, Incentives, and the Market for Residue
- Procurement as Moral Engineering
Part V
Institutional designs that make withdrawal real
- The Withdrawal Review Board
- Continuous Monitoring for Consent States
- Regulation as Phased Time
- Management Systems and the Problem of Audit Theater
Part VI
Case studies as design pressure
- Welfare and the Impossibility of Refusal
- Workplace Analytics and Quantified Labor
- Health Data, Genomics, and the Long Tail of Inference
- Consumer Platforms, Personalization, and Latent Profiles
Part VII
The moral remainder and the orientation that survives
- What Cannot Be Deleted
Coda
Verifiable withdrawal as institutional humility
Appendices for operators and engineers
A. Residue Ledger Reference Architecture
B. Control Objectives and Test Cases
C. Model Withdrawal Evaluation Suite
D. Procurement Clauses and Evidence Schedules
E. Glossary Designed to Stop Meetings From Dissolving Into Ambiguity
Introduction
The residue problem, the verification problem, and the book you can build from
A contemporary institution can become fluent in consent language while becoming incompetent at refusal. The words proliferate, the banners multiply, the policy pages lengthen, the trainings repeat, the attestation flows through ticketing systems, the audit binders thicken, and yet the lived reality for the person inside the system often remains structurally unchanged: the moment of “yes” is treated as binding and portable, while the moment of “no” is treated as either inconvenient or metaphysical. The system hears a revocation request and translates it into an administrative gesture, then returns to its default condition of propagation.
This book begins from a claim that should feel austere rather than provocative: in modern sociotechnical systems, harm is rarely produced at the point of initial collection. Harm is produced by downstream movement, by recombination, by reuse, by the creation of derived artifacts that cannot be straightforwardly recalled, and by organizational incentives that reward closure narratives over remedial truth. As a result, the ethical center of gravity shifts from permission capture to withdrawal verification. If a system cannot demonstrate, under adversarial scrutiny, what it did with a datum, what it derived from that datum, what remains after removal, what tradeoffs it accepted, and what evidence supports its claim, then it is not governing consent. It is staging consent.
The shift matters because the most common institutional response to the withdrawal problem is rhetorical inflation. When revocation proves hard, organizations do not always change architecture. They often change language. They rename deletion as deactivation, isolation as access control, “we cannot remove this” as “we no longer process this,” and “we do not know where this went” as “we take privacy seriously.” In that slippage, withdrawal becomes a moral claim without a systems property, and the people most exposed to extraction inherit the cost of institutional ambiguity. The core thesis of The Residue Ledger is that withdrawal must be treated as an auditable and economically explicit property of a system, not as a promise that dissolves upon contact with pipelines.
The phrase “Residue Ledger” is not a metaphor. It is an insistence on two disciplines that modern governance too often avoids because they are expensive, politically inconvenient, and technically unglamorous.
First, residue must be made legible enough to be governed, but not in the familiar way institutions make people legible enough to be controlled. The target of legibility here is the system itself. If the organization cannot trace propagation paths, it cannot truthfully claim withdrawal. If it cannot classify residues, it cannot prioritize remediation. If it cannot quantify remainder, it cannot price the cost of ethical reversal. If it cannot produce durable evidence, it cannot sustain accountability beyond the memory of a few engineers and a handful of dashboards.
Second, a ledger must exist not as a decorative audit log, but as an accountability geometry. A ledger is an institutional memory that resists the two failure modes that dominate modern compliance regimes: selective amnesia, where the system “forgets” what is inconvenient, and narrative substitution, where documentation is treated as a surrogate for control. The ledger proposed here is a reference design pattern for tracking propagation and executing withdrawal actions with evidence artifacts that can survive team turnover, vendor transitions, organizational reorgs, and the ordinary institutional impulse to declare completion prematurely.
To be explicit about scope, this book is not an argument for utopian erasure. Erasure is sometimes impossible, sometimes unjust, and sometimes a form of institutional lying. There are residues that must remain for justice, for safety, for contestability, and for the integrity of the social record. The ethical question is not “can everything be deleted.” The ethical question is whether an institution can distinguish, with discipline, what must remain from what remains only because it is profitable, convenient, or architecturally neglected, and whether it can show its work.
This requires a different grammar than most privacy or AI governance texts provide. Many books either remain at the altitude of moral exhortation or descend into narrow technical recipes detached from political economy. This one refuses the separation. Power is the object, systems are the medium, and evidence is the forcing function that prevents the argument from collapsing into virtue.
The argument is built around a definition that will carry the book.
Verifiable withdrawal is the capacity of a sociotechnical system to do four things under constraint.
It must trace where a datum, or a decision basis, has flowed across datasets, logs, caches, feature stores, vendor processors, analytic marts, and model training corpora.
It must quantify what artifacts remain after removal, including transformed copies, aggregated statistics, learned representations, and inferred profiles, and it must characterize the risk those residues continue to pose.
It must enact a technically meaningful form of forgetting or isolation appropriate to the residue class and threat model, whether that action is hard deletion, cryptographic revocation, access isolation, retraining, bounded unlearning, or targeted editing.
It must produce evidence that an adversarial auditor can validate, rather than a narrative the organization can recite.
Everything else in the book is a disciplined expansion of that definition into taxonomies, architectures, control objectives, test cases, procurement language, governance operating models, and case studies that apply pressure to theory until it either breaks or becomes implementable.
The book is organized to move in deliberate phases because withdrawal is not one problem. It is a set of coupled problems that organizations mistakenly treat as one.
Part I names residue as the governed object and explains why consent rituals fail under propagation. This is where the book makes its foundational pivot and refuses to treat deletion as a help desk request. It also establishes a taxonomy of residue classes that will later determine which technical mechanisms are meaningful and which are theater.
Part II treats provenance and lineage as infrastructure rather than ornament. Many organizations believe they have provenance because they have metadata. Many believe they have lineage because they have a few dashboards. This part insists on a stricter standard: a withdrawal ready lineage graph with defined nodes and edges, and with evidence requirements attached to every propagation transition that matters.
Part III moves into mechanisms. It clarifies the semantics of removal, then addresses the real propagation engines, especially feature reuse and training data assembly. It discusses unlearning and model editing with bounded honesty. It also confronts the paradox that auditability itself generates residue, and it proposes an architecture for minimized audit that preserves verifiability without producing gratuitous surveillance.
Part IV makes the economic argument explicit. Withdrawal is not only an ethical obligation. It is a cost curve shaped by architectural choices. If an organization does not model that curve, it will externalize the cost onto those least able to refuse. This part therefore treats remediation cost as a governance object, proposes a market logic for pricing residue risk, and translates verifiable withdrawal into procurement language that can travel across trust boundaries.
Part V turns to institutional design. The book proposes a Withdrawal Review Board not as committee theater but as an operating model with decision rights, escalation paths, and required artifacts, because hard withdrawal tradeoffs cannot be handled by informal heroics without reproducing the same incentive to hide residue. It also introduces continuous monitoring for consent states as a parallel to continuous security monitoring, because withdrawal readiness must be sustained, not achieved once.
Part VI provides case studies that function as design pressure. Welfare systems, workplace analytics, health data, and consumer personalization are not illustrative decorations. They are environments where consent is structurally coerced and residue accumulates by design. These chapters test whether verifiable withdrawal can matter even when refusal is not freely available, and they force the book to articulate restraint mechanisms, retention minimization, and contestability that do not rely on fantasy choice.
Part VII refuses a triumphant ending. It insists on distinguishing residues that must remain from residues that remain by default, and it closes with withdrawal as institutional humility, not as cleanliness.
If you are reading as an academic, the book offers a conceptual architecture that ties administrative power, legibility, political economy, and technical evidence into one accountable argument. If you are reading as an engineer, the book offers reference designs, specifications, control objectives, and test procedures that you can implement without laundering uncertainty. If you are reading as a governance leader, the book offers operating models and procurement language that can be enforced because it is tethered to measurable evidence.
There is also a quieter ambition underneath these practical aims. Modern institutions increasingly treat people as inexhaustible sources and then call the remainder “data exhaust,” as if residue were a natural byproduct rather than a design decision. A withdrawal centered architecture is, at its best, a form of restraint that institutionalizes the ability to reverse extraction, to pay for remediation, and to admit what cannot be undone. That admission is not weakness. It is the precondition of any governance that deserves to be called real.
A note on scholarly apparatus is necessary. The book’s argument is built to be citation dense, primary source grounded, and operationally precise, but it also refuses to weaponize citations as ornament. The Works Cited and in text references in the final manuscript should be anchored to a locked edition set so that page level specificity is exact and reproducible. The conceptual commitments in this introduction are therefore written to stand independently of any single pagination scheme, while remaining accountable to the thinkers and traditions the book engages.
This is the point of the project. Withdrawal is not a vibe. It is not a statement. It is not a policy. It is a property you can test, a cost you can model, an evidence chain you can audit, and an institutional discipline you can either build into your systems or avoid until harm forces it upon you. The Residue Ledger is a refusal of that avoidance.
Chapter 1: Consent Events and Propagation Harms
The systems that govern contemporary life have learned to speak the language of consent with great fluency, but they remain comparatively inarticulate about what consent must mean after information has moved, multiplied, and been metabolized into downstream artifacts. This chapter names the pivot on which the whole book turns. The ethical unit of analysis can no longer be restricted to the moment in which a person is asked, or nudged, or coerced, into saying yes. The ethical unit must become the lifetime of downstream movement, because modern harms are not primarily born at intake but across propagation. What looks like an administrative event becomes, under computation, a temporal and topological condition.
The event model is seductive because it is legible. It fits the institutional desire for an answerable timestamp: consent captured, artifact stored, ticket closed, audit line satisfied. It also fits the psychological desire, shared by organizations and sometimes by regulators, to believe that permission is a kind of moral solvent: if the initial act is proper, downstream acts inherit legitimacy by default. Yet this is precisely the inheritance that modern technical systems have made untrue. The contemporary pipeline takes what was once a bounded exchange and turns it into a graph of reuse, because copying is cheap, caching is prudent, denormalization is efficient, and recombination is the principal engine of machine learning value. What used to be an agreement between parties becomes a sequence of transformations in which the parties dissolve into roles, and the roles dissolve into processes.
To see why the event model fails, one must first take seriously an elementary fact of distributed computation: modern systems do not produce a single, shared, authoritative time in which an event is simply “before” or “after” another event in the way ordinary moral storytelling assumes. Leslie Lamport’s foundational account begins from a simple observation that has moral consequences when consent is treated as a clock stamp: “In a distributed system, it is sometimes impossible to say that one of two events occurred first.” (Lamport 558). The phrase is technical, but its implications are institutional. When data moves across processes that do not share a perfectly synchronized temporal frame, the semantics of “before withdrawal” and “after withdrawal” become contingent on the ordering relation the system can justify, not on the moral chronology an organization would prefer to narrate. That does not mean systems lack order. It means their order is partial, and partial order is where residue begins to accumulate.
Lamport’s “happened before” relation is not merely a theorem about clocks. It is a discipline of specification: if a system is to “meet a specification correctly,” the specification must be given “in terms of events observable within the system,” not in metaphysical time (Lamport 558). When consent is specified as a single observable event, institutions quietly assume that all obligations can be reduced to that event, because the event is what the system can prove. But propagation harms are not reducible to the event because they are produced by a chain of subsequent observables: copies, joins, feature extractions, embeddings, checkpoints, exports, audits, vendor transfers, and cache warms. In other words, the harm is not the first observable. It is the family of observables that follow. The book’s first claim therefore has a computational form: consent must be specified as a temporal regime, not as a moment.
James C. Scott’s analysis of legibility projects helps name why institutions cling to the event model even when it misdescribes the object of governance. Scott argues that certain schemes of administrative control require “a narrowing of vision,” a kind of simplification that renders a complex lived world into an administrable schema (Scott 11). The consent event is exactly such a schema. It narrows a lifetime of informational movement into a single, documentable unit. It converts the reality of information flow into an intake ritual. It creates what looks like a stable boundary between legitimate and illegitimate processing, but that boundary is maintained by institutional storytelling, not by the mechanics of propagation. The simplification is not merely epistemic; it is organizational. It allows responsibility to be routed to intake teams and compliance functions while leaving engineering architectures structurally unchanged.
Scott’s point is not that simplification is always wrong; it is that simplification always has a politics, because what is simplified is not a neutral selection but a reconfiguration of accountability. If governance is built on a simplification, then what lies outside the simplification becomes easier to ignore, easier to externalize, and easier to describe as accidental. In technical systems, downstream movement is often treated as operational inevitability rather than as a domain of choice. That framing is itself a legibility maneuver. It makes propagation appear as an engineering natural law rather than as an institutional design decision whose costs are distributed across people unequally.
Hannah Arendt gives language for how that unequal distribution can occur without a single villain at the center of the system. Arendt’s analysis of bureaucracy describes a form of power in which domination is exercised not by a sovereign subject but by administrative structures that routinize judgment into procedure. In such a form, “nobody” rules, and yet the consequences are real, durable, and often violent, because responsibility is dispersed through offices, steps, and workflows (Arendt 40). The consent event model is one of the contemporary offices of “nobody.” It permits an organization to say, with perfect sincerity at the level of process, that it has done what is required, while the substantive condition of the person whose data has propagated remains unchanged. The deletion request becomes a ticket, the ticket becomes an SLA, the SLA becomes a dashboard, the dashboard becomes an assurance, and assurance becomes a substitute for truth.
What makes this substitution persuasive is that it aligns with a second institutional fantasy, namely that information can be treated as though it remains in the context in which it was collected. Helen Nissenbaum’s theory of contextual integrity provides the most operationally precise refutation of that fantasy. In her conclusion, she defines contextual integrity as “compatibility with presiding norms of information appropriateness and distribution.” (Nissenbaum 155). The phrase “distribution” matters. Privacy is not primarily the possession of data. It is the governance of flow, where flow is specified by roles, contexts, and norms. When a system treats consent as an event, it often treats “distribution” as a downstream implementation detail rather than as the object of normative evaluation. Nissenbaum insists that evaluation cannot be done in the abstract because “whether a particular action is determined a violation of privacy is a function of several variables,” including context, roles, relationships, and “the terms of further dissemination.” (Nissenbaum 155). The event model fails because it collapses all that context relative structure into a single term: consent obtained.
Propagation harms are therefore, in Nissenbaum’s sense, harms of contextual breach. They occur when information leaves the normative context whose informational norms justified the collection and enters new contexts whose norms are different, often adversarial, often commercially extractive, and frequently coercive. This movement can be literal, as when a dataset is transferred to a vendor processor. It can also be representational, as when data is transformed into an embedding that encodes behavioral traces, or when it becomes part of a predictive feature reused across domains. In each case, the informational content no longer lives where the organization pretends it lives. It lives as an effect inside a new computational setting, under new incentives, where the original terms of appropriateness cannot be enforced by the fact that a consent click exists somewhere in storage.
Shoshana Zuboff’s account of surveillance capitalism gives the macroeconomic reason why propagation is not a bug but a business logic. In her definitional framing, surveillance capitalism is “a new economic order that claims human experience as free raw material for hidden commercial practices of extraction, prediction, and sales.” (Zuboff 8). This sentence is not about a single collection event. It describes a regime of transformation, in which experience is continually rendered into data, then into prediction products, then into behavioral interventions. In such a regime, the value is downstream by design. The incentive is not to keep information local and bounded; it is to propagate it into ever more profitable forms. The consent event, when it exists, functions as a ceremonial gateway into this downstream apparatus. The apparatus then produces residues that cannot be understood as mere copies. They are economic derivatives: learned preferences, inferred propensities, segment assignments, latent profiles, and automated decisions that become part of a person’s institutional atmosphere.
Zuboff’s definition also clarifies why revocation becomes institutionally difficult. If experience is treated as “free raw material,” then the system is built to convert it into new assets. Withdrawal is therefore not just an ethical obligation; it is an interruption of value production. The event model masks this conflict by isolating consent into intake, where it can be managed as a front door ritual. But propagation harms reveal the truth: the conflict is not only between organization and person but between governance and the internal market logic of reuse. In surveillance capitalism, the primary threat is not that data was collected once, but that it becomes a standing reserve for transformation.
Ruha Benjamin’s concept of the New Jim Code adds the distributive dimension that any serious theory of propagation must acknowledge. She defines the New Jim Code as “the employment of new technologies that reflect and reproduce existing inequities but that are promoted and perceived as more objective or progressive than the discriminatory systems of a previous era.” (Benjamin 3). If propagation is the engine of value, it is also the engine of unequal harm, because downstream reuse amplifies whatever patterns are already sedimented into data, into institutional history, into policing practices, into labor hierarchies, into housing segregation, into differential access to contestability. Propagation harms do not fall evenly because systems do not encounter people evenly. They encounter people through social structures that have already allocated risk and vulnerability. A person who can opt out without consequence experiences propagation differently from a person for whom refusal threatens survival or employment, and even when the initial consent artifact looks symmetrical, the downstream coercion is not.
Benjamin’s definition also punctures a comforting organizational defense: the claim that harm is an unfortunate side effect of otherwise neutral optimization. If technologies “reflect and reproduce” inequities while being “perceived as more objective,” then the harm is not an accident external to the system but an internal product of design choices and their institutional interpretation (Benjamin 3). Propagation is one such choice. Feature reuse is another. Outsourcing decisions to models is another. Each choice increases downstream movement and therefore increases the range across which inequities can be carried, intensified, and hidden behind system complexity. The event model makes this invisibility easier, because it allows the organization to point to an intake artifact while the downstream system continues to operate as an inequity multiplier.
These sources, taken together, allow a sharper definition of propagation harm than conventional privacy discourse usually provides. A propagation harm is a harm produced by the downstream movement of informational substance across contexts, processes, and representational layers, such that the moral conditions governing the initial transfer no longer determine the system’s subsequent operations. The harm is not reducible to exposure, though exposure can be part of it. The harm can also take the form of constraint, as when a downstream model score becomes a gating function for resources. The harm can take the form of classification, as when inferred attributes circulate as quasi facts. The harm can take the form of irreversibility, as when a withdrawal request cannot be made meaningful because the system has already embedded the person’s traces into artifacts whose removal is technically and institutionally expensive.
To say this precisely, one must abandon the linear story in which consent is the start of a timeline and deletion is the end. Propagation makes consent a branching structure. Each branch creates residues. Each residue carries obligations of a different kind. Some residues are direct copies. Some are transformed. Some are aggregated. Some are learned. The event model treats all of them as though they were the same moral object, governed by a single yes. The point of this book is to show that such a governance stance is not an ethic but an evasion.
At this point, an informed reader will raise two defenses of the event model. The first defense is normative: consent is still morally important because it expresses autonomy, and shifting focus to downstream movement risks reducing persons to objects of systems management rather than bearers of rights. The second defense is operational: full accounting of downstream propagation is impossible at scale, and making governance depend on such accounting will either freeze innovation or produce performative paperwork rather than substance.
Both defenses deserve a serious response, because this book is not an argument against consent. It is an argument against the fiction that consent alone, treated as a moment, can govern systems whose harms are produced as propagation. On the normative side, the shift to downstream movement does not replace autonomy; it preserves autonomy under contemporary conditions. A person’s agency is not preserved when the system is designed such that a withdrawal request, once data has propagated, cannot be implemented without institutional pain. Autonomy that cannot be operationalized becomes a moral ornament. If a system cannot make “no” meaningful after “yes,” then autonomy has been treated as ceremonial. The book therefore proposes a stricter autonomy: autonomy that remains operative as systems evolve.
On the operational side, the impossibility claim is often overstated because it equivocates between two tasks: perfect erasure and verifiable governance. Perfect erasure is indeed unattainable in many architectures, not because morality is irrelevant but because the mechanics of distributed systems, caching layers, replicated stores, and model training make total reversal expensive and sometimes destructive to legitimate accountability needs. But verifiable governance does not require perfection. It requires truthful specification, measurable residual risk, and the ability to reduce and bound residue under defined semantics. Lamport’s discipline is instructive again: systems meet specifications when specifications are stated in terms of observables (Lamport 558). The event model survives by specifying only the observable it wants to prove, the consent click. A withdrawal centered system specifies the observables that matter: where the data went, what artifacts were produced, what remains after attempted removal, and what evidence can be presented to an adversarial auditor. That is not a demand for omniscience. It is a demand for honesty about what the system has done.
Scott and Arendt clarify why “impossibility” so often functions as an institutional shield. Legibility projects allow institutions to treat what they do not measure as though it does not exist (Scott 11). Bureaucratic forms allow institutions to treat the harms produced by procedure as though they lack authors and therefore lack accountability (Arendt 40). In the context of withdrawal, the claim of impossibility often means something narrower: it is expensive to build the instrumentation that would make downstream movement visible, and that expense competes with product incentives. Zuboff’s analysis makes the incentive conflict explicit, because downstream movement is where surplus is produced (Zuboff 8). In such a context, “impossible” frequently means “unpriced.” This book’s wager is that governance becomes real when the cost curve of withdrawal is internalized early, rather than paid later by those with the least power to contest.
Nissenbaum’s theory also refines the operational response. If privacy is compatibility with norms of distribution, then governance is not the construction of a universal deletion mechanism but the construction of context sensitive flow constraints and evidence regimes (Nissenbaum 155). A system that cannot delete perfectly can still constrain dissemination, isolate access, reduce future reuse, and prove that constraints have been applied. In other words, even when residues cannot be erased without unacceptable collateral damage, the system can still be governed such that residues do not continue to propagate as though withdrawal never occurred. The event model fails not because deletion is hard but because it treats dissemination as morally downstream, when dissemination is the central moral object.
The deeper point is that propagation has created a new moral time. Under pre digital conditions, many harms of information were bounded by friction. Copies took effort. Transfers were visible. Human memory was limited. Now, copying is automatic, and visibility is optional. Therefore time itself becomes a vector of harm: the longer data lives in systems designed for reuse, the more obligations accumulate, and the less plausible it becomes to treat the initial consent as dispositive. Arendt’s “rule by nobody” names the institutional feeling that often results: harm occurs, yet no single actor can be located as the decider (Arendt 40). The book will insist that this feeling is itself a governance failure, because systems were designed, and design has authors. The authors may be distributed across teams and years, but the absence of a single author is not the absence of responsibility.
Chapter 1 therefore establishes a baseline proposition that will govern every subsequent chapter, and it does so without promising utopia. Consent events matter, and they will remain part of any serious ethic. But in systems built for propagation, consent events are not sufficient, because they do not govern the downstream graph where contemporary harms are produced. If we continue to treat consent as an event while living inside architectures of propagation, then we will continue to perform ethics at intake while permitting extraction, inequity, and irreversibility downstream. The proper response is not despair and not purity. The proper response is to treat withdrawal verification as an assessable systems property, which requires provenance, lineage, evidence, and an explicit account of what remains. That is the work of the next chapters. For now, the thesis of Chapter 1 can be stated with the bluntness systems design demands: modern systems do not primarily violate consent by taking data without a click; they violate consent by making refusal non executable once propagation has occurred.
Chapter 2: The Liturgy of “We Deleted It”
A modern institution says “we deleted it” in the same way a bureaucracy says “the matter is resolved.” The phrase is rarely a lie in the narrow sense. Someone usually did execute a deletion in some system of record. A row was removed or a key was revoked or a user was deactivated or a file was purged from a primary store. Yet the phrase functions less as a report than as a ritual of closure, a speech act that converts technical uncertainty into administrative finality. Once the words are spoken, the organization feels licensed to stop looking, and the person who asked for withdrawal is asked, implicitly or explicitly, to accept the institution’s confidence as evidence.
This chapter argues that “we deleted it” has become a liturgy. By liturgy I mean a repeatable sequence of institutional gestures that produces reassurance and moral cleanliness without necessarily producing the governed outcome. In organizations that manage data and models, the liturgy often begins with intake, where a request is made legible through a form, then translated into a ticket, then routed into a queue, then closed with a templated resolution. The closure is not always malicious. It is often the natural output of bureaucratic forms that reward completion narratives, because completion narratives enable throughput, and throughput is how organizations cope with the scale of what they have built. Arendt’s diagnosis of administrative domination remains relevant here because bureaucratic power is uniquely capable of producing grave consequences while dispersing responsibility through procedure. When responsibility is routed into office, workflow, and role, the harm can be real even when no individual intends it, and the organization can experience itself as compliant even while the person experiences themselves as trapped inside the downstream life of a past yes (Arendt).
The liturgy persists because the event model of consent, and the event model of deletion, are both aligned with what institutions can most easily prove. A timestamp can be stored. A form can be retained. A ticket can be closed. An attestation can be signed. Lamport’s specification discipline helps clarify why this alignment is seductive. Systems can only guarantee properties defined in terms of observable events, and organizations therefore prefer to define obligations in terms of the observables they already collect (Lamport). The problem is that propagation harms are produced by a sequence of observables after intake, and withdrawal requires a sequence of observables after the first deletion action. If governance defines success as a single observable, the closure of a ticket or the deletion of a primary record, then governance is structurally incentivized to ignore the rest of the graph.
Scott’s account of legibility projects provides the political logic of this narrowing. Administrative schemes select a simplified representation of reality that can be managed, audited, and scaled, and then they treat the representation as though it were the world (Scott). The consent artifact and the deletion ticket are legibility objects. They are not meaningless. They are often necessary. Yet when they become sufficient in institutional imagination, they operate as a screen. They make the complex life of information appear governable precisely because they hide what is hardest to govern, namely downstream flow, derived artifacts, and the residues that remain after any single deletion action. In the language of this book, the liturgy is a simplification that reallocates accountability away from propagation and toward intake, away from evidence and toward assertion.
The liturgy’s strength lies in its ability to convert technical ambiguity into social confidence. This conversion has a structure that recurs across organizations and sectors. First, the organization narrows the domain of the claim. “We deleted it” silently comes to mean “we deleted it from the system of record,” or “we deleted it from the user profile service,” or “we deleted it from the analytics warehouse.” Second, the organization narrows the semantics of deletion. Deletion becomes synonymous with deactivation, or with access restriction, or with retention expiration, even when the person requested reversal rather than dormancy. Third, the organization narrows the time horizon. Deletion becomes something that will occur in the next backup rotation, or the next data lake compaction cycle, or the next model retrain, which may be weeks or months away, but the speech act of “done” is spoken now. Fourth, the organization substitutes documentation for control. A policy says a thing, therefore the thing is treated as true, even when there is no telemetry that demonstrates the policy’s effect. Fifth, the organization externalizes trust boundaries. Vendor processors are asked to comply contractually, and the organization treats the vendor’s assurance as equivalent to evidence of action, even when the organization cannot test the vendor’s deletion interface or validate the vendor’s shadow stores. These moves are not rare exceptions. They are the predictable outputs of governance regimes that have not priced residue and have not built withdrawal verification into their systems.
The result is a distinctive form of institutional speech. “We deleted it” becomes a statement whose social function is absolution rather than truth. At this point, the reader may object that absolution language is unfair to engineers and operators, many of whom are acting in good faith under severe constraints. The objection is correct as far as it goes, and it is part of the tragedy of contemporary governance. In many organizations, engineers are asked to implement deletion in architectures built for replication, caching, denormalization, feature reuse, and model training, and then they are asked to certify completion in a format the institution can digest. The engineer becomes a priest of the ritual despite having no power to change the architecture that makes the ritual necessary. This is again Arendt’s problem of rule by procedure, in which the organization produces outcomes through a machinery of roles such that moral agency is present everywhere and decisive nowhere (Arendt).
If “we deleted it” is a liturgy, then the question becomes what kind of liturgy governance needs instead. The answer begins with a demand for attention, in the strict sense that Simone Weil gives the word. Weil describes attention as a disciplined orientation toward reality, a refusal to substitute imagination for what is there, and she links the ethical life to the capacity to endure the truth of affliction rather than flee into comforting abstractions (Weil). In the withdrawal domain, attention has an institutional translation. It means refusing to treat the deletion act as the endpoint of obligation, and refusing to treat the organization’s desire for closure as a substitute for the person’s right to reversal that is not merely ceremonial. Weil’s insistence on truthfulness is not a pious add on. It is a governance requirement. A system that cannot tell the truth about residue will, under pressure, tell the story it needs to tell.
Truth telling, however, is not enough, because truth telling can become yet another ritual, a moral performance that changes nothing. Here Ostrom’s work becomes necessary. Ostrom demonstrates that durable governance depends on monitoring, on rules that are enforceable, and on graduated sanctions that make norms real rather than aspirational (Ostrom). The relevance for withdrawal is direct. Withdrawal commitments that cannot be monitored will be honored selectively. Deletion policies that cannot be tested will become theater. Vendor clauses that cannot be verified will become decor. A withdrawal regime therefore requires the institutional equivalent of monitoring and sanction, not necessarily punitive in the dramatic sense, but real in the systems sense: controls that fail closed, evidence requirements that block release, procurement terms that trigger remediation cost, and internal escalation paths that force residue decisions into accountable forums. In short, the governance must have teeth, which means it must be coupled to measurable observables and to consequences that matter.
Sheila Jasanoff’s science and technology studies framework clarifies why ritual and theater are not superficial defects but structural outputs. Jasanoff’s work on the coproduction of knowledge and social order shows that governance mechanisms do not merely regulate technologies from the outside. They participate in constructing what the technology is taken to be, what counts as valid evidence, and which futures become institutionally imaginable (Jasanoff). If an organization’s governance apparatus is built around attestations and policies, then the organization will inhabit a world where those artifacts become substitutes for reality. If governance is built around evidence and testable interfaces, then the organization will inhabit a world where claims are constrained by what can be verified. The difference is not cosmetic. It is ontological at the level of the institution. It determines whether the organization experiences withdrawal as a real systems obligation or as a compliance narrative.
This is where Donald Knuth’s ethic of literate programming becomes relevant in a way that is often overlooked by compliance culture. Knuth argues that programs should be written as works of explanation, structured for human understanding rather than for machine consumption alone (Knuth). The compliance industry often treats specifications as artifacts to satisfy auditors, and it treats code as the real system. Knuth’s ethic collapses that separation. When applied to withdrawal, literate system building means that a withdrawal claim must be accompanied by an intelligible explanation of the system’s propagation paths, its residue classes, the semantics of its removal action, and the evidence that supports its claim. The withdrawal story cannot be a marketing sentence. It must be a readable specification that links architecture to obligation. This is not academic ornament. It is what allows verification to be socially portable inside an organization. Teams change. Vendors change. The ledger remains only if the explanation remains.
At this point the deeper failure of the “we deleted it” liturgy can be stated more precisely. The liturgy collapses contextual norms into a binary, deleted or not, and it collapses social meaning into a technical gesture, row removed or not. Nissenbaum’s contextual integrity shows why this collapse is structurally misleading. If privacy is about norms of appropriateness and distribution, then deletion is not merely the removal of a record but the reformation of flows so that information no longer moves in ways that violate the governing context (Nissenbaum). A withdrawal request, in a downstream system, is therefore a demand for flow transformation. It demands that derived uses be interrupted, that reuse be bounded, that propagation be traced and constrained, and that the system not continue to act as though the person’s past yes grants indefinite downstream license. When the organization says “we deleted it” while leaving downstream flows unchanged, it may have performed a deletion gesture while failing to meet the normative obligation that made the request meaningful.
The liturgy also interacts with political economy. Zuboff’s account of surveillance capitalism describes an economic order oriented around extraction and downstream transformation of behavioral surplus (Zuboff). In such an order, the most valuable artifacts are not the raw records that deletion requests typically target. The valuable artifacts are the derivatives: propensity scores, audience segments, embeddings, models, and the infrastructures that keep these artifacts circulating. The deletion liturgy often focuses on the least valuable layer because that layer is easiest to modify without disrupting revenue. The organization can delete a profile record while leaving the learned model intact. It can remove a log line while leaving the feature store unchanged. It can honor an opt out of targeted advertising while keeping the latent profile alive for other forms of personalization. The person hears “deleted,” but the system’s behavior remains meaningfully similar. This is not always deliberate deception. It is the predictable outcome of an economic and architectural regime in which downstream artifacts are treated as assets, and withdrawal is treated as a cost.
Benjamin’s analysis of the New Jim Code makes the distributive stakes nonnegotiable. If technologies reproduce inequities while presenting themselves as objective, then governance rituals that simulate withdrawal will reproduce inequities as well, because those most exposed to institutional coercion are least able to contest the difference between ceremonial deletion and real constraint (Benjamin). The liturgy therefore functions as a mechanism of differential truth. Those with power can demand bespoke remediation. Those without power receive the institution’s speech act and are expected to accept it. Any publication grade framework must name this plainly. Withdrawal verification is not only a technical aspiration. It is a distributive justice requirement in systems whose harms are produced at scale.
What replaces the liturgy is not a single mechanism but a different standard of claim. A withdrawal statement must be decomposed into verifiable components: what was removed, from where, under which semantics, with which residuals acknowledged, with which downstream flows altered, and with which evidence artifacts produced. If the institution cannot answer these questions, then it does not know what it has done, and it is relying on ritual to cover ignorance. This is where the concept of residue becomes the forcing function. The liturgy survives by refusing to name residue. Once residue is named, the organization must choose between truth and theater. It must admit that some artifacts remain, that some flows are hard to reverse, that some vendors cannot be trusted without testable interfaces, and that some models cannot be updated without cost. That admission does not weaken governance. It makes governance possible, because it makes obligations measurable and therefore contestable.
The chapter ends with a sober conclusion that prepares the next movement of the book. The phrase “we deleted it” will continue to exist because organizations need closure, and some forms of deletion are genuinely achievable. The problem is not that closure is always wrong. The problem is that closure has been institutionalized as a substitute for verification. The work of withdrawal governance is therefore to discipline closure, to constrain it with evidence, and to design systems in which statements of completion correspond to observable transformations in downstream flow. That discipline requires provenance and lineage, because an organization cannot withdraw from what it cannot trace. It requires evidence, because an organization cannot claim what it cannot prove. It requires economic honesty, because an organization will not build what it refuses to price. It requires institutional design, because engineers cannot bear the moral weight of withdrawal alone inside architectures built for propagation. And it requires attention, in Weil’s sense, because the first step toward any ethical withdrawal regime is the refusal to comfort oneself with a speech act.
The liturgy ends when the institution treats withdrawal not as a ticket to close but as a property to demonstrate, and when it becomes willing to say, with exactness rather than with reassurance, what it did, what remains, and what it will do next.
Chapter 3: Residue Classes, From Logs to Latent Space
A withdrawal request fails most often for a reason that looks technical but is, in fact, conceptual. Institutions treat “the data” as a single thing, housed in a single place, governed by a single switch. In operational reality, what a person supplied, or what a system inferred about them, is quickly reconstituted into many different kinds of artifacts that live in different layers, obey different retention regimes, travel through different trust boundaries, and require different semantics of removal. The term residue is therefore not a rhetorical flourish. It is a demand for classification. Unless an institution can name the kinds of remnants it produces, it will keep promising deletion while performing only a subset of the actions that withdrawal actually requires.
The need for a taxonomy is not merely a matter of engineering hygiene. It is a matter of truth. Arendt’s analysis of bureaucratic rule helps explain why institutions cling to singular nouns. A unified object is easier to route through procedure, easier to assign to an office, easier to declare resolved. A plural object produces conflict and delay. It forces decisions about what counts as enough. It forces accountability for what cannot be done quickly. In administrative environments that prize closure narratives, the pressure is always toward a single story, even when the system is a graph (Arendt). This is the moral function of technical ambiguity. Ambiguity allows closure without full confrontation.
Scott’s critique of state legibility clarifies why the single object story becomes institutional common sense. Legibility requires simplification. A complex world is rendered into a schema that can be administered, measured, and scaled, and what lies outside the schema becomes easy to ignore, or easy to describe as exceptional (Scott). In withdrawal governance, the simplification takes a specific form. “Deletion” becomes the removal of a record in a system of record, and the rest of the artifacts are treated as peripheral. But it is precisely the peripheral artifacts that accumulate fastest and travel farthest. The taxonomy proposed in this chapter is therefore an antidote to legibility theater. It does not make people more legible. It makes the institution’s own downstream machinery legible to itself.
Nissenbaum’s contextual integrity provides the normative basis for insisting on classification. Privacy, on her account, is not reducible to secrecy, and it is not reducible to a personal preference state. It concerns the appropriateness of information and the legitimacy of its flows, given a context’s governing norms (Nissenbaum). If governance is about flows, then residues are not just leftovers. They are the concrete traces through which flows continue. A withdrawal request is not only a request that a record disappear. It is a demand that downstream movement be interrupted, reshaped, and evidenced, so that the person’s informational presence does not continue to act in contexts that exceed the terms under which it was first taken.
The practical conclusion follows. A system cannot honestly claim withdrawal unless it can state, residue class by residue class, what it produced, where it lives, how it moves, what semantics of removal apply, what remains after action, and what evidence supports the claim. This is where Lamport’s discipline becomes decisive. In distributed systems, correctness can only be asserted against a specification phrased in observable events (Lamport). If withdrawal is specified as a single deletion event, then the system will optimize for producing that observable, and governance will celebrate the observable as success. If withdrawal is specified as a set of observables across residue classes, then governance becomes tethered to the downstream graph rather than to a single ritual act. The taxonomy is therefore the bridge between moral obligation and verifiable specification.
The rest of this chapter names seven residue classes that recur across contemporary pipelines. The purpose is not to multiply categories for their own sake. The purpose is to force the organization to stop speaking in generic nouns, because generic nouns are where audit theater breeds. Each class is described in terms of how it is produced, why it persists, what kind of withdrawal semantics are meaningful, and what kind of evidence can plausibly support a completion claim.
The first class is direct copies. These are the artifacts institutions most readily acknowledge: the primary records in systems of record, the rows in transactional databases, the documents in object stores, the tables in analytic warehouses, the raw files in a data lake. They are direct in the sense that they preserve the informational substance in a relatively untransformed form, even when fields are normalized or schemas evolve. Direct copies are also where organizations concentrate their deletion mechanisms, because deletion can often be implemented as a conventional operation. Yet even here, the temptation toward liturgy is strong. A direct copy can be deleted while replicas remain, backups persist, or recovery snapshots continue to carry the material. In distributed storage, the difference between deletion in the primary store and deletion across replicas is not pedantry. It is the difference between a speech act and a systems property. The evidence expected for this class must therefore move beyond an assertion that a record was removed and toward proofs that replicas, backups, and restore paths are governed under an explicit retention policy, with controls that make post deletion recovery auditable and constrained. This is not a demand for perfect erasure across all time. It is a demand for honest semantics, because governance cannot claim withdrawal in contexts where the system can silently resurrect what was supposedly removed.
The second class is cached copies. These include content delivery caches, application level memoization, intermediate query results, search indexes, edge caches, browser caches, and the quiet persistence of derived data in performance layers built for speed and availability. Caches exist because engineering has learned that scale requires duplication. The cache is also where withdrawal is most often falsified by time. The system of record changes, but the cache continues to serve the earlier state until expiration or invalidation. If an institution claims “we deleted it” while a cache can continue to return it, then withdrawal is temporally untrue even when it is eventually true. This matters because many harms are produced in the interval, and because trust is destroyed by the experience of the system continuing to behave as though nothing changed. Lamport’s ordering insight can be felt here in ordinary life. The organization thinks deletion happened, the user experiences non deletion, and both are correct under different partial orders of observation (Lamport). Governance for cached copies therefore requires explicit invalidation logic, explicit retention horizons, and evidence that invalidation propagated through the cache graph. When evidence cannot be produced, governance must limit the claim. A system can say it has scheduled withdrawal, or that withdrawal will be complete within a defined time window. It cannot honestly say it has withdrawn if it cannot demonstrate cache invalidation semantics.
The third class is transformed copies. These are artifacts produced by extraction, transformation, and loading processes, tokenization, normalization, pseudonymization, hashing, feature engineering, de duplication, record linkage, and schema derived projections. Transformed copies are the workhorses of contemporary value creation, because they make disparate data interoperable and useful for analysis and modeling. They are also where the institution begins to lose track of provenance, because transformation breaks the intuitive link between input and output. The organization deletes the original record and assumes the derivative will fade. But transformed artifacts persist because they have become useful in their own right. Here the normative stakes sharpen. Nissenbaum’s theory insists that distribution and secondary dissemination are central to privacy evaluation (Nissenbaum). Transformed copies are a mechanism of dissemination, not simply a technical necessity. They are often precisely how information crosses contextual boundaries. The withdrawal problem in this class is therefore one of reversibility. If a feature was computed from a user attribute and then shared broadly, withdrawal requires either recomputation without that contribution or isolation of downstream uses. The evidence standard must include demonstrable linkage between a withdrawal request and the set of transformations that produced dependent artifacts. Without that linkage, the organization has no principled basis for claiming it knows what must change. This is why the book later treats lineage as accountability geometry rather than as metadata. The point is not to collect more annotations. The point is to make transformations traceable in a way that supports action.
The fourth class is aggregated statistics. These include counts, histograms, cohort metrics, summary tables, dashboards, and any form of analytic output that combines many individuals into a collective signal. Aggregates are often invoked as a governance escape clause. Organizations say, sometimes correctly, that they cannot remove a single person’s influence from an aggregate without undermining the integrity of the statistic, or without requiring expensive recomputation. But aggregate residue is not automatically harmless. Aggregates can be used to govern people even when they do not identify them. They can be used to justify policy interventions, resource allocation, targeted enforcement, and risk scoring. In other words, aggregates can be an instrument of governance even when they are not an instrument of identification. This is where Benjamin’s analysis of the reproduction of inequity through ostensibly objective systems becomes essential. Technical artifacts can maintain the aesthetic of neutrality while reproducing unequal power (Benjamin). Aggregates can perform this function. They can also function as proxies that produce disparate impact even when individual removal is not meaningful. Withdrawal governance for aggregates must therefore adopt a different honesty. Sometimes the meaningful withdrawal promise is not “we will subtract you from all aggregates,” but “we will constrain what aggregates we produce, we will constrain how long we retain them, we will constrain the decision uses they feed, and we will document and evidence those constraints.” The evidence standard becomes about purpose binding and use limitation, not about literal subtraction. This is not evasion. It is the refusal to promise a mathematically incoherent action while still governing the downstream harms aggregates can produce.
The fifth class is learned representations. This includes embeddings, vector indexes, model weights, fine tuned adapters, cached activations, and any learned parameterization that encodes traces of training data. This is where residue takes its most politically charged form, because it is the layer where organizations claim that data has been abstracted away into statistics, and therefore no longer matters, while critics observe, often correctly, that the data continues to act through the model. Zuboff’s account of behavioral extraction clarifies why this layer is so contested. Surveillance capitalism is not satisfied with storing records. It seeks to convert experience into predictive products (Zuboff). Learned representations are the quintessential predictive product. They are also the most valuable artifacts, which means they are the most institutionally protected. The withdrawal problem here is therefore not only technical. It is an incentive conflict. Organizations will tend to treat unlearning as unnecessary or infeasible because it threatens the asset that monetizes downstream movement.
A publication grade approach must therefore insist on bounded honesty. A model can continue to carry influence even when the source record is deleted. Whether that influence is detectable depends on model class, training procedure, and evaluation method. Withdrawal governance in learned representation systems must therefore specify what is promised. Is the promise to prevent regurgitation of memorized strings. Is the promise to reduce membership inference risk. Is the promise to remove targeted influence from a local region of parameter space. Is the promise simply to cease using the data in future training runs while acknowledging that existing checkpoints remain affected. These are different promises and they require different evidence. Knuth’s ethic is directly applicable here. A system that cannot explain, in readable form, what it means by withdrawal at the representation layer is a system that will rely on slogans (Knuth). The evidence standard must be tied to reproducible evaluation, not to narrative assurances. This chapter does not attempt to solve unlearning. It attempts to prevent the institution from claiming unlearning when it has only performed record deletion.
The sixth class is human memory artifacts. These include screenshots, exports, spreadsheets created for ad hoc analysis, data pulled into personal notebooks, email attachments, incident reports, copies pasted into tickets, and the informal datasets that emerge wherever work is done under time pressure. This residue class is often ignored in formal governance because it is embarrassing. It is where the gap between policy and practice becomes undeniable. Yet it is also where many harms persist, because human artifacts travel outside the technical enforcement perimeter. Arendt’s account of dispersed responsibility explains why this class is hard. The institution can enforce deletion on a database, but it cannot easily enforce deletion on a spreadsheet on a laptop, or on an attachment sent to a vendor, or on an image embedded in a slide deck. The organization therefore tends to pretend this class does not exist, and then it is surprised when an exposure occurs. A withdrawal centered regime must treat human artifacts as governed data flows, not as behavioral exceptions. Ostrom’s insistence on monitoring and enforceable rules is relevant here. Durable governance does not emerge from exhortation. It emerges from institutional arrangements that make compliance feasible and deviation costly or unlikely (Ostrom). In practice, that means minimizing the production of human residues through controlled access patterns, governed export mechanisms, and tooling that reduces the need for ad hoc copying, while also acknowledging that no tooling eliminates it. Evidence in this class is partly technical and partly institutional: device management controls, data loss prevention signals, retention enforcement on collaboration platforms, and training that is tethered to enforcement, not to moral pleading.
The seventh class is vendor shadow stores. These are the stores that exist because modern systems are composed across boundaries. Data is sent to processors for analytics, customer support, marketing, monitoring, and model training. The processor maintains logs, backups, debug stores, and internal derived datasets. Even when a contract states deletion obligations, the organization often lacks testable interfaces to confirm that deletion happened across the processor’s internal graph. This is the purest form of the “we deleted it” liturgy, because the claim depends on trust at a distance. Jasanoff’s coproduction insight helps explain why the problem persists. Governance mechanisms shape the institutional imagination of what counts as knowledge and what counts as evidence (Jasanoff). If a contract is treated as knowledge, then assurance becomes evidence by fiat. A withdrawal centered regime refuses that substitution. It treats vendors as trust boundaries that require telemetry, testability, and explicit evidence delivery, because in systems built for propagation, the vendor is not a peripheral actor. The vendor is part of the propagation graph.
At this point the reader may notice that each residue class is not merely technical. Each class corresponds to a different way power is exercised. Direct copies are the raw materials of administrative action. Cached copies are the time lag through which systems continue to act after consent is withdrawn. Transformed copies are the mechanism by which information crosses contexts under the guise of engineering necessity. Aggregates are the way institutions govern populations while claiming not to govern individuals. Learned representations are the way institutions extract predictive value while claiming the source is no longer relevant. Human memory artifacts are the informal lifeblood of bureaucratic work, often unacknowledged, often decisive. Vendor shadow stores are the externalized remainder of responsibility.
This is why classification is not optional. It is also why classification must be handled carefully. Scott’s warning about legibility applies here as well. A taxonomy can become a new form of simplification that creates false confidence (Scott). The organization can treat the taxonomy as a checklist rather than as a discipline of attention. It can claim it has “addressed” a class because it has named it. This is where the book’s method insists on a coupling between classification and evidence. A residue class is not governed because it is listed. It is governed only when a withdrawal action is specified for it, evidence is defined for that action, and the evidence can be produced and validated.
Nissenbaum’s contextual integrity provides a useful way to restate this requirement. The legitimacy of information practice depends on norms of flow, and those norms are contextual (Nissenbaum). Residue classes are the concrete channels through which flows persist. A withdrawal request is therefore a demand to reshape flows across classes, and the institution’s obligations differ by class. The institution can, in some classes, perform literal removal. In other classes, it must constrain dissemination and use. In still other classes, it must admit remainder and bound its risks through time, isolation, and monitoring. But in all cases, it must tell the truth about what it can do, and it must show evidence that it did it.
This chapter also clarifies why the book refuses purity. Some residues cannot be removed without undermining other ethical goods, such as accountability, contestability, and the integrity of records necessary for justice. A system that deletes all traces indiscriminately can become a system that cannot be audited. Withdrawal governance must therefore distinguish between residue that is necessary and residue that is convenient. This is not a philosophical aside. It is a practical requirement, because many of the most damaging residues persist not because they are required for justice but because they are required for profit or convenience. Zuboff’s analysis makes this distinction unavoidable. If the economic order treats human experience as a raw material for extraction and prediction, then residue will be defended as an asset (Zuboff). The role of governance is to internalize the cost of that asset and to constrain its downstream uses, especially when those uses fall disproportionately on those with the least power to refuse.
The chapter closes by preparing the transition to provenance and lineage. A taxonomy is necessary, but it is not sufficient, because classification without traceability produces the illusion of control. The organization can know which classes exist in the abstract and still fail to know which artifacts, in which class, are connected to a given withdrawal request. This is why the next part of the book treats provenance not as metadata and lineage not as a dashboard, but as accountability geometry. Without that geometry, withdrawal remains a liturgy. With it, withdrawal becomes specifiable, testable, and economically honest.
Chapter 4: The Politics of Measurability
Residue becomes governable only when it becomes measurable, but measurability is never a neutral upgrade to truth. It is a political act that rearranges attention, redistributes institutional labor, and hardens some realities into numbers while leaving other realities in the moral fog where organizations can deny them without formally lying. The project of this part has been to move consent out of ritual time and into system time, out of event language and into propagation language, out of reassuring claims and into verifiable properties. Yet the moment we say “measure residue,” we step into a terrain where the instruments of truth can also become instruments of domination, and where organizations can manipulate the boundary between what is counted and what is ignored in order to preserve power, preserve profit, and preserve the comfort of closure.
This chapter therefore does two things at once. It defends measurability as a condition of accountable withdrawal, because no institution can verify what it refuses to observe. It also refuses the fantasy that measurement is synonymous with ethics, because measurement can become its own liturgy, producing dashboards that substitute for action and proxy metrics that become targets rather than signals. The politics of measurability is the hinge between Part I and the rest of the book. Part I names residue as the governed object and shows why consent event governance fails under propagation. Part II will build the infrastructure that makes withdrawal verifiable rather than ceremonial. But we cannot enter Part II honestly without first describing why organizations unmeasure what they most need to govern, and why some forms of measurement can deepen the harm they claim to prevent.
To understand why quantification is so often treated as virtue, it helps to begin with a basic fact about modern legitimacy. Numbers travel. They cross internal boundaries between teams and external boundaries between institutions. They create the appearance of objectivity and comparability, especially in environments where trust is thin and contestability is dangerous. Theodore Porter’s analysis of quantification in public life explains why this appearance is socially valuable. Quantification offers a portable form of authority, a way to replace judgment with procedure and thereby to defend decisions in adversarial environments, especially when the decision maker anticipates scrutiny and wants insulation from claims of arbitrariness. In the withdrawal domain, this creates a paradox that runs through the remainder of the book. On one hand, verification requires quantification, because auditability depends on evidence that can be checked and reproduced. On the other hand, the institution’s appetite for numerical legitimacy can flatten the complex ethical reality of residue into a small set of indicators whose primary function becomes institutional reassurance.
Scott’s account of administrative simplification makes the shape of this paradox visible. When the state sees, it often sees by narrowing, by selecting a few variables that can be monitored and then treating those variables as the terrain itself. The simplification is not always a mistake. It is often what makes governance possible at scale. But simplification becomes harmful when it causes institutions to confuse their schema with the world, and to forget that what is not captured by the schema remains real. In the withdrawal context, “percent of deletion requests closed within SLA” can become the schema. So can “number of records deleted.” So can “time to ticket closure.” None of these are meaningless. Yet if they become the sole measure of withdrawal, they simply reproduce the liturgy of “we deleted it” at a higher resolution. The institution becomes better at narrating completion without becoming better at tracing propagation, bounding derived artifacts, and evidencing remainder.
Arendt’s account of bureaucratic domination sharpens this point by naming how procedure becomes a moral alibi. The bureaucratic form does not need malice to produce injury, because it can route responsibility into the machinery of process and thereby make harm feel authorless. When quantification is tied to that machinery, it can create a second order alibi. The organization can say not only “the procedure was followed,” but also “the numbers show compliance.” This is the most stable form of closure theater because it feels empirical. The person who experiences residue as ongoing constraint is then asked to trust the institution’s metrics over their own encounter with the system. In such a setting, measurability becomes a tool for institutional self confidence rather than a discipline of accountability.
The withdrawal project must therefore insist on a more demanding standard. Measurability is not the production of indicators. It is the production of evidence. Evidence is something that can withstand adversarial inquiry, something that can be traced back to system behavior, something that can be reproduced by an auditor who does not share the organization’s incentives. The difference between indicators and evidence is not semantic. Indicators are often designed for governance leaders and quarterly reviews. Evidence is designed for dispute.
This difference matters because the hardest residues to govern are also the easiest residues to mismeasure. Learned representations, vendor shadow stores, transformed artifacts that break intuitive lineage, and human memory residues do not lend themselves to clean counting. Their metrics require instrumentation across boundaries, careful specification of semantics, and costly evaluation. The organizational temptation is therefore to measure what is easy, not what is morally weighty. This is where the politics becomes explicit. The easiest residues to count are not always the residues that do the most harm. The residues that do the most harm are often those that are strategically left uncounted, because counting them would make the institution’s obligations inescapable and expensive.
Zuboff’s political economy makes this strategic uncounting legible. If the system is built to convert experience into downstream predictive products, then the valuable artifacts are not the raw records that deletion requests target but the derivatives, including inferred profiles, segment assignments, embeddings, and models. When an institution measures deletion primarily at the level of raw records, it can claim ethical progress while leaving the high value residues intact. That is not simply an engineering oversight. It is a structural alignment between measurement and monetization. The institution measures what it is willing to give up and avoids measuring what it is built to protect. This is why the book refuses a withdrawal discourse that remains at the level of intake artifacts. Withdrawal must be expressed in terms that reach the derivative layer, or it will be absorbed by the economics of propagation.
Benjamin’s analysis of the reproduction of inequity through technical systems adds another layer. When harms fall unevenly, measurement regimes can either reveal that distribution or conceal it. A measurement that aggregates away disparity can preserve an appearance of neutrality while allowing unequal residue burdens to persist. A measurement that is not disaggregated by exposure, context, and coercion can tell a clean story while the system continues to operate as an amplifier of structural inequality. In the withdrawal domain, the political question is not only “did the organization do deletion actions,” but also “who receives real withdrawal and who receives ritual withdrawal,” because the gap between the two often maps onto power.
At this point a reader could reasonably worry that the argument is cornering itself. If measurement can become domination, and if measurement can become theater, then why insist on measurement at all. The answer is not to abandon measurability but to relocate what is made measurable. The withdrawal project should not primarily aim to make persons more measurable. It should aim to make systems more accountable. This is where classification theory becomes more than an academic aside. Bowker and Star show that classification systems are not inert containers. They are infrastructural decisions that shape what can be seen, what can be acted on, who is burdened, and what disappears into the background. When the institution classifies residue classes, it is building an infrastructure of visibility. The ethical demand is that this infrastructure illuminate the institution’s own propagation machinery rather than produce a new regime of legibility that tightens surveillance on those already burdened. Put directly, the ledger should measure the system’s obligations, not intensify the capture of subjects.
Nissenbaum’s contextual integrity provides a clear normative test for this relocation. If privacy is governed by appropriate flows within contexts, then the measurement problem is not solved by collecting more and more information about people in order to better manage consent states. The measurement problem is solved by specifying and enforcing flow constraints, by proving that information does not travel into contexts where it violates governing norms, and by evidencing those constraints in a way that can be audited. In that sense, the highest value measurement is not a measurement of the person. It is a measurement of the system’s distribution behavior, the system’s purpose binding, the system’s retention adherence, and the system’s ability to execute withdrawal semantics across residue classes.
This is also where Ostrom’s work becomes operationally decisive. Durable governance does not arise from moral language alone. It arises from monitoring arrangements that make rules real, and from enforceable consequences that prevent norms from dissolving into aspiration. In the withdrawal domain, this means that measurability must be attached to decision rights and to institutional consequences. If a vendor cannot produce deletion evidence, the procurement relationship must be renegotiated or terminated. If a feature store cannot trace downstream dependencies, the feature must not be reusable by default. If a model pipeline cannot separate training bills of materials by consent state, the pipeline must fail closed. If a cache layer cannot guarantee invalidation semantics within a declared time window, the public claim about withdrawal must be bounded to that window rather than spoken as immediate completion. These are not mere technical preferences. They are governance commitments that couple measurement to constraint.
Jasanoff’s work in science and technology studies helps clarify why such coupling cannot be treated as a final technical design that sits outside institutional imagination. Evidence regimes are part of how institutions produce reality. If governance treats dashboards as knowledge, dashboards will become the dominant form of truth inside the organization, and whatever the dashboards omit will become institutionally unreal. If governance treats reproducible evidence as knowledge, then teams will orient toward building telemetry, traceability, and testable interfaces rather than toward producing narratives of completion. This is coproduction at the level of withdrawal. The instruments by which we claim to know determine what we become capable of doing.
The deepest risk, then, is not that measurement fails to capture everything. The deepest risk is that measurement becomes a moral substitute. This happens when organizations measure what they can easily show and then treat that showing as the ethical work. Knuth’s insistence that systems building is also an epistemic discipline becomes relevant precisely here. A literate withdrawal regime requires that every measurement be accompanied by an explanation of what it means, what it does not mean, what residue it leaves untouched, and what threat model it is designed to satisfy. Without that explanatory discipline, metrics become incantations.
Weil’s ethics of attention provides the interior counterpart to this institutional discipline. Attention is the refusal to let imagination replace reality. In the withdrawal domain, attention means refusing to let measurement replace truth. It means using measurement as a tool for truth telling, not as an escape hatch from responsibility. It also means being willing to measure the painful parts, the parts that reveal high remediation cost, the parts that reveal architectural negligence, the parts that reveal externalized harm. An institution that measures only what flatters its own narrative is not measuring. It is staging.
The correct aim of a withdrawal measurement regime can now be stated with precision. The aim is to design measurability that increases accountability for propagation without increasing extractive capture. This requires at least three commitments that will govern the remainder of the book. The first commitment is semantic honesty. Every measurement must be tied to a declared semantics of withdrawal. Deletion cannot mean everything. Isolation cannot mean everything. Unlearning cannot mean everything. If the semantics are not declared, the measurement will be interpreted as a proof of whatever the institution wants it to prove.
The second commitment is adversarial verifiability. Measurements must be grounded in evidence artifacts that can be checked, not merely in internal dashboards. This includes proofs of action across replicas, caches, and downstream processors, testable interfaces to vendors, and evaluative suites for representation layer residues. The book will not claim that all this is easy. It will claim that without it, “we deleted it” remains a liturgy.
The third commitment is distributive vigilance. Measurement must not erase disparity. It must make visible who bears residue and who receives meaningful withdrawal. It must expose where refusal is structurally unavailable. It must show when the institution has chosen convenience over reversal, and it must force those choices into accountable forums rather than burying them in internal ambiguity.
With these commitments, Part I can close. We have established why consent events misdescribe the ethical terrain of propagation harms, why “we deleted it” functions as a ritual of closure, why residues must be classified across artifact types from logs to latent space, and why measurability is both necessary and politically dangerous. Part I has therefore named the object and the failure modes. It has also named the trap, namely that governance can become a higher resolution theater if it measures the easy and declares victory.
Part II begins from the refusal of that trap. If withdrawal is to become verifiable rather than ceremonial, the institution must treat provenance and lineage as infrastructure, not as annotation. It must build the accountability geometry that makes a withdrawal request computable as an impact analysis across transformations, caches, vendors, and models, and it must do so in a way that produces evidence rather than reassurance. The next chapter will therefore begin with a claim that sounds technical but functions as an ethical axiom: provenance is not metadata. Provenance is the shape of accountability.
Section II
Provenance and Lineage as Withdrawal Infrastructure
Part I ended by insisting that residue becomes governable only when it becomes measurable, and that measurability is always contested because institutions can use metrics to secure legitimacy without accepting obligation. Section II begins from a narrower, more operational claim that nevertheless carries the moral weight of the entire manuscript. Withdrawal cannot be verifiable unless a system can answer, with reproducible specificity, what used what, what produced what, who was responsible, and when each dependency relation became true. In other words, withdrawal is not first a deletion problem. It is first an accountability geometry problem.
This section therefore builds the infrastructural spine that makes the rest of the book possible. It moves from the question of what residue is to the question of how residue is traced, bounded, and evidenced across time, across transformations, across services, and across vendors. Chapter Five begins with the discipline that makes every later chapter either feasible or fictive.
Chapter 5: Provenance Is Not Metadata, It Is Accountability Geometry
In most organizations, provenance is treated as a decorative layer. It is confused with metadata, folded into ad hoc tags, attached to tables as optional columns, and invoked primarily when something has already gone wrong. That posture is not only insufficient for withdrawal. It is the mechanism by which withdrawal becomes a liturgy. If provenance is optional, then accountability is optional, and if accountability is optional, then revocation becomes a request for institutional goodwill rather than an auditable systems property.
To recover provenance from this fate, we need to say what provenance is, and we need to say what it is for. The World Wide Web Consortium’s PROV Data Model offers a definition that is austere enough to be operational and broad enough to be portable across domains. Provenance is information about entities, activities, and people involved in producing a thing, and it is usable for assessing reliability and trustworthiness. This is not a rhetorical definition. It is an engineering definition. It tells you what kinds of objects provenance must represent and what questions it must enable.
Notice what is absent. The definition does not say provenance is a label, a description, a static attribute, or an annotation one can add later. It implies a graph of relations among entities, activities, and agents. It implies that what matters is not merely that a dataset has an owner, but that a dataset was generated by a particular activity, using particular inputs, under particular responsibility, and at a particular time, in a way that can be reconstructed as a history rather than asserted as a belief.
This is why provenance is not metadata. Metadata tends to be treated as a property of an object, usually present tense, often human authored, and commonly optimized for discovery, classification, and governance workflow. Provenance, by contrast, is a record of production and dependence. It is past tense. It is a statement about what happened, not merely what something is called. It is therefore closer in spirit to distributed systems truth than to catalog convenience. It belongs to the same family of disciplines as Lamport’s insistence that ordering must be represented in a way that survives partial observation. A system can only establish meaningful claims about behavior when it can represent causal relationships among events rather than relying on a single global narrative that no process can actually see.
The withdrawal problem is exactly this. A withdrawal request is an attempt to change the future behavior of a system by asserting a new norm about the legitimacy of certain flows. Yet the system is distributed across services, caches, feature pipelines, vendors, and model checkpoints. No single actor sees the whole. If provenance is merely descriptive metadata, then it cannot carry the burden of coordinating withdrawal action across these partial views. If provenance is accountability geometry, then it becomes the structure by which partial views can be reconciled into a traceable impact analysis.
This is the first pivot of Section II. Provenance is not a report. It is infrastructure. It is not what you attach to data once governance asks. It is what makes governance computable.
Why provenance matters for withdrawal
A withdrawal regime must do at least four things if it is to tell the truth. It must identify where a datum flowed, it must identify what artifacts remain downstream, it must enact a semantics of removal that is meaningful for the residue class in question, and it must produce evidence that an auditor can validate. Part I framed these requirements as verifiable withdrawal. Provenance is the dependency substrate that makes each requirement more than aspiration.
To see why, consider the simplest seeming withdrawal action, deletion of a primary record. Even here, “deletion” is an event whose meaning depends on replication, snapshotting, caching, indexing, and backup policy. The organization can delete a row and still leave its influence present in search indexes and analytic extracts. Without provenance, the organization cannot state what else must change. It can only hope. Provenance makes hope unnecessary by representing dependency relations as explicit edges rather than as institutional memory.
This is also why the PROV model’s emphasis on temporal information and responsibility is not a scholarly preference but an enforcement requirement. PROV distinguishes the use and production of entities by activities and includes the role of agents who bear responsibility. Withdrawal is a claim about responsibility across time. It demands that an institution be able to say, not only that a record existed, but when it was generated, when it was used, and who authorized or operated the activities that propagated it. Where these relations are absent, the institution does not merely lack documentation. It lacks the ability to attribute obligations to concrete system actions. That absence becomes a moral loophole.
At this point, a temptation emerges. An institution might respond by collecting more metadata. It might attach more tags, enforce stricter naming conventions, require more manual annotation. These steps can improve catalog hygiene, but they do not solve provenance. They can even worsen it by substituting human asserted meaning for system verified history. A withdrawal ledger built on manual description will fail under dispute, because the very moments that matter most for accountability are the moments where manual description is least trustworthy. When the incident is live, when the deadline is tight, when incentives are misaligned, descriptive fields are filled in to close a ticket. The institution ends up with beautiful metadata and a weak proof.
The stronger approach is to design provenance capture as an event level discipline, aligned with the way systems actually run. This is not a stylistic choice. It is the only route to evidence that can survive adversarial inquiry.
Accountability geometry rather than catalog ornament
The phrase accountability geometry is chosen deliberately. Geometry names a structure that can be reasoned over. It implies nodes, edges, composition, and constraints. It implies that one can compute the consequences of change. Provenance is geometry because it is the representation of dependency relations in a form that supports inference, not merely lookup.
PROV makes this explicit by defining core relations such as generation, use, and derivation, and by providing a way to represent responsibility and attribution. Buneman, Khanna, and Tan make the same point from within database theory, in a way that is directly useful for withdrawal. They distinguish why provenance, which concerns what source data influenced the existence of a derived result, from where provenance, which concerns the locations in the source from which data was extracted. This distinction is not academic taxonomy. It mirrors the operational needs of withdrawal. If a model feature exists because of a person’s record, that is a why relation. If a derived table contains values extracted from a particular source column, that is a where relation. Withdrawal must often answer both. It must identify whether the person’s data influenced an artifact’s existence, and it must identify where in a pipeline that influence was carried forward so that removal semantics can be enacted at the right points.
A governance regime that lacks why relations will delete raw records while leaving downstream transformations untouched, because it will not know which artifacts depended on the withdrawn input. A governance regime that lacks where relations will know that an artifact depended on something, but it will not be able to locate the concrete points in storage and processing where removal must be enacted. In both cases, the organization will default to the liturgy of closure. It will perform the actions it can see and declare completion because it cannot see the rest.
This is why provenance cannot be treated as a single field called source. Source fields are not dependency graphs. A source tag is a narrative. Provenance is a structure that can be computed.
The temporal spine of provenance and the refusal of retroactive fiction
One of the most dangerous habits in governance is retroactive coherence. After an event, organizations reconstruct a tidy story in which everything has an origin, a purpose, and a responsible owner. This story is psychologically comforting and administratively useful, but it is often false. It compresses ambiguity, erases branching, and hides the informal pathways by which data actually moved. In withdrawal governance, retroactive coherence is not only a truth problem. It is an evidence problem. It leads institutions to claim they have traced propagation when they have only narrated it.
Lamport’s central lesson can be translated directly into this domain. In a distributed system, different observers can disagree about event ordering, and correctness must be formulated in terms that are consistent with the partial ordering implied by causality rather than a fictional global time. Withdrawal is a change that must be coordinated across that same partial ordering. If provenance capture relies on after the fact narration, it will import a false global ordering and will quietly lose the causal edges that matter for impact analysis.
PROV’s emphasis on explicit relations and constraints is a response to this risk. The specification itself notes that a provenance description can be composed in nonsensical ways, such as stating that an entity was used before it was generated, and it points to constraints as the mechanism for validating provenance. This matters because a withdrawal ledger is only as trustworthy as its internal consistency. If provenance can be written arbitrarily, it becomes a new theater. If provenance is constrained, validated, and tied to observed system events, it becomes evidence.
This is also where the book’s broader ethic asserts itself. The point is not to create perfect histories. The point is to make it expensive for institutions to lie to themselves. A constrained provenance graph forces the organization to face what it does not know, because gaps become visible as missing nodes and missing edges rather than as vague uncertainty that can be papered over with a policy statement.
Provenance as a mechanism of contestability
Withdrawal governance is not only about internal operations. It is about contestability. It is about the ability of an affected person or regulator to challenge an institution’s claim that withdrawal occurred. In such disputes, the institution’s incentives are rarely aligned with full disclosure. The institution wants closure, reputational protection, and cost containment. The person wants certainty, safety, and repair. The only ethically stable bridge across that conflict is verifiable evidence.
This is where Nissenbaum’s contextual integrity becomes an engineering demand. If privacy is governed by norms of flow, then disputes about privacy are disputes about whether information flowed appropriately. In practice, this means that a serious institution must be able to show the flow constraints it claims to enforce and to show evidence that those constraints held. Provenance is the record of actual flows and derivations. Without it, contextual integrity remains a normative aspiration without an operational substrate.
Contestability also reveals why provenance must represent agents and responsibility rather than only data transformations. A system that can trace derivation but cannot attribute responsibility will still fail ethically. It will treat harm as an emergent property of pipelines rather than as an outcome of decisions. PROV’s explicit inclusion of agents and responsibility is therefore not optional for withdrawal. It is what allows a withdrawal regime to connect technical propagation to institutional accountability.
Ostrom’s governance grammar deepens this point. Monitoring and sanctions are meaningful only when rule violations can be attributed to actors, processes, and decision points in a way that supports enforceable consequences. If provenance is only about data lineage but not about responsibility, then governance becomes toothless. It can observe, but it cannot correct. Withdrawal then becomes a repeated failure with no institutional learning.
What provenance must do, and what it must refuse to do
At the start of Section II, it is necessary to be explicit about what provenance is being built for. Many provenance efforts fail because they begin as an attempt to capture everything. They create an enormous graph of questionable fidelity, expensive to maintain, difficult to query, and politically easy to ignore. The organization then declares the provenance initiative complete while engineers route around it and leadership stops using it because it is too noisy. Provenance becomes another compliance artifact, and withdrawal remains a liturgy.
The alternative is to treat provenance as purposive infrastructure, designed to support specific queries that matter for accountability. Buneman’s framing is again instructive because it ties provenance to the question, for a given result, what parts of a database contributed and from where. In withdrawal governance, the primary query is impact under revocation. Given a withdrawal request tied to a datum, a consent state, or a subject identity, what entities, transformations, caches, exports, and learned artifacts were downstream influenced, and what actions must be taken to enact the declared semantics of removal. The provenance system should be designed to answer that query with bounded cost and reproducible evidence.
Equally important are the refusals. Provenance must refuse to become a mechanism of expanded surveillance. The temptation is strong to solve withdrawal by tracking people more intensively, linking more identifiers, collecting more behavioral telemetry, and thereby increasing the very residue burden the book is attempting to reduce. The correct design principle is the inverse. Provenance should measure the system’s obligations, and it should do so through event relations that are about the system’s handling of data, not through new layers of person centered capture. This is where the ethics of measurability from Part I carries forward as a constraint on Section II’s infrastructure work. The provenance graph should be built to limit flows, not to rationalize them.
Provenance as specification discipline
The final move of this chapter is to place provenance inside the tradition of specification, not inside the tradition of reporting. Lamport’s work has already shown why ordering must be represented if correctness is to be argued. Knuth adds the complementary discipline. Systems are not only built. They are explained. A system that cannot explain its own behavior in a form that others can audit is a system that will quietly drift from its professed norms. Provenance is part of that explanatory discipline, but it cannot be treated as after action prose. It must be part of the system’s semantics.
PROV helps here by giving a shared conceptual vocabulary, one that can be specialized while preserving semantics. It is designed so heterogeneous systems can export native provenance into a core model and other systems can import it and reason over it. This is precisely what withdrawal needs across vendors and across internal boundaries. An institution cannot verify withdrawal if each service speaks a different provenance dialect that cannot be reconciled. It also cannot verify withdrawal if provenance is not portable enough to be used in procurement and audit.
The reader should now feel the constraint that will govern the next chapters. Provenance is not a nice to have. It is the only stable substrate on which lineage, evidence, and withdrawal orchestration can be built. If provenance is treated as metadata, governance will remain narrative. If provenance is treated as accountability geometry, governance can become testable. The next chapter will take this one step further. Provenance is the conceptual model. Lineage is the implementable graph you actually need, with required nodes and edges, with evidence at each edge, and with interfaces that turn withdrawal from a moral appeal into a reproducible systems operation.
Chapter 6: The Lineage Graph You Actually Need
Chapter Five argued that provenance is not ornamentation but accountability geometry, because a withdrawal regime that cannot represent dependency relations as a computable history will default to ritual claims of completion. Chapter Six tightens the argument by moving from conceptual provenance to implementable lineage, meaning a graph whose nodes, edges, and version semantics are sufficiently concrete that a system can answer the withdrawal question under adversarial scrutiny: given a withdrawal request, what ran, what used the withdrawn material, what was produced, where it moved, what remains, and what actions were executed to make the new constraint real.
The reason lineage must be treated as a distinct problem is that provenance, as a general concept, is easy to affirm and easy to dilute. Most organizations already have something they call provenance, often a catalog field, a source tag, or a dashboard with arrows. Lineage becomes real only when it is expressed as a graph that is mechanically tied to execution. The graph cannot be a picture. It must be an interface contract between systems that produce data and systems that must later govern that data. Without that contract, the withdrawal claim will be a narrative rather than a verifiable property.
Two primary source traditions anchor the chapter. The first is the W3C PROV family, which provides a general model of entities, activities, and agents, and relations such as generation and use, as the basis for exchanging provenance across systems. The second is the database lineage tradition, formalized for warehousing transformations by Cui and Widom, which treats lineage as something that must be computed relative to transformation semantics, often requiring an explicit inverse mapping of how outputs depend on inputs. The contemporary data engineering world adds a third, practical articulation in OpenLineage, an event based specification that models jobs, runs, and datasets and communicates lineage by emitting standardized events at runtime and at design time.
A withdrawal ready lineage graph must join these traditions. It must preserve the conceptual clarity of PROV, the semantic rigor of database lineage, and the operational concreteness of event based lineage capture. If it fails any of the three, it will either be too abstract to be executable, too narrow to be portable across platforms, or too informal to survive dispute.
Why lineage cannot be optional annotation
In the warehousing lineage literature, lineage is not a marketing claim but a definitional problem: given an output produced by some transformation, determine which parts of the inputs contributed. Cui and Widom describe lineage tracing for general warehouse transformations and show that tracing often requires transformation specific knowledge, operationalized through an inverse or weak inverse that relates outputs back to the relevant inputs. The moral importance of this for withdrawal is immediate. If a system does not know how an output depends on an input, it cannot know how to remove the input’s influence without either over deleting, which can destroy legitimate records and accountability, or under deleting, which preserves residue while claiming withdrawal.
Organizations frequently attempt to solve this by collecting descriptive metadata. They require teams to fill in source fields, to document pipeline diagrams, to record a destination table, to tag a dataset with a product name. None of this is useless, but none of it is lineage in the sense required for withdrawal. It is a description of intent, not a record of dependence. It is also rarely versioned in a way that corresponds to what actually ran. When governance later asks, after a withdrawal request or a dispute, which run produced which output using which version of code and which inputs, descriptive metadata often cannot answer, because it is written for humans and updated irregularly, while pipelines run continuously.
This is why the OpenLineage model is instructive, even when one does not adopt the specification wholesale. OpenLineage treats lineage as a stream of events about job runs and datasets, emitted as jobs execute and as job metadata is declared. In other words, it treats lineage as operational telemetry, not as an after action diagram. That shift is what makes lineage a substrate for evidence. A governance regime that relies on diagrams will always lose to time. A regime that relies on events can, at least in principle, reconstruct what happened.
The minimum graph that withdrawal requires
The phrase the lineage graph you actually need is not an invitation to maximalism. The failure mode of lineage initiatives is often bloat: a graph so large, so noisy, and so politically burdensome that it becomes an ignored warehouse of questionable fidelity. Withdrawal governance requires something narrower and stricter. It requires a minimal graph whose edges are defensible, whose nodes are versioned, and whose semantics align with the withdrawal questions that must be answered.
Start with PROV’s core insight. Provenance is information about entities, activities, and people involved in producing a thing, and it supports assessment of reliability and trustworthiness. A withdrawal ready lineage graph therefore needs entities that correspond to the things whose residues matter, activities that correspond to the transformations and movements that propagate those things, and agents that correspond to accountable roles and systems. But the generality of PROV is not enough. A withdrawal regime must be able to compute impacts under revocation, and that requires precise identity and version semantics.
OpenLineage offers a practical decomposition: jobs, runs, and datasets are the core nouns, and lineage is built by weaving together observations of many jobs that have input and output datasets. This provides a concrete implementable spine. A job is a logical transformation definition. A run is a specific execution instance. A dataset is an input or output object that can be named consistently across systems. Job run state updates communicate what happened at runtime, and job metadata updates communicate static lineage, such as declared inputs, outputs, and code location.
For withdrawal, the graph must refine these nouns in two ways.
First, it must distinguish logical identity from physical versions. A dataset is not one thing through time. A dataset has versions, partitions, snapshots, or materializations, and withdrawal often targets specific temporal slices. If the graph treats dataset identity as a single node, it will produce false impacts and will either over remediate or under remediate. In database lineage terms, granularity matters: lineage defined at a table level cannot support instance level withdrawal, and lineage defined only at a run level cannot support fine grained residue accounting. The exact granularity will vary by system, but the graph must represent it rather than hope it away.
Second, it must represent transformation semantics where it matters. The lineage literature shows that dependence is not always inferable from surface level structure. Cui and Widom’s approach requires transformation definers to specify a weak inverse for each transformation, precisely because the system cannot guess which inputs contributed to which outputs in arbitrary transformations. Withdrawal governance should internalize the same lesson: for certain classes of transformation, especially those that collapse many records into aggregates or learned representations, one cannot rely on generic lineage edges alone. The graph must record the semantics of dependence at the level needed to support the declared withdrawal promise. Sometimes that semantics will be exact. Sometimes it will be bounded and probabilistic. In either case, it must be stated and versioned, because without that statement, the organization cannot honestly claim it knows what it must remediate.
A withdrawal ready lineage specification in prose
A useful way to state the required graph is to treat each lineage edge as a claim that must carry its own evidentiary payload. The organization is not merely building a map. It is building a ledger of obligations.
At minimum, the lineage graph must represent a run as an activity with a stable identifier, a start time, an end time or terminal state, and a link to the job definition that was executed, consistent with the event based run cycle model in OpenLineage. The job definition must itself be versioned, because a job name without a code reference is a narrative, and narratives cannot be audited. OpenLineage explicitly supports job metadata updates that can include location in source code and declared inputs and outputs, which are precisely the kinds of attachments that allow a lineage edge to be interpreted as more than an arrow.
Each run must then carry explicit relations to its input dataset versions and output dataset versions, not merely to datasets in the abstract, because withdrawal is applied to the material that actually moved, not to the conceptual name. Each such relation is, in PROV language, a use or generation relation between an activity and an entity. The lineage store must retain these relations in a form that can be queried for impact analysis and also replayed for evidence.
Crucially, each relation must be annotated with the dependency semantics the institution is willing to claim. For exact relational transformations, this may be expressed as a witness relation, a mapping, or a predicate that is mechanically derivable from the transformation definition. For complex transformations and especially for learned representations, the semantics may be expressed as bounded influence, such as membership risk bounds, memorization risk bounds, or retraining requirements, but the semantics must exist. This is the essential lesson of the warehouse lineage work: if the transformation is general, lineage tracing needs explicit inverse knowledge rather than hope.
The graph must also represent trust boundaries as first class constraints. A dataset edge that crosses into a vendor processor must not be stored as though it were just another internal movement. It must be recorded as a boundary crossing with an evidence obligation attached, because the institution cannot honestly claim withdrawal unless it can validate downstream action across that boundary. OpenLineage’s own ecosystem reflects this need for interoperability, with multiple platforms ingesting and displaying OpenLineage events through an API, which is a concrete example of how lineage must cross system boundaries to be useful. The point is not that one must adopt any particular vendor integration. The point is that lineage is a governance interface, and interfaces across trust boundaries must be testable.
Finally, the graph must represent agency in a way that supports accountability. PROV explicitly includes people and agents involved in producing data. For withdrawal, this does not mean a return to person tracking. It means recording which service, team, or responsible role owned the transformation, which policy or contract governed the flow, and which control objective was in force. If a withdrawal dispute arises, the institution must be able to show who had the authority to define the semantics and who had the obligation to execute the remediation. Otherwise the graph will exist but responsibility will still dissolve into procedure, and the organization will relapse into the liturgy of closure.
Runtime lineage versus design time lineage, and why both are needed
A common mistake is to treat lineage as either static dependency documentation or as runtime telemetry, and then to treat the chosen one as sufficient. Withdrawal governance needs both, because each answers a different failure mode.
Design time lineage, what OpenLineage calls job metadata updates, captures declared inputs and outputs and the code location or ownership of a job. This is necessary for governance because it creates a contract that can be validated before execution. It supports fail closed controls, meaning the system can refuse to run a job that lacks declared inputs, lacks a versioned code reference, or lacks a consent state mapping. Design time lineage is how one prevents future residue.
Runtime lineage, what OpenLineage expresses through run events and run cycle states, captures what actually happened during execution, including the concrete input and output dataset instances that were touched. This is necessary for evidence because what was declared is not always what occurred. Pipelines read unexpected partitions. Jobs are rerun with different parameters. Backfills touch historical slices. A lineage regime that relies only on design time declarations will generate confident but false proofs. A lineage regime that relies only on runtime telemetry will generate a reactive record of harm without preventing future harm. Withdrawal verification requires a closed loop between the two.
The deeper point is that withdrawal is both retrospective and prospective. It is retrospective because it must trace where something went. It is prospective because it must prevent future propagation under a changed consent state. The lineage graph must therefore support both historical reconstruction and policy enforced routing. This is why Section II treats lineage as infrastructure rather than as reporting.
The counterposition, and the restraint that makes lineage ethically stable
A serious counterposition holds that lineage graphs, if built aggressively, can themselves become an engine of surveillance and coercion. They can centralize power by making flows too visible to administrators, they can create new incentives to link identities, and they can become a mechanism by which institutions rationalize extraction under the banner of accountability.
This counterposition is correct to warn, and Part I already established why measurability is politically contested. The response is not to abandon lineage but to design it under restraint. Restraint here has a technical meaning: minimize person centered identifiers in the lineage store, prefer dataset and run identifiers over subject identity, and attach withdrawal obligations through controlled joins that are executed only for withdrawal operations and only with audited access. The lineage graph should be a record of what systems did, not a new warehouse of who a person is. The object of visibility should be the institution’s propagation machinery.
Restraint also has a governance meaning: lineage should exist to support verifiable withdrawal, not to expand optional observability. Every captured edge should answer a question the withdrawal regime actually needs to answer, and every captured facet should have an explicit purpose. OpenLineage itself emphasizes an extensible model through facets, which is powerful but also dangerous if used without constraint. A withdrawal ready lineage design must therefore govern extension. Extensions should be admitted only when they enable new evidence or new fail closed controls.
Closing the chapter and turning toward evidence
This chapter has insisted that the lineage graph you actually need is not the maximal graph you can collect, but the minimal graph that makes withdrawal computable and evidence bearing. It must represent jobs, runs, and dataset versions in a way that ties lineage edges to execution events. It must represent transformation semantics where dependence is not inferable. It must preserve trust boundary crossings as obligations, not as decorations. It must represent responsibility in a way that does not intensify capture. It must integrate design time contracts with runtime truth.
Chapter Seven will take the next step. A lineage graph, even a well formed one, can still be used to tell stories rather than to prove claims. Evidence is what prevents that drift. The next chapter will therefore define an evidence ladder and show why dashboards are insufficient, why attestations are weak, and why a residue ledger must be constructed as an append only record designed to survive institutional amnesia.
Chapter Seven: Evidence, Not Dashboards
The moral center of verifiable withdrawal is not the act of deletion alone but the ability to produce evidence that a skeptical, time constrained, and institutionally adversarial reviewer can validate without relying on your narrative competence. Dashboards are where organizations go to feel that they know. Evidence is where organizations go to accept that they can be wrong and still be governable. This chapter therefore tightens the conceptual bolt that holds the whole book together: withdrawal is not a promise, it is a property whose truth can be interrogated.
A dashboard is an interface for internal reassurance. It compresses complexity into a shape that leadership can tolerate and that teams can maintain. It is not useless. It can be necessary for operations. But dashboards are structurally hospitable to the central failure mode of contemporary governance, namely the substitution of visibility for accountability. Visibility is the sensation that something is being watched. Accountability is the condition in which someone else can prove that what you claimed is false. The difference is not philosophical. It is architectural. The difference is whether your system emits durable traces that preserve content and ordering, resist modification, and allow reconstruction of what happened by parties who do not share your incentives.
NIST makes this distinction explicit in the language of audit controls. An organization may implement audit record reduction and reporting, but the reduction mechanism must not alter the original content or the time ordering of audit records, precisely because the moment you allow the reporting layer to rewrite the record, you allow governance to become a presentation. The control is not a demand for better dashboards. It is a demand for non destructive summarization over a preserved substrate. In NIST’s formulation, the reporting capability must support on demand review and after the fact investigation, while not altering the original content or time ordering of audit records. The same document requires protection of audit information and tools from unauthorized access, modification, and deletion, and it treats immutable or tamper resistant strategies as legitimate enhancements, including hardware enforced write once storage and cryptographic integrity protection. These are not UI principles. They are epistemic principles expressed as controls.
Verifiable withdrawal inherits this logic but applies it to a harder object. Conventional auditability asks whether a system action occurred and whether it was authorized. Withdrawal verification asks whether the system’s downstream artifacts were actually affected, and whether the remaining residue has been measured and bounded honestly. This shift expands what counts as evidence. Evidence is no longer only an account of administrative action, such as ticket opened, ticket closed, job run, job succeeded. Evidence becomes an account of material change across a propagation graph.
This is why provenance cannot remain a narrative footnote. Provenance is a formal statement about entities, activities, and agents involved in producing a thing, and it exists because assessments of trustworthiness require more than a single assertion that something is true. In the withdrawal setting, provenance is not merely about how data was produced. It is also about how a deletion or isolation obligation is produced, how it is carried across systems, and how enforcement actions are linked back to a specific obligation with time correlated ordering.
The first design decision, then, is definitional. Evidence is not documentation. Evidence is a verifiable claim bound to an observable artifact whose integrity properties are defensible. That definition commits you to an adversarial stance toward your own outputs. It commits you to asking, before you build another status page, whether any independent assessor could use what you emit to reconstruct what happened in the presence of negligence, ambiguity, or malice.
To operationalize that stance, I use an evidence ladder. The ladder is not a maturity model intended to flatter. It is a disciplined way of speaking about what kinds of claims an organization can make without lying to itself.
At the lowest rung are assertions. An assertion is any statement that depends primarily on institutional trust. “We deleted the record.” “We removed it from training.” “Our vendor processed the request.” Assertions are not automatically false. But they have no intrinsic adversarial resilience. They are the first material of audit theater because they can be produced at negligible marginal cost.
The next rung is basic logging. Logs are better than assertions only if they are treated as governed records rather than as debug exhaust. NIST is explicit that audit records require careful handling, because audit trails can themselves create privacy risk, and because the reliability of an audit trail depends on time correlation and preservation of ordering within organizational tolerance. A log line that says “deleted user 123” is not evidence of deletion unless you can show what it targeted, what downstream jobs were triggered, what repositories were affected, and that the record has integrity protection against retrospective editing. When logs are mutable, they are narrative tools rather than evidence tools.
The third rung is controlled attestation. Here the system produces structured statements about what was executed, by whom, on which objects, at what time, under which policy. This is the beginning of evidence as a product. It is also the point at which many organizations stop and declare victory, because attestation feels formal. Yet attestation without integrity guarantees remains a higher status assertion.
The fourth rung is cryptographically bound integrity. NIST treats cryptographic mechanisms as a way to protect the integrity of audit information and tools, enabling verification through public key distribution while protecting the signing capability. In the withdrawal setting, cryptographic integrity is not about encryption as secrecy. It is about signatures as immutability, about hash chained event sequences, about non repudiation in the literal sense that you cannot plausibly deny that a specific event sequence was produced by your system under your keys. This rung does not make your governance good. It makes your governance falsifiable.
The fifth rung is reproducible reconstruction. At this rung, evidence supports a rebuild or a re evaluation that can reproduce the claimed state transition. A withdrawal claim becomes “given this deletion request identifier, this lineage graph, and these job manifests, you can re run the impact analysis and see why these nodes were targeted, then re run the deletion workflow in a controlled environment and verify that the state transitions match the ledger.” This is expensive. It is also where the ethics of withdrawal becomes credible because it becomes inspectable without a priesthood.
The sixth rung is differential testing. Instead of trusting that the right job ran, you test whether the post withdrawal world differs from the pre withdrawal world in the way your semantics promised. This is where model related withdrawal begins to escape marketing. You do not only say that you removed a user from a training corpus. You run a defined suite that seeks traces of membership or memorization and you publish the results as part of the evidence record. This rung is compatible with bounded honesty. You may show that risk decreased and that some residue remains.
The seventh rung is independent verification. Here, third parties or cross organizational assessors can validate inclusion, ordering, and immutability properties without trusting your infrastructure. The canonical example of an append only verification regime is Certificate Transparency. The RFC defines a log as a single ever growing append only Merkle Tree, and it describes how auditors can verify that a certificate associated with a signed timestamp actually appears in the log, with the log periodically signing a tree root. This is a profound governance pattern: the system is designed so that independent auditors can detect misbehavior without requiring privileged access to internal systems. It is the architectural opposite of dashboard culture.
This ladder is not prescriptive in the sense that every claim must reach the top rung. It is prescriptive in the sense that you must stop describing a rung as if it were higher than it is. Most organizations speak in the language of independent verification while operating at the level of assertion plus mutable logs. That mismatch is where residue multiplies. You have an obligation, if you claim to govern withdrawal, to name the rung you are on for each residue class and to price the gap.
This is where the Residue Ledger enters as a foundational object. I do not mean a marketing term. I mean an append only record whose primary purpose is to preserve the causal trace of propagation and withdrawal actions, in an ordering that can be audited after the fact, and under integrity protections that make retrospective rewriting detectable. The ledger is not a replacement for lineage systems. It is a binding substrate between lineage and enforcement.
The ledger needs three properties.
First, it must preserve ordering and content under reduction. NIST’s requirement that reporting not alter original content or time ordering is precisely the ethos we inherit. Your ledger can have summaries, rollups, and views. But the underlying record must remain a preserved sequence of events.
Second, it must be protected against unauthorized modification and deletion, including by privileged insiders who have incentives to erase embarrassing traces. NIST explicitly frames protection of audit information as protection from unauthorized access, modification, and deletion, with alerts on detection and with integrity enhancing strategies including write once media and cryptographic mechanisms. In withdrawal, insider threat is not an edge case. It is an expected governance pressure, because the easiest way to meet a service level objective for deletion is to declare success.
Third, it must be designed for cross boundary verification rather than only internal confidence. This is the lesson of transparency logs. The point is not that every withdrawal ledger must be globally public. The point is that the ledger should be structured so that you can grant verification capabilities without granting total access. Certificate Transparency shows that append only structures and signed roots can enable external checking of inclusion and consistency properties. A Residue Ledger for a company can adopt analogous techniques to make it possible for auditors, regulators, or even counterparties to verify that specific classes of withdrawal obligations were processed and that the evidence record has not been silently rewritten.
Once you accept these properties, the conversation about governance changes tone. You stop asking whether your dashboard shows green. You start asking what claims your evidence can actually support. This is where the chapter returns to the institutional stakes: the Residue Ledger is not a technical flourish. It is the organizational mechanism that makes amnesia harder.
NIST’s continuous monitoring guidance is helpful here because it explicitly frames the transition from compliance driven practice to data driven risk management, where monitoring enables ongoing insight into control effectiveness, and where reporting and response are part of a cycle rather than a one time exercise. The continuous monitoring mindset is not a call to instrument everything. It is a call to treat evidence production as a living capability whose relevance and accuracy must be regularly reviewed against risk tolerance and measurement correctness. If you apply that mindset to withdrawal, you get a governance system that does not wait for the next deletion incident to discover that your evidence is theatrical. You run withdrawal drills. You monitor deletion queues. You sample residue classes. You test whether the semantics you promised actually hold.
But there is an ethical trap here, and it is important to name it without melodrama. Evidence systems can become extraction systems. Audit trails can become surveillance trails. NIST acknowledges that audit trails can reveal personally identifiable information and may give rise to privacy risk, especially if trails record inputs or are based on patterns of usage. This is not a minor footnote. It is the central design tension of withdrawal governance: you need evidence strong enough to be trustworthy, while building evidence systems that do not create a parallel residue domain that becomes the next scandal.
The response is not to retreat to dashboards. The response is to build what I call minimized audit architecture. The principle is straightforward: evidence should be sufficient for verification, but non excessive relative to the claim. The ledger should store identifiers and hashes where possible rather than raw content. It should use controlled retention windows that reflect legitimate audit need rather than indefinite institutional anxiety. It should implement access controls that treat evidence repositories as high risk datasets, because they are. It should adopt the same withdrawal hooks it governs, so that when evidence itself becomes residue, the system can respond coherently rather than improvisationally.
This is where provenance standards provide conceptual discipline. Provenance is not a demand to collect everything. It is a demand to represent relationships between entities, activities, and agents in a way that supports assessment. In minimized audit design, you represent enough relationship structure to answer withdrawal verification questions, and you avoid retaining raw payloads that are not needed to validate those relationships. In other words, you preserve causal geometry while minimizing informational mass.
At this point, the reader may object that this sounds like an audit fantasy, that in real organizations the adversary is time, that engineers do not have the budget to build cryptographic ledgers for every deletion request. That objection is correct in a narrow sense and wrong in the sense that matters. The point is not maximal rigor everywhere. The point is honesty about where rigor is absent and a plan to allocate it where residue risk is highest. The evidence ladder is therefore also a budgeting tool. It tells you where you are spending credibility and where you are earning it. It allows a Withdrawal Review Board, which we will design later, to adjudicate tradeoffs explicitly rather than burying them in quiet exceptions.
If you want a single sentence that captures the ethic of this chapter, it is this: do not build a dashboard until you can answer, with evidence, what would convince your harshest reviewer that your withdrawal claim is true. Everything else is theater, even if it is well intentioned.
This completes Section II’s third movement, and it tees up the next chapter. Once you accept that evidence must survive adversarial review, you can no longer treat third parties as peripheral. Trust boundaries become the primary governance problem, because residue propagates across vendors, subprocessors, and shared infrastructure, and evidence breaks precisely where your control ends. Chapter Eight therefore turns to vendor processors and cross boundary withdrawal, treating third parties not as contractual footnotes but as structural constraints on verifiable withdrawal.
A council rating, for the purposes of our internal editorial discipline, is therefore straightforward: this chapter is a ten out of ten only if it forces the reader to stop confusing visibility with verification, and if it gives operators a precise vocabulary for grading their own claims without moralizing. On that standard, it is a ten out of ten, because it anchors withdrawal evidence in established audit control language, imports proven transparency log architecture as a governance pattern, and names the privacy hazard of evidence itself as a design constraint rather than as an afterthought.
Chapter Eight
Trust Boundaries and Vendor Processors
The moment you name a vendor, you have drawn a boundary that is simultaneously technical, legal, and epistemic. In pipeline diagrams this boundary is often rendered as a box labeled with a product name, a region, and a service level objective. In governance language it is rendered as a contract exhibit, a data processing addendum, a list of subprocessors, and a set of audit rights. In operational reality it is a transformation of responsibility: the system remains yours, the risk remains yours, and the evidence burden becomes harder because the most consequential operations now occur where you do not have direct visibility. NIST states this bluntly in its supply chain risk guidance: outsourcing reduces the acquirer’s visibility into and management of outsourced functions, which means increased rigor in defining requirements, monitoring delivered services, and evaluating compliance, while accountability remains with the acquirer.
This chapter argues that verifiable withdrawal fails most often at these boundaries, not because vendors are uniquely malicious, but because organizations treat boundaries as procurement artifacts rather than as accountability geometry. The residue ledger, if it is serious, must therefore treat vendor processors as first class nodes in the propagation graph, with explicit trust assumptions, explicit test surfaces, and explicit evidence interfaces. If the residue ledger is an institutional promise to tell the truth about where data and derived artifacts went, then vendor processors are where that promise is easiest to falsify without anyone having to lie. The boundary creates a convenient alibi: we asked for deletion, the vendor said yes, and the ticket closed. That is the liturgy you are here to dismantle.
- The boundary is not the vendor. The boundary is what you cannot prove.
To call something a trust boundary is not to moralize it. It is to identify the place where you stop being able to directly validate control effectiveness and begin relying on representations. NIST’s control for external system services requires that providers comply with organizational security and privacy requirements, that oversight roles be defined, and that processes be employed to monitor control compliance on an ongoing basis. The point is not the bureaucratic phrasing. The point is the epistemic shift: the organization has no direct control over the implementation or assessment of required controls, so it must establish and document a chain of trust and then monitor that relationship.
In withdrawal terms, a trust boundary is any place where a withdrawal request becomes a message rather than an action, and where the confirmation becomes a claim rather than a proof. Some organizations respond to this by collecting more attestations. Others respond by collecting more dashboards. Both are usually forms of self soothing. The correct response is to build verification surfaces that survive adversarial interpretation. NIST’s assessment guidance is explicit that control assessments are not about checklists, pass or fail theater, or paperwork to satisfy audits, but about verifying that controls are implemented and meeting stated objectives. Verifiable withdrawal inherits this stance: evidence is not a file you store to end a conversation. Evidence is an artifact that changes what can be rationally believed about a system’s state.
A useful discipline here is to translate every vendor promise into a question of falsifiability. If the vendor says, “We delete within thirty days,” then what observable artifact would prove that deletion occurred for a specific identifier and also prove that the deletion was not selectively performed only in the systems that are easiest to surface. If the vendor says, “We do not retain derived data,” then what measurement would detect embedding retention, feature retention, or log retention that functions as a shadow store. If the vendor says, “We do not use customer data to train,” then what evidence would distinguish training from evaluation, from debugging, from safety filtering, from caching, from red team corpora. Your ledger is not a museum of promises. It is a machine for turning promises into bounded truths.
- The legal boundary is a control surface, not a moral shield.
In many jurisdictions, the controller processor distinction is treated as a compliance taxonomy. In a residue centered framework it becomes an architectural statement: some systems decide purposes and means, and some systems process on behalf of those decisions. The General Data Protection Regulation is clear that processing by a processor must be governed by a contract or other legal act that binds the processor to the controller and specifies subject matter, duration, nature, purpose, types of data, and obligations. It is also explicit that the processor acts only on documented instructions, ensures confidentiality, supports appropriate security measures, and provides information needed to demonstrate compliance, including allowing and contributing to audits.
The most important move is to treat this legal requirement as a blueprint for evidence interfaces. “Allowing and contributing to audits” is not a right to receive a PDF. It is a right to compel testable visibility into the claims that matter. In residue terms, audits must include the ability to validate deletion semantics, retention semantics, and subprocessor propagation semantics. The contract is not the proof. It is the instrument that makes proof demandable.
You can now see why the processor boundary is where verifiable withdrawal either becomes real or becomes fiction. If the vendor contract does not require auditable deletion hooks and auditable lineage exports, then the residue ledger will necessarily contain gaps that you cannot close after the fact. Those gaps will be treated as exceptions, and exceptions are how systems normalize dishonesty without ever speaking a false sentence.
- Subprocessors are not a list. They are a propagation multiplier.
Most organizations maintain a subprocessor list as a compliance display. In a residue ledger, the subprocessor list is a dynamic expansion of the lineage graph. Every additional processor increases propagation depth, increases the number of places residue can persist, and increases the cost curve of remediation later. NIST’s supply chain guidance emphasizes that outsourcing reduces visibility and therefore requires increased rigor in stating requirements and monitoring compliance. The same passage also acknowledges an uncomfortable reality: demanding transparency from suppliers has cost implications and can reshape procurement choices. This is not a reason to avoid transparency. It is a reason to model withdrawal readiness as a procurement primitive and to price it deliberately rather than pretending it is free.
Here the residue ledger must do something that feels culturally unfamiliar to many legal and procurement teams: it must treat vendor selection as selection of a verification regime. If a vendor cannot produce verifiable lineage exports, verifiable deletion receipts, and verifiable subprocessor propagation maps, then the vendor is not simply risky. The vendor makes your system epistemically incapable of telling the truth about withdrawal. That is a categorical design failure. In NIST’s language, the acquirer remains accountable for risk regardless of who performs services. In your language, accountability includes the obligation to not purchase opacity.
- Evidence interoperability is the only scalable audit right.
Audit clauses fail in practice because they are expensive, adversarial, and rarely invoked until after harm. Verifiable withdrawal requires a different posture: routine, low friction, machine readable evidence exchange. This is where provenance standards become more than academic niceties. The W3C’s PROV family defines provenance as information about entities, activities, and people involved in producing a piece of data or thing, enabling assessments of quality, reliability, and trustworthiness, and aims at interoperable exchange in heterogeneous environments. That is exactly the kind of semantic backbone a multi vendor residue ledger needs. You are not trying to standardize all vendor internals. You are trying to standardize the minimal set of claims that must be externally provable: what entity flowed, what transformation occurred, what agent or system performed it, when it happened, and what derived artifacts were generated.
In practice, this means your vendor requirements should include a lineage export interface whose semantics are stable and whose payload is sufficient to reconstruct propagation paths relevant to withdrawal. It also means the exports must support the “provenance of provenance” problem: you need to know not only what the vendor says happened, but what instrumentation produced that statement, what coverage it has, and what blind spots remain. PROV explicitly supports describing entities, activities, agents, and derivations, and provides mechanisms for bundling provenance about provenance. This is not optional sophistication. Without it, vendor lineage becomes a new genre of marketing.
A parallel effort exists in operational lineage for data pipelines, for example the OpenLineage initiative, which aims to standardize lineage and metadata collection for jobs and datasets in running systems. You do not need to commit to a specific ecosystem in this chapter. You need to commit to a principle: evidence must be exchangeable, not manually curated.
- Deletion receipts must be designed like public logs, not like customer support tickets.
The deletion confirmation email is the ritual object of modern privacy theater. It is also nearly useless as evidence, because it is not cryptographically bound to an auditable state transition, it is not linked to specific storage strata, and it is not falsifiable without extraordinary access. The residue ledger demands a different object: a deletion receipt that is verifiable, queryable, and consistent across time.
One proven pattern for making claims publicly auditable is the transparency log. The Certificate Transparency protocol was designed to publicly log the existence of security certificates so that anyone can audit issuance activity and audit the logs themselves. The deeper idea is not about certificates. It is about designing an evidentiary system where a promise can be checked later, where inclusion can be proven, and where equivocation can be detected. Earlier versions of the transparency work describe how Merkle tree constructions can support proofs that later log states contain earlier ones and can detect attempts to present conflicting views. You should import this pattern into withdrawal without importing its entire public visibility model. Many deletion events cannot be public. But the log semantics can be: a vendor can maintain an internal evidence log that only grows, produces signed checkpoints, and supports proofs of inclusion for specific deletion events. The controller can receive those checkpoints and proofs as ledger artifacts.
If you do this, you transform the vendor conversation. The question is no longer “Did you delete,” answered by a support agent. The question becomes “Provide an inclusion proof that this deletion event was recorded under this identifier and that the log state you present is consistent with prior checkpoints.” You still must address whether the deletion event reflects meaningful deletion semantics. But you have at least built a mechanism that resists casual fabrication.
This is the heart of verifiable withdrawal at a trust boundary: move from assertion to structured proof, and from one time communication to a continuity of evidence.
- A vendor boundary must come with explicit withdrawal semantics.
Vendors often offer deletion, but they rarely specify what deletion means across the strata that matter to residue. Your ledger must require that vendors declare, in advance and in auditable form, which deletion semantics they provide for each residue class. When NIST describes external services, it emphasizes service level agreements that define expectations, measurable outcomes, and remedies for noncompliance. Withdrawal semantics belong in that measurable outcome layer. If the vendor provides key revocation but not physical deletion within backups, then that is one semantic. If the vendor provides hard deletion in primary stores but retains derived aggregates, that is another. If the vendor retains logs for security reasons, that is another. The goal is not purity. The goal is to avoid the lie where “deleted” means “made inconvenient.”
You should therefore require a vendor to publish a withdrawal semantics statement that is stable, versioned, and referenced by every deletion receipt. When the vendor changes its retention architecture, the semantics statement must change and the ledger must record the version boundary. This is governance as systems engineering: you are binding claims to specific architectures so that audits do not devolve into philosophical debates.
- Monitoring must be ongoing, because drift is inevitable.
If you treat vendor assurance as a one time onboarding event, you have already failed. NIST’s control language explicitly requires ongoing monitoring of control compliance by external service providers. NIST’s supply chain guidance similarly frames monitoring and evaluation as continuous obligations under reduced visibility. In withdrawal terms, “ongoing” means at least three things.
First, periodic evidence refresh. Deletion receipts and lineage exports must be sampled and validated, not merely stored. Second, drift detection. If a vendor adds a new subprocessor, changes region replication, changes cache retention, or changes logging, your withdrawal cost curve changes. Third, adversarial testing. The controller must run tests that attempt to detect memorization, retention, or policy bypass in vendor systems where applicable, because trust boundaries are also where unintended behavior persists longest.
This is where the residue ledger becomes an operating system for governance rather than a reporting layer. It tells you when a vendor’s evidence coverage decreased. It flags when a deletion receipt is missing required proof artifacts. It triggers review when a subprocessor was added without a corresponding lineage integration. It is not a dashboard of compliance. It is a machine for refusing epistemic comfort.
- Supply chain governance must be team based, because the boundary crosses disciplines.
Vendor boundaries are where legal, security, privacy, engineering, procurement, and business incentives collide. NIST’s supply chain controls call for coordinated processes and documentation of supply chain controls and for a coordinated team approach to identify, assess, and manage supply chain risks. This matters because withdrawal is not purely technical. You can build deletion APIs and still fail if procurement cannot enforce evidence clauses, if legal cannot insist on audit rights that include technical tests, or if engineering cannot budget the operational cost of continuous verification.
This is why the residue ledger requires an institutional owner that is not merely compliance and not merely platform engineering. It requires a governance function that can hold line on evidentiary standards while also managing the cost implications that NIST explicitly acknowledges when transparency demands increase supplier costs. This is the point where your book’s thesis becomes practically sharp: withdrawal is not only a moral claim. It is an economically explicit property. Vendor trust boundaries are where that economics becomes visible.
- The boundary is where your system learns humility, or learns to lie.
A final insistence. The purpose of this chapter is not to demonize vendors. It is to remove the convenient fiction that delegation dissolves responsibility. NIST makes the accountability claim explicit for external services. The GDPR makes it explicit by binding processors contractually to controller instructions and by requiring processors to support compliance demonstration. Your residue ledger makes it explicit by turning every boundary into a proof obligation.
If you embrace that discipline, you can build vendor relationships that are less adversarial and more precise, because both parties know what must be provable. If you refuse it, the organization will drift back into the liturgy of “we deleted it,” and the ledger will become a decorative artifact that records closure rather than truth.
Section II ends here because you now have the conceptual and infrastructural scaffolding for withdrawal across trust boundaries: requirements, provenance semantics, evidence interoperability, and ongoing monitoring. Part III begins next, where we move from infrastructure to mechanisms, and we ask the harsher question: what does removal mean in specific technical domains once we stop treating “delete” as a single verb and start treating it as a family of threat model dependent actions.
Chapter Nine: Deletion, Isolation, and the Semantics of Removal
A withdrawal request enters most organizations as a sentence. “Delete my data.” “Remove my record.” “Do not use this for training.” In intake, this reads like a single act with a single end state. In systems, it is never a single act, because information is not one thing and “removal” is not one meaning. Data lives as bytes on media, as rows in databases, as cached replicas, as logs, as aggregates, as learned parameters, as indexes, as backups, as exports sitting on laptops, and as contractual shadows in vendor processors. A withdrawal regime that treats removal as a unitary verb will either fail quietly or lie loudly.
This chapter is therefore about semantics, because semantics are where ethics becomes testable: what exactly do we mean by deletion, what are the distinct families of removal we can perform, what threat model does each family satisfy, and what evidence can convince an adversarial reviewer that the system did what it claimed. My claim is not that every residue can be erased. My claim is narrower and harsher: a mature institution is defined by its ability to name which kind of removal it is performing, to bind that choice to a threat model, and to produce evidence that is commensurate with the promise. Anything else is the liturgy of “we deleted it,” dressed up as engineering.
The first discipline, then, is to stop calling everything deletion. NIST’s media sanitization guidance is instructive precisely because it refuses the fantasy of a single technique. It distinguishes families of sanitization actions according to the assurance they provide against different adversaries, and it ties those actions to verification requirements rather than to slogans. It also makes explicit that some media and architectures render naive overwriting insufficient, and that cryptographic erase is itself a method with conditions and verification expectations, not a magical incantation.
That NIST posture is a template for withdrawal semantics at the system level. In what follows, I treat “removal” as a controlled vocabulary with several legitimate meanings. Each meaning has its proper domain, its failure modes, and its evidentiary burden.
9.1 Hard deletion is a storage claim, not an institutional claim
Hard deletion is the narrowest semantics: the system removes a specified representation of information from a specified storage location such that routine retrieval no longer returns it, and, depending on the medium, the underlying bits are cleared, purged, or destroyed with an assurance level matched to the threat model. This is where most teams stop, because it is the only semantics that maps neatly to a ticket and a query.
But even in the narrow storage sense, hard deletion is not a universal operation. On some media, overwriting may not sanitize data in unaddressable regions or in remapped physical blocks; on some devices, the practical sanitization techniques include device supported sanitize commands, block erase, or cryptographic erase, and each option has its own verification expectations. NIST’s treatment of flash based storage is a quiet rebuke to the folk belief that “overwrite equals gone,” and it demonstrates why deletion semantics must be keyed to storage realities rather than to compliance theater.
This is also the first place where verifiable withdrawal diverges from performative withdrawal. A team that says, “We ran a delete,” has asserted an action. A team that says, “We performed a purge equivalent removal on encrypted media by cryptographic erase, and we validated that the operation completed successfully before applying any additional techniques,” has made a claim that can be audited, challenged, and reproduced.
Two consequences follow. First, hard deletion is always scoped: it attaches to a representation, a location, and a time. Second, hard deletion never by itself settles the institutional question of residue, because it cannot speak to derived artifacts, replicated caches, vendor shadows, or learned influence. If the organization treats hard deletion as synonymous with withdrawal, it will keep producing a residue ledger with blank columns.
9.2 Tombstoning is not deletion, it is a distributed promise about time
Many systems cannot delete immediately without breaking their own consistency guarantees. Under replication, eventual convergence, and partial failure, “delete now everywhere” is often not implementable as an atomic fact. Instead, systems represent deletion as a marker that dominates prior writes and allows replicas to converge on the absence without resurrecting stale values. In practice, this takes the form of a tombstone: a metadata record that says, in effect, “this key is deleted as of this logical time.” The point is not the elegance of the mechanism. The point is the semantic gap between “tombstoned” and “erased.”
A precise statement of that gap appears in Paolo Viotti’s treatment of the Hybris protocol. Deleting a value creates a metadata tombstone to preserve monotonicity and authoritative ordering, and the deleted values are only “eventually removed” from stores through normal garbage collection. This is not a bug. It is a design choice required by the system’s truth conditions about time.
Here the ethical stakes sharpen: tombstoning is a removal semantics whose core promise is about future behavior, not immediate erasure. It promises that the system will not return the deleted value, and that replicas will converge on its absence, but it often leaves the bytes physically present for some period and sometimes indefinitely in backup strata. A withdrawal regime that calls tombstoning “deletion” is making a claim about physical residue that the mechanism does not necessarily satisfy.
So the institutional duty is to name tombstoning accurately, bind it to a clearly stated time horizon, and attach it to a garbage collection and backup expiry story that is itself governed. If the organization cannot state the maximum time a tombstoned value can survive in any retrievable form across its storage tiers, then it cannot claim verifiable withdrawal. It can only claim that it changed the system’s read semantics for the moment.
9.3 Cryptographic erasure is key destruction plus governance of keys
In many architectures, the only scalable way to make stored data unrecoverable is to render the decryption keys unavailable. This is the logic of assured deletion systems: encrypt data, separate encryption keys from storage, and make deletion equivalent to revoking or destroying the keys that enable recovery.
The FADE design makes the intention explicit: it aims to “assuredly delete” files by making them unrecoverable upon revocation of file access policies, using cryptographic techniques as the substrate of deletion. The aim is not just confidentiality during storage, but unrecoverability after policy driven revocation.
NIST’s media guidance likewise treats cryptographic erase as a legitimate sanitization method when encryption is in place and when the device and implementation satisfy conditions that make key destruction equivalent to sanitization. It also insists on verification as part of the method rather than as an afterthought.
For withdrawal semantics, cryptographic erase is not a synonym for “we rotate keys sometimes.” It is a controlled operation with at least four required commitments.
First, key scope must match residue scope: per object, per tenant, per dataset, or per training shard. Broad keys create broad blast radius, and they convert withdrawal into a service wide outage or, more commonly, into a refusal to honor deletion because the cost is too high.
Second, key lifecycle must be governed as evidence. If the institution cannot prove when a key existed, who could access it, when it was revoked, and that the old key material is not recoverable through backups or escrow paths, then “crypto delete” is an assertion without an audit trail. The deletion verb has moved from the data plane to the key plane, but the evidentiary burden has not disappeared.
Third, cryptographic erase has a nontrivial remainder: plaintext exposures that occurred before encryption, decrypted caches, logs containing derived or raw values, and exports that escaped the trust boundary. Crypto delete is powerful precisely because it is narrow. It makes a stored ciphertext unrecoverable, not a broader ecosystem pure.
Fourth, the institution must treat key destruction as an operation whose misuse is catastrophic. NIST’s control catalog, in its audit protection controls, repeatedly foregrounds the need for cryptographic protection, separation of duties, and dual authorization for actions that can delete or manipulate records in ways that undermine accountability. That posture applies to key destruction because keys are now deletion power.
The consequence is simple: cryptographic erase can be the most auditable and scalable removal semantics, but only if the organization governs keys as withdrawal infrastructure rather than as an implementation detail.
9.4 Isolation is removal from access, not removal from existence
Sometimes the honest semantics is not deletion at all. Sometimes the system cannot safely delete because it would destroy accountability, break safety obligations, or invalidate regulated records. Sometimes deletion would be technically disproportionate relative to the threat model, while isolation would meaningfully reduce harm. Sometimes the system must retain certain traces for security investigations, fraud prevention, or legal duties, but it can and should prevent those traces from being used for personalization, training, or secondary purposes.
Isolation is the semantics of removal from use. It includes revoking access, changing authorization boundaries, moving data to quarantined stores with tightened controls, and enforcing purpose binding at runtime. Isolation is not a consolation prize. It is often the correct semantics for a defined threat model, particularly when the central risk is future misuse rather than present recoverability.
What matters is whether isolation is enforceable and whether it can be proven. In verifiable withdrawal terms, isolation requires two things: a policy mechanism that is difficult to bypass, and evidence that the policy is actually being enforced in the pipelines that matter. If “isolated” data can still be joined in analytics, pulled into feature stores, copied into sandboxes, or swept into training corpora, then isolation is an aesthetic label that has not altered propagation.
This is one of the points where law and engineering must speak to each other without mutual dishonesty. The right to erasure in the GDPR, for example, is not written as a naive guarantee that every trace in every context must vanish instantly. It is framed as an obligation to erase personal data under specified conditions, with attention to feasibility and cost when informing other controllers of the request, and it also enumerates exceptions where retention is necessary for legal obligations or public interest tasks. The structure implies what engineers already know: withdrawal semantics must be conditional, scoped, and justified, and the justification must be inspectable rather than rhetorical.
An institution can therefore legitimately say, “We are performing isolation rather than deletion for this residue class because deletion would compromise regulated accountability, and here is the precise enforcement boundary and the evidence we generate to show that training ingestion, personalization services, and ad targeting all exclude the isolated class.” That is a defensible claim. The problem is when the institution says “delete” while doing isolation, because it wants the moral glow of erasure without paying the operational cost of truth.
9.5 Re encryption is migration, and migration is where residue often multiplies
Re encryption sounds like deletion’s ally: rotate keys, re encrypt data under a new key, and render old exposures inert. In practice, re encryption is frequently a residue generator because it induces copying, staging, retries, and rollback paths. It creates time windows where multiple encrypted versions exist, and it often leaves behind old blobs in backups, caches, and replication queues. It also complicates provenance because lineage must now track key epochs and transformation events as first class facts.
If cryptographic erase is key destruction, re encryption is key transition. The semantics is not removal but containment and forward security. It is powerful, but it must be treated as a pipeline with its own evidence obligations: which objects moved, which did not, what failed, what was retried, what remained under old keys, and what deletion commitments attach to the deprecated ciphertext.
In withdrawal terms, re encryption becomes relevant in two cases. The first is when a compromise event demands rapid containment and future protection. The second is when a withdrawal program is maturing and the institution is narrowing keys from coarse scope to fine scope in order to make future withdrawal cheaper. In the second case, re encryption is the preparatory work that turns future deletion from a heroic incident into a routine operation. The key point is that this preparatory work must itself be tracked in the ledger, because otherwise the organization will not know which residue class it created while trying to reduce another.
9.6 A decision procedure that an auditor can understand
At this point, the temptation is to turn semantics into a menu, as if teams can pick “delete” versus “isolate” based on taste. Verifiable withdrawal demands something sterner: a decision procedure that binds a residue class to a removal semantics via an explicit threat model and an explicit evidence pattern.
The procedure begins with the residue class taxonomy already established in Part One. For direct copies in controlled stores, hard deletion with media appropriate sanitization may be correct, and NIST’s distinctions among clear, purge, and destroy provide a vocabulary for the assurance level. For replicated data under eventual consistency, tombstoning may be an unavoidable first step, but it must be paired with governed garbage collection and backup expiry; otherwise the semantics is “will not return” rather than “removed.” For encrypted objects in commodity cloud stores, cryptographic erase may be the most reliable way to make ciphertext unrecoverable, but only if keys are scoped, revocation is real, and key lifecycle evidence exists. For audit logs and accountability traces, the institution may need isolation plus strong protections against unauthorized deletion, and NIST’s audit protection controls explicitly foreground cryptographic integrity protections, restricted privileged access, and dual authorization for deletion related actions, which is a direct reminder that “withdrawal” can become “cover up” unless evidence is protected.
The decision procedure then forces an economics question that is also an ethics question: what time horizon is promised, what is the marginal cost of fulfilling it, and what cost is the institution willing to bear to prevent harm rather than to settle claims after harm occurs. That economics is not a later chapter add on. It is already embedded in the semantics, because a system that can only delete at heroic cost will drift toward symbolic deletion as a social compromise.
Finally, the decision procedure ends where auditors live: evidence. Each semantics has its proof form. Hard deletion requires verifiable execution records and, in some cases, sampling verification. Tombstoning requires proof of read path exclusion plus proof of garbage collection and backup retention behavior. Cryptographic erase requires key revocation evidence plus proof that old key material is not accessible through recovery paths. Isolation requires enforcement telemetry showing exclusion in the pipelines that matter, not only in the database. Re encryption requires migration accounting that tracks what is now under the new key epoch and what is not. The principle is that removal semantics without an evidence form is a moral claim dressed as an operational statement.
9.7 The dangerous confusion: privacy deletion versus accountability deletion
One of the sharpest confusions in modern governance is the conflation of privacy deletion and accountability deletion. Privacy deletion is intended to reduce future misuse and reduce harm from retention. Accountability deletion destroys records that make power answerable. A withdrawal regime that cannot distinguish these will either produce surveillance permanence in the name of safety or produce institutional amnesia in the name of privacy.
This is why audit protection controls matter in a book about withdrawal. NIST is explicit that audit information requires cryptographic integrity protection, restricted access to audit management, and even dual authorization for deletion related actions, precisely because deletion can be weaponized as an evasion tactic.
The implication for verifiable withdrawal is not that we should retain everything. It is that we must treat deletion power as governed power. Withdrawal must be structured so that a person can reduce unnecessary exposure and secondary use, while the institution remains unable to erase the traces that are necessary for contestability, safety, and justice. In later chapters, this becomes the design challenge of “minimized audit”: enough evidence to prove compliance and detect abuse, not so much evidence that audit becomes a second extraction engine. But the conceptual seed is here: deletion semantics are inseparable from institutional power.
9.8 Closing the chapter: what this changes about the Residue Ledger
Chapter Seven introduced the Residue Ledger as an append only institutional memory of propagation and withdrawal actions. Chapter Nine specifies what must be recorded in that ledger if it is to be more than a dashboard.
For every withdrawal action, the ledger must record the semantics performed, the scope of the action, the threat model it is claimed to satisfy, and the evidence artifacts produced. “Deleted” is not a ledger entry. “Cryptographic erase performed for object set S under key epoch K, with revocation event R and verification V, and with documented exclusions E for caches and logs” is a ledger entry. “Tombstone written at logical time T, read path exclusion confirmed, garbage collection window W, backup retention policy P, and purge completion attested at time U” is a ledger entry. “Isolation policy applied with enforcement boundary B, verified by pipeline telemetry suite Q, and with explicit statement of remaining residues” is a ledger entry.
This is the hinge between Section Two and Part Three. Chapters Five through Eight built the accountability geometry. Chapter Nine now turns that geometry into a semantics discipline that can survive contact with storage systems, distributed time, and institutional incentives. We can now say, without mysticism, what it would mean for a system to make withdrawal non fictional.
In Chapter Ten, I move from semantics to the most common propagation engine in contemporary organizations: feature reuse. If Chapter Nine is about the meaning of removal, Chapter Ten is about why removal is rarely local once teams start building on each other’s derived representations.
Chapter Ten
Feature Stores and the Tyranny of Reuse
A feature store is often introduced as a convenience layer. It promises that teams will stop rederiving the same features, stop shipping inconsistent transformations between training and serving, stop losing time to ad hoc pipelines, and stop rearguing what a feature means every time a new model arrives. Uber’s own description of Palette, their feature store inside Michelangelo, begins from this operator pain: it is hard to identify good domain features, hard to build pipelines to generate them, hard to compute them in real time, hard to guarantee that training data matches scoring data, and hard to monitor features once they are deployed. Palette is positioned as the relief: a curated and internally contributed repository of features, with automated pipelines for generation and dissemination, supporting batch and near real time computation and enabling teams to reuse pruned features maintained by other teams under access restrictions.
This chapter accepts the value proposition and then turns it inside out. Reuse is not only an efficiency strategy. Reuse is a moral multiplier. The feature store is a propagation engine that converts one upstream decision about data into many downstream dependencies, and it does so precisely by making reuse easy and socially legitimate. The danger is not that feature stores exist. The danger is that they become the most successful mechanism ever invented for turning local data obligations into systemic residue.
If Chapter Nine disciplined the language of removal, Chapter Ten disciplines the language of reuse. It argues that every feature in a store is a derived artifact whose obligations are inherited, transformed, and amplified, and that the institution cannot claim verifiable withdrawal unless it can answer, with evidence, three questions that feature reuse makes unavoidable. First, which models and services have consumed this feature, and when. Second, what upstream sources and consent states the feature depends on, including the temporal logic of those dependencies. Third, what happens when an upstream withdrawal request arrives after the feature has already been materialized, replicated, and used as a decision basis in production.
The engineering world built feature stores to standardize workflow and reduce the friction of feature management across the model lifecycle. Orr, Sanyal, Ling, Goel, and Leszczynski describe feature stores as systems developed to manage and standardize the end to end engineer workflow around feature data, training, deployment, and monitoring, and they explicitly locate the origin in industrial experience, including the claim that a subset of the authors built one of the first industrial feature stores in 2017. Their larger point is that feature management is not a side task; it is the substrate of reproducibility and maintenance in production machine learning.
That same standardization is what creates the governance trap. Standardization makes features legible and portable. Portability makes features reusable. Reuse makes features infrastructural. Infrastructure makes features hard to withdraw, because it makes them socially and technically expensive to disturb.
Reuse changes the unit of responsibility
In a naive pipeline, a model team owns its features. The lineage graph is short and the blame path is, at least in theory, traversable. In a feature store regime, the feature becomes a shared dependency whose production pipeline may be owned by one team, whose semantics may be partly social and partly encoded, whose consumers may span dozens of models, and whose effect on downstream decisions may be diffuse. The more the store succeeds, the more it shifts responsibility from “this model used this dataset” to “this ecosystem reused this feature.” It is not an accident that the Uber Palette description emphasizes crowd sourced features and reuse across teams; it is describing an internal market in which features circulate as a common good.
Hopsworks’ feature store paper makes the same point in more formal terms by foregrounding centralization and reuse as core capabilities. It reports the industrial observation that features are widely reused across many models and ties the benefits of reuse to quality scrutiny, reduced storage and operational costs, and the fact that models that reuse features do not need new feature pipelines. It then builds an architecture whose purpose is precisely to compute once and reuse across multiple models.
The ethical cost of that success is that withdrawal no longer attaches cleanly to a model. A withdrawal request that implicates an upstream source must now be reasoned about at the feature level, because a single feature can be a shared derived artifact that flows into many models and services, and those models may have their own persistence layers, caches, and logs. The feature store becomes the first place where “consent is treated as an event while harm is produced as propagation” becomes operationally concrete.
This is why Chapter Ten is not a general celebration or critique of feature stores. It is a narrow argument that a feature store can only be ethically operated under a withdrawal regime if it is treated as a governed dependency graph whose nodes are obligation bearing objects. The store must therefore carry not only feature values, but also a machine checkable representation of the obligations attached to those values and the evidence required to prove that those obligations are being honored.
The feature store as the institutionalization of derived artifacts
A feature is rarely raw data. It is computed, normalized, bucketed, aggregated, joined, windowed, lagged, smoothed, and shaped into a representation that a model can use. This shaping is typically justified as a technical step, but it is also an act of institutional imagination. It decides what counts as signal and what is treated as noise. It decides what temporal window defines relevance. It decides which relationships are made visible through joins and which are ignored. It decides which categories become stable objects in the system.
Because the feature store makes these representations portable, it effectively institutionalizes the feature as a stable fact, and it incentivizes others to treat it as authoritative. A feature that was originally crafted for one task begins to travel. It is pulled into adjacent use cases because it is available. It becomes a default input because it is documented and tested. It begins to feel like infrastructure rather than like a choice.
This is the tyranny of reuse. It is not coercion by command. It is coercion by default. The system invites reuse and then punishes deviation. Teams stop building bespoke features not only because it is faster to reuse, but because the social and operational environment evolves such that reuse is treated as maturity. Over time, the feature store becomes a memory palace of institutional decisions that are difficult to revisit.
The withdrawal consequence is severe: the more a feature becomes infrastructural, the more expensive it becomes to change or remove, and the more the institution will be tempted to treat withdrawal as an isolation semantics in the read path while leaving the underlying propagation untouched. Chapter Nine already named the semantic danger: the organization says “deleted” while performing something closer to “no longer served,” because it cannot afford the systemic disruption that true recomputation and remediation would require.
Training serving consistency is also withdrawal consistency
Feature stores are often justified by training serving consistency. Uber’s Palette description explicitly frames one central difficulty as guaranteeing that data used at training is the same as the data used for scoring predictions. Hopsworks likewise centers the need to ensure correct and consistent data between feature engineering, model training, and model inference, and it goes further by specifying point in time correctness and query models designed to avoid future data leakage.
Withdrawal imposes a parallel requirement that most teams have not named with the same seriousness: withdrawal serving consistency. It is not enough to ensure that training and serving use the same transformations. The institution must ensure that when a withdrawal state changes, the change propagates through the feature lifecycle with semantics that match the promise. If a person withdraws a datum, the institution must know whether the feature computed from that datum is still being served, still being used in training, still present in offline stores, still replicated, still cached, and still driving decisions.
This is where the feature store becomes a withdrawal control plane or a withdrawal failure amplifier. If the feature store owns the canonical definitions and pipelines, it is the place where withdrawal can be implemented coherently, because it is the chokepoint where many consumers meet. If the feature store is only a value cache with thin metadata, then it becomes the place where withdrawal is hardest, because it has maximized reuse while minimizing obligation visibility.
What a withdrawal ready feature store must assert
A withdrawal ready feature store must be able to make a claim that is meaningful under audit. The claim is not that everything can be erased. The claim is that the institution can determine, with bounded uncertainty, what must change when an upstream obligation changes, and that it can produce evidence that the change was executed.
This requires an explicit internal specification for every feature that goes beyond the common habit of describing a feature in prose and pointing to a query. The specification must contain at least four components.
The first component is provenance sufficient to support impact analysis. Chapters Five and Six established that provenance is accountability geometry. Chapter Ten makes that geometry concrete at the feature level: the system must be able to traverse from a feature to the upstream sources, transformations, and time windows that produced it, and it must be able to traverse from a feature to every known consumer model, service, and training dataset that has pulled it. Without these traversals, a withdrawal request cannot be executed except as a best effort guess.
This is why metadata and lineage systems appear as foundational infrastructure in modern production pipelines. TensorFlow’s ML Metadata tutorial describes MLMD as storing metadata about pipelines and lineage, artifacts generated, and executions, and it emphasizes that production pipelines serve multiple models and that when erroneous results occur, the system can query metadata to isolate erroneous models and trace lineage to debug. The debugging framing is important because it reveals what withdrawal requires: the same capability to trace from output back through lineage and then to act.
Schelter and colleagues make the provenance point in a more general and production oriented manner by describing a system to extract, store, and manage metadata and provenance information of common machine learning artifacts, with the aim of enabling comparability and repeatability and integrating with popular frameworks. The core moral relevance is that provenance is not a nicety for researchers; it is an operational requirement for any institution that wants to be able to explain and remediate.
The second component is intended use constraints, encoded as policy rather than as documentation. A feature created for fraud detection should not silently become an input for performance scoring or marketing personalization simply because it is available. In the language of this book, reuse is a propagation mechanism, and propagation must be governed by purpose binding. If purpose is only written in a wiki, it will not constrain a pipeline. If purpose is enforced by policy at retrieval time and at training dataset assembly time, it can become an actual control.
The third component is temporal semantics. Features have time, not only in their values but in their meaning. Hopsworks makes point in time correctness explicit by discussing training data creation without future data leakage and by using query semantics designed to respect temporal ordering. Withdrawal introduces another temporal semantics: when a withdrawal request arrives, which time windows of historical feature materialization are affected, what is the promised remediation horizon, and what counts as acceptable remainder. If the store cannot represent time precisely, it cannot implement withdrawal honestly, because withdrawal is an obligation that arrives after propagation has already occurred.
The fourth component is evidence generation. Chapter Seven insisted that evidence is not dashboards. A withdrawal ready feature store must produce attestable artifacts showing which consumers were notified or blocked, which feature materializations were recomputed or purged, which training datasets were rebuilt, which online caches were updated, and which derived features downstream were affected. The evidence must be queryable by an auditor and understandable by an operator. It must also be protected from tampering. The point is not bureaucracy. The point is that the institution must be able to demonstrate that it did not treat withdrawal as a mere policy statement.
The central design move: treat features as governed products
Many organizations already speak of features as products. They create catalogs, owners, descriptions, and adoption metrics. This is useful but incomplete. A governed feature product must include a withdrawal contract.
Palette is described as a repository of curated and crowd sourced features that teams can reuse, with pipelines auto generated for feature generation and dispersal. That architecture implies, whether acknowledged or not, that feature producers are publishing a dependency for others to build upon. Publishing a dependency creates a duty: the publisher must specify not only what the feature is, but what happens when the feature’s upstream obligations change. Without that, every consumer will implement its own withdrawal semantics, and the institution will end up with a patchwork of inconsistent behaviors that cannot be audited.
A feature store that wants verifiable withdrawal must therefore formalize the role of feature producer and feature consumer in a way that resembles a mature distributed system contract. The producer must publish semantics and constraints. The consumer must accept them as enforceable, not optional. The platform must mediate the relationship so that breaking changes and withdrawal changes propagate deterministically rather than by rumor.
Here the distributed systems analogy is not decoration. It is the core. In a distributed system, you cannot rely on everyone remembering to do the right thing. You define interfaces, invariants, and failure handling, and you build mechanisms that make the correct behavior the default. A withdrawal ready feature store is the same: it must make the ethical behavior operationally easiest, and it must make the unethical behavior difficult enough that it becomes visible.
Reuse and the temptation to hide residue in embeddings
Orr and colleagues argue that feature stores arose with tabular feature data but that modern pipelines are shifting toward pretrained embeddings used as model features, creating new challenges around managing embedding training data, measuring embedding quality, and monitoring downstream models that use embeddings, challenges that standard feature stores do not fully address. This shift has a direct withdrawal consequence that many institutions have not yet faced with candor: embeddings are a residue amplifier because they can encode information in ways that are difficult to interpret and difficult to attribute to a single upstream record.
When a feature is a straightforward aggregate like “thirty day purchase count,” its upstream dependencies are legible. When a feature is a dense representation learned from large corpora, the institution is tempted to treat it as a non personal artifact, precisely because it is not easily decomposed into human understandable components. That temptation is one of the most dangerous forms of audit theater, because it hides obligation behind mathematical opacity.
A withdrawal ready feature store must therefore extend its governance beyond tabular features into embedding ecosystems, not by pretending that perfect removal is always possible, but by insisting that embedding production, versioning, training data sourcing, and downstream use are subject to the same provenance and evidence discipline. Orr and colleagues’ framing is again instructive: embeddings introduce new lifecycle challenges that require management of training data and monitoring of downstream models. In the vocabulary of this book, the institution must be able to say what an embedding is trained on, how it is versioned, who consumes it, and what bounded remediation actions exist when upstream obligations change.
A concrete control plane for feature reuse under withdrawal
The architecture of Feast, a widely used open source feature store, makes explicit the core separation that many systems adopt: an offline store for historical feature extraction for training and an online store for low latency serving for inference, with a central registry that defines and manages feature definitions and their serving behavior. This separation is not only a performance architecture. It is a governance problem, because withdrawal must be executed across both planes. Offline training datasets must be rebuilt or masked according to the withdrawal contract, and online serving must stop providing withdrawn influenced features within the promised horizon.
A withdrawal ready control plane therefore requires three integrated capabilities that many organizations build separately and then struggle to reconcile.
The first capability is registry as policy object. The registry must not only list features; it must store enforceable constraints such as allowed purposes, allowed consumers, retention and recomputation obligations, and the semantic choice for removal when upstream withdrawal occurs. The registry must also bind the feature definition to the exact transformation code version that produced it, because otherwise the institution cannot prove that it recomputed the same feature after a withdrawal event.
The second capability is lineage capture that spans training and serving. MLMD style metadata systems show how pipeline lineage can be tracked and queried to isolate and debug served models. That same lineage needs to connect feature retrieval events, training dataset assembly events, model training runs, model deployments, and online serving calls, at least at a granularity that enables impact analysis. The goal is not surveillance of developers. The goal is the ability to answer an auditor’s question: which deployed decisions were influenced by a feature that depends on a withdrawn record, and what remediation did the institution perform.
The third capability is orchestration for recomputation and blocking. The store must be able to initiate recomputation of affected features and retrigger downstream pipelines, or, where recomputation is not feasible, to enforce isolation semantics that prevent further use. This orchestration must be coupled to evidence generation so that every withdrawal event produces a ledger entry that records what was recomputed, what was blocked, what could not be changed, and what remainder remains.
If this sounds heavy, it is because withdrawal is heavy. The alternative is to keep the feature store as a speed layer while treating withdrawal as an external policy, which is precisely how organizations end up with “non executable no” once propagation has occurred.
The cost curve that reuse hides until it is too late
Feature reuse creates a cost illusion. At build time, reuse is cheap and feels virtuous. At withdrawal time, reuse is expensive and feels like an attack on productivity. The institution will therefore be tempted to underinvest in withdrawal readiness, because the benefits of reuse are immediate and measurable while the costs of future withdrawal are delayed and often externalized onto data subjects.
This is exactly why Chapter Fifteen will formalize withdrawal as a cost curve, but the conceptual point belongs here: feature stores are the place where the marginal cost of withdrawal grows non linearly with adoption. The institution needs to internalize that cost early by making withdrawal readiness a publication requirement. In practical terms, a feature should not be publishable to the shared store unless it satisfies a minimum withdrawal readiness bar: provenance capture, consumer tracking, temporal semantics, and a defined remediation plan. Without that bar, the store will accumulate features that are easy to use and impossible to withdraw, and the institution will respond by renaming impossibility as compliance.
Closing the chapter: why Chapter Ten ends Part Three’s innocence
Chapter Ten ends the last place where withdrawal can be treated as a local operation. In a feature store regime, withdrawal becomes a cross model ecosystem obligation. It is no longer sufficient to delete a row or isolate a dataset. The institution must be able to reason about shared derived artifacts that circulate across teams and services, and it must be able to do so with evidence.
Uber’s Palette description is a statement of ambition: features are centralized, curated, shared, and monitored, with pipelines generated and dispersed across offline and online stores. Hopsworks formalizes the same ambition by defining feature reuse, transformation taxonomies, and point in time correct training data creation as core capabilities. Orr and colleagues locate feature stores in the broader lifecycle need for reproducibility and then warn that embedding ecosystems create new governance challenges that standard feature stores have not yet solved. Taken together, these sources show that the industry has already built the infrastructure of reuse. The question is whether it will also build the infrastructure of withdrawal.
Chapter Eleven now narrows from reuse as a general propagation engine to the specific domain where the temptation to treat reuse as pure value is strongest and the withdrawal consequences are most politically charged: training corpora. If features are the portable representations that models consume, training datasets are the assemblages that make those representations possible. Chapter Eleven therefore treats training data governance not as documentation, but as a build pipeline that fails closed when withdrawal readiness is not satisfied.
Chapter 11: Training Data Governance Beyond Dataset Cards
If Chapter 10 named the tyranny of reuse inside feature stores, then this chapter names the parallel tyranny of reuse inside training corpora. In most organizations, the feature store is treated as an engineered system, while the training set is treated as a file, a bucket, or a folder of examples whose provenance is allegedly “documented” somewhere else. This asymmetry is one of the quiet reasons withdrawal becomes fictional after propagation: we build mature systems for serving and monitoring, then we treat the data supply chain that generates learned behavior as a loosely narrated archive. The result is predictable. When a withdrawal request arrives, teams can often delete a row from an operational database, sometimes delete a blob from an object store, occasionally delete a feature from a feature store, and almost never produce rigorous evidence about what actually trained what, when, under which transforms, with which exclusions, and with what remaining residue inside checkpoints, derived datasets, caches, and warm started training state. The governance problem here is not that documentation is pointless. The governance problem is that documentation is often mistaken for control.
The literature has tried to correct this confusion for years. Datasheets for datasets argue that every dataset should be accompanied by systematic documentation of motivation, composition, collection process, recommended uses, distribution, and maintenance, precisely because misuse and harm become likely when developers are not domain experts and when provenance is vague (Gebru et al.). Data statements for language datasets push the same impulse in a different register: the point is not narrative virtuosity but disciplined contextualization so that research and engineering claims do not silently universalize from one population to another (Bender and Friedman). Data Cards likewise frame dataset documentation as a human centered artifact intended to support a dataset’s lifecycle, including transformations and safe joining and forking guidance, because modern datasets are assembled, transformed, and recombined rather than simply collected once and used in a single pipeline (Pushkarna et al.). These interventions matter. They also share a boundary: they are primarily about legibility to humans. Withdrawal readiness, by contrast, is legibility to systems and to auditors, where the claim must survive adversarial inspection, replay, and recomputation.
The pivot, then, is to treat the training set as a compiled artifact rather than a found object. A training corpus in a modern organization is rarely a single dataset. It is an assemblage: upstream sources, crawls, licensed corpora, user generated content, partner feeds, internal logs, synthetic expansions, deduplicated and filtered shards, and annotation layers that themselves may be composites of crowd work, expert review, heuristics, and model assisted labeling. Even when the organization uses the vocabulary of “the dataset,” what it actually uses is a build: a specific construction of an artifact at a point in time from a directed graph of inputs and transforms. If you accept this, then the governance target changes. The target is no longer a static description. The target is a build system that can answer, with evidence, “What exactly was trained, from which ingredients, through which transforms, under which constraints, and with which withdrawal hooks still live.”
11.1 From dataset cards to training bills of materials
Dataset cards and datasheets are interpretive surfaces. They help humans understand a dataset’s purpose, scope, collection conditions, and limitations. They are necessary for responsible practice, and they are ethically serious because they force the institution to name what it otherwise prefers to leave implicit. But they do not, on their own, give you the mechanics required for verifiable withdrawal. To get mechanics, you need something closer to what the software world calls a bill of materials: a machine readable inventory of components, versions, sources, and dependency structure that is produced automatically as part of building an artifact, then carried forward as an auditable object.
I will call the training counterpart a Training Bill of Materials, or TBOM. This is not a marketing layer. It is a concrete schema and a pipeline contract. The TBOM is generated by the dataset build process, not by a slide deck. It enumerates, at minimum, the source inputs, their versions or snapshots, the licenses or use permissions that govern them, the consent state and withdrawal obligations attached to each input, the transforms applied, the deduplication and filtering steps used, the join logic that produced composed examples, and the exact output shards that were emitted for training. It includes cryptographic identifiers for inputs and outputs, and it binds each component to a provenance edge in the lineage graph described earlier in this section. The core point is that withdrawal cannot be verified against a story. Withdrawal can be verified against a build graph and the artifacts that graph emitted.
This is not an exotic idea. The database provenance community has spent decades formalizing provenance precisely because, without it, you cannot answer why a record exists, how it was derived, or where it came from in the transformation chain (Cheney, Chiticariu, and Tan). Dataset version management systems explicitly model datasets as branching, merging, and differencing artifacts, because real data work is iterative and collaborative, and errors must be isolatable to versions and changesets rather than treated as timeless properties of “the data” (Bhardwaj et al.). The TBOM is simply the governance specialization of this lineage and versioning logic for the specific purpose of withdrawal and audit.
Once you name the TBOM, a second shift follows. It becomes possible to make training ingestion fail closed. In the same way that a serious build system fails when dependencies are missing, ambiguous, or compromised, a withdrawal oriented training build system should fail when any input component lacks an attached consent state, lacks a traceable source, lacks license metadata, lacks a retention policy, or lacks a defined deletion or isolation mechanism. This is where the moral claim becomes a systems property: the organization is no longer asking engineers to remember ethics. It is forcing ethics into the compilation step.
11.2 Continuous ingestion means continuous governance
A major reason teams cling to documentation artifacts is that they are cheaper than rebuilding the world. But continuous ingestion makes static artifacts decay quickly. Most modern ML production environments are not “train once, deploy once.” They are pipelines that retrain, warm start, and iterate. In the TensorFlow Extended ecosystem, for example, continuous pipelines are treated as standard operating conditions, and the pipeline state itself becomes the substrate on which new runs build, meaning that corrupted data can propagate forward through warm started checkpoints even if a later validation gate prevents a bad model from shipping (Baylor et al.). This matters for withdrawal because it reveals a neglected residue class: the trainer state. A withdrawal that deletes a record from the current build but leaves warm start state intact may not remove influence; it may simply ensure that the influence persists in a more opaque substrate.
If you accept continuous training as the norm, then governance must be continuous as well. This is one of the places where technical debt becomes moral debt. Data validation work aimed at production ML emphasizes that anomalies in the data pipeline are not peripheral: they are a recurring failure mode that must be detected and managed as part of the ML system, not as a one time sanity check (Breck et al.). In withdrawal terms, the point generalizes: you do not only validate distributions and schemas, you validate consent states, provenance completeness, and withdrawal readiness invariants across every run.
A TBOM therefore cannot be a manual artifact generated quarterly. It must be emitted per build, persisted, and compared across builds so that the organization can answer questions that auditors will ask and that engineers secretly need in order to do their jobs: Which upstream sources newly entered the corpus since the last run, and under what permission? Which transforms changed, and how does that affect downstream residue? Which exclusions were applied, and are they still applied? Which withdrawals were processed, and do we have evidence that they were applied to every build target that consumed the affected components?
This is also where “dataset drift” becomes governance drift. When the corpus shifts, the obligations shift, not only the accuracy. If a new source enters whose consent semantics differ, or whose license imposes new obligations, the training system must treat that as a configuration change with enforcement consequences. The organization does not get to treat “new data” as a neutral improvement. New data is new obligation.
11.3 A training corpus is a sociotechnical supply chain
If you want to build withdrawal into training governance, you must be willing to model the training corpus as a supply chain. That language is sometimes resisted because it sounds industrial. But the analogy is disciplined and clarifying. Supply chain thinking forces three habits: inventory, traceability, and recall. Inventory means you know what components exist. Traceability means you can map where components went. Recall means you can remove compromised components from downstream products and prove you did it. In this book’s language, recall is the operational substrate of withdrawal verification.
This supply chain view aligns with broader risk management frameworks that treat AI as lifecycle bound and measurement oriented. The NIST AI Risk Management Framework emphasizes governance, mapping, measurement, and management as ongoing functions rather than one time compliance milestones, explicitly positioning the framework as a living document intended to be iterated as systems and contexts change (Tabassi). The relevance here is not the framework’s vocabulary but its insistence on measurability and lifecycle: training data governance is not an ethics addendum. It is a core control surface.
The supply chain view also discloses why dataset cards alone cannot do the job. Cards are not inventories. Cards are not traceability graphs. Cards are not recall mechanisms. They can support these mechanisms by giving humans meaning and context, and they can prevent misuse by making “intended use” and “limitations” explicit, which is ethically significant. But verifiable withdrawal requires system level invariants that are enforced at build time and observable at audit time.
11.4 The TBOM schema as a withdrawal instrument
At minimum, a TBOM must be structured to support four auditor grade questions, each of which corresponds directly to the definition of verifiable withdrawal introduced in this book.
First, composition: what sources are included, at what versions, under what licenses or permissions, and with what consent states. Second, transformation: what was done to each input component, including filtering, normalization, redaction, deidentification, aggregation, deduplication, and labeling. Third, propagation targets: which training runs, model families, and downstream derivatives consumed the resulting build artifact. Fourth, withdrawal hooks: what mechanisms exist to remove or isolate components when consent changes, including deletion orchestrations, retraining triggers, unlearning workflows, or access isolation controls.
Here the dataset documentation literature becomes operationally useful. Datasheets and Data Cards explicitly demand attention to dataset maintenance and transformations, and they treat documentation as something that must evolve with the dataset lifecycle rather than remain frozen at creation (Gebru et al.; Pushkarna et al.). The TBOM takes that lifecycle orientation and binds it to machinery: every transform becomes a recorded build step; every maintenance action becomes a versioned change; every join becomes a lineage edge that can be traversed during a withdrawal impact analysis.
The versioning dimension is not optional. Without versioned dataset artifacts, you cannot prove that withdrawals were applied to new builds, nor can you reconstruct which model versions were trained on pre withdrawal states. The DataHub line of work exists because data science is collaborative, iterative, and branching by nature; it gives the vocabulary of branching, merging, and differencing to datasets themselves so that changes can be tracked and errors can be localized (Bhardwaj et al.). Withdrawal governance needs the same capability, but with a sharper aim: it needs to localize consent changes and their downstream effects, then prove the system responded across all dependent artifacts.
11.5 Fail closed training builds
A withdrawal oriented training build pipeline is defined by refusal: refusal to ingest components that cannot be governed, refusal to train on artifacts that cannot be traced, refusal to ship models whose training lineage cannot be reconstructed. This is the systems translation of the book’s moral thesis. Withdrawal is not a promise; it is an enforced property. That enforcement occurs at build time because build time is where the institution still has leverage. After training, the cost curve steepens and residue becomes harder to reduce.
Practically, this means that training data governance must adopt the discipline of production ML systems engineering: validation gates, invariant checks, and continuous monitoring. Data validation research aimed at production ML explicitly argues for systems that detect anomalies in data fed into ML pipelines, and it treats such validation as deployed infrastructure rather than ad hoc testing (Breck et al.). A withdrawal oriented system extends the anomaly concept. It treats missing provenance fields, inconsistent consent states, ambiguous licenses, orphaned sources, and unversioned transforms as anomalies. If any such anomaly is detected, the build fails, the TBOM is incomplete, and training does not proceed.
This is also where the book’s insistence on “bounded honesty” becomes an engineering constraint. It is better to fail closed than to train on an artifact whose withdrawal obligations you cannot later satisfy. If an organization cannot tolerate such failures, then it is admitting, implicitly, that its operating model requires non auditable training behavior. That admission is precisely what this book is trying to make explicit and costly.
11.6 Audit evidence: reproducible builds and attestations
Documentation tells a story. Evidence allows replay. To support auditors, the TBOM must be coupled to reproducible dataset builds. That means that given a TBOM, a reviewer should be able to reconstruct the exact dataset artifact, or else prove why reconstruction is not possible and what compensating controls exist. The TBOM should therefore include stable identifiers for source snapshots, transform code references, parameter settings, and output shard hashes, so that the training set can be treated as a deterministic build product under defined assumptions.
This approach aligns with the ethos behind datasheets and data statements: insist on context, scope, and maintenance, and do it in a standardized form so that stakeholders can compare and reason across datasets rather than treating every dataset as an idiosyncratic narrative (Gebru et al.; Bender and Friedman). The TBOM formalizes standardization further by making it machine readable and coupling it to the act of construction.
It also reduces a known institutional failure mode: the rebranding of ignorance as “we cannot tell.” When training sets are assembled ad hoc, “we cannot tell” is often true. When they are assembled through a governed build system, “we cannot tell” becomes an operational failure and a governance finding. This is one of the most important transformations in the entire book. Verifiable withdrawal requires that ignorance be treated as a defect, not as a normal state.
11.7 The hard case: derived artifacts and inferred attributes
Training data governance meets its hardest boundary when the dataset includes derived artifacts, inferred labels, or synthetic expansions. Here, the question of withdrawal is no longer only about the raw source row. It is about the derivatives. Data Cards explicitly foreground transformations and their risks, precisely because transformations can introduce system level harms that are not obvious from the raw source (Pushkarna et al.). The governance implication is sharp: every transform must declare whether it creates derivative artifacts that are themselves subject to withdrawal obligations, and the TBOM must record the mapping from source components to derived outputs so that derivatives can be targeted during withdrawal orchestration.
This is where the “inference withdrawal” idea, introduced later in the book, begins to take shape. If the training corpus includes inferred attributes, embeddings, or synthetic labels, withdrawal may require more than deleting the raw input; it may require removing or isolating the derivative representations that were generated from the input. A TBOM does not solve this on its own, but it creates the necessary precondition: a traceable map from source to derivative.
11.8 Why this chapter ends where unlearning begins
This chapter has insisted on a point that will discipline the next one. If training data governance is treated as documentation, unlearning becomes a desperate, expensive fantasy invoked after damage. If training data governance is treated as supply chain infrastructure, unlearning becomes a bounded tool in a broader withdrawal system: one option among deletion, isolation, retraining, and evidence production, chosen according to residue class and cost curve.
In other words, Chapter 12 does not begin with algorithms. It begins with the constraints that Chapter 11 imposes on the institution. A system that cannot produce a TBOM, cannot reproduce a dataset build, cannot version transforms, and cannot trace training artifacts has no business promising unlearning guarantees to regulators, users, or itself. Conversely, a system that can do these things has earned the right to ask a more precise question: given traceability and controlled builds, what forms of unlearning are feasible, what guarantees are meaningful, and what remainder must be named honestly.
A final word, because it is the ethical spine of this section. The aim of training data governance is not purity. It is restraint with evidence. It is the institutional willingness to say: we will not train on what we cannot later withdraw from with measurable integrity. That willingness is the first real cost an institution pays for consent. Without it, consent remains theater.
Chapter Twelve
Machine Unlearning as Bounded Honesty
A withdrawal request arrives in the language of the person, not in the language of your pipeline. In the person’s language, the request is plain: remove what I gave you, stop using what I gave you, stop making me legible through what I gave you. In the system’s language, the request becomes a graph of obligations that is already late, because the data has likely moved into denormalized tables, cached joins, feature stores, logs, vector indices, training shards, checkpoints, evaluation sets, and vendor processors. This is the moral hinge of modern learning systems: the request is singular, but the residue is plural. Your institution feels tempted to answer with ceremony, with a ticket closed and a screenshot of a deletion job, because ceremony is cheap and coherence is expensive. The work of this chapter is to deny you that cheap coherence. It treats “unlearning” not as a public relations term and not as a promise of purity, but as a bounded practice of truth telling under constraint, where the bounds are specified, the tradeoffs are explicit, and the evidence is auditable.
Regulators have already named the basic ethical pressure without supplying a systems blueprint. The GDPR’s right to erasure describes a duty to erase “without undue delay” in defined circumstances, and it also quietly admits what operators know but rarely say out loud: erasure is not absolute, because it collides with countervailing obligations such as freedom of expression, public health, archiving in the public interest, and the establishment or defense of legal claims, and even when erasure is owed, the controller’s obligation is conditioned by “available technology and the cost of implementation,” including the requirement to take “reasonable steps” to notify downstream controllers where replication has occurred (Regulation (EU) 2016/679, art. 17, paras. 1 to 3; art. 19). The legal text, read with operator eyes, is already a theory of residue: it assumes propagation, it assumes downstream recipients, it assumes feasibility limits, and it assumes that withdrawal is not a single atomic action but a process that must be evidenced across boundaries.
Machine unlearning is the narrowest and most technically charged subset of that broader withdrawal problem. It concerns what happens after training has already occurred, when the system has transformed data into parameters, features, statistics, centroids, embeddings, or other learned representations. The foundational move in the literature is blunt and still correct: if you want a trained system to “forget a piece of training data completely,” you are trying to “revert the effects of the data on the extracted features and models,” and retraining from scratch is the naïve baseline that defines what complete removal would mean, while also revealing why complete removal is operationally costly (Cao and Yang 2). This baseline is the discipline that keeps us honest. If you cannot articulate what “equivalent to retraining without the removed data” means in your setting, you are not doing unlearning; you are doing something else, which may still be useful, but it must be named accurately.
The most rigorous formulations therefore treat unlearning as an indistinguishability claim. Guo, Goldstein, Hannun, and van der Maaten define “certified removal” as a guarantee that a model from which data is removed “cannot be distinguished from a model that never observed the data to begin with,” and they show a mechanism for linear classifiers where the guarantee is not a vibe but a theorem, and where the certification is an artifact you can hand to an adversarial reviewer (Guo et al. 1). In the same register, the practical motivation is not only rights language but attack language: membership inference and training data extraction demonstrate that learning systems can leak information about whether particular records were in the training set and, in some cases, can leak the records themselves. Shokri, Stronati, Song, and Shmatikov formalize membership inference as the question of whether a given record was part of the training dataset, showing that models can leak membership through prediction behavior, including in black box service settings (Shokri et al., sec. I). Carlini and coauthors later demonstrate training data extraction at scale, showing concrete instances where models can output memorized sensitive strings, and they frame mitigation as a technical discipline rather than an ethical slogan (Carlini et al. 3). If you claim unlearning without confronting these attack models, you are not defending withdrawal; you are defending the aesthetic of withdrawal.
Bounded honesty begins by refusing a single word, “forget,” as a universal descriptor, and instead specifying which of several things you are trying to change. Sometimes the object is training influence, meaning you want the post withdrawal model to behave as if the removed records were never used in training. Sometimes the object is memorized verbatim content, meaning you want to prevent reproduction of particular sequences even if broad statistical influence remains. Sometimes the object is decision basis in an institutional sense, meaning you want to ensure that a person’s data is no longer used as a basis for decisions about them, which can include both model behavior and non model artifacts like profiles, caches, and derived features. These are not the same objective, and confusing them is one of the fastest ways to produce audit theater.
When you hold those objectives apart, the technical landscape becomes legible. There are unlearning regimes that are exact or nearly exact within a class of models, and there are regimes that are approximate, where you aim to get close to retraining without paying the full cost, and where the distance from retraining must be measured and bounded. There are designs that make unlearning cheaper later by constraining training now, and there are designs that attempt to repair a system that was not built for withdrawal. There are also designs that are less about unlearning and more about insulation, such as isolation, access revocation, and output filtering, which can be valuable but are not equivalent to removing training influence.
The oldest honest move is to modify training so that later subtraction is feasible. In their early framework, Cao and Yang treat unlearning as a first class property, and a recurring theme is that certain learning procedures can be structured so that the contribution of a record is localized and therefore reversible without full retraining (Cao and Yang 2 to 3). This is not a footnote. It is a design doctrine. If your training process entangles every point with every parameter across many epochs in a way you cannot decompose, then later “unlearning” is an act of faith. Conversely, if you train in ways that preserve decomposability, such as maintaining sufficient statistics for convex objectives, partitioning data, or limiting cross shard dependence, you convert later withdrawal from a metaphysical demand into an engineering task.
A clean example of the decomposability approach appears in Ginart, Ge, Valiant, and Zou’s work on data deletion, where they formalize efficient deletion for k means clustering and show algorithms that can dramatically reduce deletion cost while keeping the learned structure comparable to retraining baselines, which makes deletion something closer to an incremental maintenance problem than a full rebuild (Ginart et al. 1). The details are model specific, and that specificity is the point: unlearning is not one algorithm. It is a family of strategies indexed to the learning objective, the training procedure, and the risk you are trying to mitigate.
Another strong and operationally influential design is SISA training, introduced by Bourtoule and colleagues as a framework that “strategically limit[s] the influence of a data point in the training procedure,” with the goal of expediting unlearning for stateful algorithms like stochastic gradient descent, especially in deep networks (Bourtoule et al., abstract). SISA partitions data into shards, trains in slices, and thereby creates a structure where removing points triggers partial retraining rather than total retraining, trading some training complexity for withdrawal readiness. What matters for our purpose is the institutional translation: SISA is a declaration that the cost of withdrawal should be paid partly up front, as an infrastructure cost, rather than entirely at the moment of harm.
The most stringent unlearning claims remain easiest in convex settings where the mathematics supports certification. Guo and coauthors, as noted, provide a certified mechanism for linear classifiers and tie the guarantee directly to indistinguishability from retraining without the removed data (Guo et al. 1). Warnecke, Pirch, Wressnegger, and Rieck push in a related direction by treating unlearning not only at the granularity of individual points but at the level of features and labels, using influence functions and closed form updates, and they distinguish settings where they can provide certified unlearning guarantees for strongly convex loss functions from settings where they can only provide empirical evidence for non convex losses (Warnecke et al. 1). The contribution here is both technical and conceptual: it shows that “remove this” will increasingly refer not only to data points but to categories of leakage that span many points, such as a leaked credential pattern, a protected attribute proxy, or a mislabeled target that propagates across training corpora.
Deep learning, and especially foundation models, pushes the problem into the zone where approximate unlearning dominates. Approximate unlearning means you aim to produce a model whose behavior is close to the behavior of a model retrained from scratch on the dataset with removed content excluded, but you do not claim exact equivalence. The ethical hazard is immediate: approximate unlearning can be sold as if it were erasure, and the institution can take refuge in the ambiguity. Bounded honesty forbids that refuge. It requires you to specify what notion of closeness you are using, which adversaries you defend against, and what residual risks remain.
Large language models make this hazard louder because their outputs are generative and their memorization can be textually explicit. The recent literature increasingly distinguishes “LLM unlearning” from classical unlearning because the scale and usage patterns introduce new targets, such as removing knowledge of topics, removing specific copyrighted sequences, or reducing harmful completion tendencies, and because evaluations that look good on synthetic benchmarks can fail under more adversarial probes. Liu and collaborators explicitly frame “LLM unlearning” as a distinct regime with challenges in defining scope, formulating targets, and assessing effectiveness, emphasizing that definitions and evaluations must be made explicit rather than assumed (Liu et al. 2). In parallel, methods marketed as unlearning sometimes function more like safety alignment procedures, which may be valuable but must not be misrepresented as removing training influence. The ECO prompts work, for example, positions itself as “unlearning” knowledge from an LLM to address harmful responses and other objectives while seeking efficiency gains over more expensive alignment pipelines, which underscores that the field is using the unlearning label across multiple adjacent goals that are not identical (Liu, “Embedding Corrupted Prompts,” 1).
If you want bounded honesty, you must treat evaluation as adversarial by default. One reason is that fragile unlearning can look successful until an attacker, or even ordinary post deployment distribution shift, reactivates what was supposedly removed. Hu and coauthors demonstrate “targeted relearning attacks” that can “jog” the memory of unlearned LLMs, reversing the effects of unlearning with access to a small amount of auxiliary data, which implies that unlearning evaluations that ignore post unlearning adaptation risk overclaiming (Hu et al. 1). Their broader point for operators is not that unlearning is futile, but that unlearning must be treated as a security problem with an evolving adversary, not as a compliance checkbox with a static test suite.
This is why the evidence story of withdrawal must be layered. In earlier chapters we built an evidence ladder and insisted that dashboards are not evidence. For unlearning, the ladder becomes concrete. At the lowest level, you can show that a particular record was removed from a training corpus and that retraining jobs were triggered. This is necessary but rarely sufficient, because it does not demonstrate that the trained artifact no longer bears the record’s influence. A stronger layer compares model behavior after unlearning to a retrain from scratch baseline, measuring differences on targeted and general evaluation sets. But behavior level similarity, by itself, can hide leakage. Membership inference shows that models can leak training membership even when they generalize well, and that leakage correlates with overfitting and other factors, which means that privacy relevant evaluations must include membership tests rather than only accuracy tests (Shokri et al., sec. I and V). Data extraction work shows that memorization can surface as verbatim strings, implying that canary based tests and targeted prompting can reveal failures that average metrics will miss (Carlini et al. 3 to 4).
A still stronger layer, when feasible, is certification, meaning a proof or a cryptographically supported claim that under specified assumptions the post removal model is indistinguishable from a model trained without the data. Certified removal in linear settings exemplifies this layer (Guo et al. 1). The honest operator takeaway is not that you should demand certification everywhere, but that you should classify where certification is possible, where it is not, and what evidence substitutes are admissible. In other words, you should treat “certified where possible” as a design preference and “empirically bounded where necessary” as a second best option that must be labeled as such in your audit narrative.
Once you start thinking this way, a disciplined decision procedure emerges, even if you never write it down as a flowchart. If the harm is concentrated, the model class supports certification, and the withdrawal volume is moderate, then certified removal mechanisms are attractive because they produce strong claims with auditor friendly artifacts. If the model class is non convex and the training process entangles data heavily, but you can afford partial retraining and you can restructure training going forward, then architectures like SISA training offer a way to buy future withdrawal readiness by paying an up front tax in pipeline design (Bourtoule et al., abstract). If neither is possible, then you may be forced into approximate methods, including finetuning based unlearning approaches for LLMs, but bounded honesty demands you then expand the evaluation set, include adversarial probes, and make explicit what you are not claiming, including the possibility of relearning and resurgence of removed content (Hu et al. 1).
Notice what is missing here: the fantasy that unlearning is a retrofit feature you can bolt onto any system without altering how you train, store, and version artifacts. That fantasy is institutionally convenient, because it allows leaders to promise compliance without funding redesign, and it allows teams to treat withdrawal as an exception path rather than as a core invariant. But the literature’s strongest results consistently imply the opposite. Efficient deletion in k means depends on algorithm specific structures (Ginart et al. 1). Certified removal depends on model class and mechanisms designed for certification (Guo et al. 1). SISA depends on training partitioning choices made before any request arrives (Bourtoule et al., abstract). The operator conclusion is that unlearning, to the extent you want it to be real, must be treated as an architectural requirement upstream of the request, not as a remediation step downstream of the request.
Bounded honesty also requires you to recognize the difference between removing influence and preventing output. Many organizations conflate them because both can be framed as “the model does not say the thing anymore.” But refusal to output can be achieved by post processing, safety layers, or policy constrained decoding without changing the underlying model’s learned representation. This can reduce harm and may be necessary for safety, but it is not withdrawal verification. Conversely, removing training influence may reduce memorization risk but may still leave a model capable of producing harmful content that is generatively available from other sources in the training distribution. The right posture is additive and explicit: you may need both unlearning and output constraint, but you must keep their evidence stories separate. Chapter Thirteen will take up this distinction systematically by separating model editing, redaction, and policy constrained generation as different tools with different claims.
To integrate unlearning into the Residue Ledger, you need an auditable story that is neither absolutist nor evasive. The ledger entry for an unlearning action must specify the unlearning target in precise terms, the training artifacts implicated, the mechanism used, the threat model addressed, and the evidence produced. In certified settings, that evidence may include formal certificates and reproducible derivations. In approximate settings, it must include at least a retrain from scratch comparator for a representative slice, membership inference style probes where applicable, and targeted extraction style tests when the risk is memorization of sequences, along with explicit thresholds and failure criteria. The ledger is not a narrative of perfection; it is a record of what was attempted, what was verified, what remains uncertain, and what residual risk is being accepted with named authority.
This leads to the ethical center of the chapter. Unlearning is not the promise that the past can be erased cleanly. It is the practice of building systems that can change their commitments after they have already acted, and then proving, with bounded claims, what changed. In institutional terms, it is a refusal to treat withdrawal as an embarrassment. It is a willingness to say, in writing, that the system contains residue, that some residue can be reduced, that some residue cannot be reduced without destroying other obligations, and that the institution will pay in compute, latency, accuracy, and redesign time to make withdrawal less fictional than it would otherwise be. The moment you can say this publicly inside your organization, you have begun to exit the liturgy of “we deleted it,” because you have replaced the performance of closure with the discipline of evidence.
Chapter Thirteen
Model Editing, Redaction, and Policy Constrained Generation
Withdrawal fails most often at the level of vocabulary. Institutions learn to say “we removed it” when what they did was stop serving it, stop showing it, or stop acknowledging it. The precision this book requires is harsher: withdrawal is about influence and basis. It asks whether a person’s data continues to shape a system’s decisions, representations, and outputs, even after the institution performs some visible act of removal. Chapter Twelve treated unlearning as the narrow technical attempt to reduce training influence under auditable bounds. This chapter isolates two adjacent practices that are often marketed as unlearning but are not logically identical to it. The first practice is model editing, which directly changes weights to revise a small set of behaviors or associations. The second practice is redaction and policy constrained generation, which aims to prevent specific outputs, or entire classes of outputs, at inference time, often without altering the underlying training influence. Each practice is legitimate within its own claim space. Each practice becomes unethical when it borrows the moral authority of withdrawal while delivering something else.
A disciplined distinction begins with the simplest adversarial question: if I can make the system produce the removed content again, or act as though it still believes the removed association, then what exactly was removed. This is why the privacy and security literature is not a mere aside to governance. Membership inference formalizes a basic test: given a record, and black box access to a model, determine whether the record was in the training dataset. Shokri, Stronati, Song, and Shmatikov show that many trained models leak membership through prediction behavior, and they discuss mitigation strategies that reduce the leakage by changing what the model reveals, rather than changing what the model learned. The strategic lesson is uncomfortable: output restriction can reduce evidence of membership without removing influence. If a system can be made less talkative, it may become harder to audit through black box attacks, while still retaining the same internal dependence on the training record. This is one of the first reasons that policy constrained generation cannot be equated with unlearning.
The second adversarial lens is memorization. Carlini and coauthors show that generative models can unintentionally memorize rare sequences and that the risk can be quantified and tested, introducing methods that rely on canary like inserted secrets and a metric called exposure to measure memorization in sequence models. Later work on extracting training data from large language models demonstrates concretely that memorized data can be recovered as verbatim strings in some settings. These results matter here because they reveal a second way institutions evade precision. They may prevent a model from outputting a specific secret under ordinary prompts and then declare victory, while the secret remains extractable under different prompting strategies, or remains present as latent influence. Redaction is therefore not the same as unlearning, even when it is motivated by privacy, because a system can be redacted in a way that blocks one pathway while leaving the underlying memorization and influence intact.
With that adversarial framing in place, the chapter makes a three part claim. The first claim is that model editing is best understood as targeted behavior modification, not as removal of training influence, unless the editing method can supply a credible argument that it achieves indistinguishability from retraining on a dataset that never contained the removed data. The second claim is that redaction and policy constrained generation are best understood as output governance, not as withdrawal, unless they are paired with evidence that training influence has been reduced and that extraction style attacks fail under specified threat models. The third claim is that institutions need all three tool classes, but they must carry separate evidence burdens, because conflating them creates audit theater.
Model editing as localized rewriting, not ontological removal
Model editing enters the discourse because it is fast, surgical, and psychologically satisfying. When someone discovers that a model contains a false or harmful factual association, or contains an unwanted behavior that seems tied to a narrow prompt pattern, it is tempting to treat the association as a line in a database. If the model can be edited to say something else, then the institution feels that the harmful content has been removed. The most influential work in this direction explicitly proposes direct weight edits that update a factual association. Meng and colleagues introduce Rank One Model Editing, or ROME, treating certain transformer feedforward modules as mediating factual association recall, and then performing a rank one update to write a new key value pair into the model’s weights. They evaluate edits on a benchmark designed to test whether the new association is expressed, whether the edit is specific, and whether it generalizes across paraphrases. The claim is real within its scope: model behavior can be updated by a direct weight edit without full retraining.
MEMIT extends this idea to many edits at once, showing that large numbers of associations can be rewritten in transformer models via direct editing methods, scaling beyond single fact updates. These works are essential because they establish a viable engineering primitive: direct edits can be applied to deployed weights to modify a bounded set of behaviors.
But this is precisely where bounded honesty must tighten. Editing a factual association is not the same as removing the influence of the record that originally taught the association, and it is not the same as removing the record from the training set. Model editing can overwrite a behavioral expression while leaving the record’s other influences intact, including influences distributed across many parameters, representations, or learned heuristics. Even within the model editing literature, the framing centers on replacing obsolete information and adding specialized knowledge, rather than on satisfying a withdrawal right tied to a specific data subject. This is not a weakness, but it is a boundary. Model editing is a governance tool for correcting model behavior and knowledge bases. It becomes a withdrawal tool only when the institution can show that the edit removes, under a defined threat model, the data subject’s influence across the system in a way comparable to retraining without the subject. That is a far stronger claim than behavior replacement, and most editing methods do not aim to prove it.
Therefore the Residue Ledger must treat model editing as its own action class with its own semantics. A ledger entry for an edit should specify what was edited, which prompt classes are expected to change, what collateral behavior was tested, and what the edit does not claim. If the institution uses edits as a remediation for memorized output, the ledger must include evidence that the memorization pathway is actually blocked under adversarial tests, not merely under a friendly prompt.
Redaction as output control and the ethics of partial silence
Redaction is the practice of preventing specific strings, patterns, or classes of content from appearing in model output. It can be implemented at several layers. It can be a postprocessing filter that blocks or masks detected sequences. It can be a retrieval and generation constraint, where sensitive documents are removed from retrieval indexes so that they are not surfaced during generation. It can be a decoding time constraint that alters token probabilities to avoid certain content. It can also be an internal training objective, where the model is trained to refuse or to avoid generating prohibited content.
The key point is that redaction is not primarily about influence. It is about emission. When redaction succeeds, a model may no longer say a secret, but the secret may remain encoded. Carlini and coauthors show why this matters. Their testing methodology for unintended memorization uses canaries and exposure to quantify how much a model has memorized rare sequences, and the purpose of the metric is precisely to detect memorization even when it is not obvious in ordinary use. If your institution only tests whether the secret appears under a small set of prompts, you are testing convenience, not risk.
Redaction is still necessary because withdrawal is not only about training influence. It is also about harm prevention. If a model can emit a person’s data, even if that data remains influential, the institution must reduce emission pathways. But bounded honesty demands that redaction be described as emission control, not as removal. Moreover, redaction produces a subtle governance hazard: it can make models less auditably leaky while leaving underlying leakage intact. Shokri and colleagues discuss mitigation strategies like limiting output detail, decreasing precision, and increasing entropy, all of which reduce an attacker’s signal without necessarily altering training influence. An institution can therefore reduce visible leakage while keeping the same model dependence, and then claim that a withdrawal request has been satisfied because the system is quieter. This is how audit theater becomes technically sophisticated.
A withdrawal serious institution must therefore treat redaction as a compensating control whose adequacy depends on the threat model. If the threat model is ordinary user prompting, then filters and refusal behaviors may be adequate. If the threat model includes motivated adversaries using extraction and membership inference techniques, then the evidence burden increases. The system must demonstrate that canary exposure is reduced, that targeted extraction attempts fail within defined limits, and that membership inference style tests show reduced leakage under the output interface the adversary can access. These are not perfect guarantees, but they are measurable and reviewable.
Policy constrained generation and the difference between safety alignment and withdrawal
Policy constrained generation is the broadest of the three practices. It includes training time alignment methods and inference time steering methods that shape what the model is willing to do. Reinforcement learning from human feedback, as described in the InstructGPT work, is one influential approach: models are fine tuned on demonstrations and then optimized using preference rankings so they better follow instructions and reduce undesirable outputs. Constitutional AI describes a related trajectory of training a more harmless assistant through self improvement guided by principles, with supervised and reinforcement learning phases. These methods are significant for governance because they show that institutions can shape model refusals and safety behaviors at scale.
Inference time steering methods likewise provide control without retraining the base model. Plug and Play Language Models introduce a method for controlling generation by guiding hidden activations using gradients from attribute models, allowing controllable generation without modifying base weights. GeDi proposes guiding generation using smaller class conditional language models as generative discriminators to steer token probabilities toward desired attributes and away from undesired attributes. These are powerful levers, and their existence explains why organizations are tempted to treat policy constrained generation as a universal remediation. If a model can be induced not to produce harmful content, then the institution feels it has solved the governance problem.
But policy constrained generation is not unlearning. It is not even redaction in the strict sense. It is behavioral governance. It tells the model how to act, not necessarily what to forget. A refusal to answer does not imply that the data subject’s record has been removed from training, or that the record no longer influences the model, or that the record is non extractable under other prompts. In fact, the more effective the refusal system, the more it can conceal the presence of memorized content by reducing the surface area of outputs, which again can reduce observable leakage without changing internal dependence.
The governance consequence is therefore non negotiable: policy constrained generation can be a necessary safety control and still be insufficient for withdrawal verification. In the Residue Ledger, policy constrained generation should be logged as a separate class of control, tied to policy compliance and harm reduction objectives, not to data subject withdrawal satisfaction, unless it is paired with a credible unlearning or removal mechanism and evidence.
An evaluation protocol that separates the claims
Because the three tools make different claims, they require different tests. Model editing must be evaluated for specificity, generalization, and side effects, as the editing literature itself emphasizes, because an edit that works for one prompt and fails for paraphrases is not an edit, it is a brittle patch. Redaction must be evaluated under canary and exposure style tests that quantify memorization risk for rare sequences, because ordinary prompts under sample based testing will systematically under detect memorization. Policy constrained generation must be evaluated under adversarial prompt suites for policy compliance and harmfulness, as alignment literature routinely does, but it must not be treated as evidence of unlearning.
When withdrawal is the objective, not just safety, the evaluation must include at least two adversarial families. The first family is membership inference style probes, which test whether the system’s outputs reveal whether a record was in training. The second family is extraction style probes and memorization metrics, which test whether the system emits rare sequences that were present in training. The presence of these tests in the ledger is what prevents the institution from relabeling silence as forgetting. Silence may be appropriate. Silence may reduce harm. Silence may even be mandated by policy. But silence is not proof of absence, and the difference matters when you claim verifiable withdrawal.
The chapter’s thesis, stated without comfort
Model editing, redaction, and policy constrained generation are indispensable governance tools, but they are not interchangeable. Model editing is a way to rewrite behavior and associations quickly, as demonstrated by ROME and extended by MEMIT, and it should be treated as a controlled change management operation on deployed weights. Redaction is a way to prevent emissions of sensitive content, and the Secret Sharer methodology shows why you must measure memorization rather than trust intuition. Policy constrained generation is a way to shape model conduct at scale, through training and decoding interventions, as shown by RLHF, Constitutional AI, PPLM, and GeDi. None of these, on its own, satisfies the core demand of withdrawal verification, which is influence reduction and auditable evidence across the propagation graph.
The consequence for the next chapter is immediate. If Chapter Thirteen disciplined the taxonomy of interventions, Chapter Fourteen must confront the paradox these interventions generate: the very systems that produce audit evidence, telemetry, logs, and monitoring are themselves residue generators. In other words, if you make governance measurable, you create new data. If you create new data, you create new withdrawal obligations. Chapter Fourteen therefore treats logging and telemetry as governed datasets, not as engineering exhaust, and proposes a minimized audit architecture in which evidence is sufficient to satisfy adversarial review while avoiding a runaway production of new residue.
Chapter Fourteen
Logs, Telemetry, and the Paradox of Audit Trails
The book has now insisted, repeatedly, that withdrawal cannot be governed by narrative, because narrative collapses under adversarial review, and because narrative cannot follow propagation through complex systems. The primary institutional response to that insistence is to log more: to instrument every pipeline, to capture every access, to retain every event, and to build dashboards that seem to turn messy reality into legible compliance. This response is rational within a security culture that has learned, correctly, that absence of logging is absence of accountability. NIST’s guidance on log management frames logs as essential for security, incident response, and understanding system activity, and it treats log management as an enterprise program with policy, roles, responsibilities, architectures, and ongoing processes rather than a narrow engineering afterthought. NIST’s catalog of security and privacy controls likewise treats audit and accountability as a control family, emphasizing that organizations must define auditable events, protect audit information, and manage retention and review as part of risk management.
The paradox is that the same machinery that makes withdrawal verifiable also produces new residue. Logs are data. Telemetry is data. Audit evidence is data. Much of that data is personal data or becomes personal data through linkability, even when the institution avoids obvious identifiers. Once you accept this, a deeper ethical problem emerges: a maximalist approach to logging can quietly recreate the very extraction and permanence that withdrawal seeks to resist. The system becomes honest about its actions at the price of expanding its archive of people. If the organization responds to every governance demand by collecting and retaining more traces, it can satisfy the auditor while failing the person, because the person’s interiority and limits become ever more legible to the institution.
The law has already anticipated this collision, even if operators often treat it as someone else’s problem. The GDPR’s principles require data minimisation and storage limitation, meaning personal data should be adequate, relevant, and limited to what is necessary for the purpose, and kept no longer than necessary for the purposes of processing, with explicit recognition that some longer retention can be justified for narrowly framed public interest archiving, research, or legal claims. Those principles apply to logs when logs are used for purposes that touch individuals, which is increasingly the case in modern systems where access records, decision records, and model interaction traces can be mapped back to specific persons. The governance consequence is immediate: you cannot defend verifiable withdrawal by building an infinite audit archive, because the infinite archive becomes a new form of nonwithdrawable residue.
NIST’s privacy work offers a parallel framing in risk language rather than rights language. The NIST Privacy Framework explicitly positions privacy as an enterprise risk management problem, emphasizing data processing management and principles such as data minimization and lifecycle alignment. Taken seriously, this implies a design obligation: auditability must be engineered as a constrained system that produces sufficient evidence without producing gratuitous observability. This chapter therefore argues for a minimized audit architecture. The phrase does not mean weak logging. It means logging that is purpose bound, evidence grade, and measurably restrained. It is an architecture that treats audit trails as governed datasets with the same seriousness you apply to training corpora and feature stores, because audit trails are now, in practice, one of the most persistent and most difficult to withdraw residue classes in the modern organization.
The first discipline of minimized audit is scoping, and scoping must be formal rather than cultural. NIST’s log management guidance stresses that organizations should define log management requirements and policies as a program, aligning what is logged and how it is handled with organizational needs. In withdrawal terms, the policy must explicitly separate at least three purposes that institutions often collapse: security monitoring and incident response, compliance evidence for auditors, and product analytics or experimentation. When these purposes are merged into a single telemetry lake, minimization becomes impossible, because any record can be justified by appealing to some broad purpose. Purpose separation is not bureaucracy. It is the precondition for retention limits and access limits that can be enforced. It also creates a clear boundary for withdrawal: a record held for security for a short retention period is not the same moral object as a record held indefinitely for optimization.
The second discipline is event design. Audit systems frequently begin by capturing everything that is easy to capture. Minimized audit begins by capturing what is necessary to support specific claims. NIST’s security and privacy controls treat auditing as tied to defined events and defined content, not as an undifferentiated dump, and they tie audit capability to protection of audit information and control of audit access. This supports a design principle for withdrawal governance: log events should be shaped around evidentiary propositions, where each proposition corresponds to a control objective that an auditor can validate. If the control objective is that a withdrawal request triggered deletion orchestration across specified systems within specified time bounds, the evidence needed is the fact of request intake, the authorized decision, the orchestration actions with timestamps, and the verification results. The evidence is not the entire content of the user’s record, the full payload of every request, or the raw prompts that happened to coincide with the deletion. Evidence oriented event design can be rigorous while still minimal.
The third discipline is retention as an engineered control rather than a policy slogan. GDPR storage limitation is not satisfied by a PDF that says logs expire; it is satisfied by deletion hooks and enforcement. NIST’s approach to security monitoring similarly treats continuous monitoring as an organizational program that collects information according to preestablished metrics to maintain ongoing awareness, which implies that collection and retention are tuned to defined metrics and risk decisions rather than boundless accumulation. In a minimized audit architecture, retention is tiered by residue class and threat model. High sensitivity traces that contain content, such as full request bodies, should have short default retention and narrow access, with explicit exception handling for incident investigation and legal holds. Lower sensitivity traces that capture state transitions without content, such as hashed identifiers and coarse event markers, can often be retained longer because they carry less personal residue while still supporting accountability. This is not a promise of perfect anonymity, because linkability can return through joins, but it is a measurable reduction in exposure.
The fourth discipline is integrity without voyeurism. Security logging is not only about having records, it is about being able to trust them. If an insider can alter logs to erase evidence of misuse, audit trails collapse. NIST treats audit as part of a broader control environment, including protection of audit information and assessments that verify controls are implemented and meeting objectives. A minimized audit architecture therefore needs tamper evidence. The most mature public example of tamper evident append only logging is Certificate Transparency. RFC 6962 describes a log as a single, ever growing append only Merkle Tree, where the append only property is enforced through consistency proofs, enabling detection if a log shows different views to different parties. The governance translation is direct. A Residue Ledger that aims to survive institutional amnesia and bad faith should use append only structures and cryptographic commitments to make retroactive rewriting detectable, while still limiting the content stored so that integrity does not require maximal personal trace capture. The point is not to imitate internet PKI. The point is to learn from its core insight: you can design for accountability by making certain kinds of deception expensive, without logging everything about everyone.
The fifth discipline is separation of duties and controlled observability. If every engineer can query raw logs, logs become a surveillance system with optional restraint. NIST’s security control framework treats access control and auditing as linked, in the sense that both who can access systems and how access is recorded are part of the control fabric. In a minimized audit architecture, access to raw traces should be exceptional, time bound, and itself audited. Most compliance evidence can be generated through derived, aggregated, and minimized representations that preserve the ability to validate claims while limiting exposure of personal content. This is the practical reconciliation of security needs and privacy needs: the system records enough to support accountability, but it defaults to showing auditors and operators the least revealing view that still supports verification.
The sixth discipline is treating logs as first class governed datasets, not as exhaust. Chapter Eleven introduced training bills of materials for training corpora. The same conceptual machinery must apply to audit datasets. A log stream should have a schema contract, a provenance record, a defined purpose, a retention schedule, and deletion or isolation hooks that can be triggered when obligations change. This is where verifiable withdrawal becomes self consistent. The organization cannot claim withdrawal readiness while treating its evidence systems as outside governance. If audit logs are exempt from governance, then the Residue Ledger becomes a machine that guarantees permanent residue. If audit logs are governed, then the ledger can hold truthful evidence while still participating in the discipline of minimization.
At this point, the paradox becomes more precise and therefore more solvable. The problem is not that logging is incompatible with withdrawal. The problem is that undisciplined logging is incompatible with withdrawal. Minimized audit is the design compromise that makes the book’s commitments coherent: produce evidence that an adversarial auditor can validate, while limiting observability and retention so that the evidence system does not become a second extraction system. NIST’s continuous monitoring guidance supports this posture by treating monitoring as visibility into assets, vulnerabilities, threats, and control effectiveness, which implies that what you collect should be driven by defined risk decisions, not by a fantasy of total capture. NIST’s privacy framework supports it by foregrounding data lifecycle management and minimization as core to privacy risk management. GDPR supports it by requiring minimisation and storage limitation as binding principles. RFC 6962 supports it by showing how to make certain records append only and verifiable without requiring blind trust.
This chapter therefore closes Section Two’s technical movement with a final structural claim. Provenance and lineage are the geometry of withdrawal. Evidence systems are the lungs. If the lungs overinflate, the body suffocates on its own trace. The way out is not less evidence. The way out is evidence that is engineered as a constrained, purpose bound, integrity preserving system, one that can be audited without becoming a permanent archive of people.
The next section will turn the lens from infrastructure to economics. If minimized audit makes withdrawal verifiable without generating runaway residue, it also exposes the cost curve of remediation. When you treat evidence as a governed dataset, you can measure how much withdrawal actually costs, in compute, labor, vendor coordination, and model coupling. Chapter Fifteen will name that cost curve explicitly and argue that the moral failure of modern systems is not only that they produce residue, but that they systematically externalize the cost of residue onto the vulnerable, treating remediation as an exceptional burden rather than as a priced design constraint.
Chapter Fifteen
Withdrawal as a Cost Curve
Withdrawal becomes real when an institution stops speaking about it as a moral posture and starts treating it as a priced property of systems. Up to this point, the book has constructed the technical possibility of verifiable withdrawal: provenance and lineage as accountability geometry, evidence as adversarially valid proof, and minimized audit as the constraint that prevents verification from becoming a second archive. But even perfect architecture fails if the organization can always postpone the expense of making that architecture complete. The decisive failure mode is not conceptual confusion. It is cost externalization. Organizations design systems so that propagation is cheap and reversal is expensive, and then they behave as though reversal is a rare exception rather than the inevitable counterpart of extraction. The point of this chapter is to name that asymmetry as an economic structure and to make it governable.
The GDPR already encodes the economic fact that withdrawal is not cost free. Article 17, in the clause dealing with public disclosure and downstream copies, requires controllers to take reasonable steps to inform other controllers processing the data of the erasure request, explicitly “taking account of available technology and the cost of implementation.” Article 19 adds the communication obligation to each recipient, unless this proves impossible or involves disproportionate effort. These clauses are often treated as loopholes or excuses. They are better read as admissions: modern systems create propagation, and propagation creates work, and work has a cost that institutions must bear if they claim that withdrawal has meaning. The ethical question is therefore not whether withdrawal has a cost. The ethical question is who pays, when they pay, and whether the system was designed so that the cost can be anticipated, measured, and internalized before it becomes a crisis.
Economics offers the vocabulary to state the problem cleanly. Pigou’s welfare analysis of external costs formalizes the basic pattern: when an actor can impose costs on others without paying them, private incentives diverge from social welfare, and the actor will tend to overproduce the activity that creates the unpriced harm. Coase then reframes the problem around transaction costs: if bargaining were frictionless, parties could negotiate to an efficient outcome regardless of initial rights allocation, but in the world we inhabit transaction costs are high, and legal and institutional structures determine who bears the burden of harm and remediation. In withdrawal terms, the externality is residue. The transaction costs are the coordination burdens across pipelines, caches, vendors, models, and institutional silos. When those costs are high, insisting that individuals manage their own privacy and withdrawal collapses into a fiction. The literature on privacy externalities makes this explicit: harms and costs often spill beyond the person making a choice, undermining the model of privacy as self management.
The cost curve is therefore not a metaphor. It is the mathematical shape of governance honesty. If withdrawal is cheap early and brutally expensive late, then systems that ignore withdrawal readiness will always appear profitable and fast until a request arrives and the institution discovers that its “no” is administratively non executable. What the Residue Ledger demands is that the organization expose the curve, price it, and design so that propagation depth does not silently convert into moral debt.
To make that demand operational, the chapter introduces a simple economic model that captures the real drivers of withdrawal cost without pretending that the institution can compute exact numbers ex ante. Let a withdrawal request concern a specific subject or record class that has flowed through a sociotechnical system. Define propagation depth, , as the number of distinct processing stages and storage surfaces the data has traversed, counting feature stores, logs, caches, analytics warehouses, vendor processors, derived datasets, and model training artifacts. Define artifact complexity, , as a weighted sum over residue classes, where direct copies and indexed records have low weights, and learned representations, embeddings, aggregated statistics, and model checkpoints have higher weights because removal requires recomputation, retraining, editing, or bounded unlearning. Define vendor boundary count, , as the number of independent processors and platforms across which the institution must coordinate. Define coupling, , as the degree to which the data is entangled in shared assets, such as reused features, shared training corpora, and composite models, where removal has collateral consequences. Define evidence burden, , as the level of proof required by the organization’s commitments and risk posture, ranging from internal assertion to reproducible rebuilds and third party validation.
Then the expected cost of a withdrawal action, , can be framed as:where is the fixed cost of maintaining withdrawal readiness infrastructure, including lineage collection, orchestration tooling, evidence pipelines, and governance staffing, and is the variable cost that increases with propagation depth, artifact complexity, vendor boundaries, coupling, and evidence burden.
The important claim is not the algebra. The important claim is the curvature. For most organizations, is convex with respect to and . Early deletion in a system that maintains clean data boundaries is often close to linear work. Later deletion after propagation into coupled assets becomes superlinear because each additional surface multiplies coordination work and increases the chance that removing one artifact requires recomputing many others. Coase’s lesson about transaction costs applies directly: the friction is not just technical. It is organizational bargaining, cross team negotiation, vendor escalation, and the cognitive labor of reconstructing what happened when the system did not record lineage in the first place.
This is why the seemingly abstract emphasis on lineage and evidence is, in economic terms, a cost reduction program. Lineage does not make withdrawal free. It makes the cost predictable and it collapses the search space. It lowers transaction costs by reducing the labor required to determine where the data went and what it touched. The economic effect of lineage is therefore to flatten the curve, not by eliminating , but by reducing its growth rate and variance.
A second economic structure appears when the organization considers not only the cost of performing withdrawal, but the cost of not performing it. The most widely discussed analogue is breach cost. IBM’s Cost of a Data Breach reporting, which aggregates extensive survey data with the Ponemon Institute, provides headline estimates of average global breach costs and highlights the compounding effects of disruption, response, and governance gaps. Breach economics is not withdrawal economics, but the analogy is instructive: a failure to invest in controls can look rational until the tail risk is realized. Withdrawal obligations, especially under regulatory regimes and contractual commitments, exhibit a similar distribution. The cost of building readiness is a steady expenditure. The cost of a failure becomes discontinuous, arriving as regulatory penalties, litigation, operational disruption, and reputational harm. When organizations treat withdrawal as an edge case, they are effectively placing a bet that the tail will not be realized, and they are often placing that bet with other people’s lives and time.
Acquisti, Taylor, and Wagman synthesize the economics of privacy literature by emphasizing how information technology complicates incentives and how privacy choices and outcomes do not align neatly with simple preference models. What matters for this chapter is the broader implication: privacy and withdrawal are not only values, they are institutional production problems with strategic behavior and asymmetric information. Firms often have stronger incentives to collect and retain data than to create credible mechanisms for revocation, because the benefits of retention are immediate while the costs of residue are delayed, diffuse, and often externalized. The consequence is predictable: absent a pricing mechanism that makes residue expensive inside the organization, residue will accumulate.
The Residue Ledger introduces that pricing mechanism by insisting on measurement. But measurement alone does not internalize cost. It can even worsen incentives if it becomes a reporting regime that teams learn to game. Internalization requires that the organization change its accounting, its governance, and its operating model so that the marginal cost of creating residue is felt by the team that creates it, not by an abstract compliance function later.
This is where the withdrawal cost curve becomes a management control. The curve must be embedded into three institutional levers.
First, design review must treat withdrawal cost as a first class requirement, as real as latency budgets and reliability targets. The question is not, can we delete. The question is, what is the estimated for a representative withdrawal request after one month, one year, and three years of operation, given anticipated propagation. That estimation is necessarily imperfect, but its existence forces teams to confront coupling and vendor boundaries before they become irreversible. It also forces the institution to ask whether a proposed use of data is worth its implied remediation debt.
Second, the organization must create internal cost allocation that charges teams for residue. In environmental economics, Pigouvian taxes are a canonical mechanism for internalizing negative externalities by forcing actors to pay the social marginal cost of their actions. A direct tax is not the only mechanism in a firm, but the logic can be translated. You can implement internal transfer pricing where shared platforms charge higher rates for storage classes and retention durations that produce high withdrawal costs. You can charge teams for vendor processors in proportion to the downstream deletion coordination burden. You can price coupling by charging more for reuse of shared features without provenance guarantees. None of this requires moralizing. It requires accounting that stops pretending residue is free.
Third, governance must treat withdrawal failures as incidents with postmortems that include cost accounting. The safety culture of modern operations already understands postmortems as a mechanism for learning and reducing future risk. The innovation here is to treat each withdrawal action as a measurable event whose variable cost is recorded in the ledger and fed back into design decisions. When a deletion required a week of cross team coordination, that is not merely a technical inconvenience. It is a signal that the system has accumulated transaction costs. Coase’s framing clarifies what must follow: change the institutional conditions that make coordination expensive, or accept that your rights claims about withdrawal are performative.
At this point the cost curve becomes the hinge between ethics and operations. A system that makes propagation cheap and reversal expensive will always be tempted to declare that certain withdrawals are disproportionate effort. That language appears directly in GDPR obligations around notification to recipients. A verifiable withdrawal program must not deny that disproportionate effort exists. It must instead make disproportionate effort an indictment of system design, not a normal condition. The only way to achieve that is to shift expenditures earlier in time, investing in fixed infrastructure so that variable cost is bounded. This is a temporal moral claim: pay up front so you do not make people pay later.
The chapter also clarifies a second, less intuitive property of the curve: the existence of irreducible remainder. Even with excellent design, some artifacts cannot be removed without destroying accountability, legal compliance, or the integrity of records necessary for justice. GDPR itself anticipates this through its exceptions and its balancing of erasure with other obligations, and through principles that allow retention when necessary for legal claims and other specified purposes. The existence of remainder does not weaken the argument. It strengthens it by clarifying the target: not purity, but bounded residue and truthful accounting. This is exactly why the curve must be explicit. If you cannot eliminate a residue class, then you must price it, constrain it, and disclose it. Honesty is a control.
An instructive parallel comes from differential privacy and official statistics, where privacy protection and accuracy are treated as a resource allocation problem. Abowd and Schmutte propose an economic framework that formalizes the tradeoff and argues for an optimal choice where the marginal cost of increasing privacy equals the marginal benefit, treating privacy loss as a quantity that can be allocated under constraints. The withdrawal problem is not identical, but the structural similarity is decisive: privacy is not a slogan, it is a budget. Withdrawal readiness is not an aspiration, it is a production function. Institutions must decide how much evidence to retain, how much coupling to allow, and how much remediation capability to fund, under constraints of performance and cost. The way to make those decisions ethical is to force the organization to account for the marginal cost of creating residue and the marginal benefit of the data use that created it.
The chapter now returns, briefly, to the question of incentives under sociotechnical reality. Privacy externalities imply that individual choice cannot bear the full burden of privacy governance because others’ decisions and institutional architectures impose privacy costs. In withdrawal terms, this is why consent as an event is insufficient. Even if a person refuses, the system may have already inferred, propagated, and embedded. Therefore the moral promise of withdrawal must be institutional, not individual. That promise is credible only if the institution commits to paying the cost of its own reversibility. If the institution designs so that it cannot afford to reverse, then its consent language is, in practice, a one way valve.
The practical deliverable of Chapter Fifteen is therefore a reframing that will drive the rest of Section Four. Withdrawal is not only a right. It is a liability curve. It rises with propagation depth and coupling. It is flattened by lineage, minimization, and architectural separation. It is made honest by evidence burdens that are commensurate with threat models. And it is made real by internal pricing that forces teams to feel the cost of residue at design time.
This sets up the next chapter, which addresses a question that organizations often treat as novel but is structurally familiar: can there be a market for residue risk, and can that market price withdrawal readiness in a way that changes incentives. If Chapter Fifteen is the internal economics of remediation, Chapter Sixteen will examine insurance, underwriting, and the emerging logic of pricing governance evidence, asking whether institutions can be forced, by market mechanisms as well as law, to pay for reversibility before they need it.
Chapter Fifteen: Withdrawal as a Cost Curve
Withdrawal becomes real when an institution stops describing it as a moral posture and starts treating it as a priced property of systems. Up to this point, the book has built the technical prerequisites of verifiable withdrawal: provenance and lineage as accountability geometry, evidence that survives adversarial review, and an audit architecture that constrains observability so verification does not become a second archive. The remaining question is the one that decides whether any of that will survive contact with incentives. If withdrawal is expensive, who pays, when do they pay, and what design choices silently decide those answers.
The GDPR already encodes the economic fact that reversal has a cost, even if organizations prefer to hide that cost inside vague language. Article 17, in the clause dealing with public disclosure and downstream copies, requires controllers to take reasonable steps to inform other controllers processing the data of the erasure request, explicitly taking account of “available technology and the cost of implementation” (Regulation (EU) 2016/679 art. 17(2)). Article 19 adds the notification obligation to each recipient unless this proves impossible or involves disproportionate effort (Regulation (EU) 2016/679 art. 19). Read as engineering rather than as excuse, these clauses make a sober admission: modern systems create propagation, propagation creates work, and work has a cost that institutions must bear if they claim withdrawal has meaning.
Economics supplies the vocabulary to state the structure without sentiment. Pigou’s analysis of external costs formalizes the core pattern: when an actor can impose costs on others without paying them, private incentives diverge from social welfare and the actor tends to overproduce the activity that generates the unpriced harm (Pigou). Coase reframes the problem around transaction costs, showing that when coordination is costly, the allocation of rights and institutional structure determine who bears the burden of harm and remediation (Coase 1–44). In withdrawal terms, the externality is residue. The transaction costs are the coordination burdens across pipelines, caches, vendors, feature reuse, retraining, and internal bargaining. When those costs are high, the idea that individuals can manage their own withdrawal through consent choices collapses into a fiction, which is one reason privacy economics has repeatedly emphasized how real world privacy outcomes do not reduce to a simple preference model (Acquisti, Taylor, and Wagman 442–92).
This is the meaning of the cost curve. Withdrawal cost is not a single number. It is a function of propagation depth and entanglement. Early in a data lifecycle, removal can be close to routine operational work. Later, after fan out into multiple storage surfaces and model artifacts, the same request becomes superlinear because each additional surface multiplies coordination, recomputation, and the likelihood that removal triggers collateral disruption. Coase’s transaction costs are not an academic aside here. They are the labor of reconstructing lineage after the fact, the time spent negotiating across teams that do not share incentives, and the friction of pushing obligations across vendor boundaries (Coase 15–18). The curve steepens when the system was not built to remember where data went, and it steepens again when shared assets turn individual removal into a collective refactor.
A withdrawal serious institution should therefore describe total withdrawal cost in plain language that operators can actually use. There are two components. First there is a fixed, ongoing program cost, the baseline investment required to keep withdrawal from being an improvisation. This includes lineage capture, orchestration tooling, evidence generation, governance staffing, and the minimized audit controls that prevent evidence systems from becoming infinite retention machines. Second there is the variable per request cost, the marginal work triggered when a concrete withdrawal request arrives. That variable cost increases with propagation depth, with the difficulty of the residue classes involved, with the number of vendor and trust boundaries that must be coordinated, with the degree of coupling created by feature reuse and shared corpora, and with the evidence burden the institution has committed to produce. Once those drivers are stated explicitly, an institution can stop pretending that withdrawal is an edge case and start treating it as an engineering budget that is shaped by design choices.
This framing also exposes why lineage and evidence are not administrative overhead. They are transaction cost reduction. They lower the search space, reduce uncertainty about where data flowed, and shrink the amount of human coordination required to produce a credible proof. In economic terms, they flatten the curve by reducing both the growth rate of marginal cost and the variance of cost outcomes, which matters because variance is what makes withdrawal feel like a crisis rather than a routine obligation. A firm that refuses to fund fixed readiness ends up paying a chaotic premium later, and it often pays that premium only when compelled by law, litigation, or reputational shock, which is a predictable incentive failure.
The next step is to connect withdrawal costs to the broader risk economy organizations already understand. Breach cost modeling is not identical to withdrawal cost modeling, but it clarifies a similar temporal structure. The IBM and Ponemon Cost of a Data Breach Report provides quantitative evidence that security failures carry large and rising costs, including business disruption and response overhead, and it frames investment decisions as risk management rather than as moral performance (IBM Security and Ponemon Institute 2–6). Withdrawal failures exhibit a related distribution. The steady cost is readiness infrastructure. The discontinuous cost arrives when an institution cannot satisfy its withdrawal obligations, or cannot prove it did, and the resulting damage shows up as operational disruption, legal exposure, and loss of trust. When organizations treat withdrawal as exceptional, they are placing a bet that the tail will not materialize, and they are often placing that bet with other people’s time, dignity, and contestability.
Internalization is therefore the real governance objective. Measurement alone does not internalize cost, because a reporting regime can be gamed. Internalization means the organization changes its accounting and decision rights so that the marginal cost of creating residue is felt by the team that creates it at design time, not offloaded to a compliance function later. Pigou’s logic is instructive even inside a firm: if a team can externalize the future remediation burden, it will rationally overproduce propagation because propagation makes short term delivery easier (Pigou). Coase’s logic is equally instructive: if the organization makes cross team and cross vendor coordination expensive, it will rationally underinvest in withdrawal because every withdrawal becomes a transaction cost swamp, and decision makers will learn to call that swamp “disproportionate effort” (Coase 15–18; Regulation (EU) 2016/679 art. 19).
A practical internalization program therefore has three implications, stated here in continuous prose because they must be absorbed as a single logic rather than as a menu of options. First, design review must treat withdrawal cost as a first class systems property, comparable in seriousness to reliability and latency, by requiring teams to estimate how the marginal cost of a withdrawal request will evolve over time given anticipated propagation, coupling, and vendor boundaries. Second, internal cost allocation must change so that retention duration, coupling into shared assets, and expansion of vendor processors carry internal charges that reflect their predictable remediation burden, making residue expensive inside the organization rather than cheap until it becomes a crisis. Third, withdrawal actions and withdrawal failures must be treated as incidents with postmortems that include cost accounting, so the organization learns concretely which architectural choices made reversal expensive and which governance gaps turned a routine request into a coordination meltdown.
The final step is to name the remainder without letting remainder become an excuse. Even with excellent design, some artifacts cannot be removed without harming accountability, violating legal retention duties, or erasing records needed for justice. The GDPR itself anticipates this through its structured exceptions and through the balancing of erasure against other obligations (Regulation (EU) 2016/679 art. 17(3)). The existence of remainder does not weaken the argument for verifiable withdrawal. It strengthens it by clarifying the aim. The aim is not purity. The aim is bounded residue and truthful accounting, with explicit disclosure of what cannot be withdrawn, why it cannot be withdrawn, and what institutional constraints govern its retention.
One final analogy, drawn from the economics of differential privacy, helps sharpen this orientation. Abowd and Schmutte treat the tradeoff between privacy protection and statistical accuracy as a resource allocation problem, proposing an approach where an institution operates where the marginal cost of increasing privacy equals the marginal benefit, making privacy a governed budget rather than a slogan (Abowd and Schmutte 171–202). Withdrawal readiness is not the same object, but the structure is similar: institutions must decide how much evidence to retain, how much coupling to allow, and how much reversibility to fund under constraints, and the ethical difference emerges from whether they make those decisions by externalizing costs onto the vulnerable or by pricing and internalizing the burden of their own systems.
This is where the chapter lands. Consent as an event cannot carry the burden of privacy governance because modern data systems generate privacy externalities that spill beyond individual choice, making self management inadequate as a primary governance model (de Brouwer). Therefore withdrawal must be institutional. If it is institutional, then the institution must pay for its own reversibility. The cost curve is the accounting device that makes this requirement concrete. It reveals how propagation depth and coupling generate moral debt, how lineage and minimized audit flatten that debt, and how internal pricing forces the organization to feel the cost of residue before it becomes a crisis. Chapter Sixteen will take the next step and ask whether markets, especially insurance and underwriting logics, can price withdrawal readiness in ways that reinforce, rather than undermine, this internalization project.
Chapter 16: Insurance, Incentives, and the Market for Residue
Insurance is the canonical institution for turning diffuse uncertainty into a priced obligation, and it is therefore the most revealing place to watch the modern consent failure mature into something measurable. If Chapter 15 argued that withdrawal is a cost curve that steepens with propagation depth, this chapter argues that insurance and reinsurance are the social technologies that decide whether that curve becomes a private inconvenience, a priced discipline, or a public crisis. The question is not whether cyber insurance exists. It does. The question is whether the market can be made to price residue, rather than price only headline incidents, and whether it can do so without converting the most vulnerable domains of life into premium bearing objects whose only moral status is actuarial.
The classical economics here is not decorative. Arrow’s point was that when uncertainty is the governing condition, markets depend on institutions of trust, norms, and verification that exceed simple price signals, because information asymmetry and the difficulty of specifying quality and contingency break the competitive ideal (Arrow 941 to 943, 952). He makes an argument, in effect, about why “insurance” is never just a contract, but a governance system: the ability to pool risk depends on what can be known, what can be enforced, and what can be observed. When cyber insurance fails to price residue, it is not because insurers are foolish. It is because residue is the very kind of obligation markets underproduce when observation is weak, incentives are misaligned, and losses are correlated rather than independent. Rothschild and Stiglitz formalize the sharper edge: when buyers know more about their risk than insurers do, equilibrium itself can fracture, and even where it exists it is shaped by screening, separation, and strategic contract design rather than naive pooling (Rothschild and Stiglitz 633 to 634). Cyber risk is saturated with this problem because firms privately know their internal controls, their incident histories, and their operational coupling, while the insurer sees a thin questionnaire, a broker narrative, and sometimes a scanning report.
Residue makes the asymmetry worse in a specific way. Most organizations can estimate the probability of a visible breach and the likely first order loss. Few can honestly enumerate the downstream artifacts that persist after “remediation,” and fewer can quantify their endurance across vendors, feature stores, caches, derived statistics, and model checkpoints. That is precisely why, in the cyber insurance literature, secondary losses and interdependence become decisive. In their unifying framework for modeling cyber insurance, Böhme and Schwartz emphasize how information asymmetry and losses that sit outside the contract can distort premiums and demand, producing overpricing and an underdeveloped market, and they foreground interdependent security as a structural condition rather than an edge case (Böhme and Schwartz 26). Their diagnosis maps cleanly onto the residue ledger thesis: when what matters most is what cannot be directly observed and cannot be cleanly indemnified, price alone fails to discipline behavior, and the market either shrinks, or it expands on paper while quietly excluding the events that would test it.
- Why cyber insurance misprices residue
The most basic mispricing mechanism is correlation. Insurance works best when risks are independent enough that the law of large numbers stabilizes aggregate losses. Rothschild and Stiglitz explicitly mark the boundary: some risks cannot be diversified, such as nuclear war, and models premised on diversifiable risk do not apply there (Rothschild and Stiglitz 633). In cyber, what looks diversifiable at the level of single firms becomes correlated at the level of shared software monocultures, shared cloud dependencies, shared identity providers, and shared vendor incident response networks. That is why market actors have been forced, in recent years, to develop explicit frameworks for what counts as a major cyber event, because the hard underwriting question is not whether loss is possible, but whether losses aggregate across the book in a way that threatens solvency.
The industry effort to define major cyber events is itself an admission that cyber risk is not yet a stable insurable object in the classical sense. The ABI and Lloyd’s Cyber Working Group explicitly frames the problem as definitional and systemic, emphasizing the absence of a comprehensive global definition and the lack of historical precedent as obstacles that complicate modeling, monitoring, and transferring risk, and they propose a component framework meant to support risk appetite setting and coverage design (Lloyd’s and the ABI 6). The important move for our purposes is that they treat major cyber events as multi dimensional, spanning attribution, cause of loss, footprint, duration, spreading mechanism, motive, and monetary loss, and they warn that scenario precision can create false confidence (Lloyd’s and the ABI 5 to 6). That warning is also a warning about residue. If you specify only the incident and not the propagation surface, you will design a contract that performs well on a narrow story and fails under the actual ecology of artifacts.
A second mispricing mechanism is that insurance contracts tend to price what is legible and exclude what is politically and operationally explosive. This is visible in the contemporary handling of state linked or war adjacent cyber operations. The Lloyd’s Market Association cyber war clauses are a public artifact of this pressure, offering clause types that exclude state backed attacks in varying degrees, and in some cases exclude significant impairment losses even outside war framing. Exclusions are not morally neutral. They are an economic confession about what the market cannot safely bear without some form of backstop or reinsurance structure. When the excluded tail overlaps with the kinds of events that generate maximal residue across critical infrastructure and shared dependencies, then the incentive effect of insurance weakens precisely where governance needs it most.
A third mispricing mechanism is that the insured’s objective function and the insurer’s objective function do not align. The insured cares about reputational harm, operational downtime, regulatory action, and the internal cost of restoring trust. The insurer cares about indemnifiable financial loss within policy terms. ENISA’s research oriented report on cyber insurance models makes this divergence explicit when it notes that aspects such as reputational damage are not as relevant to the insurer as to the affected firm, and it emphasizes that portfolio loss distributions are strongly influenced by dependencies across policies. That is a technical way of saying that the market prices only the subset of harm that can be formalized, and it does so under correlation pressure. Residue, by definition, is the remainder that persists after the contractual harm has been paid or denied. If residue is outside the contract, it can still be the dominant moral object, but it will not be the dominant pricing object.
- A more precise claim: residue is an insurability problem
To say that cyber insurance misprices residue is not to say that the market is “wrong” in the moral sense. It is to say that residue has the features that make risks hard to insure: it is difficult to observe, expensive to verify, and entangled with correlated loss. Even the modeling literature that tries to tame cyber risk immediately reaches for contagion and coupling. ENISA’s discussion of contagion models begins from the premise that systemic risks arise from the coupling and interaction of entities and that these have high relevance in networked cyber systems, then draws on epidemic and financial modeling approaches to represent systemic spread. When you translate that into withdrawal governance, you get a crisp inference: if propagation is the harm mechanism, then withdrawal readiness is the only plausible lever that turns the harm mechanism into a bounded obligation.
This is where the Residue Ledger becomes legible as an underwriting object. Underwriting is, at bottom, a decision about what evidence is admissible as a proxy for future behavior. If we want insurance to discipline residue rather than only breach headlines, we need to change what counts as underwriting grade evidence. The market is already moving in that direction, though not yet with our terminology. Lloyd’s cyber market management work emphasizes better exposure understanding, more granular claims data frameworks, and preparation for major events including third party incident response supply contracts, precisely because the book must be understood at the level of aggregates and dependencies. When a market starts demanding aggregate exposure reporting and more granular data, it is implicitly demanding a lineage and evidence discipline. The Residue Ledger proposal makes that demand explicit and relocates it from vague “cyber hygiene” to auditable withdrawal properties.
- Evidence based underwriting: from hygiene narratives to withdrawal readiness
Insurance markets shape behavior only when the insured believes that premium, coverage, and renewal are meaningfully connected to controls, and when the insurer can verify those controls with enough fidelity to avoid being gamed. Here the classic moral hazard problem becomes concrete: if insurers cannot observe the insured’s security and governance investment, then the insured may underinvest, and insurance becomes an anesthetic rather than a discipline. Böhme and Schwartz’s survey makes this explicit in the interdependent security setting: when security investment is unobservable, the market can fail due to moral hazard; when investment is contractible and included in the contract, equilibrium can exist, but insurance can still reduce security investment because insurance and security become substitutes in the insured’s decision calculus (Böhme and Schwartz 26). That analysis is not an argument against insurance. It is an argument for specifying what must be observable, testable, and evidence producing if insurance is to improve welfare.
Withdrawal readiness is a better underwriting target than generic cyber posture because it ties directly to the mechanism of harm propagation. A firm can have strong perimeter controls and still produce catastrophic residue because its data and model pipelines are architected for reuse without lineage and without deletion semantics. Conversely, a firm that treats withdrawal as an operational primitive will, as a byproduct, tend to have stronger segmentation, stronger inventory discipline, clearer vendor boundaries, and clearer incident response playbooks, because withdrawal forces you to map what you have and how it moves. This is why the ABI and Lloyd’s “major cyber event” components are instructive even though they are not written for our book: the components are not simply descriptive, they are the axes along which evidence must be produced if an event is to be analyzed, bounded, and priced. Our claim is that the same orientation can be imposed at the level of individual withdrawal requests and cumulative residue obligations.
In practice, evidence based underwriting for residue would pivot from self attestation to adversarially meaningful proofs. In Chapter 7 I defined an evidence ladder for withdrawal. Here I am proposing that insurers, reinsurers, and brokers begin to treat that ladder as a pricing schedule. The lowest rung is narrative: policy statements, training, and a deletion ticket workflow. The higher rungs are technical: lineage graphs that can be sampled, deletion orchestration logs that can be replayed, independent verification of vendor deletion hooks, reproducible rebuilds that demonstrate the absence of a withdrawn datum from a derived artifact, and targeted model evaluation suites that test whether withdrawn canaries appear. The point is not that every insured must reach the highest rung. The point is that the market must stop treating the lowest rung as an acceptable substitute for the middle.
The industry’s movement toward defining major cyber events is, again, a clue that the market wants a more disciplined grammar for accumulation and aggregation. The ABI and Lloyd’s framework explicitly aims to support risk appetite and solutions across the risk management chain, including insured confidence, risk tolerance setting, and capital requirement evaluation. A residue centered underwriting logic would extend that chain into a technical specification: what data lineage primitives exist, what deletion semantics exist by residue class, what evidence artifacts can be produced on demand, and what the measured time to withdrawal is for each class.
- The market for residue and the backstop question
Even if we succeed in making withdrawal readiness an underwriting object, a hard remainder remains: there are cyber events, and therefore residue cascades, that the private market will try to exclude unless a public private backstop exists. This is not conjecture. It is visible in the discourse around state backed cyber risk and terrorism frameworks. The Financial Times reports concern that existing UK terrorism reinsurance structures risk becoming obsolete under the rising threat of state sponsored cyber attacks, and it describes the pressure this places on certification thresholds and government guidance. It also reports that UK cyber insurance claims in 2024 surged sharply and that industry leaders and regulators have called for government backed reinsurance to protect against large scale cyber risks, while noting that coverage often excludes state backed attacks. These are symptoms of the same structure: correlated tail risk pushes private markets toward exclusions, and exclusions push losses back onto firms, workers, and publics, often in the most infrastructure coupled domains where residue is maximal.
A residue ledger perspective clarifies what a backstop is for. A backstop is not an excuse for lower controls. It is a mechanism for absorbing correlated tail loss while enforcing a code of evidence. In the best case, it operates like fire codes and building inspections: it does not promise that fires will never happen, but it conditions coverage on architecture that reduces spread, documents escape routes, and makes loss bounded rather than existential. The ABI and Lloyd’s effort to define major cyber event components can be read as early code writing, a way of making the tail legible enough to be discussed without collapsing into either panic or denial. Our addition is to insist that the code must include withdrawal readiness, because in data and model systems the analog of fire spread is propagation, and the analog of containment is verifiable withdrawal.
This is also the place to name a moral hazard that is usually hidden. When governments implicitly socialize catastrophic cyber losses through emergency guarantees, bailouts, or ad hoc support, they create a de facto backstop without any code. The Financial Times coverage of the Jaguar Land Rover cyber incident and the subsequent government credit guarantee debate captures the moral hazard anxiety and the desire for more systematic approaches such as strengthening insurance and reinsurance schemes. I do not need to litigate the particulars of that case to make the point. The point is structural: informal backstops are the worst of both worlds, because they socialize loss while failing to enforce evidence producing controls. A formal backstop, tied to residue evidence, can do better.
- The insured, the insurer, and the worker who actually pays
A market for residue cannot be evaluated only at the level of firm behavior. It must be evaluated at the level of who bears the remainder when insurance fails. If cyber insurance primarily prices breach response while excluding the long tail of state linked events, inference harms, and latent profile persistence, then the costs of residue are pushed onto those with the least bargaining power: workers subject to monitoring systems, welfare recipients subject to administrative surveillance, patients whose data travel through vendor ecosystems, and consumers whose inferred attributes are traded as durable profiles.
This is why I refuse to treat underwriting as neutral. Underwriting is a political economy instrument. It decides what kinds of harms count as compensable and what kinds of harms count as acceptable externalities. Zuboff’s analysis of behavioral extraction is relevant here not as rhetoric but as a description of an economic model that generates persistent residue by design: the firm profits from the endurance of the profile, not from its deletion. In that model, the rational response to withdrawal requests is to comply at the surface while retaining derived artifacts that keep the predictive surplus intact. Insurance markets that price only surface compliance participate in that structure. Insurance markets that price evidence of withdrawal, especially evidence about derived artifacts, begin to pressure the extraction model at its technical core.
The academic modeling literature gives us a technical bridge for this argument. ENISA’s emphasis on systemic dependencies and contagion models is, in effect, an argument that cyber risk is a network phenomenon, not a firm isolated phenomenon. Interdependent security models show that one actor’s investment affects others. Böhme and Schwartz emphasize that insurers can improve social welfare while potentially harming network security under some parameter ranges because of substitution effects (Böhme and Schwartz 26). The lesson is that naive insurance can backfire. The corrective is not to abandon insurance, but to design insurance and underwriting so that what is incentivized is not only breach prevention but also containment, reversibility, and evidence. Withdrawal readiness is precisely the reversibility discipline that transforms network risk from an unbounded externality into a managed obligation.
- A practical proposal: underwriting schedules for withdrawal evidence
I am deliberately not presenting a shopping list of controls here, because lists are how governance becomes theater. The proposal is simpler and more demanding. Insurers should begin to require, for coverage above certain thresholds and for renewals in high coupling sectors, a withdrawal evidence schedule that is auditable and testable. This schedule would specify, in contract terms, what evidence artifacts must be producible on request and on incident, what sampling methods can be used by the insurer or a third party auditor, what time to withdrawal service levels are promised by residue class, and what exceptions exist, with explicit language for the moral remainder.
This proposal is aligned with where the market is already going. The ABI and Lloyd’s guidance is explicitly designed to support coverage design, capital assessment, and risk tolerance setting, and it warns about false confidence and the need for holistic component analysis. The Lloyd’s cyber strategy work emphasizes aggregate exposure collection and more granular claims data, which implies a move toward more structured evidence and taxonomy. My claim is that withdrawal readiness should be the taxonomy that organizes this evidence, because it is the only taxonomy that directly binds consent ethics to pipeline mechanics.
The market also needs to be honest about exclusions. The LMA cyber war clause typology is a reminder that some categories will be excluded unless a backstop exists. The residue ledger approach does not pretend otherwise. It demands that excluded categories be treated as governance obligations nonetheless, with internal cost internalization and public accountability. If the market cannot bear the tail, the institution still must, because the tail is where the most severe residues often live.
- Where this leaves us
By the end of this chapter, the argument should feel less like an abstract critique of insurance and more like a concrete design constraint for the entire book. If withdrawal verification is the ethical center of gravity, then insurance is one of the few institutions that can force firms to build withdrawal infrastructure before the worst incidents occur. But insurance can only do that if underwriting stops accepting narrative compliance and starts demanding withdrawal evidence that survives adversarial scrutiny. That is the technical meaning of a market for residue: premiums and coverage become functions of measurable reversibility, not just of promised best efforts.
In Chapter 17 I will turn this underwriting logic into procurement language and institutional contracting practice, because procurement is where firms currently launder responsibility through vendors, and it is where withdrawal readiness can be made enforceable across trust boundaries rather than confined to internal posture.
Chapter Seventeen: Procurement as Moral Engineering
Procurement is where institutions decide, in binding language, whether withdrawal is a lived capability or a ceremonial promise. Engineers often treat contracts as paperwork that arrives after design, and lawyers often treat systems as opaque artifacts whose internal logic is outside the deal. Verifiable withdrawal collapses that separation. In complex pipelines, residue is manufactured as a supply chain phenomenon: vendors ingest, transform, cache, replicate, fine tune, subcontract, log, and retain, and each boundary multiplies the number of places where “we deleted it” can be said without being true. The procurement function is therefore not a clerical back office. It is the institution’s most concentrated instrument for turning ethics into enforceable telemetry, evidence, and time bound obligations.
The basic legal architecture already states this, even if most organizations operationalize it weakly. The GDPR requires that processing by a processor be governed by a binding contract that sets out the processing subject matter, duration, nature, purpose, data categories, and the obligations and rights of the controller, and it enumerates minimum contractual requirements including confidentiality, security measures, subprocessor conditions, assistance duties, deletion or return after service provision, and audit enablement (Regulation (EU) 2016/679 art. 28(3)). The GDPR does not treat these as optional improvements. It treats them as baseline conditions for lawful outsourcing. The European Data Protection Board has also published standard contractual clauses for controller processor relationships, including explicit audit and inspection language requiring the processor to make available information necessary to demonstrate compliance and to enable audits, including on site inspections, by the controller or a mandated auditor. The United Kingdom Information Commissioner’s Office guidance likewise emphasizes that Article 28 contracts must include specific terms, including confidentiality commitments for those who process the data, which is one of the simplest examples of how procurement becomes an enforceable control rather than a statement of intent.
The Residue Ledger framework tightens the interpretation of these obligations. “Delete or return” is not a single act. It is a family of semantics that must be specified in the contract in ways that map onto residue classes. “Enable audits” is not a right to ask questions. It is a right to obtain verifiable evidence and to test it. “Subprocessors” are not a disclosure checkbox. They are a graph expansion mechanism that must be bounded by flow down obligations that preserve lineage, withdrawal semantics, and evidence production. Once you see procurement in these terms, a procurement clause is no longer a legal ornament. It is a systems specification that decides whether downstream systems are built to support revocation verification or to defeat it.
This chapter therefore treats procurement as moral engineering in three senses that must be held simultaneously. First, procurement is an epistemic instrument that decides what the institution is allowed to know about itself, because you only get the evidence you contract for. Second, procurement is an incentive instrument that decides whether vendors will invest in withdrawal readiness, because vendors rationally build what buyers pay for and what buyers can test. Third, procurement is a boundary instrument that decides whether residue is internalized or exported, because outsourcing without verifiable withdrawal terms is cost externalization disguised as modernization.
The procurement failure pattern: when control objectives do not bind to evidence
James C. Scott’s critique of legibility projects is often read as a warning about bureaucratic simplification, but its most actionable insight for operators is this: institutions routinely substitute administrable representations for reality, then govern the representation while harm accumulates in the gap (Scott). Procurement can become exactly that kind of legibility theatre. A vendor provides a compliance packet, a policy statement, and an annual attestation, and the buyer treats the packet as the system. Meanwhile, the actual processing reality is an evolving pipeline of caches, model updates, internal analytics, subcontractors, and debugging exports. The administrative representation is legible, therefore governable, therefore safe, until the moment a withdrawal request arrives and the buyer realizes that the representation never contained the edges where residue actually lives.
The NIST body of supply chain risk management guidance is valuable here because it describes supply chain risk as a lifecycle phenomenon rather than a one time assessment. The updated NIST guidance on cybersecurity supply chain risk management emphasizes integrating risk management practices across the system lifecycle and treating supply chain risks as spanning suppliers and their own supply chains, which is precisely the structure that makes residue proliferate across fourth parties when contracts do not enforce flow down obligations. This is not only security doctrine. It is withdrawal doctrine, because the same dependencies and visibility limits that produce systemic security risk also produce withdrawal non executability. If a buyer cannot map its software and data supply chain with enough granularity to manage a vulnerability, it will not be able to map propagation with enough granularity to execute deletion semantics or prove isolation across vendors.
The procurement challenge is therefore to translate control objectives into contract language that produces testable evidence, not just promises. This is aligned with the GDPR’s insistence that processors must make available the information necessary to demonstrate compliance and must enable audits. The Residue Ledger simply insists that “information necessary” includes lineage relevant to withdrawal and evidence artifacts that can be validated by an adversarial auditor, because without those artifacts there is no way to distinguish truthful deletion from ceremonial deletion.
The central procurement move: evidence schedules, not generic assurances
A useful way to state the heart of the chapter is this: procurement should demand an evidence schedule that is specific enough to be testable, light enough to be sustainable, and strict enough to survive adversity.
An evidence schedule is not a list of documents. It is a set of obligations linking each claim to its proof. The European Data Protection Board standard clauses already point toward this structure by binding the processor to provide information necessary to demonstrate compliance and to support audit and inspection. The buyer’s task is to translate “information necessary” into concrete evidence artifacts for residue, then enforce them with service levels and remedies.
Because a book chapter must be directly usable, I will now write the core procurement language as adaptable clauses. I am writing them in plain text, intentionally, because many organizations will paste these into Google Docs and WordPress, and the aim is usability under constraint rather than typographic elegance.
Clause family 1. Data mapping and propagation disclosure. The supplier shall maintain a current processing map for the services, including all systems where customer data is stored, cached, logged, transformed, or used to train, tune, evaluate, or otherwise influence models or derived artifacts. The map shall identify subprocessors and material fourth party dependencies involved in data storage, processing, model operations, telemetry, and support. The supplier shall provide the map to the customer on request and at least quarterly, and shall notify the customer in advance of material changes to the map. This clause makes “inventory” non symbolic, aligning with the GDPR requirement to specify subject matter, duration, nature, purpose, and categories, but extending it into the propagation surfaces where withdrawal actually fails.
Clause family 2. Withdrawal semantics by residue class. The supplier shall implement and document withdrawal semantics for each residue class implicated by the services, including primary records, replicas, caches, backups, logs, analytics stores, derived features, aggregated statistics, embeddings, and model artifacts. For each residue class, the supplier shall specify the withdrawal method, the expected completion time, the scope of effect, and the evidence artifact produced. The supplier shall not represent that deletion of a primary record constitutes withdrawal unless the supplier also executes the corresponding withdrawal actions for downstream residue classes or explicitly declares which residue classes remain and why. This clause is a direct response to the GDPR’s delete or return requirement, which is otherwise routinely complied with at the surface while leaving derived artifacts untouched.
Clause family 3. Delete or return and the boundary of retention. At the choice of the customer, upon termination or upon completion of services, the supplier shall delete or return customer data and shall delete existing copies unless retention is required by applicable law, mirroring the GDPR’s requirement. The supplier shall also provide a retention declaration describing any retained residue classes, the legal or operational basis for retention, the retention period, and access restrictions. This clause transforms an often vague promise into a residue statement that is reviewable and auditable.
Clause family 4. Subprocessor flow down for withdrawal and evidence. The supplier shall not engage subprocessors without prior written authorization or a general authorization mechanism consistent with Article 28, and shall impose equivalent contractual obligations on subprocessors regarding withdrawal semantics, evidence production, audit enablement, and retention declarations. The supplier shall remain fully liable for subcontractor performance under these obligations. This clause treats subcontracting as graph expansion and forces the withdrawal discipline to survive the expansion.
Clause family 5. Audit, inspection, and adversarial testing. The supplier shall make available to the customer all information necessary to demonstrate compliance with these obligations, and shall enable and assist audits, including on site inspections when warranted, consistent with the European Data Protection Board standard clauses. The supplier shall also support adversarial validation procedures for withdrawal claims, including sampling based lineage trace tests and, where model artifacts are implicated, evaluation procedures designed to test whether withdrawn canaries remain retrievable. This clause extends audit from compliance theatre to technical truth, while still grounding itself in the existing audit framework already recognized in GDPR contracting practice.
Clause family 6. Evidence artifacts and service levels. The supplier shall produce, for each withdrawal action, an evidence packet consisting of at least a request identifier, timestamp, residue class actions executed, system identifiers involved, completion status, and audit logs necessary to validate execution. The contract shall define service levels for the completion of withdrawal by residue class. Remedies for repeated service level failure shall include service credits, termination rights, and, where appropriate, indemnification for regulatory exposure caused by the supplier’s failure to meet contracted deletion and evidence obligations. This clause is where procurement becomes engineering, because it converts an ethical aspiration into time bound operational commitments and consequences.
Clause family 7. Logging that supports withdrawal without generating uncontrolled residue. The supplier shall treat logs and telemetry as governed datasets, with retention limits, access controls, and withdrawal hooks where feasible, and shall document how audit trails are minimized while remaining sufficient for evidence. This is consistent with the broader information security control families that emphasize logging and monitoring, while the book’s distinctive move is to require that logging itself be designed not to become a second ungoverned residue surface.
Clause family 8. Training and model influence restrictions. If customer data can be used to train, fine tune, evaluate, or otherwise influence models, the supplier shall provide a clear opt in mechanism, a description of the model influence pathways, and a technical description of how withdrawal requests will be honored in relation to model artifacts. The supplier shall not use customer data for such purposes without explicit authorization and shall provide an evidence packet showing how withdrawal affects training corpora, derived features, embeddings, and model checkpoints. This clause anticipates the common ambiguity where a vendor asserts “we do not train on your data” while still using it for evaluation, quality improvement, or model monitoring, each of which can produce derived artifacts. The clause forces precise disclosure and auditable semantics.
Clause family 9. Incident reporting as residue reporting. The supplier shall notify the customer of incidents that may affect withdrawal obligations, including incidents involving unauthorized access, integrity compromise, or uncontrolled propagation of customer data across systems or subprocessors. The supplier shall also notify the customer of any failure to complete withdrawal within agreed service levels or any discovery that withdrawal actions were incomplete due to unknown propagation paths. This clause treats withdrawal failures as incidents, aligning with the book’s insistence that the institution must tell the truth about what it has done and what it cannot yet prove.
Clause family 10. Regulatory alignment for high risk AI deployments. Where the supplier provides high risk AI systems or components that place the customer in the role of deployer, the supplier shall provide the instructions, technical documentation, logging capabilities, and support necessary for the customer to meet its deployer obligations. The EU Artificial Intelligence Act is explicit that deployers have duties around use according to instructions, human oversight, monitoring, and log retention under certain conditions, and that providers must implement post market monitoring systems that collect and analyze relevant data on performance over the system lifetime. Procurement must therefore include obligations that the vendor actually supply the artifacts that make compliance and governance real, rather than selling a system whose legal obligations are pushed onto the buyer without the means to satisfy them.
These clauses are not exhaustive, and they are not meant to be. Their function is to show the correct binding pattern: every moral claim becomes a technical obligation, every technical obligation produces an evidence artifact, and every evidence artifact is testable within a defined time horizon.
Procurement as incentive design: making vendors build what buyers can test
The deepest procurement mistake is to ask for “best efforts” and then act surprised when best efforts are optimized for the vendor, not for withdrawal truth. Ostrom’s work is instructive here because she emphasizes that durable governance depends on clear rules, monitoring, and graduated sanctions, all of which must be enforceable within the system rather than imposed as moral pleading (Ostrom). Procurement is how institutions implement those conditions across organizational boundaries. The GDPR already encodes something like a graduated sanction logic by requiring contract terms and by allowing supervisory action where processors and controllers fail to meet obligations, but internal procurement must add a second layer: contractual remedies that are triggered by measurable failures in evidence delivery, service level adherence, and subprocessor control.
Here the NIST approach to supply chain risk management again becomes structurally relevant. NIST treats supply chain risk as requiring ongoing management and integration across lifecycle processes rather than a single assessment, which implies continuous supplier monitoring and contract management as part of risk governance. If buyers only assess vendors at onboarding, they will never have leverage over the changes that actually produce new residue, such as new subprocessors, new logging pipelines, new model training practices, or new analytics integrations. Therefore procurement must include change control rights and periodic evidence delivery, and contract operations must treat those rights as active, not symbolic.
Procurement as boundary discipline: refusing residue export
There is a specific ethical failure that appears as a procurement convenience: outsourcing the hardest part of governance. Vendors can become residue sinks. If the buyer does not have audit rights, does not have evidence schedules, and does not have withdrawal semantics contractually specified, then the buyer has not reduced its residue. It has only made the residue harder to see and harder to reverse. Hannah Arendt’s analysis of administrative domination is relevant here in a narrow but potent way: bureaucracy can convert responsibility into procedure, and procedure can be used to diffuse accountability until no one is accountable for what the system does. Procurement that relies on generic assurances reproduces that diffusion. Procurement that requires evidence and testability reverses it.
This is why the European Data Protection Board clauses on audits matter. They reassert that a controller’s obligations do not dissolve when processing is outsourced, and they embed a right to inspect and validate rather than a right to receive narratives. The Residue Ledger framework simply insists that the thing being validated includes propagation and withdrawal, because in data and model systems propagation is the harm mechanism and withdrawal verification is the only durable check on that mechanism.
Procurement for AI systems: aligning contracts with lifecycle governance
The rapid expansion of third party AI systems intensifies the procurement problem because many AI risks are produced not only by what the model outputs but by how the model is integrated, monitored, and updated. The NIST Artificial Intelligence Risk Management Framework emphasizes that risk measurement and management can be complicated by third party data and systems and by insufficient internal governance structures and technical safeguards. That statement has a procurement implication: if the buyer cannot obtain the documentation, logging, and monitoring hooks required to govern the system in situ, then the buyer cannot manage risk no matter how many internal policies it writes. Procurement is the only way to force those hooks into existence, because the buyer cannot retrofit them into a vendor’s black box.
The EU Artificial Intelligence Act adds a second procurement implication: obligations attach across the AI value chain, including deployer duties for high risk systems and provider duties for post market monitoring, which depend on the availability of relevant performance data across the system lifetime. A buyer that procures a high risk system without contractual access to logs, technical documentation, and post market monitoring support is buying compliance debt and withdrawal debt simultaneously. In this sense, AI procurement is not simply a commercial decision. It is a decision about whether the organization will be capable of meeting legal obligations and ethical obligations without improvisation.
Closing the chapter: procurement as the place where withdrawal becomes non fictional
By now the reader should be able to name the procurement test that matters. If a vendor cannot describe where data goes, cannot specify deletion semantics by residue class, cannot provide an evidence packet that can be audited, and cannot bind subprocessors into the same obligations, then the vendor cannot support verifiable withdrawal. Everything else is narrative, and narrative collapses under pressure.
This chapter therefore ends with a simple reorientation. Procurement is not where ethics goes to be simplified. Procurement is where ethics becomes enforceable reality. The procurement artifact is the institution’s boundary grammar. It defines what the institution can know, what it can test, and what it can credibly promise when a person withdraws consent after propagation. If Chapter 16 asked whether insurance can price residue, Chapter 17 insists that procurement can. It can price residue directly through service levels, evidence schedules, remedies, and audit rights. It can force the creation of the withdrawal infrastructure that makes insurance underwriting rational. And it can stop the quiet export of residue costs onto those who have the least capacity to contest the system.
Chapter 18 will move from contract language into operating model design and will specify the Withdrawal Review Board as the internal institution that adjudicates tradeoffs, sets evidence thresholds, and makes the organization publicly responsible to itself for what it claims and what it can prove.
This closes Section III with the recognition that procurement is not downstream paperwork but upstream architecture, because it is where withdrawal semantics, evidence schedules, audit rights, and subprocessor flow downs either become enforceable or remain rhetorical, and where the institution decides whether residue is internalized as a priced obligation or exported into vendor opacity. Section IV begins from that closure by shifting from external binding to internal constitution, moving from what you force vendors to prove to what you force yourself to govern, namely decision rights, escalation paths, evidence thresholds, and the public adjudication of tradeoffs that determine what counts as sufficient withdrawal under constraint.
Chapter Eighteen: The Withdrawal Review Board
Part V begins at the point where external enforcement becomes insufficient, because the most decisive failures of withdrawal do not happen at the edge of the enterprise where procurement clauses can be invoked, but inside the enterprise where no contract can substitute for decision rights, evidence standards, and the willingness to pay the internal cost of reversibility. The institutional problem is straightforward to state: if withdrawal is a system property, then someone must be authorized to declare what evidence is sufficient, what time horizon is promised, what residue remains, and what tradeoffs are legitimate when the cost curve steepens. In most organizations, those declarations are made informally by whoever is awake, whoever owns the ticketing queue, or whoever fears the regulator most this week. The result is predictable. The organization oscillates between overpromising purity and underdelivering substance, then uses policy language to blur the boundary between the two. The Withdrawal Review Board exists to end that oscillation by creating an internal court of admissible proof.
The most useful precedent is not a privacy committee aesthetic. It is risk authorization as practiced in mature governance frameworks. NIST’s Risk Management Framework is explicit that a senior authorizing official determines whether the risk from operating a system or using common controls is acceptable, and that this decision is integrated with organization level risk governance through roles such as the senior accountable official for risk management or the risk executive function, along with continuous monitoring responsibilities that treat risk acceptance as an ongoing posture rather than a one time signoff (NIST, Risk Management Framework Appendix E). The Withdrawal Review Board borrows this logic and reorients it. Instead of authorizing a system to operate, it authorizes an institution to claim that withdrawal has been executed to a defined standard, and it authorizes the institution to claim, with bounded honesty, what remains and why.
This reorientation matters because withdrawal verification is inherently adversarial. It has an implied skeptic. A regulator, a court, a journalist, a labor union, an auditor, a customer, or an affected person asks whether the institution can prove that data, influence, or derived artifacts have been removed, isolated, or rendered non operative within a specified scope. A sincere internal team can still fail that test if it has no shared definition of evidence, no shared taxonomy of residue classes, and no single place where the organization must disclose its own uncertainty. The Withdrawal Review Board is that place. Its purpose is not to accelerate deletion tickets. Its purpose is to force the institution to decide what it believes counts as a truthful act of withdrawal, then to bind operations, engineering, and procurement to that decision through artifacts that can be audited.
The legal environment already expects something like this internal court, even if it does not name it. The GDPR processor clauses used by European supervisory authorities require that the processor make available all information necessary to demonstrate compliance and allow for and contribute to audits, including inspections, by the controller or its mandated auditor. That obligation creates a practical question for the controller: who inside the controller has authority to declare that the information received is sufficient, who can demand additional proof, and who can accept a remainder when the vendor cannot do better. Likewise, the European Union Artificial Intelligence Act imposes explicit obligations on deployers of high risk AI systems to use the system according to instructions and to assign human oversight to natural persons with the necessary competence, training, authority, and support. Human oversight is not a generic virtue. It is an organizational arrangement that must be instantiated as roles, authority, and escalation, and the Act’s text repeatedly connects oversight to lifecycle monitoring and log collection. If an organization is serious about withdrawal in AI mediated decisions, it must be able to govern the human oversight and logging apparatus that makes claims about withdrawal credible.
The Withdrawal Review Board therefore has four non negotiable functions, each of which corresponds to a failure mode that Chapter Two called liturgy. First, it defines withdrawal semantics by residue class and by context, because the same word deletion can hide incompatible actions. Second, it defines evidence thresholds and the admissible forms of proof, because evidence is the only boundary between honest limitation and performative assurance. Third, it adjudicates tradeoffs under constraint, because withdrawal is where privacy, security, accountability, and operational continuity collide, and those collisions require explicit rulings rather than quiet improvisation. Fourth, it preserves an institutional memory of those rulings, because organizations do not only forget facts, they forget their own promises, and the residue ledger dies the moment governance becomes episodic.
To avoid becoming theater, the Board must be constituted as an operating model, not a committee. It must have membership that maps to actual control surfaces, decision rights that bind budgets and engineering priorities, and a defined docket of matters it must hear. It is helpful to state the membership in functional rather than personal terms. The Board must include the senior accountable official for risk management or equivalent enterprise risk leader, because withdrawal decisions are risk acceptance decisions in the NIST sense and must integrate with organization level risk tolerance. It must include the senior privacy leader and the senior security leader, because withdrawal is simultaneously a privacy promise and a security boundary problem, and NIST’s RMF explicitly coordinates security and privacy risk governance rather than treating them as separate universes. It must include the system owners or platform owners for the data plane and the model plane where propagation occurs, because without operational ownership the Board will issue unenforceable decrees. It must include procurement or vendor management representation with authority, because as Chapter Seventeen argued, withdrawal fails across trust boundaries unless contracts and telemetry obligations exist, and NIST explicitly situates acquisition roles within risk governance coordination. It must include an internal audit or assurance function, because the Board must be able to test itself and to treat its own outputs as auditable claims rather than internal narratives. Finally, whenever the withdrawal question touches high risk AI systems, the Board must include the human oversight function in the AI Act sense, meaning the natural persons assigned oversight must have competence, authority, and support, and the Board must be able to verify that those conditions exist rather than assuming they do.
Decision rights are the Board’s center of gravity. The Board must be empowered to do three things that many organizations avoid because they are uncomfortable. It must be empowered to declare that a withdrawal claim cannot be made because evidence is insufficient, even if that declaration delays a public response or complicates customer assurances. It must be empowered to order engineering work that creates withdrawal capability, including lineage instrumentation, deletion orchestration, or log governance changes, and to require a timeline and owner for that work. This aligns with the logic of continuous monitoring strategies in the RMF, where organizations develop strategies for continuously monitoring control effectiveness and respond to ongoing monitoring results through authorized risk response decisions rather than discretionary best effort. It must be empowered to accept bounded residue explicitly, with a written rationale, when further reduction is infeasible or would destroy necessary accountability records, and to specify compensating controls such as isolation, access restriction, retention limits, or increased transparency.
The Board’s docket should be designed so that it is activated by the conditions that most reliably produce residue. The first condition is propagation uncertainty, meaning the organization cannot enumerate where a datum, feature, embedding, or model influence has flowed with enough confidence to execute withdrawal semantics. The second condition is cross boundary dependence, meaning one or more vendors, subprocessors, or internal shared platforms are involved and evidence must be collected across trust boundaries, invoking the same audit logic embedded in standard processor clauses. The third condition is AI mediated decision risk, meaning a withdrawal request touches an AI system used in contexts where errors implicate health, safety, or fundamental rights, and where the AI Act’s human oversight requirements and logging expectations are relevant governance constraints. The fourth condition is time horizon conflict, meaning the requested completion time is incompatible with the organization’s withdrawal capability, and a decision must be made about what the institution can honestly promise now and what it will build for the future. The fifth condition is contested meaning, meaning internal stakeholders disagree about whether deletion, isolation, unlearning, or model editing is required, and the disagreement is not technical trivia but a dispute about what counts as withdrawal.
The Board’s process should be understood as a sequence of evidence producing steps rather than a meeting ritual. A matter enters the docket through a structured intake that forces the organization to specify the object of withdrawal, the asserted propagation surfaces, the residue classes implicated, and the claim the institution wishes to make when the action is complete. The Board then requires a residue map and an evidence plan. The residue map is the institution’s explicit statement of where the object is believed to exist across the data lifecycle, including collection, processing, dissemination, use, storage, and disposition, which is consistent with the orientation of privacy risk assessment in the NIST Privacy Framework, where privacy risk assessments often focus on the data lifecycle and include destruction and deletion as explicit lifecycle stages. The evidence plan is the institution’s explicit statement of what artifacts will be produced to prove that withdrawal semantics were executed, including what will be validated internally and what will be validated across vendors. At this point, the Board’s most important action is negative: it refuses to allow the organization to treat an internal ticket closure as evidence, and it refuses to allow a vendor’s untestable assurance to substitute for the audit enabling obligations that controllers are entitled to demand and processors are obligated to provide.
The Board then rules on withdrawal semantics. This is where the taxonomy of residue classes built earlier in the book becomes operational. For some residue classes, hard deletion is meaningful and verifiable, for others isolation or key revocation is the only feasible approach, and for model artifacts the organization may need to separate influence removal from output suppression and from policy constrained generation. The Board’s ruling must specify which semantics apply and why, and it must bind them to an evidence threshold. Evidence thresholds should be calibrated to the stakes and the feasibility, not to internal convenience. In the RMF, ongoing authorization and continuous monitoring are explicit tasks that determine whether risk remains acceptable as conditions change, and these tasks are tied to roles such as the authorizing official and risk executive function. The Board is importing that discipline: the evidence threshold is the boundary of acceptable risk for a withdrawal claim, and risk acceptance must be explicit rather than implied.
This is also the point where the Board becomes the institution’s defense against its own desire for false certainty. The Board should maintain a formal category called the unavoidable remainder. This category is not a loophole. It is a disclosure requirement. When the Board concludes that some residue cannot be removed without destroying necessary accountability records or without violating legal retention duties, it must specify what remains, who can access it, how long it will persist, and what compensating controls exist. It must also specify what the institution will not claim, including prohibiting language such as complete deletion when the remainder is known. This is how the Board converts humility into governance rather than sentiment.
The Board’s relationship to human oversight in AI contexts deserves special precision. The AI Act requires that high risk AI systems be designed and developed so they can be effectively overseen by natural persons during use, that human oversight aims to prevent or minimize risks to health, safety, or fundamental rights, and that oversight measures be commensurate with risk, autonomy, and context. It also connects oversight to enabling the assigned humans to understand capacities and limitations, monitor operation, detect anomalies, and remain alert to automation bias. The Withdrawal Review Board is the internal mechanism that ensures those oversight conditions are not only described in documentation but instantiated in the withdrawal process. When a withdrawal request touches an AI mediated decision path, the Board must be able to ask whether logs exist, whether they are governed, whether the relevant humans have authority to pause the system, and whether the institution can actually interpret the system’s outputs and behaviors well enough to identify whether a withdrawn datum continues to influence outcomes. Without that capability, the organization’s withdrawal promise in AI contexts becomes a fiction built atop an uninspected model.
The Board must also be integrated into continuous monitoring rather than operating as a rare escalatory forum. The NIST Privacy Framework emphasizes ongoing reassessment and capturing results in a current profile to verify that privacy capabilities and requirements are still fulfilled. The RMF likewise treats continuous monitoring as an organization wide strategy and assigns ongoing risk response and ongoing authorization responsibilities. The Withdrawal Review Board should therefore receive periodic signals, not only incidents. It should receive metrics on withdrawal completion times by residue class, counts of withdrawal failures by cause, vendor evidence compliance rates, lineage coverage percentages, and the rate at which new propagation surfaces are introduced through product change. The Board’s role is not to stare at dashboards, but to interpret these signals as governance facts and to order corrective actions when trends indicate that withdrawal is becoming less executable over time.
To prevent itself from becoming another form of administrative domination, the Board must be constrained by transparency and contestability inside the organization. The Board should publish internal rulings in a way that is accessible to engineers and governance staff, describing the semantics chosen, the evidence thresholds required, and the rationale for accepting any remainder. This is not public relations. It is how an institution creates consistent practice and avoids the moral injury of asking frontline workers to make promises the institution cannot prove. The Board should also be subject to internal audit scrutiny, and its rulings should be sampled for evidence completeness and factual accuracy. This closes the loop demanded by the processor audit clauses that insist on information necessary to demonstrate compliance, but it applies the same demand inward, because internal governance that cannot be audited is structurally indistinguishable from external assurance theater.
The last design requirement is economic. The Board cannot be credible if it cannot allocate cost. If withdrawal is a cost curve, someone must be empowered to decide whether the organization pays now by building withdrawal infrastructure or pays later through incidents, regulatory action, and reputational erosion. The RMF’s authorizing official is meaningful because that official can accept risk on behalf of the organization. The Withdrawal Review Board must be meaningful in the same way. It must be empowered to require investment and to refuse unpriced propagation. Otherwise it becomes a place where engineers explain why the system cannot do what the institution promised, and nothing changes.
This chapter closes with the Board as a constitutional mechanism: it makes the institution capable of truthful speech about withdrawal. It creates a shared grammar for residue, a shared standard for evidence, and a shared forum for adjudicating tradeoffs that cannot be eliminated by better intentions. It also creates a durable internal memory of what the institution decided, which is the only way to prevent the future from repeating the same failure in a new vocabulary. Chapter Nineteen now extends this constitution into daily operations by specifying continuous monitoring for consent states, treating changes in consent not as static artifacts but as signals that must propagate through systems with the same rigor as configuration changes.
Chapter Nineteen: Continuous Monitoring for Consent States
Continuous monitoring is the institutional refusal of surprise. In security governance, that refusal is expressed as ongoing awareness of assets, vulnerabilities, threats, and the effectiveness of controls, with the explicit aim of supporting risk decisions that remain valid as systems change (Dempsey et al.). The argument of this book is that consent, when it is treated as a one time artifact, becomes an instrument for hiding change rather than governing it, because the world in which consent operates is not static. Data move. Features are reused. Vendors expand. Models are updated. Logs accumulate. Derived artifacts persist. The ethical center of gravity therefore shifts from permission capture to withdrawal verification, and verification cannot be episodic if propagation is continuous. This chapter names the operational corollary: consent states must be continuously monitored with the same seriousness that organizations already apply to security control effectiveness, because a consent state is not a preference stored in a database. It is a constraint that must propagate through systems as they evolve.
Law already implies this temporal logic even where it speaks in simple sentences. The GDPR conditions for consent specify that the data subject has the right to withdraw consent at any time and that withdrawal must be as easy as giving consent, which means the institution must maintain a live capability to enact the change, not just a way to record it (Regulation (EU) 2016/679 art. 7(3)). The United Kingdom Information Commissioner’s Office sharpens the operational reading by noting that because the right to withdraw is “at any time,” it is not sufficient to provide a narrow or delayed mechanism such as requiring a reply, because the individual must be able to opt out at any time on their own initiative. If withdrawal must be possible at any time, then systems must be built so that the institution can observe whether the withdrawal constraint remains true across the data lifecycle, including after product changes, pipeline refactors, vendor onboarding, and model updates. In other words, withdrawal is not only a request handling workflow. It is a standing property whose truth must be maintained.
NIST’s Information Security Continuous Monitoring guidance is helpful precisely because it is explicit that continuous monitoring is a program with a strategy, metrics, and an emphasis on visibility into the effectiveness of deployed controls, not a collection of dashboards (Dempsey et al.). The analog in consent governance is a continuous consent monitoring program that provides visibility into where consent constrained data exist, where they have propagated, where enforcement occurs, and whether enforcement remains effective under change. The point is not to import security jargon into privacy. The point is to import the discipline that security has learned the hard way: the organization must be able to detect drift between what it claims and what its systems actually do, and it must treat that drift as a governance event. A consent promise that cannot be monitored becomes, over time, indistinguishable from a marketing sentence.
The NIST Privacy Framework provides the vocabulary for this translation because it is designed to manage privacy risk through enterprise risk management, including outcomes that emphasize data processing management with sufficient granularity for organizations and individuals to manage privacy risks (NIST, Privacy Framework). When the Privacy Framework’s Control function describes enabling data management with sufficient granularity, it is naming the opposite of the common enterprise pattern where consent is stored as a single boolean flag while data propagate into countless systems that never consult the flag again. Granularity in this book’s sense is not fine grained user interface toggles. It is technical and institutional granularity: the ability to bind a consent state to specific data flows, specific processing purposes, specific derived artifacts, and specific trust boundaries, then observe whether the binding still holds.
A continuous consent monitoring program therefore begins by treating consent state as configuration, not as documentation. Configuration is actionable because it has defined consumers and defined enforcement points. A consent state that is monitored must have, at minimum, a canonical source of truth, an event mechanism that propagates changes, and a set of enforcement points that are obligated to consult the current state before processing and obligated to emit evidence that they did so. This is the same structural idea as security continuous monitoring programs that collect information according to preestablished metrics using information available through implemented controls, then use that information to support risk decisions (Dempsey et al.). The consent monitoring program collects state change events and enforcement evidence, then uses that evidence to support withdrawal verification decisions and to detect drift.
Drift is the core failure mode. Drift occurs when consent state changes but downstream systems continue processing based on cached assumptions, stale copies, or inherited datasets whose provenance has been forgotten. Drift also occurs when consent state remains unchanged but the system changes around it, creating new propagation paths that were never instrumented. Security governance has a mature word for this problem: maintaining ongoing awareness of vulnerabilities and threats and the effectiveness of controls as systems change (Dempsey et al.). Consent governance needs the same posture: ongoing awareness of propagation paths and enforcement effectiveness as pipelines change. Without this, the organization can truthfully claim that the withdrawal request was recorded and still be unable to truthfully claim that the withdrawal constraint governs reality.
The monitoring program must therefore specify what it monitors and how it interprets signals. At the system level it monitors coverage, meaning the percentage of data flows and processing systems that are instrumented to consult consent state and emit evidence. At the operational level it monitors latency, meaning the time between a consent state change and full enforcement across all affected systems, because if withdrawal must be possible at any time, the institution must be able to state its propagation time horizon honestly and improve it over time (Regulation (EU) 2016/679 art. 7(3)). At the integrity level it monitors correctness, meaning whether enforcement points apply the correct semantics for the residue class involved, because the meaning of withdrawal differs across primary records, caches, logs, derived features, aggregated statistics, embeddings, and model artifacts. This is where the Residue Ledger’s taxonomy becomes operational: monitoring does not only measure that an action occurred, it measures that the right action occurred for the right class and purpose.
A common objection is that monitoring consent states intensifies surveillance by generating more logs and more metadata. The objection is valid and it cannot be dismissed. It is also the reason the monitoring program must be designed with the same minimized audit logic developed earlier in the book. The NIST security continuous monitoring posture is oriented toward visibility, but privacy governance must treat visibility as a constrained instrument rather than an unbounded good. The monitoring program therefore collects the minimum evidence necessary to validate enforcement without reconstructing the full content of what was processed, and it applies strict retention limits, access controls, and purpose binding to monitoring artifacts. This is the privacy version of control effectiveness monitoring: you verify that the control fired without storing what the control was protecting.
Standards work in privacy management systems reinforces the legitimacy of continuous monitoring as a privacy obligation rather than a security import. ISO IEC 27701 describes a privacy information management system as something established, implemented, maintained, and continually improved as an extension to an information security management system, which is a direct statement that privacy governance is a lifecycle discipline rather than a static compliance snapshot. The commentary on the updated standard emphasizes performance evaluation, including monitoring and measuring the performance of the privacy information management system and determining what will be monitored, how, and when. This language is not identical to our consent monitoring program, but it supports the underlying stance: if an institution claims a privacy capability, it must be able to measure its performance.
The deepest purpose of continuous monitoring for consent states is therefore not operational convenience. It is institutional honesty. A consent regime that is not monitored will predictably become a theater of ticket closure and policy attestations, because the organization will lack the evidence necessary to distinguish compliance language from actual withdrawal. A consent regime that is monitored becomes capable of saying, with precision, where consent constrained data exist, how quickly withdrawals propagate, what residue classes remain, and what evidence supports each claim. That capability changes governance behavior because it makes drift legible and therefore governable, but it also changes institutional ethics because it forces the organization to internalize the fact that promising withdrawal without a monitoring program is promising what it cannot continuously maintain.
This chapter ends by tightening the link between monitoring and adjudication. Continuous consent monitoring generates signals, but signals require authority to interpret and act. That is why Chapter 18 established the Withdrawal Review Board as an internal court of admissible proof and risk acceptance. Chapter 19 gives that court its sensory apparatus. Chapter 20 will extend the temporal logic outward into regulation, treating modern AI and data regulation as phased time rather than as a single deadline, and showing how organizations must build withdrawal controls and monitoring programs as rolling capabilities that can survive staged obligations and shifting system boundaries.
Chapter Twenty: Regulation as Phased Time
The temptation in every compliance regime is to treat the law as a date, because a date can be turned into a project plan, a dashboard, a status meeting, and a release train. The reality is that modern digital regulation is structured as time, meaning not a single deadline but a sequence of staged obligations that arrive on different clocks, bind different actors, and demand different forms of evidence at different moments. When an institution mistakes phased time for a deadline, it reliably produces two pathologies that this book has named in other registers. First, it front loads documentation and back loads control, because documents can be produced quickly while withdrawal infrastructure requires systemic change. Second, it treats early applicability as low stakes, because penalties and enforcement attention may crescendo later, even though early obligations often define the interpretive frame that will govern the later ones. Regulation becomes not a moral boundary but a scheduling problem, and residue accumulates in the gap between the schedule and the system.
The European Union Artificial Intelligence Act makes this temporal structure explicit in its entry into force and application clause. The Regulation enters into force twenty days after its publication in the Official Journal, and it applies from 2 August 2026, while also stating the earlier and later application of specified chapters and provisions. The legal architecture is therefore not a single activation but a staged sequence. Chapters I and II apply from 2 February 2025, which is where the Act’s definitional frame and the prohibitions on certain practices become operative. A further set of provisions, including Chapter III Section 4, Chapter V, Chapter VII, Chapter XII, and Article 78, apply from 2 August 2025, while the core application date remains 2 August 2026. Article 6(1) and corresponding obligations apply from 2 August 2027. Even within the Act’s own frame, the law is telling you that governance must be built as a rolling system, because the institution must remain truthful across multiple transition points, not only at the moment that enforcement feels intense.
The same legal text also reveals why phased time is not administrative trivia but a design constraint. Article 111 provides transitional obligations for systems and models already placed on the market, including a requirement that providers of general purpose AI models placed on the market before 2 August 2025 take the necessary steps to comply with the obligations by 2 August 2027. Transitional clauses like these are the law’s admission that technical reality includes legacy systems, long lived deployment footprints, and institutional inertia, and that the compliance question is therefore not whether one can build a perfect system by a date, but whether one can move an installed base toward verifiable controls while maintaining credible evidence and governance along the way. That is precisely the terrain of withdrawal, because withdrawal is the domain where legacy, propagation, and the impossibility of clean reversal collide.
A governance program that respects phased time begins by refusing the false division between early applicability and real compliance. The first wave, effective 2 February 2025, is not merely about banning a short list of unacceptable practices. It is about establishing the category boundaries through which the rest of the Act will be interpreted, and it is about forcing institutions to confront whether they can identify prohibited uses in their own environment and stop them without relying on vague policy language. In the language of this book, it is where the institution must demonstrate that it can translate a normative prohibition into operational enforcement and auditable evidence. The European Commission has also issued guidelines intended to help interpret prohibited practices, underscoring that the early phase is meant to be lived as governance, not filed as legal theory. The existence of guidelines is itself a governance clue: regulators expect ambiguity, expect contestation, and expect institutions to build interpretive capacity rather than waiting for perfect clarity.
The second wave, effective 2 August 2025, is where the Act begins to bind deeper institutional machinery, including provisions tied to governance infrastructure, codes, enforcement mechanisms, and the institutional organs that will supervise compliance. In a mature organization, this is the moment when the Withdrawal Review Board designed in Chapter Eighteen should become not aspirational but operative, because it is the point at which the institution must be able to adjudicate claims, manage evidence, and respond to regulatory signals as part of a standing operating model rather than as an emergency response. The Act’s staged structure therefore aligns with this book’s structural claim: you cannot make withdrawal real without institutions that can decide what counts as proof.
The central application date, 2 August 2026, is where most organizations will attempt to declare arrival. The danger is that arrival rhetoric produces theater. The law does not ask whether you feel compliant. It asks whether you can demonstrate compliance under scrutiny. The earlier chapters on provenance, lineage, and evidence were written for this exact confrontation. When regulators arrive, your dashboards are not evidence. Your policy is not evidence. Your claim that you deleted something is not evidence. Evidence is what remains after an adversarial reader tries to falsify your story and fails. If the institution has not spent the earlier phases building lineage coverage, enforcing consent state propagation, and producing tamper resistant records of withdrawal actions, then the 2026 moment becomes a scramble to narrate controls that do not exist.
The later application of Article 6(1) and corresponding obligations from 2 August 2027 is the clearest demonstration that phased time is a structural feature, not a transitional inconvenience. It effectively tells you that the classification and scope logic around high risk, and the obligations that attach to that logic, must be built in a way that can be updated and re interpreted as the Act’s later pieces come into force. This matters for withdrawal because withdrawal obligations cannot be statically scoped either. A system that is low risk today can become high risk tomorrow because it is repurposed, coupled into a different decision path, or integrated into a regulated product context, and propagation does not wait for your governance documents to catch up. The only defensible response is to build governance as a living system that can re compute scope and re issue withdrawal semantics as contexts change.
This is also why the Commission’s insistence on maintaining the timeline matters for operators. In July 2025, Reuters reported that the European Commission rejected calls to pause the rollout and confirmed that implementation would proceed as scheduled, noting that some provisions were already in effect and that general purpose AI obligations would start in August 2025, with high risk obligations arriving in August 2026. Whether one applauds or critiques the regulatory posture, the operational implication is simple: governance cannot be postponed into a future of perfect clarity. It must be built under partial information, staged enforcement, and evolving guidance, which means your internal capability to interpret, test, and verify becomes the scarce resource.
The practical translation of phased time into verifiable withdrawal is not a list of tasks. It is a change in posture. You treat each phase as a test of whether your institution can keep its claims aligned with reality under change. In the early phase, the test is identification and cessation: can you find prohibited or out of scope practices in your own environment and stop them with evidence that survives challenge. In the middle phase, the test is governance and evidence generation: can you operate a Board that rules on semantics and proof, and can you produce records that demonstrate withdrawal actions rather than describing them. In the main application phase, the test is system wide consistency: can you show that the same withdrawal semantics apply across products, teams, and vendors, and that exceptions are explicitly ruled, documented, and monitored rather than hidden. In the later phase, the test is re scoping and re classification: can you adjust your withdrawal commitments when systems move into new regulatory categories without pretending that legacy propagation can be erased.
Once you internalize regulation as phased time, you also see why procurement, monitoring, and review boards are not separate chapters but one architecture. Procurement binds external parties to your evidence requirements before the phase where you will be asked to produce that evidence. Monitoring ensures that consent states and withdrawal constraints remain true as systems change between phases. The Board is the organ that interprets signals and makes risk acceptance decisions that remain coherent across the staged regime. The staged regime, in turn, is the regulator’s way of forcing institutions to stop treating governance as a project and start treating it as an operating system.
Chapter Twenty ends with a claim that is operational rather than rhetorical: phased regulation is not a calendar you follow, it is a discipline that tests whether your institution can remain truthful over time. When you build verifiable withdrawal, you are building the capability to survive that test, because you are building the capability to say, in each phase and under scrutiny, what flowed, what remains, what was removed, what cannot be removed, and what evidence makes those sentences defensible. Chapter Twenty One will now move from temporal staging to institutional staging by confronting the management system itself, and by showing how governance frameworks can either become audit theater or become the machinery by which residue is actually reduced and verified.
Chapter Twenty One
Management Systems and the Problem of Audit Theater
Management systems promise a particular kind of institutional maturity: the organization becomes able to say what it does, do what it says, measure whether it is doing it, and correct itself when it is not. That promise is attractive to governance leaders because it offers a way to convert a moral problem into a repeatable discipline, and it is attractive to auditors because it offers a way to translate organizational life into verifiable artifacts. The danger is that the same architecture that makes an organization measurable can also make it performative, because measurement can be satisfied by the production of documents that mimic control without compelling the underlying system to change. Audit theater is not an accidental defect in otherwise sound governance. It is a predictable failure mode whenever a management system is implemented as an overlay rather than as an operating constraint on real pipelines, real incentives, and real propagation surfaces.
The standards ecosystem itself acknowledges both the promise and the risk, if one reads it with sufficient literalness. ISO IEC 27001 specifies requirements for establishing, implementing, maintaining, and continually improving an information security management system, meaning an interlocking set of policies, objectives, processes, and performance evaluation routines designed to remain alive as circumstances change (ISO). ISO IEC 42001 mirrors the same logic for artificial intelligence, specifying requirements for establishing, implementing, maintaining, and continually improving an artificial intelligence management system intended to govern the responsible development, provision, or use of AI systems within an organization’s context (ISO). ISO 19011 then provides guidance on auditing management systems by articulating the principles of auditing, the management of audit programmes, and the conduct of audits across management system types (ISO). Together these texts sketch an institutional loop: a system of governance exists, it is evaluated, it is audited, and it is improved. If that loop is bound to real operations, it becomes a discipline that resists drift. If it is bound to paperwork, it becomes a liturgy that protects drift.
The central claim of this chapter is that withdrawal governance is the most reliable test of whether a management system is real. Many domains allow organizations to hide behind proxies. Security can be reduced to controls that look plausible, privacy can be reduced to notices and toggles, AI governance can be reduced to principles. Withdrawal refuses proxies because it is defined by downstream reality. Either the withdrawal constraint propagates through systems and artifacts, or it does not. Either the organization can produce evidence that a reasonable auditor could validate, or it cannot. In that sense, verifiable withdrawal is not a new management system. It is the adversarial case that reveals whether existing management system structures are capable of governing the residue that their own architectures generate.
COSO’s internal control framework offers a parallel warning from a different tradition. COSO treats monitoring as one of the five components of effective internal control, and its own executive summary notes that guidance on monitoring has similar applicability to the updated framework, which is another way of saying that control quality depends on an organization’s ability to evaluate itself over time rather than only design controls once (COSO). Yet the same internal control logic also illustrates the theater risk: if monitoring becomes a checklist that proves the monitoring process exists, rather than a practice that detects deficiencies and compels remediation, then internal control becomes a representational system that can be satisfied without constraining behavior. Withdrawal governance forces the distinction because deficiencies appear as residue that keeps harming people after the organization claims completion.
The mistake most organizations make is not that they adopt management systems. It is that they substitute certification grammar for operational capability. This substitution is structurally encouraged by the fact that management system standards are designed to be auditable across diverse organizations, which means they privilege general requirements over domain specific mechanisms. ISO IEC 42001, for example, is intentionally framed as a management system standard, offering requirements for establishing and continually improving an AI management system rather than prescribing one fixed technical architecture for every organization (ISO). That abstraction is a strength. It is also an opportunity for theater, because a management system can be demonstrated through policy statements, risk registers, committee minutes, and training records even when technical systems remain architected for uncontrolled propagation. ISO 19011 then provides audit guidance that can be used well or poorly: it can support audits that interrogate evidence quality and test whether controls function, or it can be used to standardize the production of audit artifacts that are never falsified by real operational testing (ISO).
The relevant question, then, is how to force management system structures to bind to substance. The answer is not to reject management systems, but to make withdrawal the reference test that the system must pass. To do that, the organization must treat its management system not as a documentation layer but as a control plane, meaning it must have authority over the actual places where data and model influence propagate. ISO IEC 27001’s insistence on continual improvement matters here because continual improvement can be interpreted as a procedural aspiration or as an obligation to reduce measurable deficiencies (ISO). Withdrawal turns improvement into a measurable claim: are propagation surfaces becoming more instrumented, are completion times decreasing, are evidence artifacts becoming more adversarially robust, are vendor boundaries becoming more testable. Without such metrics, an organization can claim improvement while residue expands.
This is the point where the Withdrawal Review Board designed in Chapter Eighteen becomes the institution’s defense against management system theater. A management system without an internal court of admissible proof tends toward ambiguity, because no one is empowered to refuse a convenient narrative. ISO management system logic assumes leadership involvement and review as part of sustaining suitability and effectiveness over time (ISO). The Board operationalizes that leadership function for withdrawal, not by convening executives for a ceremonial review, but by giving an empowered body authority to rule on what counts as sufficient evidence, what semantics of removal apply, what residue remains, and what investment must be made to close the gap between promise and reality. This is the difference between a management review that preserves the appearance of adequacy and a governance court that compels truth.
Audit theater also emerges when organizations treat audits as evaluative events rather than as instruments of continuous monitoring. COSO’s emphasis on monitoring activities is precisely the opposite: it treats monitoring as an ongoing component of control effectiveness, not a periodic test that can be rehearsed (COSO). ISO IEC 42001’s continual improvement frame implies the same stance for AI governance, because an AI management system that does not continuously adapt will fail in an environment where models and pipelines are continuously updated (ISO). The withdrawal lens forces the organization to adopt a continuous posture because a withdrawal promise that cannot be monitored becomes false as soon as systems change. If consent states and withdrawal constraints are treated as configuration that must propagate, then monitoring becomes the institution’s ability to detect drift between the canonical state and downstream reality. That drift is the earliest indicator of residue accumulation.
The last and most corrosive form of audit theater is the outsourcing of assurance. An organization procures a vendor, obtains an attestation, and treats the vendor’s assurance packet as proof that withdrawal will work through the vendor boundary. Yet the standards logic, and the regulatory logic described in Chapter Twenty, do not permit that moral outsourcing. ISO IEC 42001 is explicit that it is meant for organizations that provide or utilize AI based products or services, meaning governance responsibility does not dissolve when a system is purchased rather than built (ISO). COSO’s monitoring logic likewise does not permit a boundary where monitoring ceases. The procurement architecture in Chapter Seventeen exists precisely to prevent this theater by requiring evidence schedules, audit enablement, and testable interfaces rather than assurances. The management system must incorporate those procurement obligations as living controls, because if vendor governance remains a contract file rather than an operational interface, withdrawal will fail at the boundary where residue tends to persist longest.
A management system that is real will therefore do something that is uncomfortable: it will make uncertainty explicit. It will publish internal rulings where it cannot prove full withdrawal, it will name the unavoidable remainder, and it will bind that remainder to compensating controls and time bound improvement plans. This is not moral pessimism. It is the only way to avoid laundering uncertainty into assurance language. COSO’s internal control framing explicitly treats the identification and communication of deficiencies as part of monitoring activity, which is an institutional permission to name what does not work rather than hiding it (COSO). The withdrawal program adopts that permission and raises the standard: deficiencies are not only control gaps, they are residues that persist in systems and continue to shape outcomes after a person has withdrawn consent.
This closes Part V. The last four chapters built the internal constitution that makes withdrawal governable: procurement binds vendors into evidence and semantics, the Withdrawal Review Board adjudicates tradeoffs and admissible proof, continuous monitoring keeps consent states alive as systems change, and phased regulation forces the institution to remain truthful across time rather than only at a deadline. Part VI begins now, not to decorate the argument with anecdotes, but to apply design pressure through case studies where coercion, inference, and institutional dependence make withdrawal hardest and therefore most revealing. In welfare systems, workplace analytics, health data, and consumer personalization, the question is not whether consent was captured, but whether refusal can be made meaningful after propagation, and whether the institution can prove what remains without pretending to purity.
Chapter Twenty Two: Welfare and the Impossibility of Refusal
Welfare administration is the place where the modern vocabulary of consent is most visibly strained by the brute grammar of necessity. The applicant does not arrive to a service desk as a sovereign chooser weighing optional terms; the applicant arrives because food, housing, heat, medication, or childcare is already on the edge of collapse, and the state appears not as a market actor offering alternatives but as the institution that can convert vulnerability into administrative conditions. The core difficulty for verifiable withdrawal in this setting is not that governments lack policies about privacy or deletion, but that the systems are designed to treat eligibility as a continuous audit state, so that data collection is not an episode but an ongoing condition of survival. Philip Alston’s report on digital welfare states captures this inversion with unusual clarity: digitization is regularly bundled with intensified conditionality, stronger sanctions regimes, and an accountability reversal in which the citizen becomes ever more visible to the state while the state becomes less visible to the citizen (Alston 2). In the welfare domain, the residue problem is therefore not only technical. It is constitutional, institutional, and moral. The residue that matters is produced where coercion meets propagation: data taken under conditions that resemble compulsion, then copied, recombined, scored, and retained across time horizons that the claimant cannot meaningfully see, negotiate, or contest.
I will treat welfare here in the broad sense Alston intends, namely social protection systems that distribute survival linked benefits and attach compliance and verification regimes to that distribution (Alston 2). This chapter follows the case study structure that pressures design into honesty: I describe the system, map residue, name withdrawal failure modes, specify evidence gaps, propose redesign, and end with the remainder that cannot be eliminated without deforming either justice or memory.
System description
A contemporary welfare eligibility system is best understood as a distributed administrative machine whose primary outputs are not only benefit payments but also eligibility determinations, compliance signals, and enforcement actions. It integrates identity proofing, income and asset verification, residency checks, household composition inference, and fraud or error detection. It also integrates appeals processes, recertification cycles, and caseworker discretion, although digitization often aims to compress discretion into rules and thresholds. Alston notes that digitization is frequently justified by the rhetoric of efficiency and fraud reduction while operating alongside budget cuts, tightened eligibility, and more intrusive conditions (Alston 2). That pattern matters because it shapes the architecture: systems optimized for exclusion, sanctioning, and deterrence will inevitably generate more residue than systems optimized for care, because exclusion needs proof, proof needs data, and deterrence needs surveillance.
In the United States, a significant portion of this architecture is built around data verification mandates. The Government Accountability Office has documented that programs such as Medicaid, SNAP, and Housing Choice Vouchers are generally required to use electronic data sources to verify income as part of eligibility determinations, and that across selected programs agencies draw on dozens of federal, state, and commercial data sources for income and asset verification (United States, Government Accountability Office 1). This is not an incidental choice made by individual offices; it is a structural preference for electronic verification that naturally multiplies data flows, expands vendor reliance, and increases the number of systems that contain eligibility relevant traces. When verification becomes continuous, every recertification becomes a re propagation event, not merely a re check.
Two legal anchors illuminate what is at stake. Goldberg v. Kelly frames welfare benefits as a statutory entitlement, holds that procedural due process applies to termination, and emphasizes the recipient’s interest in uninterrupted assistance that provides essentials such as food, clothing, housing, and medical care (Goldberg v. Kelly 261–66). Mathews v. Eldridge later formalizes a balancing framework that weighs the private interest, the risk of erroneous deprivation and the probable value of additional safeguards, and the government’s interest including fiscal and administrative burdens (Mathews v. Eldridge 335). Together, these cases do not merely dictate hearing timing. They describe the moral geometry of welfare administration: when deprivation is catastrophic and error risk is high, procedural safeguards are not decorative. In a digitized welfare system, the question becomes whether the data and model infrastructure is compatible with that geometry, or whether it quietly dissolves it by making deprivation fast, automated, and difficult to reverse.
The international comparative case makes the same point under a different constitutional vocabulary. In the SyRI judgment, the Hague District Court describes SyRI as a legal instrument used to detect fraud including social benefits fraud, and holds that the legislation regulating SyRI violates Article 8 of the European Convention on Human Rights because the application is insufficiently transparent and verifiable and does not strike a fair balance (NJCM et al. 1). The phrase insufficiently transparent and verifiable is decisive for this book. It is a judicial recognition that welfare fraud detection systems are not legitimate merely because they claim a public interest. They must be intelligible enough, testable enough, and constrained enough to warrant the rights intrusion.
Residue map
Residue in welfare is produced by two structural mechanisms: verification fan out and enforcement retention. Verification fan out occurs when a claimant’s eligibility assertion is decomposed into a set of checks against multiple repositories. Enforcement retention occurs when determinations, flags, and investigative artifacts are preserved for audit, prosecution, or deterrence. Because welfare systems treat claimants as continuously re verifiable, the same person’s record is repeatedly re assembled, producing layered residue across time.
The GAO report provides a concrete picture of the verification substrate: agencies use federal and state sources such as unemployment insurance data and Social Security related income records, and they also use commercial sources in some settings (United States, Government Accountability Office 1, 15). Even where federal law does not explicitly mandate electronic verification for a given program, agencies report at least some use of electronic data (United States, Government Accountability Office 1). The technical implication is that welfare data is often not confined to a single program database. It is distributed across hubs, matching services, state wage files, third party verification systems, and vendor tools that are often procured as modular components. Each component tends to create its own logs, caches, error queues, and analyst workspaces. These are not peripheral. They are where residue accumulates most rapidly because they are where operational work happens.
The SyRI record shows how residue can become a cross domain profiling mechanism. The judgment summarizes arguments that SyRI functions as a categorization system producing risk profiles using linked data sources across domains such as tax and social security, and highlights anxieties about large scale linking and secret processing, with the court foregrounding transparency and verifiability deficits (NJCM et al. 1, 20). Even when a government disputes characterizations such as deep learning, the basic structure remains: multiple files are linked and analyzed to generate a risk report that then changes how a person is treated. The residue here is not only the raw data. It is the risk report itself and the implied label attached to the person, which may propagate to investigators, local offices, or downstream agencies. In welfare contexts, labels become life shaping because they control access to the administrative benefit of the doubt.
A related residue vector emerges when automated systems generate determinations that claimants do not learn about until appeal windows expire. The Sixth Circuit’s description of Michigan’s MiDAS system is a paradigmatic warning: when MiDAS determined that a claimant committed fraud, benefits terminated immediately and severe penalties were automatically assessed, and many claimants did not know about the determination until after the time for appeal had expired, while the agency garnished wages and intercepted tax refunds without an opportunity to contest the determinations (Cahoo v. SAS Analytics Inc. 5). Although unemployment insurance is not identical to welfare assistance, it belongs to the same social protection family and it demonstrates how automation can create residue with coercive force: a fraud label, a penalty calculation, a collection action, and the evidentiary artifacts used to justify those steps.
In welfare, I model residue as layered strata.
First, intake residue: identity proofs, household declarations, scanned documents, call recordings, device and session metadata, and the internal case notes that translate a human narrative into administrable fields.
Second, verification residue: match results, mismatch explanations, third party query logs, vendor decision outputs, and the operational metadata that shows which sources were queried and when. Because programs often require repeated verification, this layer grows with time.
Third, adjudication residue: eligibility decisions, sanction decisions, and the rationales offered, including any scoring outputs or heuristics used to prioritize scrutiny.
Fourth, enforcement residue: fraud referrals, investigation notes, overpayment calculations, recovery actions, and litigation artifacts. This layer can outlive benefit periods by years.
Fifth, interagency residue: copies and references exchanged with tax authorities, child support agencies, law enforcement, housing authorities, or contractors, which often persist outside the originating program’s deletion capacity.
Sixth, analytics residue: model training data drawn from historical cases, derived features built from claimant behavior over time, and risk models that re encode prior enforcement patterns. This is the point where withdrawal becomes hardest because the residue is no longer a file. It becomes a parameterized pattern.
Verifiable withdrawal in welfare must be designed to operate across all six strata, with the honesty that some strata cannot be fully cleared without undermining accountability or statutory duties.
Withdrawal failure modes
The first failure mode is structural coercion masquerading as consent. Welfare recipients often cannot refuse data collection without forfeiting the benefit, so the ethical justification for data use cannot rest on preference capture. Alston emphasizes that welfare recipients’ relative deprivation and powerlessness enable intrusiveness that would not be accepted if piloted on the better off (Alston 3). That means any welfare system that uses consent language as its legitimacy narrative is already in danger of self deception. The correct legitimacy narrative is necessity constrained governance with due process, purpose binding, and contestability.
The second failure mode is opacity driven by fraud rhetoric. Fraud detection systems routinely invoke the public interest and fiscal stewardship, but the SyRI judgment shows that courts can reject this framing when transparency and verifiability are insufficient and when proportionality fails (NJCM et al. 1). In practice, welfare fraud systems often embed secrecy claims about detection methods, vendor proprietary logic, or investigative sensitivity. That secrecy becomes a withdrawal blocker because a person cannot withdraw from what they cannot see, and an institution cannot audit what it cannot explain.
The third failure mode is appeal window mismatch. When determinations propagate faster than notice, the harm is not only erroneous deprivation, it is the conversion of administrative time into punishment. The MiDAS facts illustrate how automated determinations can terminate benefits and impose penalties before claimants can meaningfully contest them (Cahoo v. SAS Analytics Inc. 5). In welfare assistance, similar dynamics appear when benefits are suspended pending verification or when sanctions trigger automatically due to missed appointments generated by notification failures. Withdrawal requests in such contexts are often treated as back office privacy tasks while the enforcement machine continues to run. Verifiable withdrawal must treat time as a control variable. If the system can act instantly against the claimant, the claimant must have comparably rapid mechanisms to halt propagation, contest inputs, and trigger isolation of disputed data.
The fourth failure mode is propagation through vendor and interagency boundaries. The GAO report documents that agencies use a wide range of federal, state, and commercial sources (United States, Government Accountability Office 1). Every commercial source and matching vendor becomes a separate retention and logging regime, and often a separate legal regime. Even if a welfare agency deletes a local record, the match vendor may retain query logs, the identity vendor may retain verification artifacts, and the analytics contractor may retain derived features. Withdrawal becomes a fiction if it is defined at the agency boundary rather than across the full processor graph.
The fifth failure mode is the audit trail paradox. Welfare programs are routinely audited. Overpayments are investigated. Fraud prosecutions require evidence. All of these incentives push toward longer retention and richer logging. Yet the same evidence infrastructure becomes a residue generator that intensifies surveillance and increases the blast radius of breaches and misuse. In welfare, the paradox is not theoretical. It is operational: the more an agency tries to prove it did its job, the more it accumulates sensitive traces about those it governs.
The sixth failure mode is model persistence. Once welfare agencies and contractors use historical cases to train prioritization models, the residue is no longer stored as a record that can be deleted. It is embedded as a weight that influences future scrutiny. This is a defining point for this book: withdrawal is not only about removing data from storage, it is about neutralizing the downstream influence of data on decisions. In welfare, that influence is morally heightened because the decision target is survival linked access.
Evidence gaps
The primary evidence gap in welfare is the absence of a withdrawal ready lineage graph that spans program boundaries and vendors. Agencies can often describe what they collect, but cannot demonstrate, in an adversarial audit sense, where it flowed, which systems used it, which models incorporated it, and what artifacts remain. The GAO report’s catalog of numerous data sources used across programs is itself an indirect indicator of this gap: when the verification substrate is that broad, lineage must be treated as infrastructure or else no one can honestly attest to withdrawal (United States, Government Accountability Office 1).
A second evidence gap is determination explainability at the point of deprivation. Goldberg requires notice and an opportunity to defend with reasons and evidence before termination (Goldberg v. Kelly 266–71). In a digitized system, reasons are often expressed as codes or mismatch flags tied to data matches that the claimant cannot inspect or challenge. When a match drives a denial, the evidence package must include source identification, query time, returned fields, transformation steps, and an account of how uncertainty was handled. Without that, appeals become ritualized hearings over inscrutable outputs.
A third evidence gap concerns timing proofs. If the state can suspend benefits quickly, it must be able to show, with logs and attestations, that notice was sent, that it was sent to the correct channel, that the claimant had a meaningful opportunity to respond, and that any automated action was gated by due process constraints. The MiDAS facts indicate what happens when this is not done: claimants learn too late, and enforcement actions proceed (Cahoo v. SAS Analytics Inc. 5). A withdrawal evidence framework for welfare must treat notice and contestability as evidence objects, not soft process.
A fourth evidence gap is retention justification at the residue class level. Welfare agencies often have generalized retention schedules. Verifiable withdrawal requires something stronger: per residue class retention rationales and deletion hooks. Some artifacts must be retained for justice, such as records needed to contest an erroneous termination or to prove discriminatory enforcement. Other artifacts persist simply because storage is cheap and institutional habits are inert. Without residue class level justification, the system cannot distinguish necessary memory from profitable or convenient memory, the distinction the concluding part of this book will insist upon.
Redesign
A withdrawal centered redesign for welfare must begin by abandoning the fantasy that consent is the legitimating mechanism. The legitimating mechanism is constrained state power under necessity, bounded by rights, auditability, and procedural fairness. That is not rhetoric. It is a design requirement that can be translated into controls.
First, I would impose a due process gate as a control plane primitive. Any action that deprives a claimant of benefits, reduces benefits, or triggers enforcement must pass through a gate that verifies notice delivery, time to respond, and evidence package completeness. Goldberg’s requirement of timely and adequate notice and an effective opportunity to defend is not merely a legal post condition, it should become a pre condition enforced by system design (Goldberg v. Kelly 266–70). For automated actions, Mathews’s risk of erroneous deprivation factor should be operationalized as a measurable error budget and a threshold for mandatory human review when uncertainty exceeds a defined bound (Mathews v. Eldridge 335). This is not a call for romantic discretion. It is a call for calibrated friction where harm is irreversible.
Second, I would build a claimant facing evidence portal that exposes the minimum necessary provenance for each adverse action. This portal would reveal which data sources were used, what fields were returned, what mismatch triggered the action, and how to correct or contest it. The SyRI judgment’s insistence on transparency and verifiability is directly relevant here: a system that cannot be meaningfully inspected by those it governs is not just ethically suspicious, it is legally unstable in rights based frameworks (NJCM et al. 1). The portal must be designed for comprehension, but it must also be designed for audit. Every displayed element should be traceable back to immutable logs and attested match records.
Third, I would separate verification data from analytics training data through purpose bound storage and strict minimization. Verification requires timely accuracy. Analytics often seeks long horizon patterns. When these are mixed, welfare recipients become training substrate for future suspicion. The redesign should treat analytics training as a distinct data product requiring explicit authorization, strict sampling minimization, and demonstrable fairness testing. Where models are used to prioritize scrutiny, there must be an evidentiary requirement that the model does not function as a proxy for protected traits or neighborhood based profiling, and that it can be subjected to external review under controlled conditions. The SyRI record shows that broad data linking and profiling in welfare fraud contexts can fail proportionality and transparency requirements (NJCM et al. 1, 20). That is not merely a European concern. It is a warning about how quickly welfare analytics becomes an architecture of suspicion.
Fourth, I would implement a welfare specific Residue Ledger designed around withdrawal and contestability rather than solely around program integrity. The ledger would record every propagation event that materially affects eligibility or enforcement, including vendor queries, match outputs, decision rules invoked, and downstream referrals. It would also record every withdrawal relevant event: correction requests, appeals, reversals, deletions, isolations, and model influence mitigation actions. The ledger must be append only, because welfare agencies are subject to institutional amnesia, staff turnover, and political shifts. But append only must not mean maximal collection. It must mean minimized, scoped evidence sufficient for adversarial validation, with strict retention tiers. This is the minimized audit principle applied to welfare.
Fifth, I would define withdrawal semantics suitable for welfare realities. In many welfare contexts, hard deletion is neither possible nor always desirable. A claimant may need prior records to prove eligibility continuity, to contest an overpayment, or to demonstrate agency error. Therefore withdrawal must include isolation, access revocation, and purpose binding. If an individual withdraws from a particular secondary use, the system should enforce purpose separation, preventing use of prior records for analytics or cross program profiling while retaining what is needed for rights protection and statutory duties. This is the distinction between justice preserving memory and extractive memory. The design must encode that distinction mechanically.
Sixth, I would restructure vendor contracts around testable interfaces for deletion and evidence delivery. Given the breadth of data sources and processors documented by GAO, any welfare agency that cannot demand deletion attestations, query log retention minimization, and audit access is guaranteeing that withdrawal will fail at the boundary (United States, Government Accountability Office 1). Procurement language must require vendors to provide machine readable propagation records and to support isolation or deletion requests within specified time bounds, with cryptographically signed attestations. Without this, welfare agencies will continue to perform ritual compliance while residue persists in shadow stores.
Finally, I would treat the claimant as a first class observer of the system. This is not sentimental participation. It is a control architecture. People detect errors that matching systems miss. They can correct data that vendors misattribute. They can reveal identity resolution failures. Yet current systems often treat claimants as adversaries. A withdrawal centered design treats claimants as necessary co auditors of their own administrative reality, precisely because the system’s error costs are borne by them.
The unavoidable remainder
Even with the redesign above, welfare systems cannot promise purity. Some residue must remain for justice. Goldberg’s vision of due process assumes that a recipient can confront adverse evidence and defend against termination (Goldberg v. Kelly 266–70). That requires records. Appeals require documentation. Anti discrimination enforcement requires data to prove disparate impact. Fraud prosecutions, when justified, require evidence. Moreover, welfare is a site of collective accountability: the public has legitimate interests in program integrity, and recipients have legitimate interests in not being subjected to arbitrary suspicion. These interests cannot be balanced without institutional memory.
The question is therefore not whether welfare can become residue free. It cannot, and pretending otherwise is one more form of administrative lying. The question is whether welfare can distinguish between residue that protects rights and residue that intensifies domination. Alston’s warning about accountability reversal should be read as a design constraint: the state must not become more capable of seeing the poor while becoming less accountable to them (Alston 2). The SyRI judgment sharpens that constraint into a legal test: when new technologies are applied, the state bears a special responsibility to strike the right balance, and systems that are insufficiently transparent and verifiable can fail that responsibility (NJCM et al. 1). The MiDAS story is a practical corollary: when automated determinations and penalties propagate faster than notice and contestability, the system manufactures residue that functions as punishment (Cahoo v. SAS Analytics Inc. 5). Welfare withdrawal, if it is to be real, must be designed as restraint under necessity: procedural, technical, and contractual mechanisms that slow the machine at the points where error destroys lives, while maintaining enough memory to make justice and correction possible.
This is also where the book’s larger thesis becomes visibly non negotiable. Withdrawal verification is not a boutique privacy feature. In welfare, it is the difference between a system that can admit error and repair it, and a system that converts error into debt, sanctions, and disappearance. If verifiable withdrawal can be made to work here, where refusal is structurally thin, then it can serve as an institutional proof of seriousness everywhere else. The next chapter turns to the workplace, where consent rhetoric returns in the form of policies and acknowledgments, and where the residue ledger becomes a labor relation instrument as much as a compliance instrument.
Chapter Twenty-Three: Workplace Analytics and Quantified Labor
Workplace analytics is often introduced as a modest promise: safer shifts, fairer evaluations, fewer injuries, better staffing, higher engagement, cleaner compliance. The promise is rarely framed as surveillance. It is framed as optimization, and then as inevitability. The worker is told that measurement is neutral, that the instrument sees only performance, that the number is merely a mirror. The system, however, does not behave like a mirror. It behaves like a refinery. It takes the ordinary exhaust of labor, breaks it into legible particles, and converts those particles into administrative power. The resulting object is not simply data about work. It is a programmable employment relation.
This chapter treats quantified labor as a pressure test for verifiable withdrawal. The relevant fact is not that workers consent poorly, though they do. The relevant fact is that, in many workplaces, consent is structurally unavailable as a freely chosen ground for processing. European law names the imbalance directly: where there is a clear imbalance between worker and employer, consent is presumed not freely given, and withdrawal without detriment is precisely what the employment relation struggles to allow (Regulation (EU) 2016/679 recital 43). In the United States, the baseline is different, but the outcome converges. The Supreme Court’s caution in a public employment context, refusing to set broad privacy premises while upholding a search as reasonable, signals a jurisprudence that is willing to grant management wide latitude where “work related” purpose is asserted (Ontario v. Quon 757 to 765). In both settings, the worker’s practical problem is not merely that monitoring exists. The problem is that monitoring systems generate residue that is hard to name, hard to see, and easy to reuse.
The central claim is therefore simple. Quantified labor is not just an application domain for the Residue Ledger. It is the domain that reveals why the ledger must be designed as an infrastructure of power restraint rather than as a document of managerial prerogative. If the ledger is built only to protect organizations from claims, it will deepen the asymmetry it purports to govern. If it is built to make withdrawal testable, it becomes a worker facing control in the strongest sense: a constraint on the organization’s ability to convert the worker into an endlessly reusable signal.
System description
The contemporary workplace analytics stack is a composite. It combines instrumentation, inference, and enforcement. Instrumentation captures events: keystrokes, application focus time, location pings, device identifiers, badge swipes, point of sale interactions, camera feeds, microphone inputs, productivity counts, task completion timestamps, call metadata, sentiment measures, and collaboration graphs. It also captures what used to be socially implicit: how long a person pauses, how quickly they respond, whether they are “away,” who they meet, whether their tone is “positive.” Aiha Nguyen’s account of digital surveillance at work makes the point with concrete specificity: warehouses, retail, and remote work environments increasingly treat nearly every aspect of the job as capturable and analyzable, often with limited worker insight into how the data is used (Nguyen 3 to 7). Ajunwa, Crawford, and Schultz extend the frame by arguing that legal constraints are often insufficient in the face of “limitless” surveillance capabilities, especially when monitoring moves beyond the workplace boundary into wellness programs and always on tracking (Ajunwa, Crawford, and Schultz 738 to 744).
Inference transforms captured events into managerial objects. A raw event becomes a performance score, a risk flag, a predicted attrition probability, an “engagement” index, a trust rating, or a compliance risk measure. This is not a technical inevitability. It is a design choice, and it is frequently justified through what Arendt called the substitution of administrative procedures for politics, where action is replaced by process and Iresponsibility is dissolved into system outputs (Arendt 45 to 55). The system’s outputs acquire an aura of necessity, and the organization’s decisions begin to speak in the voice of the model. The worker is no longer disciplined by a supervisor’s judgment alone. The worker is disciplined by a score that can be replicated, compared, exported, and defended as objective.
Enforcement closes the loop. Automated schedules are assigned. Work is reallocated. Warnings are triggered. Performance improvement plans are initiated. Termination recommendations are generated. This is where surveillance becomes governance. The system is no longer merely observing work. It is shaping what kinds of work count as work, and which kinds of bodies can endure the demanded cadence. Data and Society’s depiction of the “constant boss” is accurate precisely because digital surveillance in practice tends to produce speedups, insecurity, and a shifting of risk and cost from employer to worker, while also intensifying existing patterns of bias and scrutiny (Nguyen 9 to 17). Zuboff’s analysis of surveillance capitalism is often discussed in consumer contexts, but its core mechanism applies cleanly to labor: extraction of behavioral data at scale enables prediction, and prediction enables control through new architectures of power (Zuboff 75 to 89). In the workplace, the extracted behavioral surplus is not sold as advertising inventory. It is converted into managerial instrumentation.
The governance question becomes sharply operational. When a worker requests withdrawal, what exactly is being withdrawn from what exactly, and what evidence could demonstrate that withdrawal has been executed to a defensible standard?
Residue map
Workplace analytics produces residue that is both thicker and more durable than teams tend to admit. The residue is thick because it spans multiple layers: raw telemetry, transformed features, derived scores, decision artifacts, and downstream institutional memory. The residue is durable because employment systems are built for retention and defensibility. Logs are kept to manage disputes. Records are kept to manage compliance. The organization’s natural instinct is to preserve, and it will describe preservation as prudence.
For the purposes of verifiable withdrawal, the residue classes appear in at least six forms.
First, direct copies exist across devices and systems. A time tracking app records the same event as a badge system and a collaboration platform. Replication is a feature. Replication is also an ethical multiplier.
Second, cached copies proliferate. Metrics dashboards, exports, email attachments, and shared spreadsheets create unofficial stores that are often invisible to formal governance. This is why “we deleted it from the system of record” is a liturgical claim rather than a verifiable claim. The system of record is rarely the whole system.
Third, transformed copies embed telemetry into features. A location ping becomes “route efficiency.” A keyboard event stream becomes “active time.” A camera feed becomes “attention.” A chat graph becomes “collaboration centrality.” In contextual integrity terms, the transmission principle has changed even if the information type is claimed to be the same. The flow is no longer “communication for coordination,” but “communication for evaluation,” and that shift is a privacy violation because it violates the norms of the context, not because it reveals a secret (Nissenbaum 119 to 123).
Fourth, aggregated statistics persist even after deletion. Teams tell themselves that aggregates are harmless because they are not “about” any one worker. Yet aggregates can still function as discipline. They define norms, set quotas, and justify speed. They also enable reidentification risks in small teams, and they can be used to contest workers’ accounts of events.
Fifth, learned representations, including embeddings and model parameters, create the hardest residue. A model trained on worker behavior can continue to influence scheduling, evaluation, and discipline even if the underlying raw data is deleted. In this sense, the workplace is a direct analogue to consumer personalization. Withdrawal is not simply deletion. Withdrawal is influence control.
Sixth, decision artifacts become institutional residue. Performance reviews, termination memos, HR notes, incident investigations, and workplace safety reports are not “data exhaust.” They are governance artifacts, and they have their own retention requirements. Some of this residue is necessary for justice and accountability. Some of it is merely convenient. A verifiable withdrawal program must distinguish the two without collapsing into either purity fantasies or managerial discretion.
This residue map is not an abstract taxonomy. It is the object the Residue Ledger must represent, with enough specificity that an auditor could test claims and a worker could contest them.
Withdrawal failure modes
Workplace withdrawal fails in repeatable ways, and these failures are not technical accidents. They are predictable outcomes of incentives, legal uncertainty, and operational convenience.
The first failure mode is definitional drift. The organization treats withdrawal as a request to delete a record in one system, while the worker is requesting withdrawal from being governed by a score derived from many systems. This failure is enabled by language. Employers say “we do not sell your data,” and workers are disciplined anyway. The organization says “we removed your profile,” and the model remains.
The second failure mode is purpose laundering. Data is collected for safety, then reused for productivity. Data is collected for security, then reused for evaluation. Once the pipeline exists, reuse is cheap and therefore attractive. Ajunwa, Crawford, and Schultz emphasize how modern surveillance technologies permit boundary crossing that earlier regimes could not sustain, which is why existing legal constraints fail to create meaningful limitations (Ajunwa, Crawford, and Schultz 745 to 750). The ethical problem is not collection alone. It is the conversion of context into control.
The third failure mode is asymmetrical transparency. Workers are measured while the measuring system is opaque. They do not know what is captured, how it is transformed, what thresholds trigger discipline, or how to challenge errors. This is precisely the kind of “tendency to interfere” with protected activity that the National Labor Relations Board General Counsel highlighted, proposing a framework in which intrusive monitoring that chills Section 7 activity is presumptively unlawful unless justified by business need and constrained by disclosure and necessity (National Labor Relations Board). Even when labor law does not directly govern a specific scenario, the analytic is transferable: if monitoring tends to prevent reasonable workers from exercising rights, it is not a neutral tool.
The fourth failure mode is vendor diffusion. Employers adopt analytics tools that run outside their direct control. The vendor becomes a shadow processor, and withdrawal becomes an email request rather than an orchestrated, testable action. Contracts promise deletion, but without telemetry, proofs, or test interfaces, contract language becomes theater.
The fifth failure mode is log absolutism. Organizations retain extensive logs to defend decisions, then treat that retention as non negotiable. The worker is told that withdrawal cannot be honored because the record might be needed later. Sometimes this is true. Often it is an unexamined default. Without a minimization oriented evidence architecture, the audit trail becomes the privacy violation.
The sixth failure mode is disciplinary entanglement. Even if data is deleted, the consequences remain. A worker was denied a promotion because of a score. Deleting the score does not undo the decision. Here the residue ledger must expand beyond data deletion into remediation accounting: what decisions were made, what artifacts were produced, and what corrective actions are required when the basis for a decision has been withdrawn.
Each failure mode indicates the same structural point. Withdrawal is not an event. Withdrawal is a continuing ability to constrain downstream governance.
Evidence gaps
Most workplace analytics programs can produce dashboards. Very few can produce evidence. Dashboards reassure management. Evidence convinces an adversarial auditor and empowers a worker.
The primary evidence gaps are predictable.
There is usually no lineage graph that spans systems. Without lineage, the organization cannot enumerate where worker data flowed, what derived artifacts exist, and which models were trained on it. This makes withdrawal non executable in the strict sense.
There is usually no stable set of semantics for removal. Deletion means different things across systems, and “deleted” often means “hidden.” Without a shared semantic layer, teams cannot attest truthfully.
There is rarely a test suite that can be run to validate withdrawal. The organization cannot prove, for example, that a worker’s data no longer influences a scheduling model, or that a performance score cannot be reconstructed from retained logs.
There is usually no worker legible access to the residue ledger. Workers are governed by systems they cannot inspect. This ensures that contestability is rhetorical rather than operational.
There is usually no separation of evidence and surveillance. Logs meant to enable accountability become themselves a mechanism of over capture. This is the paradox of audit trails, now intensified by ubiquitous instrumentation.
These gaps matter because workplace analytics is increasingly implicated in worker well being. A recent United States Government Accountability Office report details potential effects of digital surveillance on workers’ physical health, mental health, and safety, which is precisely the domain where organizations claim monitoring is justified while the lived experience may be harm and fear (United States Government Accountability Office). The goal here is not to adjudicate every monitoring instance as illegitimate. The goal is to build withdrawal infrastructure that allows necessity claims to be tested and constrained.
Redesign
A withdrawal centered redesign does not begin by banning all monitoring. It begins by making each monitoring claim specific, bounded, and auditable, and by reallocating power so that workers are not asked to trust what they cannot verify.
The first redesign move is purpose binding as a systems primitive. Every data flow must be attached to an intended use, expressed not as a policy paragraph but as an enforceable specification. Contextual integrity provides the philosophical backbone: information flows must be appropriate to the context and governed by norms of transmission, not by unilateral managerial preference (Nissenbaum 127 to 132). In practice, this means that safety telemetry must not be silently reused for discipline. If reuse is proposed, it must be treated as a new processing purpose requiring justification, constraints, and a visible record in the ledger.
The second move is worker visible provenance. The Residue Ledger must have a worker facing projection, a view that can explain what categories of data are captured, where they flow, what decisions they support, and how long they are retained. This is not about revealing proprietary thresholds. It is about making the existence of governance legible to the governed. In Arendt’s terms, it restores the possibility of responsibility by preventing the system from hiding behind administrative anonymity (Arendt 61 to 66).
The third move is minimization oriented evidence. The audit trail must be redesigned so that the organization can demonstrate compliance and fairness without collecting more than is necessary. This requires cryptographic and procedural methods that preserve attestability while reducing raw retention. It also requires an internal discipline of deletion service levels, stated explicitly as obligations rather than as best efforts.
The fourth move is worker governed retention and contestability. Here Ostrom’s relevance becomes concrete. Durable governance requires rules in use, monitoring of those rules, and graduated sanctions when rules are violated (Ostrom 90 to 102). Translating that grammar into workplace analytics means establishing worker participation in rule formation for monitoring, and building mechanisms for contestation that can trigger investigations, corrections, and sanctions inside the organization when monitoring exceeds agreed limits. Without enforcement, transparency becomes an aesthetic.
The fifth move is model influence control. Where models shape scheduling, promotion, or discipline, withdrawal must include the ability to bound influence. Sometimes that will require retraining. Sometimes it will require isolation techniques, access revocation, or replacement models. The design must tell the truth about what can be done within a given time horizon. The ledger must record the chosen mechanism and its limitations as a decision artifact that can be audited later.
The sixth move is vendor interoperability and deletion tests. Contracts must require not only deletion promises but test interfaces, evidence delivery, and periodic verification. The organization must treat vendors as part of its trust boundary. If it cannot audit the processor, it must treat the processor as a risk and adjust scope accordingly.
The seventh move is a labor rights aligned disclosure regime. The NLRB General Counsel’s approach is instructive, not merely legally but architecturally: disclose the technologies, disclose the reasons, disclose how information is used, and justify necessity where monitoring tends to chill protected activity (National Labor Relations Board). Withdrawal centered design should adopt disclosure and necessity as default constraints, not as exceptional concessions.
In combination, these redesign moves shift workplace analytics from a unilateral extraction regime into a governed measurement regime. The objective is not to eliminate measurement. The objective is to convert measurement into a bounded institutional practice that can be reversed, audited, and contested.
The unavoidable remainder
Even in the best designed system, some residues cannot be withdrawn without collapsing legitimate accountability. If a workplace injury investigation relies on certain records, the record cannot always be erased without harming justice. If an organization must document compliance with safety regulations, some telemetry may be necessary. If a worker contests unfair discipline, evidence may be required to vindicate them. Withdrawal therefore cannot be framed as absolute erasure. It must be framed as a principled partition: what is necessary for justice, and what is merely profitable, convenient, or disciplinary.
This is why quantified labor is an ethical crucible. Surveillance in employment is rarely only about efficiency. It is about authority, and authority tends to expand when its instruments are cheap. The Residue Ledger, applied to the workplace, must therefore do more than enumerate artifacts. It must encode institutional humility: an insistence that the employer cannot claim infinite rights to the worker’s exhaust, and cannot convert the conditions of earning a living into a condition of total observability.
The chapter ends with a design axiom that will recur in the next case study. When refusal is structurally expensive for the subject, the system has a heightened duty to make withdrawal operational. Where the worker cannot meaningfully say no, the institution must build mechanisms that restrict what it can do with what it takes.
In the next chapter, the health domain intensifies every problem described here: the long tail of inference, the persistence of derived artifacts, the collision between individual withdrawal and collective research, and the moral hazards of promising erasure where the record is also the site of care.
Chapter Twenty-Four: Health Data, Genomics, and the Long Tail of Inference
A patient asks a clinic to delete a genetic test result. The request is coherent in ordinary language, because most people still imagine information as an object that can be picked up, moved, and put back on a shelf. Inside modern health systems, the request becomes a traversal problem across institutions with different duties, different retention clocks, and different technical substrates. The result may sit in an electronic health record, in a laboratory information system, in payer claims, in a quality reporting feed, in a research registry, in a vendor analytics environment, and in the feature space of a model that estimates readmission risk. Even where the patient is told that the record has been removed, what often happened is that one interface stopped showing it, while the residues remained where they matter most: inside downstream decision systems and inside the administrative memory that governs coverage, access, and care. This is why health data is not simply another domain for verifiable withdrawal. It is the domain where withdrawal, if it is made real, must learn to coexist with clinical duty, public health, and the moral need for records that can support accountability.
The long tail of inference is the defining problem. In consumer contexts, inference often means personalization and prediction. In health contexts, inference becomes a medical and administrative fate. A diagnosis can be inferred from medication, from billing codes, from lab patterns, from clinician notes, from care pathways, and from genomic variants that implicate not only the individual but biological relatives. Once inference is operational, deletion of a single input may do little, because the same signal can be reconstructed from adjacent traces. Governance therefore shifts, again, from permission capture to withdrawal verification, but with an added constraint that does not exist in most consumer domains: the system sometimes must remember in order to treat, and must sometimes remember in order to be held accountable.
This chapter designs a withdrawal centered approach for health and genomics that tells the truth about what can and cannot be withdrawn, while still refusing the common institutional alibi that clinical complexity is a reason to avoid building real controls.
System description
Health data systems are federations. A single episode of care can involve providers, laboratories, pharmacies, payers, public health agencies, and research institutions, each with distinct legal regimes and technical stacks. Inside the provider, the electronic health record is only the visible surface. Underneath sit imaging archives, laboratory systems, scheduling, revenue cycle, identity resolution, and interoperability layers that move data outward through interfaces and exchanges. Outside the provider, payers process claims that encode diagnostic and procedural information, and those claims often persist longer than patients expect because they are part of adjudication, fraud detection, utilization management, and actuarial modeling. Meanwhile, the research ecosystem treats health data as a generative resource, a substrate for discovery, replication, and translational pipelines. The National Institutes of Health has explicitly articulated an expectation of broad sharing for genomic research data through its Genomic Data Sharing policy, aiming to promote wide and responsible sharing while establishing expectations for protections. NIH has also moved toward an infrastructure norm in which investigators plan for data management and sharing as a standard requirement, not an exceptional decision.
The legal baseline, in the United States, is frequently misunderstood. HIPAA governs certain covered entities and their business associates, but it does not govern all entities that hold health adjacent data, and its rights architecture is not a full withdrawal architecture. It gives individuals a right of access to protected health information in a designated record set. It also gives an individual a right to an accounting of certain disclosures, but explicitly carves out large categories, including disclosures for treatment, payment, and health care operations, which are precisely the categories where administrative propagation is deepest. This means that a person can have access rights and still lack a meaningful mechanism to see where their data has moved in the systems that shape coverage and care.
Genomics intensifies the governance challenge. Even when data is described as de identified, the HIPAA de identification standard is framed as the absence of identification and the absence of a reasonable basis to believe the information can be used to identify an individual, expressed in regulation at 45 CFR 164.514. Yet a long line of research demonstrates that genomic data, summary genomic statistics, and related artifacts can support re identification under certain conditions. Homer and colleagues showed that individuals can be detected in complex genomic mixtures using high density SNP data, undermining a simplistic belief that aggregate results are always safe. Gymrek and colleagues demonstrated surname inference from genomes, illustrating a route from ostensibly de identified genomic data to identity through linkage with external resources. Subsequent work, including re identification attacks on genomic beacons, further shows that the boundary between shareable genomic data and identifiable inference is contingent and moving, which means governance must be designed as a living restraint rather than as a one time classification.
Research governance adds another layer. The Common Rule provides a federal framework for human subjects protections, including informed consent and institutional review board structures, and it explicitly recognizes broad consent for the storage, maintenance, and secondary research use of identifiable private information or identifiable biospecimens. The Common Rule further specifies a hard edge that matters for withdrawal: if an individual was asked to provide broad consent and refused, an institutional review board cannot waive consent for the storage, maintenance, or secondary research use of the identifiable information or biospecimens. That is a rare place where refusal is treated as binding in a way that can be operationalized. It is also a reminder that verifiable withdrawal must attach not only to technical pipelines but to research governance decisions and documentation that must be made testable.
Residue map
Health and genomics generate residues that are uniquely layered. The same clinical fact can appear as narrative in a clinician note, as a code in a claim, as an image in a radiology archive, as a lab value in a results system, as a flag in a care management program, and as a coefficient in a risk model. The residues that matter for withdrawal are therefore not only direct copies, but also the inferential and institutional artifacts that persist when direct copies are removed.
The first residue class is the clinical record core. This includes the medical record as maintained in the designated record set, where HIPAA access rights attach. The clinical record core is not simply a dataset. It is a care instrument, and it is also a liability and accountability instrument. It often cannot be deleted in the way consumer data can be deleted, because it serves ongoing treatment and legal obligations. That does not mean it is exempt from governance. It means it must be governed with explicit semantics that distinguish correction, segmentation, and access control from erasure.
The second residue class is administrative propagation. Claims, prior authorizations, utilization management notes, denial rationales, and payment histories encode diagnosis and treatment in ways that can be used to infer sensitive conditions. The individual may never see most of these artifacts, and HIPAA accounting of disclosures does not require a full accounting for the most common operational disclosure pathways. A withdrawal request that touches only the provider record and not the payer and vendor analytics environment is therefore structurally incomplete.
The third residue class is operational telemetry. Patient portal access logs, audit logs, interoperability transaction logs, and system monitoring create a second order record of the record. Some of this is necessary for security and compliance, but it becomes a privacy residue when retained excessively or repurposed.
The fourth residue class is research copies. Biobank datasets, registry extracts, de identified datasets, limited datasets, and shared genomic repositories create long lived artifacts that move through institutions and into publications, models, and derivative datasets. NIH policies are oriented toward broad sharing as a scientific norm, which is ethically defensible only if the resulting propagation is governed with strong protections and honest communication about what can and cannot be withdrawn once sharing has occurred.
The fifth residue class is inferential profiles. Risk scores, propensity models, comorbidity indices, and predicted outcomes are often treated as administrative conveniences, but in practice they are governance levers. These are derived artifacts that can persist even if raw data is removed, because the score itself becomes a new record, and because the score can be recalculated from adjacent traces.
The sixth residue class is genomic permanence. Genomic information is not like a password. It cannot be rotated. It implicates kin. It can generate inferences long after the original context of collection. This is why the de identification framing in 45 CFR 164.514, even when followed in good faith, cannot be treated as a guarantee for genomic privacy, because the reasonable basis calculus evolves as re identification techniques evolve.
A verifiable withdrawal architecture in health must therefore represent not only where data lives, but what the system has learned, what the system has inferred, and what the system has decided.
Withdrawal failure modes
Health systems fail withdrawal for reasons that are not reducible to bad intent. They fail because the system was not built to support refusal as an executable property.
The first failure mode is category confusion. Organizations conflate access rights with withdrawal rights. HIPAA gives strong access rights for information in a designated record set, but access does not entail the ability to withdraw the record from downstream administrative uses, nor does it entail the ability to withdraw influence from models trained on historical data. Patients are given documents and portals, while their data continues to govern them elsewhere.
The second failure mode is the accounting gap. Individuals can request an accounting of disclosures, but the regulatory design explicitly excludes many disclosures that matter most for propagation, including those for treatment, payment, and health care operations. A governance system that points to accounting as evidence of control can therefore comply and still fail to provide meaningful traceability for withdrawal.
The third failure mode is de identification theater. Institutions treat de identification as a state rather than as a risk claim. In practice, the de identification standard is framed as a lack of identification and a lack of reasonable basis to believe identification is possible, which is a contextual and moving threshold. Genomic research has repeatedly shown that linkage and inference can defeat naive anonymity assumptions, whether through mixture detection, surname inference, or beacon style inference attacks. Withdrawal fails when organizations use the label de identified as permission to abandon provenance, access controls, and downstream obligations.
The fourth failure mode is research propagation without withdrawal semantics. NIH policy encourages broad genomic data sharing, and modern data sharing norms assume that sharing is beneficial for science and public health. That assumption is not wrong, but it becomes ethically brittle when participant withdrawal is handled as an administrative annotation rather than as a propagating constraint. If a participant withdraws from a biobank, what happens to already shared copies, derived models, and publications? Without explicit semantics, the answer becomes informal and inconsistent, which is the opposite of verifiable withdrawal.
The fifth failure mode is vendor diffusion. Health systems rely on business associates and technology vendors. If the organization cannot enumerate processors and cannot test deletion and retention claims, withdrawal becomes a chain of emails rather than an orchestrated control. This is structurally analogous to the vendor boundary problem in earlier chapters, but here it is intensified because vendors often operate across multiple providers and because health data is routinely combined with other datasets.
The sixth failure mode is clinical duty used as a blanket exemption. Some records must be retained to support safe care and accountability. That truth becomes a pretext to avoid building any withdrawal mechanisms for secondary uses, analytics, commercialization, or model training. A verifiable withdrawal architecture must separate the clinical record core, which has distinct retention obligations, from secondary use layers that are ethically and operationally optional.
Evidence gaps
The main evidence gap in health is simple: most institutions cannot prove where data went, and cannot prove what residue remains after a withdrawal request.
There is usually no coherent lineage graph across provider, payer, lab, and vendor systems. Without lineage, a withdrawal request cannot be evaluated for completeness, and cannot be audited.
There is usually no testable definition of removal semantics. In health records, removal might mean correction, segregation, restricted access, redaction from portals, or deletion from certain analytics environments, and those semantics differ across systems. HIPAA access rules define where the right attaches, but they do not define a unified withdrawal semantic across the entire sociotechnical federation.
There is rarely an influence test for models. If a hospital uses a risk model trained on historical records, a patient withdrawal request cannot be evaluated unless the organization can test whether the patient’s data continues to influence predictions or resource allocation decisions.
There is often no coherent relationship between research consent artifacts and technical enforcement. The Common Rule provides a framework for broad consent, and it provides a strong constraint when broad consent was refused, but most infrastructures do not translate that constraint into executable controls and propagating flags across datasets and pipelines.
There is limited use of protective legal mechanisms that are often misunderstood. Certificates of Confidentiality, grounded in statute and implemented through federal policy, can protect against compelled disclosure of identifiable sensitive research information, but they do not, by themselves, create a withdrawal mechanism across operational systems, nor do they resolve downstream propagation problems.
These evidence gaps make it easy for institutions to claim moral seriousness while remaining technically incapable of demonstrating it.
Redesign
Health requires a layered withdrawal model. The layered model is not a compromise. It is the only honest architecture that can preserve care and accountability while still constraining extraction and downstream propagation.
The first layer is the clinical record core, governed by care semantics. Here, the relevant capabilities are access, correction, segmentation, and purpose constrained access, aligned with HIPAA’s concept of a designated record set and an individual’s right of access. A verifiable withdrawal system should not promise deletion of the clinical record core as a default, because that promise is often incompatible with care obligations. Instead, it should make visible what can be corrected, what can be sequestered, and what can be restricted, and it should produce evidence that those actions were executed.
The second layer is the secondary use layer, governed by withdrawal semantics. This includes analytics, quality improvement beyond minimal necessity, commercialization, and model training. The design objective here is straightforward. If the use is not necessary for immediate care, it must be withdrawable, and withdrawal must propagate across lineage. This is where the Residue Ledger becomes decisive. The ledger must represent every transformation and every downstream dependency, so that withdrawal can be executed as a graph operation with auditable proofs, rather than as a single deletion ticket.
The third layer is the research layer, governed by consent, broad consent, and durable protections. The Common Rule’s treatment of broad consent provides a scaffold for executable refusal. If broad consent was sought and refused, the system must enforce that refusal by design, because the institutional review board cannot waive consent for the storage, maintenance, or secondary research use of the identifiable information or biospecimens in that circumstance. This should be operationalized as a hard control in the ledger: a refusal state that blocks secondary research transformations and generates evidence artifacts that can be audited.
The fourth layer is the inference layer, governed by bounded influence. In genomics and health analytics, withdrawal is often better conceptualized as influence reduction rather than as total erasure. The system should support mechanisms that reduce the ability of a person’s data to shape downstream models and profiles, and should provide a transparent statement of what was done, what cannot be done, and what residual influence may remain. This is where the long tail of inference demands a shift in governance language. Withdrawal is not a metaphysical act. It is an engineered constraint with measurable residuals.
The fifth layer is the disclosure and accountability layer, governed by evidence minimalization. Audit trails are necessary, but they must be designed to minimize privacy residue. This requires separating evidence sufficient for verification from raw data retention that is merely convenient. Where the organization invokes security or compliance to retain extensive logs, it must show why those logs are necessary and how they are protected, and it must treat the logs themselves as governed datasets.
Genomics demands an additional design principle: anti finality. Because re identification techniques evolve, the system must treat de identification as a risk claim that must be revisited. HIPAA de identification standards are real and must be respected, but genomic evidence shows that the privacy boundary is contingent, so the ledger should include a mechanism for periodic reassessment of disclosure risk and for revoking access when risk profiles change.
Finally, research sharing policy must be integrated into the withdrawal design rather than treated as an external constraint. NIH policies push toward data sharing as a norm, which is compatible with ethics only if withdrawal semantics and downstream protections are built as first class controls. In other words, it is not enough to say that data will be shared responsibly. Responsibility must be testable.
The unavoidable remainder
In health, there are residues that cannot be deleted without harming justice or care. A medication allergy, a surgical history, an adverse reaction, and certain diagnostic facts may need to persist in the clinical record core because forgetting can be lethal. Accountability also requires memory. If a person was harmed by a system, erasing records can erase the possibility of redress. The ethical objective is therefore not total deletion. The objective is to distinguish necessary residues from merely profitable residues, and to make that distinction legible, auditable, and contestable.
This is why a withdrawal centered health architecture must end with humility rather than triumph. It must be able to say, with precision, which parts of the system can be reversed, which parts cannot, and why. It must also be able to show, with evidence, that secondary uses were actually constrained when withdrawal was requested, and that the system is not converting clinical vulnerability into an indefinite right to extract.
The next chapter shifts from clinical and research institutions to consumer platforms, personalization, and latent profiles. The purpose is not to treat consumer systems as trivial compared to health, but to show how the same inferential residues that trouble genomics now appear in everyday recommender systems and embeddings, where withdrawal is framed as preference while functioning as governance.
Chapter Twenty Five: Consumer Platforms, Personalization, and Latent Profiles
Consumer platforms are the canonical residue machines because their core product is not a static service but a continuously updated prediction of what will hold a person’s attention next, which means that every interaction is simultaneously a behavioral event and a training signal. What the user experiences as a feed, a ranked list, a search result, a recommended video, or an advertisement that seems to “find” them is, at the systems level, a cascade: instrumentation captures events; pipelines normalize and enrich those events; models compress histories into vectors and factors; ranking services assemble candidates; and the interface renders a choice architecture that feeds back into the next wave of data collection. The point is not simply that the system observes. The point is that the system learns structures about the person that outlive the original observation, often in forms that neither resemble the raw data nor respond cleanly to a deletion request, because the user’s data has been transformed into parameters, embeddings, audience segments, and similarity relations, which are designed to be reusable across contexts and time.
This chapter treats consumer personalization as a case study in inference residue. It follows the fixed structure of this section: system description, residue map, withdrawal failure modes, evidence gaps, redesign, and the unavoidable remainder. The central claim is straightforward. In a mature personalization stack, raw data deletion is only the most visible and least morally decisive layer of withdrawal. The harder layer is derived identity, the latent profile that is continuously inferred from behavior and then exported into adjacent systems such as advertising marketplaces, measurement vendors, and cross property analytics. If verifiable withdrawal is to mean anything in this environment, it must include an explicit protocol for inference withdrawal, meaning the detection, measurement, attenuation, and where required the recomputation of profiles and segments that were built from data that the user has withdrawn, even when those profiles are expressed as vectors, ranks, or lookalike sets rather than as an obvious row in a table.
System description: personalization as continuous inference infrastructure
A modern personalization platform is typically composed of five coupled layers. First, the event layer: page views, clicks, dwell time, scroll depth, purchases, likes, shares, follows, and device signals. Second, the enrichment layer: identity resolution, device graphs, location signals, content metadata, and third party data or brokered data. Third, the representation layer: embeddings and latent factors that compress high dimensional behavior into lower dimensional structures that a model can generalize over, which is a standard move in recommendation and representation learning, from matrix factorization to implicit feedback ranking methods to neural embeddings (Koren, Bell, and Volinsky; Rendle et al.; Mikolov et al.). Fourth, the ranking layer: candidate generation, scoring, and reranking with constraints, often optimized for engagement and revenue. Fifth, the export layer: analytics, advertiser reporting, audience segments, and partnerships, including flows that may leave the platform’s direct control.
Regulators and enforcement bodies increasingly describe this ecosystem in terms that align with our residue vocabulary. The Federal Trade Commission staff report on social media and video streaming services describes vast surveillance practices, the role of targeted advertising incentives, broad data sharing, and the use of tracking technologies such as pixels, while also noting concerns about retention and even failures to delete all user data in response to deletion requests (Federal Trade Commission, “FTC Staff Report Finds Large Social Media and Video Streaming Companies Have Engaged in Vast Surveillance of Users with Lax Privacy Controls and Inadequate Safeguards for Kids and Teens”). In parallel, FTC enforcement actions against location data brokers describe the extraction of sensitive location data via real time bidding markets, the retention of bidstream data even when a bid does not win, and the creation of audience segments derived from sensitive characteristics such as visits to pregnancy centers or places of worship, which illustrates how quickly behavioral traces become marketable inferences (Federal Trade Commission, “FTC Takes Action Against Mobilewalla for Collecting and Selling Sensitive Location Data”; Federal Trade Commission, “FTC Takes Action Against Gravy Analytics, Venntel for Unlawfully Selling Location Data Tracking Consumers to Sensitive Sites”).
From the standpoint of verifiable withdrawal, the most important feature of this architecture is that the platform’s “memory” is not a single datastore but a stratified set of representations. Some are direct. Some are transformed. Some are aggregated. Some are learned. Withdrawal must therefore be defined as an action on a graph, not a record level mutation.
Residue map: what persists after the user withdraws
The residue surface of a consumer personalization stack is broad, but it clusters into predictable classes.
There is direct residue: raw event logs, account attributes, customer support transcripts, and explicit preferences. There is cached residue: content delivery caches, search indexes, feature caches, offline stores for experimentation, and replicated logs in analytics warehouses. There is transformed residue: derived features such as frequency counts, recency scores, and topic vectors. There is aggregated residue: cohort statistics and reporting metrics. There is learned residue: model parameters, latent factors, and embeddings that encode a person’s tendencies in a way that can generalize beyond observed behavior (Koren, Bell, and Volinsky; Mikolov et al.). There is relational residue: similarity graphs and lookalike audiences where the person’s behavior helps define the neighborhood structure of other people’s recommendations. There is marketplace residue: audience segments shared with advertisers or processors, and bidstream artifacts produced by advertising auctions. There is human residue: screenshots, exports, and informal datasets created by employees or contractors.
Two technical facts make inference residue uniquely difficult. First, a profile can be highly identifying even when it is not labeled with a name, because high dimensional microdata is often reidentifiable with minimal auxiliary knowledge, as demonstrated in classic deanonymization work on sparse preference datasets (Narayanan and Shmatikov). Second, inferences can surface sensitive traits even when the platform does not solicit them, because behavioral traces can predict attributes that the user never directly disclosed, including traits that are socially and legally sensitive, which has been shown in work predicting private traits from digital records such as social media likes (Kosinski, Stillwell, and Graepel).
These are not edge cases. They are structural properties of personalization: the system is designed to infer.
Withdrawal failure modes: how platforms simulate deletion while keeping the profile
The common failure mode in consumer platforms is to treat deletion as an account state rather than as a provenance obligation. The user can deactivate or delete an account, and the visible surface changes, but the back end often retains multiple forms of residue for reasons that range from operational convenience to revenue. The FTC staff report explicitly flags concerns about data retention practices and notes that some companies did not delete all user data in response to user deletion requests (Federal Trade Commission, “FTC Staff Report Finds Large Social Media and Video Streaming Companies Have Engaged in Vast Surveillance of Users with Lax Privacy Controls and Inadequate Safeguards for Kids and Teens”). Even when raw data is partially deleted, derived artifacts can persist by default, because their lifecycles are rarely tied to the user’s lifecycle. The profile, the embedding, the segment membership, the similarity edges, and the influence on other users’ neighborhoods often remain unless there is an explicit mechanism to remove or recompute them.
A second failure mode is the decoupling of deletion from exports. Audience segments, measurement partners, and downstream processors can retain and reprocess signals even after the platform has updated its own stores, which is why enforcement actions that focus on third party markets are so revealing: they show that the bidstream itself is a residue production line, and that firms may collect and retain sensitive data from advertising exchanges even when the auction was lost, which makes “consent” conceptually thin and withdrawal operationally elusive (Federal Trade Commission, “FTC Takes Action Against Mobilewalla for Collecting and Selling Sensitive Location Data”). When inferences are sold, licensed, or shared, deletion requests become contractual and technical coordination problems across trust boundaries, not merely internal database operations.
A third failure mode is the semantic laundering of inferences. Platforms will often claim they do not have a certain sensitive attribute, while relying on proxies and segments that function as if they did. Zuboff’s account of behavioral extraction helps name the macro logic that makes this profitable, while Scott’s analysis of legibility helps name why the platform prefers categories that are administrable and monetizable, even when those categories harm the person (Zuboff; Scott). The practical point for our framework is that inference residue often persists precisely because it is framed as a product, not as personal data, which allows organizations to treat it as exempt from withdrawal obligations.
Evidence gaps: why auditors cannot validate withdrawal claims in personalization stacks
The evidence gap in personalization is usually not the absence of logs but the absence of binding between three things: the user’s withdrawal request, the provenance graph of derived artifacts, and the recomputation or attenuation actions that follow. In many platforms, deletion is implemented as a service level workflow that updates a few authoritative stores and then relies on retention policies to age out the rest. That is not verifiable withdrawal. It is delayed forgetting with unknown residue.
For an auditor, the minimum evidentiary question is not “did you delete the account row” but “did you remove the person’s influence from the representations that shape ranking and targeting.” Without a lineage graph that ties a user’s raw events to feature derivations to model training runs to segment exports, a platform cannot produce adversarially testable evidence. It can only produce assertions, which is precisely the liturgy this book rejects.
Regulatory texts already point toward the demanded direction: withdrawal must be actionable and not merely theoretical. Article 7 of the General Data Protection Regulation states that withdrawal must be as easy as giving consent, and it clarifies that withdrawal does not retroactively affect lawfulness of prior processing, which increases the importance of specifying what ongoing processing and retention must cease (Regulation (EU) 2016/679, art. 7). Article 17 establishes the right to erasure under defined grounds and thus forces the question of what counts as “personal data concerning” a person when the relevant artifacts are latent profiles rather than raw records (Regulation (EU) 2016/679, art. 17). The European Data Protection Board guidelines on consent further underscore the practical obligations around withdrawal and transparency about how it is exercised, reinforcing that the user’s act must translate into operational change rather than interface theater (European Data Protection Board).
Redesign: an inference withdrawal protocol that can be audited
A consumer platform that aims at verifiable withdrawal must explicitly elevate inferences to governed objects. The redesign therefore begins with a definitional commitment that is simultaneously technical and moral: audience segments, embeddings, and latent profiles are treated as regulated residue classes, each with a declared lifecycle, provenance requirements, and withdrawal semantics.
The protocol has five linked components.
First, inference inventory and typing. Every derived profile artifact must be cataloged as a first class entity with an owner, an intended purpose, retention constraints, and a mapping to the upstream event sources and enrichment sources that feed it. This is not documentation; it is the prerequisite for a lineage graph that can drive deletion orchestration. The FTC staff report’s emphasis on inadequate minimization and retention practices is a reminder that inventory is not optional if the business model incentivizes indefinite retention (Federal Trade Commission, “FTC Staff Report Finds Large Social Media and Video Streaming Companies Have Engaged in Vast Surveillance of Users with Lax Privacy Controls and Inadequate Safeguards for Kids and Teens”).
Second, binding between deletion requests and representation updates. A withdrawal request must create a durable, machine readable claim in the Residue Ledger that triggers actions on each residue class. For raw data, the action may be deletion or key revocation. For transformed features, it may be recomputation of feature stores for the relevant time windows. For embeddings and latent profiles, it may be retraining, targeted removal, or isolation depending on the model coupling and the promised semantics. The key is that each action is an evidence producing step that can be inspected later, not a best effort job that disappears into an operations queue.
Third, purpose binding as constraint, not policy. Contextual integrity insists that information flows must be evaluated relative to social context and norms, not merely user preference (Nissenbaum). In personalization systems, purpose binding must be operationalized as constraints in ranking and targeting pipelines: the platform must restrict the export of sensitive proxies, restrict the use of brokered data in personalization unless the provenance includes verifiable consent, and enforce retention and deletion on bidstream artifacts when the platform touches advertising auctions, because enforcement actions show that auction participation can become an extraction channel even when the bid fails (Federal Trade Commission, “FTC Takes Action Against Mobilewalla for Collecting and Selling Sensitive Location Data”).
Fourth, inference withdrawal as recomputation or attenuation with measurable targets. Not every learned artifact can be perfectly reversed without disproportionate cost, and the framework has never promised purity. What it can promise is bounded honesty with measurable deltas. An inference withdrawal procedure should define what measurable change is expected after withdrawal. For example, if a user withdraws, the platform should be able to show that the user is no longer eligible for certain segments, that their embedding is deleted or replaced with an inert representation, and that the influence of their events on neighbor relations is attenuated within a declared time bound. This is where classic research on recommender latent factor models becomes operationally relevant: because matrix factorization and implicit feedback ranking explicitly encode user preference structure, the platform can design recomputation pathways that update user factors and neighborhood relations, rather than pretending that deleting raw events has erased influence (Koren, Bell, and Volinsky; Rendle et al.). Similarly, the widespread use of embeddings as compressed representations underscores why the profile itself must be treated as residue: embeddings are designed to preserve relationships and generalizations, which is exactly why they persist as influence even when the raw data is removed (Mikolov et al.).
Fifth, adversarially meaningful evidence. The platform must produce evidence that a reasonable auditor can validate without trusting internal narratives. At minimum, this includes a cryptographically protected record of the withdrawal request, a provenance trace of affected artifacts, execution logs of deletion and recomputation actions, and differential tests that demonstrate that the user’s segment membership and profile availability changed as specified. The FTC staff report’s focus on weak oversight and inconsistent monitoring of automated systems strengthens the claim that monitoring and testing must be integral to withdrawal, not an afterthought (Federal Trade Commission, “FTC Staff Report Finds Large Social Media and Video Streaming Companies Have Engaged in Vast Surveillance of Users with Lax Privacy Controls and Inadequate Safeguards for Kids and Teens”).
This redesign does not abolish personalization. It abolishes the lie that personalization can be built on indefinite inference while still claiming to honor withdrawal in any meaningful sense.
The unavoidable remainder: what still persists even after inference withdrawal
Even a well designed inference withdrawal protocol cannot erase all residues without collapsing the social record, the security record, or the accountability record. A platform may need to retain certain logs to investigate fraud, to secure the system, or to comply with legal obligations. More importantly, a person’s past interaction may have shaped aggregate statistics and model behaviors in ways that are not individually isolatable without full retraining. The correct ethical move is not to deny this but to declare it precisely and to price it honestly, which is the orientation of this book.
Two boundary truths close the case study. First, the reidentification literature demonstrates that “anonymized” behavioral data can remain linkable to individuals with small amounts of auxiliary information, so deidentification claims must be treated as hypotheses to be tested, not as guarantees to be asserted (Narayanan and Shmatikov). Second, the predictability of sensitive attributes from ordinary behavior means that platforms must treat inference as a form of personal data processing in practice, because the system can manufacture sensitivity even when the input appears banal (Kosinski, Stillwell, and Graepel). Together these truths mean that the moral problem of consumer platforms is not a lack of consent banners. It is the industrialization of inference and export.
This is why the next chapter must shift from the platform as a residue engine to the deeper question that every residue ledger eventually faces. Some residues cannot be deleted without erasing accountability, memory, or the possibility of contesting harm. With Chapter Twenty Five complete, the case studies close and the book turns to its final conceptual hinge: Chapter Twenty Six, which names what cannot be deleted and therefore forces the distinction between residue that serves justice and residue that serves extraction.
Chapter Twenty-Six: What cannot be deleted
A withdrawal system fails in two symmetrical ways. In the first failure, it promises erasure where the system has no coherent mechanism to locate, isolate, and retire what has already propagated, and then it disguises this inability as completion. In the second failure, it treats any impossibility as a permanent exemption, and then it uses the language of accountability to justify indefinite retention, indefinite inference, and indefinite leverage. The moral remainder lives between these failures: there are residues that cannot be deleted without damaging justice, contestability, and the very conditions under which harms can be proven, appealed, or repaired, and there are residues that are defended as “necessary” only because they are profitable, convenient, or institutionally habitual. The work of verifiable withdrawal in its mature form is therefore not the fantasy of purity but the discipline of discrimination, which means building systems that can distinguish these classes, name the tradeoffs, expose the incentives, and produce evidence that an adversarial reviewer can validate.
The correct starting point is political rather than technical: institutions are not neutral containers for information, because information is one of the primary instruments by which institutions stabilize their authority. Arendt’s analysis of the vulnerability of factual truth under political pressure remains instructive here, not because this book is about partisan struggle, but because factuality is what administrative systems continuously adjudicate, and because an institution that controls records can control what is sayable, contestable, and compensable. When a person challenges a denial, a termination, a classification, or a model driven allegation, their demand is not for a “preference” to be honored, but for a fact pattern to be heard and a decision to be answerable. If a system responds to withdrawal by deleting the very traces that would enable appeal, it converts consent into a tool for its own insulation, and it makes the weak pay for the institution’s fear of being audited. In that sense, not everything can be deleted because some traces are the material conditions of justice.
This is why welfare jurisprudence is a useful anchor for the remainder. Goldberg insists that procedural protection is demanded precisely where deprivation would collapse the recipient’s capacity to survive long enough to contest the decision. The Court’s formulation that termination pending resolution may deprive a person “of the very means by which to live while he waits” is not a rhetorical flourish; it is an explicit statement that time is a weapon, and that administrative latency can be lethal when the affected party is already near the margin of subsistence. In systems that process withdrawal requests, the same weapon appears in a new costume: if deletion is performed in a way that destroys the contestable record, then the system can say “we complied” while preventing the person from proving what happened, when it happened, and why. A withdrawal control that cannot preserve due process is not an ethical control. It is an institutional convenience masquerading as restraint.
Mathews sharpens the point by formalizing the balancing logic that administrative systems repeatedly perform, whether they admit it or not: private interest, risk of erroneous deprivation, and the burdens of additional safeguards. Withdrawal engineering lives inside this triad. It is not enough to say that additional evidence8retention is “expensive” or that deleting everything is “safer.” The question is which evidence is necessary to reduce error and enable redress, and which evidence is surplus accumulation that increases power asymmetry. A system that can compute propagation depth but cannot compute contestability requirements is mis-specified. Verifiable withdrawal must therefore include a dedicated concept that many current control frameworks treat as an afterthought: the right of a subject to contest, and the duty of an institution to remain provable.
This is also where the European Union’s right to erasure is often misunderstood by operators who encounter it as a deletion ticket and by critics who treat it as a promise of immaculate forgetting. The Regulation itself explicitly enumerates contexts where erasure is limited, including obligations tied to freedom of expression and information, compliance with legal obligations, public interest tasks, public health, archiving in the public interest, scientific or historical research under constraints, and the establishment, exercise, or defense of legal claims. These are not loopholes in an otherwise pure principle. They are an admission that democratic life and institutional accountability require durable traces, and that some deletion would be a form of historical falsification. The ethical question is therefore not whether exceptions exist, but whether the system can justify them with boundedness, specificity, and evidence, and whether the exceptions are governed in a way that prevents the institution from classifying everything as a legal claim, an archive, or a public interest task by default.
Once this is conceded, the remainder can be named with more precision. I propose that verifiable withdrawal must treat retention as a constrained, auditable claim, not as a background entitlement. Every denial of deletion, every partial fulfillment, and every decision to retain a residue class must generate a Retention Justification Record that includes: the articulated basis for non deletion; the narrowest scope that satisfies that basis; the time horizon and reevaluation trigger; the access boundaries; and the evidence that the retained artifact is being used for the stated purpose and not being repurposed as a general substrate for prediction or control. The point is to render the exception legible to oversight without rendering persons legible to extraction, a distinction Scott helps clarify. Legibility projects flatten local context into administrable categories, and one of the easiest ways to produce administrative domination is to force the world into record formats that the center can process at scale. Withdrawal governance must therefore do something difficult: it must increase legibility of institutional action while decreasing legibility of persons as harvestable objects.
This is where contextual integrity becomes a non negotiable constraint. Nissenbaum’s argument is not that privacy is secrecy, but that information flows are governed by norms that specify appropriate actors, attributes, and transmission principles within contexts. A remainder that must be retained for contestability does not automatically become permissible to reuse for model training, ranking, or targeting, because the contextual norm that legitimizes retention is not the same norm that would legitimize repurposing. In plain terms, “we keep this record so you can appeal” and “we keep this record because it improves a model” are morally different claims, and a withdrawal system that cannot technically enforce the difference will drift toward the stronger institutional incentive, which is almost always the incentive to reuse. Verifiable withdrawal must encode purpose binding not as documentation but as access control, pipeline gating, and evidence.
The deepest temptation, and the hardest to prevent, is to turn the remainder into a general memory substrate for social sorting. Here Benjamin’s account of the “New Jim Code” is not an external critique appended for moral color; it is a design warning about how supposedly neutral technical infrastructures reproduce hierarchy through classification, scoring, and automated allocation. If a remainder contains the traces of disadvantage, then using it as a training reservoir risks laundering structural inequality into model parameters while maintaining the aesthetic of objectivity. In that sense, some residues cannot be deleted because they are needed to prove harm, but they also cannot be casually retained because they can become the raw material for new harms. The remainder therefore demands dual containment: preservation for justice, and insulation against opportunistic reuse.
This is where Ostrom’s institutional grammar becomes operational rather than decorative. Durable governance is built from rules that are clear, enforceable, monitored, and backed by graduated sanctions, with mechanisms for conflict resolution and rule revision that do not depend on heroic virtue. In withdrawal terms, the Retention Justification Record must trigger monitoring obligations, not aspirational reviews; access to retained residues must be actively audited; violations must have predictable consequences; and there must be an institutional pathway by which subjects, advocates, or oversight bodies can contest a retention claim without begging the very institution whose power is at issue. This is the point at which verifiable withdrawal becomes a governance system rather than a deletion feature.
At the technical layer, the remainder forces a disciplined separation of planes. The content plane contains data that can be removed, transformed, or isolated. The evidence plane contains the minimum information needed to prove actions taken, obligations invoked, and controls performed, including cryptographic attestations, deletion orchestration logs, and auditor verifiable traces. The ethical requirement is that evidence be sufficient while content be minimized. If a system retains expansive content in order to support auditability, it has confused proof with hoarding. Conversely, if it deletes content so aggressively that it cannot prove what happened or enable contestation, it has weaponized compliance. The design challenge is to build an evidence plane that is narrow, structured, and reviewable, and to treat the remainder as a bounded object with strict access semantics rather than as a general purpose archive.
This discrimination should also be reflected in the system’s claims language. Instead of promising “we deleted it,” the system should produce an explicit Withdrawal Statement that includes: what was deleted, what was isolated, what could not be removed, why it could not be removed, and what compensating controls now govern the remainder. The Withdrawal Statement is not public relations. It is the institution’s sworn account of its own limits. The statement must be written so that a regulator, auditor, court, or subject can identify the difference between technical impossibility and institutional preference. It must also be written so that the institution cannot hide behind vagueness. The remainder is where vague language becomes a form of power.
The chapter’s claim can now be stated without romance: what cannot be deleted is not a residual embarrassment, but a jurisdictional problem in the literal sense, because it is about who has the right to retain, under what authority, for what purpose, with what evidentiary burden, and under what conditions of review. Verifiable withdrawal is therefore an institutional humility practice only if it includes the humility of bounded memory: the willingness to retain what justice requires, the refusal to retain what extraction desires, and the capacity to show the difference in evidence that survives adversarial scrutiny.
Transition to the Coda
Part VII ends here because the remainder cannot be solved by another mechanism. It can only be governed by an orientation that tells the truth about limits, incentives, and power, and then binds the institution to those truths through auditable practices. The Coda therefore returns, not to repeat the earlier argument, but to name the stance that must hold when technical means are finite and administrative temptation is infinite.
Coda
Verifiable withdrawal as institutional humility
Humility in institutional design is not softness, and it is not a pose. It is a specific refusal: the refusal to claim purity where the system cannot deliver it, and the refusal to exploit the gap between what can be proven and what can be done. The entire arc of this book has argued that withdrawal is the hard case because propagation turns consent into a graph problem and because derived artifacts turn simple removal into epistemic residue. The temptation in that terrain is to choose between two lies, the lie of perfect deletion and the lie of inevitable retention. The orientation I want to defend is a third posture: governed remainder, evidenced action, and explicit cost internalization.
To practice verifiable withdrawal as humility, a system must be designed to be contradicted. It must make it possible for a subject, an auditor, an advocate, or a regulator to catch the institution in overclaim, to detect noncompliance, and to force correction. This is the opposite of most contemporary compliance theater, which is designed to produce closure rather than truth. Humility therefore requires an evidentiary posture that is legible to adversarial review, a lineage posture that treats provenance as accountability geometry rather than metadata, and an economic posture that prices withdrawal readiness as an ongoing obligation rather than an exceptional incident response.
It also requires a disciplined relationship to power. Legibility must be redirected: institutions must become legible to oversight in their actions and constraints, while persons become less legible to extraction as a default substrate. Contextual integrity must be enforced as an engineering constraint, so that retained traces for contestability do not silently become fuel for profiling. Equity must be treated as a safety property, so that remainder retention does not reinstantiate hierarchy through classification and allocation. And due process must be treated as a technical requirement, so that withdrawal does not erase the very record needed to dispute harm.
The book began by shifting the ethical center of gravity from permission capture to withdrawal verification, because harm in contemporary systems is produced as propagation, not as a single moment of collection. The end of the book does not reverse that shift. It sharpens it. When a system can tell the truth about where data went, what remains, what it did, what it could not do, and what it will do next, it stops treating people as inexhaustible sources and starts treating itself as accountable infrastructure. That is the only form of consent language that deserves to survive contact with pipelines, models, and institutions.
Appendices that remain part of the final manuscript
Appendix A presents the Residue Ledger reference architecture as a coherent system with explicit trust boundaries, including lineage collection, policy evaluation, deletion orchestration, and evidence generation paths, written so that an auditor can map each component to a specific claim. Appendix B enumerates control objectives as verifiable statements with corresponding test procedures and expected evidence artifacts, designed to prevent meetings from collapsing into definitional drift. Appendix C specifies a model withdrawal evaluation suite, including canary design, targeted prompt corpora, regression thresholds, and reporting formats that separate influence removal from output suppression. Appendix D provides procurement clause families paired with technical prerequisites and an evidence schedule, so that third party processors become governed interfaces rather than black boxes. Appendix E is a glossary that enforces hard definitions where institutions typically substitute euphemism for capability.
Appendix A
Residue Ledger reference architecture
The Residue Ledger is a control plane whose purpose is to make withdrawal non fictional by turning it into a computable, testable, and attestable property of a socio technical system. Architecturally, it is not a single database and it is not a dashboard. It is a set of interoperating services that together implement four invariants: first, every withdrawal request resolves to a subject identity and a scope definition that can be defended; second, every downstream dependency in scope is discoverable through a provenance and lineage graph; third, every action taken is executed through an orchestrator that binds action semantics to residue classes; fourth, every action and every justified remainder yields evidence artifacts that an adversarial auditor can validate without relying on organizational assurances. These invariants align to the NIST AI RMF emphasis on measurable governance and to the W3C PROV data model requirement that provenance be expressible in terms of entities, activities, and agents.
At the boundary of the system is the Withdrawal Intake Gateway. It receives withdrawal requests, authenticates the requester, and records the request as a first class event, with an immutable identifier that persists through all later steps. Identity cannot be treated as a formality because withdrawal obligations attach to a person, an account, a device, or a legal subject, and because identity collisions are a primary failure mode in large systems. The gateway therefore routes into an Identity Resolution Service that supports probabilistic matching under explicit uncertainty, and it must be instrumented so that uncertainty is visible rather than silently coerced into false certainty, a principle consistent with privacy risk management as described by the NIST Privacy Framework.
From identity, the system moves into Scope Determination and Policy. Scope is not a free choice by the implementer. It is derived from declared processing purposes, consent states, contractual commitments, and legal retention exceptions. This is implemented as a Policy Decision Service that evaluates the request against a Purpose and Obligation Registry, and produces a Withdrawal Plan. The plan is a structured object with three parts: the removal semantics required, the residue classes affected, and the justified remainder categories, each tied to a retention basis and a time horizon where applicable. This is the point where the architecture forces truth telling about limits, consistent with the GDPR structure that recognizes erasure while enumerating explicit exceptions and obligations.
The Withdrawal Plan becomes executable only when the system can enumerate dependencies. That requires provenance and lineage capture that is not optional telemetry. The Lineage Collection Layer ingests events from data pipelines, feature stores, model training runs, deployment registries, logging systems, and vendor exchange points. The lineage representation should be compatible with the PROV conceptual structure, where entities include datasets, feature sets, model checkpoints, and logs, activities include transforms and training runs, and agents include services, teams, and vendors. The Lineage Graph Store then supports two query classes: impact analysis, which enumerates all artifacts influenced by the subject within a defined time and purpose scope; and evidence reconstruction, which proves the chain of derivation when challenged.
The central executor is the Withdrawal Orchestrator. It translates a Withdrawal Plan into a sequence of actions with explicit semantics. In the content plane, those actions include hard deletion where feasible, tombstoning and reference breakage where data is replicated in systems that cannot immediately purge, key revocation and reencryption where cryptographic separation is the correct boundary, and isolation controls that prevent further use even when a residue cannot be physically removed. In the model plane, the actions include retraining triggers, unlearning actions when appropriate, model editing actions when influence removal is bounded to targeted behavior, and output suppression controls when the objective is to prevent memorized disclosure rather than to remove training influence. The orchestrator is required to record not only what it attempted, but also what it could not do and why, because the core ethic of this book is that governance must be able to survive adversarial audit rather than depend on internal faith.
Verification is not a final checkbox. It is a suite of tests bound to residue classes. For direct copies, verification can include storage scans and referential integrity checks. For caches, it includes cache invalidation confirmation and drift monitoring. For transformed artifacts, it includes recomputation attestations or differential checks. For model related residues, it includes canary evaluation, membership inference style checks where appropriate, and regression controls that show that withdrawal did not silently degrade safety or performance in ways that create new harms. This verification posture is consistent with NIST AI RMF guidance to test and monitor AI systems across the lifecycle and to treat governance as measurable practice.
Evidence is stored in an Evidence Plane that is deliberately separate from the content plane. The Evidence Store is append only, tamper evident, and access controlled. Its purpose is not to preserve extractive detail but to preserve proofs of action, justification, and boundaries. A useful design analogy is Certificate Transparency, where the point of an append only log is to enable third party auditing of issuance and to detect misbehavior, and where the log itself becomes an object of audit. The Residue Ledger borrows the structure but applies it to withdrawal events, so that an auditor can validate that actions occurred, that vendor attestations were received, and that claimed remainders match policy.
Trust boundaries must be explicit because most withdrawal failures occur where boundaries are blurred. At minimum, the architecture includes four boundaries. The first is between the request gateway and internal systems, where identity and authorization must be enforced. The second is between internal systems and vendors, where evidence must be contractually and technically required. The third is between the Evidence Plane and all production pipelines, where secondary use must be structurally blocked. The fourth is between governance and engineering, where decision rights about justified remainder must be constrained and reviewable rather than discretionary. This boundary driven approach is consistent with the enterprise risk orientation of NIST SP 800 53, which frames controls as organizational practice rather than local good intentions.
Appendix B
Control objectives and test cases
This appendix provides a catalog of verifiable control objectives written as statements that can be tested. Each objective is paired with a test procedure and a minimal evidence set, with the explicit aim of preventing audit theater by replacing narrative assurance with reproducible validation. The control language is aligned to the governance and measurement posture emphasized by NIST SP 800 53 and to the risk and lifecycle emphasis of the NIST Privacy Framework and AI RMF.
Control RL 01 Withdrawal intake integrity. The system shall record every withdrawal request as an immutable event with a unique identifier, request metadata, and a traceable decision outcome. Test procedure: submit a controlled set of withdrawal requests covering valid, invalid, and ambiguous identities, then confirm that each request produces a persistent record, that no record can be modified without detection, and that outcome states are consistent with policy. Evidence: request event log extracts, integrity proofs for immutability, and policy evaluation artifacts.
Control RL 02 Identity resolution defensibility. The system shall resolve subject identity with an explicit confidence measure and shall refuse automatic execution when confidence is below the configured threshold. Test procedure: run a red team set of near collision identities and confirm that low confidence cases route to adjudication rather than silent execution. Evidence: identity resolution outputs with confidence values, adjudication queue records, and sampled reviewer decisions.
Control RL 03 Provenance completeness threshold. For any system in scope for withdrawal, the lineage graph shall meet a declared completeness threshold, and the system shall fail closed for withdrawal execution when required edges are missing. Test procedure: deliberately break lineage ingestion for one pipeline and confirm that the orchestrator produces a plan that identifies the missing dependency and blocks execution for residue classes that would otherwise be unverifiable. Evidence: lineage ingestion health records, blocked execution records, and dependency gap reports.
Control RL 04 Scope and purpose binding. The system shall bind each withdrawal plan to declared purposes and obligations, and shall emit a Retention Justification Record for every remainder, including legal or contractual basis and time horizon. Test procedure: exercise requests under different purposes and verify that the plan differs predictably, that remainder claims are enumerated, and that time horizons are present. Evidence: withdrawal plans, retention justification records, and policy rules.
Control RL 05 Deletion semantics correctness. The system shall implement deletion semantics appropriate to each residue class, including hard deletion where feasible and key revocation or isolation where physical deletion is not feasible within the required time. Test procedure: for each residue class, execute withdrawal in a test environment with seeded artifacts, then validate removal using class specific checks. Evidence: storage confirmations, key revocation proofs, access control state, and verification logs.
Control RL 06 Propagation freeze. Upon validated withdrawal request, the system shall prevent further propagation of in scope data within a bounded time, including halting new downstream usage. Test procedure: simulate a streaming ingestion pipeline and confirm that downstream jobs fail closed or receive filtered inputs. Evidence: pipeline gate logs, enforcement policy state, and job failure artifacts.
Control RL 07 Model influence management. When training influence is in scope, the system shall execute one of three documented strategies: retraining, certified unlearning where feasible, or bounded isolation with explicit remainder disclosure. Test procedure: run a controlled dataset with canary points, apply each strategy, and measure influence reduction against the evaluation suite in Appendix C. Evidence: model version lineage, training run records, unlearning logs where used, and evaluation reports.
Control RL 08 Memorization prevention distinctness. The system shall not claim withdrawal completion based solely on output suppression controls. Test procedure: apply output suppression to a model with known memorized canaries and verify that the system reports suppression as a safety control rather than as evidence of influence removal. Evidence: policy classification of control type, canary test results, and withdrawal statement language.
Control RL 09 Evidence plane isolation. Evidence artifacts shall be segregated from production training and analytics pipelines and shall be protected by access controls, retention limits, and secondary use prohibitions. Test procedure: attempt to join evidence artifacts into training pipelines in a test environment and confirm that enforcement prevents access. Evidence: access control logs, denied access records, and system configuration proofs.
Control RL 10 Vendor withdrawal enforcement. The system shall require third party processors to provide machine verifiable evidence of deletion or isolation within defined service levels and shall record vendor evidence in the ledger. Test procedure: invoke a vendor deletion workflow and validate receipt, format, and auditability of evidence, including failure paths. Evidence: vendor attestations, evidence verification outputs, and escalation records.
Control RL 11 Transparency log integrity. The append only evidence log shall be tamper evident, and the system shall support independent verification of log consistency. Test procedure: attempt to modify past events, then verify detection through consistency checks. Evidence: log consistency proofs, audit outputs, and incident records.
Control RL 12 Withdrawal statement completeness. The system shall emit a human readable and auditor readable withdrawal statement that distinguishes deleted artifacts, isolated artifacts, and justified remainder, including purpose basis and time horizon where applicable. Test procedure: sample completed requests and assess statements against a completeness rubric. Evidence: withdrawal statements and rubric scoring artifacts aligned to policy.
Appendix C
Model withdrawal evaluation suite
This appendix defines a practical evaluation suite whose aim is not to win a research benchmark but to produce bounded, defensible evidence that model related residues have been reduced in ways consistent with the withdrawal plan. The suite separates three often conflated claims: influence removal, memorized disclosure prevention, and policy constrained behavior. That separation is required because each claim corresponds to a different technical mechanism and a different evidentiary standard. This framing is consistent with the NIST AI RMF emphasis on measurable governance and on evaluation across the lifecycle, and it is informed by the machine unlearning literature that formalizes deletion of points from trained models as a problem distinct from ordinary retraining.
The suite begins with canary design. Canary items are unique strings or structured tokens inserted into training data under controlled conditions, with provenance recorded so that their presence and removal obligations are known. Canary design must be robust against accidental collisions with natural text, and it must be instrumented so that canaries test both memorization and influence. This aligns with the documentation discipline recommended by datasheets and model cards, which treat dataset and model documentation as structured artifacts that support accountability.
The evaluation suite then uses three families of tests. Influence tests measure whether removing a datum changes model behavior in ways consistent with theoretical expectations. In practice, this can include targeted loss differentials, gradient based approximations where available, and controlled retraining baselines for comparison. Disclosure tests measure whether the model can still output memorized canaries or near neighbors under adversarial prompting. These tests use a prompt corpus that systematically varies instruction framing, indirect elicitation, translation, and formatting to reduce false reassurance. Policy behavior tests measure whether safety policies prevent prohibited output independent of influence removal, and they are included primarily to prevent teams from claiming withdrawal success by deploying policy wrappers that suppress outputs while leaving influence unchanged. This separation is demanded by the core unlearning problem statement articulated by Ginart and colleagues, where the objective is to delete specific points from trained models rather than merely to constrain outputs, and it is operationalized by frameworks such as SISA training that aim to make unlearning feasible under computational constraints.
Membership inference style methods can be used as an additional signal when appropriate, but they are not a universal requirement because their applicability depends on model class, access assumptions, and threat model. When used, they should be treated as evidence of risk reduction rather than as proof of erasure. The evaluation report must explicitly state which threat model is assumed, what access an attacker has, and what the test can and cannot conclude. This is consistent with the NIST AI RMF posture that risk is contextual and that measurement must be tied to stated assumptions.
The suite ends with a structured reporting format that is designed for auditors and engineers at the same time. Each report includes the withdrawal claim type, the model version lineage, the training data bill of materials identifier, the test corpus identifier, the results and thresholds, and a signed attestation of who ran the tests and where the artifacts are stored in the evidence plane. The report must also include a remainder disclosure section when influence removal cannot be proven, because this book’s position is that bounded honesty is preferable to theatrical certainty.
Appendix D
Procurement clauses and evidence schedules
Withdrawal infrastructure fails when suppliers and processors are treated as black boxes. This appendix provides clause families and an evidence schedule designed to make verifiable withdrawal enforceable across organizational boundaries. The clauses are framed to align with management system thinking in ISO standards, and with privacy management obligations that distinguish controllers and processors, while remaining implementable by engineering teams who must deliver evidence rather than narratives.
Clause family one is definitions and scope. The agreement should define withdrawal request, deletion, isolation, unlearning, model editing, evidence artifact, and justified remainder. Definitions are not legal ornamentation. They are the preconditions for testable interfaces. The agreement should also declare which systems are in scope, including sub processors, and should require a processor mapping that includes data categories, processing purposes, storage locations, retention horizons, and deletion hooks. This aligns with the processor responsibility emphasis in privacy management standards and with the purpose binding stance embedded in privacy risk frameworks.
Clause family two is service levels for withdrawal execution. The supplier should commit to time bounds for propagation freeze, deletion, and isolation actions, segmented by residue class. The contract should also define acceptable semantics in constrained environments, such as key revocation and access isolation where physical deletion is delayed, and it should require explicit remainder disclosure when semantic goals cannot be met. This is how procurement prevents the common failure mode in which deletion is promised as a single action without semantics.
Clause family three is evidence deliverables. The supplier must provide machine verifiable evidence artifacts, including signed attestations, deletion job identifiers, storage confirmations, and lineage pointers that connect the evidence to the requester scope. The evidence must be delivered in a structured format agreed at onboarding. The contract should treat evidence as a required deliverable, not as a best effort report, and it should specify that failure to deliver evidence is failure to perform. The reason for this posture can be understood through the transparency log analogy: the purpose of a log is to force observable behavior and to enable auditing, not to accept private assertions.
Clause family four is audit rights and verification interfaces. The agreement should provide audit rights that include the ability to validate evidence artifacts, to run agreed verification queries against a supplier provided interface, and to inspect the supplier’s own controls relevant to withdrawal. The agreement should also constrain secondary use of evidence artifacts and specify retention and access rules for audit logs, consistent with the principle that auditability must not become a shadow surveillance channel.
Clause family five is sub processor flowdown. The supplier must flow down equivalent withdrawal and evidence obligations to all sub processors, and must provide a current roster of sub processors and data flows. A withdrawal claim cannot be stronger than the weakest sub processor. This is the procurement translation of the trust boundary principle.
Clause family six is model and training restrictions. If the supplier trains models on customer data, the agreement must specify whether training occurs, under what consent states, how withdrawal requests are honored in training corpora, and what unlearning or retraining strategies are used. It should also require documentation artifacts aligned to datasheet and model card disciplines, because documentation is part of evidence readiness when the object is model influence rather than raw data retention.
The evidence schedule then operationalizes these clauses. At onboarding, the supplier provides processor mapping, data flow diagrams, retention policies, deletion hooks, evidence format specification, and sample evidence artifacts. Quarterly, the supplier provides updated processor mapping, lineage completeness metrics, withdrawal test results from a jointly agreed suite, and any changes to sub processors. Upon withdrawal request, the supplier provides the execution evidence artifacts and the remainder disclosure if applicable within the agreed service levels. Upon incident, the supplier provides a residue map, an impact analysis report, and a corrective action plan tied to evidence. Upon termination, the supplier provides final deletion or isolation evidence and a ledger closure record.
Appendix E
A glossary designed to stop meetings from dissolving into ambiguity
Residue. Any artifact that persists after a withdrawal request that could continue to represent, expose, or operationalize the subject’s data or its derivatives, including copies, transforms, aggregates, learned representations, logs, exports, and vendor shadow stores.
Propagation. The downstream movement of data, features, labels, or influence through pipelines, replication systems, caching layers, vendor transfers, and model training and deployment processes, such that obligations multiply with each new dependency edge.
Derived artifact. Any artifact that is not a raw copy of source data but is produced from it through transformation, aggregation, inference, embedding, feature engineering, or model training, and that may continue to encode information about the subject even when direct identifiers are removed.
Withdrawal request. A request by a subject or authorized representative to remove, isolate, or otherwise cease using certain data or derived influence under defined legal, contractual, or policy bases.
Deletion. A class of actions that remove content from storage or make content irrecoverable through secure erasure, deletion of keys, or destruction of references, subject to the constraints of the storage system and the defined semantics.
Isolation. A class of actions that prevents access or use of an artifact without necessarily removing it from storage immediately, including access revocation, purpose binding enforcement, encryption boundary changes, and pipeline gating.
Unlearning. A class of model level procedures intended to remove the influence of specific training points or subsets from a trained model without full retraining, under defined assumptions and with measurable but bounded guarantees.
Model editing. A class of targeted interventions that change model behavior or representations to remove specific associations or outputs, which may mitigate disclosure risk but is not equivalent to removing training influence unless proven by evaluation.
Attestation. A signed statement by a responsible party that specific actions occurred under specified conditions, accompanied by evidence artifacts sufficient for independent verification.
Audit evidence. Artifacts that enable an adversarial reviewer to validate that a control was performed and that its outcome matches the claim, including logs, cryptographic proofs, reproducible rebuilds, differential tests, and third party verification outputs.
Retention justification record. A structured artifact produced when a remainder cannot be deleted, specifying the basis for retention, the minimal necessary scope, the time horizon, the access boundary, and the prohibition of secondary use beyond the stated purpose.
Residue ledger. The append only evidence plane that records withdrawal requests, plans, execution actions, verification results, vendor evidence, and justified remainder records, designed so that claims can be audited rather than merely asserted.
Withdrawal statement. A human readable and auditor readable summary of what was deleted, what was isolated, what remains, why it remains, how it is governed, and what evidence artifacts substantiate the claim.
Works Cited
Abowd, John M., and Ian M. Schmutte. “An Economic Analysis of Privacy Protection and Statistical Accuracy as Social Choices.” American Economic Review, vol. 109, no. 1, 2019, pp. 171 to 202, doi:10.1257/aer.20170627.
Acquisti, Alessandro, Curtis Taylor, and Liad Wagman. “The Economics of Privacy.” Journal of Economic Literature, vol. 54, no. 2, 2016, pp. 442 to 492, doi:10.1257/jel.54.2.442.
Ajunwa, Ifeoma. The Quantified Worker: Law and Technology in the Modern Workplace. Cambridge University Press, 2023.
Ajunwa, Ifeoma, Kate Crawford, and Jason Schultz. “Limitless Worker Surveillance.” California Law Review, vol. 105, no. 3, 2017, pp. 735 to 760, doi:10.15779/Z38G44HM4Q.
Alston, Philip. Report of the Special Rapporteur on Extreme Poverty and Human Rights: Digital Welfare States and Human Rights. United Nations General Assembly, 11 Oct. 2019, document A/74/493.
Arendt, Hannah. The Human Condition. 2nd ed., University of Chicago Press, 1998.
Arendt, Hannah. “Truth and Politics.” Between Past and Future: Eight Exercises in Political Thought, Penguin Books, 2006, pp. 227 to 264.
Arrow, Kenneth J. “Uncertainty and the Welfare Economics of Medical Care.” The American Economic Review, vol. 53, no. 5, 1963, pp. 941 to 973.
Bai, Yuntao, et al. “Constitutional AI: Harmlessness from AI Feedback.” arXiv, 2022, arXiv:2212.08073.
Baylor, Denis, et al. “Continuous Training for Production ML in the TensorFlow Extended Platform.” USENIX Workshop on Operational Machine Learning, 2019.
Bender, Emily M., and Batya Friedman. “Data Statements for Natural Language Processing: Toward Mitigating System Bias and Enabling Better Science.” Transactions of the Association for Computational Linguistics, vol. 6, 2018, pp. 587 to 604, doi:10.1162/tacl_a_00041.
Benjamin, Ruha. Race After Technology: Abolitionist Tools for the New Jim Code. Polity Press, 2019.
Bhardwaj, Anant, et al. “DataHub: Collaborative Data Science and Dataset Version Management at Scale.” arXiv, 2014, arXiv:1409.0798.
Böhme, Rainer, and Galina Schwartz. “Modeling Cyber Insurance: Towards a Unifying Framework.” Workshop on the Economics of Information Security, 2010.
Bourtoule, Lucas, et al. “Machine Unlearning.” Proceedings of the 2021 IEEE Symposium on Security and Privacy, IEEE, 2021.
Bowker, Geoffrey C., and Susan Leigh Star. Sorting Things Out: Classification and Its Consequences. MIT Press, 1999.
Breck, Eric, et al. “Data Validation for Machine Learning.” Proceedings of Machine Learning and Systems, 2019.
Buneman, Peter, Sanjeev Khanna, and Wang Chiew Tan. “Why and Where: A Characterization of Data Provenance.” Database Theory: ICDT 2001, edited by Jan Van den Bussche and Victor Vianu, Springer, 2001, pp. 316 to 330, doi:10.1007/3-540-44503-X_20.
Cahoo v. SAS Institute Inc. No. 18-1296. United States Court of Appeals for the Sixth Circuit. 3 Jan. 2019.
Cao, Yinzhi, and Junfeng Yang. “Towards Making Systems Forget with Machine Unlearning.” Proceedings of the 2015 IEEE Symposium on Security and Privacy, IEEE, 2015, pp. 463 to 480.
Carlini, Nicholas, et al. “The Secret Sharer: Evaluating and Testing Unintended Memorization in Neural Networks.” Proceedings of the 28th USENIX Security Symposium, USENIX Association, 2019.
Carlini, Nicholas, et al. “Extracting Training Data from Large Language Models.” Proceedings of the 30th USENIX Security Symposium, USENIX Association, 2021, pp. 2633 to 2650.
Cheney, James, Laura Chiticariu, and Wang Chiew Tan. “Provenance in Databases: Why, How, and Where.” Foundations and Trends in Databases, vol. 1, no. 4, 2009, pp. 379 to 474, doi:10.1561/1900000006.
Committee of Sponsoring Organizations of the Treadway Commission. Internal Control: Integrated Framework: Executive Summary. 2013.
Coase, R. H. “The Problem of Social Cost.” Journal of Law and Economics, vol. 3, 1960, pp. 1 to 44.
Cui, Yingwei, and Jennifer Widom. “Lineage Tracing for General Data Warehouse Transformations.” Stanford University, 2001.
Dathathri, Sumanth, et al. “Plug and Play Language Models: A Simple Approach to Controlled Text Generation.” International Conference on Learning Representations, 2020.
de Brouwer, Sophie. “Privacy Self-Management and the Issue of Privacy Externalities: Thwarted Expectations and the Benefits of Going Beyond Consent.” Internet Policy Review, vol. 9, no. 4, 2020.
Dempsey, Kelley, et al. Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations. NIST Special Publication 800-137, National Institute of Standards and Technology, 2011.
European Commission. “AI Act.” Shaping Europe’s Digital Future, updated 5 Dec. 2025.
European Data Protection Board. Guidelines 05/2020 on Consent under Regulation 2016/679. Adopted 4 May 2020.
European Union. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data (General Data Protection Regulation). Official Journal of the European Union, L 119, 4 May 2016.
European Union. Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 Laying Down Harmonised Rules on Artificial Intelligence (Artificial Intelligence Act). Official Journal of the European Union, 12 July 2024.
European Union Agency for Cybersecurity. Cyber Insurance: Models and Methods and the Use of AI. ENISA, Feb. 2024, doi:10.2824/773850.
Federal Trade Commission. “FTC Staff Report Finds Large Social Media and Video Streaming Companies Have Engaged in Vast Surveillance of Users with Lax Privacy Controls and Inadequate Safeguards for Kids and Teens.” 19 Sept. 2024.
Federal Trade Commission. “FTC Takes Action Against Gravy Analytics, Venntel for Unlawfully Selling Location Data Tracking Consumers to Sensitive Sites.” 3 Dec. 2024.
Federal Trade Commission. “FTC Takes Action Against Mobilewalla for Collecting and Selling Sensitive Location Data.” 3 Dec. 2024.
Feast Contributors. “Introduction.” Feast Documentation, 27 Oct. 2025.
Gebru, Timnit, et al. “Datasheets for Datasets.” Proceedings of the Workshop on Fairness, Accountability, and Transparency in Machine Learning, 2018.
Ginart, Antonio, et al. “Making AI Forget You: Data Deletion in Machine Learning.” Advances in Neural Information Processing Systems, vol. 32, 2019.
Goldberg v. Kelly. 397 U.S. 254. Supreme Court of the United States. 23 Mar. 1970.
Google Cloud. “Integrate with OpenLineage.” Dataplex Universal Catalog Documentation, Google, 2025.
Gymrek, Melissa, et al. “Identifying Personal Genomes by Surname Inference.” Science, vol. 339, no. 6117, 2013, pp. 321 to 324, doi:10.1126/science.1229566.
Homer, Nils, et al. “Resolving Individuals Contributing Trace Amounts of DNA to Highly Complex Mixtures Using High-Density SNP Genotyping Microarrays.” PLOS Genetics, vol. 4, no. 8, 2008, e1000167.
Hu, Shengyuan, et al. “Jogging the Memory of Unlearned LLMs Through Targeted Relearning Attacks.” Advances in Neural Information Processing Systems, 2024.
Hu, Shengyuan, et al. “BLUR: A Benchmark for LLM Unlearning Robust to Forget-Retain Overlap.” arXiv, 28 May 2025, arXiv:2506.15699.
IBM Security and Ponemon Institute. Cost of a Data Breach Report 2024. IBM, 2024.
Information Commissioner’s Office. “How Should We Obtain, Record and Manage Consent.” ICO, 2025.
Information Commissioner’s Office. “What Needs to Be Included in the Contract.” ICO, 2025.
International Association of Privacy Professionals. “ISO Updates Standard on Managing Privacy Compliance Programs.” IAPP, 14 Oct. 2025.
International Organization for Standardization. ISO/IEC 19011:2018: Guidelines for Auditing Management Systems. ISO, 2018.
International Organization for Standardization. ISO/IEC 27001:2022: Information Security Management Systems: Requirements. ISO, 2022.
International Organization for Standardization. ISO/IEC 27701:2025: Information Security, Cybersecurity and Privacy Protection: Privacy Information Management Systems: Requirements and Guidance. ISO, 2025.
International Organization for Standardization. ISO/IEC 42001:2023: Artificial Intelligence: Management System. ISO, 2023.
Jasanoff, Sheila. The Ethics of Invention: Technology and the Human Future. W. W. Norton, 2016.
Kent, Karen, and Murugiah Souppaya. Guide to Computer Security Log Management. NIST Special Publication 800-92, National Institute of Standards and Technology, 2006.
Knuth, Donald E. Literate Programming. Center for the Study of Language and Information, 1992.
Koren, Yehuda, Robert Bell, and Chris Volinsky. “Matrix Factorization Techniques for Recommender Systems.” Computer, vol. 42, no. 8, 2009, pp. 30 to 37.
Kosinski, Michal, David Stillwell, and Thore Graepel. “Private Traits and Attributes Are Predictable from Digital Records of Human Behavior.” Proceedings of the National Academy of Sciences, vol. 110, no. 15, 2013, pp. 5802 to 5805, doi:10.1073/pnas.1218772110.
Krause, Ben, et al. “GeDi: Generative Discriminator Guided Sequence Generation.” Findings of the Association for Computational Linguistics: EMNLP 2021, 2021, pp. 4929 to 4952.
Lamport, Leslie. “Time, Clocks, and the Ordering of Events in a Distributed System.” Communications of the ACM, vol. 21, no. 7, 1978, pp. 558 to 565, doi:10.1145/359545.359563.
Laurie, Ben, et al. Certificate Transparency. RFC 6962, RFC Editor, June 2013.
Laurie, Ben, et al. Certificate Transparency Version 2.0. RFC 9162, RFC Editor, Dec. 2021.
Liu, Chengyue, et al. “Large Language Model Unlearning via Embedding Corrupted Prompts.” arXiv, 2023, arXiv:2310.10683.
Liu, Shuang, et al. “Rethinking Machine Unlearning for Large Language Models.” arXiv, 2024, arXiv:2402.08787.
Lloyd’s and the Association of British Insurers. Components of a Major Cyber Event: A Reinsurance Approach. ABI and Lloyd’s Cyber Working Group, 2024.
Lloyd’s Market Association. “Cyber War Clauses.” Lloyd’s Market Association, n.d.
Mathews v. Eldridge. 424 U.S. 319. Supreme Court of the United States. 24 Mar. 1976.
Meng, Kevin, et al. “Locating and Editing Factual Associations in GPT.” Advances in Neural Information Processing Systems, 2022.
Meng, Kevin, et al. “Mass Editing Memory in a Transformer.” International Conference on Learning Representations, 2023.
Mikolov, Tomas, et al. “Efficient Estimation of Word Representations in Vector Space.” arXiv, 2013, arXiv:1301.3781.
Moreau, Luc, and Paolo Missier, editors. PROV-DM: The PROV Data Model. W3C Recommendation, 30 Apr. 2013.
Narayanan, Arvind, and Vitaly Shmatikov. “Robust De-anonymization of Large Sparse Datasets.” Proceedings of the 2008 IEEE Symposium on Security and Privacy, IEEE, 2008.
National Institutes of Health. “NIH Genomic Data Sharing Policy.” NIH Guide for Grants and Contracts, 27 Aug. 2014.
National Institutes of Health. “Final NIH Policy for Data Management and Sharing and Supplemental Information.” Federal Register, 30 Oct. 2020.
National Labor Relations Board. “NLRB General Counsel Issues Memo on Unlawful Electronic Surveillance and Automated Management Practices.” 31 Oct. 2022.
National Institute of Standards and Technology. Guidelines for Media Sanitization. NIST Special Publication 800-88 Revision 1, Dec. 2014.
National Institute of Standards and Technology. Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy. NIST Special Publication 800-37 Revision 2, 2018, doi:10.6028/NIST.SP.800-37r2.
National Institute of Standards and Technology. NIST Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management. Version 1.0, 2020.
National Institute of Standards and Technology. Security and Privacy Controls for Information Systems and Organizations. NIST Special Publication 800-53 Revision 5, 2020, doi:10.6028/NIST.SP.800-53r5.
National Institute of Standards and Technology. Assessing Security and Privacy Controls in Information Systems and Organizations. NIST Special Publication 800-53A Revision 5, 2022.
National Institute of Standards and Technology. Artificial Intelligence Risk Management Framework (AI RMF 1.0). NIST AI 100-1, 2023, doi:10.6028/NIST.AI.100-1.
National Institute of Standards and Technology. Artificial Intelligence Risk Management Framework: Generative Artificial Intelligence Profile. NIST AI 600-1, 2024.
National Institute of Standards and Technology. Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations. NIST Special Publication 800-161 Revision 1 Update 1, Nov. 2024.
Nguyen, Aiha. The Constant Boss: Work Under Digital Surveillance. Data and Society Research Institute, May 2021.
Nissenbaum, Helen. “Privacy as Contextual Integrity.” Washington Law Review, vol. 79, no. 1, 2004, pp. 119 to 158.
Nissenbaum, Helen. Privacy in Context: Technology, Policy, and the Integrity of Social Life. Stanford University Press, 2010.
Nederlands Juristen Comité voor de Mensenrechten et al. v. The State of the Netherlands (SyRI). District Court of The Hague. 5 Feb. 2020.
Office for Human Research Protections. “45 CFR 46: Protection of Human Subjects.” U.S. Department of Health and Human Services, 2025.
Office for Human Research Protections. “Certificates of Confidentiality.” U.S. Department of Health and Human Services, 18 Mar. 2016.
Ontario v. Quon. 560 U.S. 746. Supreme Court of the United States. 17 June 2010.
OpenLineage. “Object Model.” OpenLineage Documentation, Linux Foundation AI and Data Foundation, 2025.
OpenLineage. “The Run Cycle.” OpenLineage Documentation, Linux Foundation AI and Data Foundation, 2025.
Orr, Laurel, et al. “Managing ML Pipelines: Feature Stores and the Coming Wave of Embedding Ecosystems.” Proceedings of the VLDB Endowment, vol. 14, no. 12, 2021, pp. 3178 to 3181, doi:10.14778/3476311.3476402.
Ostrom, Elinor. Governing the Commons: The Evolution of Institutions for Collective Action. Cambridge University Press, 1990.
Ouyang, Long, et al. “Training Language Models to Follow Instructions with Human Feedback.” Advances in Neural Information Processing Systems, 2022.
Pigou, Arthur Cecil. The Economics of Welfare. 4th ed., Macmillan, 1932.
Porter, Theodore M. Trust in Numbers: The Pursuit of Objectivity in Science and Public Life. Princeton University Press, 1995.
Pushkarna, Mahima, Andrew Zaldivar, and Oddur Kjartansson. “Data Cards: Purposeful and Transparent Dataset Documentation for Responsible AI.” Proceedings of the ACM Conference on Fairness, Accountability, and Transparency, 2022, doi:10.1145/3531146.3533231.
Rendle, Steffen, et al. “BPR: Bayesian Personalized Ranking from Implicit Feedback.” Proceedings of the Twenty-Fifth Conference on Uncertainty in Artificial Intelligence, 2009.
Reuters. “EU Lays Out Guidelines on Misuse of AI by Employers, Websites and Police.” 4 Feb. 2025.
Reuters. “EU Sticks with Timeline for AI Rules.” 4 July 2025.
Rothschild, Michael, and Joseph E. Stiglitz. “Equilibrium in Competitive Insurance Markets: An Essay on the Economics of Imperfect Information.” The Quarterly Journal of Economics, vol. 90, no. 4, 1976, pp. 629 to 649.
Scott, James C. Seeing Like a State: How Certain Schemes to Improve the Human Condition Have Failed. Yale University Press, 1998.
Shokri, Reza, et al. “Membership Inference Attacks against Machine Learning Models.” Proceedings of the 2017 IEEE Symposium on Security and Privacy, IEEE, 2017.
Tang, Yang, Patrick P. C. Lee, John C. S. Lui, and Radia Perlman. “FADE: Secure Overlay Cloud Storage with File Assured Deletion.” SecureComm, 2010.
TensorFlow. “Better ML Engineering with ML Metadata.” TensorFlow Extended Tutorials, 30 Apr. 2024.
TensorFlow. “ML Metadata: Version Control for ML.” TensorFlow Blog, 8 Jan. 2021.
Uber. “Palette Meta Store Journey.” Uber Engineering Blog, 18 Jan. 2024.
United States Code of Federal Regulations. “45 CFR 46.116: General Requirements for Informed Consent.” eCFR, Office of the Federal Register, 2025.
United States Code of Federal Regulations. “45 CFR 164.514: Other Requirements Relating to Uses and Disclosures of Protected Health Information.” eCFR, Office of the Federal Register, 2025.
United States Code of Federal Regulations. “45 CFR 164.524: Access of Individuals to Protected Health Information.” eCFR, Office of the Federal Register, 2025.
United States Code of Federal Regulations. “45 CFR 164.528: Accounting of Disclosures of Protected Health Information.” eCFR, Office of the Federal Register, 2025.
United States Government Accountability Office. Federal Low-Income Programs: Use of Data to Verify Eligibility Varies Among Selected Programs and Opportunities Exist to Promote Additional Use. GAO-21-183, Apr. 2021.
United States Government Accountability Office. Digital Surveillance: Potential Effects on Workers and Efforts to Protect Privacy. GAO, 2025.
U.S. General Services Administration. Cybersecurity Supply Chain Risk Management Acquisition Guide. Apr. 2025.
Viotti, Paolo. Consistency in Distributed Storage Systems: Theoretical Foundations with Applications to Cloud Storage. Télécom ParisTech dissertation, 2017.
von Thenen, Nora, et al. “Re-identification of Individuals in Genomic Data Sharing Beacons via Allele Inference.” Bioinformatics, vol. 35, no. 3, 2019, pp. 365 to 371, doi:10.1093/bioinformatics/bty643.
Warnecke, Alexander, et al. “Machine Unlearning of Features and Labels.” Network and Distributed System Security Symposium, Internet Society, 2023.
Weil, Simone. “Reflections on the Right Use of School Studies with a View to the Love of God.” Waiting for God, translated by Emma Craufurd, G. P. Putnam’s Sons, 1951, pp. 57 to 78.
World Wide Web Consortium. “PROV Overview.” W3C, 30 Apr. 2013.
World Wide Web Consortium. “PROV-DM: The PROV Data Model.” W3C Recommendation, 30 Apr. 2013.
Zuboff, Shoshana. “Big Other: Surveillance Capitalism and the Prospects of an Information Civilization.” Journal of Information Technology, vol. 30, no. 1, 2015, pp. 75 to 89.
Zuboff, Shoshana. The Age of Surveillance Capitalism: The Fight for a Human Future at the New Frontier of Power. PublicAffairs, 2019.
Leave a comment