Constitutional Proposal

The Constitutional Machine: Design Brief

26 min read

This abridged brief condenses the canonical design brief and constitutional orientation as of the edition's frozen source revision. It states the floor, institutions, implementation path, amendment rule, and unresolved calibrations needed to criticize or implement the proposal. The canonical essays govern if an accidental conflict remains; the concordance gate prevents such a conflict from shipping silently.


I. Definitions

The following terms carry specific constitutional meaning throughout. Each names a structural feature, not a contingent technology.

Coercive Computational Authority (CCA). Any entity (state agency, platform, protocol, or autonomous agent system) that exercises power over persons through computational processes at or above a threshold of systemic significance. Two gating tests determine inclusion:

  1. Unavoidable-passage or dependency threshold. Coverage turns on practical power, not size alone. Relevant evidence includes user count, transaction volume, market share, switching cost, interoperability, and the share of affected people for whom the service has no reasonably available substitute. A small forum normally falls outside. A payment rail on which a merchant's livelihood depends may qualify even without national scale.

  2. Procedural automation threshold. The adverse act must be materially mediated by an automated or model-driven process without contemporaneous individualized deliberation by an answerable office. A manager who personally reviews and owns a decision is exercising authority, but not this specific form of authority. A platform that deactivates a driver at an algorithmic threshold without such review qualifies.

An entity that satisfies both tests is a CCA regardless of its self-description, legal form, or stated intent.

Coercive Computational Act. Any act by a CCA that restricts, denies, degrades, suspends, or eliminates a person's access to services, funds, credentials, reputation, communication, or economic participation. The act need not be intentional. Emergent effects of algorithmic classification, model retraining, and automated policy application qualify if they produce material adverse consequences for identifiable persons. An act is "material" when it plausibly changes a person's access to livelihood, housing, banking, insurance, employment, legal standing, or essential communication. A change in visibility within a discretionary feed does not qualify unless that feed is livelihood-critical for the affected person. The definition covers: account freezes and holds; deplatforming and service denial; content removal or distribution throttling where the creator's livelihood depends on the platform; credential invalidation or reputation suppression; algorithmic scoring changes that alter access to services; payment-rail severance; and automated denial of employment, housing, insurance, or credit.

Receipt. A structured, machine-readable, human-evaluable record of a coercive computational act, containing five mandatory fields:

FieldContentConstitutional Function
ActThe specific predicate that fired, the specific state transition imposedNames the harm so it can be evaluated
AuthorityThe specific rule, clause, or algorithmic threshold that triggered the actConverts discretion into articulable authority
BoundsScope (which services affected), duration (how long), reach (associated accounts, family)Enables proportionality review
JustificationEvidence or reasoning that triggered the actionConverts assertion into argument
Appeal PathThe mechanism for contestation, the timeline, the reviewing bodyConverts doom into process

A receipt is issued at the time of the act. A provisional receipt (Act and Bounds filled immediately, Justification completed within forty-eight hours) is permitted for emergency actions. A receipt whose fields contain only template language satisfies the form but not the substance and is subject to challenge. Receipt schema is defined by the Standard-Setting Body and versioned for backward compatibility.

Appeal. A process for contesting a coercive computational act, reviewed by a party independent of the entity that took the action, operating on defined timelines, with the power to reverse or modify the action. Independence means: no contractual, commercial, or employment relationship between the reviewing body and the operator. An appeal reviewed by the entity that took the original action is reconsideration, not appeal. An appeal whose timeline exceeds the duration of the harm is autopsy, not contestation.

Proportionality tiers for review (illustrative calibration points; thresholds set by the Standard-Setting Body):

SeverityExamplesReview RequirementTimeline
CriticalPayment freeze above $5K; account or credential termination; adverse employment actionIndependent human reviewWithin 3–5 business days
SignificantContent removal, temporary restriction, rating adjustment affecting livelihoodExpedited algorithmic reconsideration + right to escalate to human review5–10 business days
RoutineTemporary visibility reduction, minor threshold adjustment, informational flagAlgorithmic reconsideration + sampled audit by independent body15 business days

Exit. The right to leave a coordination substrate without forfeiting the value accumulated within it. Exit is credible only when it preserves four layers:

  • Data, including relational context: network position, connection patterns, community memberships. Export formats defined by interoperability standards.
  • Identity: portable credentials attesting to performance. The credential travels with the person, not the platform.
  • Rules: governance formula, modifiable above the constitutional floor.
  • Protocol connections: interoperability preventing exit from becoming exile.

Portable Credential. A verifiable attestation of a person's performance, history, or standing that can be presented to any compatible system without requiring the issuing platform's permission or cooperation. Privacy-preserving mechanisms (zero-knowledge proofs, differential privacy, k-anonymity) protect counterparty data. The credential attests to what the person did, not to membership.

Settlement Layer. The substrate of record on which receipts, credentials, and constitutional commitments are registered. The editability constraint governs: no single actor, or plausibly coordinating bloc, can rewrite the record without publicly detectable cost.

Audit. Systematic inspection of a CCA's receipt stream by a body with the technical capacity and legal authority to identify patterns of abuse, deficient receipts, proportionality violations, and demographic disparities. Audit addresses systemic practice. Appeal addresses individual acts.

Delegating Principal. The persistent party at the end of every delegation chain: the entity that set the objective the computational process pursued, bears liability for its effects, and answers when the process has terminated. Infrastructure providers that did not set the objective are not the principal.

Designed Forgetting. The structured constraint on a system's memory through five operations (periods and thresholds below are illustrative defaults; calibration is a political determination made by the administering jurisdiction through democratic deliberation):

OperationFunctionExample
ExpirationRecords leave the composition space after defined periodsHealth records unrelated to ongoing treatment expire from commercial queries after seven years
SealingRecords visible only to defined parties via due processCompleted misdemeanor convictions sealed from commercial background checks
Aggregation limitsNo single system composes records across more than a defined number of domains without consentBackground-check companies cannot join health, criminal, and financial records into a single cross-domain portrait
SeparationProtocol-level barriers between domain databasesSocial-media archive cannot communicate with professional-credential database without authorization
AmnestyJurisdictional determination that dismissed or resolved cases do not burden future prospectsDismissed eviction proceedings expunged from housing databases after five years

Designed forgetting applies to records of persons. It does not apply to records of coercive authority.

Four questions remain distinct: whether an event occurred, whether its record may be retained, who may access it and for what purpose, and whether it may contribute materially to a present adverse act. The last concerns the record's coercive jurisdiction. A record may remain true, retained, and accessible for a defined purpose while losing authority in an unrelated decision.

Thresholds are calibrated by record type, severity, present purpose, current evidence, affected-party interests, and narrowly specified safety, archival, investigatory, or adjudicative needs. Once the applicable threshold passes, non-use is the default. An authority seeking renewed adverse use must show a present, domain-specific nexus and explain why current evidence or a less restrictive means is inadequate. It must give notice before the act where practicable and state the authorization's duration. Emergency or protected investigative use receives prompt later notice unless an independent, time-limited order provides otherwise. An independent body reviews the decision, which is receipted and appealable. Authorization permits the stated use only. It neither restarts the threshold nor restores general authority for adverse use, and the record holder may not extend or suspend the threshold unilaterally.

An operator may not evade the threshold by transforming the record or routing it through an affiliate, data broker, proxy, derived score, cached classification, embedding, or model output that contributes materially to the adverse act. The FTC's final Everalbum order required deletion of specified face embeddings and models or algorithms developed using covered biometric information, a case-specific remedy rather than a general rule.1 Trained systems make individual influence difficult to trace, and verification strategies for machine unlearning remain vulnerable to evasion.2 Operators must preserve enough lineage for independent testing and disclose uncertainty in the justification and audit record. No particular unlearning method is constitutionally prescribed.


II. The Constitutional Floor

These twelve articles are guarded text. They attach to any person subject to a coercive computational authority.

Article 1. Every person subject to a coercive computational act shall receive a receipt at the time of the act, specifying Act, Authority, Bounds, Justification, and Appeal Path in terms evaluable by a literate person or by standardized verification software.

Article 2. Every person who receives a receipt shall have the right to contest the act through a process reviewed by a party independent of the entity that took the action, on a timeline proportionate to the severity of the harm.

Article 3. Where an act restricts funds, employment, housing, medical care, communication, or legal standing, the affected person shall have the right to review by a qualified, independent human arbiter within a defined period. Lower-severity acts require prompt reconsideration and sampled audit.

Article 4. Every person shall have the right to export data, identity credentials, reputation attestations, and relational context in interoperable, machine-readable formats without requiring the platform's continuing cooperation.

Article 5. Every person shall have the right to present portable credentials attesting to performance, history, and standing to any compatible system without the issuing platform's permission.

Article 6. No coercive computational authority shall compose personal records across domains, directly or through inferred joins, without explicit, informed, revocable consent.

Article 7. Personal records of conduct shall be subject to expiration, sealing, and separation under schedules defined by the administering jurisdiction. Records of coercive authority are not entitled to the same decay.

Article 8. An affected person may obtain the specific rule and threshold invoked in an adverse act in terms that person or an advocate can evaluate. Narrow security redactions must be time-bounded and independently audited.

Article 9. Coercive computational authorities shall collect only the data necessary for the contracted service. Collection beyond that purpose requires explicit, informed, revocable consent and is subject to audit.

Article 10. No contract or platform policy may waive the rights enumerated in Articles 1 through 9.

11. Right to an independent record. No coercive computational authority may control the sole authoritative record of its own acts. The record must be independently verifiable and resistant to unilateral revision, suppression, or censorship. Its integrity must rest on a constraint external to the authority's control, whose defeat is publicly detectable and costly in proportion to the power the record constrains.

Article 12. Every coercive computational authority above the coverage threshold shall submit to periodic independent audit of receipts, portability, and proportionality.

Canonical construction of Article 7. After the applicable threshold, renewed adverse use requires fresh, purpose-specific justification and independent review.


III. The Separation of Powers

Four Institutional Separations

Issuers vs. Verifiers. The entity that issues a credential may not be the sole entity that can verify it. An employment credential issued by Platform A must be verifiable by Platform B, Auditor C, and Court D without requiring Platform A's cooperation. Monopoly over verification is monopoly over identity. Implementation: credential standards based on W3C Verifiable Credentials or equivalent, with resolution independent of the issuing platform.

Operators vs. Auditors. The entity that exercises coercive computational authority may not audit its own compliance. Independent auditors (publicly chartered or privately bonded, with access to receipt streams and the technical capacity to evaluate them) inspect operators the way financial auditors inspect banks: systematically, adversarially, with the power to compel disclosure. Auditor independence requirements mirror those of financial auditing: no commercial relationship with the audited entity, mandatory rotation, liability for negligent audit.

Rule-Makers vs. Adjudicators. The entity that sets the rules governing a coordination substrate may not adjudicate disputes arising under those rules. Standard-setting bodies draft the receipt format, portability requirements, and audit criteria. Arbitration bodies (independent, bonded, accountable to judicial review) adjudicate disputes. The separation prevents the rule-maker from interpreting its own rules in its own favor.

Credentialers vs. Identity Providers. The entity that attests to a person's performance is distinct from the entity that attests to a person's identity. A seller's reputation is credentialed by the transaction record. Her identity is attested by an identity provider. The two functions are separated at the protocol level to prevent any single entity from controlling both what a person can prove she did and who she can prove she is.

Institutional Blueprint: Payment Platform

How the separations work for a payment platform operating above the systemic-significance threshold:

The arrows mark duties and routes of challenge, not command over every institution. The Operator owes receipts to the affected person and Auditor. The affected person may appeal to the Adjudicator or seek an audit referral. The Auditor can compel records and refer patterns or cases. The Standard-Setting Body defines the public schema and thresholds but cannot decide an individual appeal. Courts review adjudication and the legal authority of the other bodies.

Institutional blueprint for a payment platform: the operator issues receipts to affected people and the independent auditor; affected people appeal to an adjudicator; the auditor can refer cases; a separate standards body defines the rules; courts review adjudication and the public law governing the other bodies.

The Operator processes transactions, applies fraud-detection models, and exercises coercive acts (freezes, holds, restrictions). For every coercive act, it issues a receipt to the affected person and files a copy with the Auditor.

The Auditor receives receipt streams, inspects them for patterns of abuse, template justifications, proportionality violations, and demographic disparities. It publishes periodic reports. It compels disclosure of receipt metadata. It refers cases to the Adjudicator. It does not reverse individual decisions.

The Adjudicator reviews individual appeals. The affected person files a contestation. The Adjudicator evaluates the receipt against the rule invoked, the evidence cited, and the proportionality of the bounds. It has the power to reverse, modify, or uphold the action, and to award remedy including expedited release, compensation, and structural injunctions.

The Standard-Setting Body (a multi-stakeholder organization including platform representatives, civil-society organizations, technical experts, and affected-party advocates) defines the receipt schema, portability standards, audit criteria, and proportionality guidelines. It does not adjudicate. It publishes, reviews, and revises.

The Affected-Person Representative Body gives governed populations an institutional voice distinct from the Operator. It may bring class claims, trigger audits, require a deliberation interval before material rule changes, refer floor-weakening changes for adjudication, and participate in extensions of record-retention periods. Members are selected through a mixture of affected-constituency election, sortition from qualified pools, and reserved independent civil-society seats. Conflicts and recent financial ties to covered operators disqualify service. The body does not manage platforms or decide individual cases; it creates standing and friction where atomized users otherwise have neither.

The Court System provides the backstop. Adjudicator decisions are subject to judicial review. Standard-Setting Body rules are subject to legislative override. Auditor charters are subject to public accountability. No element of the Constitutional Machine is beyond democratic contestation.

Receipts at the Seam

Where several systems compose an act, the final receipt must name the rules that governed the handoff, the evidence transferred, and any convention used to translate one system's claim into another's. A declared convention must be disclosed and recomputable. If a secret rule is necessary to exercise coercion, secrecy cannot erase the duty to provide a contestable public basis; an independent arbiter may inspect protected material while the affected person receives the fullest account compatible with a specific, reviewable security need.

Competence Attestations

A human signature is not enough when human review is what licenses an act. The reviewer records the scope examined, the evidence used, the means by which disagreement with the automated recommendation could have been detected, and the avenue for reopening the review. Auditors test for signs of ceremony: uniform approval, review times inconsistent with the claimed scope, and error patterns that merely duplicate the system's. Reviewers are requalified through independent sampling and blinded tests. If competence attestations cannot distinguish review from ritual, the permitted scope of delegation must narrow.

The Surviving Principal

Every delegation chain must register a persistent party before it can exercise covered authority. The registration supplies six mechanisms:

  1. a named legal principal and responsible officer.
  2. a bond or insurance policy sized to the class of harm.
  3. strict liability for the deployer where delegation obscures the actor.
  4. an experience-rated industry pool for losses that exceed or outlive one principal.
  5. declared jurisdiction, forum, and service-of-process rules.
  6. an orphan-commitment payer of last resort with subrogation rights against later-identified responsible parties.

These mechanisms answer who can be found and who can pay. They do not settle every allocation among model developer, integrator, deployer, and operator. That calibration remains political and sector-specific; delegation may not be used to leave the affected person without a defendant.


IV. Implementation Pathway

Phase 1: Receipts and Appeal (Years 1–3)

Scope. Payment platforms, employment platforms, housing-eligibility systems, and critical-communications platforms above the systemic-significance threshold.

Requirements. Every coercive computational act produces a receipt with five fields. Every affected person has access to appeal with defined timelines and independent review. Provisional receipts permitted for emergency actions, with justification required within forty-eight hours.

Legislative mechanism. Modeled on existing consumer-protection frameworks:

  • TILA (Truth in Lending Act) model for financial disclosure requirements
  • FCRA (Fair Credit Reporting Act) model for adverse-action notice requirements
  • GDPR model for data-subject rights and penalty structures

Alternatively, regulatory mandate through existing agencies: CFPB for payments, FTC for platform practices, sectoral regulators for domain-specific applications. Early voluntary adoption creates compliance infrastructure and competitive pressure.

Institutional build.

  • Training and certification pipeline for independent arbiters
  • Receipt-schema standards through multi-stakeholder standard-setting process
  • Standardized verification software for receipt-adequacy evaluation
  • Verification-advocate roles analogous to public defenders: professionals who inspect receipts on behalf of affected parties lacking technical capacity

Phase 2: Portability and Fork Rights (Years 2–5)

Scope. All Phase 1 entities, plus social platforms, credential-issuing systems, and marketplace platforms above the threshold.

Requirements. Data portability in interoperable formats, including relational context. Portable credential standards. Protocol interoperability. Privacy-preserving mechanisms protecting counterparty data during export.

Legislative mechanism. Modeled on telecommunications portability:

  • Number portability → credential portability
  • Interconnection requirements → protocol interoperability mandates
  • Account-switching services → data-export standards with defined timelines

Credential-portability standards developed through industry consortia with regulatory backstop. Overlap with existing legislative proposals (ACCESS Act, Digital Markets Act) provides coalition surface.

Institutional build.

  • Independent audit bodies with technical capacity and legal authority
  • Portability standards through standard-setting organizations
  • Privacy-preserving export protocols (zero-knowledge proofs, differential privacy, secure multi-party computation)

Phase 3: Settlement and Audit Infrastructure (Years 3–10)

Scope. The settlement layer on which Phase 1 and Phase 2 commitments are registered.

Requirements. Receipt registries satisfying the editability constraint. Periodic independent audits with published reports and enforcement consequences.

Settlement-layer requirements calibrated by assurance level:

Assurance LevelApplicationsEditability Requirement
HighCriminal-justice records, financial regulatory receipts, identity credentialsThermodynamic grounding or equivalent: rewriting requires physical expenditure detectable by any participant
MediumPayment-dispute receipts, employment-action receipts, housing-eligibility recordsMulti-institutional architecture where no single actor, or plausibly coordinating bloc, can rewrite records without publicly detectable cost
StandardContent-moderation receipts, marketplace dispute records, service-level recordsAppend-only logs with multi-party attestation and periodic anchor to higher-assurance layer

The constitutional question at each level: what would it cost to rewrite this record, and who would have to cooperate?

Institutional build.

  • Professional culture of computational auditing: standards, certification, liability for negligent audit, independence requirements
  • Cross-jurisdictional mutual recognition of audit findings
  • Settlement-layer interoperability standards allowing credentials and receipts to move between assurance tiers

V. Coalition Map

Who Benefits Immediately

Small and medium business. Merchants whose livelihoods depend on platforms they do not control. The receipt regime makes the payment hold contestable. Fork rights make the platform replaceable. The potter whose ninety-day hold was disproportionate can fight it, and if the platform will not reform, she can leave without forfeiting her eight hundred reviews.

Gig workers and algorithmic labor. Drivers, delivery workers, freelancers subject to opaque ratings, undisclosed thresholds, uncontestable deactivation. The receipt converts algorithmic management from a black box into a contestable system. Coalition overlap with labor organizations is direct and immediate.

Civil liberties and privacy organizations. Civic asymmetry is their core commitment stated as constitutional architecture. The transparency direction aligns with existing advocacy for surveillance reform, data minimization, and algorithmic accountability.

Consumer finance reform. The receipt regime extends FCRA/TILA/ECOA to computational governance. Natural coalition with existing consumer-finance advocacy infrastructure.

Dissidents, journalists, and at-risk populations. Fork rights and independent-record protection are existential for populations whose access to communication, payment, and identity can be severed by a state or platform.

Antitrust and interoperability advocates. Fork rights and portability standards directly advance interoperability-focused antitrust policy. Overlap with ACCESS Act and Digital Markets Act provisions.

Open-source and protocol-development communities. Open standards, interoperable implementations, and public standard-setting processes align with existing commitments.

National-security institutionalists. Auditability and receipt integrity serve institutional accountability interests. A receipt regime makes it harder for foreign platforms to operate opaquely within domestic markets. Independent-record protection prevents adversaries from editing records undetectably.

Who Pays

Platforms above the significance threshold. Receipt requirements impose compliance costs. Portability reduces lock-in. Fork rights reduce switching costs. The cost is real. It is the cost of legitimacy.

Institutional build. Training arbiters, chartering auditors, developing standards requires investment. Funding: regulatory fees on operators, fines from deficient-receipt issuers, public investment in digital-governance infrastructure.

Who Fights

Lock-in-dependent platforms. Will argue portability compromises security, interoperability degrades quality, fork rights endanger privacy. Each contains a genuine concern wrapped in a structural defense of market position. Genuine concerns addressed in Phase 2 design. Structural defense overcome through legislative mandate.

Surveillance-advertising interests. Will argue targeted advertising funds the free internet. Response: the free internet is not free; its price is domination, invisible because the advertising model requires it to be.

State surveillance interests. Will argue national security. Response: civic asymmetry does not prohibit lawful surveillance under judicial oversight. It prohibits the inversion that makes every citizen visible to the state while the state's criteria remain invisible to the citizen.

The Three Wedge Lines

Three sentences that translate constitutional architecture into political grammar:

  • Receipts are consumer protection for the agent economy.
  • Portability is antitrust for the agent economy.
  • Designed forgetting is the civil rights act for the agent economy.

VI. The Opponent Model

The Quiet Foreclosure is not an accident. It is a stable equilibrium maintained by four structural interests, each of which resists a corresponding constitutional commitment.

InterestHow It ProfitsWhat Threatens It
OpacityDecision criteria invisible to users → extraction without political response. The trust tax is invisible because visibility would invite competition.Civic asymmetry — transparency obligations on authority
Lock-inNon-portable data, credentials, reputation → retention through switching cost, not quality. Proprietary formats are not product features; they are structural barriers.Fork rights — credible exit across four layers
Permanent memoryComprehensive documented past used to control an institutional future → risk pricing from decades-old data, employment screening from archived social media. The permanence is an asset.Designed forgetting — temporal limits on personal records
Editable ledgersThe entity that controls the audit log can edit the audit log. Accountability is voluntary when the record-keeper can revise the record.Independent-record right — the authority may not control the sole authoritative evidence of its own acts

These four interests (opacity, lock-in, permanent memory, editable ledgers) constitute the structural architecture of the Quiet Foreclosure. Each serves a constituency. Each generates revenue. Each is rationally defended by well-funded, politically organized entities. A constitutional orientation that does not name its opponents cannot defeat them.


VII. What This Is Not

Not crypto-libertarianism. The crypto-libertarian position holds that code is the only legitimate law and exit is the only legitimate remedy: that governance itself is the problem and sovereign individuals can coordinate without constitutional constraints. Computational republicanism argues the opposite: ungoverned coordination at machine speed is domination automated, because the party with the most compute, the most capital, and the most network effects will set the terms for everyone else, and "just fork" is not a constitutional guarantee when the fork costs more than the submission. The Protocol Republic requires institutions (auditors, arbiters, standard-setting bodies, appeal processes, verification advocates, professional cultures of impartiality) because constitutionalism is the technology for constraining power, and power does not constrain itself. Exit without voice is exile. Voice without exit is petition. The framework requires both, institutionally guaranteed.

Not techno-utopianism. A floor, not a ceiling. Magna Carta did not end tyranny. It specified what the governed could demand, in terms precise enough to argue over and durable enough to survive the arguing.

Not a party platform. Prior to any specific policy agenda. A social democrat and a market liberal can both operate within the constitutional floor, disagreeing about tax rates while agreeing that no computational authority exercises coercive power without a receipt.


Articles 1, 2, 3, and 10 are non-derogable minima: receipt, contest, qualified human review for material adverse acts, and anti-waiver. Implementation parameters such as review deadlines, audit frequencies, severity thresholds, and retention periods are revisable if the change preserves meaningful contestability.

Any three institutional roles may propose an amendment. Adoption follows public notice, a reasoned response to substantive objections, a two-thirds vote of the Standard-Setting Body, and a majority vote of the Affected-Person Representative Body. The Adjudicator reviews claims that an amendment breaches the floor. Fork rights remain available when lawful amendment cannot resolve a participant's objection.

Consent binds to a witnessed system state. A material change in purpose, controller, affected population, decisional consequence, retention, or identity-resolution scope triggers a new accounting and, where consent is the legal basis, new consent. An old click may not be reanimated to authorize a materially different system. The same doctrine turns inward: on a declared cycle, the living re-ratify the floor while retaining power to revise its calibrations. Re-ratification affirms the minima; it does not place the conditions of contestable consent up for ordinary repeal.

Emergencies do not create a secret constitution. Two institutional roles must invoke an emergency jointly and publicly, naming the threat, provisions affected, duration, and review channel. Every suspension receives a receipt. No suspension lasts beyond ninety days without the amendment vote, and the non-derogable minima remain in force. If primary infrastructure fails, duties move to a degraded channel and the records are reconciled when service returns.

IX. Relation to Existing Law

The proposal extends rather than erases familiar law: adverse-action notice and dispute duties in consumer credit; procedural review in administrative law; data minimization, erasure, and portability in data-protection law; independent audit in financial regulation; and interoperability duties in competition law. It adds two claims with no close general analogue: a prohibition on cross-domain composition without valid authority, and a settlement-integrity requirement independent of the operator whose acts are being recorded. Existing rights remain available whenever they provide stronger protection.

X. Open Questions

Constitutional documents that pretend completeness invite brittle implementation. The following questions are identified as requiring further development through multi-stakeholder deliberation:

  1. Threshold calibration. What user count, transaction volume, or dependency ratio defines "systemic significance"? The answer is political, not technical, and different jurisdictions may set different thresholds.

  2. Cross-jurisdictional enforcement. How are receipt and portability requirements enforced against entities operating across jurisdictions with different regulatory frameworks? Mutual recognition agreements, treaty-based coordination, and unilateral market-access conditions are candidate mechanisms.

  3. Funding the institutional build. Who pays for arbiter training, auditor certification, standard-setting infrastructure, and verification advocates? Regulatory fees, penalty revenue, and public appropriation are candidate mechanisms, each with different political viability.

  4. Delegation allocation. The surviving-principal rules prevent an absent defendant, but sectors still need allocation rules among developers, integrators, deployers, insurers, and operators. The framework should fail closed: no covered act without a registered principal and remedy fund.

  5. Mercy calibration. What expiration periods, sealing conditions, and amnesty terms are appropriate for which domains? These are moral-political questions that require democratic deliberation, not technical specification.

  6. Thermodynamic grounding at scale. If high-assurance settlement requires energy expenditure proportional to security, what is the acceptable energy cost for constitutional infrastructure? The question mirrors existing debates about the energy cost of military defense, judicial systems, and financial infrastructure.

XI. Falsification Conditions

The proposal should be weakened or abandoned where evidence defeats it:

  • If large-scale covered systems without receipts and independent contestation remain legitimate, corrigible, and non-dominating, the receipt floor is unnecessary.
  • If ordinary portability produces credible exit despite network effects, shared models, and unavoidable passages, fork rights add cost without freedom.
  • If records controlled solely by receipted authorities remain durable, independently verifiable, and resistant to capture at civilizational scale, Article 11 overreaches.
  • If comprehensive durable personal records produce no persistent exclusion and ordinary correction suffices, designed forgetting lacks its constitutional premise.
  • If individual remedies adequately reveal and repair class-wide harms, the Affected-Person Representative Body is overhead.
  • If competence attestations cannot distinguish independent review from ceremony, they must be replaced by tighter structural limits on delegation.

These are program-level tests. Individual calibrations may fail without defeating the whole framework, and a successful pilot does not prove civilizational necessity.

Notes

1. Federal Trade Commission, In the Matter of Everalbum, Inc., Decision and Order, Docket No. C-4743 (May 6, 2021), Definitions ¶¶ 1, 5–6 and Part III.B–C. The remedy reached specified face embeddings and affected work product developed using covered biometric information.

2. Binchi Zhang et al., “Verification of Machine Unlearning is Fragile,” in Proceedings of the 41st International Conference on Machine Learning, PMLR 235 (2024), pp. 58717–58738. The paper demonstrates ways an adversarial provider can circumvent several verification strategies; it does not establish that unlearning is impossible.


This document operationalizes "Computational Republicanism: A Constitutional Orientation for the Agent Economy." Both documents together constitute the constitutional proposal. Neither is sufficient alone.