Appendix C
Worked Examples
Appendix A specified the receipt's grammar: the five-element structure (Act, Authority, Bounds, Justification, Appeal Path) formally defined in Chapter 8. Appendix B addressed engineering considerations. This appendix applies the grammar to five domains where computational authority currently operates without adequate constraint. Each example follows the same structure: the current architecture, what the receipt requirement changes, and where the requirement breaks down.
The examples are deliberately ordinary. Platform suspensions, credit scores, content rankings, benefit denials, biometric identity failures — these are not edge cases but the daily operations of systems that exercise coercive authority over millions of lives. If the receipt requirement cannot improve these cases, it cannot improve anything.
1. Platform Account Suspension
Current architecture. A user receives an email: "Your account has been suspended for violating our Community Guidelines." The email links to a page listing the Community Guidelines in their entirety: thirty pages of general prohibitions. No specific violation is identified. No timeline is given. The appeal process, if it exists, consists of a web form that accepts five hundred characters and returns an automated response within "up to thirty days." The user's content, contacts, purchase history, and accumulated reputation are inaccessible during the suspension and may be permanently deleted if the suspension becomes a termination.
With the receipt requirement. The suspension notice must contain the five-element receipt. The Act identifies the specific restriction: posting suspended, marketplace access revoked, messaging restricted to existing contacts, content archive downloadable. The Authority cites the specific policy subsection: "Section 4.2(c): repeated posting of content flagged by three or more independent reviewers as misleading health information." The Bounds specify duration and conditions: fourteen-day suspension, automatic reinstatement on a named date, escalation to ninety-day suspension if a second violation occurs within six months, and permanent termination only after external review. The Justification identifies the triggering content: three posts on specified dates, each flagged by named reviewers or described review processes, with the determination standard stated. The Appeal Path names the body, the timeline, and the binding effect: internal review within seven days, if denied, external arbitration by an independent panel, arbitration binding on both parties, and costs split or borne by the platform.
What changes. The platform can still suspend the account. The receipt requirement does not prevent action — it prevents unaccountable action. The user knows what happened, why, for how long, and how to contest it. The platform's moderation team must articulate reasons that survive scrutiny, which disciplines the process even before any appeal is filed. Moderators who know their decisions will be receipted and potentially arbitrated make different decisions than moderators who know their decisions are final and invisible.
Where it breaks down. Speed. A platform facing a coordinated disinformation campaign may need to suspend thousands of accounts in hours. Generating five-element receipts for each action introduces delay. The framework's response: provisional suspension with abbreviated receipt (Act and Bounds only), followed by full receipt within a defined period. The tradeoff is explicit. Faster action, less initial accountability, with a commitment to close the accountability gap within a stated timeline. The tradeoff is visible and auditable, which is precisely what distinguishes receipted urgency from unreceipted discretion.
2. Credit Scoring Transparency
Current architecture. A borrower is denied a mortgage. The denial letter cites "insufficient credit history" or "debt-to-income ratio outside acceptable range." The borrower can request a credit report, which shows data inputs (account balances, payment history, inquiries) but not the model that transformed those inputs into a score, or the weight assigned to each factor, or the threshold that separated approval from denial. The score is a number without a derivation. The denial is a verdict without a reasoned judgment.
With the receipt requirement. The denial must produce a receipt. The Act: mortgage application denied for property at specified address, amount requested, date of application. The Authority: lending policy section and applicable regulatory framework (Equal Credit Opportunity Act, if applicable). The Bounds: denial effective immediately. Reapplication is permitted after specified conditions are met (six months of on-time payments, debt reduction below a named threshold). The Justification: the three to five factors that most heavily influenced the denial, with directional weight: "payment history (strongest negative factor), credit utilization at 78% (second factor), length of credit history at 2.3 years (third factor)." Not the full model, which may be proprietary, but sufficient causal explanation that the borrower can identify what to change. The Appeal Path: internal reconsideration upon submission of additional documentation, regulatory complaint to the relevant agency, and timeline for each.
What changes. The borrower moves from subject to participant. The denial is no longer a verdict delivered from behind a curtain but a reasoned determination that can be examined, contested, and, critically, acted upon. A borrower who knows that credit utilization is the binding constraint can reduce utilization and reapply with a defined expectation. The opacity that currently characterizes automated lending decisions is replaced by structured transparency that respects both the lender's proprietary model and the borrower's right to understand the decision that shapes their life.
Where it breaks down. Model gaming. If the receipt reveals which factors dominate, applicants can optimize against the model rather than improving their actual creditworthiness. A borrower who learns that utilization matters more than payment history can strategically lower utilization before application while maintaining risky borrowing patterns elsewhere. The framework's response: the receipt reveals factors, not weights. Directional information (this factor hurt you most) without precise coefficients preserves enough opacity to resist systematic gaming while providing enough transparency for meaningful contest. The tension is irreducible — the same information that enables appeal enables optimization — and the receipt requirement makes the tension visible rather than hiding it behind total opacity.
3. Algorithmic Content Moderation
Current architecture. A post is demoted in the feed. The creator notices declining engagement but receives no notification. The demotion may result from automated classification (the content was flagged as borderline by a machine learning model), from manual review triggered by user reports, or from a policy change that reclassified the content category. The creator cannot distinguish between organic decline in audience interest and active suppression by the platform. The absence of any signal is itself the problem — the creator cannot contest what they cannot see.
With the receipt requirement. Demotion above a proportionality threshold triggers a lightweight receipt. Not every ranking adjustment warrants documentation — but when a post's distribution is reduced by more than a defined percentage relative to the creator's baseline, or when a creator's content is systematically classified into a restricted category, the receipt is owed. The Act: content at specified URL demoted in feed distribution by approximately a stated amount, effective from a stated date. The Authority: content policy section governing the relevant category, or the automated classification system and its confidence threshold. The Bounds: demotion applies to feed ranking only. Content remains accessible via direct link. The demotion is reviewed automatically after a stated period. The Justification: classification category (e.g., "medical claims requiring expert review"), the trigger (automated classifier confidence score above threshold, or user reports exceeding threshold), and the standard applied. The Appeal Path: request human review, response within stated timeline, and if classification reversed, distribution restored with a noted flag for monitoring.
What changes. The invisible hand becomes visible. Creators who can see what happened, why, and how to contest it are positioned differently from creators who can only speculate. The platform's moderation team must maintain consistent standards across similar content, because inconsistencies are now detectable by comparing receipts. The receipt creates an audit trail that regulators, researchers, and the platform's own quality teams can examine for systematic bias: patterns that would remain invisible under the current architecture of silent demotion.
Where it breaks down. Adversarial content. Spam networks, coordinated inauthentic behavior, and sophisticated disinformation campaigns can use the receipt system to reverse-engineer the platform's detection methods. A receipt that explains "this content was flagged because it matches patterns associated with coordinated inauthentic behavior" tells the adversary exactly what patterns to avoid. The framework's response: the receipt requirement applies to the affected party, not to all observers. The receipt is owed to the person whose content was demoted. It is not published to the world. Selective disclosure, where the creator sees their receipt but the adversary does not see other creators' receipts, preserves the detection system's integrity while maintaining accountability to the individual. Where national security or ongoing investigation requires withholding even from the affected party, the receipt is sealed and delivered upon investigation closure, with a judicial or oversight body verifying that the seal is warranted. Delayed accountability is still accountability. Permanent silence is not.
4. Government Benefit Denial
Current architecture. An applicant for disability benefits receives a letter: "Based on our review, you do not meet the eligibility criteria for the requested benefit." The letter may cite the governing statute. It rarely explains which criterion was not met, what evidence was considered, or how the applicant's circumstances were weighed against the standard. The appeal process — if the applicant can find it and follow it — may take months or years, during which the benefit is not provided.
With the receipt requirement. The denial produces a full five-element receipt. The Act: application for specified benefit denied, filed on stated date, determination issued on stated date. The Authority: governing statute and implementing regulation, section and subsection. The Bounds: denial effective immediately. Reapplication is permitted upon change in circumstances or submission of additional documentation. Interim benefits are available during appeal (if applicable under the governing statute). The Justification: the specific criterion not met. If the denial was based on income threshold: applicant's reported income, the applicable threshold, the gap. If based on medical determination: the reviewing physician's conclusion (or the automated system's classification), the standard applied, the evidence considered. The receipt provides a specific application of the rule to this applicant's circumstances, not a generic citation of the statute. The Appeal Path: administrative hearing within stated timeline. Applicant may present evidence and testimony. The hearing officer is independent of the initial determination. Judicial review is available if administrative appeal is denied. Legal aid resources are listed.
What changes. The applicant moves from supplicant to claimant. The denial becomes a door with a visible lock — the applicant can see what must change for the door to open. The receipt requirement does not guarantee approval. It guarantees that the denial is legible, the reasoning is inspectable, and the contest is real. For government benefits, where the power asymmetry between state and citizen is at its most acute, the receipt is not a courtesy but a constitutional obligation. The state that denies a benefit without explaining why exercises arbitrary power, regardless of whether the denial is substantively correct.
Where it breaks down. Capacity. Government agencies processing millions of applications per year may lack the infrastructure to generate individualized five-element receipts for each denial. Automated systems that classify applications against eligibility rules can generate receipts at scale (the five elements are derivable from the decision logic), but only if the systems are designed with the receipt requirement built in. Retrofitting the requirement onto legacy systems is expensive and slow. The framework's response: the receipt requirement is a design specification for new systems and a migration target for existing ones. The transition is gradual. The destination is non-negotiable. Every year that passes without receipted denials is a year in which citizens are denied the ability to contest decisions that shape their lives.
5. Biometric Identity Failure (Aadhaar)
Current architecture. India's Aadhaar system assigns a twelve-digit identity number to over a billion residents, linked to biometric data: fingerprints and iris scans. The system serves as the authentication layer for government benefits: food rations, cooking fuel subsidies, rural employment guarantees. To collect a benefit, the recipient places a finger on a scanner. If the biometric matches, the benefit is released. If it does not, the benefit is denied.
The failure rate is not hypothetical. Manual laborers whose fingerprints have been worn smooth by years of brickwork or agriculture fail authentication at rates far higher than office workers. The elderly, whose biometric data degrades over time, fail more often than the young. Rural connectivity gaps mean that the scanner cannot reach the central database, and the transaction times out. In each case, the recipient is denied a benefit they are legally entitled to because the verification infrastructure cannot confirm what is true.
With the receipt requirement. The denial produces a receipt even when the denial is caused by system failure rather than ineligibility. The Act: biometric authentication failed for benefit disbursement at specified location, date, and time. The Authority: Aadhaar Act and implementing regulations governing the specific benefit scheme. The Bounds: benefit withheld pending re-authentication. Manual override is available within stated timeline. Benefit is held in escrow rather than forfeited. The Justification: authentication failure: fingerprint match score below threshold (specifying the score), or connectivity timeout, or database unavailability. Critically: the receipt distinguishes between "ineligible" and "system unable to confirm eligibility." The Appeal Path: in-person re-authentication at district office within stated period. Alternative identification is accepted (Aadhaar card with photograph, ration card, voter ID). A grievance mechanism with a stated response timeline is available.
What changes. The system can no longer treat its own failure as the recipient's problem. A biometric mismatch is an infrastructure limitation, not evidence of fraud. The receipt makes the distinction legible: the recipient carries documentation that the denial was caused by the system, not by their ineligibility. The distinction matters for the pattern that follows — an accumulation of system-failure receipts at a particular ration shop, in a particular district, among a particular demographic, becomes evidence of infrastructure inadequacy that administrators can act on. The receipt creates accountability not only for individual denials but for the systemic pattern that produces them.
Where it breaks down. Literacy and access. Many Aadhaar-dependent benefit recipients are illiterate or semi-literate, in regions where digital infrastructure is sparse. A five-element receipt delivered as a printed slip or a text message is useless to someone who cannot read it. The framework's response: the receipt must be adapted to context. Voice-based confirmation in the local language. A physical token, a stamped card, that the recipient carries to the district office. A community advocate or ombudsman with access to the receipt database who can act on the recipient's behalf. The receipt requirement is universal. The form it takes is not. The grammar is constant. The medium must vary.
The Common Structure
Five domains, four of them Western institutional contexts and one from the world's largest biometric identity system. Five applications of the same grammar. The receipt does not prevent the exercise of power — it makes the exercise legible. The platform can still suspend. The lender can still deny. The algorithm can still demote. The government can still reject. The biometric scanner can still fail. What changes is the relationship between the party exercising power and the party subject to it. The receipt transforms a unilateral verdict into a bilateral exchange: the authority acts, the subject inspects, the contest is possible.
Each example also reveals a limitation. Speed, gaming, adversarial exploitation, capacity, literacy — each domain surfaces a specific tension between accountability and operational reality. The tensions are not reasons to abandon the requirement. They are the engineering problems that implementation must solve. A receipt architecture that ignores these tensions will be gamed, circumvented, or abandoned. A receipt architecture that addresses them (through provisional receipts, selective disclosure, proportional thresholds, phased deployment, and context-adapted delivery) may prove durable enough to survive the pressures that will test it.
The reader who finishes these examples thinking "I could build this" has understood the appendix. The reader who finishes thinking "this would be hard to build" has understood it better.