L4
Data Sovereignty
Violation impossible, not merely forbidden
Stateless processing combined with stateful encrypted storage under the learner's control — the same architectural pattern Apple's Private Cloud Compute proved at global scale, applied to the most intimate dataset humans accumulate. Custodial keys for children with threshold cryptography and graduated transfer to adulthood. The depth of L2 is what forces L4 to be load-bearing — without it, the deep profile becomes the most dangerous surveillance instrument ever built for education.
The mechanism
Sovereignty in L4 is not a policy claim. It is a set of technical constraints that the rest of the architecture must satisfy.
Three constraints hold the layer together. Processing is stateless wherever the function permits it: generators, evaluators and retrieval calls treat the learner profile as a transient input, not as an account they accumulate. Where state must be persisted, it is persisted under keys held by the learner — or, for minors, their custodial chain. Records flow through L7 only as derivations a learner has authorised, and authorised one purpose at a time, not as a blanket grant a vendor can broaden later.
The result: at any moment, no single actor — provider, institution, ministry — holds enough of the profile to reconstruct the learner.
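The purpose-bound release described above, as an added example that is not the architecture paper's own code. It assumes the learner's device and the learner-controlled storage share a key (the processor never holds it); a grant names one purpose, a fixed field list and an expiry, and the storage layer releases exactly those fields to a stateless processor, rejecting any attempt to widen the purpose or the field list. The profile contents, key, purpose names and function names are constructed for illustration.

```python
"""Purpose-bound release of profile fields from learner-controlled storage.

Added example, not code from the architecture paper. The learner's device and
the learner's storage share LEARNER_KEY (constructed); the processor never
holds it. A grant covers one purpose, a fixed field list and an expiry, and
storage releases exactly those fields, rejecting any widening of the grant.
"""
import hashlib
import hmac
import json

# Assumption: this key lives only on the learner's device and storage layer.
LEARNER_KEY = b"constructed-learner-held-key"

# Constructed profile. The real L2 record would be far richer than this.
PROFILE = {
    "reading_level": 4,
    "fraction_misconceptions": ["denominator_add"],
    "health_notes": "asthma inhaler in bag",
    "home_address": "12 Example Street",
}


class GrantError(Exception):
    """Raised when a request does not fit the learner's grant exactly."""


def _mac(grant):
    """HMAC over the canonical grant body (every field except the MAC itself)."""
    body = json.dumps({k: v for k, v in grant.items() if k != "mac"},
                      sort_keys=True).encode()
    return hmac.new(LEARNER_KEY, body, hashlib.sha256).hexdigest()


def authorise(purpose, fields, now, ttl=600):
    """Learner side: authorise one purpose, over named fields, for a short window."""
    grant = {"purpose": purpose, "fields": sorted(fields), "expires": now + ttl}
    grant["mac"] = _mac(grant)
    return grant


def release(grant, purpose, fields, now):
    """Storage side: release the requested fields only if the request fits the grant.

    Purpose must match exactly and fields must be a subset; a vendor cannot
    broaden either after the fact because the MAC binds both.
    """
    if not hmac.compare_digest(grant.get("mac", ""), _mac(grant)):
        raise GrantError("grant was not issued by the learner")
    if now >= grant["expires"]:
        raise GrantError("grant has expired")
    if purpose != grant["purpose"]:
        raise GrantError(f"purpose {purpose!r} is not the authorised purpose")
    if not set(fields) <= set(grant["fields"]):
        raise GrantError("requested fields exceed the grant")
    return {f: PROFILE[f] for f in fields}


def plan_next_lesson(released):
    """Stateless processor: a pure function of the released fields, retaining nothing."""
    level = released["reading_level"]
    gaps = released.get("fraction_misconceptions", [])
    return {"difficulty": level + (0 if gaps else 1), "remediate": list(gaps)}


if __name__ == "__main__":
    grant = authorise("lesson_planning", ["reading_level", "fraction_misconceptions"], now=1000)
    print(plan_next_lesson(release(grant, "lesson_planning", grant["fields"], now=1100)))
    try:
        release(grant, "lesson_planning", ["reading_level", "home_address"], now=1100)
    except GrantError as err:
        print("rejected:", err)
```

The processor in this sketch sees only the released fields and returns a derivation; the grant, not the vendor's configuration, decides what those fields are.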
Why the depth of L2 forces L4
L2 is deep on purpose. A profile rich enough to teach a child well is also rich enough to surveil her for a lifetime. The architecture chose depth in L2 because shallow profiles produce shallow tutoring; the cost of that choice is that the same record, leaked, would be catastrophic.
L4 is the price the architecture pays for L2's depth. Without it, the system trades surveillance for individualisation. With it, the trade disappears: the learner gets the personalised tutor, and no unauthorised actor gets the file.
Custodial keys for children
Children cannot meaningfully consent to lifetime data flows. L4 treats this as a first-class problem rather than a footnote.
For minors, the keys to the profile are split — typically among the custodial parent, a school authority and a public escrow — using threshold cryptography. Any two of three can act on routine operations; all three are needed for permanent transfers or external disclosures. As the learner ages, shares migrate: by fourteen the child holds one share directly; by eighteen the child holds the majority; by twenty-one full custody transfers and the previous holders' shares are revoked.
The migration is automatic, predictable and audited at every step. The architecture refuses the alternative — a vendor's "you'll get your data when we say so" — as a non-answer.
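The custody scheme above, as an added example rather than code from the architecture paper. It uses Shamir secret sharing over a prime field: a routine key is shared so that any two of three shares recover it, a transfer key so that every share is needed, and each migration rotates both keys and re-shares them, so that a revoked share recovers only a key no longer in use (the stored profile is assumed to be re-encrypted under the new key at the same time). The age schedule and which custodian yields a share at each step are an illustrative reading of the text, not something the page specifies.

```python
"""Graduated threshold custody for a minor's profile key (Shamir over GF(P)).

Added example; not the architecture paper's code. Two keys are shared among
the custodians: a routine key (any two of three) and a transfer key (every
holder). Every custody migration rotates both keys and re-shares them, so
revoked shares recover only the previous keys. The age schedule and which
custodian yields a share at each step are assumptions for illustration.
"""
import secrets

P = 2**127 - 1  # Mersenne prime; all share arithmetic is in GF(P)

# Illustrative reading of the page's schedule: three shares until 21, so that
# "any two" covers routine work and "all three" is needed for transfers.
SCHEDULE = [
    (0, ["parent", "school", "escrow"]),
    (14, ["child", "parent", "school"]),   # child takes one share directly
    (18, ["child", "child", "parent"]),    # child holds the majority
    (21, ["child"]),                       # full custody; earlier shares revoked
]


def _eval_poly(coeffs, x):
    """Horner evaluation of c0 + c1*x + ... + c_{t-1}*x^(t-1) over GF(P)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def split(secret, threshold, holders):
    """Shamir split: list of (holder, x, y); any `threshold` points recover secret."""
    if not 1 <= threshold <= len(holders):
        raise ValueError("threshold must be between 1 and the number of holders")
    coeffs = [secret % P] + [secrets.randbelow(P) for _ in range(threshold - 1)]
    return [(h, i, _eval_poly(coeffs, i)) for i, h in enumerate(holders, start=1)]


def reconstruct(points):
    """Lagrange interpolation at x = 0.

    Exact with at least `threshold` distinct points; with fewer it yields an
    unrelated field element, never a partial secret.
    """
    xs = [x for x, _ in points]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share presented")
    total = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total


class Custody:
    """Current sharing of the routine and transfer keys for one learner."""

    def __init__(self, age=0):
        self.holders = []
        self.routine_shares = []
        self.transfer_shares = []
        self.revoked = []          # shares invalidated by past migrations
        self.migrate(age)

    def migrate(self, age):
        """Apply the schedule for `age`; rotate and re-share keys if custody changed."""
        holders = [h for a, h in SCHEDULE if age >= a][-1]
        if holders == self.holders:
            return False
        self.revoked += self.routine_shares + self.transfer_shares
        self.holders = holders
        # Fresh keys on every migration: the stored profile is assumed to be
        # re-encrypted under them, so a revoked share unlocks nothing current.
        self.routine_key = secrets.randbelow(P)
        self.transfer_key = secrets.randbelow(P)
        self.routine_shares = split(self.routine_key, min(2, len(holders)), holders)
        self.transfer_shares = split(self.transfer_key, len(holders), holders)
        return True

    @staticmethod
    def _present(shares, present):
        return [(x, y) for h, x, y in shares if h in present]

    def routine_ok(self, present):
        """Can the holders in `present` recover the routine key?"""
        pts = self._present(self.routine_shares, present)
        return bool(pts) and reconstruct(pts) == self.routine_key

    def transfer_ok(self, present):
        """Can the holders in `present` recover the transfer key?"""
        pts = self._present(self.transfer_shares, present)
        return bool(pts) and reconstruct(pts) == self.transfer_key


if __name__ == "__main__":
    custody = Custody(age=9)
    print("parent+school routine:", custody.routine_ok({"parent", "school"}))
    print("parent+school transfer:", custody.transfer_ok({"parent", "school"}))
    custody.migrate(18)
    print("child alone routine at 18:", custody.routine_ok({"child"}))
```

The rotation step is the part easiest to omit in a real deployment: without re-keying, "revoking" a custodian's share changes nothing, because the old share still interpolates to the key the profile is encrypted under.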
A state that demands access gets nothing — not because a contract forbids it, but because no interface exists.
What no single actor sees
Even with full audit access, no single actor sees the whole profile. The state that demands access via a contract gets the same thing the attacker who breaches a server gets: shards. To reconstruct the file you need either the learner's authenticated consent or a court order combined with the threshold custodians.
This is not designed to obstruct legitimate oversight. It is designed to make illegitimate oversight expensive enough that it becomes visible. Sovereignty held in code is harder to lose than sovereignty held in policy: contracts can be renegotiated, ownership can change, jurisdictions can be left. An interface that was never built to expose the data cannot be retroactively persuaded to expose it.
Reference
Architecture paper, Section 6. DOI: 10.5281/zenodo.18759134. CC BY 4.0.