Custody and Privacy: Distinct Governance Questions
Standard Context: ARCS v1.0 | Published by: Vega Commons Project, Inc.
1. Purpose
This document distinguishes between custody controls and privacy controls as they apply to interaction records generated by automated systems. The two categories are frequently conflated in governance discussions. Custody posture addresses whether deliberative logs exist as operator-controlled records reachable by legal process, security breach, or internal access. Privacy controls govern access to existing records. Custody controls govern whether records are created and retained. The two address different governance surfaces and are complementary rather than interchangeable.
2. Definitions
For the purposes of this document:
Deliberative logs are records of human-system interaction that can include prompts, responses, reasoning traces, and related cognitive artifacts. They are distinguished from final business records that an enterprise affirmatively elects to retain.
Custodial architecture is a system that retains deliberative logs beyond the immediate session on operator-controlled infrastructure, making them persistent records subject to legal process, internal access, and breach exposure.
Non-custodial architecture is a system designed so that deliberative logs are not retained after session termination on operator infrastructure by default. Session data exists only in volatile memory on the user's device and is cryptographically destroyed at session close. The operative test is whether the platform operator can produce session logs in response to legal process.
Privacy controls are measures that limit who can access, link, or use existing records. Examples include routing concealment (VPNs), transport-layer unlinkability (blind signatures), and vendor-side contractual retention limits (Zero Data Retention agreements).
Custody controls are measures that minimize record creation and retention on operator infrastructure, reducing the historical production surface available to legal process, breach, or internal misuse.
3. Infrastructure Layers and Residual Exposure
Several approaches to interaction record privacy are commercially available or under active development. Each operates at a distinct layer of the infrastructure stack and leaves a distinct residual exposure. No single layer replaces the others.
| Layer | Example | Scope of Protection | Residual Exposure |
|---|---|---|---|
| Network | VPNs, TLS | Routing metadata; IP-layer association concealment. | Content remains visible to service endpoints. Vendor and operator retain full interaction records. |
| Transport / Linkability | Unlinkable inference (blind signatures, secure proxies) | Provider-side longitudinal profiling across sessions. | Single-session content remains readable. Does not address operator-side retention. User-supplied context can weaken cross-session unlinkability. |
| Vendor Storage | Zero Data Retention contracts | Limits vendor-side prompt/response persistence and secondary use, subject to contractual exceptions. | Does not govern operator retention. Safety monitoring, legal holds, and court orders can create residual vendor retention. Protection is contractual, not architectural. |
| Operator Custody | ARCS and non-custodial architecture | Minimizes operator-side creation and retention of deliberative logs. Reduces historical production surface. | Does not prevent an enterprise from retaining final business records it affirmatively elects to keep. |
4. Content-Based Identification and De-Identification Limits
Inference capabilities have reduced the cost of extracting identity from content patterns, which narrows the effectiveness of de-identification strategies that primarily address metadata-layer identifiers.
In February 2026, John Scott-Railton, a senior researcher at the Citizen Lab at the University of Toronto, posted a public analysis responding to research demonstrating that large language models can deanonymize pseudonymous writing through stylistic analysis at scale. The analysis observed that privacy protections that previously depended on practical friction in identification are subject to erosion as automated inference lowers that friction. Network-layer concealment addresses routing metadata, and pseudonymization addresses account-level identifiers, but neither addresses stylistic content patterns.
In high-value enterprise workflows, the content of a prompt can function as a fingerprint independent of any metadata. A specific snippet of proprietary code, a unique deal term, or a chemical formula may identify the organization even if account identifiers are stripped. Technologies such as unlinkable inference protect against longitudinal profiling across sessions. They do not prevent retrieval of specific records by content. A subpoena seeking records containing references to a particular project would reach an anonymized log if the content is responsive.
De-identification, pseudonymization, and access controls each address a real governance surface. The limitation is that the records themselves may contain identifying information extractable through automated analysis, which constrains the durability of privacy approaches that depend on controlling access to or linkage of existing records rather than minimizing record creation.
5. Custody as a Legal and Governance Concept
Legal process, breach, and internal misuse operate on information that exists. The operative question in a compelled-production context is whether the operator can produce session logs in response to legal process. Where architecture prevents those records from existing on the operator's infrastructure, the question of privilege, protective orders, or confidentiality designations does not arise.
Signal's documented responses to federal legal process illustrate this condition. Signal's published subpoena responses confirm that it can produce the date of account creation and the date of last connection, and nothing else, because nothing else exists on its servers.
The term "custody" is used in this standard because it refers specifically to possession, control, and producibility of records. It is the operative term in discovery practice, records management, insurance underwriting, and regulatory compliance. "Privacy" and "governance" are broader terms that do not isolate the question of whether records exist and can be produced.
6. Implementation Boundary
Non-custodial design is compatible with retaining final business outputs. The governance boundary is between provisional workflow artifacts created during system-mediated interaction and final records an enterprise affirmatively elects to retain. Integration-layer controls can minimize retention of provisional artifacts while preserving downstream business records and audit requirements.
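As an added illustration of the boundary described in sections 2 and 6 (example code, not ARCS text or Vega Commons Project code): deliberative artifacts are held only in volatile memory under an ephemeral session key, a single affirmatively elected output is copied into the operator-controlled store, and closing the session crypto-shreds everything else. The class names, the BLAKE2b counter-mode keystream standing in for a real AEAD, and the list-backed operator store are assumptions for the demonstration.

```python
import hashlib
import secrets

BLOCK = 64  # BLAKE2b digest length, used here as the keystream block size

def _xor_keystream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt data with a BLAKE2b-in-counter-mode keystream (stdlib-only
    stand-in for an AEAD, assumed for this demo); the same call reverses itself."""
    out = bytearray()
    for i in range(0, len(data), BLOCK):
        block = hashlib.blake2b(nonce + i.to_bytes(8, "big"), key=key).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + BLOCK], block))
    return bytes(out)

class NonCustodialSession:
    """Deliberative artifacts exist only here, under an ephemeral key. Nothing reaches
    operator_store unless affirmatively elected as a final business record, so after
    close() the operator cannot produce the rest in response to legal process."""

    def __init__(self, operator_store: list):
        self._key = secrets.token_bytes(32)  # session key, never persisted
        self._artifacts = []                 # (nonce, ciphertext) pairs, volatile only
        self._store = operator_store         # the operator-controlled persistence layer

    def record(self, text: str) -> int:
        """Hold a prompt, response or reasoning trace as a provisional artifact."""
        nonce = secrets.token_bytes(16)
        self._artifacts.append((nonce, _xor_keystream(self._key, nonce, text.encode())))
        return len(self._artifacts) - 1

    def read(self, index: int) -> str:
        if self._key is None:
            raise RuntimeError("session closed: deliberative logs are not recoverable")
        nonce, ciphertext = self._artifacts[index]
        return _xor_keystream(self._key, nonce, ciphertext).decode()

    def elect_final(self, index: int) -> None:
        """The only path from provisional artifact to retained business record."""
        self._store.append({"kind": "final_record", "content": self.read(index)})

    def close(self) -> None:
        """Crypto-shred: destroy the key, then drop the now-unreadable ciphertext."""
        self._key = None
        self._artifacts.clear()

def producible_records(operator_store: list) -> list:
    """What the operator could produce under legal process: only what still exists."""
    return list(operator_store)
```

The operative custody test from section 2 is `producible_records`: before `elect_final` it is empty, and after `close()` it contains only the elected final record.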
Vega Commons Project, Inc. | Custody and Privacy: Distinct Governance Questions | v4 | April 2026