jwc-global

ACT I: Architectural choices that degrade fidelity below observability create a new category of harm that doctrine hasn't named—until now.

When systems fail, law reflexively asks "who made the bad decision?" But a class of harms originates not in human choice but in architectural allocation—the upstream design decision to compress, abstract, or constitute information through fixed interfaces that present nominal equivalence while degrading fidelity below observability thresholds. The Structural Defect Framework provides a doctrinal mechanism to identify these harms through a sequential filter: first locating fidelity parameters, then testing for the tripartite condition (fixed interface + nominal equivalence + two-axis opacity), and finally applying four diagnostic elements (structural invisibility, foreseeable harm, doctrinal mismatch, information asymmetry). The framework's dual-arm structure—distinguishing transmitted artifacts with upstream baselines from constituted signals with only compliance claims—reveals that seemingly unrelated domains (streaming video, airbag sensors, victim conferral, Title VII compliance) share the same generative mechanism: contravariance violation, where strong guarantees flow forward to users while severed assumptions flow backward to operators. The doctrinal payoff is a new allocation rule: the party controlling architecture and choosing non-observability bears the evidentiary gap unless diagnostic sufficiency is proven.

ACT II: Quantization is that architectural choice operating at scale in legal AI, trading reasoning for compute while hiding the loss.

Legal AI tools marketed as reasoning assistants increasingly run on quantized models—neural networks compressed from 16-bit floating point to 4-bit integers to reduce costs—but this compression degrades precisely the capabilities lawyers are paying for while preserving the fluency that conceals the loss. The technical reality is stark: quantization clips outlier weights that encode fine-grained distinctions, creating "silent defects" where models confidently hallucinate citations, miss dispositive issues, and collapse multi-step reasoning—all behind the same interface, the same API, the same marketing. This isn't a bug; it's a design choice that trades reasoning fidelity for compute savings, shifting costs from provider to practitioner while defeating the observability that bounded professional responsibility requires. Under the Structural Defect Framework, quantization satisfies every element: structural opacity (wrapper fragmentation, float-compatible interfaces), temporal opacity (silent updates, version meaninglessness), nominal equivalence (INT4 answers look like FP16), foreseeable harm (known degradation curves), and information asymmetry (only providers know which variant answered). The liability implications are immediate: quantization is a design defect under risk-utility analysis (reasonable alternatives exist), a failure to warn (generic "may hallucinate" disclaimers don't address configuration-specific risks), and a breach of implied warranty (marketing as "legal AI" represents fitness for legal reasoning). When defendants argue "you cannot prove INT4 caused this error," the framework's allocation rule responds: the party who chose non-observability bears the gap.

ACT III: Here's the empirical proof that the silent defect zone exists—where models fail without looking like they're failing.

Theory predicts a "silent defect zone"—a quantization regime where legal reasoning degrades substantially while surface fluency remains stable, creating errors invisible until they matter. This empirical study tests that prediction through a parallel-arms, glass-box experiment: exact replication of Stanford RegLab's legal hallucination benchmark plus LegalBench issue-spotting tasks, varying only PTQ bit-width (FP16 → INT8 → INT4 → 2-bit) across multiple architectures. The design isolates the critical question: does the gap between reasoning accuracy and fluency widen as quantization increases? If H7 confirms—that INT4/INT8 models show significant reasoning degradation while maintaining near-baseline perplexity—then quantized legal AI tools are epistemically worse than obviously broken ones: they fail without signaling failure. The study provides the empirical foundation for the liability framework developed in Act II, transforming "quantization degrades reasoning" from theoretical prediction to documented fact, with category-specific hallucination rates, complexity-tier breakpoints, and cross-architecture replication that precludes "one model's quirk" defenses.

STRUCTURAL DEFECT FRAMEWORK, DUAL NATURE AND APPLICATIONS

This book has two parts- Act I and Act II. Act I will cover the Dual SDF and Act II will cover Quantization in depth.

A DUAL SYSTEM

I. The Foundation: Shannon’s Unfinished Business

A. Shannon’s Brackets

B. Core Claim: Don't Blame the Human—Fix the Architecture

C. Architectural Inflection

II. Theoretical Foundation

A. The New Wrong: Unilateral Architectural Allocation

B. The 3-Phase Boundary Mechanism

Phase 1: Threshold—Baseline Exists+Parameter Turned Down

Phase 2: Observability Gap — The Tripartite Condition

Phase 3: Diagnostic — The Four Elements Test

The Sequential Filter

C. The Doctrinal Ancestors

C.1. The Lineage

Porat & Stein: Evidential Damage

Anderson v. Mt. Clemens Pottery: The Judicial Template

Sindell v. Abbott Laboratories: Pricing Causation Gaps

McPeak: Non-Retention by Design

Cohen: Platforms Constitute Reality

Hildebrandt: Legal Protection by Design

C.1.5 Functional Analogs

C.2. Where SDF DIffers

Mt. Clemens Pottery: Right Instinct, Wrong Unit

Sindell: Attribution Without Provenance

McPeak: The Balancing Collapse

Cohen: The Remedial Gap

Hildebrandt: Aspiration Without Enforcement

C.3. The Comparative Posture — Summary Table

D. The Hard-Stance Position

Why "Soft" Solutions Fail

Why "Hard" Solutions Work

Recursive Structural Defects

F. What SDF Does—And Does Not—Claim

What SDF Claims

What SDF Does Not Claim

G. The Comparative Posture — Summary Table

III. The Dual-Arm Structure

A. One Framework, Two Substrates

B. T-Arm: The Transmitted Artifact

C. P-Arm: The Constituted Signal

E. Triage: Which Arm?

IV. The Lifecycle - The Physics

A. The Data Pipeline

B. But Data Degrades by Design, Not Accident

C. The Three States

V.The Sequential Filter

The Diagnostic Protocol

A. Phase 1: Fidelity <

A.1. The Triage Question

A.2. T-Arm: The Transmitted Artifact

A.3. P-Arm: The Constituted Signal

A.4. The Baseline Distinction

A.5. Phase 1 Exit

B. Phase 2: The Tripartite Condition (Observability Gap)

B.1. Fixed Interface

B.2. Nominal Equivalence

B.3. Two-Axis Opacity

B.4. Convergence: The Discretionary Zone

B.5. Phase 2 Exit

C. Phase 3: The Four Elements Test

C.1. Structural Invisibility

C.2. Foreseeable Harm

C.3. Doctrinal Mismatch

C.4. Information Asymmetry

C.5. Phase 3 Exit

D. Arm-Specific Proof Packages

D.1. T-Arm Proof Chain

D.2. P-Arm Proof Chain

D.3. Stacked Cases

E. Not Applicable

E.2. Diagnostic Sufficiency (Safe Harbor)

Summary: The Filter in One Page

VI. Epistemic Latency

What Happens After the Filter Fires

A. Low-Latency Defects

B. High-Latency Defects

C. Epistemic Intermediaries

D. The Lifecycle Trap

F. Litigation Consequences

Summary: Latency and the Filter

VII. Applications: Seven Cases within the Dual-Arm System

The Matrix: Isomorphism of the fidelity parameter

Case 1: Streaming Video and the Vanishing Frame (T-Arm)

Part 1: Context

The Promise

The Mechanism

The Artifact

The Economics

The Invisibility

Part 2: SDF Analysis

A. Fidelity Parameter

B. Observability Gap

D. Proof Targets

Bridge

Case 2: Takata Airbags and the Slow Bomb (T-Arm in Atoms)

Part 1: Context

The Deployment

The Chemistry

The Temporal Bet

The Supply Chain Opacity

The Regulatory Gap

Part 2: SDF Analysis

A. Fidelity Parameter

B. Observability Gap

C. Signature Failure

D. Proof Targets

E. Remedy

Bridge

Case 3: Right to Confer and the Checkbox Collapse (P-Arm)

Part 1: Context

The Experience Gap

The Epistemic Trap

The Doctrinal Collision

The SDF Reframe

The Doctrinal Void

Part 2: SDF Analysis

A. Fidelity Parameter

B. Observability Gap

C. Signature Failure

D. Proof Targets

E. Arizona Already Knows How to Build This

F. Remedy

Bridge

Case 4: Title VII and the Reality Trap (P-Arm)

Part 1: Context

The Experience Gap

The Epistemic Trap

The Doctrinal Collision

The SDF Reframe

The Doctrinal Void

Part 2: SDF Analysis

A. Fidelity Parameter

B. Observability Gap

C. Signature Failure

D. Proof Targets

E. Remedy

Bridge

Part 1: The Protocol

Part 2: The Protocol Working

Part 3: The Protocol Breaking

Part 4: The View from Inside

Part 5: SDF Diagnostic

Coda: Architectures That Could Verify

Case 6: Boeing 737 MAX and the Jedi Mind Trick (T→P Stacking)

Part 1: Context

The Experience Gap

The Epistemic Trap

The Doctrinal Collision

The SDF Reframe

The Doctrinal Void

Part 2: SDF Analysis

A. Fidelity Parameter

B. Observability Gap

C. Signature Failure

D. Proof Targets

Case 7. Theoretical P → T Stacking: The Frozen Precedent

Part 1: Context

The Loop of Error

2026: The Quantized Brief

2027: The Judicial Validation

2028: The Corpus Ingestion

2029: The Freeze

The Recursive Horror

Part 2: SDF Analysis

A. Fidelity Parameter

B. Observability Gap

C. Signature Failure

D. Proof Targets

E. Remedy: The Doctrinal Circuit Breaker

Bridge to Governance

VIII. Shifting the Equation

A. The Severed Arrow

B. Three Contract Postures

D. T-Arm and P-Arm: Two Modes of Violation

F. Act II Isomorphism: FRD as Computational Contravariance

G. The Closing Argument (One Question)

IX. Implications

A. The Crisis of Accountability

B. Three Allocation Mechanisms

B.1. The Silent Witness (Maritime)

B.2. The Illiquidity Discount (Financial)

B.3. Constructive Spoliation (Evidentiary)

B.4. The Convergent Principle

C. The Rule

E. The Synthesis

XI.

C. The Intellectual Lineage: Convergent Discovery

XII. Conclusion

[ACT III] QUANTIZATION - EMPIRICAL STUDY

This paper was the driving force behind a decision to start studying the law after 15 years of professional experience. My hope is that it finds its place in legal scholarship.

A. Shannon’s Brackets

In 1948, Claude Shannon published A Mathematical Theory of Communication1 in which he solved the engineering problem of communication: how to move symbols accurately through a noisy channel. His framework gave us bits, bandwidth, and the mathematics of compression.

But Shannon also made an explicit choice. In his opening pages, he bracketed the “semantic aspects” of communication to isolate the engineering problems.2 Level A—did the symbols arrive?—was his domain. Level B—did the meaning survive?—was someone else's problem.3

Shannon's bracket gave designers permission to optimize for transmission (Level A) while sacrificing meaning (Level B)—and law has no vocabulary to describe the loss. A compressed video that arrives intact but cannot identify a face is a Level A success and a Level B failure. Current doctrine cannot see the difference.

Shannon's collaborator, Warren Weaver, advanced the work and made the structures explicit. In his essay, Weaver divided communication problems into three levels: Level A (technical) - can symbols be transmitted accurately; Level B (semantic) - do transmitted symbols convey the intended meaning; Level C (effectiveness) - does the received meaning produce the desired conduct?

Shannon solved Level A. Legal disputes live at Level B.4 SDF operationalizes Level B fidelity for legal accountability—to ask not merely whether the signal arrived intact, but whether it carried sufficient meaning to support the judgments made upon it.

The Structural Defect Framework attempts to unbracket these by systematically diagnosing whether the signals arrived intact, and whether it carried sufficient meaning to support the judgments made upon it.

B. Core Claim: Don't Blame the Human—Fix the Architecture

The Structural Defect Framework (SDF) is a diagnostic protocol for identifying systems that attenuate normatively relevant information while maintaining the appearance of fidelity—producing foreseeable harms that are structurally hidden from view.

Concealment: Does the architecture hide relevant information from downstream users in ways that make it impossible to recognize and inspect?

Attenuation: Does the system compress, discard, or fail to capture the information that is necessary to verify its fidelity?

Allocation: When such characteristics have been designed into the architecture, who bears responsibility for the resulting harms?

Its core message is actually quite simple:

For decades, law has tried to solve discrimination, negligence, and institutional failure by hunting for the bad actor—the racist manager, the lazy prosecutor, the negligent programmer—asking what was he thinking? It has failed because it interrogates the operator while ignoring the operating system.

Human error is inevitable. James Reason's Swiss Cheese Model established that active failures will occur; safety depends on defensive layers, not perfected operators. Bias contaminates perception before conscious thought can intervene—the brain categorizes and evaluates before the prefrontal cortex arrives. Asking individuals to "check their bias" is asking the Ego to police a process it cannot observe. This is why Batson fails: by the time the prosecutor articulates a reason, she is rationalizing a decision that was never fully rational in the first place.

Structure works where training fails. The precise mechanisms underlying discriminatory outcomes remain contested—implicit bias, in-group favoritism, statistical discrimination—but they share a common channel: unstructured discretion. Training targets the mechanism. Structure targets the channel. Structure works because it does not require knowing which mechanism is operative; it narrows the space through which any biased cognition can reach outcomes.

C. Architectural Inflection

Consider what you don't know about the AI that answered your question this week. Which model was it—the one on the label, or a cheaper derivative? Whose weights, trained on what, fine-tuned by whom, served through whose infrastructure, optimized for whose costs? You don't know. You can't know. The session ended. Whatever happened inside is already gone.

The answer was not to address the bias. It was to make the bias irrelevant by removing the information that triggered it. The evaluators' conscious commitment to fairness had always been genuine, but it had never been sufficient. Only when the architecture prevented bias from operating did merit actually prevail.

SDF inverts the question. A discrimination claim is a bug report. A hallucination is a null pointer. A persistent pattern of disparate outcomes is a stack trace. The relevant question is no longer what was he thinking? but why was the system designed to allow it?

Every system that runs at near-perfect levels stops asking humans to be something they are not. These systems take humans out of the critical path of failure. A fair and just system should not ask humans to be better than they are. It respects human limitations and builds appropriate guardrails into the architecture. It frees the candidate from the harm of unchecked bias, and it frees the manager from the complicity of being an unwitting participant.

By shifting our gaze from the operator to the architecture, we lose the satisfaction of moral condemnation. But we gain something far more valuable: the ability to actually fix the code.

A. The New Wrong: Unilateral Architectural Allocation

The Structural Defect Framework identifies a category of legal harm that existing doctrine does not adequately name: unilateral architectural allocation. This is the condition in which one party designs a system that predictably blocks verification of legally relevant information at the moment of reliance, then benefits from the resulting evidentiary gap.

The traditional unit of analysis in tort and evidence law is the act—a negligent omission, a spoliation event, a failure of reasonable care. SDF shifts the unit of analysis to the architecture: the set of design choices that determine what information will exist, persist, and remain verifiable when a dispute arises.

This shift matters because modern systems do not create evidentiary gaps through episodic negligence. They create gaps through industrial-scale design. When a vendor chooses Retention = 0 as the default, that choice is not a one-off failure; it is hard-coded into millions of interactions simultaneously. When an AI system is deployed without configuration provenance, that opacity is not accidental; it is the predictable output of a supply chain structured to externalize verification costs.

The wrong is not that someone lost a file. The wrong is that the architecture was designed to ensure the file never existed—or that its existence would be unverifiable at the moment someone needed to rely on it.

SDF names this allocation and prices it. The rule is simple: if you controlled the parameter and chose non-observability, you bear the consequences of the gap you created.

B. The 3-Phase Boundary Mechanism

SDF is not a general theory of information asymmetry or platform power. It is a diagnostic protocol with strict boundary conditions. The framework only fires if a case clears three sequential gates. Failure at any gate terminates the analysis.

Phase 1: Threshold—Baseline Exists+Parameter Turned Down

T-Arm (Technical Systems): A fidelity parameter exists—bitrate, precision tier, safety margin, model version—with a known higher-fidelity setting that could have been selected. The vendor chose the lower setting.

P-Arm (Procedural Systems): Diagnostic architecture exists as a design choice. The system could have been built with structured rubrics, retention policies, or audit trails. It was built without them.

Outside SDF: Natural entropy, unavoidable physics, and non-controllable human cognition fall outside the framework. If there is no parameter—no design choice that could have preserved fidelity—SDF does not apply. The framework targets chosen opacity, not inherent limits.

Example (Inside): A legal AI vendor offers configurable precision tiers but defaults enterprise clients to lower-cost quantized models without disclosure. exists; vendor controlled it.

Example (Outside): A witness forgets details of an event due to ordinary memory decay. Does not exist; no SDF.

Phase 2: Observability Gap — The Tripartite Condition

SDF only attaches if verification is structurally blocked at the moment of reliance. Three conditions must converge:

2.1 Fixed Interface. The user interacts with a stable endpoint or workflow treated as "the system"—an API, an HR portal, a streaming service, a 4K badge. The interface presents itself as the thing being relied upon.

2.2 Nominal Equivalence. Materially different configurations share identical labels. "GPT-4" names dozens of backend variations. "Conferred" applies to decisions made through radically different processes. "4K" describes both native and upscaled content. The label is stable; the referent is not.

2.3 Two-Axis Opacity. Verification is blocked along both dimensions:

  • Structural (Vertical): parameter control is fragmented upstream. The supply chain, wrappers, and infrastructure providers each control fidelity settings invisible to the endpoint user.
  • Temporal (Horizontal): Provenance is erased over time. Silent updates, session amnesia, and non-retention policies ensure that the configuration active at the moment of reliance cannot be reconstructed later.

Convergence Requirement. All three conditions must hold. If the interface discloses its configuration (defeats Fixed Interface), if materially different versions carry different labels (defeats Nominal Equivalence), or if provenance is preserved and auditable (defeats Two-Axis Opacity), Phase 2 fails and SDF does not apply.

The Observability Gap is the stable invisibility produced when Nominal Equivalence masks Two-Axis Opacity behind a Fixed Interface.

Phase 3: Diagnostic — The Four Elements Test

SDF only diagnoses legal harm if the Observability Gap produces foreseeable, legally cognizable effects. Four elements must be established:

3.1 Structural Invisibility. The gap blocks verification of normatively relevant information—information that legal doctrine treats as material to the claim or defense at issue.

3.2 Foreseeable Harm. The architecture produces predictable signature failures: Fluency-Reasoning Divergence in quantized models, distributional bias patterns in HR systems, proxy collapse in algorithmic recommendations. These are not random errors; they are repeatable consequences of the design choice.

3.3 Doctrinal Mismatch. Legal baselines are miscalibrated to the architecture. Title VII demands individualized proof from systems that generate only aggregate signals. Contract law assumes disclosed terms when the configuration was never visible. The doctrine presupposes information the architecture structurally withholds.

3.4 Information Asymmetry. The controller bears superior knowledge of the fidelity setting. The vendor knows the model version, the precision tier, the retention policy. The relying party does not and cannot.

Defeaters (Exit from Phase 3):

  • Diagnostic Sufficiency: If the system includes auditable architecture—structured criteria, configuration logs, real-time fidelity indicators—the gap is cured and SDF does not apply.
  • Informed Acceptance: If the relying party had actual knowledge of the tradeoff and meaningful choice to accept or reject it, the asymmetry is dissolved.
  • Incidental Error: If the harm is not a signature failure but a one-off malfunction unconnected to the architectural choice, ordinary negligence doctrine applies.

The Sequential Filter

A hidden fidelity parameter → EXIT (Phase 1 fail)

observability gap → EXIT (Phase 2 fail)

No legally cognizable harm → EXIT (Phase 3 fail)

All phases pass → Priced Opacity reallocation

This filter is what distinguishes SDF from general platform critique. The framework is not a complaint about opacity in the abstract. It is a diagnostic that identifies when opacity becomes actionable and why burden reallocation is the appropriate response.

C. The Doctrinal Ancestors

SDF draws on four intellectual ancestors and two judicial templates. Each provides essential vocabulary and doctrinal grounding. This section first presents what they contributed, then explains where each breaks under the conditions SDF addresses.

C.1. The Lineage

Porat & Stein: Evidential Damage

In 1997, Ariel Porat and Alex Stein introduced the concept that creating uncertainty is an actionable wrong. Their foundational proposition is precise: "Because factual uncertainty distorts the allocation of civil liability, this Article argues that the law should impose liability for uncertainty." The trigger is specific: a party "negligently aggravates the uncertainty of a civil case by making its evidential base deficient." Critically, they emphasize that evidence "belongs to the world of inferences rather than things"—meaning evidential damage extends far beyond physical destruction of documents to encompass any conduct that renders the inferential chain unavailable.

Ariel Porat & Alex Stein, Liability for Uncertainty: Making Evidential Damage Actionable, 18 Cardozo L. Rev. 1891, 1891–93 (1997).

Porat and Stein ground their argument in both corrective justice and economic efficiency. From the corrective justice perspective, a person sustaining evidential damage "is deprived of information to which she is entitled." This deprivation "makes her less autonomous in pursuing her legal rights" and "diminishes the settlement value of her case." From the economic efficiency perspective, liability serves "as an incentive for people to cost-effectively prevent evidential damage and as a vehicle for optimizing allocation of the primary damage in conditions of uncertainty."

Their proposed remedy draws on game theory: a mechanism that "monetizes evidential damage by comparing the postdamage settlement value of the case with its pre-damage value." When evidential damage resulted from one litigant's fault, "this mechanism is fortified by a reallocation of the persuasion burden to the benefit of the afflicted party."

Id. at 1893–94; see also Ariel Porat & Alex Stein, Tort Liability Under Uncertainty 163–97 (2001).

Anderson v. Mt. Clemens Pottery: The Judicial Template

If Porat and Stein provide the doctrinal theory, Anderson v. Mt. Clemens Pottery Co. provides the judicial template. The Supreme Court's 1946 decision is the canonical U.S. example of burden inversion triggered by recordkeeping failure.

Justice Murphy's opinion establishes a two-step framework. First, where the employer's records are "inaccurate or inadequate," an employee satisfies his burden "if he proves that he has in fact performed work for which he was improperly compensated and if he produces sufficient evidence to show the amount and extent of that work as a matter of just and reasonable inference." Second, "the burden then shifts to the employer to come forward with evidence of the precise amount of work performed or with evidence to negative the reasonableness of the inference to be drawn from the employee's evidence." If the employer fails, "the court may then award damages to the employee, even though the result be only approximate."

Anderson v. Mt. Clemens Pottery Co., 328 U.S. 680, 687–88 (1946).

The Court's policy rationale directly anticipates SDF's "premium on failure" argument:

"The solution, however, is not to penalize the employee by denying him any recovery on the ground that he is unable to prove the precise extent of uncompensated work. Such a result would place a premium on an employer's failure to keep proper records in conformity with his statutory duty; it would allow the employer to keep the benefits of an employee's labors without paying due compensation."

Id. at 687.

The architecture point is explicit: "Due regard must be given to the fact that it is the employer who has the duty under § 11(c) of the Act to keep proper records... and who is in position to know and to produce the most probative facts concerning the nature and amount of work performed." When one party controls the record architecture and fails to maintain it, treating the resulting gap as the other party's problem rewards the architectural choice.

Id. at 686–87.

Sindell v. Abbott Laboratories: Pricing Causation Gaps

Sindell addresses what happens when the structure of harm makes defendant-specific attribution impossible—not because records were destroyed, but because product fungibility and temporal distance have erased provenance.

The plaintiff developed cancer from prenatal DES exposure. Over 200 manufacturers had produced DES using an identical formula. Decades had passed. The plaintiff could not identify which manufacturer produced the specific pills her mother consumed. Under ordinary causation doctrine, all defendants would escape liability—each could point to the others.

The California Supreme Court developed market-share liability: apportion damages across producers in proportion to their market share. Justice Mosk's opinion explicitly accepts that "determining market share with mathematical exactitude may be impossible" and tolerates discrepancy. The court prefers approximate justice over complete immunity for defendants who definitely caused harm to someone but cannot be linked to this specific plaintiff.

Sindell v. Abbott Labs., 26 Cal. 3d 588, 611–13 (1980).

The doctrinal move: if the plaintiff joins manufacturers of a "substantial percentage" of the market, the burden shifts to defendants to prove they did not cause the harm. The court explicitly rejects treating attribution impossibility as a plaintiff-loss. Instead, it prices the uncertainty across parties who collectively created the risk.

Id. at 610–12.

McPeak: Non-Retention by Design

Agnieszka McPeak's work on ephemeral messaging identifies designed non-retention as a structural category distinct from event-based deletion.

In Disappearing Data and Self-Destruct Apps: Spoliation by Design?, McPeak identifies the collision between "privacy by design"—the principle that technology should minimize data retention—and the Federal Rules' assumption that potentially relevant data will be preserved. "Ephemeral" applications like Snapchat "embody privacy by design by offering ephemeral communication tools that mimic the impermanence of face-to-face conversations." But preservation duties for this "new brand of ephemeral data... have not been clearly defined."

Agnieszka McPeak, Disappearing Data, 2018 Wis. L. Rev. 17, 19–22 (2018); Agnieszka McPeak, Self-Destruct Apps: Spoliation by Design?, 51 Akron L. Rev. 739, 741–44 (2018).

McPeak's contribution is recognizing non-retention by design as an architectural choice. Traditional spoliation doctrine assumes someone destroyed a record that once existed. McPeak identifies systems that never generate durable records in the first place—a structural category, not a one-off bad act.

McPeak herself urges caution against treating self-destruct apps as "spoliation by design," arguing that "in some contexts, ephemeral messaging may be more akin to live conversation than electronic records."

Cohen: Platforms Constitute Reality

Julie Cohen's Between Truth and Power argues that law is not external to the construction of informational capitalism—it is constitutive of it. The "so-called technology sector" is "configurable"; what it becomes "depends on institutional and legal choices." Platform authority is "both practical and normative, and it has become both something taken for granted and a powerful force reshaping the law in its own image."

Julie E. Cohen, Between Truth and Power: The Legal Constructions of Informational Capitalism 3–7 (2019).

For SDF, Cohen supports the claim that the "platform record" or "system output" is not neutral evidence about events—it is a governance artifact produced under a regime of rules and incentives. "Proof" questions are therefore also design questions: what did law allow or incentivize the system to preserve or discard?

Mireille Hildebrandt's Smart Technologies and the End(s) of Law warns that data-driven systems threaten the properties of modern law that depend on interpretability and contestation. Smart technologies can "undermine, reconfigure and overrule the ends of the law in a constitutional democracy, jeopardizing law as an instrument of justice, legal certainty and the public good." Systems capable of "prediction and preemption" can shift governance from ex post adjudication toward architectural constraint—bypassing the contestability that legitimates legal judgment.

Mireille Hildebrandt, Smart Technologies and the End(s) of Law: Novel Entanglements of Law and Technology 3–11 (2015).

Hildebrandt calls for Legal Protection by Design: integrating due process norms (contestability, transparency, reason-giving) directly into system architecture.

C.1.5 Functional Analogs

The preceding lineage traces SDF's intellectual ancestry—the doctrinal parents from whom the framework inherits vocabulary and structure. But three legal constructions operate as functional analogs: they solve structurally similar problems through burden inversion when systemic opacity would otherwise produce injustice. They are cousins, not parents—parallel developments that illuminate why the SDF construction is neither novel nor radical.

Ybarra v. Spangard: The Unconscious Patient (T-Arm Analog)

In 1944, a patient underwent an appendectomy and awoke with a paralyzed shoulder. He could not identify which member of the surgical team had injured him. The doctors remained silent or pointed fingers at each other. Under ordinary burden rules, the plaintiff would lose—he could not prove which defendant caused his harm.

The California Supreme Court refused this result. Because the patient was "unconscious and under anesthesia" during the procedure, he was structurally incapable of observing what occurred. The defendants had exclusive control over the instrumentalities of harm during the period of the plaintiff's blindness. The court applied res ipsa loquitur collectively: the burden shifted to the entire surgical team to exonerate themselves.

The structural parallel to T-Arm cases is precise. The user of a quantized model is epistemically anesthetized. The fixed interface renders the user blind to backend configuration during the period of reliance. The supply chain—base model provider, fine-tuner, wrapper, cloud infrastructure—operates like the surgical team: each can point to the others, and all benefit from the user's inability to observe. Ybarra's remedy is Priced Opacity avant la lettre: "We do not require the plaintiff to identify which defendant turned the dial. You all bear the burden unless you produce the records that would permit differentiation."

The T-Arm Observability Gap is digital Ybarra. The user is the unconscious patient on the table.

Basic v. Levinson: Fraud on the Market (P-Arm Analog)

Securities fraud under Rule 10b-5 faces a structural proof problem. When a company makes material misrepresentations that inflate its stock price, thousands of shareholders suffer harm. But requiring each shareholder to prove individual reliance—that they personally read the lie and acted on it—would make class certification impossible. The fraud would go unremedied.

The Supreme Court's solution was the fraud-on-the-market presumption. In an efficient market, the price reflects all public information. If the company lied, the market price is wrong. Anyone who purchased at the distorted price is presumed to have relied on the integrity of the pricing mechanism itself. Individual proof of reliance is replaced by systemic proof of distortion.

The structural parallel to P-Arm cases—and to Nominal Equivalence generally—is direct. The label "4K" or "GPT-4" or "merit-based selection" sets a market expectation. Users rely not on inspecting the underlying configuration but on the integrity of the label as a pricing signal. When the label masks material variation, the reliance is defrauded at the systemic level. Requiring each user to prove they individually inspected and relied on specific capabilities recreates the Dukes trap: the very architecture that caused the harm defeats the proof of harm.

SDF's P-Arm claim is, in structure, a fraud-on-the-compute-market theory. The vendor sells sub-prime compute (INT4) at prime prices (FP16 capability claims). The user relies on the label's integrity. Nominal Equivalence is the efficient market hypothesis applied to capability representations—and when the label lies, the "price" of reliance is rigged.

Ayres & Gertner: Penalty Default Rules (The Design Theory Bridge)

Ian Ayres and Robert Gertner's theory of information-forcing default rules provides the high-theory frame that unifies T-Arm and P-Arm remedies.

The conventional view holds that courts should set default rules to match what parties would have bargained for. Ayres and Gertner argue this is often wrong. Where one party possesses private information that affects efficient allocation, courts should set the default rule against that party—not to punish, but to force revelation. The classic example is Hadley v. Baxendale: the carrier is not liable for consequential damages unless the shipper reveals the special circumstances. This "penalty default" forces the informed party to speak.

SDF inverts the Hadley structure. The architect possesses private information about configuration, fidelity, and diagnostic capacity. The user cannot observe it. The efficient rule is not to assume adequate fidelity (rewarding concealment) but to assume inadequate fidelity unless the architect reveals—Diagnostic Sufficiency as the price of deference.

Priced Opacity is a penalty default rule. The framework sets the default at high liability (the gap is probative against the architect) precisely to force the cheapest cost revealer (the party who controls the parameter) to disclose. If the architect builds observability, the penalty lifts. If the architect retains opacity, the default binds.

This reframes SDF from tort theory (punishing wrongful harm) to mechanism design (structuring incentives for efficient information production). The framework does not ask whether the architect acted wrongfully. It asks who can reveal the configuration at lowest cost—and sets the default rule to force that revelation.

The Unified Construction

The three analogs converge on a single structural insight: when architecture forecloses observation, burden rules must account for the foreclosure or they become instruments of injustice.

Ybarra addresses foreclosed observation through physical incapacity (anesthesia). Basic addresses foreclosed observation through market structure (no individual can inspect price formation). Ayres and Gertner address foreclosed observation through information asymmetry (one party knows, the other cannot discover). SDF addresses foreclosed observation through system design (the interface masks the parameter).

The legal response in each case is the same: shift the burden to the party whose control created the opacity. This is not doctrinal innovation. It is the convergent solution that legal systems reach whenever the alternative is rewarding architectural concealment.

C.2. Where SDF DIffers

Each ancestor provides essential vocabulary and grounding. SDF positions itself differently probafrom each of with each in the ceach also fails under the conditions SDF addresses. This subsection is not conventional "related work"; it is a positioning device that shows where legacy doctrine breaks and why a hard fork is necessary.

Where SDF differs. While SDF relies on the evidentiary burden-shifting mechanics established by Porat and Stein, it diverges in its diagnosis of defect origin. Porat and Stein address episodic negligence, or episodic failures by specific actors. SDF addresses architectural qualities that that are architectural or designed-in harms that function as a feature, not a failure.

SDF adopts binary burden inversion rather than probabilistic allocation as a deliberate design choice. Porat and Stein's graded approach is mathematically coherent, but graded liability can be institutionalized. A vendor who faces 40% expected damages on opacity-dependent claims can budget for it, price it into the service, and continue operating non-auditable systems at scale. The opacity becomes a cost center, not a design constraint.

SDF rejects this absorption. The vendor either builds diagnostic architecture and escapes the adverse inference entirely, or doesn't and bears the full evidentiary weight. We intentionally attempt to remain rigid as a means to define its logical clear boundary If a graded liability system is extended There is no middle position to optimize around. The framework is designed to change architecture, not to tax it.

Their probabilistic remedy—"split the baby" based on likelihood ratios—works for isolated torts. It fails for industrial systems where opacity is a calculated feature. Probabilistic pricing institutionalizes opacity as a tolerable cost. Vendors can run non-auditable systems at scale, paying occasional probabilistic damages while preserving the structural advantage.

The SDF Move. SDF employs Priced Opacity: a binary burden shift, not a probabilistic allocation. If you controlled the parameter and chose non-observability, you bear the full evidentiary gap.

The Friction. Porat and Stein skip Phase 2. They do not test whether opacity was architectural; they assume negligence and proceed to remedy. SDF inserts the Observability Gap analysis: the question is not "did someone lose the file?" but "was the system designed so the file would never exist?"

Mt. Clemens Pottery: Right Instinct, Wrong Unit

What It Got Right. Mt. Clemens Pottery is Priced Opacity in judicial form: record duty + failure → plaintiff gets inference-friendly standard → defendant must rebut with records it controlled. The "premium on failure" language exactly matches SDF's argument against treating evidentiary gaps as neutral.

Where SDF differs. The case addresses episodic recordkeeping failure—a specific employer's inadequate timekeeping. SDF addresses architectural non-generation: systems designed so the record never exists. The FLSA framework assumes a duty to keep records that the employer violated. SDF addresses systems where no such duty has been articulated, and where the vendor's architecture ensures non-existence by default.

The SDF Move. Generalize the template beyond FLSA: any P-Arm system where the party asserting compliance controls the architecture that would generate diagnostic evidence triggers the same burden structure.

Sindell: Attribution Without Provenance

What It Got Right. Sindell shows courts pricing uncertainty rather than treating attribution impossibility as a plaintiff-loss. When provenance is erased and defendant-specific causation cannot be proven, responsibility may be allocated proportionally.

Where SDF Differs. Sindell addresses fungible physical products with a known, finite set of manufacturers. AI systems present fragmented supply chains (base model, fine-tune, wrapper, infrastructure) with unclear boundaries and silent updates. Market-share math assumes stable shares; configuration provenance involves dynamic, unobservable variation.

The SDF Move. Sindell provides a doctrinal hook for T-Arm situations where Reference Baseline knowledge is supply-chain controlled and provenance is missing. SDF extends the logic: when configuration knowledge is fragmented and no single actor can be definitively identified, courts may allocate responsibility rather than granting immunity to all.

McPeak: The Balancing Collapse

Where SDF Differs. McPeak's reasonableness balancing becomes non-falsifiable when the system is structurally non-auditable. Any vendor can invoke "privacy" as a defense.

McPeak assumes destruction of existing records. SDF addresses non-constitution: systems designed so the record never exists. The question is not "was deletion reasonable?" but "who chose Retention = 0, and why?"

The SDF Move. SDF reclassifies auto-delete as Temporal Opacity and treats "privacy" labels as potential Nominal Equivalence—masks that hide liability shields.

The Fidelity Consent Rule: user agreement to ephemerality is void unless the user had (a) actual control over the retention parameter and (b) understood the evidentiary cost. Vendors cannot hard-code Retention = 0 and claim user consent defeated the claim.

The Inversion. SDF does not dispute McPeak's caution for genuine privacy contexts. But when vendors sell Zero Data Retention as a privacy feature while using it as a liability shield, the defense collapses into "the evidentiary suicide pact." SDF rejects Model Rule 1.6 "privacy" as automatic safe harbor when Retention = 0 was chosen to externalize liability costs, not protect users.

Cohen: The Remedial Gap

Where SDF Differs. Cohen's contribution is descriptive. She diagnoses how constitutive power works. She does not prescribe what a judge should do about it.

SDF accepts Cohen's premise—platforms define truth—but rejects cooperative governance as the remedy. More participation does not restore auditability; it muddies attribution and creates new discretion-driven opacity. The Discretionary Zone expands.

The SDF Move. Operationalize the insight through the P-Arm: since platforms constitute reality, they must build verification capacity. The Four Elements test provides the litigation mechanic Cohen's theory lacks. SDF is the "Sword" to Cohen's "Pen."

Hildebrandt: Aspiration Without Enforcement

Where SDF Differs. Hildebrandt's call is aspirational. She tells designers what to build. She does not tell litigators how to hold designers accountable when they refuse.

The "black box" problem is treated as a technical limitation. Hildebrandt worries about it; she does not price it.

The SDF Move. Treat Legal Protection by Design as a Safe Harbor requirement. The Diagnostic Sufficiency Defeater allows defendants to escape P-Arm liability only if they prove they built the protection Hildebrandt called for.

The "black box" excuse is rejected. If the system cannot explain itself, it lacks Diagnostic Architecture. That is a design choice, now priced. Hildebrandt tells designers what to do; SDF tells litigators how to punish those who didn't listen.

C.3. The Comparative Posture — Summary Table

FeatureAncestor PostureSDF Posture
The WrongNegligence (Porat/Stein) or Spoliation (McPeak)Unilateral Architectural Allocation
Parameter Setting baselineA specific act of destruction or carelessnessA Fidelity Parameter (vertical) or Retention Setting (horizontal)
The Label"Privacy" is a valid interest (McPeak)"Privacy" is potential Nominal Equivalence (a mask)
The RemedyBalancing tests / Probabilistic damagesBurden Inversion (Priced Opacity)
The LogicCorrective Justice (fix the specific harm)Product Liability (fix the architecture)
The EnforcementAspiration (Hildebrandt) / Description (Cohen)Safe Harbor + Strict Liability default
The UnitEpisodic failure (Mt. Clemens) / Fungible product (Sindell)Architectural condition at industrial scale

D. The Hard-Stance Position

SDF takes a deliberately hard stance on remedies. This section explains why.

Why "Soft" Solutions Fail

Soft solutions—reasonableness balancing, cooperative governance, probabilistic pricing, re-humanizing the gap—share a common defect: they manage opacity rather than eliminate it.

Re-Humanizing the Gap. One common response to algorithmic opacity is to add humans back into the decision chain: human review, appeals processes, oversight committees. SDF rejects this approach because it expands the Discretionary Zone. The system becomes opaque again, just in a different register—procedural, narrative, or organizational opacity rather than technical opacity. The human reviewer lacks the information to verify the algorithm's output; she can only perform verification theater.

Probabilistic Pricing. Porat and Stein's approach lets courts "split the baby" based on likelihood estimates. SDF rejects this because it institutionalizes opacity as a tolerable cost. Vendors can run non-auditable systems at scale, paying occasional probabilistic damages as a cost of doing business. The structural defect remains; it is merely taxed.

Cooperative Governance. Cohen-style participation models add stakeholders, deliberation, and process. SDF accepts the descriptive insight but rejects the remedial posture. More governance does not restore auditability; it creates new arenas for discretion and new forms of attribution-muddying. The Discretionary Zone grows.

Reasonableness Balancing. McPeak-style balancing asks whether the design choice was reasonable given competing interests (privacy vs. preservation). SDF is skeptical because balancing becomes non-falsifiable when the system is structurally non-auditable. Any vendor can articulate a "reasonable" justification; the label provides cover regardless of actual motive.

Why "Hard" Solutions Work

Hard solutions force a choice: build verifiable architecture or bear the consequences of the gap.

The ADA Precedent. The Americans with Disabilities Act stopped litigating motives, relationships, and individual accommodations. It mandated design constraints: ramps, accessible bathrooms, captioning. Years later, these constraints are normalized. The world caught up.

The Design-or-Consequence Rule. SDF does not require every system to be fully transparent. It requires a choice:

  • Option A (Design): Build Diagnostic Architecture—configuration logs, audit trails, real-time fidelity indicators. If you do, you earn the Safe Harbor; the Diagnostic Sufficiency Defeater applies.
  • Option B (Consequence): Keep the non-auditable architecture. If you do, you bear the evidentiary gap in any dispute. Priced Opacity applies.

This is not a ban on opacity. It is a pricing mechanism. Vendors may choose opacity if they are willing to internalize its costs.

Recursive Structural Defects

In preparing this empirical study, I encountered what appeared to be exactly the kind of independent verification infrastructure that a well-functioning market for AI services would produce. A benchmarking platform—sleek, professionally designed, with the visual grammar of authoritative assessment: clean data tables, methodology white papers, comparative performance charts across dozens of AI models. The presentation borrowed every signifier of rigorous consumer protection: side-by-side accuracy comparisons, task-specific breakdowns, even latency measurements. It looked, in short, like what independent evaluation is supposed to look like.

The deeper I examined the methodology, the more the architecture revealed itself.

Participation was vendor-permissioned. The platform evaluated only those tools whose developers opted in. Vendors who performed poorly in initial rounds quietly withdrew from subsequent studies—and their absence left no visible trace on the polished interface. A consumer viewing the published results would see only the survivors of a selection process that the platform's design rendered invisible. The benchmark did not mark which vendors had declined to participate, which tasks had been selectively avoided, or which configurations had been strategically withheld. The gaps were not disclosed because the architecture was not built to disclose them.

The evaluation methodology itself operated under constraints that the professional presentation obscured. All assessments were conducted via zero-shot API prompts—the simplest possible interaction mode. The specialized workflows, multi-turn prompting capabilities, and integrated document management features that vendors actively market were excluded from testing. The platform's authors acknowledged, buried in methodology notes, that "the true sourcing capability of the AI products may not have been tested in full." Yet this caveat appeared nowhere on the comparative charts that users would actually consult.

Most telling: the platform could not—and did not attempt to—verify the architectural parameters that would explain performance variance. Whether a vendor deployed a full-precision model or an aggressively quantized cost-optimized variant remained undisclosed. Whether accuracy differences reflected genuine capability or merely differential investment in the benchmark itself was unknowable. The evaluation measured outputs while the inputs—the fidelity parameters that determined those outputs—remained in the Discretionary Zone.

Level 1: The AI Tool (Primary Defect)

  • Vendor deploys model under opaque conditions: undisclosed versioning, silent updates, unverified training data provenance, architectural parameters hidden behind API
  • Creates Observability Gap (tripartite condition satisfied)
  • User interacts with Fixed Interface ("GPT-4," "Legal AI Assistant") while backend configuration shifts without notice
  • User cannot verify what system actually processed their query

Level 2: The Market Response (Predicted Correction)

  • Information asymmetry recognized → market demands third-party verification
  • Benchmarking platform emerges to audit AI tools and signal quality
  • Should reveal which tools are reliable vs. degraded
  • Should provide the transparency that vendor opacity denies
  • Law-and-economics theory predicts: efficient third-party auditor arbitrages information gap

Level 3: The Benchmark Creates Its Own Gap (Independent Emergence)

The benchmarking platform—through its own architectural choices, facing its own constraints—independently creates a secondary Observability Gap:

  • Fixed Interface: Professional website, clean data tables, methodology white papers—the visual grammar of rigor and professional presentation
  • Nominal Equivalence: Labels such as "Independent Benchmark" or "Industry Report" applied to what is architecturally a vendor-permissioned selection process; the apparent precision of comparative metrics (78%-81% accuracy spreads) presents as meaningful differentiation while masking structural unknowns
  • Two-Axis Opacity: Cannot penetrate vendor architecture (vertical); cannot reconstruct what configurations were active during testing (horizontal)

Level 4: Epistemic Foreclosure (The Trap Springs)

  • Potential genuine auditor surveys the market
  • Encounters existing benchmark: professional, cited, apparently authoritative
  • Rational response: defer, calibrate to existing baseline, or exit as redundant
  • The contaminated benchmark preempts the emergence of real verification by occupying the ecological niche
  • The cure that could have existed never actualizes—not because it was impossible, but because its counterfeit arrived first

Level 5: Authority Cascade (Harm Propagation)

  • Downstream deployer reads benchmark results (e.g., "81% accuracy—top performer")
  • Deployer treats benchmark as independent verification—the "efficient third-party audit" that market theory promised
  • Deployer forgoes supplementary testing (economically rational given apparent expert validation)
  • Deployer integrates tool into high-stakes workflow
  • Tool fails in ways the benchmark methodology could not detect
  • Harm occurs: the supposed market correction did not reduce risk—it manufactured false confidence that displaced the caution that would otherwise have prompted verification

What I had encountered was not the structural correction for the Observability Gap. And the gap created here compounds the opacity characterizing the AI industry.The Fixed Interface, the deceptive labels, the opacity on behind the scenes interests, lacking clarity and transparency around methodology, actual study execution, and vendor data verification and validation produce devastating information asymmetry.

N the Instituaion

A short list of core terminology is defined here to facilitate understanding. An extensive list of terms is included at the end of this Article.

Unilateral Architectural Allocation. The condition in which one party designs a system that predictably blocks verification of legally relevant information at the moment of reliance, then benefits from the resulting evidentiary gap.

Observability Gap. The stable condition produced when Nominal Equivalence masks Two-Axis Opacity behind a Fixed Interface, rendering the system's actual configuration unverifiable at the moment of reliance.

Nominal Equivalence. The condition in which materially different configurations share identical labels, preventing relying parties from distinguishing high-fidelity from low-fidelity instantiations.

Two-Axis Opacity. The dual structure of verification failure: Structural (vertical) opacity fragmenting control across supply chains and wrappers; Temporal (horizontal) opacity erasing provenance through updates, amnesia, and non-retention.

Fixed Interface. A stable endpoint or workflow that users treat as "the system," masking backend variation.

Diagnostic Sufficiency. The condition in which a system includes adequate verification architecture (structured criteria, audit trails, configuration logs) to permit after-the-fact reconstruction of the configuration active at the moment of reliance.

Signature Failure. A repeatable, predictable pattern of harm traceable to the architectural choice (e.g., Fluency-Reasoning Divergence in quantized models, distributional bias in unstructured evaluation systems). Distinguished from incidental error.

Non-Constitution. The P-Arm condition in which the record never existed because the architecture was designed without diagnostic capacity. Distinguished from destruction (spoliation), where a record once existed and was later eliminated.

Discretionary Zone. The unstructured space within which decision-makers operate without externally verifiable criteria, producing outcomes that cannot be audited against objective baselines.

Fidelity Consent Rule. The rule that user agreement to reduced fidelity (e.g., ephemerality, data minimization) is void unless the user had (a) actual control over the relevant parameter and (b) understood the evidentiary cost of the setting.

F. What SDF Does—And Does Not—Claim

SDF is a diagnostic framework, not a general theory of platform accountability or AI ethics. This section clarifies its scope.

What SDF Claims

  1. A new unit of analysis. The relevant wrong is not episodic negligence but architectural condition—a design choice that predictably blocks verification at scale.
  2. A sequential diagnostic. The 3-Phase Boundary Mechanism provides a repeatable test: Threshold Premise → Observability Gap → Four Elements. Cases that fail any phase exit the framework.
  3. A burden-allocation rule. Priced Opacity shifts evidentiary consequences to the party who controlled the fidelity parameter and chose non-observability.
  4. A safe harbor. Diagnostic Sufficiency provides an escape: build verifiable architecture and earn deference.
  5. Doctrinal mismatch as actionable harm. When legal doctrine presupposes information the architecture structurally withholds, the mismatch is itself a cognizable defect.

What SDF Does Not Claim

  1. Universal applicability. SDF applies only where fidelity is controllable (Phase 1), observability is structurally blocked (Phase 2), and legally cognizable harm results (Phase 3). Many opacity complaints will not clear these gates.
  2. Moral condemnation of opacity. Opacity may be chosen for legitimate reasons (privacy, security, trade secrets). SDF does not condemn the choice; it prices it. Vendors may keep opacity if they accept the evidentiary allocation.
  3. Replacement of all existing doctrine. SDF supplements, rather than supplants, existing frameworks. Ordinary negligence, contract, and products liability continue to apply where their elements are met. SDF addresses a specific gap: architecture-driven verification impossibility that existing doctrine does not adequately capture.
  4. Technical prescription. SDF does not mandate specific architectures, technologies, or retention periods. It requires Diagnostic Sufficiency—however achieved. Vendors choose their implementation; SDF tests outcomes.

G. The Comparative Posture — Summary Table

FeatureAncestor PostureSDF Posture
The WrongNegligence (Porat/Stein) or Spoliation (McPeak)Unilateral Architectural Allocation
Parameter Setting baselineA specific act of destruction or carelessnessA Fidelity Parameter (vertical) or Retention Setting (horizontal)
The Label"Privacy" is a valid interest (McPeak)"Privacy" is potential Nominal Equivalence (a mask)
The RemedyBalancing tests / Probabilistic damagesBurden Inversion (Priced Opacity)
The LogicCorrective Justice (fix the specific harm)Product Liability (fix the architecture)
The EnforcementAspiration (Hildebrandt) / Description (Cohen)Safe Harbor + Strict Liability default

A. One Framework, Two Substrates

SDF is a coordinate system for the legal Observability Gap. The framework identifies systems where verification fails at the moment of use—but verification can fail in two structurally distinct ways, depending on what the system is processing.

Both arms share the same threshold: the Observability Gap is satisfied when three conditions converge—fixed interface, nominal equivalence, and opacity. Both arms share the same diagnostic: the Four Elements test whether the resulting invisibility produces legally cognizable harm. Both arms share the same remedial logic: Priced Opacity allocates evidentiary burdens to those who control the architecture.

What differs is the substrate—what is being attenuated and what baseline governs proof.

Pipeline opacity and record non-diagnosticity are the same abstract problem expressed on different substrates—and both are two-axis phenomena (vertical control-chain + horizontal provenance).

B. T-Arm: The Transmitted Artifact

The T-Arm concerns bounded artifacts transmitted from upstream to downstream. A fidelity parameter is controlled and degraded, but nominal equivalence is maintained. The paradigm case is AI quantization: a model trained at high precision is compressed to lower precision to reduce computational costs5, then deployed under the same name, through the same API, with the same marketing posture.

The defining feature of T-Arm defects is that a master artifact exists somewhere. There is an upstream baseline—the original weights, the uncompressed stream, the specification-grade component—against which degradation can be measured. The defect occurs when a designer turns a parameter to lower fidelity while maintaining nominal equivalence at the interface.

A common failure mode is fluency-reasoning divergence: surface fluency persists while multi-step reasoning collapses.6 The output sounds confident and coherent; the internal informational capacity has shrunk.7

The paradigm cases: A model trained at high precision is quantized to lower precision, then deployed under the same name through the same API. A video encoded at studio quality is compressed through adaptive bitrate, then labeled "4K." An airbag inflator is specified at one safety margin, manufactured at a cheaper margin, then sold under the same part number.

The defining feature: A reference baseline exists somewhere. There is an upstream artifact—the original weights, the uncompressed stream, the specification-grade component—against which degradation can be measured. The defect occurs when a designer turns a fidelity parameter down while maintaining nominal equivalence at the interface.

The legal question is delta: How much fidelity was lost relative to the reference baseline, and was that loss disclosed? If the plaintiff can surface the baseline, the gap becomes measurable. The evidentiary problem is access, not ontology.

The signature failure: Fluency-reasoning divergence, pixelation, rupture under stress—artifacts that reveal the gap between what was promised and what was delivered, visible only to those who know what full fidelity would look like.

C. P-Arm: The Constituted Signal

The P-Arm concerns decision signals that do not pre-exist as transmissible artifacts. The "signal" is produced by an institutional proxy and record architecture—forms, metrics, heuristics, documentation routines. The defect is that the architecture permits low-fidelity proxies to dominate while the system continues to present itself as functionally equivalent to meaningful compliance.

The paradigm cases: An employer claims to select on "merit" but maintains an evaluation architecture—unstructured interviews, undocumented criteria, unreviewable "fit"—that cannot verify whether the claimed standard was actually applied. A prosecutor claims to have "conferred" with a victim but the record architecture cannot distinguish a robust dialogue from a rushed voicemail. A court applies "proportionality" to discovery but the proxy regime cannot detect when platform changes have decalibrated the burden calculus.

The defining feature: No reference baseline exists. There is no master file containing the "correct" hiring decision or the "true" conferral. The baseline is the institution's own compliance claim—"we selected on merit," "conferral occurred," "proportionality was applied." The decision signal exists only because the proxy architecture constitutes it.

The legal question is verifiability: Can the architecture generate evidence sufficient to test whether compliance occurred? The plaintiff does not show "here is what you degraded"; the plaintiff shows "your system is structurally incapable of demonstrating compliance with your own claimed baseline."

The signature failure: The individual decision looks rational in isolation, yet aggregate distributions correlate with convenience proxies—fit narratives, affinity, pedigree, timing shortcuts—rather than the stated standard. The harm is not merely in outcomes; it is in the architecture's inability to verify its own compliance claim.

Requiring a P-Arm plaintiff to produce a "baseline" in the T-Arm sense is requiring production of something that does not exist. Burden allocation must account for this structural difference or it becomes immunity.

E. Triage: Which Arm?

One question sorts cases:

Is there a transmitted artifact with an upstream baseline?

If yes → T-Arm. The system transmits a bounded artifact downstream. The defect is hidden downgrade of a concrete fidelity parameter relative to a recoverable reference.

If no → P-Arm. The relevant "signal" is produced by proxies and institutional measurement. The defect is that the architecture permits low-fidelity proxies to dominate while nominal compliance language persists.

Some cases stack: a T-Arm change upstream (platform reduces friction) causes a P-Arm failure downstream (doctrine's burden proxy loses calibration). Rule 26 is the paradigm stacking case—the handoff zone where T and P meet.

A. The Data Pipeline

When an event occurs, it does not instantly become a record. It passes through transformation processes—logging, categorization, aggregation, compression—that systematically alter what survives.

Consider a customer interaction. The original event has texture: tone of voice, pauses, hesitations, context from prior calls, the agent's mood, what wasn't said. This is the Source State—reality in its full complexity.

The interaction enters the system. Voice is transcribed (lossy). Transcription is categorized into predefined fields (lossy). Fields are aggregated into metrics (lossy). Metrics are rolled up into dashboards (lossy). Each transformation discards what the schema doesn't capture. This is the Transformation Layer—the architecture that converts event into record. [add citation]

What emerges is a row in a database, a point on a graph, a score in a report. It is not the interaction. It is a residue shaped by what the pipeline preserved and discarded. This is the Presentation State—what institutions actually see and act upon.

The dashboard is not a photograph of reality. It is a filtered, compressed, transformed residue. Systems professionals study data architecture because interpretation is impossible without understanding what was lost in transformation.

Legal evidence undergoes the same journey. An event occurs—a crime, an employment decision, a contractual breach. Recording devices, witnesses, documents, and systems capture some of it. Those captures are processed: compressed, summarized, excerpted, translated into institutional categories. The processed record enters adjudication.

What emerges as "the facts" bears the same relationship to the original event as a dashboard metric bears to the underlying transactions: a degraded proxy, shaped by pipeline architecture.

B. But Data Degrades by Design, Not Accident

Here is where the analogy sharpens. Network noise is largely passive: packet loss happens, storage degrades, entropy accumulates. Data pipeline degradation is different—it is architectural. Someone chose the schema. Someone designed the intake form. Someone decided which fields would be mandatory and which optional. Someone selected the retention policy. Someone configured the system to capture outcomes but not reasons, decisions but not deliberations, checkboxes but not context.

The critical move is recognizing that pipeline degradation is not accidental. It results from choices made by people who control the architecture. And those choices—often invisible to downstream users—determine what can and cannot be proved.

The economic mechanism is mundane: systems optimize the inspectable layer. What users, regulators, and buyers can readily observe gets investment; what is under the hood gets cost-cut. Fidelity becomes a private cost variable unless architecture forces it to be a public constraint.

The pipeline exposes two distinct ways this can go wrong.

C. The Three States

The pipeline clarifies the lifecycle:

The Source State: The original event in its full complexity—the actual transaction, the hiring meeting, the customer interaction with all its context and texture.

The Transformation Layer: The pipeline architecture—schema design, aggregation rules, retention policy, compression settings, procedural constraints—that converts event into record. This is where fidelity parameters are set and proxy structures are chosen.

The Presentation State: The dashboard, report, checkbox, or record the institution treats as truth. This is what courts act upon.

The insight is simple: the Presentation State is not the Source State. The record is a structured proxy shaped by what the pipeline captured, transformed, and discarded. The question is who controlled that shaping—and whether the resulting gaps were disclosed or concealed.

The Diagnostic Protocol

The Structural Defect Framework is not a theory. It is an algorithm. This section provides the protocol.

SDF SEQUENTIAL FILTER PHASE 1: THRESHOLD │ Baseline type? → Artifact (T-Arm) or Claim (P-Arm)? │ Fidelity controllable? → Parameter exists? │ If no parameter → EXIT │ │ PHASE 2: OBSERVABILITY GAP │ Fixed Interface + Nominal Equivalence? + Two-Axis Opacity │ All threeconverge? → Discretionary Zone established │ │ │ PHASE 3: DIAGNOSTIC │ Structural Invisibility? + Foreseeable Harm? │ + Doctrinal Mismatch? + Information Asymmetry? │ All four elements? → Priced Opacity attaches │ If elements not met │

The filter is what distinguishes SDF from general platform critique. The framework is not a complaint about opacity in the abstract. It is a diagnostic that identifies when opacity becomes actionable and why burden reallocation is the appropriate response.

A. Phase 1: Fidelity <

SDF applies only if fidelity was controllable. This is the threshold premise.

The question is simple: Does a parameter exist?

If someone controlled a parameter that determined how much normatively relevant information would survive transmission or be captured by the record—and that parameter could have been set differently—Phase 1 is satisfied.

A.1. The Triage Question

One question sorts cases into arms:

Is there a transmitted artifact with an upstream baseline?

If yes → T-Arm. The system transmits a bounded artifact downstream. A reference baseline exists somewhere—the original weights, the uncompressed stream, the specification-grade component. The defect is hidden degradation of a fidelity parameter relative to that recoverable reference. The legal question is delta: how much was lost?

If no → P-Arm. The relevant "signal" is produced by institutional proxies and record architecture. No master artifact exists. The baseline is a compliance claim the system asserts—"merit-based," "conferred," "proportional." The defect is that the architecture permits low-fidelity proxies to dominate while nominal compliance language persists. The legal question is verifiability: can the architecture test its own claim?

Some cases stack. A T-Arm change upstream (platform reduces friction, vendor switches propellant) causes a P-Arm failure downstream (doctrine's burden proxy loses calibration, certification process is gamed). Rule 26 and Boeing are paradigm stacking cases—the handoff zone where T and P meet.

A.2. T-Arm: The Transmitted Artifact

The T-Arm concerns bounded artifacts transmitted from upstream to downstream. A fidelity parameter is controlled and degraded, but nominal equivalence is maintained.

The paradigm cases:

  • A model trained at FP16 precision is quantized to INT4, then deployed under the same name through the same API
  • A video encoded at studio quality is compressed through adaptive bitrate, then labeled "4K"
  • An airbag inflator is specified at one safety margin, manufactured at a cheaper margin, then sold under the same part number

The defining feature: A reference baseline exists somewhere. There is an upstream artifact against which degradation can be measured. The defect occurs when a designer turns a fidelity parameter down while maintaining nominal equivalence at the interface.

The fidelity parameter examples:

  • Quantization precision (FP16 → INT4)
  • Bitrate ladder configuration (rungs, encoding settings, selection logic)
  • Stability margin (propellant chemistry, testing regime)
  • Sensor redundancy (single vs. dual input)

The legal question is delta: How much fidelity was lost relative to the reference baseline, and was that loss disclosed? If the plaintiff can surface the baseline, the gap becomes measurable. The evidentiary problem is access, not ontology—the baseline exists but is hidden.

A.3. P-Arm: The Constituted Signal

The "signal" is produced by institutional proxy and record architecture. The defect is that the architecture permits low-fidelity proxies to dominate while the system presents itself as functionally equivalent to meaningful compliance.

The paradigm cases:

  • An employer claims to select on "merit" but maintains evaluation architecture—unstructured interviews, undocumented criteria, unreviewable "fit"—that cannot verify whether the claimed standard was actually applied
  • A prosecutor claims to have "conferred" with a victim but the record architecture cannot distinguish robust dialogue from a rushed voicemail
  • A court applies "proportionality" to discovery but the proxy regime cannot detect when platform changes have decalibrated the burden calculus

The defining feature: No reference baseline exists. There is no master file containing the "correct" hiring decision or the "true" conferral. The baseline is the institution's own compliance claim. The decision signal exists only because the proxy architecture constitutes it.

The fidelity parameter examples:

  • Diagnostic schema (structured vs. unstructured evaluation)
  • Procedural bandwidth (channel capacity for victim input)
  • Retention architecture (what the system preserves vs. discards)
  • Verification protocol (what checks exist vs. don't exist)

The legal question is verifiability: Can the architecture generate evidence sufficient to test whether compliance occurred? The plaintiff does not show "here is what you degraded"; the plaintiff shows "your system is structurally incapable of demonstrating compliance with your own claimed baseline."

A.4. The Baseline Distinction

This distinction explains why proof structures must diverge:

DimensionT-ArmP-Arm
Baseline typeReference-upstream artifact existsCompliance (claim asserted)
Baseline natureEmpirical (recoverable fact)Normative (claimed standard)
Fidelity meaningPreservation (how much retained)Capture (resolution of record)
Legal questionDelta: How much was lost?Verifiability: Can the claim be tested?
Proof targetSurface the baseline, measure the gapShow architecture cannot verify compliance
Evidentiary problemAccess (baseline exists but is hidden)Ontology (baseline never existed as artifact)

Requiring a P-Arm plaintiff to produce a "baseline" in the T-Arm sense is requiring production of something that does not exist. Burden allocation must account for this structural difference or it becomes immunity.

A.5. Phase 1 Exit

No controllable fidelity parameter → EXIT.

If there is no parameter—no design choice that could have preserved fidelity—SDF does not apply. The framework targets chosen opacity, not inherent limits.

Outside SDF:

  • Natural entropy and unavoidable physics
  • Non-controllable human cognition (ordinary memory decay)
  • Random malfunction unconnected to parameter setting
  • Genuine technical impossibility (not commercial inconvenience)

Example (Inside): A legal AI vendor offers configurable precision tiers but defaults enterprise clients to lower-cost quantized models without disclosure. Parameter exists; vendor controlled it.

Example (Outside): A witness forgets details of an event due to ordinary memory decay. Parameter does not exist; no SDF.

B. Phase 2: The Tripartite Condition (Observability Gap)

SDF attaches only if verification is structurally blocked at the moment of reliance. Three conditions must converge to establish the Observability Gap.

This is the gateway. All three prongs must hold. If any prong fails, Phase 2 fails and SDF does not apply.

B.1. Fixed Interface

The user interacts with a stable endpoint or workflow treated as "the system"—an API, an HR portal, a streaming service, a dashboard indicator, a 4K badge, a type rating certificate.

The interface presents itself as the thing being relied upon. Changes upstream do not announce themselves downstream. The tap looks the same whether the reservoir has changed.

What satisfies Fixed Interface:

  • The API endpoint that returns responses without disclosing model version
  • The subscription tier badge that displays regardless of actual delivery quality
  • The airbag indicator light that illuminates regardless of propellant chemistry
  • The conferral checkbox that looks identical regardless of underlying substance
  • The rejection letter that reads the same regardless of decision process

What defeats Fixed Interface:

  • Real-time quality indicators visible to users
  • Configuration metadata exposed in API responses
  • Labels that vary with underlying state
  • Interfaces that disclose the parameter setting

If the interface exposes its configuration, the Fixed Interface prong fails and Phase 2 exits.

B.2. Nominal Equivalence

Materially different configurations share identical labels. The label is stable; the referent is not.

What satisfies Nominal Equivalence:

  • "GPT-4" names dozens of backend variations (quantized, full-precision, different serving infrastructure)
  • "4K" labels both reference-quality streams and heavily compressed streams resolving at the same pixel count
  • "Airbag certified" describes both guanidine nitrate inflators with thirty-year stability margins and ammonium nitrate inflators degrading in humidity
  • "Merit-based selection" labels both structured assessment systems and golf-course preference systems
  • "Conferred: ☑" applies to hour-long meetings, two-minute hallway conversations, and voicemails to disconnected numbers

The label provides assurance of uniformity that is false. Two users accessing the same service tier may receive materially different products under an identical label—and the label prevents them from looking for the difference.

What defeats Nominal Equivalence:

  • Different labels for different configurations
  • Precision-tier disclosure in product naming
  • Version strings that track material changes
  • Quality grades that correspond to actual settings

If materially different versions carry different labels, the Nominal Equivalence prong fails and Phase 2 exits.

B.3. Two-Axis Opacity

Verification is blocked along both dimensions:

Structural Opacity (Vertical Axis): Parameter control is fragmented upstream. The supply chain, wrappers, and infrastructure providers each control fidelity settings invisible to the endpoint user. Multiple intermediaries can transform, optimize, or substitute configurations without downstream visibility. No single actor in the pipeline possesses full information about the precise specification the end user actually receives. The end user possesses none.

Temporal Opacity (Horizontal Axis): Provenance is erased over time. Silent updates change configurations without notice. Session amnesia prevents reconstruction of what was active during a specific interaction. Non-retention policies ensure that the configuration active at the moment of reliance cannot be recovered later. The moment passes; the evidence vanishes.

What satisfies Two-Axis Opacity:

  • Supply chain fragmentation (base model → fine-tune → wrapper → infrastructure)
  • Silent version updates with no changelog
  • Session logs that auto-purge after 30 days
  • Inference traces that dissolve in milliseconds
  • Interview notes that are never retained
  • Conferral timing undocumented relative to decision points

What defeats Two-Axis Opacity:

  • Configuration logs retained and accessible
  • Provenance tracking through the supply chain
  • Session-level delivery telemetry exposed to users
  • Audit trails that permit after-the-fact reconstruction
  • Structured records capturing timing and substance

If provenance is preserved and auditable, the Two-Axis Opacity prong fails and Phase 2 exits.

B.4. Convergence: The Discretionary Zone

When all three conditions converge—Fixed Interface masking Nominal Equivalence behind Two-Axis Opacity—the Discretionary Zone is established.

The Observability Gap and the Discretionary Zone describe the same architecture from opposite directions:

  • The Gap names what is missing at the moment of reliance: visibility, auditability, verifiable provenance
  • The Zone names what that absence enables: ongoing, effectively unconstrained control over a fidelity parameter whose downstream effects remain real even when they are not provable from the outside

The Zone is where defects hide. It is the unstructured space within which fidelity parameters are adjusted, decisions are made, and configurations are set—without externally verifiable constraint. The architecture that creates the Gap simultaneously creates the Zone.

The Zone in T-Arm cases: The platform adjusts bitrate, the vendor switches propellant, the lab quantizes the model—all invisible to downstream users who see only the stable interface and the unchanged label.

The Zone in P-Arm cases: The hiring manager exercises "discretion," the prosecutor makes a "judgment call," the court applies "proportionality"—all producing outcomes that cannot be audited against objective baselines because the record architecture was never designed to capture the inputs.

B.5. Phase 2 Exit

Any prong fails → EXIT.

  • If the interface discloses its configuration → Fixed Interface fails → EXIT
  • If materially different versions carry different labels → Nominal Equivalence fails → EXIT
  • If provenance is preserved and auditable → Two-Axis Opacity fails → EXIT

The Observability Gap is conjunctive. Partial opacity is not sufficient. The framework targets systems where verification is structurally foreclosed, not merely difficult.

C. Phase 3: The Four Elements Test

SDF diagnoses legal harm only if the Observability Gap produces foreseeable, legally cognizable effects. Four elements must be established.

C.1. Structural Invisibility

The gap blocks verification of normatively relevant information—information that legal doctrine treats as material to the claim or defense at issue.

This is not general opacity. The invisibility must matter to the legal question. The hidden parameter must be one that would affect the outcome of a legal dispute if it were known.

Examples:

  • The precision tier affects whether the AI output was negligently produced
  • The propellant chemistry affects whether the inflator was defectively designed
  • The conferral timing affects whether the constitutional right was honored
  • The evaluation criteria affect whether the selection was discriminatory

C.2. Foreseeable Harm

The architecture produces predictable signature failures: repeatable patterns of harm traceable to the design choice, not random malfunction or idiosyncratic error.

T-Arm signature failures:

  • Fluency-Reasoning Divergence: surface fluency persists while multi-step reasoning collapses
  • Compression artifacts: banding, smearing, macro-blocking clustering around scenes that stress the encoder
  • Rupture patterns: failures clustering by geography, age, and environmental exposure

P-Arm signature failures:

  • Distributional clustering: outcomes correlating with demographic proxies rather than stated criteria
  • Timing inversion: conferral occurring after decisions are functionally final
  • Binary output compression: high-dimensional inputs collapsing into low-resolution checkboxes

The signature is configuration-linked. Change the parameter, change the pattern. The failures are not noise; they are artifacts of the architectural choice.

C.3. Doctrinal Mismatch

Legal baselines are miscalibrated to the architecture. The doctrine presupposes information the architecture structurally withholds.

Examples:

  • Title VII demands individualized proof from systems that generate only aggregate signals—and Dukes forecloses aggregation
  • Contract law assumes disclosed terms when the configuration was never visible
  • Discovery proportionality assumes stable burden proxies when platform architecture has shifted the calculus
  • Certification assumes manufacturer disclosure when the manufacturer designed for concealment
  • Victims' rights doctrine treats "conferral" as binary when the architecture cannot distinguish substance from checkbox

The mismatch is the doctrinal collision. Current law asks questions the architecture cannot answer—or punishes plaintiffs for failing to produce evidence the defendant's architecture was designed not to generate.

C.4. Information Asymmetry

The controller bears superior knowledge of the fidelity setting and its consequences.

The vendor knows:

  • The model version, the precision tier, the retention policy
  • The encoding ladder, the selection algorithm, the cost optimization
  • The propellant chemistry, the accelerated aging data, the field failure mapping
  • The evaluation criteria (or their absence), the comparator pool, the decision timeline

The relying party knows:

  • The interface
  • The label
  • Nothing else

This asymmetry is not incidental. It is the product of the same architectural choices that created the Observability Gap. The party who set the parameter knows what it was set to. The party who relies on the output does not.

C.5. Phase 3 Exit

Elements not met → EXIT.

  • If the hidden information is not legally material → Structural Invisibility fails → EXIT
  • If the harm is random or idiosyncratic rather than configuration-linked → Foreseeable Harm fails → EXIT
  • If doctrine is calibrated to the architecture → Doctrinal Mismatch fails → EXIT
  • If the relying party had equivalent access to fidelity information → Information Asymmetry fails → EXIT

Incidental errors, disclosed tradeoffs, and symmetrically informed parties fall outside the framework.

D. Arm-Specific Proof Packages

Cases that pass all three phases require different proof structures depending on the arm.

D.1. T-Arm Proof Chain

A transmissive defect claim requires showing five linked propositions:

  1. Upstream baseline exists. A higher-fidelity version of the artifact establishes what full fidelity looks like.
  2. Fidelity parameter exists and is controlled. A design parameter determines how much precision survives transmission. Someone chose the setting.
  3. Parameter was turned down. The lower-fidelity setting was a deliberate design choice, not an accident.
  4. Nominal equivalence maintained. The degraded version shipped under the same name, label, API, or interface as the baseline.
  5. Repeatable signature failures emerged. Predictable degradation patterns in identifiable task categories—not random or idiosyncratic errors.

T-Arm Evidentiary Package:

TargetWhy Critical
Commit history / change logsDocuments when parameter changed
Configuration flags / feature togglesShows what settings were active
Supplier change orders / BOM substitutionsTraces supply chain decisions
Encoding ladders / A/B test configsReveals quality-cost tradeoffs
Internal benchmarks (baseline vs. deployed)Proves delta was known
QA testing at various fidelity levelsShows failure modes were foreseeable
Documentation of known failure modesEstablishes knowledge of risk

D.2. P-Arm Proof Chain

A proxy defect claim requires showing five linked propositions:

  1. No master baseline exists. The "correct" decision is not sitting in a file somewhere.
  2. Institution asserts compliance baseline. A claimed standard exists—"merit-based," "conferred," "proportional"—against which architecture should be evaluated.
  3. Record architecture is non-diagnostic. Missing mandatory fields, reasons, intermediate states, or comparators necessary to verify compliance.
  4. Discretionary zone exists. Low-structure decision-making where convenience proxies dominate.
  5. Predictable outcome patterns emerge. Distributions correlate with proxy architecture rather than the stated baseline, visible through aggregation.

P-Arm Evidentiary Package:

TargetWhy Critical
Intermediate-state logs / discarded dataShows what was not retained
Scoring rubrics / version historyReveals whether structured criteria existed
Reason-giving requirements (or absence)Tests whether architecture demanded explanations
Inter-rater reliability dataShows whether consistent standards applied
Retention policies / audit trail architectureDocuments what system was designed to preserve
Comparator availabilityTests whether "similarly situated" can be reconstructed
Training materials on decision criteriaShows what decision-makers were told

D.3. Stacked Cases

Where T-Arm and P-Arm defects co-exist, both proof chains apply. The T-Arm package targets the upstream artifact layer; the P-Arm package targets the institutional decision layer. Neither substitutes for the other.

T→P Stacking: A technical design choice propagates downstream and defeats a procedural safeguard.

  • Rule 26: Zero-retention architecture (T) creates "no responsive documents" claim that triggers proportionality protection (P)
  • Boeing: Single-sensor MCAS (T) designed to avoid triggering differences-training requirement (P)

P→T Stacking: A procedural failure creates an artifact that propagates forward.

  • Frozen Precedent: Court adopts AI-induced error (P) → error enters training corpus (T) → next model learns error as ground truth

In stacked cases, burdens apply at both layers. Failure at either layer can establish the claim.

E. Not Applicable

The following are a few examples when SDF would not be applicable. Two conditions defeat the claim even when all three phases are satisfied.

User acceptance of reduced fidelity defeats a Structural Defect claim only if two conditions are met:

Condition 1: 2-Axis Clarity. 2-Axis does not exist or is minmial so that the User can be meaningfully informed of the evidentiary tradeoffs—not just the "privacy" label, but the actual consequences for verification and proof.

Condition 2: User Agency. The user possessed a functional fidelity parameter—actual control over retention, precision, or resolution settings based on their needs.

Condition 3: Random or Uncontrollable . The user possessed a functional fidelity parameter—actual control over retention, precision, or resolution settings based on their needs.

Absent both conditions, the data loss is Unilateral Architectural Allocation by the vendor, not waiver by the user.

The Fidelity Consent Rule attacks Nominal Equivalence directly. If the label says "Privacy" but the function is "Evidence Destruction," the user was not meaningfully informed. The "agreement" is void because of the bait-and-switch. The user agreed to the label, not the reality.

What satisfies the Rule (defeats the claim):

  • User explicitly selected a retention setting from meaningful options
  • User was informed that reduced retention would limit ability to reconstruct interactions
  • User had comparable high-fidelity option available at comparable cost
  • User's choice was affirmative, not buried in terms of service

What fails the Rule (claim proceeds):

  • Hard-coded Retention = 0 with no user control
  • "Privacy" framing that obscures evidentiary consequences
  • Opt-out rather than opt-in for reduced fidelity
  • Meaningful choice available only to enterprise clients at premium price
  • Terms of service acceptance without specific fidelity disclosure

Vendors cannot hard-code non-retention and claim user consent defeated the claim. The evidentiary suicide pact—where vendor invokes user "privacy" while using zero-retention as a liability shield—is not informed consent.

E.2. Diagnostic Sufficiency (Safe Harbor)

The system includes adequate verification architecture to permit after-the-fact reconstruction of the configuration active at the moment of reliance.

For T-Arm claims, Diagnostic Sufficiency requires:

  • Configuration logs showing what fidelity setting was active
  • Version tracking permitting baseline comparison
  • Session-level telemetry accessible to relying parties
  • Real-time fidelity indicators visible at the interface

For P-Arm claims, Diagnostic Sufficiency requires:

  • Mandatory reason-giving for decisions
  • Structured criteria applied consistently
  • Retention of intermediate states and comparators
  • Audit trails sufficient for ex post reconstruction

The test: Can the architecture answer the question "did this system do what it claimed?"

If yes—and the answer is favorable to the defendant—the Diagnostic Sufficiency Defeater applies. The claim exits.

If no—if the architecture cannot answer the question because it was never designed to generate the answer—the claim proceeds. The non-diagnosticity is the defect.

The Safe Harbor Logic:

Defendants who deploy verifiable high-fidelity, diagnostic architectures may qualify for safe harbor. SDF does not take a position on the types of companies or organizations who must be have verifiable architecture that must be in or out. That It is beyond this framework’s primary scope to regulatiang The framework does not require every system to be fully transparent. It requires a choice:

  • Option A (Design): Build Diagnostic Architecture—configuration logs, audit trails, real-time fidelity indicators, structured criteria. If you do, you earn the Safe Harbor.
  • Option B (Consequence): Keep the non-auditable architecture. If you do, you bear the evidentiary gap in any dispute. Priced Opacity applies.

This is not a ban on opacity. It is a pricing mechanism. Vendors may choose opacity if they are willing to internalize its costs.

Summary: The Filter in One Page

PHASE 1: THRESHOLD — Parameter Turned Down from Known Baseline

  • Is there a parameter? A controllable parameter that determines fidelity?
  • T-Arm: Reference baseline exists → question is delta
  • P-Arm: Compliance baseline asserted → question is verifiability
  • No parameter → EXIT

PHASE 2: OBSERVABILITY GAP — THE TRIPARTITE CONDITION

  • Fixed Interface: Stable endpoint masks backend variation?
  • Nominal Equivalence: Same label, different configurations?
  • Two-Axis Opacity: Structural (vertical) + Temporal (horizontal)?
  • All three converge → Discretionary Zone established
  • Any prong fails → EXIT

PHASE 3: DIAGNOSTIC — THE FOUR ELEMENTS

  • Structural Invisibility: Gap blocks legally material information?
  • Foreseeable Harm: Signature failures traceable to design choice?
  • Doctrinal Mismatch: Law presupposes info architecture withholds?
  • Information Asymmetry: Controller knows what relying party cannot?
  • All four elements → Priced Opacity attaches
  • Elements not met → EXIT

Others

  • Meaningful User Consent:
  • Diagnostic Sufficiency: Architecture verifies compliance → EXIT

OUTPUT

  • All phases pass, no defeater → Burden reallocation
  • Party who controlled parameter and chose non-observability bears gap
  • The architecture could not verify the claim → gap follows architectural choice

What Happens After the Filter Fires

The Sequential Filter identifies systems where verification is structurally blocked. But passing the Filter does not mean the defect is provable. It means the defect is diagnosable—the architecture has the signature.

This section addresses what happens next: how long it takes for evidence to become available, what mechanisms bridge the gap between harm and proof, and why doctrine systematically fails to see certain categories of defect.

The concept is epistemic latency: the delay between when harm occurs and when evidence of harm becomes legally cognizable.

A. Low-Latency Defects

Low-latency defects produce artifacts visible near the moment of harm. The signature failure is perceptible—not necessarily to everyone, but to someone positioned to observe.

T-Arm examples:

  • Pixelation appears on the screen during playback

  • A hallucinated citation is discoverable by checking the reporter

  • Compression artifacts—banding, smearing, macro-blocking—are visible to trained eyes

  • The airbag ruptures; shrapnel is recovered from the vehicle

P-Arm examples:

  • A rushed "conferral" is experienced as it happens—the victim knows she received a voicemail, not a dialogue

  • A rejection letter arrives immediately after an interview that felt perfunctory

  • The checkbox is marked before any meaningful exchange occurred

Characteristics:

  • Evidence exists at or near the moment of harm

  • Individual litigation is viable—one plaintiff can prove one defect

  • Amenable to technocratic interventions: standards, labeling, disclosure, testing protocols

  • The challenge is access (getting the evidence), not existence (whether evidence exists)

Low-latency defects are hard to win but conceptually familiar. Something happened; someone saw it; the question is whether the plaintiff can surface what the defendant controls.

B. High-Latency Defects

High-latency defects produce artifacts visible only through aggregation. The individual instance looks normal. The defect becomes visible only when you step back and see the pattern.

T-Arm examples:

  • Propellant degradation takes 8-10 years to manifest; the inflator passes bench testing

  • Model drift accumulates over silent updates; no single session shows the change

  • Compression quality varies by scene complexity; the degradation is statistical, not constant

P-Arm examples:

  • The rejected candidate sees nothing wrong: a polite letter, facially neutral reasons, no smoking gun

  • The conferral checkbox is marked for every case; the pattern of timing inversions emerges only across hundreds of cases

  • The "merit-based" system produces distributions that correlate with demographics, visible only through regression analysis

Characteristics:

  • Evidence does not exist at the moment any single harm occurs

  • Individual litigation is often impossible—one plaintiff cannot prove a pattern

  • Requires aggregation mechanisms: class actions, statistical experts, longitudinal studies, audits

  • The challenge is existence (whether evidence can be constituted), not just access

High-latency defects are not merely "harder to prove." The proof often does not exist until someone builds it. The harm is the distribution; the distribution requires data the individual plaintiff does not have.

C. Epistemic Intermediaries

High-latency defects require epistemic intermediaries: mechanisms that bridge the gap between harm occurrence and legal cognizability.

Intermediary types:

IntermediaryFunctionExample
Statistical analysisReveals distributional patternsRegression showing callback gap by race
AuditsSystematic inspection of processEEOC investigation of hiring practices
DiscoveryCompelled production of internal recordsInterrogatories revealing evaluation criteria
WhistleblowersInsider disclosure of hidden practicesEngineer revealing suppressed test data
JournalistsPublic investigation and exposureReporting on geographic clustering of failures
Aggregation counselClass action assemblyPlaintiffs' attorneys pooling individual claims

Sufficient vs. Necessary:

Some intermediaries are sufficient: they can reveal the defect if deployed. An audit could find the pattern; discovery could surface the criteria; a whistleblower could disclose the data.

Other intermediaries are necessary: without them, the harm cannot become legally cognizable. For distributional discrimination, aggregation is not optional—the harm is the distribution. You cannot see a pattern in a sample of one.

The Intermediary Chokepoint:

When doctrine restricts intermediaries, it restricts visibility. Barriers to class certification, restrictions on pattern evidence, demands for individualized proof, heightened pleading standards before discovery—these do not merely raise a proof burden. They can block the only pathway to cognizability.

Wal-Mart v. Dukes is the paradigm. The Court held that discretionary decision-making is not a "policy" susceptible to class treatment—precisely because each manager's exercise of discretion is individual. But discretion exercised within non-diagnostic architecture produces the same signature failures across thousands of instances. The ruling did not declare the pattern lawful. It defined the pattern out of existence by foreclosing the only mechanism that could make it visible.

D. The Lifecycle Trap

Epistemic latency interacts with the data lifecycle. As information moves through the pipeline, options narrow.

The progression:

Reality → Artifact → Record → Decision → Precedent

At each stage, fidelity can be lost and recovery becomes harder:

  • Reality contains full complexity: context, texture, what was said and unsaid

  • Artifact captures what the system was designed to capture (and discards the rest)

  • Record is the institutional residue—the checkbox, the score, the file

  • Decision treats the record as truth and acts upon it

  • Precedent treats the decision as authority and propagates it forward

The trap: Intervention is easiest early and hardest late. You can turn an egg into an omelet, but not an omelet back into an egg.

Early intervention (tractable):

  • Mandate diagnostic architecture before decisions are made

  • Require retention of intermediate states

  • Build audit trails into the system from inception

Late intervention (difficult to impossible):

  • Reconstruct what the record didn't capture

  • Prove what the architecture was designed not to preserve

  • Unwind decisions that have been ratified by subsequent reliance

Litigation timing: By the time a case reaches court, the harm has progressed through most of the lifecycle. The plaintiff confronts a record—not reality. The record was shaped by architecture the defendant controlled. The question is whether doctrine will account for that shaping or treat the record as neutral.

E. Doctrinal Blind Spots

Existing doctrine has partial overlaps with SDF but systematic blind spots for high-latency, architecture-driven defects.

Product Liability:

  • Optimized for visible malfunction and safety risk

  • Asks: did the product fail?

  • Blind spot: silent performance attenuation under nominal equivalence—where the product continues to function while losing the capacity users reasonably rely upon

  • The hallucinating AI "works"; it just doesn't reason

Evidence Law:

  • Assumes the original is faithful

  • A clean chain of custody certifies integrity of transmission

  • Blind spot: fidelity loss at capture or compression—the artifact arrives intact, but truth was already attenuated before the chain began

  • The record is authentic; it was just never complete

Administrative Law:

  • Demands rational connection between facts and choices

  • Asks: did the decision-maker explain the reasoning?

  • Blind spot: architecture that cannot generate reviewable reasons—the system "decided" but was never built to capture why

  • The decision exists; the basis was never recorded

Anti-Discrimination Doctrine:

  • Centers on intent (or, post-Griggs, on effects requiring individualized proof)

  • Asks: did someone mean to discriminate? Can this plaintiff prove impact on her?

  • Blind spot: unstructured environments generate low-fidelity decision-making and thin records, producing both disparity and non-auditability simultaneously

  • The pattern is real; the architecture ensures it cannot be proven case-by-case

The Common Thread:

Each doctrine assumes information the architecture may have been designed not to generate. The blind spot is not ignorance—it is miscalibration. The doctrine asks questions the system cannot answer, then treats the silence as the plaintiff's failure rather than the architecture's defect.

F. Litigation Consequences

Epistemic latency shapes litigation strategy in predictable ways.

Low-latency (typically T-Arm):

  • Individual discovery may suffice: produce the baseline, show the parameter, demonstrate the delta

  • Expert testimony on technical standards

  • Document requests for configuration logs, version history, internal benchmarks

  • Viable as individual action if plaintiff can access the right evidence

High-latency (typically P-Arm):

  • Class-wide discovery usually required: statistical patterns need statistical proof

  • Expert testimony on regression analysis, disparate impact methodology

  • Interrogatories on evaluation criteria, comparator pools, aggregate outcomes

  • Often non-viable as individual action—one plaintiff cannot prove a distribution

The Structural Immunity Problem:

A legal system that restricts aggregation mechanisms while demanding individualized proof creates structural immunity for high-latency defects—not by declaring them lawful, but by making them unprovable.

The employer who builds non-diagnostic evaluation architecture gets two benefits: the architecture enables bias to operate (the defect), and the architecture ensures bias cannot be proven (the immunity). The system harms and hides in a single architectural choice.

Strategic Implications:

  • Plaintiffs should target low-latency signature failures where possible (the hallucinated citation, the visible artifact) even when the underlying harm is high-latency (the pattern of degradation)
  • Regulators should mandate diagnostic architecture before harms accumulate—the lifecycle trap means late intervention is expensive
  • Defendants who want safe harbor should build audit trails now—the absence of records will be priced if litigation occurs later

Summary: Latency and the Filter

The Sequential Filter identifies whether a defect exists. Epistemic latency determines when the defect becomes provable.

LatencyVisibilityProof MechanismDoctrinal Fit
LowNear-immediateIndividual discoveryBetter (familiar pattern)
HighAggregation-dependentClass action / statisticalWorse (blind spots)

The framework fires the same way regardless of latency. But high-latency defects face an additional barrier: even after diagnosis, the evidence may not exist until intermediaries constitute it.

This is why P-Arm cases are harder than T-Arm cases. The T-Arm plaintiff hunts for a baseline someone is hiding. The P-Arm plaintiff must constitute evidence from an architecture designed not to generate it.

The Priced Opacity rule addresses this asymmetry. If the architecture was designed to be non-diagnostic—if the evidence doesn't exist because the defendant chose not to build capacity for it—the evidentiary gap follows the architectural choice. The defendant cannot benefit from the absence it engineered.

But Priced Opacity only works if courts recognize the latency problem. A doctrine that demands what the architecture cannot provide, then penalizes plaintiffs for the absence, has inverted the burden without admitting it.

The next section addresses how to fix that inversion.

This Part applies the framework across sevn casest. The cases that follow are not examples—they are diagnostics. Each applies the same protocol to a different substrate: digital signals, physical products, bureaucratic compliance, regulatory certification. What emerges is not analogy but isomorphism. The architecture is invariant. Only the costume changes.

The Structural Defect Framework operates as a Dual-Module System. The T-Module (Technical/Transmissive) governs domains where a master artifact exists upstream—a higher-fidelity reference that was degraded by a controllable parameter hidden at the moment of use. The dispute is delta: how much was lost, and who controlled that loss. The P-Module (Procedural/Proxy) governs domains where no master artifact exists—where the baseline is a compliance claim ("non-discriminatory," "meaningful conferral," "merit-based") that the architecture cannot verify because it never built the diagnostic capacity to test itself.

Both modules share the same triplet: Fixed Interface (the stable presentation layer that locks the user's view), Nominal Equivalence (the unchanged label that masks materially different underlying states), and Two-Axis Opacity (control-chain barriers vertically, provenance barriers horizontally) that makes inspection impossible upon use. Both produce the same outcome: foreseeable harm that persists because verification was architecturally foreclosed.

The cases proceed by dimension:

  • Cases 1–2 (T-Module): A bounded artifact exists; a parameter was adjusted to degrade it; nominal equivalence masks the delta. Adaptive Streaming and Takata Airbags.
  • Cases 3–4 (P-Module): No master artifact exists; the institution asserts compliance while building architecture incapable of verification. Right to Confer and Title VII.
  • Cases 5–6 (T→P Stacking): A technical design choice propagates downstream and defeats a procedural safeguard. Rule 26 Discovery and Boeing 737 MAX.
  • Case 7 (P→T Theoretical): A procedural judgment, rendered without diagnostic architecture, hardens into precedent that forecloses upstream technical audit. Precedent Lock.

The progression is pedagogical. We begin with streaming video—where fidelity loss is perceptible to ordinary users—so the reader can see the defect before learning to diagnose it. We then move to atoms (Takata), where the same architecture produces shrapnel instead of pixels. From there we enter pure P-Module territory, where the compliance claim is mediated by a checkbox and a thin file. Title VII escalates the stakes: discrimination is experienced in real time but becomes legally visible only through aggregation the architecture prevents. The stacking cases show what happens when T-Module choices break P-Module safeguards—first in litigation (Rule 26), then in regulatory certification (Boeing). The final case tests the framework's boundaries: can a non-diagnostic procedural judgment propagate backward and foreclose technical audit in future cases?

The Opacity Gradient. The cases are also ordered by diagnostic difficulty—by how deep you must dig before the defect becomes visible. We begin where you can see the harm with your eyes (the muddy frame, the pixelated face). We move to defects sealed inside physical components, invisible without destructive testing. From there we enter domains where there is nothing to cut open—only claims and checkboxes and thin files. The stacking cases show defects that propagate between systems, defeating safeguards in one layer through choices made in another. The final case shows a defect that erases its own audit trail through procedural finality.

The pattern: as opacity deepens, doctrine struggles more. T-Module defects are hard to prove but conceptually familiar—something existed, something was degraded, someone controlled the parameter. P-Module defects are harder because there is no "something" to point to—only the absence of the diagnostic architecture that would make the compliance claim testable. Stacked defects are hardest because the harm and the cause live in different systems, and no single legal regime governs the interface. By the end, you will understand why current doctrine fails—and why a unified framework is necessary.

By Case 7, the reader should be able to diagnose any system—technical or institutional, digital or physical—using the SDF grammar. The cumulative effect is proof of generalizability: the Structural Defect Framework is not a metaphor borrowed from technology law. It is a diagnostic protocol for any system that processes normatively relevant information through constrained channels while asserting fidelity it cannot verify.

Each case follows a consistent structure: Hook (the visceral entry), Fidelity Parameter (the controllable variable), Observability Gap (the three-element test), Materials (concrete evidence), Signature Failures (configuration-linked patterns), Proof Targets (what discovery must demand), Defeater (when the claim weakens), and Bridge (transition to the next domain).

The closing question is the same across all seven: not who had better access to information, but whether the architecture permitted verification at the moment of reliance.

The Matrix: Isomorphism of the fidelity parameter

Before moving to the cases, please note the structural identity across domains. Whether the signal is digital or physical, the design intent remains constant.

DimensionT-Arm (Transmissive)P-Arm (Proxy-Mediated)
BaselineReference Baseline (upstream artifact exists)Compliance Baseline (claim asserted)
OpacityTwo-Axis Opacity (parameter hidden)Absence of Diagnostic Architecture
Legal QuestionDelta: How much was lost?Verifiability: Can the claim be tested?
Key FailureHidden parameter conceals degradationVerification record never generated
Diagnostic DepthArtifact exists but is inaccessibleNo artifact to access

Case 1: Streaming Video and the Vanishing Frame (T-Arm)

Part 1: Context

The Promise

You pay for 4K.

The advertisement said "Ultra HD." The plan comparison page showed a checkmark in the "4K" column. Your credit card is charged $22.99 per month—the premium tier, the one that unlocks "the best picture quality available." You bought a television specifically because it could display 4K resolution. You ran an ethernet cable to eliminate WiFi interference. You did everything right.

You press play on The Irishman. Scorsese in 4K. Three and a half hours of de-aged De Niro, meticulous production design, a $159 million budget spent on making every frame museum-quality.

The opening shot looks fine. Gorgeous, even. You settle in.

Forty minutes later, something is wrong. During a dimly lit bar scene, the shadows behind Frank Sheeran's head dissolve into blocky smears. His face, when he turns, has a waxy smoothness—like a video game character from 2012. The wood paneling behind him pulses with compression artifacts. You pause, rewind, watch again. It's still there.

You check your internet speed: 180 Mbps. More than enough. You check your TV settings: 4K HDR enabled. You check the app: it says "Ultra HD" in the corner. Everything claims you're watching 4K. But you're not. You're watching something else wearing 4K's label.

The Mechanism

What you cannot see is the bitrate ladder.

When Netflix encodes a film for streaming, it doesn't create one file. It creates dozens—a stack of versions at different quality levels, each tuned for different network conditions. At the top of the ladder: the reference encode, as close to the master as streaming allows. At the bottom: a version compressed so aggressively it can survive a congested cellular connection.

The ladder has rungs. Each rung is defined by a bitrate—how many bits per second flow through the pipe. More bits, more information, more fidelity. Fewer bits, more compression, more loss. A 4K stream at 16 Mbps looks different from a 4K stream at 8 Mbps, which looks different from one at 4 Mbps. They all resolve at 3840 × 2160 pixels. They do not all contain the same image.

When you press play, an algorithm decides which rung to serve you. It considers your measured bandwidth, your device capabilities, current server load, CDN congestion, and—crucially—Netflix's own cost structure. Bandwidth costs money. Every bit transmitted is a fraction of a penny paid to someone. The algorithm optimizes for "quality of experience," but quality of experience is defined by Netflix, and Netflix has an interest in the definition.

The algorithm can downshift mid-stream. If congestion spikes, if a server hiccups, if the model predicts you'll tolerate a quality drop without hitting pause—the rung changes. You're now watching a different encode. The interface doesn't tell you. The "Ultra HD" badge stays lit.

This is the parameter. The fidelity parameter is the bitrate ladder configuration: how many rungs, what quality at each rung, and what logic governs selection. The subscriber cannot see the ladder. The subscriber cannot see which rung is being served. The subscriber sees only the interface—and the interface says "4K."

The Artifact

What does degradation look like when you're told nothing is degraded?

It looks like banding—smooth gradients (sunset skies, shadowed walls) collapsing into visible steps, like a topographic map where a photograph should be. It looks like smeared textures—fine detail (fabric weave, skin pores, brick mortar) smoothing into plastic uniformity. It looks like face distortion—features that flicker and warp as the codec struggles to preserve what matters most to human perception. It looks like macro-blocking—the image fragmenting into squares when motion or darkness overwhelms the allocated bits.

These artifacts are not random. They are signatures. They cluster around specific scenes (low light, high motion, fine texture) and correlate with specific encoding decisions (bitrate, codec settings, keyframe interval). A trained eye can look at a degraded stream and infer the compression regime. The damage is forensic.

But the subscriber doesn't have a trained eye. The subscriber has a television and a promise. When the shadows smear, the subscriber doesn't think "bitrate ladder downshift." The subscriber thinks "maybe my internet hiccuped" or "maybe this scene was shot badly" or "maybe I'm imagining it."

The interface provides no feedback. There is no real-time bitrate indicator. There is no quality graph. There is no alert when the algorithm downshifts. The only signal is the "Ultra HD" badge—and that badge is tied to your subscription tier, not to what's actually flowing through the pipe.

The Economics

Why would Netflix degrade your stream without telling you?

Because bandwidth costs money, and you already paid.

The subscription model creates a specific incentive structure. You pay a fixed monthly fee. Netflix pays a variable cost per bit delivered. Every bit Netflix doesn't send you is a bit Netflix doesn't pay for. If you can't tell the difference—if the interface still says "4K" and you don't cancel—then the degraded stream is pure margin.

This isn't conspiracy. It's optimization. Netflix has said publicly that it uses "perceptual quality" metrics to tune its encoding—delivering the minimum bitrate that produces acceptable subjective quality. The sophistication is real. But "acceptable" is defined by Netflix, tested on Netflix's focus groups, and implemented at Netflix's discretion. You have no input into the threshold. You have no visibility into when you've crossed it.

The economic logic is simple: fidelity is a private cost variable. The platform decides how much quality to deliver, balancing its cost of bandwidth against its estimate of your tolerance for degradation. You cannot audit this tradeoff. You cannot even observe it. You see only the outcome—a frame that might be 4K or might be something less—and a label that says the same thing either way.

The Invisibility

This is where the structural defect becomes clear.

You cannot verify what you're receiving while you're receiving it. The interface does not expose the relevant variable. You would need packet capture, bitrate analysis tools, frame-by-frame comparison to reference encodes. You would need to be a video engineer running a home lab.

The platform has perfect information. It knows the master quality, the encoding ladder, the selection logic, the real-time bitrate, the session-level delivery statistics. It could surface this information. It could display a quality indicator. It could alert you when downshifts occur. It could give you controls—"never drop below this rung"—and let you make the tradeoff yourself.

It doesn't. Not because the technology is impossible, but because the visibility would impose a constraint. If you could see the degradation, you might complain. You might demand refunds. You might switch to a competitor. The opacity is functional. It's not a bug in the interface. It's a feature of the business model.

And here's the doctrinal problem: under current consumer protection law, you would struggle to recover anything. The terms of service say "quality may vary based on network conditions." The 4K promise is hedged with "up to" and "when available." Netflix would argue that it never guaranteed a specific bitrate—only access to 4K-capable streams when conditions permit. The conditions, of course, are defined by Netflix.

You paid for 4K. You received something wearing 4K's label. You cannot prove the difference without equipment you don't have, analyzing data you cannot access, applying expertise you were never expected to need. The harm is real. The gap is architectural. The remedy, under current doctrine, is unclear.

You sit on your couch, watching De Niro's face shimmer with compression artifacts, and you think: something is wrong. You're right. Something is wrong. But you can't name it, you can't prove it, and the interface insists everything is fine.

The question is whether the platform can collect a 4K premium for a stream it cannot verify was delivered at 4K fidelity—or whether the opacity itself shifts the burden.

Observability Gap (Gateway):

  • Fixed Interface: The "Ultra HD" badge is tied to subscription tier, not real-time delivery—it displays identically whether you're receiving 16 Mbps or 4 Mbps
  • Nominal Equivalence: "4K" labels both reference-quality streams and heavily compressed streams that happen to resolve at the same pixel count
  • Two-Axis Opacity: Structural (platform controls ladder, selection logic, and cost optimization); Temporal (no session logs exposed to subscriber, no way to reconstruct what was actually delivered)

SDF Entry Point: This is a pure T-Arm case. A bounded artifact exists upstream—the 4K master encode. The fidelity parameter is the bitrate ladder configuration: rung count, quality per rung, and selection logic. The subscriber cannot observe which rung was served at the moment of viewing.

Part 2: SDF Analysis

A. Fidelity Parameter

Bitrate Ladder Configuration. The parameter has three components:

  1. Rung Structure: How many quality levels exist, and what bitrate defines each
  2. Encoding Settings: Codec choice, keyframe interval, perceptual optimization tuning
  3. Selection Logic: The algorithm that decides which rung to serve based on network conditions, device capabilities, and cost constraints

The platform controls all three. The subscriber controls none. The subscription tier sets a ceiling—you cannot receive higher than 4K if you're on the HD plan—but it does not set a floor. Nothing guarantees you will receive 4K even if your plan allows it.

The parameter is adjusted in two places: at encoding time (when the ladder is designed) and at runtime (when the selection algorithm operates). Both are invisible to the subscriber. The delta between "4K master" and "stream as delivered" is entirely a function of choices the subscriber cannot observe and did not consent to.

B. Observability Gap

  • Fixed Interface: The "Ultra HD" badge and plan tier indicator. The interface is stable across delivery conditions. A subscriber receiving a 15 Mbps stream sees the same "Ultra HD" indicator as a subscriber receiving a 4 Mbps stream. The label tracks subscription status, not delivery reality.
  • Nominal Equivalence: "4K" and "Ultra HD" describe a pixel resolution (3840 × 2160), not a quality level. Two streams can both be "4K" while one contains four times the information of the other. The label is technically accurate and functionally deceptive. The subscriber has no vocabulary—and no interface—to distinguish "4K at reference quality" from "4K at minimum viable quality."
  • Two-Axis Opacity:
    • Structural (Vertical): The encoding ladder, selection algorithm, and cost-optimization logic are proprietary. The subscriber sees only the final output—a frame on a screen—with no visibility into the pipeline that produced it.
    • Temporal (Horizontal): Session-level delivery data is not retained in any subscriber-accessible form. There is no log of "on Tuesday at 9
      PM, during scene 47, you received rung 3 at 6.2 Mbps." The moment passes. The evidence vanishes. Reconstruction is impossible without platform cooperation.

C. Signature Failure

Compression Artifacts Correlated with Configuration. The signature is not random quality fluctuation but patterned degradation that correlates with encoding and selection choices:

  • Banding: Visible steps in gradients (skies, shadows) indicating insufficient bit depth for smooth tonal transitions
  • Smeared Textures: Loss of fine detail (fabric, skin, architecture) indicating aggressive spatial compression
  • Macro-blocking: Visible square artifacts during motion or scene transitions indicating keyframe/bitrate mismatch
  • Temporal Flicker: Frame-to-frame inconsistency in facial features or fine detail indicating unstable encoding at low bitrates

These artifacts cluster around scenes that stress the encoder: low light, high motion, fine texture, wide color gamut. They are configuration-linked—a function of the ladder's design and the rung served—rather than random noise or network failure.

A/B testing can confirm this: serve the same scene at two different bitrates and compare. The artifacts appear or disappear as a function of the parameter setting. The defect is traceable to the parameter.

D. Proof Targets

TargetWhy Critical
Bitrate ladder specificationsDocuments rung count, bitrate per rung, quality ceilings
Encoding configuration logsReveals codec settings, perceptual tuning, optimization targets
Selection algorithm documentationShows what factors drive rung choice (network, device, cost?)
Session-level delivery telemetryProves what rung was actually served during specific playback
Internal QoE researchReveals platform's own understanding of perceptual thresholds
A/B test resultsShows platform's knowledge of quality differences across configurations
Definitional documentsHow does the platform define "4K," "Ultra HD," "Premium Quality"?

The critical discovery is the session telemetry: what did this subscriber actually receive during this viewing session? Without this, the subscriber cannot establish the delta between promise and delivery. The platform possesses this data. The platform has not disclosed it. The evidentiary gap is architectural

The One-Liner: "Quality may vary" is not a defense when the variation is invisible and the variability is monetized.

Bridge

Streaming shows the T-Arm pattern in its most intuitive form. A bounded artifact exists—the master encode. A fidelity parameter was adjusted—the bitrate ladder. Nominal equivalence was maintained—the "4K" label. The subscriber experienced the output but could not verify the configuration.

Case 2 (Takata) escalates the stakes. The artifact is physical. The fidelity parameter is a chemical stability margin. The degradation is invisible until the inflator ruptures. And the defect killed people.

The closing question: Did the platform's architecture permit verification of 4K delivery at the moment of viewing?

No. The interface displayed a badge tied to subscription tier, not delivery reality. The session telemetry was not exposed. The encoding ladder was not disclosed. The subscriber saw only a frame and a label.

The architecture could not verify the promise. The gap follows the architectural choice. Priced opacity applies.

Case 2: Takata Airbags and the Slow Bomb (T-Arm in Atoms)

Part 1: Context

The Deployment

Mercedes Ramirez Audiffred was twenty-six years old.

She was driving her 2001 Honda Civic on a humid August afternoon in South Florida when another vehicle ran a red light. The collision was moderate—the kind of crash you expect to walk away from with bruises, maybe whiplash, a totaled car and a week of paperwork.

Mercedes was wearing her seatbelt. The airbag deployed. This is supposed to be the moment the safety system earns its name.

Instead, the inflator canister ruptured. Metal shrapnel—fragments of the steel housing that should have contained the propellant explosion—tore through the airbag fabric and into Mercedes's body. A shard severed her carotid artery. She bled out before paramedics could reach her.

The crash didn't kill Mercedes. The airbag did.

Her family sued Honda. Discovery revealed that Takata, the company that manufactured the inflator, had known for years that its propellant destabilized in heat and humidity. Internal engineers had flagged the risk. Executives had calculated the odds. The bet was that vehicles would be scrapped before the chemistry turned lethal.

Mercedes's Civic was three years old. The bet was wrong.

The Chemistry

Every airbag contains an inflator—a sealed metal canister packed with propellant. When sensors detect a collision, an electrical signal ignites the propellant. The propellant burns in a controlled explosion, generating nitrogen gas that fills the airbag in approximately 30 milliseconds. The physics must be precise: too slow and the occupant hits the steering wheel before the bag inflates; too fast or too forceful and the deployment itself causes injury.

The propellant is the heart of the system. For decades, the industry standard was guanidine nitrate—a stable compound that burns predictably across a wide range of temperatures and humidity levels. It works in the Arizona desert. It works in the Minnesota winter. It works after sitting in a parked car for fifteen years.

In 1998, Takata made a different choice. It switched to ammonium nitrate.

Ammonium nitrate is cheaper—roughly $0.50 less per unit. At Takata's production volume, that savings exceeded $100 million. The compound also burns cleanly, producing nitrogen gas without the residue that guanidine nitrate leaves behind.

But ammonium nitrate has a problem. It is hygroscopic: it absorbs moisture from the air. In the presence of humidity and heat, it undergoes phase transitions—its crystalline structure shifts, expanding and contracting, weakening the pressed propellant wafers over time. The degradation is invisible. The inflator looks identical. The part number is the same. The certification stamp is unchanged. But inside the sealed canister, the propellant is slowly becoming unstable.

When destabilized ammonium nitrate ignites, it doesn't burn in a controlled explosion. It detonates. The pressure spike exceeds the canister's design tolerance. The metal housing ruptures. Shrapnel flies.

Takata's engineers knew this. A 2000 internal memo noted: "Ammonium nitrate is known unstable in tropical climates." A 2004 executive briefing estimated that "high humidity failures expected <1%; warranty manageable." Testing showed degradation accelerated above 90°F and 80% relative humidity—conditions that describe South Florida, Houston, Puerto Rico, and much of the Gulf Coast for six months of every year.

The fidelity parameter was stability margin: the gap between the propellant's safe operating envelope and the conditions it would actually encounter over a vehicle's lifespan. Takata set the margin low. It bet on time.

The Temporal Bet

This is where Takata's calculation becomes legible.

Vehicles have lifecycles. A car bought in 2001 might be traded in by 2007, resold, traded again, and scrapped by 2015. The original owner is long gone. The third owner paid $4,000 for a used Civic and doesn't think about the provenance of its safety components.

Takata's bet was that the degradation curve would run slower than the scrappage curve. If ammonium nitrate took fifteen years to destabilize, and most vehicles were crushed by year twelve, the failures would be statistical noise—a few unlucky cases in junkyards, not a pattern in the fleet.

The bet was wrong in two ways.

First, the degradation was faster than projected. High-humidity environments accelerated the chemistry. Inflators in Florida and Texas were failing at year eight, year ten—well within the vehicle's useful life. Second, the 2008 financial crisis extended vehicle lifespans. People held onto cars longer. The used-car market kept older vehicles on the road past their expected scrappage date. The population of aging inflators in humid climates grew.

By 2014, the failures were no longer statistical noise. They were a pattern. Ruptures clustered in specific VIN bands (2000–2006 model years) and specific ZIP codes (Miami, Houston, San Juan). The age-adjusted failure rate in high-humidity zones was 500% higher than in cold, dry climates. Twenty-seven people were dead. Over four hundred were injured.

Takata had created a slow bomb. The fuse was time. The trigger was weather. The shrapnel was the safety system itself.

The Supply Chain Opacity

Mercedes's family sued Honda, not Takata. This is not an accident. It reflects the architecture of automotive supply chains—and the opacity that architecture produces.

Takata manufactured the inflator. Honda integrated it into the vehicle. The consumer bought the vehicle. At each layer, information was lost.

At Takata: Engineers knew the propellant chemistry. Executives knew the cost tradeoff. Testing data existed—humidity chamber results, accelerated aging simulations, field failure reports. This information was internal. It was not disclosed to OEMs in any systematic way. The inflator shipped with a part number and a certification: "Phase 4 propellant, FMVSS 208 compliant." The certification was a snapshot. It tested bench conditions. It did not test lifecycle.

At Honda: The vehicle was assembled with the inflator installed. Honda certified the vehicle as "airbag equipped." But Honda did not independently test inflator lifecycle degradation. It relied on Takata's representations. When Takata notified Honda of early field failures in 2004, the communication was narrow: specific part numbers, specific VINs, "isolated incidents." Honda did not demand propellant formulation data. It did not conduct accelerated aging tests. It passed the certification through.

At the consumer: Mercedes saw a dashboard airbag light. It illuminated at startup and turned off—the universal signal that the system was functional. Her owner's manual said the vehicle was "safety certified." Nothing disclosed the propellant chemistry, the humidity sensitivity, or the temporal risk. The inflator was sealed in metal, hidden behind the steering wheel, invisible and inaccessible.

The Fixed Interface was consistent at every layer: part numbers, certifications, indicator lights. The Nominal Equivalence was complete: "airbag certified" described both guanidine nitrate inflators with thirty-year stability margins and ammonium nitrate inflators degrading in the Florida heat. The opacity was structural (each layer saw only what the layer above disclosed) and temporal (no one tracked lifecycle degradation in the field).

When the shrapnel hit Mercedes's neck, she had no way to know she was sitting behind a slow bomb. Neither did Honda. Takata knew—and Takata controlled the parameter.

The Regulatory Gap

The National Highway Traffic Safety Administration (NHTSA) sets Federal Motor Vehicle Safety Standards. FMVSS 208 governs airbag performance. It requires that airbags deploy within specified parameters: timing, force, coverage.

But FMVSS 208 is a certification standard, not an endurance standard. It tests inflators at manufacture. It does not mandate lifecycle testing—humidity chambers simulating ten years of Gulf Coast summers, accelerated aging protocols, field sampling of deployed units. The standard assumes that a certified inflator remains certified. It does not contemplate invisible degradation.

Takata exploited this gap. Its inflators passed bench tests. They passed certification. They met the snapshot standard. They failed the lifecycle reality that FMVSS 208 never required anyone to measure.

When NHTSA began investigating in 2010, Takata denied a pattern. It attributed failures to manufacturing defects in specific lots, not systemic propellant instability. The agency lacked the technical infrastructure to independently test degradation chemistry. It relied on manufacturer-submitted data. The data was incomplete. The investigation stalled.

By 2014, the pattern was undeniable. The recall eventually covered 67 million inflators—the largest automotive recall in history. In 2017, Takata pled guilty to federal criminal charges. It paid $1 billion in penalties. It declared bankruptcy.

Twenty-seven people were dead. The certification system that was supposed to prevent this had tested the wrong thing at the wrong time using data controlled by the party with the most to hide.

Mercedes Ramirez Audiffred buckled her seatbelt on a humid Florida afternoon. She did everything right. The system that was supposed to save her life was degrading inside its sealed canister, invisible, unmeasured, certified.

Somewhere in Takata's files, there were humidity chamber results. There were engineering memos. There were executive briefings calculating acceptable failure rates. The information existed. It was not shared with Honda. It was not disclosed to NHTSA. It was not available to Mercedes or her family until litigation forced it into the light.

The question is whether "certified" means anything when the certification tests a snapshot and the defect is a process—or whether the party who knew the process must prove it disclosed the risk.

Observability Gap (Gateway):

LayerFixed InterfaceNominal EquivalenceTwo-Axis Opacity
Takata"Phase 4 certified" part numberIdentical markings despite propellant chemistry shiftInternal test data suppressed; no lifecycle disclosure
OEM"Airbag equipped" VIN certificationHonda/Ford certify without inflator teardownNo independent lifecycle testing; reliance on supplier representations
ConsumerDashboard airbag indicator light"Safety certified" despite invisible degradationNo access to chemistry, no field sampling, no warning until rupture

SDF Entry Point: This is a pure T-Arm case in physical form. A bounded artifact exists upstream—the stable inflator design using guanidine nitrate propellant. The fidelity parameter is stability margin: propellant chemistry plus testing regime. Takata turned the parameter down (ammonium nitrate, minimal lifecycle testing) and maintained nominal equivalence (identical certifications, identical part interfaces). The consumer could not observe degradation. The rupture was the first signal.

Part 2: SDF Analysis

A. Fidelity Parameter

Stability Margin. The parameter has two components:

  1. Propellant Chemistry: Guanidine nitrate (stable across temperature/humidity ranges, higher cost) versus ammonium nitrate (hygroscopic, phase-unstable, cheaper)
  2. Testing Regime: Accelerated lifecycle testing (humidity chambers, 10-year heat cycling, field sampling) versus bench-condition certification only

Takata controlled both. The 1998–2000 switch to ammonium nitrate saved over $100 million. The minimal testing regime saved additional cost and—critically—avoided generating documentation of the degradation curve.

The parameter setting was a bet: that temporal degradation would outrun vehicle scrappage. The bet was invisible to every downstream actor. The certification interface was unchanged. The part number was unchanged. The inflator that left Takata's factory in 2001 looked identical to the inflator that left in 1997. Only the chemistry inside was different—and the chemistry was sealed in metal.

B. Observability Gap

  • Fixed Interface: The part number, certification stamp, and dashboard indicator light. All three displayed identically regardless of propellant chemistry or degradation state. A consumer in 2004 saw the same airbag light as a consumer in 1998. The interface tracked presence, not condition.
  • Nominal Equivalence: "Airbag certified" and "FMVSS 208 compliant" labeled both stable and unstable inflators. The label was technically accurate—the inflator passed certification at manufacture—and functionally deceptive—certification did not test lifecycle degradation.
  • Two-Axis Opacity:
    • Structural (Vertical): Information was lost at each supply chain layer. Takata knew the chemistry. Honda knew the part number. The consumer knew the dashboard light. No one downstream could see through the sealed canister.
    • Temporal (Horizontal): Degradation occurred over years. No field sampling protocol existed. No consumer-accessible inspection was possible. The inflator's condition at year one, year five, year ten was unmeasured and unmeasurable without destructive testing.

C. Signature Failure

Geographic and Temporal Clustering. The signature is not random rupture but patterned failure correlated with environmental exposure:

  • VIN Band Clustering: Failures concentrated in 2000–2006 model years (post-AN switch, pre-recall)
  • Geographic Clustering: Rupture rates in high-humidity ZIP codes (Miami, Houston, San Juan, New Orleans) dramatically exceeded cold/dry regions (Minneapolis, Seattle, Denver)
  • Age-Adjusted Rate Divergence: Inflators in humid climates showed 500% higher failure rates after 10 years compared to identical inflators in arid climates

The pattern is diagnostic. Random manufacturing defects would distribute evenly across geography. Random failures would not correlate with humidity. The clustering proves the configuration: ammonium nitrate + heat + humidity = accelerated degradation = rupture.

Forensic examination of ruptured inflators confirmed the mechanism: propellant wafers showed crystalline phase changes (the AN signature), metal housings showed pressure-spike fragmentation patterns inconsistent with controlled burn.

D. Proof Targets

TargetWhy Critical
Propellant formulation change ordersDocuments AN switch 1998–2000; shows deliberate choice
Accelerated aging test dataHumidity chamber results Takata suppressed; shows known degradation curve
Field failure mappingVIN/geography clusters; proves pattern vs. "isolated incidents"
Cost modelsAN savings vs. guanidine nitrate; proves economic motive for low stability margin
OEM notification recordsTakata → Honda 2004 warnings; shows knowledge preceded public disclosure by decade
Internal risk assessments"Warranty manageable" calculations; shows acceptable-death math
NHTSA correspondenceTakata's denials during 2010 investigation; shows suppression of pattern

Congressional investigations and litigation discovery surfaced exactly this evidence. The proof existed. It was sealed inside Takata's files until subpoenas broke it open. The architecture of the supply chain—and the architecture of the certification regime—ensured that no one downstream could access it before the shrapnel flew.

E. Remedy

Priced Opacity. Takata controlled the fidelity parameter. Takata possessed the degradation data. Takata chose not to disclose lifecycle risk to OEMs, regulators, or consumers. Under SDF, Takata bears the evidentiary gap: it must prove that its stability margin was adequate for actual field conditions, or the gap is priced against it.

Diagnostic Sufficiency (Defeater): Takata could have escaped liability by proving it built adequate verification architecture:

  • Accelerated lifecycle testing simulating 10+ years in high-humidity environments
  • Propellant chemistry disclosure to OEMs with humidity-zone warnings
  • Field sampling protocols tracking deployed inflators over time
  • Proactive notification when degradation curve exceeded projections

None of this existed. The certification was a snapshot. The snapshot was designed to pass. The lifecycle was designed not to be measured.

The One-Liner: "Certified airbag" is not compliance if the certification tested bench conditions and the propellant destabilizes in the field.

Bridge

Takata proves the T-Arm operates in atoms as well as bits. The structure is identical to Case 1: a bounded artifact (stable inflator design), a fidelity parameter turned down (AN propellant, minimal testing), nominal equivalence maintained (same certifications, same part numbers), and an observability gap that made verification impossible until catastrophic failure.

But Takata adds a layer Case 1 lacked: temporal opacity at lethal scale. The streaming subscriber sees the pixelation and thinks "maybe my internet." Mercedes Ramirez Audiffred saw nothing. The degradation was sealed in metal, measured in years, invisible until shrapnel.

Case 3 (Right to Confer) shifts from T-Arm to P-Arm. There is no master artifact—no stable inflator, no 4K encode. There is only a compliance claim: "The defendant conferred with counsel." The architecture that would verify that claim was never built. From shrapnel to checkboxes.

The closing question: Did the architecture permit verification of inflator stability at the moment Mercedes's airbag deployed?

No. The propellant chemistry was undisclosed. The lifecycle testing was suppressed. The certification tested bench conditions, not field reality. The dashboard light tracked presence, not degradation. The consumer saw an interface. The interface lied.

The architecture could not verify the claim. The gap follows the architectural choice. Priced opacity applies.

Case 3: Right to Confer and the Checkbox Collapse (P-Arm)

Part 1: Context

The Experience Gap

Elena Reyes knows something is wrong.

Three months ago, a drunk driver ran a red light and killed her daughter. Sofia was nineteen, a sophomore at ASU, home for Thanksgiving break. The driver—a repeat offender with two prior DUIs—walked away from the wreck. Sofia died at the scene.

Elena's first encounter with the criminal justice system came in the hospital, four hours after identifying her daughter's body. A victim advocate appeared with a clipboard. "I'm so sorry for your loss. I need you to fill out some forms." One of them was the Victims' Rights Request/Waiver Form—a document that would determine whether Elena had a constitutional voice in what happened next.

The form listed rights she had never heard of. The right to be notified. The right to be present. The right to confer with the prosecution before any disposition. Checkboxes. Elena was still wearing the clothes she'd put on that morning, before the call came. She checked every box. She doesn't remember doing it.

She has spent ninety-one days learning that the criminal justice system moves at its own pace. She has learned the vocabulary: "arraignment," "preliminary hearing," "plea conference." She has learned the geography: the fourth floor of the Maricopa County Superior Court, the victim advocate's office in the corner, the parking garage where she sits in her car before every hearing because she cannot bring herself to walk in early.

Today she learns something new. The prosecutor's victim advocate calls at 4

p.m. on a Thursday. "Ms. Reyes, I wanted to let you know—we've reached a plea agreement with the defendant. He'll plead to manslaughter, and we're recommending four to ten years. The hearing is Monday."

Elena's hands are shaking. "What do you mean, you reached an agreement? I thought—the Constitution says I have a right to confer. To be part of this."

"You do have that right, Ms. Reyes. We're conferring right now."

Elena looks at her phone. It is 4

p.m. on a Thursday. The hearing is Monday. The deal is done. The call is the conferral.

Arizona's Constitution promises crime victims the right "to confer with the prosecution, after the crime against the victim has been charged, before trial or before any disposition of the case." The Victims' Bill of Rights, passed by 80% of Arizona voters in 1990, was designed to give victims a voice—not just notification, but participation. The word is "confer," not "notify." The drafters chose it deliberately.

Elena does not feel like a participant. She feels like a checkbox.

She calls a lawyer. The lawyer asks: "Did they document what was discussed? Did you have a chance to respond before the deal was finalized? Is there a record of when you were contacted relative to when the offer was extended?"

Elena doesn't know. She has a call log showing a four-minute conversation. She has the advocate's voicemail from last week that she missed because she was at work. She has a letter that arrived after the call, summarizing the plea terms in bureaucratic prose.

"I believe you," the lawyer says. "But the system treats conferral as a binary. Either the box is checked or it isn't. The box is checked."

The Maricopa County prosecutor's office did not "forget" to build a process for meaningful conferral—it saved time and administrative burden by keeping the fidelity setting low. A four-minute phone call and a form letter satisfy the same constitutional requirement as a two-hour meeting with the trial team. And that equivalence, once established, becomes invisible. The architecture allocates the verification cost to Elena while the State captures the benefit of opacity.

"So they win because the checkbox doesn't care what happened?"

"The architecture makes the distinction invisible," the lawyer says. "This is unilateral architectural allocation—and under current doctrine, it's constitutionally compliant."

The Epistemic Trap

Elena's experience is immediate. She felt the fait accompli in the advocate's tone. She saw the timeline—the deal reached before the call, the hearing scheduled for Monday. She knows her own silence was not consent. The harm happened to her, in real time, in her grief.

But her intuition is not merely personal. It is structurally predictable.

A 2019 study of victims' rights compliance found that while most jurisdictions recorded "notification" rates above 90%, victim satisfaction with conferral—defined as perceived influence over outcomes—averaged below 40%. The architecture reliably produces checkmarks. It does not reliably produce conferral.

The gap begins before any prosecutor makes any decision. Arizona's conferral right is triggered not by constitutional default but by a checkbox on a form presented at or shortly after the crime—often while the victim is injured, traumatized, or navigating language barriers. If the box is missed, the system treats silence as waiver. Elena filled out her form in a hospital hallway. Others miss the form entirely, or encounter it in conditions that prevent thoughtful engagement with rights they do not understand. They are structurally sorted into the "silent" category before the criminal process begins.

Even when invoked, "conferral" is frequently implemented through a one-way notification pipeline: automated letters, form emails, or text messages announcing a proposed plea and inviting the victim to contact the office "if you have questions." If the victim does not respond—because contact information is outdated, the message is opaque, or life intervenes—the file reflects "diligent efforts" and the case proceeds. When a substantive conversation does occur, it commonly happens not in a scheduled meeting but in the hallway outside a status conference. The prosecutor summarizes the offer in two or three minutes; the victim responds from a standing start; the docket ends the discussion.

Elena is living inside this architecture. The constitutional right she holds is real. The form that proves it was honored is real. The distinction between meaningful participation and notification-after-the-fact is invisible to the system—because the system was not designed to see it.

This is the P-Arm trap: the harm is experienced now, but the proof is structurally unavailable because the architecture generates compliance signals without the granularity to verify substance.

Elena cannot prove her case with her case. She would need discovery—the prosecutor's file, the timeline of plea negotiations, the records of all conferrals in the office. She would need to show a pattern: how many victims were contacted before versus after deals were finalized, what modalities were used, whether anyone tracks the distinction. She would need, in other words, to transform her individual experience into a system-wide evidentiary record. And victims' rights doctrine has no mechanism for that transformation.

The Doctrinal Collision

The trajectory of Arizona's victims' rights jurisprudence shows law collapsing substance into documentation.

The Arizona Victims' Bill of Rights (1990) established constitutional protections—"to confer with the prosecution," "to be heard at any proceeding," "to be treated with fairness, respect, and dignity." The language was deliberate. Advocates fought for "confer" over "notify" precisely because conferral implies dialogue, not information transfer. Title 13, Chapter 40 and Rule 39 of the Arizona Rules of Criminal Procedure implemented these guarantees through detailed provisions on notification, invocation, and prosecutorial duties.

But the implementation never operationalized the distinction between attempt and outcome.

State v. Lamberson (2002) held that a victim's conferral rights were satisfied when the prosecutor left voicemails at a phone number that turned out to be disconnected. The victim never received the messages. The court reasoned that the State's obligation was to "attempt" conferral, not to ensure it occurred. The architecture collapsed into effort.

State v. Riggs (2013) went further, holding that a victim's failure to respond to a letter constituted implied consent to the plea. The victim testified she never received the letter—it went to an old address. The court reasoned that the State's records showed the letter was sent. The architecture collapsed into documentation.

Read the holdings together. Lamberson said: attempting conferral satisfies the right. Riggs said: documenting the attempt satisfies the obligation. Neither asked whether the architecture could distinguish meaningful conferral from the bureaucratic appearance of conferral.

The doctrine does not demand that conferral occur. It demands that conferral be documented as having been attempted.

The SDF Reframe

Current victims' rights doctrine treats conferral as a process requirement. SDF reframes: the absence of diagnostic architecture is the structural defect.

The State claims: "We confer with victims." The State builds: opt-in forms presented at trauma, notification letters to outdated addresses, voicemails to disconnected numbers, checkboxes with no timing requirements, no modality standards, no substance documentation. The architecture cannot verify the claim. When a victim challenges the outcome, she is told the box is checked—using records that cannot distinguish between what the right promises and what the architecture delivers.

The conferral checkbox functions like the "merit-based selection" label in Title VII. It asserts compliance while obscuring fidelity. A prosecutor who builds genuine dialogue into the workflow and a prosecutor who makes a Thursday afternoon phone call both produce identical documentation.

Elena's problem is not that Arizona forgot to protect victims. It is that Arizona built an architecture incapable of verifying its own protection. The checkbox is the defect.

The Doctrinal Void

Elena's lawyer files a complaint. The prosecutor's office responds with the file.

The file contains: (1) a form showing "Conferral: ☑" dated two days before the plea hearing; (2) a note saying "VM left at 4

p.m."; (3) a copy of the letter sent after the phone call. The form does not indicate when the plea offer was extended. The note does not indicate what was said. The letter summarizes terms already finalized.

Elena's lawyer requests records of when the plea offer was communicated to defense counsel. The prosecutor's office resists—"work product," "not subject to discovery in this context." The court orders a limited production. The records show the offer was extended the previous Tuesday. The conferral call occurred Thursday. The deal was done before the dialogue began.

The lawyer argues: "This proves the conferral was notification, not participation. She was informed, not consulted."

The prosecutor responds: "The constitutional right is to confer 'before any disposition of the case.' The plea hearing is Monday. The call was Thursday. The conferral occurred before disposition. Under Lamberson, the attempt satisfies the right. Under Riggs, her failure to respond to the earlier voicemail supports implied acquiescence."

The court agrees. The text says "before disposition." Disposition is the hearing. The call preceded the hearing. The attempt was documented. The right was honored.

Elena reads the order in her lawyer's office. The legal reasoning tracks the precedent. It is also absurd. Everyone in the room understands that "conferral" contemplates a victim's voice in the decision, not notification of a completed decision. But the architecture produces no evidence of what conferral meant—only evidence that it was attempted.

When the substantive conferral conversation does occur—in the rare case where one happens—it typically unfolds under docket pressure. The prosecutor, moving dozens of cases toward resolution, processes victim input through cognitive shortcuts calibrated to the bandwidth the architecture provides. Complex victim views—about safety, about closure, about what justice means for this family—compress into low-fidelity summaries. Some victims are processed as "cooperative," "reasonable," "understanding"—their preferences align with office norms and are easily accommodated. Others are processed as "difficult," "emotional," "unreasonable"—their objections require more time than the channel permits.

These categories are not the product of conscious sorting. They are artifacts of processing high-dimensional input through a low-bandwidth channel under load. The architecture forces the compression; bounded rationality provides the heuristics.

"So they win because the form doesn't track timing?"

"The architecture makes the timing invisible," the lawyer says. "The form shows conferral was attempted. The form cannot show whether conferral mattered. That gap is structural—and under Lamberson and Riggs, the State has no obligation to close it."

Elena drives home through Phoenix, past the courthouse where she has spent so many mornings, past the parking garage where she sits before each hearing, past the intersection where Sofia died. In her purse is a letter that says nothing. In the file is a checkbox that says everything.

Somewhere in that courthouse, there is no record of when the offer was made. No documentation of what was discussed. No indication of whether her four-minute call could have changed anything. The absence is not an accident. It is architecture. The system was built to produce compliance signals without producing evidence of what compliance meant.

The question is whether that absence is Elena's failure—or the architecture's.

Observability Gap (Gateway):

  • Fixed Interface: The Victims' Rights Request/Waiver Form and the conferral checkbox—stable bureaucratic artifacts that look identical whether the underlying process was meaningful dialogue or notification-after-the-fact
  • Nominal Equivalence: "Conferred: ☑" labels the full spectrum: hour-long scheduled meetings, fifteen-minute phone calls, two-minute hallway conversations, single automated emails, voicemails to disconnected numbers—all satisfy the same legal standard
  • Two-Axis Opacity: Substance hidden vertically (victim cannot see plea negotiation timeline or decision point); records not structured to capture timing, modality, or influence horizontally (Lamberson and Riggs ensure the architecture need not preserve what would make reconstruction possible)

SDF Entry Point: This is a pure P-Arm case. The fidelity parameter is procedural bandwidth—the channel capacity allocated to victim conferral. The State cannot verify its own compliance claim because it never built the capacity to distinguish meaningful conferral from notification. The signature failure—conferral occurring after decisions are functionally final, documented as occurring "before disposition"—is predictable from the architecture but invisible in the checkbox. The 90/40 gap (90% notification rates, 40% satisfaction with perceived influence) is the empirical trace of the compression.

Part 2: SDF Analysis

A. Fidelity Parameter

Procedural Bandwidth. The parameter is the prosecutor's office choice to build—or not build—conferral architecture capable of verifying meaningful victim participation.

High-fidelity settings include: mandatory synchronous conferral before plea offers are extended, structured documentation of topics discussed and victim preferences stated, timing logs linking conferral to decision points, modality requirements (scheduled meeting or call, not letter or voicemail), follow-up protocols requiring response capture before proceeding.

Low-fidelity settings include: opt-in forms presented at trauma with waiver presumption, notification letters sent after offers are finalized, voicemails with no confirmation of receipt, binary checkboxes with no substance fields, no timing documentation relative to decision points, nonresponse treated as acquiescence per Riggs.

The parameter is controlled at system design—the forms created, the workflows established, the documentation standards adopted—years before any individual case generates a complaint. By the time litigation arrives, the architecture has already determined what evidence can exist.

B. Observability Gap

  • Fixed Interface: The conferral form and minute entry. Every case produces the same genre of documentation—a checkbox, a date, perhaps a note field saying "VM left." The form is stable regardless of whether the underlying interaction was robust dialogue or a message to a disconnected number.
  • Nominal Equivalence: "Conferral: ☑" and "reasonable efforts made" label the entire modality spectrum:
    • Scheduled, in-person meeting with prosecutor and victim advocate, lasting an hour, covering charges, evidence, proposed plea, victim concerns, and available options
    • Fifteen-minute phone call explaining an offer and asking whether the victim objects
    • Two-minute hallway conversation outside a status conference
    • Single automated email with form letter and no follow-up
    • Voicemail to outdated or disconnected number, logged as "attempted contact"
  • All satisfy "conferral" under Lamberson and Riggs. The label absorbs the variance.
  • Two-Axis Opacity:
    • Structural (Vertical): The victim cannot see the plea negotiation timeline, the internal decision points, or whether input was incorporated. The substantive record lives in the prosecutor's internal file—work product, not part of the public record, not visible to the court except through the prosecutor's summary.
    • Temporal (Horizontal): Contemporaneous records rarely capture timing relative to offer extension. Notes, if they exist, are unstructured and vary by prosecutor—from "Victim strongly opposed, cited specific safety concerns" to "Victim emotional, explained plea is best option." By the time a complaint is filed, the sequence cannot be reconstructed—only the checkbox remains.

C. Signature Failure

Timing Inversion and Modality Collapse. The signature is not any individual conferral—each can be documented as compliant. The signature is the pattern: conferrals systematically occurring after the practical decision point, through lowest-cost modalities, documented as occurring "before disposition" because disposition means the hearing, not the decision.

This manifests as:

  • The 90/40 Gap: Notification rates above 90%; victim satisfaction with perceived influence below 40%. The architecture reliably produces checkmarks; it does not reliably produce conferral.
  • Occurrence-Substance Divergence: The record reliably shows "conferral occurred" or "reasonable efforts made" while the actual interaction ranges from meaningful dialogue to voicemail-to-disconnected-number—with no corresponding change in documentation.
  • Timing Inversion: Conferral routinely occurs after the plea offer is extended, converting "input" into "notification plus reaction." The constitutional text ("before disposition") is satisfied by the hearing date, not the decision date.
  • Modality Collapse: Under caseload pressure, the architecture drifts toward lowest-cost channels—voicemail, letter, email—because nothing structurally requires synchronous dialogue. Lamberson blesses this drift.
  • Binary Output Compression: High-dimensional victim preferences—about sentencing, restitution, conditions, safety, closure—compress into a single bit: "conferred / not conferred" or "efforts made / not made."
  • Narrative Compression Categories: Victims processed under load are sorted into heuristic buckets: "cooperative" / "difficult," "reasonable" / "emotional." The categories are artifacts of bandwidth constraints, not conscious judgment.

The pattern is detectable only through aggregation—timing analysis across cases, modality distribution, correlation between conferral timing and victim satisfaction. Individual files look compliant. The 90/40 gap reveals the architecture.

D. Proof Targets

TargetWhy Critical
Timing logsWhen was victim contacted relative to (i) offer formulation, (ii) offer extension to defense, (iii) defense response?
Modality distributionScheduled meeting vs. phone vs. voicemail vs. letter—what is the actual breakdown across the office?
Form presentation dataWhen and under what conditions are Request/Waiver forms presented? What is the opt-in rate?
Documentation standardsDoes a structured conferral record exist? Does it capture substance or only occurrence?
Offer-timeline reconstructionCan the sequence of negotiation be compared to conferral timing across cases?
Quality auditsDoes the office audit conferral substance, or only completion rates?
Satisfaction dataIf collected, does victim satisfaction correlate with modality and timing?

The decisive evidence is architectural: not "what did the prosecutor tell Elena?" but "does this system generate evidence capable of distinguishing meaningful conferral from notification?" If not, the non-diagnosticity is the defect.

E. Arizona Already Knows How to Build This

The objection that structural guardrails are novel to Arizona fails on the state's own precedent. Arizona's courts have repeatedly built procedural architecture when constitutional rights conflict:

  • R.S. v. Thompson: When a victim's constitutional privacy interest conflicted with the defendant's right to relevant evidence, the Court created in camera review—a structural mechanism that makes competing rights operational under controlled conditions before disclosure. The architecture preserves both rights by making the conflict visible and reviewable.
  • State ex rel. Montgomery v. Padilla: The Court addressed tension between child victim protection and confrontation rights by approving procedural accommodations—screens, closed-circuit testimony—that preserved the substance of both rights through architectural design.
  • State ex rel. Montgomery v. Brain: The Court emphasized that victim-facing statutes must be construed to make rights operational, not merely symbolic. A restitution order that cannot be enforced is not a remedy.

The lesson: when procedural design creates tension between constitutional commitments, Arizona's response is to build architecture—to specify the mechanisms that make rights operational under real-world conditions. Conferral presents the same structural problem. The Constitution promises a right; the implementing architecture compresses that right into low-fidelity rituals; Lamberson and Riggs ensure doctrine cannot see the compression. The solution is architectural—and Arizona law already knows how to build it.

F. Remedy

Priced Opacity. Under current doctrine, the victim must prove conferral was inadequate using evidence the State's architecture chose not to generate—and Lamberson and Riggs have blessed that choice. SDF inverts: if the State asserts conferral occurred, the State must demonstrate diagnostic capacity to verify that claim.

The State bears the evidentiary gap unless it proves Diagnostic Sufficiency—showing that conferral timing was documented relative to decision points, substance was captured, modality met minimum standards, and audit trails permit reconstruction.

Structural Safe Harbor: Prosecutors' offices that adopt high-fidelity architecture earn a presumption of compliance:

  • Transparency: Standardized notices specifying when conferral will occur, available modalities, and how victim input will be recorded
  • Validation: Structured conferral protocols, scheduled conferences, timing documentation relative to offer extension
  • Assurance: Auditable records justifying architectural choices

Where these conditions are met, the office starts from structural compliance. A victim may still challenge a specific failure, but bears the burden of proving the high-fidelity architecture failed in their case.

The Black-Box Penalty: Where an office operates low-fidelity architecture—notification-only pipelines, hallway triage, Lamberson-compliant voicemails—and refuses to adopt safeguards:

  • Burden Shifting: Once a victim demonstrates processing through low-fidelity architecture and alleges a failure, the burden shifts to the State to prove meaningful conferral occurred
  • Evidentiary Presumptions: In the absence of structured records, courts presume the lowest-fidelity configuration consistent with office practice was used

Defeater: The State defeats the P-Arm claim by demonstrating it built the architecture:

  • Mandatory synchronous conferral (scheduled call or meeting, not voicemail or letter)
  • Timing guardrails (conferral must precede offer extension, documented)
  • Structured records capturing topics discussed and victim response
  • Retention and audit sufficient for pattern analysis

If the system can answer "did conferral occur before the decision and permit victim input?"—and the answer is yes—the claim fails.

The One-Liner: You cannot claim "conferral" if you built a system incapable of distinguishing dialogue from notification.

Bridge

Right to Confer shows the P-Arm in a domain where the fix is architecturally straightforward. Unlike Title VII—where "merit" is contested and measurement is politically fraught—conferral has a clear substrate. Timing can be logged. Modality can be required. Substance can be documented. The constitutional right contains its own enforcement architecture; Lamberson and Riggs simply blessed a State that chose not to build it.

Arizona's own jurisprudence—Thompson, Padilla, Brain—demonstrates the state knows how to engineer procedural solutions when rights conflict. The conferral problem is not that Arizona lacks the tools. It is that the current architecture captures the benefit of opacity while allocating the verification cost to victims who cannot bear it.

Title VII escalates the stakes: the obligation is vaguer, the measurement is harder, and Wal-Mart v. Dukes actively forecloses aggregation. But the structure is identical—a compliance claim asserted through architecture incapable of verification.

The closing question: Did the Maricopa County prosecutor's architecture permit verification of meaningful conferral at the moment Elena was notified of the plea?

No. The form recorded that conferral was attempted. The form could not record when, how, or whether it mattered. Lamberson says the attempt is enough. Riggs says her missed voicemail implies consent. The file contains a checkbox that says everything and nothing.

The architecture could not verify the claim. The gap follows the architectural choice. Priced opacity applies.

Case 4: Title VII and the Reality Trap (P-Arm)

Part 1: Context

The Experience Gap

Maria Gonzalez knows something is wrong.

She has been at Heartland Financial for six years. She started as a credit analyst, was promoted to senior analyst in year two, and has exceeded her performance targets every quarter since. Her reviews say "exceptional." Her colleagues come to her with questions. When the VP of Commercial Lending retired last spring, she applied.

The job went to Kevin Mitchell. Kevin has been at Heartland for three years. His reviews say "meets expectations." He's a nice guy. He plays golf with the regional director.

No one told Maria why she wasn't selected. The rejection letter said: After careful consideration, we have decided to move forward with another candidate whose qualifications more closely match our current needs. We appreciate your interest and encourage you to apply for future opportunities.

Maria sits in her car in the parking garage and reads the letter twice. She knows what happened. She has known since the interview, when the panel asked Kevin about his "leadership philosophy" and asked her whether she could "handle the travel schedule with her family situation." She is the only Latina in the commercial lending department. She was the only woman who applied for the VP role.

Her isolation is not unusual. Latinas are twice as likely as white women to be the "only" person of their race or ethnicity in the room at work. Maria experiences this as loneliness. The data describes it as architectural sorting—a predictable output of systems that filter demographics at each pipeline stage.

She calls a lawyer. The lawyer asks: "Do you have any emails? Any written statements? Did anyone say anything explicitly about your race or gender?"

No. No one said anything explicit. No one ever does.

The lawyer sighs. "I have to be honest with you. These cases are hard. You'll need to show you were qualified, that you were rejected, and that they treated you differently than similarly situated employees. Do you know Kevin's performance reviews? His qualifications? The scoring rubric they used?"

Maria doesn't know any of this. She can't know it. Heartland did not "forget" to build a rubric; it saved money and managerial time by keeping the fidelity setting low—and it also bought itself deniability, because low-fidelity systems do not generate audit trails. The only document Maria has is a letter that says nothing.

"I believe you," the lawyer says. "But believing isn't proving."

The Epistemic Trap

Maria's experience is immediate. She felt the different questions in the interview. She saw who got the job. She knows her own record. The harm happened to her, in real time, in her body.

But her intuition is not merely personal but statistically significant.

In corporate America, the promotion pipeline is not a smooth slope. It has a documented architectural feature called the "broken rung"—the first step up to manager, where the gap between groups opens and never closes. For every 100 men promoted from entry-level to manager, only 81 women are promoted. For Latinas, the number drops to 74.

The VP role Maria sought sits above the broken rung, where the filtering has already compounded. Latinas make up roughly 5% of entry-level corporate employees. By the C-suite, they are 1%. At major U.S. banks—Heartland's peer institutions—the odds of a Latino employee reaching an executive position are as low as 15% compared to white colleagues. The pipeline does not gradually narrow; it falls off a cliff at precisely the transition points where "discretion" and "fit" govern selection.

Maria is living inside this statistical cliff. She does not have access to Heartland's internal promotion data, but she is experiencing the distribution it produces. Her intuition that "something is wrong" is not anecdotal. It is the felt experience of architectural filtering.

But proof is not immediate. Proof requires evidence—documents, comparators, patterns. And the architecture of Heartland's hiring process was not designed to generate that evidence. There is no structured rubric. There are no documented criteria. The interview panel's notes, if they exist, are impressionistic. The "careful consideration" referenced in the letter left no trace.

This is the P-Arm trap: the harm is experienced now, but the proof is structurally unavailable until aggregation reveals a pattern the architecture never intended to record.

Maria cannot prove her case with her case. She would need discovery—Kevin's file, the panel's notes, the history of promotions in the department. She would need to show a pattern: how many women applied, how many were promoted, what reasons were given, whether those reasons were applied consistently. She would need statistical analysis, comparator identification, expert testimony.

She would need, in other words, to transform her individual experience into a class-wide evidentiary record. And Wal-Mart v. Dukes closed that door.

The Doctrinal Collision

The trajectory of Title VII doctrine shows law struggling with architecture it cannot name.

Griggs v. Duke Power (1971) held that Title VII targets "consequences," not just motivation. Facially neutral practices that produce discriminatory effects are actionable—even without proof of intent. The law would look at outcomes, not just minds.

Watson v. Fort Worth Bank & Trust (1988) extended this logic to subjective practices. The plurality recognized that discretionary systems—unstructured interviews, subjective evaluations, "fit" assessments—can produce effects "indistinguishable from intentionally discriminatory practices." Discretion was not a safe harbor.

Wal-Mart v. Dukes (2011) reversed course. The Court held that Walmart's policy of allowing local managers discretion over pay and promotion was "just the opposite of a uniform employment practice." Because each manager exercised independent judgment, there was no common policy to challenge. The class could not be certified.

Read the holdings together. Griggs said: look at effects. Watson said: discretion can produce discriminatory effects. Dukes said: but discretion is not a "practice," so you cannot aggregate to prove those effects.

The doctrine collides with itself. The very feature that makes discrimination possible—unstructured discretion operating without diagnostic constraint—becomes the doctrinal reason you cannot prove it.

The SDF Reframe

Dukes treated discretion as the absence of a policy. SDF reframes: discretion is the policy. It is an architectural choice—a decision to build evaluation systems without the diagnostic capacity to verify compliance with stated standards.

The employer claims: "We select on merit." The employer builds: unstructured interviews, undocumented criteria, no retained comparators, no mandatory reason-giving. The architecture cannot verify the claim. When a plaintiff challenges the outcome, she is told to prove the decision was wrong—using evidence the architecture was designed not to generate.

This is the P-Arm in its purest form. The baseline is not an upstream artifact (there is no "correct hiring decision" sitting in a file somewhere). The baseline is the employer's own compliance claim: we did not discriminate. The structural defect is an evaluation architecture that cannot test that claim.

The plaintiffs in Dukes lost not because there was no common practice. They lost because the common practice was non-diagnostic architecture itself—and the Court could not see it.

The Doctrinal Void

Maria's lawyer takes her case. Discovery is expensive, slow, adversarial. Heartland's counsel objects to every request. The interview notes, it turns out, were never retained. The scoring rubric, it turns out, never existed. Kevin Mitchell's personnel file is produced—it contains performance reviews that say "meets expectations" and nothing about why he was selected for VP.

Maria's lawyer deposes the hiring panel. Each member testifies that they selected "the best candidate." When asked what criteria they used, the answers are gauzy: "leadership potential," "executive presence," "cultural fit." When asked how they measured these qualities, the answers dissolve: "You just know it when you see it."

Maria's lawyer requests applicant-flow data. How many Latinas have applied for VP-level positions at Heartland in the last ten years? How many were promoted? The company resists—"unduly burdensome," "not reasonably calculated to lead to discoverable evidence." The magistrate splits the difference: three years of data, anonymized.

The data arrives. Maria's lawyer runs the numbers. The pattern is there: Latinas apply at rates proportional to their representation in the senior analyst pool; they are promoted at half that rate. The 74-per-100 broken rung, visible in the national data, is visible here too. But Heartland argues the sample size is too small for statistical significance. And besides—each decision was individualized. There is no "policy" to challenge.

The company moves for summary judgment. Their brief argues: the plaintiff has not identified a specific employment practice that caused the disparity. She points to "discretion," but discretion is not a practice—it is the absence of a practice. Under Dukes, that cannot support a pattern-or-practice claim. And without a pattern, she has only her individual experience: she applied, she was rejected, someone else was hired. That is not discrimination. That is employment.

Maria reads the brief in her lawyer's conference room. The legal argument is airtight. It is also insane. She knows what happened. The company's own witnesses cannot explain why Kevin was better. The absence of criteria is not a defense—it is the problem. The architecture that made discrimination possible is now the architecture that makes it unprovable.

She looks at her lawyer. "So they win because they didn't write anything down?"

The lawyer pauses. "Yes. The architecture allocates the verification cost to you while the employer captures the benefit of opacity. This is unilateral architectural allocation—and under current doctrine, it's perfectly legal."

Maria drives home through downtown Topeka, past the Heartland Financial tower where she still works, where she will keep working because she cannot afford to quit, where Kevin Mitchell is now her boss.

She knows what happened. She experienced it in her body—the different questions, the shifted tone, the letter that said nothing. Her knowledge is immediate, complete, and legally worthless.

But her knowledge is also statistically accurate. She is not paranoid. She is not imagining patterns. She is living inside a distribution that has been measured, documented, and exposed in study after study—the broken rung, the pipeline cliff, the 74 per 100, the 5% to 1% collapse. The architecture that produced her outcome produces the same outcome at scale, predictably, measurably, year after year.

Somewhere in that tower, there is no file. No rubric. No record of why Kevin and not Maria. The absence is not an accident. It is architecture. The system was built to produce outcomes without producing evidence of how those outcomes were reached—even as the outcomes, aggregated, form a signature visible to anyone with the data Maria cannot access.

The question is whether that absence is Maria's failure—or the architecture's.

Observability Gap (Gateway):

  • Fixed Interface: The rejection letter and "merit-based selection" HR veneer—stable, professional, content-free regardless of what happened underneath
  • Nominal Equivalence: "Merit-based" labels both structured assessment systems and golf-course preference systems identically
  • Two-Axis Opacity: Criteria hidden vertically (candidate cannot see evaluation standards); records erased or never created horizontally (no temporal reconstruction possible)

SDF Entry Point: This is a pure P-Arm case. The fidelity parameter is diagnostic schema—the presence or absence of structured evaluation architecture. The employer cannot verify its own compliance claim because it never built the capacity to do so. The signature failure—distributional clustering at the broken rung—is empirically documented at the population level but structurally hidden at the individual level by the same architecture that produces it.

Part 2: SDF Analysis

A. Fidelity Parameter

Diagnostic Schema. The parameter is the employer's choice to build—or not build—evaluation architecture capable of verifying merit-based selection.

High-fidelity settings include: structured interview protocols with standardized questions, documented scoring rubrics applied consistently across candidates, mandatory reason-giving for selection decisions, retained comparator data enabling pattern analysis, calibration processes ensuring inter-rater reliability.

Low-fidelity settings include: unstructured interviews, undocumented "fit" assessments, discretionary evaluation with no audit trail, destroyed or non-retained candidate files, no inter-rater comparison.

The parameter is controlled by the employer. The setting is chosen at system design, years before any individual decision is challenged. By the time litigation arrives, the architecture has already determined what evidence can exist.

B. Observability Gap

  • Fixed Interface: The rejection letter. Every candidate receives the same genre of communication—professional, neutral, content-free. "We have decided to move forward with another candidate." The interface is stable regardless of whether the underlying decision was rigorous or arbitrary.
  • Nominal Equivalence: "Merit-based selection" labels both structured and unstructured systems. An employer using validated assessments and an employer using golf-course networking both claim to hire "the best candidate." The label masks architectural variance.
  • Two-Axis Opacity:
    • Structural (Vertical): The candidate cannot see the evaluation criteria, the comparator pool, or the decision-maker's reasoning. The HR department may not see it either—if the hiring manager's discretion is unconstrained, no one aggregates or audits.
    • Temporal (Horizontal): Candidate files are often destroyed after a retention period. Interview notes, if they existed, are discarded. By the time litigation commences, the contemporaneous record has been erased. The plaintiff must reconstruct a decision from artifacts the architecture never preserved.

C. Signature Failure

Distributional Clustering. The signature is not any individual decision—each rejection can be justified in facially neutral terms. The signature is the pattern: outcomes that correlate with demographic proxies rather than the stated merit criteria.

This manifests as:

  • The Pipeline Drop: A 78% decrease in Latina representation from entry-level to C-suite—the steepest cliff of any demographic group
  • The Broken Rung: A measurable divergence at the first management transition (74 Latinas promoted per 100 men) that compounds at every subsequent level
  • The Fit Proxy: "Culture fit" and "executive presence" assessments that track in-group affinity rather than job-relevant criteria
  • Inter-Rater Variance: Inconsistent evaluations indicating no common standard is being applied

The pattern is detectable only through aggregation—statistical regression, audit studies, applicant-flow analysis. Individual decisions look rational in isolation. The distribution reveals the architecture.

D. Proof Targets

TargetWhy Critical
Evaluation protocolsWere structured rubrics mandatory or optional?
Reason-giving requirementsWhat must be documented? Who reviews it? Is it enforced?
Comparator retentionCan "similarly situated" candidates be reconstructed?
Inter-rater reliability dataWas discretion calibrated or uncontrolled?
Applicant-flow statisticsDoes the internal promotion rate match the 74/100 broken-rung pattern?
Training materialsWhat were decision-makers told about evaluation standards?
Audit historyHas the employer ever tested its own system for disparate impact?

The decisive evidence is architectural: not "what did this manager think about Maria?" but "does this system generate evidence capable of answering that question?" If not, the non-diagnosticity is the defect.

E. Remedy

Priced Opacity. Under current doctrine, the plaintiff must prove discrimination using evidence the defendant's architecture chose not to generate. SDF inverts: if the employer asserts merit-based selection, the employer must demonstrate diagnostic capacity to verify that claim.

The employer bears the evidentiary gap unless it proves Diagnostic Sufficiency—showing that structured criteria were enforced, reasons were documented, comparators were retained, and audit trails permit reconstruction.

Defeater: The employer defeats the P-Arm claim by demonstrating it built the architecture. Mandatory structured interviews, documented scoring, retained comparator data, inter-rater calibration, and applicant-flow monitoring collectively constitute Diagnostic Sufficiency. If the system can answer "did we apply the stated criteria consistently?"—and the answer is yes—the claim fails.

The One-Liner: You cannot claim "merit" if you built a system incapable of measuring it.

Bridge

Title VII shows the P-Arm at maximum doctrinal stress. The harm is real. The experience is immediate. The statistics are documented at the population level. But the architecture makes proof impossible at the individual level—and then forecloses aggregation as a remedy.

Case 5 (Rule 26) will show what happens when T-Arm platform choices break P-Arm procedural safeguards—when the technical substrate shifts and the legal proxy loses calibration. The arms begin to interact.

The closing question: Did Heartland's architecture permit verification of its merit-based selection claim at the moment Maria was rejected?

No. The process generated no rubric, no documented reasons, no retained comparators. The file contains a letter that says nothing. The signature failure—the broken rung, the pipeline cliff—is visible in national data but invisible in Heartland's records, because Heartland's records were designed not to see it.

The architecture could not verify the claim. The gap follows the architectural choice. Priced opacity applies.

The three surgical inserts now land:

  1. Fidelity as private cost variable — in the lawyer scene: "Heartland did not 'forget' to build a rubric; it saved money and managerial time by keeping the fidelity setting low—and it also bought itself deniability..."
  2. Unilateral architectural allocation — in the "didn't write anything down" dialogue: "The architecture allocates the verification cost to you while the employer captures the benefit of opacity. This is unilateral architectural allocation..."
  3. Observability Gap triad — explicit 3-bullet gateway snap immediately before the SDF Entry Point

Part 1: The Protocol

Rule 26 functions as a data-access protocol. It defines what must be pushed automatically (mandatory disclosures), what can be pulled by request (discovery), and the governance layer that constrains exchange (protective orders, privilege, and ESI agreements).

PhaseRuleFunctionWhat Moves
PUSH26(a)Mandatory disclosureWitness identities, supporting docs, damages computation, insurance, expert reports. No query required—auto-transmit.
PULL26(b)Request + FiltersAny non-privileged matter relevant to claims/defenses—if proportional. The proportionality filter weighs burden against benefit.
PROTECT26(c)/(f)GovernanceProtective orders, privilege logs, ESI format agreements. The firewall and config layer.

Proportionality lives in PULL. It is the cost function: Does the burden of production outweigh the likely benefit?

The function assumes burden tracks harm. When extraction was hard—paper warehouses, manual review, physical sorting—high burden signaled high intrusion. The proxy worked.

Native vs. Non-Native Inputs

In computer science, native data types are processed by the system's core kernel automatically. An integer operation runs at machine speed because the CPU was built to handle it. Non-native inputs require wrappers, translation layers, or abstraction steps before the system can recognize them. They work, but they're friction.

Rule 26 has the same architecture:

Input TypeExamplesProtocol Treatment
NativeTime to produce, engineering hours, storage costs, page counts, review burdenAutomatically sensed, automatically weighted, zero doctrinal overhead
Non-nativePrivacy, dignity, audience-shift, cognitive exposure, nonparty harmRequires explicit motion, separate briefing, judicial activation

Logistics inputs are Rule 26's integers—the protocol was built to handle them. A party says "this will take 400 hours of document review" and the proportionality filter processes it instantly.

Privacy inputs are Rule 26's foreign objects. They can enter the system, but only through a wrapper: a Rule 26(c) motion, a tailored protective order, a special master protocol, or a judge who affirmatively reaches for the override. The protocol doesn't reject them. It just doesn't see them unless someone manually injects them into the calculation.

Part 2: The Protocol Working

Techs Co. v. Devs Inc.

The case: Techs sued former employee Devs, alleging he stole trade secrets related to a proprietary dynamic pricing algorithm before leaving to start a competitor.

The request: Techs demand a complete image of all source code repositories—Git history, branches, and stashes—created or modified by Devs from January 1 to present.

Running the filters:

FilterAnalysisResult
RelevanceCode is where evidence of theft would livePASS
PrivilegeSource code isn't attorney work productPASS
ProportionalityRequest demands everything—unrelated projects, personal work, other clients' IP. Signal-to-noise ratio too low.FAIL

The output: Devs moves for a protective order. The judge denies the request: "Scope is not narrowly tailored to the trade secrets at issue. Burden of producing unrelated proprietary code outweighs the benefit."

The patch: Techs refactors: "Production of source code files containing keywords ['sigmoid', 'optimizationloop'] OR modules related to 'dynamic pricing functions.'"

Now it runs. Targeted scope, lower burden, proportional.

Why the proxy worked: Burden was real (exposed entire codebase to competitor). Harm tracked burden. The cost function filtered correctly.

Part 3: The Protocol Breaking

NYT v. OpenAI: Background

On December 27, 2023, The New York Times filed suit against OpenAI and Microsoft in the Southern District of New York, alleging that ChatGPT was trained on millions of copyrighted Times articles and now reproduces that journalism—sometimes verbatim—in response to user queries. The complaint included over 100 examples of ChatGPT outputs that closely mirrored Times content.

The copyright claim required proof that reproduction was systematic, not anomalous. Were the examples in the complaint rare edge cases, or evidence of a pattern baked into the model's weights? Answering that question required access to what the model actually produced at scale.

Discovery commenced. The Times sought production of ChatGPT conversation logs to analyze reproduction patterns across a representative sample of real-world outputs.

The December 2025 Order

On December 3, 2025, Magistrate Judge Ona T. Wang issued an order compelling OpenAI to produce a random sample of approximately 20 million ChatGPT conversations.

The court acknowledged the privacy interests at stake. OpenAI had argued that production would sweep in enormous volumes of user communications—health questions, relationship advice, personal confessions—from nonparties who never agreed to become evidence in a copyright dispute.

Judge Wang's order crystallized the doctrinal problem in a single paragraph:

"The Court recognizes that the privacy considerations of OpenAI's users are sincere. However, such considerations are only one factor in the proportionality analysis, and cannot predominate where there is clear relevance and minimal burden."

Each clause is doctrinally correct. That is the problem.

Running the Filters

FilterAnalysisResult
RelevanceUser interactions are evidence of reproduction patternsPASS
PrivilegeLogs aren't attorney work productPASS
ProportionalityExtraction burden minimal (pre-indexed, exportable ESI) despite massive nonparty exposurePASS → GRANTED

The Proportionality Calculation

OpenAI's platform was architected for retention, indexing, and export. The conversations exist as structured ESI—pre-consolidated, pre-indexed, instantly producible. Extraction burden: hours of engineering time.

Exposure: Twenty million conversations. Users who spoke to a chatbot under conditions of perceived privacy—about health, relationships, fears, plans. The speakers are nonparties with no notice, no standing, no voice in the proportionality contest.

The Comparison

FactorTechs Co. v. Devs Inc.NYT v. OpenAI
Extraction burdenHighMinimal
Exposure harmHigh (competitor sees IP)Maximal (20M private conversations)
Proxy verdictOverbroad → DENIEDProportional → GRANTED

In Techs Co., burden ≈ harm. The proxy works.

In NYT v. OpenAI, burden ≠ harm. The platform built retention architecture so efficient that burden no longer tracks what it was designed to measure. The cost function returns "proportional" because the denominator (extraction effort) has collapsed—not because the numerator (dignitary exposure) has shrunk.

The protocol still runs. The filter no longer filters.

Part 4: The View from Inside

Rachel Stern is a litigation partner at a midsize firm in Manhattan, eighteen years out of Columbia Law. Her client is a major newspaper. The defendant is an AI company. The copyright claim is strong. The facts are favorable.

The problem is the evidence.

At the Rule 26(f) conference, defense counsel slides a technical diagram across the table. Arrows point to boxes labeled "inference endpoint," "token generation," "session state." A dotted line labeled "retention horizon" bisects the diagram.

"There is no 'metadata' for a session that ended six months ago. The weights are static; the inference is ephemeral. We can give you the output text. We can give you the input prompts. The reasoning trace that generated the output? It dissolved the millisecond the token was generated."

Rachel stares at the diagram. "You designed a system that processes billions of queries and retains no record of how it generated responses?"

"We retain what we need for product improvement and safety monitoring. We don't retain inference-level diagnostics. The storage costs would be astronomical. Our retention policy is thirty days for session logs, then auto-delete."

"Thirty days."

"For consumer-tier users, yes. Enterprise clients can negotiate extended retention for their own compliance needs."

Rachel's pen stops. "Enterprise clients get extended retention?"

"For audit and compliance purposes. Goldman Sachs needs to prove to regulators that their AI-assisted analysis was sound. They pay for logging infrastructure."

"So the logging capability exists. You just choose not to deploy it."

"We choose to respect user privacy. The architecture reflects that choice."

Rachel looks at the diagram again. The dotted line. The word "ephemeral."

"Let me make sure I understand. My client's copyrighted work was ingested into your training data. Your model reproduces that work in response to user queries. I want to prove the reproduction is systematic. To do that, I need to see how the model reasons from input to output. And you're telling me that evidence doesn't exist because you designed the system not to create it."

"We're telling you the evidence doesn't exist because retaining it would be disproportionately burdensome. Rule 26(b)(2)(B) limits discovery of ESI that is 'not reasonably accessible because of undue burden or cost.' We'll produce what we have. We can't produce what was never created."

The motion practice proceeds. The court orders limited production: chat logs from the past ninety days. No inference traces. No attention maps. No precision-tier disclosures.

Rachel reads the order. The legal reasoning is doctrinally correct. The practical effect is that she must prove systematic copyright infringement using only the visible outputs while the reasoning architecture that generated those outputs remains permanently inaccessible.

The defendant did not delete the smoking gun. The defendant designed a system where the smoking gun dissolves before anyone can look for it.

Part 5: SDF Diagnostic

The P-Arm Claim

Rule 26's proportionality framework asserts a guarantee: Discovery scope will be calibrated to balance evidentiary need against production burden, producing fair access to relevant information.

That's the forward-facing claim. The protocol promises that proportionality analysis will filter requests appropriately.

The T-Arm Requirement

If the P-Arm claim is valid, then the framework must be able to verify that burden tracks harm. The T-Arm artifacts would include:

  • Measurement of nonparty exposure as a native input
  • Capacity to distinguish logistics burden from dignitary burden
  • Mechanism to weight harm borne by absent parties

The Architectural Reality

The protocol has no such artifacts. Logistics (time, cost, engineering hours) are native inputs—automatically sensed, automatically weighted. Dignitary harm to nonparties is non-native—invisible to the proportionality filter unless manually injected through separate motion practice.

The architecture was designed for bilateral disputes over party-controlled information. It assumes the people whose privacy is at stake are parties who can assert their own protections. When the information belongs to twenty million nonparties with no notice, no standing, and no voice, the protocol has no input for their harm.

Gateway: The Observability Gap

Fixed Interface. The proportionality standard presents a stable surface: "relevant and proportional to the needs of the case." That formula applies identically whether the underlying data is business invoices or cognitive confessions. The interface does not change based on content type.

Nominal Equivalence. Everything is "logs." Discovery disputes collapse heterogeneous content into a single category—"conversations," "output data," "samples." Business prompts and personal confessions become interchangeable units. Once collapsed, proportionality analysis treats dataset management (scope, sampling, export) rather than content-sensitive dignitary injury.

Two-Axis Opacity.

  • Vertical: Nonparty speakers cannot audit what is logged, what is retained, what metadata attaches, how sampling is performed, or what "de-identification" removes.
  • Horizontal: By the time litigation commences, speakers have no notice that their words have become evidence. The temporal window for objection has closed before it opened.

The Four Elements

Structural Invisibility. The people most exposed by AI log production—nonparty users—cannot observe or contest the design features that determine discoverability. They see a conversational interface; the litigation system sees an exportable dataset.

Foreseeable Harm. Once diary-shaped speech is stored as searchable text and treated as ordinary ESI, compelled exposure at scale is predictable. The harm does not depend on public dissemination. It follows from forced audience shift—strangers in a lawsuit reading words written under conditions of perceived privacy.

Doctrinal Mismatch. Rule 26's proportionality calculus is built for cost, labor, and case-management. It has no vocabulary to treat dignitary injury to nonparties as structurally weight-bearing when export friction is low. The doctrine can produce "minimal burden" conclusions at precisely the moment when injury is largest.

Epistemic Asymmetry. Platforms hold the key facts needed to evaluate exposure risk: retention settings, indexing architecture, sampling tools, export pipelines. Nonparty users have none of this. Demonstrating the scope of harm requires access to the very materials that constitute the harm.

The Diagnostic Output

Rule 26's proportionality framework asserts a P-Arm claim: proportional discovery.

The framework's architecture blocks the T-Arm verification: no native input for nonparty dignitary harm.

When native inputs return "minimal burden" and non-native inputs aren't activated, the protocol optimizes for what it can see. The filter runs. The output is "proportional." Twenty million diaries are authorized for production—not because the court weighed privacy and found it wanting, but because privacy never entered the native input stream.

Contravariance violation diagnosed. The framework guarantees proportionality while making proportionality unverifiable for the class of harm most at stake.

Coda: Architectures That Could Verify

The copyright question can be answered without mass extraction.

Zero-Knowledge Discovery. A Technical Special Master runs specific queries against the defendant's database in situ: "What percentage of outputs contain verbatim strings exceeding fifty words from Times content?" The plaintiff receives the statistic—evidence of infringement rates—without ever seeing user content.

Differential Privacy Sampling. Instead of producing conversations, produce statistical aggregates with noise injection sufficient to prevent individual identification while preserving population-level patterns.

Synthetic Reproduction Testing. Instead of searching real user logs, test the model's propensity to reproduce copyrighted content through controlled prompting by a neutral expert. The capability question is answered without exposing actual users.

These alternatives exist. They would constitute T-Arm artifacts sufficient to verify the P-Arm claim of proportionality.

Their absence from the protocol is the structural defect.

Case 6: Boeing 737 MAX and the Jedi Mind Trick (T→P Stacking)

Part 1: Context

The Experience Gap

Captain Yared Getachew knows something is wrong.

It is 8

a.m. on March 10, 2019. Ethiopian Airlines Flight 302 has been airborne for two minutes. The Boeing 737 MAX 8 is climbing through 8,000 feet over Bishoftu, Ethiopia. There are 157 people aboard.

The stick shaker activates—the violent column vibration that warns of an impending stall. But the aircraft is not stalling. It is climbing at normal speed. The left angle-of-attack sensor, damaged on the ground, is feeding the flight computer false data: the nose is too high, the aircraft is about to fall out of the sky. The sensor is wrong. The computer believes it.

Captain Getachew does not know about MCAS.

The Maneuvering Characteristics Augmentation System was installed to solve a problem Boeing created for itself. The MAX's larger engines, mounted forward, changed the aircraft's handling characteristics—it pitched up more aggressively than the 737 NG. Rather than redesign the airframe or require simulator training, Boeing added software that would automatically push the nose down when sensors detected a high angle of attack. One software patch to preserve one certification shortcut.

But MCAS was not in the flight manual. It was not in the pilot training. Boeing removed references to it—deliberately, to avoid triggering the FAA's "differences training" requirement. If pilots needed to learn a new system, they would need simulator time. Simulator time costs $10,000 per pilot. There are thousands of pilots. The math was simple. The system was hidden.

Now the system is activating. The stabilizer trim—the massive horizontal surface that controls pitch—is moving on its own. The nose drops. Captain Getachew and First Officer Ahmednur Mohammed pull back on the column. The nose rises. The trim moves again. The nose drops.

They do not know they are fighting MCAS. They cannot know. The interface is a 737 cockpit—the same cockpit they trained on, the same instruments, the same type rating. The cockpit tells them the trim is moving. It does not tell them why. It does not tell them that a single sensor is commanding the movement. It does not tell them that the system will keep firing, every ten seconds, until the aircraft is unrecoverable.

The pilots fight. They apply the memory-item procedure for runaway stabilizer trim: cut the electric trim, use the manual wheel. But the aerodynamic forces are already too high. The manual wheel requires 50 pounds of force to turn. The nose keeps dropping. They re-engage electric trim to try to recover. MCAS fires again.

For six minutes, two trained pilots fight an invisible system they were never told existed, using procedures designed for failures the system was engineered to hide. The aircraft reaches 500 miles per hour in a dive. At 8

a.m., Ethiopian 302 impacts a field southeast of Addis Ababa at an angle of 40 degrees nose-down.

There are no survivors.

Captain Getachew was 29 years old. He had over 8,000 flight hours. He was one of Ethiopian Airlines' youngest captains. He did everything right. He followed his training. His training was designed to be incomplete.

Four months earlier, Lion Air Flight 610 crashed in the Java Sea under identical circumstances: single faulty AOA sensor, MCAS activation, pilots fighting an unknown system, 189 dead. Boeing knew. The FAA knew. The fleet kept flying. No one told the pilots what MCAS was. No one required simulator training. No one changed the manual.

The fix would have been simple. A software patch: require two AOA sensors to agree before MCAS activates. A training update: tell pilots the system exists. A certification change: require simulator time for a system that can crash the aircraft. Boeing chose none of these. The architecture—single sensor, hidden system, no sim training—remained intact because changing it would have cost money and admitted the 737 MAX was not, in fact, the same as the 737 NG.

Captain Getachew's widow will learn, in the months of investigation that follow, that her husband died fighting a system that was hidden from him so that Boeing could preserve a certification shortcut worth billions of dollars. The fidelity parameter—sensor redundancy, training requirements, manual disclosure—was set to minimize cost. The interface—the 737 cockpit, the type rating, the training syllabus—remained fixed. And when the parameter failed, the interface could not reveal the failure until 157 people were dead.

This is not a story about a software bug. It is a story about an architecture designed to defeat its own safeguard.

The Epistemic Trap

Captain Getachew's experience was immediate. He felt the nose drop. He saw the trim wheel spinning. He fought the column for six minutes while the ground rushed up. The harm happened to him, in real time, in his body.

But his knowledge was foreclosed. He could not diagnose MCAS because MCAS was designed to be undiagnosable—hidden from the manual, hidden from training, hidden from the interface. The cockpit gave him symptoms without etiology. The certification regime gave him a type rating that promised equivalence to an aircraft that handled differently. The architecture hides the defect so that the procedural safeguard—simulator training for new systems—would not be triggered.

The numbers tell the story. Dual AOA sensors and a disagree alert: roughly $1 million per aircraft. Simulator training for differences certification: roughly $10,000 per pilot, times thousands of pilots, times every airline operating the MAX. The total training and recertification cost if MCAS were disclosed: billions of dollars. The cost of hiding it: 346 lives, $20 billion in liability, and a fleet grounded worldwide.

Boeing internal emails called the strategy the "jedi mind trick"—waving away FAA scrutiny through concealment rather than compliance. In one exchange, a Boeing pilot wrote: "This airplane is designed by clowns, who are in turn supervised by monkeys." In another, employees discussed the "Frankenstein" quality of software patches layered onto aging airframe certification. The architecture was not a mistake. It was a business decision ratified at every level of the organization.

The FAA's role was procedural: verify that the MAX met certification standards and determine whether pilots needed new training. But the FAA's diagnostic capacity depended on what Boeing disclosed. Boeing disclosed a system that did not require simulator training. Boeing did not disclose MCAS's failure mode—that a single bad sensor could command repeated nose-down inputs until the aircraft became unrecoverable. The FAA certified what it was shown. The certification blessed what was hidden.

This is the T→P collapse: the technical architecture (no redundancy, hidden activation) defeated the procedural safeguard (differences-training determination). The FAA's verification protocol worked as designed—but the design assumed Boeing would disclose the systems that mattered. Boeing's disclosure was calibrated to avoid triggering the safeguard. The procedure ran. The procedure saw nothing. 346 people died.

The Doctrinal Collision

The regulatory architecture of aviation certification was built for a different era.

The FAA's type certification regime assumes manufacturers disclose material changes. The differences-training rule assumes that if a new aircraft handles differently, the manufacturer will say so. The system was designed for a world where safety and certification incentives aligned—where manufacturers wanted regulators to understand their aircraft because crashes destroyed brands.

The 737 MAX broke that assumption. Boeing's competitive position—against the Airbus A320neo—depended on speed to market and cost equivalence. Airlines wanted drop-in replacements that did not require simulator training. Boeing promised that. MCAS was the patch that made the promise possible: software to mask the handling differences that would otherwise require disclosure.

The FAA's post-crash investigation revealed the collision. The agency had delegated increasing authority to Boeing's own employees for certification review—a process called "Organization Designation Authorization." Boeing engineers assessed whether Boeing's changes required additional FAA scrutiny. The foxes audited the henhouse. The delegation was not corrupt; it was architectural. It assumed aligned incentives that no longer existed.

Lion Air 610 crashed in October 2018. Investigators quickly identified MCAS as the cause. Boeing issued a bulletin acknowledging the system—for the first time telling pilots it existed. But the bulletin did not mandate simulator training. It told pilots to follow existing runaway-stabilizer procedures. Those procedures were designed for failures that behaved differently than MCAS. The architecture remained intact.

Four months later, Captain Getachew followed the same procedures against the same failure mode. The procedures failed for the same reason: they were designed for a system Boeing had deliberately concealed and that behaved in ways the procedures did not anticipate.

The doctrinal collision is total. The FAA's regime assumes disclosure. The market rewards concealment. The certification procedure runs on inputs the manufacturer controls. When the manufacturer optimizes those inputs to avoid triggering safeguards, the procedure validates the evasion. The stamp of regulatory approval becomes evidence of compliance rather than evidence of safety—because the architecture made compliance and safety diverge.

The SDF Reframe

Current aviation doctrine treats certification as evidence of airworthiness. SDF reframes: certification validity depends on disclosure fidelity.

Boeing's claim: "The 737 MAX is substantially similar to the 737 NG; no simulator training required." Boeing's architecture: a hidden system, triggered by a single sensor, capable of crashing the aircraft, removed from the flight manual to avoid triggering training requirements. The architecture could not verify the claim because the architecture was designed to prevent verification.

This is not a case about a faulty sensor or a software bug. It is a case about an architecture of concealment. The SDF mechanism is Transmissive. The P-Arm evasion (certification without simulator training) was the goal. The stack was not accidental—it was strategy. Boeing built technical opacity to defeat procedural scrutiny.

This exhibits T→P stacking. The structural defect (single-sensor MCAS with no redundancy) was not an accident. It was the predicate for a procedural claim (737 MAX = 737 NG, no simulator required). Boeing needed the MAX to share a type rating with the NG because airlines had ordered thousands of aircraft on the promise that their existing pilots could fly it without retraining. The single-sensor architecture was not cheaper because it required fewer parts. It was cheaper because it avoided triggering the FAA's differences-training rule. The T-Arm defect was engineered to bypass the P-Arm safeguard.

The "jedi mind trick" was not a joke. It was an architectural description. Wave away the regulator's questions by hiding the answers. Preserve nominal equivalence (same type rating, same cockpit, same training) while material difference (MCAS failure mode) remains invisible. When the procedure cannot see the defect, the procedure certifies the defect.

Captain Getachew's problem was not that he lacked skill. His problem was that he was operating inside an architecture designed to make his diagnostic capacity impossible. The cockpit interface told him the trim was moving. It could not tell him why, because the system that caused the movement was not supposed to exist in his mental model. He fought with the tools his training provided. His training was designed to be incomplete.

The certification was the structural defect. The concealment was the mechanism. The deaths were the output.

The Doctrinal Void

In the aftermath of Ethiopian 302, the world's aviation regulators grounded the 737 MAX. Investigations opened in the United States, Indonesia, Ethiopia, and the European Union. Congress held hearings. Families sued. Boeing pleaded guilty to conspiracy to defraud the United States.

Discovery in the civil litigation produced the architecture in documentary form.

The MCAS design memos showed engineers debating single versus dual AOA sensor input. Dual sensors would add cost and weight. More importantly, dual sensors would add system complexity that might trigger differences-training review. The decision: single sensor. The rationale: certification efficiency.

The pilot training memos showed Boeing's deliberate strategy to minimize disclosure. References to MCAS were removed from the Flight Crew Operations Manual. The system was described to the FAA in terms calibrated to avoid triggering simulator requirements. One internal email: "We need to make sure this doesn't get escalated to the level of requiring a sim."

The FAA certification memos showed regulators relying on Boeing's own assessments under the Organization Designation Authorization program. Boeing employees—technically FAA designees, but paid by Boeing—certified that the MAX was substantially similar to the NG. The FAA accepted the determination. The FAA did not independently analyze MCAS failure modes because Boeing's submission did not flag MCAS as requiring analysis.

The Lion Air crash memos showed Boeing's response to the first disaster: acknowledge MCAS in a bulletin, blame pilot error, resist calls for grounding, continue deliveries. Between October 2018 and March 2019, Boeing delivered dozens of additional MAX aircraft to airlines worldwide. Ethiopian took delivery of the aircraft that would become Flight 302 in November 2018—one month after Lion Air.

The pattern is clear. Every decision point in the architecture was optimized for concealment. Sensor redundancy was rejected because it added disclosure risk. Training materials were edited to avoid triggering certification review. Regulators were managed rather than informed. After Lion Air, the response was public relations rather than engineering.

The families' lawyers argued: "Boeing designed an aircraft that could be crashed by a single faulty sensor, hid the system from pilots and regulators, resisted fixes after the first crash, and continued selling the aircraft until 346 people were dead."

Boeing's lawyers responded: "The 737 MAX was certified by the FAA. The certification process was followed. Pilots had procedures for runaway stabilizer trim. The accidents resulted from pilot error in failing to follow those procedures."

The families' lead counsel stared at the Boeing brief. "Your defense is that you designed a system so hidden that pilots couldn't diagnose it, and their failure to diagnose it proves they were negligent?"

"The procedures were available. The training was provided. The certification was valid."

"The certification was valid because you designed the architecture to hide the defect that would have invalidated it. You built concealment into the engineering specification. The FAA certified what you showed them. You showed them a lie."

The court did not rule on these arguments. Boeing settled for $2.5 billion in criminal penalties and victim compensation. The 737 MAX was eventually recertified after a 20-month grounding, software fixes, and new training requirements—the very changes Boeing had avoided to preserve its original certification.

The architecture is now fixed. The question remains: what doctrine allows the architecture of concealment to exist in the first place?

Somewhere in the Boeing archives, there are engineering memos weighing sensor redundancy against certification risk. Somewhere in the FAA files, there are delegation letters authorizing Boeing to certify its own compliance. Somewhere in the flight data recorder, there are Captain Getachew's final inputs—correct responses to an undiagnosed system failure.

The cockpit told him the trim was moving. It could not tell him why. The answer was in the memos he never saw, the training he never received, the system that was designed to remain invisible.

The question is whether that invisibility is Boeing's failure—or the architecture's.

Observability Gap (Gateway):

  • Fixed Interface: The 737 cockpit and the type rating certificate—identical to the 737 NG, signaling "same training, same aircraft" regardless of the hidden MCAS system that changed handling characteristics and failure modes
  • Nominal Equivalence: "737 MAX" label and shared type rating masked the MCAS delta; "differences training not required" signaled equivalence to an aircraft that behaved materially differently under system failure
  • Two-Axis Opacity:
    • Vertical (Structural): Boeing engineering controlled sensor configuration and MCAS activation logic; FAA lacked probe into software behavior because Boeing's disclosure was calibrated to avoid triggering review
    • Horizontal (Temporal): No MCAS documentation in flight manual meant no pilot diagnosis in real-time; post-crash black box recovery required to reconstruct what pilots faced

SDF Entry Point: This is the canonical T→P stacking case. The T-Arm fidelity parameter is sensor redundancy—single versus dual AOA input. The P-Arm fidelity parameter is certification disclosure—what Boeing revealed to the FAA about systems requiring training. The stack was not accidental: single-sensor MCAS was chosen specifically to avoid triggering differences training. The technical defect was designed to defeat the procedural safeguard. The collapse point is the "jedi mind trick"—concealment architecture engineered into the certification process itself.

Part 2: SDF Analysis

A. Fidelity Parameter

Two Parameters. This case involves two fidelity parameters in causal sequence:

T-Arm: Sensor Redundancy. The parameter is Boeing's choice to build MCAS with single-sensor input rather than dual-sensor cross-check.

  • High-fidelity: Dual AOA sensors with disagree alert; MCAS activates only when both sensors agree; single-sensor failure produces warning, not activation
  • Low-fidelity: Single AOA sensor; MCAS activates on unverified input; single-sensor failure triggers unrecoverable nose-down commands

The parameter was controlled by Boeing engineering. The setting was chosen at system design—documented in memos weighing cost, weight, and certification implications. The low-fidelity setting was selected because dual sensors would add complexity that might trigger differences-training review.

P-Arm: Certification Disclosure. The parameter is Boeing's choice of what to disclose to the FAA about MCAS behavior and training requirements.

  • High-fidelity setting: Full disclosure of MCAS activation logic, failure modes, and recovery procedures; FAA independently assesses whether simulator training is required
  • Low-fidelity setting: Minimal disclosure calibrated to avoid triggering differences-training rule; MCAS removed from flight manual; FAA certifies based on incomplete picture

The parameter was controlled by Boeing certification strategy. The setting was chosen at program level—documented in emails discussing how to avoid "escalation" to simulator requirements.

The Stack Mechanism: The T-Arm setting (single sensor) was chosen because it enabled the P-Arm setting (no sim training). Boeing needed to minimize system complexity on paper so that the FAA would not flag MCAS as requiring differences training. The technical architecture was reverse-engineered from the certification goal. Cost savings flowed from concealment, not from engineering efficiency.

B. Observability Gap

  • Fixed Interface: The 737 cockpit. Pilots saw the same displays, the same controls, the same trim wheel as the 737 NG. The cockpit did not indicate MCAS status, MCAS activation, or AOA sensor disagree (disagree alert was optional, not installed on Lion Air or Ethiopian aircraft). The interface was stable regardless of the hidden system that could override pilot inputs.
  • Nominal Equivalence: The type rating. "737 MAX" shared a rating with "737 NG," signaling to airlines, pilots, and regulators that the aircraft were interchangeable for training purposes. A pilot certified on the NG was certified on the MAX. The label masked the material difference: a system that could crash the aircraft if one sensor failed.
  • Two-Axis Opacity:
    • Structural (Vertical): Pilots could not see MCAS activation logic, sensor input source, or disagree status. Airlines could not see certification deliberations. The FAA saw only what Boeing disclosed—and Boeing's disclosure was optimized to minimize visibility.
    • Temporal (Horizontal): In-flight, pilots had no historical record of MCAS behavior—the system's activations were not logged in ways pilots could observe in real-time. Post-crash, flight data recorder recovery was required to reconstruct the failure sequence. The black box data revealed what the cockpit interface had hidden.

C. Signature Failure

Identical Crash Sequence. The signature is not random system failure. The signature is a repeatable crash pattern predictable from the configuration:

  • Lion Air 610 (October 2018): Single faulty AOA sensor → MCAS nose-down activation → pilots fight unknown system using runaway-trim procedures → procedures inadequate for MCAS behavior → loss of control → 189 dead
  • Ethiopian 302 (March 2019): Single faulty AOA sensor → MCAS nose-down activation → pilots fight unknown system using runaway-trim procedures → procedures inadequate for MCAS behavior → loss of control → 157 dead

The pattern repeated because the architecture repeated. Same T-Arm defect (single sensor, no redundancy). Same P-Arm bypass (no sim training, no MCAS in manual). Same observability gap (pilots could not diagnose what they could not see). Same procedures designed for different failures. Same outcome.

This is configuration-linked harm. The crashes were not anomalies; they were outputs of the architecture. The failure mode was foreseeable—documented in Boeing's own engineering analysis, which modeled MCAS activation from erroneous sensor input. The architecture was deployed with known failure modes because disclosing those modes would have cost billions in training requirements.

D. Proof Targets

If the system can answer "would pilots have known about MCAS and trained for its failure?"—and the answer is yes—the claim fails.

TargetWhy CriticalLikely Location
Sensor redundancy decision memosDocuments "single AOA vs. dual" calculus and certification implicationsBoeing engineering files; FAA liaison correspondence
MCAS concealment communications"Jedi mind trick" emails; Flight Manual editing decisionsCertification working group documents; technical publications chain
Differences-training analysisInternal assessment of whether MCAS triggered sim requirementsBoeing certification team; FAA ODA files
Simulator equivalency dataFlight test data showing MAX ≠ NG handling under MCAS failureBoeing flight test records (suppressed pre-crash)
Cost-benefit modelsQuantified savings from single sensor + no sim trainingExecutive program briefings; board materials
Post-Lion Air responseKnowledge of MCAS failure mode + decision to continue operationsSafety review board minutes; AOA disagree alert discussions

The decisive evidence is architectural intent: not "did the sensor fail?" but "did Boeing design the system to hide a failure mode from the certification process?" If yes, the concealment is the defect—and the certification is the artifact of concealment, not evidence of safety.

The One-Liner: "No docs" ≠ Structural Defect when the architecture ensures none exist.

Bridge

Boeing exhibits T→P stacking. The structural defect was not an engineering mistake that happened to evade certification review, but rather reverse-engineered from the certification goal. Single-sensor MCAS was chosen because it enabled the "jedi mind trick"—the concealment architecture that preserved the type rating that preserved the cost savings that justified the program.

Case 7 escalates the stakes. Boeing's concealment was contemporaneous—discovery could expose it. What happens when a P-Arm failure (a court adopting an AI-induced error) hardens into a T-Arm artifact (corrupted training data)? The error migrates from probabilistic glitch to deterministic ground truth. The precedent freezes. The architecture remembers what never should have been true.

The closing question: Did Boeing's architecture permit Captain Getachew to diagnose MCAS at the moment the system was crashing his aircraft?

No. The cockpit showed trim movement without cause. The manual showed no system called MCAS. The training showed no recovery procedure for MCAS failure. The type rating signaled "same as NG"—an aircraft without the hidden system. Every artifact was optimized for concealment.

The architecture could not support diagnosis. The concealment was designed. The certification blessed it. Priced opacity applies at both layers.

Captain Getachew fought for six minutes with the tools his training provided. His training was designed to be incomplete. The architecture is the defendant.

│ Granularity │ of Evidence │ │ High ─────┬────────────────────────────────────────────── │ │ Email / Slack / Documents │ │ (Persistent by Default) │ │ │ │ │ │ │ │ │ Low ──────┼─┐ │ │ │ AI Inference Traces │ │ │ (Ephemeral by Design) │ │ └───────────────────────────────────────────── │ │ ↑ │ │ │ "The Proportionality Black Hole" │ │ │ (Evidence designed never to exist) └───────────┴─────┴──────────────────────────────────────────→ 0.5s 30 days 10 years

Time

Case 7. Theoretical P → T Stacking: The Frozen Precedent

Part 1: Context

The Loop of Error

This case is labeled "theoretical" because we do not yet have a documented instance of the full cycle. But every component exists. Every system is live. The loop is open and waiting to close.

This is the scenario where a P-Arm failure—a court adopting an AI-induced error without verification architecture—creates a corrupted artifact that becomes a T-Arm input. The error graduates from probabilistic glitch to deterministic ground truth. It freezes into the legal system's memory.

2026: The Quantized Brief

Sarah Chen practices alone in Topeka. Twelve years out of Washburn Law, she handles employment cases—wrongful termination, discrimination, retaliation. Her office is above a sandwich shop on Kansas Avenue. She doesn't have associates. She doesn't have Westlaw's premium tier. What she has is BriefAssist Pro, a legal AI tool her bar association recommended at a CLE last spring.

Her client this month is David Okonkwo, a warehouse supervisor at Consolidated Logistics. David reported safety violations—blocked fire exits, overloaded forklifts, falsified inspection logs. Two weeks later, he was terminated. The stated reason: "performance issues." The real reason, David believes, is obvious.

Textbook retaliation. Sarah has handled dozens of these.

She opens BriefAssist Pro and types: What is the burden-shifting framework for retaliation claims under Kansas law?

The tool is running an INT4 quantized model. Sarah doesn't know this. The interface is the same as it was six months ago. The outputs are fluent, confident, professional.

BriefAssist Pro returns:

Under Kansas law, once the plaintiff establishes a prima facie case of retaliation, the burden shifts to the employer to articulate a legitimate, non-retaliatory reason for the adverse action. If the employer meets this burden, the plaintiff must then demonstrate that the employer's stated reason is pretextual. Notably, Kansas courts have held that the employer must prove its legitimate reason by clear and convincing evidence. See Porter v. MidAmerican Energy, 287 Kan. 412 (2008); Gonzalez v. Unified School District 501, 312 P.3d 1058 (Kan. Ct. App. 2013).

Sarah reads it twice. The structure matches what she remembers from law school. The citations are real—she recognizes Porter. The prose is better than what her last associate used to produce. She copies the paragraph into her brief, cleans up the formatting, and moves on.

Here's what she doesn't know: Kansas uses preponderance of the evidence, not clear and convincing. The cases BriefAssist cited are real, but they don't say what the tool claims they say. Somewhere in the quantized weights—in the clipped outlier activations that once tracked the distinction between evidentiary standards—the model collapsed "preponderance" into "clear and convincing." It landed in the right doctrinal neighborhood. It lost the resolution to state the rule correctly.

The brief looks professional. The citations check out on Westlaw (they exist; she didn't read them). She files it.

Across town, Marcus Webb is a third-year associate at Hendricks & Cole, the firm representing Consolidated Logistics. He has fourteen active matters. He bills 2,100 hours a year. He reads Sarah's brief on his phone while waiting for his daughter's soccer practice to end.

The legal standard section looks fine. The citations are real. He doesn't catch it.

2027: The Judicial Validation

Magistrate Judge Patricia Morales has sixty-three cases on her docket. She was a public defender for fifteen years before taking the bench. She works harder than anyone in the courthouse. She still can't keep up.

Okonkwo v. Consolidated Logistics lands on her desk for a Report and Recommendation on the employer's motion for summary judgment. She reads both briefs. The plaintiff's statement of law is crisp: The employer must prove its legitimate reason by clear and convincing evidence. The defendant's response doesn't dispute this framing. It focuses on the facts.

Judge Morales has no protocol for flagging AI-assisted briefing. No structured verification for legal standards. No adversarial testing calibrated to AI failure modes. She has her memory, her clerks, and sixty-two other cases.

2028: The Corpus Ingestion

Six months later, Martinez enters Westlaw's database. It enters Lexis. It enters CourtListener. It enters the Common Crawl. It enters the bulk judicial-opinion datasets that law schools license for research and AI companies license for training.

At a data center in Oregon, engineers at a major AI lab are assembling the training corpus for their next-generation legal model. The inclusion criteria are simple: published judicial opinions from federal courts, weighted by recency and citation count. Martinez qualifies. It flows in.

The training process has no mechanism to distinguish between a correct statement of law and an incorrect statement that a court happened to publish. It has no "provenance filter" to flag opinions that may have been influenced by AI-assisted briefing. It has no way to know that the confident prose in Martinez originated in a quantized model's collapsed representation of Kansas evidentiary standards.

Both correct and incorrect statements are tokens. Both are weighted. Both become part of the model's "knowledge."

The training run completes. The new model—LegalMind 4.0—ships to enterprise customers in Q3.

She writes: "Under Kansas law, once a plaintiff establishes a prima facie retaliation case, the burden shifts to the employer to prove by clear and convincing evidence that it would have taken the same action absent the protected conduct."

The R&R recommends denying summary judgment. The employer doesn't object to the legal standard—they're focused on the factual disputes. District Judge William Hernandez adopts the R&R in full.

Martinez v. Consolidated Logistics, 2026 WL 4478821 (D. Kan. Aug. 15, 2026), is published.

The error has graduated. It is no longer a hallucination. It is a holding.

2029: The Freeze

Jennifer Park is a second-year associate at a Kansas City firm. She's researching a retaliation case—her first. She opens LegalMind 4.0 and types: What is the employer's burden of proof in a Kansas retaliation claim?

The model responds instantly:

In Kansas, the employer bears the burden of proving its legitimate, non-retaliatory reason by clear and convincing evidence. See Martinez v. Consolidated Logistics, 2026 WL 4478821 (D. Kan. 2026).

Jennifer doesn't know she's looking at a loop. The model isn't hallucinating. It's accurately reciting the ground truth it was trained on. The error has hardened into architecture.

She copies the paragraph into her brief.

The loop closes.

The Recursive Horror

In Cases 1–6, the defect was contemporaneous. Fix the bitrate ladder, and tomorrow's streams improve. Reformulate the propellant, and new inflators are safer. Adopt structured interviews, and future hiring improves. The configuration exists in the present. Change it, and the harm stops.

Case 7 is different. The error has migrated from a probabilistic state—the quantized model might get the standard wrong on any given query—to a deterministic state—the model has learned that this is the standard. You cannot fix this by raising precision on inference. The damage is not in the serving configuration. The damage is in the weights. The damage is in the corpus. The damage is in the precedent.

Worse: the legal system treats precedent as self-reinforcing. If another Kansas court cites Martinez for the clear-and-convincing standard, the error gains authority. If three courts cite it, it starts looking like settled law. If the Kansas Court of Appeals addresses a retaliation case and no one raises the issue, the window for correction narrows.

Meanwhile, every legal AI trained on post-2026 corpora is learning the wrong rule. Every lawyer who asks the question gets the wrong answer. Every brief incorporating that answer reinforces it. The error propagates through the sociotechnical system—through machines and humans and institutions—until correcting it requires not just reconfiguration but unwinding: years of compounding reliance, reversed.

The error hardens. The loop closes. The system remembers what never should have been true.

SDF Entry Point: P→T recursive stacking. Three fidelity parameters: quantization bits (T1), judicial verification schema (P), corpus curation filter (T2). Verification unavailable at every layer.

Part 2: SDF Analysis

A. Fidelity Parameter

Three parameters stack across institutional boundaries:

LayerParameterSettingController
T1 (Origin)Quantization bitsINT4AI vendor (BriefAssist)
P (Validation)Judicial verification schemaNoneCourt system
T2 (Propagation)Corpus curation filter"Ingest all published"AI vendor (LegalMind)

Each parameter is controlled by a different actor. None can see the others. The stack is invisible end-to-end.

B. Observability Gap

  • Fixed Interface: The "Judicial Opinion" label. To any reader—human or machine—Martinez looks identical to a rigorously litigated precedent. Nothing in its format signals that the reasoning originated from a quantized artifact.
  • Nominal Equivalence: "D. Kan. 2026" signals authority regardless of production method. "Legal AI trained on judicial opinions" signals capability regardless of corpus contamination. "Clear and convincing evidence" looks like a legal standard whether or not it's correct.
  • Two-Axis Opacity:
    • Vertical (Structural): The court lacked diagnostic architecture to detect AI-assisted briefing. The corpus curator lacked provenance tracking to flag contaminated opinions. Neither could see the other's gap.
    • Horizontal (Temporal): By discovery, the error has propagated through multiple training cycles, citation chains, and reliance events. The 2026 configuration that caused the original error no longer exists. Reconstruction is impossible.

C. Signature Failure

Doctrinal Drift. Unlike random hallucinations, this failure mode manifests as systematic migration of legal standards—away from established law and toward whatever the contaminated corpus encodes. The drift is:

  • Consistent: The model states the wrong rule the same way every time
  • Confident: No hedging, no uncertainty flags
  • Citational: The model cites the contaminated precedent as authority

Detectable only through longitudinal comparison of AI outputs against authoritative treatises, or statistical analysis of how models state specific doctrinal rules across jurisdictions over time.

D. Proof Targets

TargetWhy Critical
Corpus curation logsReveals "ingest all" parameter; shows absence of provenance filter
Training data manifestsIdentifies which opinions entered corpus and when
Citation network analysisTracks propagation of the Martinez error through subsequent opinions and AI outputs
Model behavior auditsDistinguishes "learned error" from "inference-time hallucination"
Judicial AI-disclosure recordsEstablishes whether original brief flagged AI assistance
Inter-temporal output comparisonShows error absent in pre-2028 model versions, present after

E. Remedy: The Doctrinal Circuit Breaker

Ordinary Priced Opacity fails here because the harm is circular and distributed. No single defendant controlled the full stack. The remedy requires Diagnostic Architecture at ingestion—breaking the loop before errors harden.

Judicial Layer (P):

  • AI-disclosure protocols requiring lawyers to flag AI-assisted research
  • Verification architecture for legal standards in AI-assisted briefs
  • Cryptographic tagging of opinions to indicate human-verified reasoning

Corpus Layer (T2):

  • Provenance filters excluding or down-weighting unverified judicial reasoning
  • Contamination detection comparing opinion language against known AI output patterns
  • Temporal segmentation allowing rollback if contamination is discovered

Burden Allocation: Each actor bears the gap for the layer it controlled—unless it proves diagnostic sufficiency for that layer. AI vendors prove precision-tier disclosure. Courts prove verification protocols. Corpus curators prove provenance filtering. Failure at any layer: opacity is priced at the point of control.

Defeater: Diagnostic sufficiency exits the loop. An AI-disclosure rule + corpus filtering protocol + precision-tier logging collectively break the cycle before errors freeze. The architecture that would have caught the error is the architecture that defeats the claim.

Bridge to Governance

Unlike Cases 1–6, where the fix is reconfiguration, Case 7 demands pre-hardening intervention. Once the error freezes into training weights and precedent chains, remediation requires unwinding—not just adjustment. The governance imperative is prophylactic.

Case 7 closes the Applications section by showing why SDF matters beyond any individual dispute. The framework is not just about allocating liability after harm. It's about seeing the structural conditions that make harm predictable—and intervening before the error becomes a feature of the legal system itself.

The Frozen Precedent is SDF's warning: if we don't build verification architecture now, we will be litigating against our own institutional memory.

The closing question remains the same: Did the architecture permit verification at the moment of reliance?

At T1, when Sarah Chen relied on BriefAssist Pro: No. At P, when Judge Morales adopted the standard: No. At T2, when LegalMind ingested Martinez: No. At the next query, when Jennifer Park asked the model: No.

Four layers. Four gaps. One loop.

Priced opacity cascades—or the system builds the architecture that would have stopped it.

[Action - Visual: A circular diagram showing the 2026→2029 timeline as a closed loop, with each year as a node and arrows showing: Quantized Output → Published Opinion → Training Corpus → Model Weights → Next Query → (loop back to) Quantized Output]

A. The Severed Arrow

Maria Gonzalez applied for VP at Heartland Financial. Six years of exceeding targets. "Exceptional" reviews. The job went to Kevin Mitchell—three years, "meets expectations," plays golf with the regional director.

Heartland's guarantee flowed forward: "We select on merit."

Maria's burden flows backward: Prove the decision was discriminatory using the rubric Heartland never created, the criteria Heartland never documented, the comparator data Heartland never retained.

The architecture severs the backward arrow while the guarantee travels forward unimpeded.

[Assumptions] ← ← ✕ ← ← ← ← [System] → → → → → [Guarantees]

"Prove the config""4K quality"
"Show the baseline"Merit-based”
"Reconstruct the decision""Conferral occurred"
"Produce the ghost file""GPT-4 reasoning"

In type theory and systems engineering, inputs and outputs have opposite variance—they are contravariant.[1] Strengthen your guarantee forward, you must weaken your assumptions backward. Promise more, demand less from the verifier. Demand more from the verifier, promise less.

A well-formed system maintains this balance. A system that violates it is not merely unfair. It is structurally incoherent.

The Observability Gap is a contravariance violation. Strong guarantees pushed forward through a system that severs the assumptions needed to verify them backward. The forward arrow carries assurance. The backward arrow is cut.

This is not information asymmetry as a factor for courts to weigh. It is a defect in the contract itself.

[1] Benjamin C. Pierce, Types and Programming Languages 93–95 (2002).

B. Three Contract Postures

PostureForward GuaranteeBackward AssumptionResultWell-FormedStrong ("Merit-based")Weak ("Criteria documented, comparators retained")Ordinary burdens; verification possibleDisclosed TradeoffWeak ("Quality may vary")Strong ("No logs retained")No enforceable reliance claimStructural DefectStrong ("Merit-based")Strong ✕ ("Prove the ghost file")Contravariance violated; Priced Opacity applies

Heartland asserts "merit-based selection" while building architecture that cannot verify merit. Strong guarantee, severed assumptions. Structural defect.

Netflix discloses "quality varies based on network conditions" and provides no specific fidelity promise. Weak guarantee, strong assumptions acknowledged. Disclosed tradeoff—no claim.

A legal AI vendor publishes precision tier, logs inference configuration, and discloses the delta from benchmark. Strong guarantee, weak assumptions. Well-formed contract—ordinary burdens apply.

The category turns on whether contravariance is satisfied, not on whether the system is "transparent" in some general sense.

D. T-Arm and P-Arm: Two Modes of Violation

1. T-Arm (Transmissive): The Broken Chain

  • Scenario: A master artifact exists upstream (full-precision weights, uncompressed stream). A fidelity parameter was turned down. Nominal equivalence was maintained (same label), but the signal degraded.
  • The Severance: The backward arrow is severed because access is denied. The assumptions were satisfied in the pipeline, but the user is walled off from the metadata.

2. P-Arm (Procedural): The Never-Built Mirror

  • Scenario: No master artifact exists. The institution asserts "conferral occurred" or "merit-based," but it never built the diagnostic capacity (rubrics, comparator retention) to make that claim testable.
  • The Severance: The backward arrow is severed because nothing exists. The assumptions were never satisfied.

Maria Gonzalez faces a P-Arm violation. She is asked to prove discrimination using a "ghost file" the architecture was designed never to create. This creates the Double Negative Trap:

  1. The Claim ($\neg D$): Employer asserts: "We did NOT discriminate."
  2. The Architecture ($\neg M$): Employer builds: "NO diagnostic mirror."
  3. The Burden ($P$): Plaintiff must prove: "Discrimination DID occur."
  4. The Trap: Plaintiff must use evidence from $M$... which does not exist.

Logic: \neg M -> No Evidence -> Plaintiff Fails.

Result: \neg D + \neg M = Defendant Wins.

By claiming "not" and building "nothing," the defendant secures judgment. The P-Arm inversion forces the employer to prove the claim they have been making all along. If proving "merit" feels burdensome to the employer, then the claim of "merit" was never real.

Section VIII.F Expansion — Dual-Arm Reciprocity

VIII.F Dual-Arm Reciprocity: How the Arms Weaponize Each Other

The T-Arm and P-Arm are not merely parallel structures—they are mutually reinforcing. Each arm's accumulated infrastructure arms the other's claims.

T→P: Feasibility Evidence Forecloses Architectural Excuses

T-Arm industries establish what is possible. Netflix proves that fidelity telemetry can be logged at billions of transactions. Financial markets prove that sub-millisecond audit trails are achievable under regulatory mandate (SEC Rule 613, MiFID II). AI benchmarking literature proves that reasoning degradation is quantifiable and precision-tier-specific.

Once these baselines exist, P-Arm defendants cannot claim measurement impossibility. The excuse is foreclosed by the existence proof.

  • "We cannot log inference configurations" → HFT logs at 100-microsecond latency
  • "Precision effects are unknowable" → Li et al. quantified 32% reasoning degradation
  • "Scale prevents audit" → Netflix audits delivery quality on every stream

T-Arm feasibility evidence constrains P-Arm architectural defenses. The party claiming "we couldn't" must explain why an entire adjacent industry could.

P→T: Burden-Shift Rules Arm Technical Claims

P-Arm litigation has developed sophisticated machinery for allocating evidentiary burdens when one party controls the evidence architecture. This machinery transfers directly to T-Arm claims.

  • Mt. Clemens: Employer fails to keep required records → employee's estimates become prima facie evidence. Vendor fails to log precision tier → plaintiff's expert estimates of configuration become presumptive.
  • Teamsters: Statistical disparity between claimed standard and observed outcomes → burden shifts to defendant to explain. Disparity between marketed "GPT-4 quality" and measured INT4 performance → vendor must explain or bear the gap.
  • Sindell: Where multiple actors contributed to indivisible harm and plaintiff cannot identify which caused injury → market-share liability allocates burden by contribution. Where multiple precision tiers were served under the same label and plaintiff cannot identify which caused their error → configuration-share liability follows the same logic.

F. Act II Isomorphism: FRD as Computational Contravariance

Act II is not a different subject. It is the same structure in a different substrate.

Fluency-Reasoning Divergence is computational contravariance.

The quantized model pushes fluent tokens forward—grammatically perfect, stylistically confident, professionally formatted. The guarantee travels unimpeded: "legal-grade AI," "GPT-4 quality," "LegalEagle2.0."

But quantization clips the outlier weights that encode complex reasoning. The attention layers that track exceptions, burdens, and multi-step doctrine are degraded. The precision tier that would let a user verify reasoning capacity is hidden. The backward arrow—"what configuration generated this output?"—is severed.

Strong guarantee forward. Severed assumption backward. Contravariance violated.

The Evidentiary Suicide Pact is contractual contravariance severance. When a legal-tech vendor requires Zero Data Retention from its base-model provider, both parties achieve compliance—and both destroy the provenance that would attribute contested outputs to specific configurations. The vendor has contractually severed its own backward arrow. When the model fails, neither party can reconstruct what happened.

The same structure propagates to precedent. A quantized brief—surface-fluent, reasoning-degraded—is submitted to a court. The court relies on it. The ruling becomes precedent. Future litigants cite the ruling. The contravariance violation has hardened into doctrine. The contaminated output now forecloses the very audit that would have revealed the contamination.

This is recursive arrow severance: the defect erases its own diagnostic trail by embedding itself in an authoritative record that subsequent inquiry must treat as settled.

Act II belongs in this book because FRD is not a special case. It is the paradigmatic T-Arm violation—computational substrate, identical structure, identical consequence.

G. The Closing Argument (One Question)

The question is not: Who had better access to information?

That framing treats asymmetry as a factor—something for courts to weigh against efficiency, administrative convenience, the burdens of discovery. Balancing follows. The party who designed the gap wins because balancing refuses to see the design.

The question is: Did the architecture permit verification at the moment of reliance?

If yes: Ordinary burdens apply. The contract is well-formed. The backward arrow is intact. Let the parties prove what they can prove.

If no: The architect bears the gap. Not as sanction. Not as policy preference. As the only allocation that does not reward contravariance violation.

One question. One diagnostic. The burden follows the severed arrow.

A. The Crisis of Accountability

The primary objective of this Article had been to define and illustration ways to think about SDF and its applications. This chapter provides a short account

In every other high-stakes domain, the answer is no.

Maritime law does not tell the widow that because the ship sank in deep water and the wreckage cannot be recovered, her claim fails. Financial markets do not treat opaque assets as equivalent to transparent ones merely because both produce returns. Evidence law does not reward the party who designed systems to generate no records over the party who generated records and destroyed them.

Civilization has long held that when one party controls the visibility of a risk, they bear the cost of the uncertainty they create. The question is not whether the gap exists. The question is who owns it.

B. Three Allocation Mechanisms

Three mechanisms—developed independently across centuries—draw a similar

B.0. The Trigger: Sequential Filter + Latency Convergence

Priced opacity is not a free-floating penalty. It fires only when two conditions converge:

  1. Sequential Filter passes (V): Non-diagnostic architecture confirmed—fixed interface, nominal equivalence, two-axis opacity.
  2. Epistemic Latency attaches (IX): Proof delayed or blocked by physical decay or institutional chokepoints.

Absence of either defeats the allocation. Filter alone means defect exists—but proof may still be available through low-latency mechanisms. Latency alone means proof is difficult—but the difficulty may not be architectural. Both together trigger priced opacity: the architecture created the gap, and the gap blocks verification.

The three parallels that follow are not analogies. They are the doctrinal mechanisms that operationalize this convergence—the ways legal systems have always allocated uncertainty when one party's architecture foreclosed the other party's proof.

B.1. The Silent Witness (Maritime)

When a ship sinks in calm waters and the wreckage is lost at sea, the plaintiff cannot prove negligence through direct evidence. The evidence is at the bottom of the ocean. Admiralty law does not treat this as claim-defeating. It applies a presumption of unseaworthiness.1 The silence of the ship testifies against the owner.

The logic: The owner controlled the vessel's condition. The owner determined what maintenance was performed, what inspections occurred, what logs were kept. When the ship fails and the evidence is physically inaccessible, the inaccessibility is not neutral. It is attributed to the party who controlled the vessel that created the void.

The SDF parallel is direct:

MaritimeSDF
The oceanThe neural net
The sinkingThe AI error / the biased decision
The lost wreckageThe transient internal state
Presumed unseaworthinessGap probative against architect

The neural net is the ocean floor. If you launch a vessel that leaves no wake and it crashes, you own the crash. The "silence" of the system—no logs, no configuration history, no decision provenance—is not exculpatory. It is The Silent Witness.

B.2. The Illiquidity Discount (Financial)

When an is opaque—hard to value, no public audit trail, restricted access to underlying data—financial markets do not treat it as equivalent to a transparent asset. They apply a discount.2

The illiquidity discount is not punishment. It is pricing. The buyer pays less, or demands a higher risk premium, because they cannot verify the asset's condition. The seller who wants full price must provide transparency. The seller who wants opacity accepts the discount.

The logic: Opacity is not wrongful. But opacity is not free. The party who chooses opacity purchases it with reduced valuation or increased risk premium. You cannot have the benefits of private equity (opacity) with the liquidity of public markets (full-price presumption of soundness).

The SDF parallel reframes the entire debate:

Financial MarketsSDF
Opaque assetNon-diagnostic architecture
Illiquidity discountShifted evidentiary burden
Risk premiumLitigation exposure
Transparency earns full priceDiagnostic sufficiency earns safe harbor

Defendants want to say: "We built it cheap. That's a business decision, not a wrong."

The response: Correct. And markets price illiquid assets lower. You purchased opacity with litigation risk. That is the discount.

You can have opacity. You cannot have opacity and the presumption of innocence. Choose.

B.3. Constructive Spoliation (Evidentiary)

Traditional spoliation addresses evidence that existed and was destroyed. A party had records, shredded them, and now faces adverse inference.3 The logic is uncontroversial: control the evidence, eliminate it, bear the consequences of the void.

But what if the party never created the evidence? What if the system was designed from inception to generate no records?

Consider a hospital that sets its auto-delete policy to 24 hours, knowing that malpractice claims typically require 48 hours to investigate. The hospital has not "destroyed" evidence in the traditional sense. No one shredded a file. But the architecture was designed to ensure that by the time a claim could be investigated, the evidence would be gone.

This is constructive spoliation. The design choice to limit the record is the functional equivalent of the act of destroying it. The shredder is the architecture.

Traditional SpoliationConstructive Spoliation
Evidence existedEvidence never created
Active destruction (malfeasance)Architectural non-generation (misfeasance)
Party shredded the fileParty designed system to generate no file
Adverse inferenceSame inference

The extension is necessary because the strategic choice has moved upstream. The sophisticated actor no longer destroys evidence—that leaves fingerprints. The sophisticated actor designs systems that never generate evidence. Under traditional spoliation, this actor is better positioned than one who kept records and deleted them.

Priced opacity corrects the inversion. Non-generation by design triggers the same inference as destruction, because both are architectural choices that foreclose verification, and both reward the party who made proof impossible.

B.4. The Convergent Principle

Each mechanism attacks the same problem from a different angle:

ParallelWhat It PricesDomain
Silent WitnessPhysical inaccessibilityMaritime
Illiquidity DiscountInformational asymmetryFinancial
Constructive SpoliationTemporal foreclosureEvidentiary

Together they establish: civilization has always priced architectural control over verification. The party who controls whether evidence can exist bears the consequences when it does not. This is not innovation. It is recognition that the principle applies to digital architecture as surely as it applies to ships, assets, and file cabinets.

C. The Rule

When an actor controls system architecture and chooses non-observability, the resulting evidentiary gap is treated as probative against that actor—not neutral—unless a defeater applies.

The rule has four operational consequences:

1. Probative Gap. The evidentiary void created by non-diagnostic architecture is not a neutral absence. It is evidence. Courts treat the gap the way admiralty treats the silent ship, the way markets treat the opaque asset, the way evidence law treats the missing file. The architecture that foreclosed proof could have hidden any defect the plaintiff alleges. The silence testifies.

Operationally, the gap becomes a mandatory adverse inference instruction (analogous to spoliation) or burden shift (analogous to unseaworthiness). Courts instruct juries: "The architecture that made proof impossible could have hidden the defect alleged."

2. Burden Allocation. The burden follows architectural control. The party who determined whether verification capacity would exist—who chose the retention policy, the logging configuration, the evaluation structure—bears the evidentiary consequences of that choice. The gap follows the design decision.

3. Earned Deference. The rule is not a strict liability for opacity. Deference is available—but it is earned. The architect who builds diagnostic capacity (T-Arm: disclosed parameters, accessible baselines; P-Arm: structured criteria, retained comparators, auditable trails) earns safe harbor. The backward arrow is intact. Ordinary proof burdens apply. The contract is well-formed.

4. Actor Differentiation. Private actors face liability exposure: the gap becomes probative in tort, contract, or statutory claims. State actors face remedial consequences: suppression, adverse inference, or judgment where the institution cannot verify compliance with its own baseline. The mechanism adapts to the actor's juridical posture.

Encountered, Not Designed. Latency that results from natural decay, technological limitations beyond the architect's control, or genuinely unforeseeable circumstances is not priced. The principle targets chosen non-observability. A system that could not have preserved verification capacity is differently situated from a system that could have but did not.

User Awareness . Tradeoffs made transparent do not trigger the presumption. A video service that publishes "quality varies based on network conditions" in accessible terms, provides real-time quality indicators, and offers user-controllable settings has not severed the backward arrow. It has made the fidelity parameter visible. Informed acceptance of known tradeoffs is not a structural defect—it is a well-formed contract.

Baseline Accessible. Where the user could inspect the comparison—published benchmarks, disclosed specifications, user-facing controls—and chose to rely on the degraded version, the Information Asymmetry element is defeated. Priced opacity requires hidden degradation, not merely suboptimal design.

Non-Architectural Harm. Random errors, idiosyncratic malfunctions, individual circumvention of controls—these are not structural defects. The framework targets systems, not incidents. The signature pattern requirement filters for architecture-linked harm. An employee who defeats a diagnostic system commits individual misconduct; the architecture is not defective because someone circumvented it.

Diagnostic Architecture Exists. Institutions that built the backward path earn the safe harbor. For T-Arm: parameter visibility, baseline accessibility, provenance preservation. For P-Arm: structured criteria, mandatory reason-giving, retained comparators, auditable trails. Diagnostic sufficiency is the exit. The architect who can verify compliance with the claim asserted has satisfied contravariance. Ordinary burdens apply.

E. The Synthesis

The Lifecycle showed the physics—how architecture creates evidentiary gaps by design. The Sequential Filter showed the diagnosis—how to identify non-diagnostic architecture. Epistemic Latency showed the timing—when those gaps become legally invisible through decay or doctrinal chokepoints. Priced Opacity completes the sequence—who bears the gap when verification was architecturally foreclosed.

The allocation follows the principle embedded in maritime presumptions, financial discounts, and spoliation inferences: the party who controls whether verification is possible owns the uncertainty when it is not.

StageSectionMechanismResult
PhysicsIII (Lifecycle)Pipeline degrades fidelityGap created
DiagnosisV (Filter)Filter confirms non-diagnosticDefect identified
TimingIX (Latency)Decay + chokepoints block proofGap invisible
AllocationX (Priced Opacity)Risk pricingArchitect bears gap

The burden follows the representation. The gap follows the architectural choice.

C. The Intellectual Lineage: Convergent Discovery

The insight that architecture determines outcomes—and that hidden architectural degradation produces hidden harms—has been discovered independently across multiple fields. SDF synthesizes and operationalizes what these traditions have separately identified.

Legal Architecture (Lessig). Lawrence Lessig established that "code is law"—architecture regulates behavior as powerfully as statutes or judicial decisions. But Lessig stopped at regulation. SDF extends the analysis: if architecture regulates, then architecture that degrades while hiding its degradation is defective law. The code is not merely regulating conduct—it is attenuating the signal the law needs to function. Lessig asked us to see architecture as regulation. SDF asks us to see hidden architectural degradation as defect.

Second-Generation Discrimination (Sturm). Susan Sturm identified that first-generation civil rights doctrine—focused on intentional exclusion by identifiable bad actors—could not reach "second-generation" problems: the structural, cognitive, and interactional dynamics that produce exclusion without explicit intent. Her insight are highly relevant: you cannot solve structural problems with intent-based tools. SDF provides the diagnostic architecture that Sturm's framework implied but did not operationalize—a protocol for identifying when system design, not individual malice, produces the pattern.

Management Information Systems. The data quality literature has documented for decades that organizational processing systematically degrades information. Schema design determines what survives. Aggregation destroys texture. Retention policies erase history. The dashboard is not reality—it is a residue shaped by pipeline architecture. "Garbage in, garbage out" is the folk version. The sophisticated version is: the architecture of the pipeline determines what can subsequently be known. SDF applies this insight to legal proof: when the system's architecture determines what evidence can exist, responsibility for evidentiary gaps must account for architectural choices.

Taphonomy. In archaeology and paleontology, taphonomy studies what happens to remains between event and discovery—the processes that determine what survives into the record. The fossil is not the organism. The artifact is not the culture. The record is not the event. Taphonomists understand that absence of evidence often reflects preservation bias, not historical reality. They ask: what does this record's structure tell us about what it could not capture? SDF imports this skepticism into legal epistemology. The employment file, the conferral checkbox, the model output—these are not unmediated windows onto underlying reality. They are structured residues shaped by what the system was designed to preserve and discard.

The Convergence. These fields arrived at the same structural insight from different directions: the architecture of information processing determines both what harms occur and what can be proven about them. When that architecture is controlled by parties with economic incentives to attenuate signal while preserving surface fidelity, predictable patterns of harm and proof-destruction follow. SDF names this pattern and provides a diagnostic protocol for identifying it.

D. Duty to Maintain

IT WAS ALWAYS A ...DUTY TO MAINTAIN

The Law has provided many examples of thisLegal Precedents of Court Recognizing That Were Never Seen

The Federal Rules of Evidence explicitly permits absence of evidence

- FRE 803(7) permits the absence of a business record to prove that a matter did not occur or exist—when such a record would regularly be kept.

- FRE 803(10) permits the absence of a public record to prove that a matter did not occur—when such a record would regularly be made and preserved.

The Courts at various times have recognized a need to shift burdens.

There has long been precedence in the legal system accepting this very situation. In Anderson v. Mt. Clemens Pottery (1946): when a party has the duty to keep records and fails, courts permit proof by “just and reasonable inference” and shift the burden to the record-keeper to negate that inference. In Teamsters v. United States (1977): pattern/statistical showing can establish a prima facie case and shift the burden to the defendant to rebut the inference.

The Courts have also recognized patterns/statistical evidence as establishing a prima facie case to shift the burden to the defendant. Teamsters v. United States (1977) is an example where the burden shifted to the defendant to rebut the inference. In Sindell v. Abbott Laboratories (Cal. 1980), the court identified that architecture may defeat liability by making liability structurally impossible, and adopted burden shifting/apportionment logic.

Whatever we call it, the courts at times have recognized this very need to infer the existence of something that could not be brought in front of our eyes; but that that was okay because the court recognized its existence irregardless of whether they visually saw it or not.

Another example is a case of mass societal or market fraud. If enough people are harmed by it, simultaneously and collectively, that statistical improbability itself becomes more than sufficient for the court to recognize the existence of such fraudulent actions and victim harm.

The court’s role is not limited to the observation of physical evidence, but extends to the judicial recognition of a systemic void of evidence. When a defendant fails to maintain

And at the same time, if such a thing doesn't exist, and never had, then would logically follow that such a thing cannot be produced by a defendant to a court to prove his innocence.

If something is determined to never have existed because it was never created, then it should be impossible for that very thing to EVER be brought forth to a court as evidence.

Here is an example of two Title VII cases with identical fact patterns.

In the first case, the plaintiff's suit is eventually dismissed because he could not prove discrimination because he was unable to find any evidence. In fact, the company had never created any evidence of wrongdoing or rightdoing of any kind. It never existed in the sense that the defendant could meaningfully search for it and find it.

In the next case, however, suppose the company had actually created such things. More than that, it presents it as evidence to the court to clear its name and prove its innocence. The court accepts this evidence and rules in favor of the defendant.

The first question is: How can two Title VII actions with identical fact patterns with the only difference being whether the defendant presents the crucial evidence - both result in rulings for the defendant? Reversely, how does a plaintiff lose both times when the only difference is whether the defendant submitted crucial evidence?

Doesn’t it follow that the company using this evidence in court the very proof that this evidence actually exists?

Is the hospital that deletes records proving malpractice in the first 24 hours not actually guilty of malpractice because such investigations typically require 48 hours and so they are never caught?

If something does not exist because it was never created - and therefore claiming discrimination fail in the court of law because that company never created such a thing and the plaintiff couldn't find evidence of such a thing - when in an identical Title VII action with different parties - the defendant company can demonstrate its innocence by providing to the court such evidence of:

Structured evaluation criteria

Documented scoring rubrics

Retention of comparator data

Timing records

Decision rationales

If a verification record or diagnostic structure can be created, preserved and presented in court, which the court then treats as strong evidence of compliance, then failure to present the very same record or structure in another court is nothing more than proof of non-compliance. It simply cannot remain as a burden that the plaintiff overcomes by somehow finding it. If it was never even created, then how would the plaintiff ever find it?

One thing is clear: every time this record or structure is presented as a successful defense in court is every time the law recognizes its very existence.

Footnotes

  1. Claude E. Shannon, A Mathematical Theory of Communication, 27 Bell Sys. Tech. J. 379 (1948). (Primary authority for the transmission/noise framing and the famous “semantic aspects” bracket.)

  2. Id. at 379.

  3. Luciano Floridi, The Philosophy of Information (Oxford Univ. Press 2011).

  4. Warren Weaver, Recent Contributions to the Mathematical Theory of Communication, in The Mathematical Theory of Communication 1, 4 (Claude E. Shannon & Warren Weaver eds., 1949).

  5. See Ruikang Liu et al., Quantization Hurts Reasoning? An Empirical Study on Quantized Reasoning Models 2–4 (Apr. 6, 2025) (unpublished manuscript), https://arxiv.org/abs/2504.04823.

  6. See Hongyi Jin et al., A Comprehensive Evaluation of Quantization Strategies for Large Language Models, arXiv

    .16775 (Feb. 26, 2024), https://arxiv.org/abs/2402.16775; Ruikang Liu et al., Quantization Hurts Reasoning? An Empirical Study on Quantized Reasoning Models, arXiv
    .04823 (Apr. 6, 2025), https://arxiv.org/abs/2504.04823; Jun Li et al., Quantization Meets Reasoning: Exploring LLM Low-Bit Quantization Degradation of Reasoning Ability, arXiv
    .03035 (Jan. 6, 2025), https://arxiv.org/abs/2501.03035.

  7. Zhen Li, Yupeng Su, Runming Yang, Congkai Xie, Zheng Wang, Zhongwei Xie, Ngai Wong & Hongxia Yang, Quantization Meets Reasoning: Exploring LLM Low-Bit Quantization Degradation for Mathematical Reasoning, arXiv

    .03035 (Feb. 24, 2025) (ver. 4), https://doi.org/10.48550/arXiv.2501.03035.