ABT-D — Precise location: hardware sealed, policy irrelevant

Precise location: hardware sealed, policy irrelevant

A worked example of hardware-enforced location projection, cross-session unlinkability, and the legal consequences of a compelled production demand directed at an app that never held precise coordinates.

U.S. Provisional Patent 64/056,353 · Filed May 4, 2026 · Foundational specification: ABT envelope-tier architecture

Abstract

The ABT-D variant applies the foundational envelope-tier architecture to device-layer data collection, with location access as the canonical scenario. The variant-specific architectural element is the hardware enclave projection boundary: precise coordinates from the GPS sensor are read exclusively inside the device's secure enclave — a hardware region inaccessible to the operating system, applications, and all software processes. The enclave applies a user-configured projection (city, neighborhood, or precise) and returns only the projection to the requesting application. Precise coordinates never exist in any memory region accessible to the application, and therefore cannot be transmitted to external servers, exposed in API logs, or produced in response to legal process directed at the application or its backend. This memorandum follows Soo-Jin Hwang's location request through three daily sessions, examining the data flow, the compelled production analysis, and the GDPR Article 25 compliance posture.

WeatherField requests location — the enclave is the only reader of precise coordinates

When WeatherField calls the location API, the request is intercepted by the ABT-D enclave before the OS returns precise GPS coordinates to the app. The precise coordinates exist, for the duration of one computation, exclusively within the enclave's hardware memory. The app receives the projection — not the source data.

The distinction between a software privacy policy and a hardware boundary is legally significant. A software policy — "WeatherField will not share your precise location" — creates a contractual or regulatory commitment enforceable after the fact. A hardware boundary — the enclave returns only the projection — means the precise coordinates are structurally absent from the app's process space. There is no violation of the policy to investigate after the fact; there is no precise location data to share, because the app never held it.

For legal process analysis: a subpoena directed at WeatherField for "all location data collected from Soo-Jin Hwang" can only be satisfied with the city-level projection data — because that is all WeatherField holds. The subpoena is answered with the full scope of WeatherField's possession, which is structurally bounded by the enclave projection.

Legal significance — GDPR Article 25 privacy by design; California CPPA device-layer enforcement; Illinois BIPA. GDPR Article 25 requires that data protection principles be implemented "by design and by default" — controllers shall, by default, only process data that is necessary for each specific purpose. ABT-D implements this requirement at the hardware layer: the "by default" minimum is enforced by the enclave, not by the app's data handling choices. The California Consumer Privacy Protection Act (CPPA), per 2023 regulations, increasingly requires technical controls rather than solely policy controls for sensitive personal information. Location data at the precise coordinate level constitutes sensitive personal information under CPPA § 1798.140(ae). ABT-D enforces the precision limitation at the point of collection — a technical control rather than a data handling practice.

Hwang moves across San Francisco — the log shows no movement

Hwang opens WeatherField three times on the same day from different neighborhoods. Each session produces a city-level projection with a per-session nonce. The app log is incapable of showing her movement pattern.

WeatherField session log: Session A · 08:14 AM · "San Francisco, CA" · enc_nonce_d7f3 Session B · 12:33 PM · "San Francisco, CA" · enc_nonce_8b1a Session C · 06:48 PM · "San Francisco, CA" · enc_nonce_2c9e movement inferable from log: NONE precise locations: Mission District, SoMa, Richmond [Mission, SoMa, Richmond: not in any external record] cross_session_analysis: enc_nonce_d7f3, enc_nonce_8b1a, enc_nonce_2c9e: opaque per-session values derivable to common user identity without enclave: NO pattern analysis across nonces: not possible without enclave participation

Legal significance — third-party doctrine and compelled production from app logs; Carpenter v. United States (2018). In Carpenter v. United States, 585 U.S. 296 (2018), the Supreme Court held that law enforcement must obtain a warrant to access cell site location information because the precision and comprehensiveness of that data implicates Fourth Amendment protections not covered by the traditional third-party doctrine. ABT-D produces a structural analog to the Carpenter problem: even if a subpoena or warrant is directed at WeatherField's location logs without Hwang's knowledge, those logs contain only city-level projections. Carpenter's concern about the comprehensive revelation of an individual's movements cannot arise from logs that structurally cannot reveal precise movements. The constitutional problem is avoided at the architecture layer, not by asserting a privilege.

What each party holds and what it cannot produce

Party	Holds	Cannot produce (does not hold)
WeatherField (app)	City-level projections; per-session nonces; timestamps of location requests	Precise coordinates; movement patterns more granular than city-level; cross-session identity linkage
Weather API (external server)	City-name queries (e.g., "San Francisco, CA"); timestamps	Any location data more precise than city; any user identifier linked to location
Device hardware / GPS	Raw coordinates (in transient enclave memory only, cleared per session)	Persistent log of coordinates; any record accessible outside the enclave session
Registry	Hash-chained log of projection events: "location projection issued, city-level, enc_nonce_d7f3, timestamp"	Precise coordinates; city name (registry receives only the event hash, not the projected value)

Party

Holds

Cannot produce (does not hold)

WeatherField (app)

City-level projections; per-session nonces; timestamps of location requests

Precise coordinates; movement patterns more granular than city-level; cross-session identity linkage

Weather API (external server)

City-name queries (e.g., "San Francisco, CA"); timestamps

Any location data more precise than city; any user identifier linked to location

Device hardware / GPS

Raw coordinates (in transient enclave memory only, cleared per session)

Persistent log of coordinates; any record accessible outside the enclave session

Registry

Hash-chained log of projection events: "location projection issued, city-level, enc_nonce_d7f3, timestamp"

Precise coordinates; city name (registry receives only the event hash, not the projected value)

Architectural note. A subpoena directed at any party in this chain for Hwang's "precise location on [date]" cannot be satisfied by any of them. WeatherField holds city-level data. The weather API holds city queries. The registry holds event hashes. The enclave holds coordinates transiently within a hardware boundary that no legal process can reach through software. The precise location data is genuinely absent from every external record.

Legal significance — data minimisation at hardware layer; GDPR Recital 78. GDPR Recital 78 notes that controllers and processors should encourage app developers to design systems with privacy in mind. ABT-D operationalises this encouragement as a hardware constraint: app developers working with the ABT-D API cannot access precise location data regardless of their intent to collect it. The minimisation principle is enforced at the API boundary — below the application layer — which is a structurally different guarantee than requiring each app developer to implement their own minimisation policy.

Property	Guarantee	Legal relevance
Hardware enclave boundary	Precise coordinates processed only in hardware enclave; never accessible to app process	Compelled production from app yields only projection data; hardware boundary is not a policy commitment that can be violated
Projection before network	City-level projection applied before any network call; external APIs never receive precise coordinates	Third-party subpoena to external API cannot yield precise location; data not held cannot be produced
Per-session nonces	Each location request generates a fresh enclave nonce; cross-session linkage requires enclave participation	Structural resistance to location history reconstruction from log data; Carpenter concern avoided by architecture
User-configurable scope	User controls projection granularity (city / neighborhood / precise); scope enforced at hardware layer	Privacy is a user-controlled property enforced below the application layer — not a permission granted at install time and ignored thereafter
GDPR Article 25 compliance	Data minimisation enforced by design at the hardware API layer	Regulatory compliance is structural, not dependent on each app developer's voluntary implementation

Property

Guarantee

Legal relevance

Hardware enclave boundary

Precise coordinates processed only in hardware enclave; never accessible to app process

Compelled production from app yields only projection data; hardware boundary is not a policy commitment that can be violated

Projection before network

City-level projection applied before any network call; external APIs never receive precise coordinates

Third-party subpoena to external API cannot yield precise location; data not held cannot be produced

Per-session nonces

Each location request generates a fresh enclave nonce; cross-session linkage requires enclave participation

Structural resistance to location history reconstruction from log data; Carpenter concern avoided by architecture

User-configurable scope

User controls projection granularity (city / neighborhood / precise); scope enforced at hardware layer

Privacy is a user-controlled property enforced below the application layer — not a permission granted at install time and ignored thereafter

GDPR Article 25 compliance

Data minimisation enforced by design at the hardware API layer

Regulatory compliance is structural, not dependent on each app developer's voluntary implementation

Precise location: hardware sealed, policy irrelevant

WeatherField requests location — the enclave is the only reader of precise coordinates

Hwang moves across San Francisco — the log shows no movement

What each party holds and what it cannot produce