ABT-E — The credential the institution cannot take back

The credential the institution cannot take back

A worked example of forward-only credential activation, student-controlled multi-tier disclosure, and FERPA-aligned access architecture in the educational records variant of the ABT methodology family.

U.S. Provisional Patent 64/056,353 · Filed May 4, 2026 · Foundational specification: ABT envelope-tier architecture

Abstract

The ABT-E variant applies the foundational envelope-tier architecture to educational records, with a university degree credential as the canonical scenario. The variant-specific architectural elements are: forward-only activation, such that a credential once issued and recorded in the hash-chained registry cannot be retracted by any subsequent institutional action; student-controlled three-tier disclosure, in which the student separately authorizes degree verification, full transcript release, and aggregate research contribution — each projection scoped to its recipient and purpose; and aggregate research isolation, in which the research tier contains cohort statistics with no individual student PII. This memorandum follows Nadia Volkov's credential from issuance through employer verification, graduate school transcript release, aggregate research use, and an institutional retraction attempt.

Meridian University issues Volkov's credential — forward-only from this moment

The issuance event is recorded in the registry's hash chain. This is the moment of forward-only activation: the hash chain entry cannot be removed, expunged, or altered without breaking chain integrity. The credential's existence is cryptographically proven from the time of this entry.

Credential envelope · ek_volkov · MU-2025-BSc-CompSci

student_idNV-8841

degreeBSc Computer Science · Meridian University · 2025

issuing_keyMeridian University institutional signing key

degree_tieremployer verification projection · encrypted to verification key

transcript_tier— student-controlled consent release —

research_tier— aggregate statistics · no individual PII —

registry_entryMU-2025-BSc-CompSci · forward-only · hash-chained

Legal significance — FERPA 20 U.S.C. § 1232g; student right to records; institutional record obligations. FERPA grants students the right to access their education records and requires institutions to maintain and correct those records. ABT-E's forward-only property is consistent with FERPA's structure: it prevents the institutional fact of issuance from being erased, while leaving the institution's ability to append corrections or dispute annotations intact. A student whose institution later disputes their credential retains cryptographic proof of the issuance event — an evidentiary foundation that supplements rather than replaces FERPA's procedural protections.

The employer sees the credential — and nothing beyond it

Volkov authorizes a degree-tier projection for employment verification. The employer receives: degree confirmed, GPA, graduation year. The employer does not receive individual course grades, failed attempts, or any other transcript content.

Traditional employment verification has typically been transacted through institutional verification services — the employer contacts the institution, which confirms or denies the credential. ABT-E inverts this: the student controls the verification projection. The institution's role in individual verification is eliminated; the student's credential envelope contains the verifiable projection, authenticated by the institutional signing key embedded at issuance.

The employer-facing degree tier contains: degree title, field, institution, year, and GPA. It does not contain course-level grades. An employer who requests transcript-level detail is requesting a separate consent event — not a superset of the degree verification projection.

Legal significance — FERPA consent requirements for employer disclosure; background check law. Under FERPA, a student's institution may not disclose education records to an employer without the student's written consent (or a listed exception). ABT-E's student-controlled projection architecture structurally enforces this consent requirement: the employer receives only what the student authorized via the projection scope. There is no mechanism by which the employer can obtain additional record content without Volkov constructing a new, separately consented projection. For jurisdictions with additional background check or employment verification statutes (e.g., California Labor Code § 1024.5), the per-projection consent structure provides an auditable consent record for each disclosure.

Full academic record released — to the graduate admissions office only

Volkov authorizes the transcript tier for a graduate school application. This is a separately scoped consent event: full course history, grades, and academic standing are included. The employer projection and this transcript projection are independent events with no shared fields.

disclosure_events: verification_emp_b2c4 (employer): recipient: Recruiting verification system scope: degree + GPA authorized: 2025-09-01 transcript_included: NO admissions_grd_d7f1 (graduate school): recipient: Admissions Office · Graduate Program scope: full transcript + academic standing authorized: 2025-10-14 employer_projection_visible: NO cross_disclosure: none · structurally isolated

Architectural note. The graduate admissions office does not know that Volkov authorized an employer projection. The employer does not know she is applying to graduate school. Each projection is addressed to its recipient's key and reveals only its authorized scope. There is no shared identifier between the two disclosure events — they are cryptographically independent.

Legal significance — purpose limitation; data portability under GDPR Article 20. GDPR Article 20 grants data subjects the right to receive their personal data in a portable format and to transmit it to another controller. ABT-E's student-controlled projection architecture operationalises portability: Volkov can authorize any institution to receive her credential data without routing the request through Meridian University. The data subject is the transmission agent. GDPR Article 5(1)(b) purpose limitation is satisfied structurally: each projection contains only the data adequate for its purpose, and the recipient cannot access data outside that scope.

The institution cannot remove the issuance event — it can only annotate it

Meridian University attempts to mark Volkov's credential as invalid following an institutional dispute about the 2025 graduating class. The hash chain prevents factual erasure of the issuance event.

The institution may append a dispute annotation to the registry record. That annotation is itself hash-chained and publicly visible. What the institution cannot do is delete or alter the original issuance hash chain entry — h_n — which was computed at the moment of degree award from the envelope content and the prior chain state.

Any verification of Volkov's credential against the registry will show: (1) the issuance event at 2025-06-15, authenticated by Meridian University's institutional signing key; and (2) if present, the institution's dispute annotation. Both facts are visible. Neither can be made to disappear. The credential's existence is proven; the dispute's existence is also proven.

Property	Guarantee	Legal relevance
Forward-only issuance	Hash chain entry for credential issuance cannot be removed or altered after recording	Prevents institutional erasure of credential fact; preserves evidentiary record of issuance independent of institutional status
Student-controlled projection	Each disclosure (employer, graduate school, research) requires a separately authorized student projection	Structural FERPA consent enforcement; each disclosure is a distinct consent event with auditable authorization
Cross-disclosure isolation	Employer and graduate school projections share no common field; neither recipient knows of the other	Purpose limitation enforced structurally; no cross-disclosure aggregation by recipients
Aggregate research isolation	Research tier contains cohort statistics; no individual student PII is accessible to research function	FERPA's research exception (§ 99.31(a)(6)) is satisfied structurally rather than by policy waiver
Dispute annotation model	Institutions append disputes; they do not delete issuance events	Both issuance and dispute are publicly visible; dispute does not prevent student from presenting credential with the historical issuance record

Property

Guarantee

Legal relevance

Forward-only issuance

Hash chain entry for credential issuance cannot be removed or altered after recording

Prevents institutional erasure of credential fact; preserves evidentiary record of issuance independent of institutional status

Student-controlled projection

Each disclosure (employer, graduate school, research) requires a separately authorized student projection

Structural FERPA consent enforcement; each disclosure is a distinct consent event with auditable authorization

Cross-disclosure isolation

Employer and graduate school projections share no common field; neither recipient knows of the other

Purpose limitation enforced structurally; no cross-disclosure aggregation by recipients

Aggregate research isolation

Research tier contains cohort statistics; no individual student PII is accessible to research function

FERPA's research exception (§ 99.31(a)(6)) is satisfied structurally rather than by policy waiver

Dispute annotation model

Institutions append disputes; they do not delete issuance events

Both issuance and dispute are publicly visible; dispute does not prevent student from presenting credential with the historical issuance record

The credential the institution cannot take back

Meridian University issues Volkov's credential — forward-only from this moment

The employer sees the credential — and nothing beyond it

Full academic record released — to the graduate admissions office only

The institution cannot remove the issuance event — it can only annotate it