ABT-G

Gov Records

Dual lifecycle: permanent institutional signing, retention-bound encryption for citizen personal data.

Filed · Patent pending

Sid Ratnam

ABT methodology family · variant ABT-G · counsel memorandum

A record two institutions share and neither can read whole

A worked example of dual-lifecycle tier separation, audit-without-PII, and supervised citizen-tier access in the government records variant of the ABT methodology family.

U.S. Provisional Patent 64/056,353 · Filed May 4, 2026 · Foundational specification: ABT envelope-tier architecture

Abstract

The ABT-G variant applies the foundational envelope-tier architecture to government records, with an individual tax return as the canonical scenario. The variant-specific architectural elements are: dual-lifecycle tier separation, in which the same underlying record is projected into an authority tier (full PII, accessible for routine tax administration) and an audit tier (aggregate figures only, inaccessible to the authority tier key); aggregate-only audit processing, in which the audit function conducts population-level analysis and flags statistical outliers without ever accessing a citizen's name, address, or identifying number; and supervised citizen-tier access escalation, in which access to PII by the audit function requires separate institutional authorisation, is logged to a tamper-evident chain, and is therefore auditable by the data subject. This memorandum follows Lena Marchetti's return from filing through routine administration, statistical flagging, and supervised escalation.

I. The return is filed — two projections constructed at source

Lena Marchetti files her return — two tiers, one envelope

Marchetti's device constructs a single envelope containing two independent tier projections: one addressed to the authority tier key (full PII), one addressed to the audit tier key (aggregate figures only). Neither projection enables decryption of the other.

Actor	Endpoint	Holds at filing
Lena Marchetti Citizen · taxpayer · first party	Personal device / filing portal	Persistent root return key `rk_marchetti`; constructs envelope locally before submission; derives filing token `rk_marchetti_2025`
National Tax Office Revenue authority · second party	Central tax administration	Authority tier key; can decrypt citizen projection (full PII); holds sealed audit projection
Office of Tax Compliance Audit function · institutional third party	Separate compliance infrastructure	Audit tier key; can decrypt audit projection (aggregates only); cannot access citizen projection
Record Registry Neutral witness	Independent oversight	Witnesses filing event; records hash-chained log entry; holds no decryption material for either tier

Filing envelope · rk_marchetti_2025

filing_tokenrk_marchetti_2025

tax_year2025

authority_tierfull PII projection · encrypted to authority tier key

audit_tieraggregate projection · encrypted to audit tier key

registry_witnessrk_marchetti_2025 · filed · hash-chained

Legal significance — GDPR Article 5(1)(b); purpose limitation. GDPR Article 5(1)(b) requires that personal data be collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes. ABT-G operationalises purpose limitation at the architectural layer: the audit tier receives only the data adequate for its stated purpose (statistical compliance analysis). The authority tier receives the data adequate for its purpose (individual tax administration). Neither tier holds more than its purpose requires, and the cryptographic structure enforces the limitation — it is not a contractual commitment between institutions that can be waived by agreement or compelled by subpoena directed at one institution to produce data held by the other.

II. Routine administration — authority tier only

Tax assessment and payment proceed — audit tier sealed throughout

Routine tax administration — assessment, payment matching, refund processing — operates entirely within the authority tier projection. The audit tier remains sealed to the authority tier key. The audit function has no access to citizen PII at this stage.

Authority tier view · rk_marchetti_2025

taxpayer_idTIN_38847201

full_nameLena Marchetti

addressVia Torino 14, Milan

income_total€ 94,200

tax_due€ 22,300

audit_tier— sealed · not accessible to authority tier key —

Architectural note. The authority tier key cannot decrypt the audit projection. This is not an institutional policy — it is the cryptographic boundary. The two tier keys are independent; neither is derived from the other, and neither can serve as the decryption key for the other's projection.

Legal significance — IRC § 6103 equivalents; statutory taxpayer confidentiality. Most tax jurisdictions maintain statutory confidentiality protections for return information, prohibiting its disclosure except to specified parties for specified purposes. ABT-G instantiates these statutory categories as cryptographic tiers. The audit function's access to aggregate data does not constitute access to "return information" within the meaning of confidentiality statutes — because the audit tier projection does not contain the identifying information the statute protects.

III. Audit sweep — aggregate analysis without PII

Statistical outlier detected — no PII accessed

The audit function performs population-level analysis across audit projections for the 85K–100K income bracket. It identifies a statistical outlier in Marchetti's return: deduction ratio 0.31 against a bracket average of 0.19. The citizen tier remains sealed throughout this analysis.

audit_sweep_2025: bracket: € 85,000 – 100,000 population_n: 14,382 returns bracket_avg_deduction_ratio: 0.19 rk_marchetti_2025: income_bracket: € 85,000 – 100,000 deduction_ratio: 0.31 deviation: +0.12 (1.8σ above mean) flag: elevated_deductions · AF-2025-0081 citizen_tier_accessed: false PII_in_scope: false

The flag AF-2025-0081 references rk_marchetti_2025 — the filing token — not Marchetti's name or TIN. The audit function at this point does not know that this return belongs to Lena Marchetti. It knows only that a return in the relevant bracket, carrying filing token rk_marchetti_2025, has a deduction ratio 1.8 standard deviations above the bracket mean.

Legal significance — proportionality of surveillance; ECHR Article 8 proportionality analysis. European human rights jurisprudence on tax surveillance (e.g., Bernh Larsen Holding AS v. Norway, ECtHR 2013) applies a proportionality analysis: does the state's investigative measure go further than necessary to achieve its legitimate aim? ABT-G's aggregate-tier analysis satisfies proportionality precisely because it achieves the audit aim (identifying statistical outliers for investigation) without the disproportionate measure (accessing PII for the entire population under review). The privacy interference occurs only when escalation to citizen-tier access is authorised for a specific flagged return.

IV. Escalation — supervised citizen-tier access

The audit function requests PII access — separate institutional authorisation required

Having flagged rk_marchetti_2025, the audit function submits a citizen-tier access request. The request references the filing token and the audit flag basis. A designated authorising official approves the request. Only then is the citizen tier key released for this specific return.

Citizen-tier access — authorised · AUTH-2025-0081

taxpayer_idTIN_38847201

full_nameLena Marchetti

addressVia Torino 14, Milan

deductions_itemisedhome office € 18,400 · professional development € 11,000

access_logAUTH-2025-0081 · Director Chen · hash-chained

access_chain_entry: return_token: rk_marchetti_2025 citizen_tier_opened: true authorisation: AUTH-2025-0081 authorising_official: Director Chen · Office of Tax Compliance prev_hash: h_n-1 this_hash: SHA256(rk_marchetti_2025 || AUTH-2025-0081 || timestamp || h_n-1)

Legal significance — data subject access rights; accountability. Under GDPR Article 15, a data subject has the right to know whether their personal data has been processed and by whom. ABT-G's tamper-evident access log satisfies this right structurally: Marchetti can request her access log and receive a hash-chained record of every citizen-tier access event, including the authorisation reference, the approving official, and the timestamp. The log cannot be altered without breaking the hash chain. This is not equivalent to a policy statement that access logs are maintained — it is a cryptographic guarantee that access events are recorded and tamper-evident from the moment of occurrence.

V. Marchetti's deductions substantiated — audit closes

The elevated ratio is explained — the log reflects the full arc

Marchetti provides supporting documentation. Home office deduction (€ 18,400) and professional development (€ 11,000) are substantiated. The audit closes without adjustment. The access log permanently records both the flag and the closure.

The audit close event is appended to the hash chain as a separate entry: audit flag AF-2025-0081, status: closed without adjustment, documentation verified, date. Marchetti's future interaction with the tax system is unaffected — no persistent flag survives the audit closure.

What the registry holds at audit close: two hash-chained entries — (1) citizen-tier access authorised under AUTH-2025-0081, (2) audit flag AF-2025-0081 closed without adjustment. No PII appears in either registry entry. The entries reference only tokens and authorisation codes.

VI. Structural claim summary

What ABT-G guarantees — and its limits

The following properties hold by cryptographic construction.

Property	Guarantee	Legal relevance
Dual-lifecycle tier separation	Authority tier (full PII) and audit tier (aggregates) are encrypted to independent keys; neither key can decrypt the other's projection	Structural purpose limitation; each institutional function accesses only the data adequate for its role
Aggregate-only audit processing	Population-level analysis and statistical flagging proceed without PII access; flags reference filing tokens, not citizen identities	Proportionality of surveillance; audit achieves its aim without the disproportionate measure of mass PII access
Supervised escalation	Citizen-tier access by audit function requires separate institutional authorisation, referencing the filing token and flag basis	Accountability architecture; access is not unilateral, not invisible, and not unlogged
Tamper-evident access log	Every citizen-tier access event is hash-chained; cannot be altered without breaking chain integrity	GDPR Article 15 right of access; data subject can verify when and under what authorisation their record was opened
No PII in audit tier	A subpoena to the audit function for citizen PII cannot be satisfied — the audit tier does not contain identifying information	Limits compelled production to data actually held; audit function cannot produce what its tier key cannot decrypt

ABT methodology family · ABT-G government records variant · counsel reference document · US Provisional Patent 64/056,353 · Filed May 4, 2026

sidratnam.com