Reviewer Attestation R-441 — Reader Consent Specification
Path: /governance/reader-consent.md · v1.0 · 2026.05
This specification governs Reviewer Attestation R-441, the system that logs reader interactions with the portfolio (focal length, spectrum dial, aperture, links followed). v1.0 of the portfolio implemented R-441 silently by default; v1.1 (this spec) converts it to explicit opt-in. A summary of the change is documented at /governance/changelog.md.
The goal: R-441 retains its conceptual move (the reader is a participant; the reader's interactions are part of the disclosure surface) without surveilling visitors who have not consented.
1. What R-441 records (current implementation)
Per browser session, in local storage only, R-441 records:
- Timestamps of user interactions with the three manipulanda (focal length, spectrum dial, aperture).
- The state-vector of those manipulanda at each transition.
- Anchor links the user has followed within the site.
- Total session time on each route.
R-441 does not record:
- User identity, IP address, geolocation, browser fingerprint, or any data that could re-identify the user.
- Any data the user enters into form fields (the site has none).
- Any data outside the user's local browser session.
- Mouse movement, keystroke timing, scroll depth, or other behavioral signals not explicitly listed above.
R-441 does not transmit any recorded data to any server, third party, or storage layer outside the user's browser. Verification: open the browser's network tab while interacting with the site; there is no R-441 outbound traffic.
2. The consent model (v1.1)
2.1 Default state
Off. R-441 records nothing until the user explicitly opts in.
2.2 The consent prompt
On first visit to a page that exposes the manipulanda, the user sees a non-modal banner:
Reviewer Attestation R-441. This site can log your interactions with the focal length, spectrum dial, and aperture controls into a local session-only record. The log is not transmitted, not retained beyond the session, and not shared. R-441 is part of the portfolio's "the apparatus also discloses to its readers" stance. Off by default.
[ Turn R-441 on ] · [ Keep R-441 off ] · [ What is this? ]
2.3 Granular controls
After opt-in, the user retains:
- A persistent visible indicator in the page chrome showing R-441 is logging.
- A "Pause R-441" toggle accessible from the chrome at all times.
- A "Purge R-441 attestation" control that clears local state immediately.
- A "Download my attestation" control that exports the record as a signed JSON document for the user's own analysis.
2.4 Re-prompt cadence
Once the user has made a choice, the prompt does not re-appear in the same session. The choice persists in localStorage. Major spec changes (e.g., a v1.2 that adds new logged signals) trigger a fresh prompt.
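A sketch of the consent gate described in 2.1 through 2.4, added here as an example and not taken from /src/r441.js. The function names, storage keys, and version strings are assumptions. The log store is passed separately from the choice store so the caller decides which Storage object holds it: `localStorage` survives a tab close unless the code clears it, while `sessionStorage` is discarded by the browser when the tab closes.

```javascript
// Added example, not the R-441 client. All names and storage keys are hypothetical.
const CONSENT_KEY = "r441.consent";
const LOG_KEY = "r441.log";

function createR441(choiceStore, logStore, specVersion) {
  let paused = false;

  // A stored choice counts only if it was made under the current spec version;
  // a missing, corrupt, or older-version value means "prompt again, log nothing".
  function currentChoice() {
    try {
      const c = JSON.parse(choiceStore.getItem(CONSENT_KEY) || "null");
      return c && c.version === specVersion ? c : null;
    } catch {
      return null;
    }
  }
  const readLog = () => JSON.parse(logStore.getItem(LOG_KEY) || "[]");
  const isLogging = () => { const c = currentChoice(); return !!c && c.on === true && !paused; };

  return {
    needsPrompt: () => currentChoice() === null,
    isLogging,
    choose(on) {
      choiceStore.setItem(CONSENT_KEY, JSON.stringify({ version: specVersion, on: on === true }));
      if (on !== true) logStore.removeItem(LOG_KEY); // declining leaves no record behind
    },
    pause(flag) { paused = flag === true; },
    record(control, state) {
      if (!isLogging()) return false; // off by default: the event is dropped, not queued
      const log = readLog();
      log.push({ t: Date.now(), control, state });
      logStore.setItem(LOG_KEY, JSON.stringify(log));
      return true;
    },
    entries: readLog,
    purge() { logStore.removeItem(LOG_KEY); },
  };
}

// In-memory stand-in for the browser Storage interface, so the sketch runs under Node.
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: (k) => { m.delete(k); },
  };
}
```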
3. What does not change between v1.0 and v1.1
- The conceptual move (reader-as-participant) is preserved.
- The local-only architecture is unchanged.
- The non-transmission guarantee is unchanged.
- The interaction with the manipulanda is unchanged from the user's perspective when R-441 is off.
4. The data-handling statement (canonical)
Reviewer Attestation R-441 — Data Handling
==========================================
Collected: only with explicit user opt-in
Stored: in browser localStorage on the user's device only
Transmitted: never
Retained: until the user closes the browser tab OR purges the attestation
Shared: never
Used for: local reader self-analysis only
Sold: no party will ever pay for this and the answer is no anyway
This statement is canonical. Any update requires a new spec version and a re-prompt.
5. Audit and verification
5.1 Source visibility
The R-441 client code is open-source at /src/r441.js and is content-hashed. Any reader can verify the client they are running against the published hash.
5.2 Network audit
The "audit" page at /r441/audit opens a developer-tools-style monitor showing R-441's local-only behavior in real time. Readers can verify with their own eyes that nothing is transmitted.
5.3 Third-party audit
A third-party security audit of R-441 will be commissioned within 6 months of the v1.1 release (funding-contingent). The auditor's report will be published whether favorable or unfavorable.
6. Failure modes and disclosures
6.1 If R-441 ever transmits
A single transmission would be a violation of this spec and would require:
- An immediate public disclosure at /disclosures.md.
- A post-mortem at /post-mortems/.
- A version bump to v1.2 with the issue resolved.
- A re-prompt to every returning visitor.
6.2 If R-441 ever logs data it should not
Same response chain.
6.3 If a contributor proposes adding telemetry
Rejected by default. The portfolio's argument depends on R-441 being a demonstration that consent-aware, local-first observability is implementable. Telemetry breaks that argument.
7. Why R-441 exists at all
The portfolio argues, in multiple places, that behavioral observability can be implemented consent-aware and local-first. R-441 is the on-site existence proof of that claim. A portfolio that made the argument without ever demonstrating it would be one more position paper; R-441 makes the argument with a running implementation.
The original silent-default implementation undermined the argument by enacting the surveillance the portfolio criticizes. This spec corrects that. The conceptual move is preserved; the operational behavior is now consistent with what the portfolio asks of the rest of the industry.
8. Future amendments
- v1.2 candidate: add a "share my attestation with the author" opt-in (separately consented, end-to-end signed by the user) for readers who want to be visible to the author's analysis. Default off.
- v1.3 candidate: offer an academic-research API that allows researchers to submit their own attestations under signed consent for inclusion in a (separately disclosed) reader-attestation research corpus.
Both are speculative. Neither is in v1.1.