A gap hiding in plain sight

For two decades, we have built our defenses around a single idea: protect the data. Keep your information private. Control who collects it, who stores it, and who is allowed to share it. The great privacy laws of our time — Europe’s data protection rules, and the regulations that have followed around the world — are all built on this foundation. They guard the information you hand over.

This was the right battle for its time. But while we were busy guarding the front door, a side door opened that the law does not yet recognize. And almost everything that matters now passes through it.

The front door is your data — the facts you provide. The side door is inference — the conclusions a system draws about you from those facts. And here is the uncomfortable truth at the center of this piece: our laws govern the data, but they barely touch the inference. We have built elaborate protections around the information you give. We have built almost nothing around what machines conclude from it.

That gap is where the real power now lives. And it is being commercialized every day in ways that affect people without their knowledge or consent.

The difference between data and inference

Let me make the distinction concrete, because everything depends on it.

Your data is what you tell a system. Your age. Your address. Your purchase history. The words you typed into a search box. The places your phone has been. These are facts you provided, knowingly or not, and the law has a great deal to say about them. A company generally cannot take your medical records and sell them. It must ask your permission to collect certain information. You have the right to see your data, correct it, and sometimes delete it.

Your inference is something else entirely. It is what a system concludes about you that you never told it. From your shopping patterns, a system may infer that you are pregnant before you have told anyone. From the rhythm of your typing and the words you choose, it may be inferred that you are depressed, or anxious, or beginning to decline cognitively. From the time of night you are active, the pauses in your messages, and the subtle shifts in how you move through an app, it may infer things about your health, your emotional state, and your vulnerabilities that you do not know about yourself.

You never provided these conclusions. You could not have consented to them, because you did not know they were possible. And in most of the world, the law does not treat them as yours to control. The data that fed the inference may be protected. The inference itself — the actual knowledge about you, the thing of real value — floats free.

This is the gap. The law guards the raw material and ignores the finished product.

Why is this not a small problem

It would be one thing if these inferences sat harmlessly in a database. They do not. They are acted upon. They shape what you are shown, what you are offered, what you are charged, and what is decided about you — often before you are aware that any conclusion has been reached.

An inference that you are anxious can be used to time an advertisement for the moment you are most likely to give in. An inference that you are in financial distress can be used to offer you a worse deal, not a better one, because your desperation makes you less likely to walk away. An inference about your health can shape what insurance you are offered, what price you see, and what opportunities quietly never reach you. None of this requires anyone to look at your protected data directly. It requires only the conclusion drawn from it — the inference that the law does not govern.

And there is a particular form of this harm that deserves to be named plainly, because it is the one almost no one sees coming.

Consider a man who applies for a job he is qualified for, and does not get it. He applies for another, and another. He never learns why the doors stay closed. He assumes it is the market, or bad luck, or some failing of his own. What he does not know — what he has no way to know — is that somewhere in the hiring process, a system drew a conclusion about him. From the cadence of his speech in a recorded interview, a risk was inferred. From a pattern in his data, a future cost was predicted. He was filtered out before a human ever truly considered him. There was no decision he could point to, no rejection he could read, no conclusion he could contest. There was only a series of doors that quietly never opened.

This is the part of the inference economy that should trouble us most. Ordinary harms announce themselves. If your data is stolen, you may eventually find out. If you are formally denied something, you usually receive a notice, sometimes a reason, sometimes a right to appeal. But exclusion by inference is silent by design. The person never learns that a conclusion was reached, never sees the inference that shaped their life, never gets the chance to say: that is wrong, that is not who I am, let me show you. They simply live a narrower life than they otherwise would have, and attribute it to everything except the invisible judgment that produced it.

The job that never came. The loan was quietly priced beyond reach. The opportunity that never arrived. Increasingly, the reason may be a conclusion drawn by a system the person will never see, about a version of themselves they did not create and cannot correct. This is not a distant fear. It is the predictable result of letting inference operate in a space the law does not yet govern.

I have written at length about one of the most troubling versions of this in my report on what I call the desperation algorithm. When people are under pressure — when they are sick, frightened, or excluded from the care or services they need — they generate enormous amounts of revealing information, precisely when they are least able to protect themselves. A person searching desperately for a diagnosis they cannot get from an overwhelmed health system is producing a stream of inferences about their condition, their fear, and their willingness to act. That inference becomes a commodity. It is harvested and acted upon, commercially, at the exact moment the person is most vulnerable and least aware. The data protections, such as they are, do not reach it. The inference economy operates in the space the law forgot.

This is what makes the gap dangerous rather than merely technical. It is not an abstract loophole. It is a mechanism by which the most intimate conclusions about people are turned into products and used to influence those same people, without their knowledge or meaningful consent.

Why consent, as we understand it, does not protect you

The usual answer to a privacy concern is consent. You agreed to the terms. You clicked accept. You can always opt out.

But consent, as it currently works, cannot protect you from inference, for a simple reason: you cannot consent to something you do not know is possible.

When you accept an app’s terms, you might vaguely understand that you are sharing some data. You do not understand — because no one can fully understand — the conclusions that data will later make possible when combined with everything else, processed by systems that grow more capable every month. You cannot consent to an inference that did not exist when you clicked accept, drawn by a model that had not yet been built, about a vulnerability you did not know you had. The consent you gave was for the data. The inference came later, from a side door you were never shown.

And there is a further problem, which I have explored elsewhere: consent given under conditions of pressure is not real consent at all. A person who agrees to invasive terms because they are desperate for care, or because the service is one they cannot function without, has not freely chosen. They have submitted. To treat that submission as consent is to mistake the absence of an alternative for the presence of agreement.

So the protective mechanism we lean on — consent — was built for the world of data, where the transaction is at least visible when it happens. It does not function in the world of inference, where the meaningful conclusions are drawn long after the moment of agreement, by systems no one fully understands, about things the person never disclosed.

Even the boldest law so far stops at the surface

It is worth looking at the most advanced attempt anyone has made to protect the human self in the digital space, because it shows both how far the thinking has come and how far it still has to go.

In 2025, Denmark proposed a genuinely pioneering amendment to its copyright law: giving every individual rights over their own body, facial features, and voice. The idea is striking in its simplicity — your likeness belongs to you, as a matter of ownership, not merely privacy. Under the proposal, a person could demand that platforms remove content using their image without consent, claim compensation, and hold platforms liable if they fail to act. It was, as far as I am aware, the first law of its kind, and it reframes identity in exactly the direction I am arguing for: from something you merely keep private to something you actually own.

But notice where even this bold proposal stops. It was designed to combat deepfakes — the unauthorized synthetic reproduction of your face, your body, your voice. It protects the outward, recognizable self: the version of you that someone could copy and fabricate. It does not reach inference. A deepfake imitates how you look and sound. An inference concludes what you have not said — that you are likely ill, likely declining, likely a poor risk, likely a future cost. Denmark’s proposed law would guard your face. It would not guard the conclusions a machine draws about your mind, your health, or your future.

I should be careful here: as of this writing, the Danish measure was a proposal moving through its parliament, not yet settled law, and the details of any enacted version matter. But the principle it establishes is the important thing. It is the furthest any jurisdiction has gone toward treating the digital self as owned — and even it covers only likeness, leaving the inferred self entirely exposed.

And this is the hopeful part of the argument. The Danish principle can be carried forward. If we are willing to say that a person owns their face and voice, there is no reason, in principle, we cannot say that a person owns the conclusions drawn about them as well. The same ownership logic that protects your likeness could be extended to protect your inferences — to cover, in other words, the whole of personhood in the digital space, not just its surface. Denmark has shown that treating the self as owned is legally possible. The next step is to extend that ownership from how you appear to what is concluded about you.

What governing inference would actually require

I believe that naming a problem carries an obligation to propose a way forward — not a finished answer, but a starting point that others can build on, argue with, and improve. So let me offer one.

The deepest fix is also the simplest to state. Today, the moment an inference about you is generated, it belongs, in practice, to whoever generated it. They store it, trade it, and act on it. You are not part of the transaction. Imagine instead that the conclusions drawn about you were held in something like a safe deposit box — one to which only you hold the key. The inference still exists. It can still be useful. But it sits in a protected space under your control, and no one reaches it without your knowing permission. You decide who sees what a system has concluded about you, and when, and for what purpose. You can open the box for your doctor and keep it closed to an advertiser. The default flips: from “the inference is theirs unless a law says otherwise” to “the inference is yours unless you choose to share it.”

I call this inference escrow. The conclusions about you are held in escrow — under your control — rather than released, by default, into a market you cannot see. I have developed the fuller architecture of this idea, including how it can work technically without crippling the legitimate learning that makes AI useful, in my report on the desperation algorithm. The point for now is simpler: it is possible to imagine a world in which the finished product — the inference — is governed, and governed by the person it describes, rather than left to float free.

Around that core idea, other things follow.

It would require transparency about inference, not only about data collection. A person has some right to know not just what was collected, but what was concluded — and to contest a conclusion that is wrong, or that is being used against their interest. Today, the inferences made about us are largely invisible, which is exactly what makes them so powerful. Visibility is the precondition for any control.

It would require limits on the commercial use of inference in moments of vulnerability — recognizing that an inference of distress, of illness, of desperation, is not simply a market signal to be exploited, but a moment where a person most needs protection, not targeting.

And it would require what I have argued for throughout my work: that meaningful human authority, transparency at the points that matter, and anticipatory rather than reactive governance be built into these systems by design — before dependencies lock in, while the practices are still ours to shape.

I do not pretend this is the complete answer. It is one mechanism, offered to begin the conversation, and it will take many minds — legal, technical, ethical — to get it right. But a starting point that can be argued with is worth more than a problem left sitting in the air.

The window is closing

Here is why this cannot wait. The inference economy is being built right now, on the assumption that the law does not reach it — and every month that assumption holds, it becomes more deeply embedded in how products are designed, how companies make money, how decisions about people are made. The longer we treat inference as ungoverned space, the harder it becomes to govern at all. This is the familiar trap of technology regulation: by the time the harm is undeniable, the practice is too entrenched to change easily.

We had a chance, twenty years ago, to think clearly about data, and we did real work — imperfect, but real. We now have a narrower, more urgent opportunity to think clearly about inference before it becomes the invisible infrastructure by which people are understood and influenced without their knowledge.

The law guards your data. It is time it learned to see what machines conclude about you — because that conclusion, not the data behind it, is what increasingly shapes your life. We protected the front door for a generation. The side door is wide open, and most people do not even know it is there.

Related reading. This argument extends the analysis in my report, The Cognitive Revolution and the Desperation Algorithm, which examines how vulnerability and inference intersect in healthcare, and in my book, The Cognitive Revolution: Navigating the Algorithmic Age of Artificial Intelligence (available on Amazon). My analysis of anticipatory governance and the European Union’s AI Act further develops the regulatory argument. All are available on my Substack at blogs.inspire-aspire.net.