The unverifiable clause. In six costumes.

Every privacy policy on the internet contains some version of the same sentence: “we limit access to authorized personnel with a need to know.” Each industry says it slightly differently — but the verb is always self-graded, the audit is always internal, and the data subject is never a party to the verification. Below are six verbatim examples from the actual published policies of real companies and the regulations they sit under, with primary-source links you can click and read.

This page is the customer-facing-commitment layer of the same gap that /receipts shows on the regulator side and /caiq shows on the procurement side. Same architecture problem, three different vocabularies.

Why this is not a hit piece

Every company below is following the conventions of privacy-policy writing as the industry has practiced them since the late 1990s. None of them are lying — they are making the strongest claim a 1998-vintage rhetorical form permits. The clause was unverifiable when it was written because the cryptographic primitives that would make it verifiable did not exist as commodity software at the time. They do now. Unincorporated turns the clause into a property the customer can check, in their own browser, against cryptographic evidence. The companies below are the market — not the enemy.

Google

Google Privacy Policy — Keeping your information secure

Tech

Verbatim

“We restrict access to personal information to Google employees, contractors, and agents who need that information in order to process it. Anyone with this access is subject to strict contractual confidentiality obligations and may be disciplined or terminated if they fail to meet these obligations.”

Read on the source page

Why this isn't verifiable

The promise is that Google grades its own employees against an internal need-to-know standard, enforced by an internal disciplinary process, audited by Google. Every word of the clause is internally administered. The data subject — the user whose data is on the receiving end — is not a party to the grading, the enforcement, or the audit. They read the clause and trust it.

Apple

Apple Privacy Policy — Our Companywide Commitment to Your Privacy

Tech

Verbatim

“To make sure your personal data is secure, we communicate our privacy and security guidelines to Apple employees and strictly enforce privacy safeguards within the company.”

Read on the source page

Why this isn't verifiable

Even shorter on specifics than Google. The clause makes no claim about which employees access what or how access is gated — only that guidelines are communicated and safeguards are enforced. "Strictly" is doing rhetorical work that no external party can grade. "Within the company" is the load-bearing scope: Apple grades Apple, full stop.

JPMorgan Chase

Chase Online Privacy Policy — Information Security

Banking

Verbatim

“We use reasonable physical, electronic, and procedural safeguards that comply with legal and regulatory standards to protect and limit access to personal information.”

Read on the source page

Why this isn't verifiable

"Reasonable" is defined retroactively, by litigators and regulators, after a breach. "Comply with legal and regulatory standards" relocates the verification to the regulator (and the regulator has neither the staff nor the mandate to inspect every account-holder's access log). "Limit" is the verb the entire clause rests on, and the policy provides no mechanism by which the customer can check whether the limit held.

Plaid

Plaid — How we handle your data / Privacy Policy

Fintech

Verbatim

“Plaid implements controls designed to limit access to data to personnel who have a business reason to know it and prohibits its personnel from unlawfully accessing, using or disclosing this data.”

Read on the source page

Why this isn't verifiable

"Controls designed to limit" is one rhetorical step weaker than "controls that limit" — the design intent is asserted, the operational result is not. "A business reason to know" is judged by Plaid against Plaid's definition of business reason. The user whose financial data is the subject of the access does not see the access log Plaid keeps, and Plaid is under no statutory obligation to show it.

HIPAA-covered providers (45 CFR §164.502(b)(1))

HIPAA Privacy Rule — Minimum Necessary Standard

Healthcare

Verbatim

“When using or disclosing protected health information or when requesting protected health information from another covered entity or business associate, a covered entity or business associate must make reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.”

Read on the source page

Why this isn't verifiable

Every word grades itself. The covered entity defines "reasonable efforts," "minimum necessary," and "intended purpose." HIPAA's own accounting-of-disclosures provision (§164.528) excludes internal treatment, payment, and operations — the exact category where curiosity reads happen. A patient cannot, as of right, ask the hospital who on the workforce read their record.

FERPA-covered institutions (34 CFR §99.31)

FERPA — School official with legitimate educational interest

Education

Verbatim

“The disclosure is to other school officials, including teachers, within the agency or institution whom the agency or institution has determined to have legitimate educational interests.”

Read on the source page

Why this isn't verifiable

"Legitimate" is an adjective the school applies to its own staff. The student does not see the access log; FERPA confers no inspection right over the institution's own determinations. Three universities have written, into their own public FERPA notices, that "curiosity is never a legitimate educational interest" — see below. That sentence is a working institution conceding, in writing, that the clause is aspirational.

The institutions concede, in writing

“Curiosity is never a legitimate educational interest.”

Three U.S. universities have added an explicit disavowal to their own FERPA notices, written into their own registrar's pages. The disavowal exists because the institutions know the FERPA “legitimate educational interest” clause is aspirational — staff curiosity is common enough to warrant the explicit warning. The warning itself is the institution conceding the clause is unverifiable.

“Curiosity is never a legitimate educational interest!”
— William & Mary · Office of the University Registrar read on registrar's page ↗
“Curiosity is not a legitimate educational interest.”
— University of Missouri · Registrar read on registrar's page ↗
“A school official does not have a legitimate educational interest in information about a student for purposes of curiosity or personal gain.”
— Penn State · Registrar read on registrar's page ↗

Same clause. Six costumes. None of them user-verifiable — not because the companies are dishonest, but because the rhetorical form was settled before the cryptographic infrastructure existed to back it up.

Unincorporated turns the clause into a structural property: every access becomes a cryptographically signed entry the affected user can verify in their own browser. We're not asking the companies to write a better promise. We're shipping the infrastructure that makes the existing promise checkable.

Get early access See the regulator side →See the procurement side →