Consent, and the Right to Be Forgotten
How a sovereign intelligence system turns voice consent into a signed object and erasure into a verifiable proof.
A grandparent in Leeds takes a call. The voice is her grandson's, distressed, asking for money to make a problem disappear. It is not her grandson. It is thirty seconds of his speech, scraped from a video, fed to a synthesis model, and rendered live down the line. Through 2025 and into 2026 this pattern has moved from novelty to industry, with cloned relatives and cloned executives now a standard instrument of fraud. The voice is the most intimate identifier a person has, and it has become the easiest to forge.
The defensive conversation has largely fixated on detection: train a classifier to spot the fake after it arrives. That is a losing posture. Detection is always one model behind generation, and a victim on a phone call has no classifier running. The harder questions sit upstream and downstream of the call itself. Did the person whose voice this is ever agree to it being used this way? And once a model has learned a person's voice, can that person ever compel the model to forget?
Those two questions, consent at the point of capture and erasure at the point of request, define the regulatory frontier. UK GDPR and EU GDPR both grant a right to erasure under Article 17. The EU AI Act adds transparency duties for synthetic media. Yet the technical reality is that consent is usually a tick-box stored in a database far from the synthesis pipeline, and erasure is usually a promise that data has been deleted, with no way for the data subject to check whether it lingers inside a model's weights.
Mickai, the British Sovereign Intelligence Operating System, approaches all three problems as a single discipline. Consent must be a first-class signed object, captured at capture time. A live synthetic voice must be watermarked inside the stream, not certified afterward. And erasure must be provable rather than asserted. Each step is recorded in an Open Audit Record, an OAR, signed with post-quantum primitives and verifiable in an ordinary browser. The operator holds the keys, not a remote service.
Consent that travels with the utterance
The first of the relevant filed UK patent applications, GB2611886.9, treats consent as something bound to every single cloned utterance rather than to a one-off enrolment form. The voice-print owner enrols under a hardware-attested consent token and registers a set of consent classes drawn from a structured taxonomy: advertising, audiobook, accessibility, legal-evidence, broadcast-news, in-app-narration.
The binding happens at synthesis. When the system is asked to produce a cloned utterance for a given purpose, the signing pipeline evaluates the requested class against the predicate the owner registered. Only on a positive evaluation does the hardware element produce a post-quantum signature over a per-utterance attestation envelope. Ask for a use the owner never authorised and the pipeline produces no signature at all.
“Out-of-class invocation produces no signature, and verifiers reject any utterance whose envelope class does not match the carrier context.”
This moves consent from policy to cryptography. A voice cleared for an audiobook cannot quietly be repurposed for a political advertisement, because the advertisement's envelope would not match and any verifier would reject it. The subsystem discharges the per-utterance traceability that EU AI Act Article 52 contemplates at a cryptographic layer rather than relying on a written undertaking that nobody can audit.
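The gate described above can be sketched in a few lines. This is an added example, not Mickai's code or the method of the patent application: HMAC-SHA256 under a constructed key stands in for the hardware post-quantum signature, the owner's predicate is modelled as simple set membership, and all function and field names are hypothetical.

```python
import hashlib
import hmac
import json

# Stand-in signer (assumption): HMAC-SHA256 under a constructed demo key takes
# the place of the hardware element's post-quantum signature. A real verifier
# would hold only a public key.
DEMO_KEY = b"constructed-demo-key"

def _sign(payload: dict) -> str:
    msg = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(DEMO_KEY, msg, hashlib.sha256).hexdigest()

def sign_utterance(audio: bytes, owner: str, requested_class: str, registered: set):
    """Return a signed envelope, or None if the class is outside the owner's consent."""
    if requested_class not in registered:
        return None  # out-of-class invocation: no signature is produced
    payload = {
        "owner": owner,
        "class": requested_class,
        "audio_sha256": hashlib.sha256(audio).hexdigest(),
    }
    return {"payload": payload, "sig": _sign(payload)}

def verify_utterance(envelope, audio: bytes, carrier_class: str) -> str:
    """Check signature, audio binding, then envelope class against carrier context."""
    if envelope is None:
        return "reject: unsigned"
    payload = envelope["payload"]
    if not hmac.compare_digest(envelope["sig"], _sign(payload)):
        return "reject: bad signature"
    if payload["audio_sha256"] != hashlib.sha256(audio).hexdigest():
        return "reject: audio mismatch"
    if payload["class"] != carrier_class:
        return "reject: class mismatch"
    return "accept"

if __name__ == "__main__":
    consent = {"audiobook", "accessibility"}  # constructed sample registration
    env = sign_utterance(b"constructed-pcm", "owner-001", "audiobook", consent)
    print(verify_utterance(env, b"constructed-pcm", "audiobook"))
    print(verify_utterance(env, b"constructed-pcm", "advertising"))
    print(sign_utterance(b"constructed-pcm", "owner-001", "advertising", consent))
```

Relabelling a signed audiobook envelope as advertising fails the signature check, because the class is part of the signed payload.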
Watermarks inside the live stream
Consent at capture does nothing for the grandmother on the phone, because a fraudster is not asking permission. That is the problem addressed by GB2611925.5, which authenticates a live synthetic voice stream at the granularity of successive audio buffers.
At the producer, a psychoacoustic shaper embeds a latency-bound watermark into each buffer. A signing engine then computes a per-buffer signature whose payload binds the buffer hash, the prior buffer's signature, a hardware timestamp, and a speaker-identity attestation, signed under FIPS 204 ML-DSA-65. The signatures are interleaved with the audio, so a verifier confirms authenticity within one buffer of arrival rather than after the call ends.
The engineering constraint is what makes this usable. The total signing budget stays under fifty milliseconds per buffer, low enough to ride inside a live conversation without audible lag. A downstream recorder can later prove its recording is bit-identical to what was streamed. The design exists explicitly to counter deepfake voice-call attacks, the precise scenario filling fraud reports across 2025 and 2026. A genuine synthetic voice carries its rolling-window proof; an unauthorised clone does not, and the gap is detectable in real time.
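How the per-buffer chaining behaves when a stream is altered, reordered or truncated in the middle, as an added example that is not the project's own code. Assumptions: HMAC-SHA256 under a constructed key stands in for ML-DSA-65, timestamps are a constructed counter rather than a hardware clock, the psychoacoustic watermark is not modelled, and all names are hypothetical.

```python
import hashlib
import hmac
import json

DEMO_KEY = b"constructed-demo-key"  # stand-in for the producer's ML-DSA-65 key
GENESIS = "0" * 64                  # assumed "prior signature" for the first buffer

def _sign(payload: dict) -> str:
    msg = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(DEMO_KEY, msg, hashlib.sha256).hexdigest()

def sign_stream(buffers, speaker: str, buffer_ms: int = 20):
    """Producer: each payload binds buffer hash, prior signature, time, speaker."""
    prev, frames = GENESIS, []
    for i, audio in enumerate(buffers):
        payload = {
            "buffer_sha256": hashlib.sha256(audio).hexdigest(),
            "prev_sig": prev,
            "ts_ms": i * buffer_ms,  # constructed clock, not a hardware timestamp
            "speaker": speaker,
        }
        prev = _sign(payload)
        frames.append({"audio": audio, "payload": payload, "sig": prev})
    return frames

def verify_stream(frames) -> int:
    """Verifier: return the index of the first failing buffer, or -1 if all pass."""
    prev, last_ts = GENESIS, -1
    for i, frame in enumerate(frames):
        p = frame["payload"]
        ok = (
            p["buffer_sha256"] == hashlib.sha256(frame["audio"]).hexdigest()
            and p["prev_sig"] == prev          # chain link to the previous buffer
            and p["ts_ms"] > last_ts           # time must move forward
            and hmac.compare_digest(frame["sig"], _sign(p))
        )
        if not ok:
            return i
        prev, last_ts = frame["sig"], p["ts_ms"]
    return -1

if __name__ == "__main__":
    stream = sign_stream([b"buf-0", b"buf-1", b"buf-2", b"buf-3"], "speaker-001")
    print(verify_stream(stream))                                        # intact
    print(verify_stream([stream[0], stream[2], stream[1], stream[3]]))  # reordered
```

Because each check needs only the current frame and the previous signature, the verifier can flag a break at the buffer where it occurs rather than at the end of the call.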
Forgetting that can be checked
The third question is the one the industry has dodged most thoroughly. Suppose a person succeeds in withdrawing consent and demands erasure under Article 17. Deleting their rows from a training set is straightforward. Removing what the model learned from those rows is not, and a deletion certificate from the operator is, in the end, a piece of paper.
GB2611916.4 sets out a method for honouring an erasure request against a multi-tenant AI system in a way that can be verified without re-disclosing the erased data. On receipt of a request, the operator-controlled system identifies the dataset fragments belonging to the requesting data subject, computes a Merkle root over them, and runs a machine-unlearning procedure against the model trained on those fragments. It then computes a weight-delta proof representing the parameter change and emits a signed tombstone record under a post-quantum key bound to operator-personalised silicon.
The significance is in who can check. A regulator, the data subject, or a third-party auditor, given the tombstone and the operator's public key, can independently confirm that the named data has gone from both the dataset and the learned model parameters. They can do so without ever observing the erased data itself, which matters because re-disclosure during an erasure audit would defeat the purpose. Forgetting stops being a promise and becomes a proof a sceptic can verify.
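The commitment side of this flow, as an added example that is not the method of the application or the project's code: it shows an auditor checking a signed tombstone from fragment digests alone. Assumptions: HMAC-SHA256 stands in for the silicon-bound post-quantum signature, the auditor already holds per-fragment SHA-256 digests, the unlearning step is not modelled, `weight_delta` is an opaque placeholder, and all names are hypothetical.

```python
import hashlib
import hmac
import json

DEMO_KEY = b"constructed-demo-key"  # stand-in for the silicon-bound post-quantum key

def _sign(payload: dict) -> str:
    msg = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(DEMO_KEY, msg, hashlib.sha256).hexdigest()

def fragment_hashes(fragments):
    """Digest each fragment; the auditor is given these, never the fragments."""
    return [hashlib.sha256(f).digest() for f in fragments]

def merkle_root(leaf_hashes) -> str:
    """Merkle root with distinct leaf/node prefixes; an odd node is promoted."""
    if not leaf_hashes:
        raise ValueError("no fragments to commit to")
    level = [hashlib.sha256(b"\x00" + h).digest() for h in leaf_hashes]
    while len(level) > 1:
        nxt = [hashlib.sha256(b"\x01" + level[i] + level[i + 1]).digest()
               for i in range(0, len(level) - 1, 2)]
        if len(level) % 2:
            nxt.append(level[-1])
        level = nxt
    return level[0].hex()

def make_tombstone(subject_ref: str, fragments, weight_delta: str) -> dict:
    leaves = fragment_hashes(fragments)
    payload = {"subject_ref": subject_ref, "fragment_count": len(leaves),
               "fragments_root": merkle_root(leaves), "weight_delta": weight_delta}
    return {"payload": payload, "sig": _sign(payload)}

def audit_tombstone(tombstone: dict, leaf_hashes) -> str:
    """Audit from digests alone: signature first, then the Merkle commitment."""
    payload = tombstone["payload"]
    if not hmac.compare_digest(tombstone["sig"], _sign(payload)):
        return "reject: bad signature"
    if (len(leaf_hashes) != payload["fragment_count"]
            or merkle_root(leaf_hashes) != payload["fragments_root"]):
        return "reject: root mismatch"
    return "accept"

if __name__ == "__main__":
    clips = [b"constructed-clip-1", b"constructed-clip-2", b"constructed-clip-3"]
    stone = make_tombstone("subject-001", clips, "placeholder-delta-digest")
    print(audit_tombstone(stone, fragment_hashes(clips)))
```

A passing audit here shows only that the signed tombstone commits to exactly the named fragments; confirming the change to the model's parameters depends on the weight-delta proof, which this example does not model.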
Why the keys have to sit with the operator
These three subsystems share a structural choice. The signatures are produced in operator-controlled hardware, and the resulting records chain into an Open Audit Record that anyone can verify in a browser against a public key. The operator is the keyholder, not a platform that could be compelled, breached, or wound up.
That choice is what makes the guarantees durable. A consent class enforced by a vendor's server lasts only as long as the vendor honours it. A signature anchored to silicon the operator controls survives the vendor entirely, and a verifier in five years' time needs only the public key and the record, not the originating system's continued goodwill.
These capabilities sit within Mickai's wider portfolio of filed UK patent applications, fifty-seven in all, named inventor Micky Irons, recorded on the UK Intellectual Property Office register from GB2607309.8 onward. They are filed applications under examination, not granted monopolies, and the relevant point for policy is narrower and more useful than any count.
The point is that consent, watermarking, and erasure are not aspirations to be legislated toward. They can be engineered now, at the layer where the voice is captured, synthesised, and learned, and they can be made checkable by the very people the law means to protect. The grandmother in Leeds should not have to detect a forgery. The system should never have been able to produce one without leaving a signature that says so.


