MICKAI
Article · 29 May 2026

When the Court Asks the Vendor for Your Data, the Question Is Who Held the Keys

A New York federal court has ordered OpenAI to retain ChatGPT output logs it would otherwise delete, including data users asked to erase, while a separate class action filed in May 2026 alleges the same platform shared query topics and account identifiers with third parties. Both stories turn on one fact: the vendor held the keys and the logs. On a Sovereign Intelligence Operating System, the operator holds both.

Author: Micky Irons
Published: 29 May 2026
Tags: data-sovereignty, openai, post-quantum, ml-dsa-65, open-audit-record

A deletion that was not a deletion

In May 2026 a federal magistrate in the Southern District of New York ordered OpenAI to preserve ChatGPT output log data that the company would, in the normal course, have deleted. The order arrives inside the copyright litigation brought by The New York Times, The New York Times Company v. Microsoft Corporation and OpenAI (No. 1:23-cv-11195), and it reaches a long way. As Bloomberg Law reported (https://news.bloomberglaw.com/privacy-and-data-security/openai-case-amplifies-legal-tension-between-discovery-privacy), the preservation requirement applies to output logs "whether such data might be deleted at a user's request or because of numerous privacy laws and regulations," and it touches the data of OpenAI's roughly 300 million weekly active users.

Read that clause again, because it is the whole article. A user who pressed delete, and a user whose data was governed by a statutory erasure right, are both inside the scope of an order that says: keep it anyway. OpenAI objected that the order was unduly burdensome and a threat to user privacy. The magistrate rejected the privacy objection, characterising the retention as temporary and the data as kept confidential. Whatever the merits, the operational reality is now on the record. The user's deletion was a request to the vendor. The court spoke to the vendor. The request did not survive the conversation.

The same lesson, read twice

A fortnight of headlines told the matching half of the story. In the same window, class actions were filed against OpenAI alleging that ChatGPT's website carried Meta and Google tracking code and transmitted users' query topics, account identifiers, and email addresses to those third parties without consent. Tech Times reported (https://www.techtimes.com/articles/316856/20260519/openai-faces-data-sharing-lawsuit-chatgpt-bank-account-access-launches-no-fiduciary-safeguard.htm) that the complaints invoke the federal Electronic Communications Privacy Act and California's Invasion of Privacy Act. Two days after one of the filings, OpenAI launched a personal finance integration letting subscribers connect bank accounts, investment portfolios, and credit cards through Plaid. The Center for Democracy and Technology's Ridhi Shetty observed that financial data "can reveal deeply personal details about a person's life, habits, vulnerabilities, and relationships." The same coverage noted the platform carries, in its words, "no legal obligation to act in a user's best interest."

Put the two stories side by side. In the first, a court can reach into a vendor's infrastructure and freeze the data you thought you had erased. In the second, a vendor's infrastructure can move your data outward to parties you never named. Different directions, identical premise: the data and the logs live on someone else's hardware, under someone else's keys, governed by someone else's terms. Confidentiality here is a promise. A promise is exactly the kind of thing a court can override and a tracking pixel can quietly outrun.

Confidentiality by promise is not sovereignty

This is the distinction the AI market spent the last two years blurring. Accredited cloud, encryption in transit and at rest, role-based access, an ISO certificate on the wall: none of that is fake, and a buyer is right to say they already have some level of security. But every one of those controls is wrapped around infrastructure the operator does not own. They protect the pipe. They do not change who can be compelled to open it.

Sovereignty is a structural property, not a stronger promise. The data does not leave the operator's premises. The model runs on hardware the operator controls. The record of what the system did is not a log the vendor asks you to trust; it is a cryptographic chain the operator can verify and, critically, delete. The test is simple and unsentimental. When a court serves the order, who is on the receiving end? If the answer is your vendor, you do not hold your data. You hold a relationship with the party that does.

What changes when the operator holds the key

Mickai is the British Sovereign Intelligence Operating System. It runs frontier-class AI entirely on the operator's own hardware, with no internet connection required, and it signs every action at the moment of commit under the operator's own post-quantum key, FIPS 204 ML-DSA-65, held in operator-controlled silicon. The record of those actions is written into the Open Audit Record, a format designed to be verified offline by anyone the operator chooses to show it to.

Identity, the governance brain in the Mickai cooperative. It provides hardware-bound identity, key custody, and per-tenant attestation, so the signing key lives in the operator's own silicon rather than with a vendor a court can serve.

Two consequences follow, and they map precisely onto the two OpenAI stories.

First, deletion is real. When data and logs live on the operator's hardware under the operator's key, erasure is an act the operator performs, not a request the operator submits. There is no vendor in the loop to be served, because the operator is the only party that ever held the material. A preservation order directed at a vendor cannot freeze records that vendor never possessed. This is sovereignty doing the work that an encryption clause cannot: not protecting data inside someone else's system, but removing the someone else.

Audit Ledger, the governance brain in the Mickai cooperative. It maintains the post-quantum signed DAG of every Mickai decision on the operator's own hardware, so there is no vendor-held log for a court to subpoena.

Second, there is no quiet outward path. On a SIOS the trust domain is the operator's own boundary, and the audit record makes movement visible rather than assumed. Mickai's design externalises the trust domain so the system cannot mark its own homework, and Sentinel governs each action against the operator's policy before it is allowed to proceed. A pixel that ships query topics to a third party is not a design choice the operator failed to notice. It is an action that would have to pass policy and be signed into the record, where the operator, not the vendor, decides whether it happens at all.

Sovereignty by proof, not confidentiality by promise

It would be glib to say a sovereign substrate makes litigation disappear. It does not. Operators still hold data, still face discovery, still answer to regulators. What changes is the location of control and the nature of the evidence. The OpenAI preservation dispute is, at bottom, an argument about whose hands the data sits in and whether a deletion meant anything. A SIOS answers that argument before it starts, by making the operator the only party who ever held the key.

That is the difference between confidentiality by promise and sovereignty by proof. A promise is a statement about intentions that a court can supersede and a third-party integration can sidestep. A proof is a property of the system: the operator holds the key, the operator holds the record, the operator performs the deletion, and the audit chain can be verified by anyone without trusting the operator's word. When the court asks the vendor for your data, the only durable answer is that there was never a vendor to ask. The question was always who held the keys. On a Sovereign Intelligence Operating System, the operator does.

Sources and references

  • The New York Times Company v. Microsoft Corporation and OpenAI, S.D.N.Y. No. 1:23-cv-11195, May 2026 preservation order. Bloomberg Law, "OpenAI Case Amplifies Legal Tension Between Discovery, Privacy," https://news.bloomberglaw.com/privacy-and-data-security/openai-case-amplifies-legal-tension-between-discovery-privacy
  • Tech Times, "OpenAI Faces Data-Sharing Lawsuit as ChatGPT Bank Account Access Launches With No Fiduciary Safeguard," 19 May 2026, https://www.techtimes.com/articles/316856/20260519/openai-faces-data-sharing-lawsuit-chatgpt-bank-account-access-launches-no-fiduciary-safeguard.htm
  • FIPS 204 (ML-DSA), NIST post-quantum digital signature standard.
  • Mickai Open Audit Record and trust domain externalisation, mickai.co.uk/patents
Originally published at https://mickai.co.uk/articles/who-held-the-keys. If you operate in a regulated sector or want sovereign AI on your own hardware, the audit form on mickai.co.uk is the entry point.