How does sensitive data participate in Tier 3 architecture without exposure?
A question that recurs across §2.4 (where it is the second of two common objections to Tier 3) and §7.6 (where it is the precondition for the open-data multiplier argument). Sensitive data — clinical records under HIPAA, embargoed pre-publication results, indigenous data sovereignty obligations, classified observations — has access constraints that look incompatible with distributed storage.
The answer is C-0015, reinforced by C-0032. Permissioned variants of every major protocol exist and are in production use: private BitTorrent trackers, federated Matrix homeservers, and permissioned IPFS clusters all restrict which nodes can hold copies while preserving the protocol's redundancy and integrity properties. Three orthogonal techniques compose:
- Client-side encryption keeps data unreadable on every replica (institutional keys never leave the institution).
- Permissioned networks bound which partners hold copies and constrain jurisdictional exposure.
- Content addressing separates integrity from access — any node can verify integrity by recomputing the hash of the stored (encrypted) bytes without being able to read the underlying data, provided the content address is derived from the ciphertext rather than the plaintext.
The same techniques are already deployed for HIPAA-covered records, FERPA-covered student data, export-controlled research, and embargoed datasets in Tier 2 contexts (eMERGE Network, All of Us). Access control and structural redundancy are independent properties: distribution is an architecture for redundancy, not a policy on access.
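As an added illustration (not code from this report or from any of the projects it cites), the following Go program composes the three techniques above: a record is encrypted client-side with AES-256-GCM under a key that stays with the institution, the content address is the SHA-256 of the ciphertext, and copies are handed only to replicas on a permissioned allow-list. Replica names, the record text and the key are constructed for the example; the network model is a hypothetical in-memory stand-in for a real protocol.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// Replica is one storage node; it holds ciphertext keyed by content address.
type Replica struct {
	ID    string
	Store map[string][]byte
}

// NewReplica constructs a node with an empty store (hypothetical node model).
func NewReplica(id string) *Replica {
	return &Replica{ID: id, Store: map[string][]byte{}}
}

// Network is a permissioned set of replicas: only allow-listed IDs receive copies.
type Network struct {
	Allowed  map[string]bool
	Replicas []*Replica
}

// ContentAddress is the hex SHA-256 of the stored bytes (the ciphertext, never the plaintext).
func ContentAddress(blob []byte) string {
	sum := sha256.Sum256(blob)
	return hex.EncodeToString(sum[:])
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt performs client-side AES-256-GCM encryption; output is nonce || ciphertext || tag.
func Encrypt(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt reverses Encrypt; it fails on a wrong key or any modification of the blob.
func Decrypt(key, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob shorter than nonce")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// Publish hands the ciphertext only to allow-listed replicas and returns the content
// address plus the number of copies actually placed.
func (n *Network) Publish(blob []byte) (string, int) {
	cid := ContentAddress(blob)
	held := 0
	for _, r := range n.Replicas {
		if !n.Allowed[r.ID] {
			continue // jurisdiction or partner not permitted to hold this dataset
		}
		r.Store[cid] = append([]byte(nil), blob...)
		held++
	}
	return cid, held
}

// VerifyIntegrity recomputes the content address of the local copy. No key is needed,
// so any replica can audit what it holds without being able to read it.
func (r *Replica) VerifyIntegrity(cid string) bool {
	blob, ok := r.Store[cid]
	return ok && ContentAddress(blob) == cid
}

func main() {
	key := make([]byte, 32) // constructed demo key; a real key stays inside the institution
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	blob, err := Encrypt(key, []byte("record-0001: constructed clinical note"))
	if err != nil {
		panic(err)
	}
	net := &Network{
		Allowed:  map[string]bool{"partner-a": true, "partner-b": true},
		Replicas: []*Replica{NewReplica("partner-a"), NewReplica("partner-b"), NewReplica("outside-c")},
	}
	cid, held := net.Publish(blob)
	fmt.Printf("cid=%s copies=%d verify(partner-a)=%v\n", cid[:16], held, net.Replicas[0].VerifyIntegrity(cid))
}
```

The point the test below checks is the independence claimed in the text: the non-permitted replica receives nothing, the permitted ones can verify their copies with no key, a tampered copy fails verification and also fails to decrypt, and the ciphertext carries none of the plaintext.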