Fiduciary Commons

Your government collects a great deal of information about you.
Almost none of it is governed the way you think it is.

The Fiduciary Commons proposes three model statutes that give constitutional duties legal force. VIDA mandates citizen-controlled digital identity architecture. PDTA imposes enforceable fiduciary duties on government actors who handle personal data. GAAFA extends those duties to AI systems making decisions about citizens. Together they constitute a complete constitutional architecture for the digital state.

Legal scholars, technologists, and legislative staff:

Start with the legislation →

What is a fiduciary duty?

A fiduciary is someone entrusted to act on your behalf, legally required to put your interests ahead of their own. Your lawyer is a fiduciary. So is your doctor. So is a financial advisor who manages your retirement savings. The law treats these relationships differently from ordinary transactions because there is a fundamental power imbalance: you are vulnerable, you cannot fully monitor what they are doing, and you have no practical choice but to trust them.

Fiduciary duties are specific and enforceable. The duty of loyalty means the fiduciary cannot use your information against you or for purposes you did not authorize. The duty of care means they must handle your affairs competently. The duty of confidentiality means they cannot share what they know about you without your consent. These are not aspirations. They are legal obligations you can enforce in court. The Fiduciary Commons argues that government's relationship to citizens with respect to personal data is already a fiduciary one, and that the law should treat it as such.

Read the full constitutional argument →

What government actually does with your data

Think about what happens when you interact with government over the course of a few years. You get a driver's license. You apply for a permit. You file your taxes. You enroll a child in a public school. You use a Medicaid benefit. Each of these transactions requires you to share personal information, and you have no meaningful choice about it.

Every one of those transactions feeds a database. In a modern integrated government information system, those databases talk to each other. The result is a comprehensive profile of your identity, your finances, your family structure, your health history, your property, and your movements, assembled without any court order, governed by administrative policy rather than law, and accessible to officials and contractors you will never meet. The founders knew this architecture. They called it a general warrant. They fought a revolution in part to prohibit it. The Fourth Amendment was ratified specifically to make it unconstitutional. And yet here it is, rebuilt in digital form.

The problem is not that individual officials are malicious. The problem is structural: the architecture itself creates surveillance power that no court has authorized and no law has constrained. The Fiduciary Commons argues that the remedy must be architectural as well, built into how government digital systems are designed, not promised in how officials choose to use them.

Three statutes that give constitutional duties legal force

The fiduciary framework is not merely a theory. It is embodied in three specific draft statutes, each designed to be introduced in a state legislature. Together they constitute a complete legal architecture.

Fiduciary Commons at IIW 2026

The Fiduciary Commons was presented at the Internet Identity Workshop in April 2026 in three sessions covering the constitutional foundation, the case for complete uniform enactment, and the AI inference problem. All session materials, slides, and supporting documents are on the materials page.

IIW 2026 session slides, outlines, and supporting documents →

A former state CIO who watched the architecture get built

Michael G. Leahy is an attorney and former Secretary of Information Technology for the State of Maryland, where he served as the state's Chief Information Officer and a member of the Governor's Cabinet from 2017 to 2023. He oversaw a team of more than 300 staff, a technology budget exceeding $160 million, and the state's IT infrastructure, data privacy policy, and cybersecurity posture across all executive branch agencies. He served as President of NASCIO, the National Association of State Chief Information Officers, in 2021 and 2022.

The Fiduciary Commons framework is a direct product of that experience: the product of watching, from the inside, how government technology procurement systematically purchases surveillance architecture without recognizing it as such, and concluding that the remedy has to be constitutional and architectural, not merely administrative.

Understanding the Fiduciary Commons

What is the Fiduciary Commons?

The Fiduciary Commons is a constitutional and legislative framework proposing that government already owes citizens fiduciary duties regarding personal data, grounded in Fourth Amendment doctrine and the public trust tradition. It includes three model statutes (VIDA, PDTA, and GAAFA) designed for introduction in state legislatures, establishing enforceable duties of loyalty, care, and confidentiality for government handling of personal data, digital identity, and algorithmic decision-making.

What is a fiduciary duty and why does it apply to government?

A fiduciary is someone entrusted to act on your behalf, legally required to put your interests ahead of their own. Your lawyer, your doctor, and your financial advisor are all fiduciaries. Government's relationship with citizens regarding personal data meets every structural condition for fiduciary obligation: citizens entrust information involuntarily, government exercises discretionary authority over that information, and citizens cannot exit the relationship or bargain for protections. The Fiduciary Commons argues that the Constitution already requires government to act as a fiduciary with respect to personal data, and that the law should enforce that requirement.

How does this differ from existing privacy law?

Most privacy law relies on notice-and-consent frameworks, which fail when citizens have no meaningful choice about whether to interact with government. The Fiduciary Commons replaces consent with fiduciary duty: government actors owe enforceable obligations regardless of whether citizens "agree" to data collection. The key structural difference is the private right of action, which allows citizens to enforce these duties directly in court rather than depending on agency enforcement discretion.

Has any state enacted this framework?

Utah has enacted identity-layer legislation (SB 260 and SB 275) that converges substantially with VIDA's architecture through its State-Endorsed Digital Identity (SEDI) initiative. At least ten additional states have expressed interest in SEDI-model legislation. The Fiduciary Commons framework adds layers SEDI does not reach: enforceable fiduciary duties with a private right of action (PDTA) and algorithmic accountability (GAAFA).

Who created the Fiduciary Commons?

Michael G. Leahy is the author and principal drafter. He is an attorney and former Secretary of Information Technology for the State of Maryland, where he served as CIO and a member of the Governor's Cabinet. He served as President of NASCIO, the National Association of State Chief Information Officers, in 2021 and 2022. The framework is a direct product of that experience: watching from the inside how government technology procurement systematically purchases surveillance architecture without recognizing it as such.