Photo Credit: Spencer Davis on Unsplash

TL;DR? Listen to the NotebookLM Audio Overview:

This article is part 3 of our 6-part series on revolutionizing conversational data privacy. In my last article, we explored why vCons and SCITT create an unprecedented win-win for businesses and consumers. Today, I’ll show you the exact step-by-step mechanics that make this framework work in practice.

Here’s what happened after the last article: The compliance officer from our story sent me a message: “I shared your article with our entire C-suite. They want to know three things: How exactly does this work? What does implementation look like? And can you walk us through a real scenario?”

Today, I’ll answer all three questions by taking you inside the complete technical journey, showing you exactly how vCons and SCITT transform from a theoretical framework to a practical implementation that protects privacy while unlocking AI innovation.

The Architecture That Actually Works: Three Pillars of Unbreakable Trust

“The future belongs to organizations that can prove their privacy claims, not just promise them.” — Industry Report, 2025

Think of traditional data privacy as a locked filing cabinet. You promise to keep the keys safe, but consumers have to trust you. The vCons and SCITT framework is different; it’s like having a transparent, tamper-proof safe where everyone can see exactly what you’re doing with their data, but only you can access what you’re authorized to use.

Here’s how the three interconnected pillars create this trust:

Pillar 1: Standardized Containers (vCons)

Every conversation becomes a secure, self-contained package carrying its own permissions like a smart shipping container that knows exactly who can open it and why.

Pillar 2: Immutable Transparency (SCITT)

Every action on that conversation gets cryptographically recorded in an unalterable ledger. Think blockchain-level security without the complexity or energy costs.

Pillar 3: Automated Enforcement

Consent preferences travel with the data and are automatically enforced by every system. No human errors, no “oops, we forgot” moments.

The Complete Customer Journey: Sarah’s Call Transforms Everything

Let me show you precisely what happens when this framework handles a real customer interaction. We’ll follow Sarah through her insurance claim call and see how every moment creates transparency and trust.

Minutes 0:00-0:30: The Foundation

When Sarah’s call connects, something fundamentally different happens. The system isn’t just recording, it’s preparing to create an auditable container with complete context and metadata.

Traditional approach: Basic recording to the database

vCon approach: Structured data preparation with embedded permissions

Minutes 0:30-0:45: The Consent Revolution

The old way: “This call may be recorded for quality purposes.”

The new way: The system asks, “This call may be recorded for quality and training. Say ‘yes’ to agree, or tell us your specific preferences.”

Sarah responds: “Yes, but not for AI training.”

Here’s the magic: this nuanced consent gets captured as structured, enforceable data:

• Quality monitoring: ✅ Granted

• Human training: ✅ Granted

• AI training: ❌ Denied

This consent immediately gets recorded in SCITT as a vcon_consent_accepted event with cryptographic proof of precisely what was agreed to.

Minutes 0:45-15:00: Transparent Processing

As Sarah discusses her claim with agent James, the system continues building the complete audit trail:

• Supervisor escalation at 8:30 → Logged

• Hold periods → Timestamped

• Resolution details → Captured

Every significant event becomes part of the immutable record.

Minutes 15:00-15:30: The vCon Creation

When the call ends, everything gets packaged into vCon #789456, a secure digital container containing:

• The complete audio recording

• All participant information

• Sarah’s specific consent preferences

• The timestamped event log

• All processing metadata

The vCon creation gets immediately registered in SCITT: “vcon_created: vCon #789456 created at 3:15 PM containing call from 555-0123, duration 15 minutes, with specified consent parameters.”

Minutes 15:01-15:30: Automated Enforcement in Action

Now watch the power of automated consent enforcement:

✅ Transcription Service → Checks consent (quality monitoring: ✅) → Processes → Adds transcript → Logs action in SCITT

✅ Quality Analytics → Checks consent (human training: ✅) → Analyzes call → Adds insights → Records in SCITT

❌ AI Training Team → Checks consent (AI training: ❌) → ACCESS DENIED → Denial logged with cryptographic proof

Every interaction gets recorded using standardized event types from the IETF vCon Lifecycle specification:

• vcon_sent: vCon #789456 sent to TranscriptionCo at 3:16 PM

• vcon_received: TranscriptionCo confirmed receipt at 3:16 PM

• Access denied: AI Training Team - consent not granted at 3:25 PM

The breakthrough: Sarah’s preferences are automatically enforced without any human intervention. If she ever wants to know how her data was used, she can request access to the SCITT ledger and see cryptographic proof of every interaction.

Six Months Later: The “Right to Know” Revolution

Sarah exercises her “right to be forgotten.” Here’s where traditional systems fail, and this framework shines:

1. System queries SCITT: “Where did vCon #789456 go?”

2. SCITT returns a complete audit trail showing every vcon_sent and vcon_received event

3. The system sends cryptographically signed deletion orders to each party

4. Each party deletes and logs: vcon_deleted events in SCITT

5. Sarah receives mathematical proof of complete deletion

Traditional approach: Email requests and crossed fingers

This approach: Mathematical certainty with cryptographic proof

What This Means for Your Business Right Now

If you’re a CTO: This framework gives you mathematical proof of privacy compliance, no more sleepless nights about data audits.

If you’re a compliance officer: You get real-time visibility into exactly how customer data is being used across your entire organization.

If you’re a CEO: You can finally say “yes” to AI innovation while saying “yes” to consumer privacy, no more choosing between them.

Ready to dive deeper? In my next article, we’ll explore the specific types of consent you can capture with this framework. You’ll see how consent evolves from a binary checkbox into an intelligent system that enables innovation while respecting boundaries.

About Thomas McCarthy-Howe

CTO at Strolid, Inc., leading next-generation automotive business development solutions. 30+ years in communications technology, co-author of the IETF vCon draft specification, 15 patents in telecommunications and data management. Focused on building scalable, privacy-first systems that unlock business value from conversational data.

🔗 Want more insights like this? Hit the Subscribe button and join executives who rely on this newsletter for privacy innovation insights.

Subscribe now

📈 Found this valuable? Share it with your network. Privacy-conscious leaders need to see this framework.

Share

The age of trustworthy AI isn’t coming; it’s here for organizations ready to embrace transparency. The question isn’t whether this framework will become standard practice. The question is whether your organization will lead or follow.

Leave a comment

Photo Credit: Alvan Nee on Unsplash

This is part 2 of a 6-part series on revolutionizing conversational data privacy. In “Building Trust in the Age of AI,” I introduced the complete framework of vCons and SCITT. Today, I will explore why this creates an unprecedented win-win scenario.

Remember the comprehensive framework I introduced? The one that promises to let us use conversational AI responsibly while protecting privacy? You now understand how vCons package conversations with their permissions, and how SCITT creates an immutable audit trail. But I haven’t told you the most crucial part, why this makes a historic alignment between business needs and consumer rights.

Today, I want to share a conversation that crystallized exactly why this approach is so powerful, and why it’s inevitable.

The Question That Changed Everything

Last time, I walked you through how vCons package conversations with their permissions, and how SCITT creates an unbreakable audit trail. Quick reminder: vCons are standardized containers that keep conversations and their consent permissions together, while SCITT provides cryptographic proof of every action taken with that data. But I didn’t tell you about the most important conversation I’ve had about this technology.

For a technical deep dive into SCITT (Supply Chain Integrity, Transparency and Trust), see Draft-Post-2.pdf.

I was meeting with the Chief Compliance Officer of a primary communications service provider, someone who’d spent decades wrestling with privacy regulations across dozens of countries. This wasn’t a casual chat; he’d blocked out an hour to understand our approach. He grilled me about the technical details, implementation challenges, and legal implications.

Finally, he leaned back in his chair and said, “Wow. I can understand why businesses want this. But why would consumers?”

My answer was simple: “Because they can express all of their digital rights, and the business can prove they honored each request.”

His eyes lit up. For the first time in his career, he was looking at a system where consumer protection and business efficiency pointed in the same direction. Let me explain why this matters so much.

Breaking the Zero-Sum Game

For decades, privacy has been treated as a zero-sum game. Businesses wanted to use data; consumers tried to protect it. Every regulation seemed to take something away from businesses. Every new data use felt like it took something away from consumers. We’ve been locked in this adversarial dance, with trust eroding on both sides.

What that compliance officer understood in that moment, sitting across from me in his conference room, was that vCons and SCITT break this dynamic entirely. They create what economists call a positive-sum game, where both parties can win simultaneously. Here’s how.

What Businesses Get

In my last article, I explained the technical framework. But let’s talk about what this means in practical business terms. When you implement vCons and SCITT, you’re not just getting a compliance system. You’re getting —

Legal Confidence: Your legal team transforms from the “department of no” to the “department of yes, and here’s how.” They can approve data initiatives because they have cryptographic proof of compliance; no more killing innovation in the name of risk management.

Operational Efficiency: In a typical organization, compliance staff spend hours processing a single deletion request, tracking down vendors, sending emails, following up, documenting responses. With vCons and SCITT, it’s automated. Click, verify, done. Those hours can be spent on strategic initiatives instead of spreadsheet management.

Competitive Intelligence: Right now, most companies are sitting on conversational goldmines they can’t touch. Your competitors are using vCons and SCITT to train better AI models, understand customer needs more deeply, and predict market trends more accurately. They’re not more intelligent than you; they have better tools.

Audit Readiness: When regulators come calling (and they will), you can generate a complete compliance report in minutes, not weeks. Every conversation, every consent, every deletion; all documented with cryptographic proof. Audits become demonstrations of competence, not investigations of potential wrongdoing.

What Consumers Get

But here’s where it gets interesting. Consumers aren’t just tolerating this system, they’re benefiting from it in ways that current privacy approaches can’t match —

Real Control, Not Theater: Today’s privacy notices are theater. Click “accept” or don’t use the service. With vCons, consumers can give granular consent. “Yes to customer service training, no to AI development.” And these preferences are enforced automatically, not just promised in a policy document.

Verification, Not Trust: “Trust us, we deleted your data” becomes “Here’s cryptographic proof we deleted your data, and here’s proof that our three vendors deleted it too.” Consumers don’t have to trust anymore; they can verify.

Dynamic Consent: Changed your mind about how your conversations can be used? With current systems, good luck. With vCons and SCITT, you can revoke specific permissions at any time, and those revocations cascade through the entire ecosystem automatically.

Innovation Without Fear: When consumers know their rights are cryptographically protected, they’re more willing to engage with new services. They can try that new AI assistant without worrying that their conversations will be misused. Innovation accelerates when fear decreases.

Real-World Magic: Where This Gets Exciting

Let me paint you a picture of how this transforms business operations —

Financial Services: A bank can now safely use customer service calls to train AI that detects fraud patterns. Why? Because every conversation explicitly states what it can be used for. When consent expires or is revoked, the bank has mathematical proof of compliance. They get the insights while customers get iron-clad privacy protection.

Healthcare: A hospital network can share patient conversations with specialists for better diagnosis while maintaining HIPAA compliance. Each specialist sees only what they’re authorized to see, and there’s an immutable record of who accessed what and when.

Retail: That clothing company using chat logs to improve customer experience? They can now prove they’re only using conversations from customers who explicitly consented to service improvement. When someone opts out, deletion cascades through every system automatically.

The Network Effect: Why This Changes Everything

The beauty of this system is that it gets more potent as more organizations adopt it. It’s like email; the more people who have it, the more useful it becomes.

When your transcription vendor supports vCons and SCITT, you don’t need a custom integration. When your AI analytics partner joins the network, consent management happens automatically. When regulators can verify compliance cryptographically, audits become less invasive and more trustworthy.

We’re not talking about some distant future. Major vendors are already implementing vCon support. Standards bodies are finalizing the protocols. Forward-thinking companies are running pilots. The question isn’t whether this will become the standard; it’s how fast you can get on board.

The Competitive Edge Hidden in Plain Sight

Here’s what most people miss: This isn’t just about avoiding fines or satisfying regulators. It’s about unlocking the value trapped in your conversational data.

Right now, your legal team probably says “no” to most data initiatives. Too risky. Too complex. With vCons and SCITT, legal becomes your innovation partner. They can say “yes” because they can prove compliance. Your data scientists can build better models. Your customer experience team can derive more profound insights. Your AI initiatives can move from pilot to production.

Companies that adopt this approach won’t just avoid privacy penalties; they’ll leap ahead of competitors still managing consent with spreadsheets and emails.

The Privacy Paradox, Solved

Remember the paradox from my last article? Companies caught between the value of conversational data and the complexity of compliance? vCons and SCITT dissolve this tension. They make privacy protection and data utilization two sides of the same coin.

This isn’t just a technical evolution; it’s a fundamental shift in how we think about privacy. Instead of privacy as a barrier, it becomes an enabler. Instead of compliance as a cost center, it becomes a competitive advantage.

The tools exist. The standards are ready. The only question is: Will you lead this transformation in your organization, or will you watch competitors pull ahead while you’re still drowning in spreadsheets?

What’s Next

In my next article, “Building Trust in the Age of AI,” I’ll take you on a complete journey through this framework. We’ll explore exactly how vCons and SCITT create an unbreakable chain of trust, walk through real implementation scenarios, and I’ll share practical steps you can take to get started. You’ll see how this isn’t just about solving today’s privacy challenges; it’s about building the foundation for responsible conversational AI that consumers can trust.

But don’t wait until next week to start thinking about this. The conversations happening in your business right now are more than just data; they’re opportunities to build trust at scale. And in the age of AI, trust isn’t just nice to have. It’s everything.

Want to get started now? Check out the IETF vCon working group and the SCITT protocol specifications. Or better yet, reach out to discuss how this could transform your organization’s approach to conversational data. The next deep dive will give you everything you need to build your implementation roadmap.

Share

About the Author

Thomas McCarthy-Howe is the Chief Technology Officer at Strolid, Inc., where he leads the development of next-generation automotive business development solutions. With over 30 years of experience in communications technology, Thomas is a co-author of the IETF vCon draft specification and holds 15 patents in telecommunications and data management. His work focuses on building scalable, privacy-first systems that unlock business value from conversational data.

Ed: What questions do you have about implementing responsible AI in your organization? Share your thoughts in the comments. We’d love to discuss the challenges you’re facing.

Leave a comment

Photo Credit: Fabian Gieske on Unsplash

Let me share something that’s been keeping me up at night. We’re sitting on an incredible opportunity with conversational AI, but we’re also walking a tightrope. Every conversation your business has contains insights that could transform how you operate. Yet each of those conversations also carries the weight of someone’s trust. How do we balance these two realities?

Think about the last time you called customer service. You probably heard that familiar message about your call being recorded for quality and training purposes. What if I told you that the recording might later be used to train an AI system? Would you feel comfortable with that? More importantly, how would the company even keep track of what you consented to, especially if you change your mind later?

This is the puzzle I’ve been working to solve, and I want to walk you through a framework that could change everything about how businesses handle conversational data.

Understanding the Real Challenge

Before we dive into solutions, let’s make sure we’re on the same page about the problem. Imagine you’re running a business that handles thousands of customer interactions daily. These conversations happen across phone calls, video meetings, chat systems, and support tickets. Each one is a goldmine of information about what your customers need, what frustrates them, and how you could serve them better.

But here’s where it gets complex. These conversations don’t just contain business insights. They include personal stories, private information, and human moments that deserve protection. In Europe, GDPR treats voice recordings as biometric data requiring special protection. In California, CCPA gives consumers the right to know what you’re doing with their data and to request its deletion. And these regulations are just the beginning.

The traditional approach has been to err on the side of caution, which often means not using this data at all. But that’s like having a library full of books you’re not allowed to read. There has to be a better way, and that’s precisely what vCons and SCITT provide.

Introducing vCons: A Container Built for Conversations

Let me introduce you to the first piece of the puzzle. A vCon, which stands for Virtualized Conversation, is a specialized container explicitly designed for conversational data. To understand why this matters, let’s think about how conversations are typically stored today.

In most organizations, a single customer interaction might be scattered across multiple systems. The audio recording sits in one database, the transcript in another, the metadata about who participated lives in a CRM system, and any notes or analysis might be in yet another application. It’s like having the pages of a book scattered across different rooms of a house.

A vCon brings all these pieces together into a single, standardized package. But it does something even more critical. It includes a special section for consent and privacy preferences. This means that wherever the conversation goes, the permissions travel with it. Think of it like a passport that travels with a person, clearly stating where they’re allowed to go and what they’re allowed to do.

The beauty of this approach becomes clear when you consider what happens when you need to share conversational data. You may want to send a customer service call to a transcription service or share it with an AI vendor for analysis. With a vCon, you’re not just sharing raw data. You’re sharing a complete package that includes clear instructions about what can and cannot be done with that data.

SCITT: Creating an Unbreakable Chain of Trust

Now, packaging conversations properly is only half the solution. The second piece is SCITT, which stands for Supply Chain Integrity, Transparency, and Trust. I know that’s a mouthful, but stay with me because this is where things get interesting.

Think about how we handle essential documents in the physical world. When you buy a house, every significant document gets notarized. That notary stamp creates a permanent record that the document existed at a particular time and was acknowledged by specific parties. SCITT does the same thing for digital conversations, but with a crucial difference: the record it creates cannot be altered or deleted.

Here’s how it works in practice. Every time something significant happens to a vCon, that event gets recorded in SCITT. When a customer gives consent, that’s recorded. When the conversation is shared with a third party, that’s recorded. If analysis is performed, that’s recorded too. And if the customer later revokes consent or requests deletion, those actions are also permanently documented.

What makes this powerful is that it creates accountability across entire ecosystems. Let’s say you share a conversation with three different service providers for transcription, sentiment analysis, and AI training. Each of these providers must record their receipt of the data in SCITT. If a customer later requests deletion, you can use these records to ensure everyone who received the data correctly deletes it.

Bringing It All Together: A New Model for Trust

Now let me show you how vCons and SCITT work together to create something transformative. Imagine a customer service call that unfolds like this:

When the call begins, the system creates a vCon that will contain the recording. The customer hears the standard message about call recording and agrees to proceed. But here’s where things diverge from the traditional approach. The system can now present specific consent options. Would the customer allow the recording to be used for quality assurance? What about AI training to improve service? Each permission is recorded in the vCon and logged in SCITT with a timestamp and cryptographic proof.

As the call progresses and eventually ends, the complete conversation is packaged in the vCon along with all the consent information. When the business wants to use this conversation, they don’t have to wonder what was allowed. The permissions are right there in the package, and the SCITT record proves when and how consent was obtained.

But here’s where it gets even more interesting. Let’s say six months later, the customer decides they’re not comfortable with their conversation being used for AI training anymore. In the traditional model, this would be a nightmare. How do you find every copy of the recording? How do you prove you’ve deleted it from all AI training datasets?

With vCons and SCITT, this becomes manageable. The revocation of consent is recorded in SCITT, creating a permanent record of the customer’s wishes. The SCITT ledger shows everyone who received the conversation, so you know exactly who needs to be notified. And when deletion is complete, that too is recorded, providing proof of compliance.

Why This Matters More Than Ever

You might be wondering why we need such an elaborate system. Let’s be careful with data and trust that everyone will do the right thing. The answer lies in understanding three converging trends that make this framework essential.

First, conversational AI is becoming incredibly powerful. The insights we can extract from conversations today would have seemed like science fiction just a few years ago. AI can detect customer sentiment, identify emerging issues, predict churn, and even suggest personalized solutions. But with great power comes great responsibility, and we need frameworks that ensure this power is used ethically.

Second, privacy regulations are becoming stricter and more widespread. What started with GDPR in Europe has inspired similar laws worldwide. California’s CCPA, Brazil’s LGPD, and many others share common themes around consent, transparency, and user control. Businesses need systems that can adapt to this evolving regulatory landscape.

Third, and perhaps most importantly, consumer expectations are changing. People are becoming more aware of how their data is used and more selective about who they trust. Companies that can demonstrate responsible data handling won’t just avoid penalties - they’ll earn customer loyalty and competitive advantage.

Taking the First Steps

If you’re convinced that this approach makes sense for your business, you might be wondering how to get started. The good news is that you don’t need to transform everything overnight.

Start by understanding your current conversation landscape. What types of conversations does your business have? Which ones contain the most valuable insights? Which ones carry the highest privacy risks?

Next, examine your current consent processes. How do you obtain consent today? How is it recorded? What happens when someone wants to revoke consent? Understanding your current state will help you identify where vCons and SCITT can provide the most immediate value.

Consider starting with a pilot program focused on a specific type of conversation. Customer service calls are often a good starting point because they typically already have consent processes and clear business value. As you gain experience with the framework, you can expand to other conversation types.

Remember that this isn’t just a technology implementation. It’s a new way of thinking about conversational data. Involve your legal, privacy, and compliance teams early in the process. Help them understand how vCons and SCITT can make their jobs easier by providing clear documentation and audit trails.

A Personal Reflection on Why This Matters

I’ve spent years working at the intersection of technology and privacy, and I’ve seen how the tension between innovation and protection can paralyze organizations. We’ve created a false choice between using data to improve our businesses and respecting people’s privacy. This framework proves we can do both.

What excites me most about vCons and SCITT is that they’re not just solving today’s problems. They’re creating infrastructure for a future where conversational AI is ubiquitous but still trustworthy. They’re laying the groundwork for businesses to innovate responsibly and for consumers to share their thoughts and experiences without fear.

The conversations happening in your business right now are more than just data. They’re moments of human connection, opportunities to solve problems, and chances to build relationships. By treating them with the respect they deserve while still extracting their valuable insights, we can build businesses that are both more intelligent and more trustworthy.

The path forward isn’t always easy, but it’s clear. We need to move beyond hoping we’re handling conversational data responsibly to proving it. We need to shift from avoiding the use of conversational insights to embracing them within a framework of transparency and consent. And we need to recognize that in the age of AI, trust isn’t just nice to have. It’s a business imperative.

Are you ready to take the first step? The future of responsible conversational AI is being built right now, and your business can be part of shaping it. The only question is whether you’ll lead the change or follow it.

Share

About the Author

Thomas McCarthy-Howe is the Chief Technology Officer at Strolid Inc., where he leads the development of next-generation automotive business development solutions. With over 30 years of experience in communications technology, Thomas is a co-author of the IETF vCon draft specification and holds 15 patents in telecommunications and data management. His work focuses on building scalable, privacy-first systems that unlock business value from conversational data.

Ed: What questions do you have about implementing responsible AI in your organization? Share your thoughts in the comments; we’d love to discuss the challenges you’re facing.

Leave a comment