Most privacy thinking, including most regulation and most personal behavior, implicitly treats data as discrete objects: this email, that location, this purchase. Under the object model, privacy is about controlling copies — who has which objects, whether you can retrieve or delete them. The model is intuitive because it matches how we think about physical possessions, and it is comforting because deletion, under it, means the thing is gone. The trouble is that almost none of the consequential properties of data behave like properties of objects.

The failure begins with the fact that the value of data is not in the individual objects but in what can be inferred by combining them. A single data point is usually trivial; the same point joined with thousands of others enables conclusions that none of them contained individually. This means controlling objects is the wrong unit of control entirely. You can meticulously manage every object and still have surrendered the thing that actually mattered — the inferences — because the inference was never in any object you could see and manage.

The reason the object model is so durable despite being wrong deserves stating plainly: it is wrong in a comforting direction. It tells you the problem is bounded, that deletion is closure, that diligence is sufficient. The inference model offers none of these comforts, which is precisely why people keep reaching for the object model even after its failures are explained to them. A frame that is false but soothing outcompetes one that is accurate but unsettling, until the gap between them does visible harm.

A concrete demonstration of why deletion disappoints: the value was never in the record but in the inference the record helped compute. Delete the record and the inference may already be calculated, already acted upon, already embedded in systems that no longer need the original. You removed the thing you could see and point at; the thing that was actually shaping decisions about you was never that object, which is why deleting the object so reliably fails to deliver the protection the object model promised.

It is worth confronting directly why regulation built on the object model keeps disappointing even when it is sincerely written and seriously enforced. Rules that grant rights over records — access, deletion, portability — govern the visible object while the consequential thing, the unbounded inference, slips past the mechanism entirely, because inference is open-ended and cannot be enumerated at the moment a right is exercised. This is not an argument that such rules are worthless; it is an argument that they are structurally aimed at the proxy, and that judging privacy by their presence is the object model reasserting itself at the level of policy.

Inference Is the Real Currency

The currency of the data economy is not data; it is inference. What is valuable, and what affects your life, is the conclusion drawn about you — your likely behavior, risk, susceptibility, category — not the raw records the conclusion was derived from. This distinction is not academic. It explains why deleting data so often fails to deliver the protection people expect: the records may be gone, but the inference they enabled has already been computed, acted upon, and frequently embedded in systems that no longer need the original records to keep using the conclusion.

Once you see inference as the unit, several confusing things become clear. It explains why data you never provided can still describe you accurately — inference about you can be reconstructed from data about people similar to you, so your privacy depends partly on choices you did not make and cannot control. It explains why anonymization disappoints — the identifying power is often in the pattern, not the name, so removing the name leaves the inference intact. And it explains why the object model's central promise, deletion, is so much weaker than it sounds.

Deletion under an inference model means something narrow and often nearly useless: you can sometimes remove the record, but you generally cannot remove the conclusion it already produced, nor the downstream decisions that conclusion already shaped, nor the model that already learned from it. The data you delete is still deciding your life because what was acting on your life was never the data — it was the inference, which deletion of the record does not reach. This is not a loophole; it is the structure.
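The two preceding paragraphs can be made concrete with a small added illustration, which is not part of the original essay. It shows a conclusion computed before deletion surviving the deletion, and a refit without the person's record reaching the same conclusion from similar people. The records, field names and the `fit`, `infer` and `delete_record` helpers are all constructed for this example.

```python
from collections import defaultdict

# Constructed sample records: (person, age_band, postcode_area, flagged)
RECORDS = [
    ("alice", "30-39", "N1", True),
    ("bob",   "30-39", "N1", True),
    ("carol", "30-39", "N1", True),
    ("dave",  "30-39", "N1", False),
    ("erin",  "50-59", "S4", False),
    ("frank", "50-59", "S4", False),
    ("grace", "50-59", "S4", True),
]

def fit(records):
    """Learn the flagged share per (age_band, area) group.
    The fitted table holds no names, only aggregate patterns."""
    counts = defaultdict(lambda: [0, 0])  # group -> [flagged, total]
    for _name, age, area, flagged in records:
        counts[(age, area)][0] += int(flagged)
        counts[(age, area)][1] += 1
    return {group: f / n for group, (f, n) in counts.items()}

def infer(model, age, area, threshold=0.5):
    """Conclusion drawn about anyone who matches the group pattern,
    including a person who never had a record in the store."""
    return model.get((age, area), 0.0) > threshold

def delete_record(records, name):
    """Object-model deletion: remove the person's row from the store."""
    return [r for r in records if r[0] != name]

def demo():
    model = fit(RECORDS)                     # inference computed first
    store = delete_record(RECORDS, "alice")  # then alice deletes her record
    refit = fit(store)                       # model rebuilt without her
    return {
        "alice_in_store": any(r[0] == "alice" for r in store),
        "stale_model_conclusion": infer(model, "30-39", "N1"),
        "refit_conclusion": infer(refit, "30-39", "N1"),
        "rate_before": model[("30-39", "N1")],
        "rate_after": refit[("30-39", "N1")],
    }

if __name__ == "__main__":
    print(demo())
```

The record is gone from the store in both cases; only the group rate moves, and not far enough to change the conclusion.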

This has a sharp practical implication for how to evaluate any privacy assurance. An assurance phrased in object terms — we let you delete your data, we anonymize, we obtained consent — is answering the comforting question, not the consequential one. The consequential question is what is inferred, by whom, to what end, and whether the assurance reaches the inference or only the record. An assurance that does not address the inference is not necessarily dishonest, but it is, structurally, answering the wrong question, and recognizing that is most of the skill.

The collective dimension becomes concrete in a single uncomfortable observation: an accurate inference about you can be reconstructed from data about people similar to you, none of whom you control and none of whom consented on your behalf. Your privacy therefore depends partly on choices that are not yours to make. This is the part the object model conveniently hides, because it offers no satisfying individual action — and it is precisely the part an honest account must refuse to hide for that same reason.

The constructive redirection, stated concretely, is to replace object-model questions with inference-model ones at every level where the question is asked. Not 'who holds my data and can I delete it' but 'what is concluded about me, by whom, to what end, and does deleting the record reach the conclusion or the decisions it already drove.' These questions rarely have clean answers, which is exactly why they are the right ones: they attach to the thing that affects your life rather than to the proxy that merely feels manageable, and discomfort is the price of asking the question that is actually about reality.

Why Consent Is the Wrong Tool

The dominant policy and product instrument for privacy is consent: you are asked to agree to data collection. Under the object model this seems sensible — you are deciding whether to hand over your objects. Under the inference model it is close to incoherent, because at the moment of consent neither party can meaningfully enumerate what will be inferred. Inference is open-ended; new conclusions can be drawn from old data indefinitely as methods and combinations improve. Consenting to collection is therefore consenting to an unbounded and unknowable set of future inferences, which is not a meaningful act of informed agreement.

This is not an argument that consent is worthless, but that it is structurally mismatched to the thing it is supposed to govern, which is why it feels like theater even when sincerely offered and sincerely sought. A consent decision made at the point of collection cannot govern inferences that do not yet exist and cannot be foreseen. Treating the problem as solved because consent was obtained is the object model quietly reasserting itself — managing the visible object while the consequential thing, the unbounded inference, slips past the mechanism entirely.

The collective dimension is the part most resistant to individual remedy and therefore the part most often left out, because it offers no satisfying personal action. It has to be stated anyway: the careful individual cannot fully secure their own privacy through diligence, because the inference engine reasons about populations and is fed by the aggregate. This is not a counsel of despair but a correction of scope — it relocates the problem from personal hygiene to collective structure, which is where a problem of this shape actually lives.

An objection: does this not counsel fatalism, since individual action is insufficient? It counsels the opposite of fatalism — it counsels correctly scoping the problem. Individual choices still matter at the margin and are worth making; they are simply not sufficient, and the error lies in believing they are sufficient, not in making the choices. Relocating the problem from personal hygiene to collective structure is not despair; it is aiming effort at the level where a problem of this shape actually lives.

The Collective Nature of the Thing

The inference model also forces an uncomfortable conclusion that the object model conveniently hides: privacy is substantially collective, not individual. Because inferences about you can be built from data about people like you, your individual choices provide far less protection than the object model implies, and other people's choices affect you whether or not you consented to anything. Privacy framed purely as individual control over one's own objects is therefore solving a problem that is only partly individual, using a unit of agency that is only partly effective.

This is genuinely hard and should not be smoothed over with reassurance. It means the most careful individual cannot fully secure their own privacy through personal diligence, because the inference engine is fed by the aggregate and reasons about populations. It does not mean individual choices are pointless — they still matter at the margin — but it does mean that an honest account has to admit the limits of individual action against a mechanism whose power comes precisely from operating across many people at once.

The honest closing posture is neither fatalism nor false reassurance. Individual choices still matter at the margin and are worth making; they are simply not sufficient, and pretending they are is the object model reasserting itself one more time. Thinking in inferences will not make privacy easy or fully solvable by anyone acting alone. It will, at least, make the question 'is my privacy protected' attach to what is really happening rather than to the proxy that merely feels manageable.

The reason the false model persists despite explanation is worth stating bluntly, because it predicts how assurances will be phrased. The object model is wrong in a comforting direction: bounded problem, deletion as closure, diligence as sufficiency. Assurances phrased in its terms — you can delete, we anonymize, we got consent — answer the comforting question, not the consequential one. Recognizing which question an assurance answers is most of the practical skill the inference model provides.

Thinking in Inferences Instead of Objects

The constructive shift is to stop asking object-model questions and start asking inference-model ones. Not 'who has my data and can I delete it' but 'what can be concluded about me, by whom, to what end, and does deleting the record actually reach the conclusion or the decisions it already drove.' These questions are less comfortable because they rarely have clean answers, but they are aimed at the thing that actually affects your life rather than at the proxy that merely feels manageable.

None of this implies fatalism, which would be its own error. It implies redirecting effort toward the level where consequence lives: scrutinizing what inferences a system draws and how it acts on them, being skeptical of deletion as a complete remedy, and recognizing the collective dimension instead of pretending individual control is sufficient. The object model endures because it is comforting and legible. Reasoning in inferences is harder and less satisfying, but it is the only model under which the question 'is my privacy protected' has an answer connected to what is really happening.

THE TAKEAWAY

Data does not behave like an object you hold and can throw away. It behaves like fuel for inference, and the inference — not the record — is what acts on your life, persists after deletion, can be reconstructed from others, and resists consent. Privacy feels unsolvable largely because we keep applying an object model to an inference reality. Thinking in inferences will not make it easy, but it is the only frame in which the problem is even the right shape.