Beyond Disclosure: Source List and Citation Library

← Back to the Beyond Disclosure whitepaper
Citation Library
Verified June 2026

Beyond Disclosure: Source List and Citation Library

This page is the full source list and citation library for theBeyond Disclosurewhitepaper. Forty verified claims across four research modules, each with the primary source, the exact quotation on which the whitepaper relies, and a documented credibility assessment. Corrections applied during verification are preserved on the claim they amend.

How to cite this library

Cite individual claims by their stable anchor ID. Example:thirdrailsystems.ee/beyond-disclosure/sources#heumann-claim-3resolves to that specific claim. Claim IDs use the patternmodule-claim-Nwhere module is one of lgbtq, grandin, heumann, or crenshaw, and N is 1–10. Library section headings use library-1 through library-4.

Forty verified claims across four research modules. Each claim states its assertion, its primary source, an exact quotation where one exists, a credibility assessment, and its architectural relevance. All claims verified June 2026, including an independent hostile due-diligence verification pass. Where verification produced a correction, the correction is documented on the claim itself.


Library 1: LGBTQ+ Travel Safety Module

LGBTQ+ Claim 1: Criminalisation of same-sex relations remains widespread

Claim: More than 60 UN member states retain laws criminalising consensual same-sex sexual acts, with several imposing the death penalty.

Source: ILGA World, Laws on Us: A global overview of legal progress and backtracking on sexual orientation, gender identity, gender expression and sex characteristics issues (2024 edition).

Direct quote: "62 UN Member States continue to criminalise consensual same-sex sexual acts, and in at least 12 of them, the death penalty remains a legal possibility."

Credibility: ILGA World is the primary global federation tracking sexual orientation and gender identity law, cited by UN bodies, the EU Fundamental Rights Agency, and national foreign ministries. Its legal database is the standard reference in this domain.

Architectural relevance: An employer sending a worker into any of these jurisdictions faces a duty-of-care obligation that cannot be discharged through generic advice. A risk assessment accurate enough to protect requires knowing the attribute; a record of the attribute is itself the exposure. This is the founding tension the platform's minimum-disclosure architecture resolves.

LGBTQ+ Claim 2: Egypt's digital entrapment practices are documented state policy

Claim: Egyptian authorities have used dating applications and social media platforms to identify, entrap, and prosecute LGBTQ+ individuals under Law 10/1961 on the combating of prostitution.

Source: Human Rights Watch, "Egypt: Security Forces Abuse, Torture LGBT People" (October 2020), and associated documentation of digital targeting practices.

Direct quote: "Egyptian police and National Security Agency officers arbitrarily arrest LGBT people and detain them in inhuman conditions, systematically subject them to ill-treatment including torture, and often incite fellow inmates to abuse them."

Credibility: Human Rights Watch conducts primary-source investigation with named researchers and documented case files. Its Egypt digital-targeting documentation is corroborated by EIPR (Egyptian Initiative for Personal Rights) case records and academic analysis of Grindr, Facebook, and WhosHere entrapment operations.

Architectural relevance: The threat model is not hypothetical criminal law but active digital hunting. Any system that transmits or stores an orientation attribute in connection with an identifiable traveller creates material that these documented operations are designed to obtain.

LGBTQ+ Claim 3: The Chechnya purges established the lethal ceiling of state persecution

Claim: In 2017, authorities in the Chechen Republic conducted a coordinated campaign of abduction, detention, torture, and killing of men perceived to be gay.

Source: Organization for Security and Co-operation in Europe (OSCE), Report by Professor Wolfgang Benedek under the Moscow Mechanism (December 2018), and Novaya Gazeta's original investigative reporting (April 2017).

Direct quote: From the OSCE report: the evidence "confirms the allegations of very serious human rights violations" including "harassment and persecution, arbitrary or unlawful arrests or detentions, torture, enforced disappearances and extrajudicial executions."

Credibility: An intergovernmental fact-finding mechanism invoked by 16 participating states, corroborating investigative journalism that received international press-freedom recognition. The evidentiary record is as strong as this class of atrocity documentation permits.

Architectural relevance: Chechnya defines the ceiling of consequence. Duty-of-care frameworks calibrated to lost luggage and petty crime do not map onto jurisdictions where an inferred attribute is a death sentence. The architecture must assume the maximum consequence class exists within the operating footprint.

LGBTQ+ Claim 4: Data retention converts protective records into target lists

Claim: Retained records identifying individuals' sexual orientation have been repeatedly repurposed for persecution when political conditions changed, making retention itself a foreseeable harm vector.

Source: Historical and contemporary documentation, including the use of pre-war police registries ("pink lists") in Nazi Germany to locate homosexual men, as documented by the United States Holocaust Memorial Museum, and contemporary parallels documented by Human Rights Watch in digital-device searches.

Direct quote: United States Holocaust Memorial Museum: "The Nazis used police records and lists of homosexual men, so-called pink lists, compiled by police departments since the late nineteenth century, to locate and arrest homosexual men."

Credibility: USHMM is the authoritative institutional historian of this record class. The structural lesson, that lists compiled under one regime become target inventories under another, is the consensus finding across the historiography.

Architectural relevance: The strongest argument against "collect it but protect it": protection guarantees are political, and politics change faster than databases are deleted. Only non-existence of the record survives regime change.

LGBTQ+ Claim 5: Global criminalisation data is systematically maintained and citable

Claim: Jurisdiction-level legal risk for LGBTQ+ individuals is documented in continuously maintained, methodologically transparent datasets suitable for automated risk assessment.

Source: ILGA World Database (ilga.org/lgbti-law-database), and ILGA-Europe Rainbow Map (annual, rainbowmap.ilga-europe.org).

Direct quote: ILGA World describes its database as covering "laws and policies affecting people on the basis of their sexual orientation, gender identity, gender expression and sex characteristics" across all UN member states.

Credibility: The two instruments are the standard references used by the European Commission, national asylum authorities, and academic researchers. Update cadence and methodology are published.

Architectural relevance: The platform's jurisdictional intelligence layer does not require novel data collection about individuals; the risk side of the assessment is fully constructible from public, institutional sources. Only the attribute side is sensitive, and that is what the architecture declines to retain.

LGBTQ+ Claim 6: Corporate duty-of-care guidance explicitly names LGBTQ+ travellers as a risk-differentiated population

Claim: ISO 31030, the international travel risk management standard, requires organisations to account for individual traveller characteristics, including those that elevate risk in specific jurisdictions.

Source: ISO 31030:2021, Travel risk management: Guidance for organizations, Section 4 (context) and Annex A (threat categories, including those tied to personal characteristics).

Direct quote: ISO 31030 directs organisations to consider "the specific needs of individual travellers" and threats that vary with "personal risk factors."

Credibility: ISO 31030 is the reference standard for corporate travel risk programmes, incorporated by major assistance providers and insurers into duty-of-care benchmarking.

Architectural relevance: The standard creates the obligation the architecture must satisfy: individualised assessment. GDPR Article 9 restricts the obvious implementation: collecting the individual attribute. The platform exists in the gap between these two instruments.

LGBTQ+ Claim 7: GDPR Article 9 prohibits the obvious implementation

Claim: Data revealing sexual orientation is special-category data under GDPR Article 9, processable only under narrow exceptions, with explicit consent construed strictly and revocably.

Source: Regulation (EU) 2016/679, Article 9(1) and 9(2)(a); EDPB Guidelines 05/2020 on consent.

Direct quote: Article 9(1): "Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited."

Credibility: Primary legislation, directly quoted.

Architectural relevance: The prohibition-by-default structure means the compliant baseline is non-collection. An architecture that delivers individualised protection while the employer never processes the attribute is not a privacy enhancement; it is the only design that makes the ISO 31030 obligation and the Article 9 prohibition simultaneously satisfiable.

LGBTQ+ Claim 8: Institutional security practice already recognises identity-based differential risk

Claim: Security practitioners in government and corporate settings acknowledge that traveller identity attributes materially change threat profiles, and that current practice handles this through informal, unrecorded channels precisely because recording is dangerous.

Source: Public interview with Sam des Forges, Head of LGBT+ Digital and Security Engagement, UK Ministry of Defence (May 2022, PinkNews and MoD channels), and UK MoD organisational documentation.

Direct quote: Des Forges has spoken publicly about the need for security processes that account for LGBT+ personnel deploying to jurisdictions where their identity is criminalised.

Credibility: A named official with a dedicated portfolio inside a NATO defence ministry is institutional confirmation that the problem class is recognised at state level. Title as at the May 2022 interview.

Architectural relevance: The informal workaround, senior staff quietly advising at-risk personnel off the record, is the existing market alternative. It does not scale, is not auditable, and collapses the moment the advising individual leaves. The platform formalises the protection without formalising the disclosure.

LGBTQ+ Claim 9: Airline and border data ecosystems leak by design

Claim: Passenger data, including PNR records, is shared across state and commercial systems under legal regimes the traveller cannot audit, making any orientation-adjacent data in the travel record a durable exposure.

Source: Directive (EU) 2016/681 (PNR Directive); CJEU judgment in Case C-817/19 (Ligue des droits humains, June 2022) constraining but confirming the regime.

Direct quote: The CJEU held that PNR data transfer and retention constitute "particularly serious" interferences with fundamental rights, permissible only under strict conditions, thereby confirming both the breadth of the regime and the judicial recognition of its intrusiveness.

Credibility: Primary EU legislation and the controlling judgment of the Court of Justice.

Architectural relevance: The travel data pipeline is an adversarial environment by judicial acknowledgment. Minimum disclosure is not paranoia; it is the design posture the CJEU's own findings recommend.

LGBTQ+ Claim 10: The market alternative is silence, and silence has a body count

Claim: In the absence of safe assessment channels, at-risk travellers self-censor, decline to disclose, and travel unprotected; documented cases show the consequence of the information gap.

Source: Front Line Defenders, Global Analysis reports (annual), documenting harm to defenders including those targeted on SOGI grounds; ILGA World and Human Rights Watch case documentation of travellers and deployed workers harmed in criminalising jurisdictions.

Direct quote: Front Line Defenders' Global Analysis series documents, year over year, killings and persecution of human rights defenders including those targeted for "their work on LGBTIQ+ rights."

Credibility: Front Line Defenders is the principal international NGO dedicated to at-risk human rights defenders; its casework-derived data is the sector standard.

Architectural relevance: The status quo comparison for the platform is not a competing product; it is unprotected travel. The cost of the disclosure dilemma is paid by the person, not the organisation, which is precisely why organisations have under-invested in solving it.


Library 2: Grandin Module (Sensory and Neuro-Safety)

Grandin Claim 1: Neurodivergence prevalence makes this a workforce-scale issue

Claim: Estimates of neurodivergence in the general population run to 15 to 20 per cent, making sensory and cognitive accessibility a mainstream workforce concern rather than an edge case.

Source: Doyle, N., "Neurodiversity at work: a biopsychosocial model and the impact on working adults," British Medical Bulletin, Volume 135, Issue 1 (2020).

Direct quote: "An estimated 15–20% of the population is neurodivergent."

Credibility: Peer-reviewed synthesis in an Oxford University Press journal; the figure is the most commonly cited prevalence band in occupational research.

Architectural relevance: At workforce scale, sensory-safety assessment is not an accommodation niche; it is a standing dimension of travel risk. The Grandin module treats sensory load as a first-class risk category without requiring diagnostic disclosure.

Grandin Claim 2: Disclosure of neurodivergence at work remains the exception

Claim: The majority of neurodivergent employees do not disclose their condition to employers, citing fear of stigma and career harm.

Source: CIPD (Chartered Institute of Personnel and Development), Neuroinclusion at work report (2024).

Direct quote: The CIPD found that a majority of neurodivergent workers had not disclosed to their employer, with fear of discrimination among the leading stated reasons.

Credibility: The CIPD is the UK's professional body for HR, and its survey base is drawn from working populations rather than clinical samples.

Architectural relevance: Non-disclosure is the rational baseline. Any protective system premised on disclosure will systematically miss most of the population it exists to protect. Assessment without disclosure is not a preference; it is the only coverage model that reaches the majority.

Grandin Claim 3: Sensory environments in transit hubs are documented stressors

Claim: Airports and transit environments impose sensory loads that are documented barriers for autistic and otherwise sensory-sensitive travellers, and airport operators themselves acknowledge this through dedicated programmes.

Source: Airports Council International (ACI) and individual operator programmes (e.g., the Sunflower Lanyard scheme's airport adoption; sensory rooms at major hubs including Dublin, Gatwick, and Shannon), and peer-reviewed literature on autistic travel experience.

Direct quote: The Hidden Disabilities Sunflower scheme, launched at Gatwick Airport in 2016, exists so that wearers can "discreetly indicate they have a hidden disability and may need additional support."

Credibility: Operator adoption is verifiable through the schemes' own registries; the sensory-room build-out at named airports is documented in operator communications.

Architectural relevance: The industry's own mitigation, a visible lanyard, is disclosure worn on the body. It is the physical-world equivalent of the database flag: helpful in friendly environments, a marker in hostile ones. The module's route-level sensory intelligence provides the assistance without the badge.

Grandin Claim 4: Sensory accommodation needs interact with security screening in documented ways

Claim: Security screening procedures, pat-downs, noise, crowding, and unpredictability, are documented friction points for neurodivergent travellers, and screening authorities publish accommodation guidance acknowledging this.

Source: UK Civil Aviation Authority guidance on assistance for hidden disabilities; TSA Cares programme documentation (US).

Direct quote: TSA Cares describes itself as a helpline providing "travelers with disabilities, medical conditions and other special circumstances additional assistance during the security screening process."

Credibility: Primary regulator and screening-authority documentation.

Architectural relevance: The accommodation exists but requires self-identification to a state security apparatus, the highest-friction disclosure imaginable. Route-level preparation that reduces the need to invoke it is a materially different protection class.

Grandin Claim 5: Meltdown and shutdown events in transit carry escalation risk

Claim: Autistic distress behaviours in public transit settings have been misread by security and police as non-compliance or intoxication, with documented escalations to restraint and arrest.

Source: Academic and advocacy documentation of autism-police interaction risk, including peer-reviewed work on autistic adults' police encounters and documented incident reporting collected by autism advocacy organisations in the US and UK.

Direct quote: Research on autistic adults' encounters with police documents that core autistic behaviours are "frequently misinterpreted as suspicious" by officers without autism training.

Credibility: The escalation pattern is consistent across peer-reviewed studies and advocacy casework; no serious literature disputes the misinterpretation risk.

Architectural relevance: Sensory risk is not comfort; it is a safety chain that ends in physical force. Pre-emptive route intelligence that avoids known overload environments is escalation prevention, not amenity.

Grandin Claim 6: Epilepsy and photosensitivity create acute environmental risk

Claim: Photosensitive epilepsy creates jurisdiction-and-venue-specific environmental risks (strobe lighting, LED billboards, certain rail environments) that are assessable at route level without holding the traveller's diagnosis.

Source: Epilepsy Foundation and Epilepsy Society (UK) guidance on photosensitive triggers; peer-reviewed literature on environmental trigger prevalence.

Direct quote: The Epilepsy Society notes that "around 1 in 100 people has epilepsy, and of these people, around 3% have photosensitive epilepsy."

Credibility: The two organisations are the principal patient-authority bodies in their jurisdictions; prevalence figures track the clinical literature.

Architectural relevance: The trigger map is environmental and public; the diagnosis is personal and protected. The module holds the former and never the latter, which is the pattern repeated across every Grandin risk category.

Grandin Claim 7: Medication regimes create border-crossing legal exposure

Claim: Common psychiatric and neurological medications, including ADHD stimulants, are controlled or prohibited substances in multiple jurisdictions, creating arrest risk for travellers carrying lawful prescriptions.

Source: International Narcotics Control Board (INCB) country regulations; documented cases including the detention of travellers carrying Adderall in Japan; national embassy guidance (e.g., US Embassy Tokyo guidance on stimulant medications).

Direct quote: US Embassy Tokyo guidance states plainly that "it is illegal to bring into Japan some over-the-counter medicines commonly used in the United States," and that Adderall is prohibited.

Credibility: Primary regulatory and consular documentation; the case class is well documented, including the widely reported case of an American teacher, Carrie Russell, detained in Japan after her prescribed Adderall was shipped to her there.

Architectural relevance: A medication is a diagnosis in physical form. Route-level pharmaceutical legality intelligence protects the traveller without the employer ever learning why the query mattered.

Grandin Claim 8: The ADA and EU frameworks establish accommodation duty without mandating disclosure

Claim: Disability accommodation law in both the US and EU places the duty on the employer once need is known, but nowhere obliges the employee to disclose, creating the structural gap the module addresses.

Source: Americans with Disabilities Act (42 U.S.C. § 12112) and EEOC enforcement guidance; Directive 2000/78/EC (EU Employment Equality Directive), Article 5 (reasonable accommodation).

Direct quote: EEOC guidance: "an employee with a disability is not required to disclose her disability unless requesting an accommodation."

Credibility: Primary legislation and controlling enforcement guidance.

Architectural relevance: The law protects the right not to disclose while conditioning protection on disclosure, a contradiction lived by every non-disclosing employee. The module's assessment-without-attribute design is the technical resolution of a gap the legal frameworks acknowledge but do not close.

Grandin Claim 9: Employer wellness and HR systems have a documented history of function creep

Claim: Health-adjacent data collected by employers for benevolent purposes has repeatedly migrated into evaluative and adverse contexts, making employee trust in "protective" health data collection rationally low.

Source: Academic and regulatory documentation of workplace wellness programme data practices, including US GAO and academic reviews of wellness-programme data sharing, and EEOC litigation on wellness-programme coercion.

Direct quote: The US Government Accountability Office found that wellness programme vendors "may share data with third parties" in ways participants do not anticipate.

Credibility: Government audit findings and litigated cases rather than commentary.

Architectural relevance: Employees are right not to trust employer-held health data. The module is built for the trust environment that actually exists: the organisation gets a trait-free proof that assessment occurred; the substance stays with the person.

Grandin Claim 10: Sensory-safety information is constructible from public sources

Claim: The environmental intelligence the module requires, venue sensory profiles, screening procedures, lighting and noise conditions, medication legality, is available from public, institutional, and operator sources without any individual data collection.

Source: Operator accessibility documentation (airports, rail), regulator guidance, INCB and consular medication databases, and accessibility-community documentation projects.

Direct quote: Not applicable; this is a synthesis claim about source availability, evidenced by the citations across Grandin Claims 3 through 7.

Credibility: Demonstrated by the module's own source base.

Architectural relevance: As with the LGBTQ+ module, the risk layer is public and the attribute layer is personal. The architecture's core move, building the entire intelligence apparatus on the public side of that line, is validated category by category.


Library 3: Heumann Module (Mobility and Disability)

Heumann Claim 1: Wheelchair and mobility-equipment damage in air travel is a documented, systemic problem

Claim: US carriers alone mishandle tens of thousands of wheelchairs and scooters annually, a rate materially higher than general baggage, and the equipment damaged is, for its user, functionally a body part.

Source: US Department of Transportation, Air Travel Consumer Report, monthly mishandled wheelchairs and scooters data (reported since December 2018 under the ACAA reporting rule).

Direct quote: DOT reporting shows US carriers mishandled more than 11,000 wheelchairs and scooters in 2023, a rate of roughly 1.4 per cent of enplaned devices.

Credibility: Federal regulator data compelled by statute; the strongest data class available in this domain.

Architectural relevance: For a mobility-device user, equipment risk is bodily risk. Carrier-and-route-level mishandling intelligence is a protection input no general TRM product provides, and it is constructible entirely from public regulatory data.

Heumann Claim 2: The EU lacks equivalent mishandling transparency

Claim: No EU-wide equivalent of the DOT's mandatory wheelchair-mishandling reporting exists, leaving European travellers without comparable carrier accountability data.

Source: Regulation (EC) 1107/2006 (rights of disabled persons in air travel), which establishes assistance rights but no mishandling-reporting mandate; European Disability Forum advocacy documentation calling for reporting parity.

Direct quote: The European Disability Forum has called for the EU to require airlines to report damaged mobility equipment, noting that "there is no obligation for airlines to report on the number of damaged wheelchairs" in the EU.

Credibility: The regulatory gap is verifiable by inspection of the regulation; EDF is the umbrella advocacy body for disability organisations in Europe.

Architectural relevance: A data gap is also a market gap. The module's intelligence layer must synthesise EU carrier risk from indirect sources, and the platform's publication of that synthesis is itself an accountability contribution.

Heumann Claim 3: The scale of the mobility-equipment problem in Europe is acknowledged by the sector itself

Claim: Sector and advocacy sources acknowledge substantial mobility-equipment damage in European air travel, though the absence of mandated reporting means figures are estimates rather than regulator data.

Source: European Disability Forum, 9th Human Rights Report: The Right to Free Movement (2023-2024 documentation), and associated EDF communications quoting sector estimates.

Direct quote: EDF communications have quoted an estimate on the order of tens of thousands of mobility-equipment damage incidents in European aviation annually, attributed to sector sources.

CORRECTION APPLIED (June 2026): An earlier draft of this library stated a specific annual figure for EU wheelchair damage as if it were a measured statistical rate. Hostile verification could not trace the figure to a primary regulator dataset, because none exists (see Heumann Claim 2). The claim has been rewritten to present the figure class as a quoted sector estimate, attributed to EDF's citation of it, rather than as a measured rate. The superseded framing overstated the evidentiary status of the number, not the seriousness of the problem.

USAGE CAVEAT: When citing European mobility-equipment damage volumes, always attribute as "an estimate quoted by EDF" or equivalent. Do not present any EU-wide figure as a measured rate until an EU reporting mandate produces one. The US DOT data (Heumann Claim 1) remains the only regulator-grade dataset and should carry the quantitative weight in any argument.

Credibility: EDF is the authoritative advocacy federation; the estimate class is credible as an indicator of scale, not as a statistic.

Architectural relevance: The correction is itself architecturally instructive: where the record does not exist, claims about it must be scoped honestly. The platform's own audit posture, verifiable, not asserted, applies to its evidence base first.

Heumann Claim 4: Assistance failures at airports are documented at scale

Claim: Wheelchair users are routinely left aboard aircraft after other passengers deplane, and assistance-service failures are a documented, recurring pattern rather than isolated incidents.

Source: UK Civil Aviation Authority airport accessibility performance reports (annual); documented individual cases including the death of Abid Hussain Chaudhry after being left unassisted, and repeated public documentation by disability advocates including Baroness Tanni Grey-Thompson, who described being left on a train and having to crawl.

Direct quote: The UK CAA's accessibility framework rates airports on assistance performance and has classified major airports as requiring improvement in multiple reporting years.

Credibility: Regulator performance data plus named, verifiable individual cases.

Architectural relevance: Assistance quality varies measurably by airport and carrier. That variance is public, rateable, and belongs in a route-level risk assessment; the traveller's diagnosis does not.

Heumann Claim 5: EU passenger-rights enforcement is fragmented and weak

Claim: Enforcement of Regulation 1107/2006 rights is delegated to national enforcement bodies of widely varying capacity, producing inconsistent remedy across member states.

Source: European Disability Forum, 9th Human Rights Report (as above), and European Commission evaluation documentation of Regulation 1107/2006.

Direct quote: The Commission's own evaluation of the air passenger rights framework acknowledges "uneven enforcement" across member states.

Credibility: The enforcing institution's self-assessment, corroborated by the sector's principal advocacy federation.

Architectural relevance: Where enforcement is weak, prevention carries the protective load. Route intelligence that avoids known failure points substitutes for remedies the traveller may never obtain.

Heumann Claim 6: Accessible infrastructure data exists but is fragmented across public sources

Claim: Venue-and-route accessibility data (step-free access, accessible toilets, assistance points) is publicly documented by operators, municipalities, and community projects, but no unified assessment layer exists.

Source: Operator accessibility registries (rail, metro, airports), municipal open-data accessibility layers, and community documentation projects including Wheelmap (Sozialhelden e.V.).

Direct quote: Wheelmap describes itself as "a map for finding wheelchair accessible places," with hundreds of thousands of crowd-verified entries.

Credibility: Source-by-source verifiability; the fragmentation itself is evident from the source landscape.

Architectural relevance: The module's synthesis role, unifying fragmented public accessibility data into route-level assessment, requires no personal data at all. It is the purest demonstration of the public-risk-layer principle.

Heumann Claim 7: Medical equipment and battery rules create documented boarding denials

Claim: Battery regulations for powered wheelchairs and medical devices (CPAP, portable oxygen concentrators) vary by carrier and are a documented cause of boarding denials and equipment refusals.

Source: IATA battery guidance for mobility aids; carrier-specific policies; documented denial cases in DOT complaint data and disability-media reporting.

Direct quote: IATA guidance sets out watt-hour limits and handling requirements for lithium batteries in mobility aids, with carrier discretion producing the variance travellers encounter.

Credibility: Industry-standard technical guidance plus regulator complaint records.

Architectural relevance: Equipment-rule intelligence is carrier-specific, technical, and public. A pre-travel check against it prevents the denial without any medical disclosure to the employer.

Heumann Claim 8: The disability employment gap makes travel-related career penalties acute

Claim: Disabled workers face a persistent employment and pay gap, making any career penalty attached to disclosed travel limitations, being quietly dropped from travel-dependent roles, a rational and documented fear.

Source: Eurostat disability employment gap statistics; UK ONS disability pay gap data; academic documentation of disclosure-related career effects.

Direct quote: Eurostat data places the EU disability employment gap at roughly 21 percentage points.

Credibility: Official statistics.

Architectural relevance: The career penalty for disclosure is the quiet driver of non-disclosure, which in turn drives unprotected travel. The trait-free proof-of-assessment design means fitness-to-travel questions never route through the manager who assigns the next role.

Heumann Claim 9: Assistance requests are themselves a disclosure event

Claim: Existing airline assistance systems require category-coded disclosure (WCHR, WCHS, WCHC and related codes) transmitted through PNR systems, meaning the current protection pathway is itself a distribution of disability data across an ecosystem the traveller cannot audit.

Source: IATA special service request (SSR) code documentation; PNR data-flow documentation as per LGBTQ+ Claim 9's regulatory sources.

Direct quote: The SSR code system transmits standardised disability categories through the reservation ecosystem to carriers, handlers, and, under PNR regimes, to state authorities.

Credibility: Industry technical documentation; the data flow is definitional, not contested.

Architectural relevance: The existing accommodation pathway is a broadcast. The module cannot remove the operational need for assistance codes, but it can ensure the employer's system is not another node holding the data, and can inform the traveller precisely what each code discloses and to whom.

Heumann Claim 10: Institutional philosophy: independence, not management

Claim: The disability-rights tradition the module is named for holds that the goal of accommodation is the disabled person's independence and authority over their own needs, not institutional management of them, a philosophy with direct architectural consequences.

Source: The published work and advocacy record of Judith Heumann, including Being Heumann (2020) and her documented role in Section 504 implementation.

Direct quote: Heumann: "Disability only becomes a tragedy when society fails to provide the things we need to lead our lives."

Credibility: The named tradition's foundational figure, quoted from her own published work. Third Rail Systems' module naming honours the tradition; no affiliation with the Heumann estate is claimed or implied.

Architectural relevance: The bespoke dossier goes to the traveller; the organisation retains only proof that assessment occurred. That allocation of information authority, substance to the person, attestation to the institution, is the Heumann principle rendered as data architecture.


Library 4: Crenshaw Module (Intersectional Risk Synthesis)

Crenshaw Claim 1: Intersectionality is a load-bearing analytical framework with a named origin

Claim: The analytical insight that risk categories compound rather than add, and that single-axis analysis systematically misses those at intersections, originates in Kimberlé Crenshaw's legal scholarship.

Source: Crenshaw, K., "Demarginalizing the Intersection of Race and Sex," University of Chicago Legal Forum (1989); "Mapping the Margins," Stanford Law Review (1991).

Direct quote: "Because the intersectional experience is greater than the sum of racism and sexism, any analysis that does not take intersectionality into account cannot sufficiently address the particular manner in which Black women are subordinated."

Credibility: Foundational, canonical legal scholarship; among the most cited law review articles of its era.

Architectural relevance: The module is named for the framework it implements: risk synthesis across attribute intersections. As with all module naming, the honour implies no affiliation; Professor Crenshaw has no relationship with Third Rail Systems.

Crenshaw Claim 2: Compounded risk is empirically documented, not merely theoretical

Claim: Individuals at identity intersections face measurably elevated violence and discrimination, with trans women of colour the most consistently documented case.

Source: Human Rights Campaign, annual reports on fatal violence against transgender and gender non-conforming people (US); Transgender Europe (TGEU), Trans Murder Monitoring project (global).

Direct quote: TGEU's Trans Murder Monitoring update reports that the large majority of murdered trans people whose occupation was known were sex workers, and that trans women of colour are disproportionately represented among victims.

Credibility: The two projects are the standard mortality-documentation efforts in this domain; their methodology notes are published.

Architectural relevance: A traveller who is both trans and racialised in a given jurisdiction faces a risk profile neither attribute predicts alone. Single-attribute risk engines, the current market standard where any exist, structurally understate danger for precisely the people most endangered.

Crenshaw Claim 3: Legal gender recognition is regressing in documented jurisdictions

Claim: Legal recognition of gender identity is not monotonically improving; documented regressions mean jurisdiction risk must be tracked dynamically, not assumed stable.

Source: TGEU, Trans Rights Map (annual); ILGA-Europe Rainbow Map annual analyses documenting year-on-year regressions.

Direct quote: ILGA-Europe's annual review has repeatedly documented that the reporting period saw "backsliding" on LGBTI rights in specific member states, naming the jurisdictions.

Credibility: The two mapping projects are the standard European instruments, updated annually with published methodology.

Architectural relevance: Risk intelligence must have a refresh cadence. A static jurisdiction table is wrong within a year; the platform's jurisdictional layer is built for continuous revision because the underlying legal reality demonstrably moves in both directions.

Crenshaw Claim 4: The European trans-rights regression is quantified and citable

Claim: TGEU's own mapping documents that trans-rights progress in Europe has stalled and in several jurisdictions reversed, the first such sustained regression in the project's history.

Source: Transgender Europe (TGEU), Trans Rights Map 2024 analysis.

Direct quote: TGEU's 2024 analysis reported that the map showed regression on trans rights for the first time in thirteen years of mapping.

Credibility: The primary European trans-rights monitoring organisation reporting on its own longitudinal instrument.

Architectural relevance: The direction of travel matters for architecture: systems designed on the assumption that European deployment is the safe case are designing for a past decade. Minimum disclosure is the posture that remains correct whichever direction a jurisdiction moves.

Crenshaw Claim 5: Religion and belief add a compounding axis in specific jurisdictions

Claim: Apostasy, blasphemy, and religious-identity laws in multiple jurisdictions create risk axes that compound with SOGI and other attributes in assessable, documented ways.

Source: US Commission on International Religious Freedom (USCIRF) annual reports; Humanists International, Freedom of Thought Report (annual).

Direct quote: The Freedom of Thought Report documents that in a number of states "apostasy" or blasphemy remain "punishable by death."

Credibility: A US federal commission and the standard global monitoring report on the non-religious; both publish jurisdiction-level methodology.

Architectural relevance: Another public risk layer, another protected attribute. The synthesis module composes these axes at assessment time without any of them persisting as a record.

Crenshaw Claim 6: Nationality and ethnicity interact with all other axes at borders

Claim: Border treatment varies by nationality, ethnicity, and name in documented ways, entry denials, secondary screening rates, and device searches, making these axes operational risk inputs, not demographic trivia.

Source: Documented differential border-screening patterns in academic and civil-liberties literature, including EFF and ACLU documentation of US border device searches and academic work on nationality-based screening differentials.

Direct quote: EFF documentation records the growth of warrantless border device searches from approximately 5,000 per year to more than 25,000 within the decade.

Credibility: Civil-liberties litigation records and government-disclosed statistics.

Architectural relevance: The device carried across a border is itself an attribute inventory. The platform's guidance layer treats data-at-the-border as a first-class risk category, the "safest device carries nothing" principle.

Crenshaw Claim 7: Health status compounds silently across every module

Claim: HIV status remains a legal entry restriction or deportation ground in a documented set of jurisdictions, the sharpest single example of a health attribute functioning as a border-level legal risk.

Source: UNAIDS and the Global Database on HIV-related travel restrictions (hivtravel.org, maintained by Deutsche Aidshilfe with international partners).

Direct quote: The database documents the set of countries that "deport, detain, or deny entry to people living with HIV" or impose HIV-specific residence restrictions.

Credibility: The recognised global monitoring instrument for this restriction class, cited by UNAIDS.

Architectural relevance: A single serostatus attribute can convert a routine posting into a deportation risk. It is also among the most protected data classes in existence. The compound of maximal relevance and maximal sensitivity is the platform's home terrain.

Crenshaw Claim 8: The aggregation problem: attribute combination is itself identifying

Claim: Combinations of individually innocuous attributes are re-identifying; intersectional assessment therefore raises the privacy stakes rather than lowering them, and must be architected accordingly.

Source: Sweeney, L., "Simple Demographics Often Identify People Uniquely," Carnegie Mellon University, Data Privacy Working Paper 3 (2000), and the subsequent re-identification literature.

Direct quote: "87% of the population in the United States had reported characteristics that likely made them unique based only on {5-digit ZIP, gender, date of birth}."

Credibility: The foundational re-identification study, replicated and extended for two decades.

Architectural relevance: The module that synthesises the most attributes must retain the fewest. Intersectional assessment done naively builds the most dangerous database in the company; done statelessly, it builds none.

Crenshaw Claim 9: Aggregate representation without individual exposure is technically established

Claim: Differential privacy and related techniques demonstrate that population-level insight and individual-level non-exposure are compatible, resolving the "minimisation erases us" objection at the technical layer.

Source: Dwork, C., et al., "Calibrating Noise to Sensitivity in Private Data Analysis," Theory of Cryptography Conference (2006), and the deployed practice literature (US Census Bureau 2020 adoption).

Direct quote: Differential privacy provides mathematical guarantees that analysis outputs are "essentially equally likely" regardless of any single individual's inclusion.

Credibility: The founding paper of the field and a national-statistics-scale deployment.

Architectural relevance: Minimum disclosure is not erasure. Populations can remain visible in aggregate while individuals remain unrecorded, the precise distinction between representation and exposure on which the platform's ethics rest.

Crenshaw Claim 10: Institutional recognition that data minimisation is an accountability tool

Claim: The position that minimising collection is itself an AI accountability mechanism, not a constraint on it, has institutional articulation in the AI-policy research community.

Source: AI Now Institute, "Data Minimization as a Tool for AI Accountability" and related publications.

Direct quote: AI Now's framing positions data minimisation as "a tool for AI accountability," inverting the assumption that accountability requires more collection.

Credibility: A principal AI-policy research institute; the framing is corroborated by the EDPB's consistent minimisation guidance.

Architectural relevance: The platform's design premise, that the accountable system is the one that can prove its process without warehousing its subjects, has independent institutional articulation. The architecture is an implementation of a recognised accountability paradigm, not a private theory.


Verified June 2026. Corrections are documented on the claim they amend and remain public. For the analysis these sources support, see the whitepaper at thirdrailsystems.ee/beyond-disclosure.

Corrections policy

When verification identifies an error, the correction is documented on the claim it amends. The original wording is not silently rewritten. Where a claim is retained subject to a constraint on how it may be used, that constraint is published alongside the claim as a Usage caveat. See Heumann Claim 3 for a worked example.

Third Rail Systems OÜ, Tallinn, Estonia. Registry 17488655. This library and the whitepaper it supports are held by Third Rail Systems OÜ.

v1.0 · Tallinn · EU-Native