Things in Control Part 1: A Better Way to Understand Digital Assets
Why the English Law Commission was right—and why its language must evolve.

Note: This is Part 1 of a two-part series. Part 2 is here.
When the English Law Commission released its Landmark Report on Digital Assets, I’ll admit it:
I was thrilled.
Here, finally, was a sophisticated legal body wrestling seriously with the idea that digital assets are property. Not metaphorically. Not economically. Not philosophically. Legally. That was a major milestone for the entire field of digital trust, decentralized systems, and autonomous agents.
But there was also a part of me that felt just a little disappointed.
Not with the substance—the substance was brilliant.
But with the name.
The Commission proposed calling this new category of property a “data object.”
A legal category defined by “data” immediately felt too tied to implementation, too specific to today’s technology stack, too limiting for a world moving rapidly toward autonomous agents, hardware security modules, machine identity, and protocol-native systems.
A data object?
What happens when systems evolve beyond data as we understand it?
What happens when agents generate their own keys inside tamper-resistant hardware?
What happens when the “thing” is not a piece of information, but a self-contained locus of authority?
For a long time, I wrestled with this.
The Concept Was Right — the Framing Wasn’t
The Commission had identified something profound:
A new class of property,
neither purely physical nor purely legal,
that exists independently of state recognition,
and whose ownership is determined through control, not possession or legal entitlement.
This was revolutionary.
But I couldn’t shake the feeling that “data objects” didn’t quite capture what made this insight so extraordinary.
Because the real innovation wasn’t “data.”
The real innovation was the mechanism of exclusivity.
These new things—Bitcoin UTXOs, NFTs, smart-contract rights, hardware-protected keys, and protocol-native digital identities—derive their scarcity and transferability from system rules, not from physical constraints or from legal recognition.
They operate under a simple principle:
If you can exercise control under the system’s rules, you own it.
Not because a court says so.
Not because you hold it physically.
Not because a contract defines it.
But because the system itself enforces the exclusivity.
It took me time to articulate why “data objects” didn’t quite capture this.
And then it struck me.
Things in Control
One day I realized that the category we were all circling around already had a natural family resemblance within the common law tradition.
Property has long been divided into:
Things in Possession – governed by physical control
Things in Action – governed by legal enforceability
These new entities fit neither category.
They are not “possessed” in any traditional sense: you can’t put a private key in your hand if it lives inside a secure enclave, and you certainly can’t physically hold a blockchain entry.
Nor are they “things in action”: you don’t need to sue anyone to enforce your rights over a Bitcoin UTXO or a hardware-generated key.
So what are they?
They are Things in Control.
A third category of property where:
Exclusion is enforced by system logic
Authority is defined internally
Transfer occurs by shifting control conditions
Existence is independent of legal institutions
Title corresponds to operational capability
This terminology doesn’t describe the implementation.
It describes the legal and ontological nature of the thing.
Why “Things in Control” Is Better Than “Data Objects”
1. It focuses on the defining property: control.
Control is what makes these assets rivalrous and transferable.
2. It aligns perfectly with common-law structure.
We already have “things in possession” and “things in action.”
“Things in control” completes the taxonomy naturally.
3. It is future-proof.
A data object assumes a world of digital information.
A “thing in control” works even if our future systems use:
hardware-enforced state
autonomous agents
distributed computation
machine decision logic
4. It applies far beyond blockchains.
The best example isn’t Bitcoin—it’s an HSM.
A Hardware Security Module:
generates its own key
maintains it internally
enforces usage policy
restricts operations through internal logic
An HSM key is not a “data object” in any useful sense.
It is quintessentially a thing in control.
Nostr: A Pure Example of Control-Based Property
Nothing illustrates Things in Control more elegantly than Nostr, a protocol built on the simplest possible foundation:
a public key,
a private key, and
the ability to publish events that the world recognizes as yours.
A Nostr public key isn’t just an identifier.
It is a control structure.
The system rules are minimalistic and absolute:
If an event is signed by the private key corresponding to the public key,
And the signature verifies under the protocol’s rules,
Then that event is yours—it is attributed to you by every relay, client, and user.
No account.
No server.
No legal authority.
No central registry.
Just control.
The public key has control over:
the events it publishes,
how those events are recognized,
how identity is established,
how reputation accumulates,
and how continuity of authorship is preserved.
This is not “data” in the legal sense.
This is an autonomous identity object whose legitimacy is enforced purely through cryptographic control.
A Nostr pubkey is a perfect modern example of:
A Thing in Control.
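The attribution rule described above, written out as the check a relay or client performs: recompute the NIP-01 event id, then verify the BIP-340 Schnorr signature against the claimed public key. This is an added example, not code from the original post or from any Nostr project; the secret keys, the sample event and the `sign` helper (whose nonce derivation is simplified for the demo) are constructed, and the JSON serialization matches NIP-01 for ordinary text content.

```python
import hashlib, json

P = 2**256 - 2**32 - 977  # secp256k1 field prime
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # group order
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,  # generator
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(a, b):  # affine point addition; None is the point at infinity
    if a is None or b is None: return a or b
    if a[0] == b[0] and (a[1] + b[1]) % P == 0: return None
    lam = (3 * a[0] ** 2 * pow(2 * a[1], -1, P) if a == b
           else (b[1] - a[1]) * pow((b[0] - a[0]) % P, -1, P)) % P
    x = (lam * lam - a[0] - b[0]) % P
    return x, (lam * (a[0] - x) - a[1]) % P

def mul(k, pt):  # double-and-add scalar multiplication
    acc = None
    while k:
        acc, pt, k = (add(acc, pt) if k & 1 else acc), add(pt, pt), k >> 1
    return acc

def challenge(rx, pk, msg):  # BIP-340 tagged hash e = H(R.x || P.x || m) mod n
    t = hashlib.sha256(b"BIP0340/challenge").digest()
    return int.from_bytes(hashlib.sha256(t + t + rx + pk + msg).digest(), "big") % N

def event_id(ev):  # NIP-01 id: sha256 of the canonical JSON array
    body = [0, ev["pubkey"], ev["created_at"], ev["kind"], ev["tags"], ev["content"]]
    return hashlib.sha256(json.dumps(body, separators=(",", ":"), ensure_ascii=False).encode()).hexdigest()

def verify(ev):  # the check run before an event is attributed to its pubkey
    sig, pk = bytes.fromhex(ev["sig"]), bytes.fromhex(ev["pubkey"])
    if len(sig) != 64 or len(pk) != 32 or event_id(ev) != ev["id"]: return False
    px, r, s = (int.from_bytes(b, "big") for b in (pk, sig[:32], sig[32:]))
    y = pow((px ** 3 + 7) % P, (P + 1) // 4, P)  # candidate square root for lift_x
    if px >= P or r >= P or s >= N or y * y % P != (px ** 3 + 7) % P: return False
    e = challenge(sig[:32], pk, bytes.fromhex(ev["id"]))
    R = add(mul(s, G), mul(N - e, (px, y if y % 2 == 0 else P - y)))  # sG - eP
    return R is not None and R[1] % 2 == 0 and R[0] == r

def sign(sk, ev):  # demo signer; nonce derivation is simplified, not BIP-340's
    pt = mul(sk, G)
    d, pk = (sk if pt[1] % 2 == 0 else N - sk), pt[0].to_bytes(32, "big")
    m = bytes.fromhex(event_id(dict(ev, pubkey=pk.hex())))
    k = int.from_bytes(hashlib.sha256(d.to_bytes(32, "big") + m).digest(), "big") % N
    if mul(k, G)[1] % 2: k = N - k  # force R to have even y
    rx = mul(k, G)[0].to_bytes(32, "big")
    return dict(ev, pubkey=pk.hex(), id=m.hex(), sig=(rx + ((k + challenge(rx, pk, m) * d) % N).to_bytes(32, "big")).hex())

EVENT = sign(7, {"created_at": 1700000000, "kind": 1, "tags": [], "content": "hello"})  # constructed
```

Changing the content, or swapping in a different public key, makes `verify` return False even when the id is recomputed, which is the system-enforced exclusivity the section describes.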
Legal Accountability: The “Beneficial Controller”
But this leads naturally to a deeper question—
If a thing is controlled by its own internal logic, who is accountable for what it does?
A “Thing in Control” is not a person.
It has no legal personality.
It is not morally or legally responsible for its outputs.
So the law must look beyond the object to identify what we might call the:
Beneficial Controller
the human being who ultimately benefits from, directs, or relies on the thing’s control-based capabilities.
Even when interacting with highly autonomous systems, we can usually identify a human who:
supplied the initial key,
configured the system,
authorizes actions,
receives benefits,
or bears responsibility for misuse.
This beneficial controller is not part of the thing itself.
They exist outside the system.
They provide the moral and legal anchor point that our legal systems require.
In the world of Nostr:
The public key publishes,
The system verifies,
But the human using the private key is accountable for the content.
In the world of HSMs:
The HSM generates the key,
The internal logic enforces its use,
But the organization or person who owns the device is responsible for the operations it performs.
With digital assets:
The blockchain enforces control,
But the beneficial controller—the human who holds or delegates the key—is accountable for transfers.
“Things in Control” don’t eliminate accountability.
They shift where accountability is located.
Not in the architecture.
Not in the cryptography.
Not in the protocol.
But in the ultimate human whose intent is expressed through the exercise of control.
Recognizing this distinction is essential for regulators, policymakers, and courts as autonomous systems become more widespread.
AI Agents Are Missing This Legal Shift
Ironically, many discussions about AI agents—especially those that imagine autonomous economic actors—are building elaborate governance structures while missing the most important new legal category emerging around them. AI is often framed as requiring entirely new liability models, new forms of agency, or even new types of legal personhood. But none of that addresses the foundational reality that an AI agent, no matter how sophisticated, ultimately operates as a Thing in Control.
Every AI agent has:
a control state
an internal logic determining what actions it can take
system-enforced boundaries
signatures or attestations proving authorship
and a human who ultimately configures, deploys, and benefits from it
In other words, AI agents fit the paradigm perfectly—but current AI debates continue to treat them as something wholly unprecedented rather than as a natural extension of this new category. Eventually, the law will catch up and recognize that AI agents do not need their own legal personality—they need to be understood through the dual structure of Thing in Control + Beneficial Controller.
This framing resolves many of the anxieties in AI governance without inventing new legal beings.
The system controls the agent’s capability.
The human controller anchors accountability.
And the law aligns with centuries of common-law reasoning while embracing future technology.
AI governance frameworks will ultimately converge on this structure—whether they realize it now or later.
The Broader Implication
“Things in control” is a conceptual category that supports:
digital assets
secure enclaves
Nostr identities
IoT actors
cryptographic bearer instruments
machine-to-machine payments
autonomous agents and AI-native economic participants
The common thread is not data.
It is self-contained, system-governed control, grounded legally by the presence of a beneficial controller—a human at the edge of the system who ultimately exercises and is accountable for the control granted by the thing.
As the Digital World Evolves, So Must Our Legal Categories
The Law Commission made a brilliant move in recognizing a third category of property.
It was an essential step toward modernizing the common law for the digital era.
But like any early attempt to name the unfamiliar, “data object” was a starting point—not an endpoint.
Over time, as I worked through the implications, I realized the Commission had already shown us the path. Their own logic pointed toward a category defined not by what these things are made of, but by how they work and who ultimately benefits from exercising their control.
And so, the right concept isn’t data.
It’s control.
These new entities are:
Things in Control.
Not as technical artifacts,
but as fully legitimate objects of property in the emerging order—
anchored always by a human beneficial controller standing behind them.
And perhaps, in time, the law will catch up to this deeper truth.

This is exceptionally well thought out - I actually experienced a level of excitement reading it. This immediately triggered me to explore how the law deals with other people’s thoughts and brought me to human control state as a “control forum internum” and the protocol-visible acts as a “control forum externum”. I think enriching this idea from that legal perspective could even further clarify how the law could deal with this.
Is this Part1?