This is a scheme that complements the user compartment
idea above {(user-compart)}.
The basic idea is that communication with other users in
other compartments is via the guard that makes an indelible
record of such communications.
The guard's record supports conclusions about information
flow. The transmission may include a key but only under
one of these provisos:

A read-only no-call memory key.
    This allows information to flow to the recipient while
    the segment exists. The guard keeps the segment key and
    may be requested to note and record that the segment is
    gone.

A simplex channel.
    This is a mechanism whereby a sender can send a sequence
    of records. The receiver can receive the sequence. There
    is record buffering but no flow control. Records are discarded
    upon buffer exhaustion. The recipient supplies the bank
    for the buffer and may establish the policy for buffer discard.
    A count of discarded records is supplied to the recipient.
    This object may be deleted and noted as can the segment
    key above.

A factory requestor's key.
    This key will be tested by the guard for discretion against
    some prespecified factory of standard discretion. Access
    provided indirectly by such a key cannot be revoked.

A monitored segment.
    This mechanism is complex and its design should be separated
    from that of the guard, but here is the idea.
    It may be desired to record in what intervals access to a
    segment was exercised via some key. This is easily done
    by providing a new segment node with a keeper that makes
    the segment normally invalid. Upon access this keeper gets
    control, makes the segment valid and records the event.
    He then waits for an hour and makes the segment invalid
    once again.

The sender determines the recipient by EBCDIC
name in a name space known to the guard.
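
The simplex channel described above, sketched in Python as an added example (not code from this note or from any system it describes). The class and method names, the integer capacity standing in for the recipient-supplied bank, and the two discard policy names are assumptions.

```python
from collections import deque

class SimplexChannel:
    """One-way record channel: buffered, no flow control, lossy when full."""
    POLICIES = ("drop-newest", "drop-oldest")  # hypothetical policy names

    def __init__(self, capacity, policy="drop-newest"):
        # capacity models the bank the recipient supplies for the buffer;
        # policy is the discard rule the recipient establishes.
        if capacity < 1 or policy not in self.POLICIES:
            raise ValueError("bad capacity or policy")
        self._buf, self._capacity = deque(), capacity
        self._policy, self._discarded = policy, 0

    def sender_key(self):
        return _Sender(self)

    def receiver_key(self):
        return _Receiver(self)

class _Sender:
    """Send-only facet. send() always returns None, so in this sketch the
    sender sees no difference between delivery and discard."""
    def __init__(self, ch):
        self._ch = ch

    def send(self, record):
        ch = self._ch
        if len(ch._buf) >= ch._capacity:      # buffer exhausted
            ch._discarded += 1
            if ch._policy == "drop-newest":
                return None                   # incoming record is lost
            ch._buf.popleft()                 # drop-oldest: evict the head
        ch._buf.append(record)
        return None

class _Receiver:
    """Receive-only facet; also reports the running discard count."""
    def __init__(self, ch):
        self._ch = ch

    def receive(self):
        ch = self._ch
        record = ch._buf.popleft() if ch._buf else None
        return record, ch._discarded

def demo(policy):
    """Constructed input: four records sent into a two-record buffer."""
    ch = SimplexChannel(2, policy)
    tx, rx = ch.sender_key(), ch.receiver_key()
    results = [tx.send(r) for r in ("a", "b", "c", "d")]
    return results, [rx.receive() for _ in range(3)]
```
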