Reasoning about information: an example

Share This Page

One of the reasons it's hard to think carefully about privacy is that privacy is fundamentally about information, and our (uneducated) intuition about information is often unreliable.

As a teacher, I have tried different approaches to helping students get over this barrier.  It's not too hard to teach the theory, so that students learn how to manipulate logical formulas to answer contrived story problems about information and inference.  What is more difficult is augmenting the formal theory with a more accurate intuition that is useful outside the classroom.

One trick I find useful for building privacy intuition is to abstract away from the formality of logic and the complexities of human relationships, and consider how information behaves in another setting: simple algebra.

[To math-phobic readers: hang on--this won't hurt a bit.  I'll use the simplest possible examples, and I promise I won't ask you to solve any equations.]

Suppose we're interested in knowing the value of X.  We start out with no knowledge about X, so X could have any value, large or small, positive or negative.   Now we learn a fact:

X - Y = 2

We have learned a fact about X, but that fact doesn't help us narrow down what the value of X might be--it's still the case that X could take on absolutely any value.

Some time later, we learn another fact:

X + 2Y - Z = 5

That's another fact about X, but we still can't narrow down what the value of X might be--it's still the case that X could take on absolutely any value.  Your algebra teacher would say that we can't find a solution because we have fewer equations (two) than unknowns (three: X, Y, and Z).

So at this point, we know nothing about X, right?   Or is it better to say that we know two things about X, even though our uncertainty about the value of X has not been reduced at all?   Information is odd that way.

The next day, we learn yet another fact:

Z - Y = 1

This new fact is obviously not about X.  It doesn't mention X at all--it's just a fact about the relationship between Y and Z.  How could that possibly tell us anything about the value of X?

But as it turns out, this last fact is the key to unlocking the value of X.   Given the three facts we now know, we can dust off our algebra skills and solve the three equations in three unknowns, to learn that X=4, Y=2, and Z=3.

The key to unlocking the value of X, as it turned out, was a fact (Z-Y=1) that wasn't even about X.   Or maybe it was a fact about X, despite not mentioning X at all.  Information is odd that way.

This example also helps to illustrate how easy it is to make mistakes when reasoning about information.   For example, suppose we create a concept of X-identifying information (XII), and we say that a fact is XII if and only if that fact allows someone who learns it to determine the value of X.   So the fact "X = 6" is XII, but the fact "U + V = 7" is not XII.

Now we might try to use XII to reason about our example.  We could look at each of the three facts in isolation, and argue that they are all non-XII, because each of them in isolation does not reveal the value of X.   We might then try to argue that in revealing the three facts, we never revealed any XII, and therefore there is no reason to worry that the value of X might have been revealed.

Of course, such an argument would be incorrect, because the three facts did in fact reveal the value of X, when taken together.  To put it another way, if somebody tells us that "no XII was revealed" that statement by itself does not imply anything about whether X was revealed.

Information is odd that way.

[Extra-credit homework assignment: Devise an "XII removal" method that can take any fact that is XII, and transform it into an equivalent set of facts that (considered individually) are non-XII.]

Original Comments for “Reasoning about information: an example”

 

josephlorenzohall    
July 23, 2012 at 1:28 pm      

I was going to snarkily say “multiply XII by zero” for the extra-credit, but that’s certainly not an equivalent set of facts!

 

Mark Donahey   
July 25, 2012 at 7:49 am      

This is a great way to illustrate the problem. Thanks!

As for the extra credit, I’ll take a shot:

Instead of disclosing two separate facts about how X relates to Y and/or Z (as in X-Y=2 & X+2Y-Z=5), we combine both facts to create a single fact that only expresses a relationship between Y and Z without reference to X. That is, we substitute “2-Y” (Fact 1) for the value of X in Fact 2, like so: (Y-2) + 2Y – Z = 5. After we clean it up we have 3Y – Z = 3, which can be safely disclosed.

Is this what you had in mind? If so, could you give a real world example of a similar method in action? I’m having a hard time understanding how something like this is implemented.

 

Ed Felten
July 26, 2012 at 4:05 pm      

Mark,

As it turns out, if you replace the second fact in my example with the new fact you derived (3Y – Z = 3), the example plays out in the same way. What I’m looking for in the extra-credit homework is a method that would take a standalone piece of XII such as “X = 7″ and transform it into one or more facts which are not (considered one at a time) XII, but which nonetheless convey the information that X is equal to 7.

 

Jen
July 27, 2012 at 7:53 am      

Or…. how about limiting the obsession to “solve” for X at all.

ie; access/use the minimal data needed to carry out your duties or that the law provides for and …. don’t worry bout the rest. I think this cultural obsession to answer all the “unknowns” is a big part of the problem. If as a medical professional you don’t already know, then its safe to say you could do your job or “due diligence” even without solving each factor of an equation. Did you give the right person the right treatment for the right condition? The violation I am dealing with is an example of accessing/using./disclosing PHI that was irrelevant to the task at hand for the RPH, it was not relevant to the party it was shared with, and the sharing was certainly NOT authorized by me. But this RPH had some OCD determination to “solve” for all factors of this equation. When he merely needed to ‘ring it up’ like the glorified cashier that he really is/was!!!

 

willene
March 12, 2013 at 4:05 pm  

I understand x)

 

willene smith
March 12, 2013 at 6:05 pm  

Ok I would like to be called 7 and sign my name X it will fit me better also from what I found out about myself with all of the names and eyes also Is. Claiming all tites. I came from somewherz?

 

The author’s views are his or her own, and do not necessarily represent the views of the Commission or any Commissioner.

Add new comment

Comment Policy

Privacy Act Statement

It is your choice whether to submit a comment. If you do, you must create a user name, or we will not post your comment. The Federal Trade Commission Act authorizes this information collection for purposes of managing online comments. Comments and user names are part of the Federal Trade Commission’s (FTC) public records system (PDF), and user names also are part of the FTC’s computer user records system (PDF). We may routinely use these records as described in the FTC’s Privacy Act system notices. For more information on how the FTC handles information that we collect, please read our privacy policy.