I began part of this analysis yesterday, during The SDK: The Privacy Edition 2015.03.09.
Dr. Ian Oliver wrote an excellent post back in February, The Semantics of PII, theorizing that one could use logic to define privacy terms. It took me multiple reads, and multiple attempts at writing this summary, before I could pull that theory out – but that’s likely not Dr. Oliver’s fault. I’m relatively new to the privacy scene, and my Logic Design courses in college get me in the arena, but don’t get me the championship quite yet. I’m writing this translation only because I know that there are members of my audience who won’t be able to follow Dr. Oliver’s article, and there’s no Google Translate for Logic which connects Legal Privacy terms to Entropy. There just isn’t.
Before going into my translation of his article in depth, I will point out that I can get on board with this idea on an esoteric level, seeing as how all code I’ve been exposed to is essentially:
If:
Friend at Your Door
Then:
Invite Friend Inside
Else If:
No Friend at Your Door
Then:
No need to get off your behind and answer your door.
But don’t get too ahead of yourself. Because privacy is not that concrete. Also, if you consider the scenario above, it’s easy enough to imagine someone saying “Well what if I was taking Friend out to lunch? There’s no reason to first Invite Friend Inside” to which I would have to respond with “I completely agree, time to add another set of logic”:
If:
Friend at Your Door
Then:
Invite Friend Inside
Else If:
Friend at Your Door AND You Have Lunch Plans
Then:
Go To Lunch
Else If:
No Friend at Your Door
Then:
No need to get off your behind and answer your door.
This can continue indefinitely, and we’re just talking about what to do when someone may or may not be at Your Door. Which is why using Logic to define privacy legal terms is “obscenely difficult” (which Dr. Oliver admits).
But let’s start closer to the beginning of the article. Dr. Oliver introduces his thesis by explaining that there is a disconnect between the definition of PII (Personally Identifying Information) in privacy law and in software engineering. Which, of course, I am 100% on board with.
Dr. Oliver entices his readers by asking several questions to prompt thinking regarding information privacy. Which is cool. However his main thesis – “what is information, and what does identifiable denote?” (his emphasis) – was a bit #Meta for me.
But he did something very cool. He managed to do a sort of quadruple front flip (I tried to think of something hard to do in gymnastics), and literally suggest you could define privacy legal terms in mathematics. #Whoa:
“The definition of PII that is used in contemporary privacy is perfectly well defined in the privacy-legal context. I can go to various legal documents and read a formal definition of what PII or personal data means. But as we move between disciplines—in our case from privacy-legal to privacy-engineering disciplines—these definitions no longer hold, or at the very least, they don’t work well.”
But not so fast, here comes the quadruple front flip:
He finds a way to line up his definition of PII – that it’s “chunk[s] of data that reveals some knowledge about a person that can be unambiguously identified” – to… wait for it… information entropy.
I didn’t even know what information entropy was.
Information entropy, according to Dr. Oliver, “provides a clear, unambiguous and precise definition of what information is as well as the identifiability of a data set with respect to some population and so on.” So yes, his logic lines up. Nice landing on the quadruple front flip. And then, the stuck landing (this is a good thing in gymnastics, btw):
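To make the entropy idea a little less esoteric, here is an added Python example. It is my own illustration, not code from Dr. Oliver’s article: it builds a small constructed population of eight people and measures, in bits, how much each attribute (and each combination of attributes) narrows down which person a record belongs to, compared with the log2(N) bits needed to single one person out of N. When the bits a data set reveals reach log2(N), every record is unique and the data set is, in plain terms, identifying.

```python
from collections import Counter
from math import log2

# Constructed sample population (assumption for illustration; not real data).
# Eight people, three attributes each.
POPULATION = [
    {"zip": "10001", "birth_year": 1980, "gender": "F"},
    {"zip": "10001", "birth_year": 1980, "gender": "M"},
    {"zip": "10001", "birth_year": 1985, "gender": "F"},
    {"zip": "10001", "birth_year": 1985, "gender": "M"},
    {"zip": "10002", "birth_year": 1980, "gender": "F"},
    {"zip": "10002", "birth_year": 1980, "gender": "M"},
    {"zip": "10003", "birth_year": 1985, "gender": "F"},
    {"zip": "10003", "birth_year": 1985, "gender": "M"},
]


def entropy(values):
    """Shannon entropy, in bits, of the distribution of the given values."""
    counts = Counter(values)
    total = sum(counts.values())
    return -sum((c / total) * log2(c / total) for c in counts.values())


def project(population, attrs):
    """Reduce each record to the tuple of the chosen attributes."""
    return [tuple(person[a] for a in attrs) for person in population]


def attribute_entropy(population, attrs):
    """Bits revealed about a person by the combination of attributes `attrs`."""
    return entropy(project(population, attrs))


def identification_bits(population):
    """Bits needed to single out one person out of the whole population."""
    return log2(len(population))


def identifiability_ratio(population, attrs):
    """Fraction of the identifying bits that these attributes supply (0..1)."""
    return attribute_entropy(population, attrs) / identification_bits(population)


def class_sizes(population, attrs):
    """How many people share each combination of attribute values."""
    return Counter(project(population, attrs))


def smallest_class(population, attrs):
    """The k in k-anonymity: size of the least populated attribute combination."""
    return min(class_sizes(population, attrs).values())


def unique_records(population, attrs):
    """Number of people whose attribute combination is shared with nobody else."""
    return sum(1 for size in class_sizes(population, attrs).values() if size == 1)


if __name__ == "__main__":
    need = identification_bits(POPULATION)
    print(f"Bits needed to identify one of {len(POPULATION)} people: {need:.2f}")
    for attrs in [("gender",), ("zip",), ("zip", "birth_year"),
                  ("zip", "birth_year", "gender")]:
        h = attribute_entropy(POPULATION, attrs)
        print(f"{'+'.join(attrs):24s} reveals {h:.2f} bits, "
              f"k={smallest_class(POPULATION, attrs)}, "
              f"unique records={unique_records(POPULATION, attrs)}")
```

Run as-is, the script shows gender alone giving 1 bit and ZIP alone 1.5 bits, neither of which singles anyone out (everyone shares their value with at least one other person). ZIP plus birth year gives 2 bits and still leaves pairs of people indistinguishable, but adding gender reaches the full 3 bits, and all eight records become unique. That jump from “a chunk of data” to “a chunk of data that unambiguously identifies a person” is exactly the line Dr. Oliver is trying to draw with entropy; in a real data set you would use the same measurement to decide which attribute combinations need generalizing or suppressing before release.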
He straight up admits that defining the legal definition in terms of mathematics can be done, but it’s “obscenely difficult to do.” Had he not admitted this fact, his feet would have wobbled and I’d deduct points. Because, uh, yes. Yes it is obscenely difficult to define legal definitions in terms of mathematics. If you asked me to do it, I’d be asking to phone a friend please.
Then, in sort of a “land far, far away land” sense (but BTW, that land happens to be between privacy law and mathematics), he leads us into the poor software engineers, stating that they are “the discipline that actually implements privacy law into our systems”, and that “Software engineers, much to the chagrin of privacy lawyers, do not understand legal terms.”
#TrueStory. Watcha gonna do?
Especially since, as Dr. Oliver adds, “privacy lawyers don’t understand all the subtle ramifications of virtual machines, machine language, object orientation, distributed computing, network protocols, XML, RDF—the list goes on!—again, much to the chagrin of software engineers.”
Well, at least he shames both sides. This is the piece I explore further in my once-you-understand-Dr-Oliver’s-article-read-this blog post, Consider A Book.
Ultimately, Dr. Oliver proffers that the solution is to use his previously mentioned algorithm – defining the legal definition of PII in terms of the mathematical definition – and that “[t]hat link provides the translation mechanism that allows both groups not just to talk but to properly communicate with each other.”
And, of course, without that ability to use that “obscenely difficult” translation mechanism, having “grand chief-overseer-of-the-worshipful-court-of-privacy-dudes” (my now dream job title) is sort of pointless (I’m exaggerating).
I look forward to seeing how Dr. Oliver’s series on the topic continues (he ends the piece by promising he intends to delve into this more), but I think he might be being a little esoteric about it all. Perhaps that’s fine for now, seeing as how I’m not sure how deep one can actually delve into trying to make the logic line up between “Reasonable Expectation of Privacy” and “If Friend At Your Door”. An individual’s response to those stimuli will vary based on so many different factors that sometimes I’m super glad I don’t “Code for Money” these days 🙂
Now you’re ready to read my other analysis of Dr. Oliver’s article: Consider A Book – Oh and Casper Doesn’t Run Ghost Networks