# Notes on Privacy

This is a memo on privacy-related matters that I am thinking about. It will change constantly. It is still a very early sketch / work in progress.

## 1. Definitions

Let $I = \{\, i \mid i \text{ is an integer}, i > 0 \,\}$. Let $e_i$, $i \in I$, denote an entity $i$.

### 1.1 identity, set of attributes

Identity, $x_i$, of an entity $i$ is a set of attributes related to $e_i$.

### 1.2 identifiable entity information, identifier, unique identity

For a set $X = \{x_i\}$, if $\forall j \neq i \Rightarrow x_i \neq x_j$, then $x_i$ is an identifiable entity information.

### 1.3 personally identifiable information, pii

identifiable entity information of a human

### 1.4 data linking

an action that creates $z_i = x_i \cup y_i$ from two pii that relate to entity $i$

### 1.5 cognitive surface

surface onto which an entity projects input data to form a certain understanding about the source of the input data

### 1.6 recognition

result of a mapping $f: X \to C$ that maps an identity $x \in X$ onto a cognitive surface $C$ of an entity $E$

### 1.7 right to control self image (right to express oneself)

right of a person to build an intended recognition by the entity $E$ by controlling which identity of his is available to $E$

### 1.8 privacy

freedom from unauthorized intrusion or intervention onto one’s sovereignty over oneself

Note: Synonymous with “Liberty” defined as “*the sovereignty of man over himself*”

### 1.9 right to privacy

right of complete immunity over oneself

Note: right to privacy (1.9) includes right to express oneself (1.7)

### 1.10 privacy infringement

trespass on the right to privacy (1.9)

Note: an act of creating an unintended recognition, caused by adding, subtracting, or modifying the set of attributes that a person provides to the entity, infringes the right to control self-image (1.7), thereby infringing the right to privacy. In section 2, this will be used extensively to prove that an act forms a case of privacy infringement.

### 1.11 anonymity (k-anonymity)

state in which, for $x_i \in X$, there are $n > k > 1$ entities $j$ such that $x_i = x_j$

### 1.12 anonymization (k-anonymization)

operation that removes or obscures one or more attributes from the identity so that there will be more than $k$ entities $j$ such that $x_i = x_j \in X$

### 1.13 pseudonymous

state in which for entity $i$ there is no $j \neq i$ such that $x_i = x_j$, where $i, j \in S \subset I$ and $S \neq I$

Note: The set $S \subset I$ with $S \neq I$ is an integral part of the definition of pseudonymous. If $S = I$, then it is not pseudonymous anymore but is called veronymous. In this respect, “pseudonymous” makes sense only in relation to $S$. In identity management, $S$ is often called a sector.
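To make the definitions of identifiable entity information (1.2), anonymity (1.11), anonymization (1.12) and pseudonymity within a sector concrete, here is an added Python example that is not part of the memo. It models an identity as a frozenset of attribute/value pairs, checks k-anonymity exactly as the memo phrases it (strictly more than $k$ entities with an equal identity), anonymizes by dropping or generalizing attributes, and tests pseudonymity relative to a sector $S$. The records, attribute names and generalization functions are constructed for the example.

```python
from collections import Counter
from typing import Callable, Dict, FrozenSet, Hashable, Iterable, List, Optional, Tuple

# An identity x_i (section 1.1) is modelled as a frozenset of (attribute, value) pairs.
# A frozenset is hashable, so x_i = x_j is plain set equality and Counter can group them.
Identity = FrozenSet[Tuple[str, Hashable]]


def identity(**attrs: Hashable) -> Identity:
    return frozenset(attrs.items())


def is_identifiable(x_i: Identity, X: Iterable[Identity]) -> bool:
    """Section 1.2: x_i is identifiable entity information iff no other member of X equals it."""
    return sum(1 for x_j in X if x_j == x_i) == 1


def is_k_anonymous(X: Iterable[Identity], k: int) -> bool:
    """Section 1.11, read literally: every identity value occurs for more than k (k > 1) entities."""
    return k > 1 and all(n > k for n in Counter(X).values())


def anonymize(X: Iterable[Identity], drop: Iterable[str] = (),
              generalize: Optional[Dict[str, Callable[[Hashable], Hashable]]] = None) -> List[Identity]:
    """Section 1.12: remove (drop) or obscure (generalize) attributes of every identity in X."""
    generalize = generalize or {}
    out: List[Identity] = []
    for x in X:
        kept = {}
        for name, value in x:
            if name in drop:
                continue
            kept[name] = generalize[name](value) if name in generalize else value
        out.append(frozenset(kept.items()))
    return out


def is_pseudonymous(i: int, ids: Dict[int, Identity], S: set) -> bool:
    """Pseudonymous definition: inside sector S (a strict subset of I) no other entity j
    has x_j = x_i. If S == I the identity is veronymous, not pseudonymous, so this fails."""
    I = set(ids)
    if i not in S or not S < I:
        return False
    return all(ids[j] != ids[i] for j in S if j != i)


# Constructed sample (not from the memo): six entities with a direct identifier (name),
# two quasi-identifiers (zip, age) and one further attribute (dx).
RECORDS: Dict[int, Identity] = {
    1: identity(name="Ann", zip="94110", age=34, dx="flu"),
    2: identity(name="Bob", zip="94112", age=37, dx="flu"),
    3: identity(name="Cho", zip="94117", age=31, dx="cold"),
    4: identity(name="Dee", zip="94105", age=38, dx="flu"),
    5: identity(name="Eli", zip="94103", age=33, dx="cold"),
    6: identity(name="Fay", zip="94108", age=39, dx="cold"),
}


def demo() -> Dict[str, bool]:
    X = list(RECORDS.values())
    # Drop the name, coarsen zip to a 3-digit prefix and age to a decade.
    X_anon = anonymize(X, drop={"name"},
                       generalize={"zip": lambda z: z[:3] + "**",
                                   "age": lambda a: f"{a // 10 * 10}s"})
    return {
        "raw_all_identifiable": all(is_identifiable(x, X) for x in X),
        "anon_any_identifiable": any(is_identifiable(x, X_anon) for x in X_anon),
        "anon_2_anonymous": is_k_anonymous(X_anon, 2),   # each value occurs 3 times, 3 > 2
        "anon_3_anonymous": is_k_anonymous(X_anon, 3),   # 3 > 3 fails
        "pseudonymous_in_sector": is_pseudonymous(1, RECORDS, {1, 2, 3}),
        "veronymous_when_S_is_I": is_pseudonymous(1, RECORDS, set(RECORDS)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Note that the memo's identity is the whole attribute set, so an attribute such as `dx` counts towards equality; in the usual k-anonymity literature only quasi-identifiers are compared, which is why the sample is built so that the generalized records fall into two equal groups of three.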

## 2. Propositions

### 2.1 Unauthorized sharing of identity may constitute a privacy infringement

Suppose $x_i$ and $y_i$ were provided to entities F and G separately. Denote the recognition mappings of F and G by $f(x)$ and $g(x)$. Then the recognitions of $i$ by F and G are $f(x_i)$ and $g(y_i)$ respectively.

Suppose F and G colluded and shared that information. Then it will be possible to create $z_i = x_i \cup y_i$, which may lead to different recognitions $f(z_i) \neq f(x_i)$ and $g(z_i) \neq g(y_i)$. This was not intended by the person, thus infringing the right to express oneself. Therefore, it may constitute a privacy infringement. ❏

### 2.2 Data leakage may constitute a privacy infringement

Suppose the entity E had $x_i$, an identity of person $i$. Suppose that data about the person $i$, $y_i$, was leaked and obtained by the entity E. Then entity E will have $z_i = x_i \cup y_i$, which person $i$ did not intend to provide to E. This enables E to form a different recognition $f(z_i) \neq f(x_i)$. Therefore, it may constitute a privacy infringement. ❏

### 2.3 Obtaining the identity $y_i$ without the consent of the person $i$ may constitute a privacy infringement

Suppose the entity F only had $x_i$ as the information about entity $i$. This results in the recognition $f(x_i)$. Now, suppose F obtained $y_i$ without the authorization or intent of the person $i$. Then the recognition by F changes to $f(x_i \cup y_i)$, which in general is not equal to $f(x_i)$. This is an unintended change of the recognition. Thus, it constitutes a privacy infringement. ❏
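Propositions 2.1 to 2.3 all rest on the same mechanism: an entity's recognition $f$ is applied to an attribute set the person never meant it to have. The following Python example, added here and not part of the memo, models a recognition mapping as a function from an identity to a label on the cognitive surface, links $x_i$ and $y_i$ as in 1.4, and checks whether the recognition changed. The two entities (an insurer F with mapping $f$ and a retailer G with mapping $g$), their rating rules and the sample attributes are all constructed for the example; the last case shows why the memo says "may": linking an attribute that $f$ does not react to leaves the recognition unchanged.

```python
from typing import Callable, Dict, FrozenSet, Hashable, Tuple

# x_i (section 1.1) as a frozenset of (attribute, value) pairs; the cognitive surface C
# (section 1.5) is modelled as string labels, so a recognition f: X -> C returns a string.
Identity = FrozenSet[Tuple[str, Hashable]]
Recognition = Callable[[Identity], str]


def identity(**attrs: Hashable) -> Identity:
    return frozenset(attrs.items())


def link(x_i: Identity, y_i: Identity) -> Identity:
    """Section 1.4 data linking: z_i = x_i ∪ y_i."""
    return x_i | y_i


def insurer_recognition(x: Identity) -> str:
    """Hypothetical recognition mapping f of entity F, an insurer: it rates a person from
    whatever attributes it happens to hold, whether or not they were meant for it."""
    a: Dict[str, Hashable] = dict(x)
    if a.get("smoker") is True or a.get("purchases") == "tobacco":
        return "high-risk"
    if isinstance(a.get("age"), int) and a["age"] >= 60:
        return "elevated"
    return "standard"


def retailer_recognition(y: Identity) -> str:
    """Hypothetical recognition mapping g of entity G, a retailer."""
    a = dict(y)
    return "tobacco-buyer" if a.get("purchases") == "tobacco" else "general"


def recognition_changed(f: Recognition, intended: Identity, actual: Identity) -> bool:
    """Note under 1.10: a recognition formed from an attribute set the person did not
    provide to this entity differs from the intended one, infringing the right in 1.7."""
    return f(actual) != f(intended)


def demo() -> Dict[str, object]:
    # Constructed sample (not from the memo): what person i gave to F and to G respectively.
    x_i = identity(age=35, zip="94110")           # provided to the insurer F
    y_i = identity(purchases="tobacco")           # provided to the retailer G
    z_i = link(x_i, y_i)                          # F and G collude (2.1), or y_i leaks to F (2.2 / 2.3)
    harmless = identity(favourite_colour="blue")  # an attribute f does not react to
    return {
        "f_x": insurer_recognition(x_i),
        "f_z": insurer_recognition(z_i),
        "g_y": retailer_recognition(y_i),
        "g_z": retailer_recognition(z_i),
        "F_infringed": recognition_changed(insurer_recognition, x_i, z_i),
        "G_infringed": recognition_changed(retailer_recognition, y_i, z_i),
        "F_infringed_by_harmless_link": recognition_changed(insurer_recognition, x_i, link(x_i, harmless)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

From a defender's point of view `recognition_changed` is the test to run before any dataset join: if the joined attribute set produces a different outcome for a person than the set they consented to, the join changes their recognition and the memo's argument applies.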

### 2.4 Changing the purpose of the use of an identity $x_i$ constitutes a privacy infringement

Suppose $i$ only allowed E to use $x_i$ for a specific purpose. This is essentially constraining the operations that E is permitted to perform on $x_i$. Let $f := \{\, f_k \mid k \in K \,\}$ be the set of mappings that E may apply to $x_i$. Assume that each mapping on $x_i$ results in a different set $f_k(x_i)$.

Let $f(x_i)$ denote $\bigcup_{k \in K} f_k(x_i)$, i.e., $f_1(x_i) \cup f_2(x_i) \cup \dots \cup f_n(x_i)$. Then constraining the purpose of the use is equivalent to constraining the allowed $k$ to $k \in K'$ where $K' \subset K$. Let us denote $\bigcup_{k \in K'} f_k(x_i)$ as $f'(x_i)$.

Changing the purpose of the use is then equivalent to changing the constraint set $K'$ to another $K''$, which results in $f''(x_i)$.

Clearly, $f'(x_i) = f''(x_i)$ does not hold in general. Therefore, a change of the purpose of the use of an identity $x_i$ constitutes a privacy infringement. ❏
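The argument in 2.4 can be run as code. The following Python example is added here and is not part of the memo: it models $K$ as a set of purposes, each with its own mapping $f_k$, computes $f'(x_i) = \bigcup_{k \in K'} f_k(x_i)$ for a consented purpose set $K'$, compares it with $f''(x_i)$ for a different $K''$, and also shows the enforcement side, a processor that holds $x_i$ under $K'$ and refuses any $f_k$ outside it. The purposes, the derived artefacts each $f_k$ produces and the sample identity are constructed for the example.

```python
from typing import Callable, Dict, FrozenSet, Hashable, Set, Tuple

Identity = FrozenSet[Tuple[str, Hashable]]
Mapping = Callable[[Identity], FrozenSet[str]]


def identity(**attrs: Hashable) -> Identity:
    return frozenset(attrs.items())


# K: purposes, each with its mapping f_k. Hypothetical purposes and derived artefacts, not
# from the memo. Each f_k(x_i) is a distinct set of derived records, as 2.4 assumes.
F_K: Dict[str, Mapping] = {
    "billing":   lambda x: frozenset({f"invoice-to:{dict(x)['email']}"}),
    "support":   lambda x: frozenset({f"ticket-contact:{dict(x)['email']}"}),
    "marketing": lambda x: frozenset({f"ad-segment:{dict(x)['zip'][:3]}:{dict(x)['age'] // 10 * 10}s"}),
    "resale":    lambda x: frozenset({f"broker-record:{dict(x)['email']}:{dict(x)['zip']}"}),
}


def f_prime(x_i: Identity, K_allowed: Set[str]) -> FrozenSet[str]:
    """f'(x_i) = ∪_{k∈K'} f_k(x_i): everything E may derive under the allowed purposes K'."""
    return frozenset().union(*(F_K[k](x_i) for k in K_allowed))


def purpose_change_infringes(x_i: Identity, K1: Set[str], K2: Set[str]) -> bool:
    """Section 2.4: moving from constraint set K' to K'' infringes iff f'(x_i) != f''(x_i)."""
    return f_prime(x_i, K1) != f_prime(x_i, K2)


class PurposeBoundProcessor:
    """Enforcement side: E holds x_i under K' and refuses any f_k with k outside K'."""

    def __init__(self, x_i: Identity, K_allowed: Set[str]):
        self.x_i, self.K_allowed = x_i, set(K_allowed)

    def apply(self, k: str) -> FrozenSet[str]:
        if k not in self.K_allowed:
            raise PermissionError(f"purpose {k!r} not consented; allowed: {sorted(self.K_allowed)}")
        return F_K[k](self.x_i)


def demo() -> Dict[str, object]:
    x_i = identity(email="ann@example.com", zip="94110", age=34)  # constructed sample
    K1 = {"billing", "support"}               # K': what person i consented to
    K2 = {"billing", "support", "marketing"}  # K'': the widened purpose set
    proc = PurposeBoundProcessor(x_i, K1)
    try:
        proc.apply("marketing")
        blocked = False
    except PermissionError:
        blocked = True
    return {
        "same_K_no_infringement": purpose_change_infringes(x_i, K1, {"support", "billing"}),
        "widened_K_infringes": purpose_change_infringes(x_i, K1, K2),
        "f_prime_size": len(f_prime(x_i, K1)),
        "f_double_prime_size": len(f_prime(x_i, K2)),
        "marketing_blocked": blocked,
        "billing_allowed": proc.apply("billing") == frozenset({"invoice-to:ann@example.com"}),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Because $f'(x_i)$ is a set, the comparison is order-independent: re-listing the same purposes is not a change of purpose, while adding or swapping a purpose is, which is exactly the inequality the proposition relies on.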

Published:

Last updated: 2012/05/13