.Nat Zone

Digital Identity et al.

Notes on Privacy

This is a memo on privacy-related matters that I am thinking about. It will be changing constantly. It is still a very early sketch / work in progress.

1. Definitions

Let I = {i | i is an integer, i > 0}.
Let e_i, i ∈ I, denote an entity i.

1.1 identity, set of attributes

Identity, x_i, of an entity i is a set of attributes related to e_i.

1.2 identifiable entity information, identifier, unique identity

For a set X = {x_i}, if for all j ≠ i, x_i ≠ x_j, then x_i is identifiable entity information.

1.3 personally identifiable information, pii

identifiable entity information of a human

1.4 data linking

an action that creates z_i = x_i ∪ y_i from two PII, x_i and y_i, that relate to the same entity i

1.5 cognitive surface

surface onto which an entity projects input data to form a certain understanding about the source of the input data

1.6 recognition

result of a mapping f: X → C that maps an identity x ∈ X onto the cognitive surface C of an entity E

1.7 right to control self image (right to express oneself)

right of a person to build an intended recognition by an entity E by controlling which identity (set of attributes) of himself is made available to E

1.8 privacy

freedom from unauthorized intrusion or intervention onto one’s sovereignty over oneself

Note: Synonymous to “Liberty” defined as “the sovereignty of man over himself” 

1.9 right to privacy

right of complete immunity over oneself

Note: right to privacy (1.9) includes right to express oneself (1.7)

1.10 privacy infringement

trespass on the right to privacy (1.9)

Note: an act of creating unintended recognition, which is caused by adding, subtracting, or modifying the set of attributes that he provides to the entity, will infringe the right to control self-image (1.7), thereby infringing the right to privacy. In section 2, this will be used extensively to prove that an act forms a case of privacy infringement.

1.11 anonymity (k-anonymity)

state in which, for an identity x_i ∈ X, there are n entities j (n > k > 1) such that x_i = x_j

1.12 anonymization (k-anonymization)

operation that removes or obscures one or more attributes from the identity so that there will be more than k entities j such that x_i = x_j

1.13 pseudonymous

state in which for entity i, there is no j ≠ i such that x_i = x_j, where i, j ∈ S ⊂ I and S ≠ I

Note: The condition S ⊂ I and S ≠ I is an integral part of the definition of pseudonymous. If S = I, then it is not pseudonymous anymore but is called veronymous. In this respect, "pseudonymous" makes sense only in relation to S. In identity management, S is often called a sector.
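To make the set-based definitions of section 1 concrete, here is a small Python model added as an example (it is not part of the original memo): an identity is a frozenset of (attribute, value) pairs, and the functions check identifiability (1.2), k-anonymity in the memo's strict sense of "more than k" (1.11), the attribute-removal operation of 1.12, and pseudonymity within a sector S (1.13). The record table and all function names are constructed for the example.

```python
"""Toy model of the section 1 definitions: identities as sets of attributes.

Added example, not part of the original memo. The record table below is
constructed, and the function names are my own.
"""
from collections import Counter
from itertools import combinations


def identity(**attrs):
    """1.1: an identity x_i is a set of (attribute, value) pairs about entity i."""
    return frozenset(attrs.items())


def remove_attributes(X, attrs):
    """1.12: remove (obscure) the named attributes from every identity in X."""
    return {i: frozenset((a, v) for a, v in x if a not in attrs) for i, x in X.items()}


def is_identifiable(X, i):
    """1.2: x_i is identifiable entity information if x_i != x_j for all j != i."""
    return all(X[i] != X[j] for j in X if j != i)


def anonymity_set(X, i):
    """Entities j (including i itself) whose identity equals x_i."""
    return {j for j in X if X[j] == X[i]}


def is_k_anonymous(X, k):
    """1.11, with the memo's strict inequality: each identity is shared by more than k entities."""
    return all(n > k for n in Counter(X.values()).values())


def minimal_k_anonymization(X, k):
    """Smallest set of attributes whose removal (1.12) makes X k-anonymous (1.11).

    Tries attribute subsets in increasing size; returns None if even removing
    everything is not enough (only possible when len(X) <= k).
    """
    names = sorted({a for x in X.values() for a, _ in x})
    for size in range(len(names) + 1):
        for attrs in combinations(names, size):
            if is_k_anonymous(remove_attributes(X, set(attrs)), k):
                return frozenset(attrs)
    return None


def is_pseudonymous(X, S, I, i):
    """1.13: within sector S (a proper subset of I) no other j in S has x_j == x_i."""
    S, I = set(S), set(I)
    if not (S < I and i in S):  # S must be a strict subset of I and contain i
        return False
    return all(X[i] != X[j] for j in S if j != i)


# Constructed sample: six entities with coarse quasi-identifier attributes.
RECORDS = {
    1: identity(zip="10001", age="30s", sex="F"),
    2: identity(zip="10001", age="30s", sex="M"),
    3: identity(zip="10002", age="30s", sex="F"),
    4: identity(zip="10001", age="30s", sex="F"),
    5: identity(zip="10002", age="40s", sex="M"),
    6: identity(zip="10002", age="30s", sex="M"),
}

if __name__ == "__main__":
    print("entity 2 identifiable:", is_identifiable(RECORDS, 2))
    print("anonymity set of 1:", anonymity_set(RECORDS, 1))
    print("2-anonymous as is:", is_k_anonymous(RECORDS, 2))
    print("attributes to remove for k=2:", minimal_k_anonymization(RECORDS, 2))
    print("1 pseudonymous in sector {1,2,3}:", is_pseudonymous(RECORDS, {1, 2, 3}, RECORDS, 1))
```

Entity 1 is not identifiable in the full table because entity 4 carries the same attributes, yet within the sector {1, 2, 3} its identity is unique, which is exactly the sector-relative nature of "pseudonymous" that the note above stresses. Removing age and sex is the smallest change that leaves every remaining identity shared by more than two entities.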

2. Propositions

2.1 Unauthorized sharing of identity may constitute a privacy infringement

Suppose x_i and y_i were provided to entities F and G separately. Denote the recognition mappings of F and G by f(x) and g(x). Then the recognitions of i by F and G are f(x_i) and g(y_i) respectively.

Suppose F and G colluded and shared that information. Then it will be possible to create z_i = x_i ∪ y_i, which may lead to different recognitions f(z_i) ≠ f(x_i) and g(z_i) ≠ g(y_i). This was not intended by the person, thus infringing the right to express oneself. Therefore, it may constitute a privacy infringement. ❏

2.2 Data leakage may constitute a privacy infringement

Suppose the entity E had x_i, an identity of person i. Suppose that data about the person i, y_i, was leaked and obtained by the entity E. Then entity E will have z_i = x_i ∪ y_i, which the person i did not intend to provide to E. This enables E to form a different recognition f(z_i) ≠ f(x_i). Therefore, it may constitute a privacy infringement. ❏

2.3 Obtaining the identity y_i without the consent of the person i may constitute a privacy infringement

Suppose the entity F only had x_i as the information about entity i. This results in the recognition f(x_i). Now, suppose F obtained y_i without the authorization or intent of the person i. Then the recognition by F changes to f(x_i ∪ y_i), which is in general not equal to f(x_i). This is an unintended change of the recognition. Thus, it constitutes a privacy infringement. ❏

2.4 Changing the purpose of the use of an identity x_i constitutes a privacy infringement

Suppose i only allowed E to use x_i for a specific purpose. This is essentially constraining the operations that E is permitted to perform on x_i. Let f := {f_k | k ∈ K} be the set of mappings that E may apply to x_i. Assume that each mapping on x_i results in a different set f_k(x_i).

Let f(x_i) denote ∪_{k∈K} f_k(x_i),

     i.e., f_1(x_i) ∪ f_2(x_i) ∪ … ∪ f_n(x_i).

Then, constraining the purpose of the use is equivalent to constraining the allowed k to k ∈ K', where K' ⊂ K. Let us denote ∪_{k∈K'} f_k(x_i) as f'(x_i).

Changing the purpose of the use is then equivalent to changing the constraint set K' to another K'', which results in f''(x_i).

Clearly, f'(x_i) = f''(x_i) does not hold in general. Therefore, a change of the purpose of the use of an identity x_i constitutes a privacy infringement. ❏
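Propositions 2.1 to 2.4 all reduce to the same test: the entity's recognition of i after linking (z_i = x_i ∪ y_i) or after a purpose change (K' to K'') differs from the recognition i intended. The following Python model, added here as an example rather than taken from the memo, encodes a constructed recognition mapping f for a shop F, the union-based linking of 1.4, and a purpose-restricted mapping f'(x_i) = ∪_{k∈K'} f_k(x_i). The identities, labels, purpose names and function names are all constructed.

```python
"""Toy model of propositions 2.1 to 2.4: linking and purpose change alter recognition.

Added example, not part of the original memo. The identities, the recognition
rules and the purpose mappings are constructed; all names are my own.
"""


def identity(**attrs):
    """1.1: an identity as a set of (attribute, value) pairs."""
    return frozenset(attrs.items())


def link(x, y):
    """1.4 data linking: z_i = x_i ∪ y_i (set union of the two attribute sets)."""
    return x | y


def recognition(x):
    """A constructed recognition mapping f: X -> C for an entity F (a shop).

    C is the set of labels F forms about the source of the data it holds.
    """
    a = dict(x)
    labels = set()
    if "purchases" in a:
        labels.add("customer")
    if a.get("purchases") == "running shoes":
        labels.add("runner")
    if a.get("clinic") == "cardiology":
        labels.add("cardiac patient")
    return frozenset(labels)


def unintended_recognition(f, provided, held):
    """2.1 to 2.3: True when the identity the entity actually holds changes its
    recognition relative to what the person provided, i.e. f(held) != f(provided)."""
    return f(held) != f(provided)


# 2.4: f_k for k in K, the operations an entity is permitted to apply to x_i.
MAPPINGS = {
    "fulfil_order": lambda x: frozenset(v for a, v in x if a in ("name", "address")),
    "marketing": lambda x: frozenset({"runner"}) if ("purchases", "running shoes") in x else frozenset(),
    "risk_scoring": lambda x: frozenset({"cardiac patient"}) if ("clinic", "cardiology") in x else frozenset(),
}


def purpose_use(x, K_prime):
    """f'(x_i) = union over k in K' of f_k(x_i)."""
    out = set()
    for k in K_prime:
        out |= MAPPINGS[k](x)
    return frozenset(out)


def purpose_change_infringes(x, K_prime, K_double_prime):
    """2.4: changing K' to K'' is an infringement when f'(x_i) != f''(x_i)."""
    return purpose_use(x, K_prime) != purpose_use(x, K_double_prime)


# Constructed sample: what person i gave to the shop F and to a clinic G.
X_SHOP = identity(name="A. Person", address="Tokyo", purchases="running shoes")
Y_CLINIC = identity(name="A. Person", clinic="cardiology")

if __name__ == "__main__":
    z = link(X_SHOP, Y_CLINIC)
    print("f(x_i):", sorted(recognition(X_SHOP)))
    print("f(z_i):", sorted(recognition(z)))
    print("2.1/2.2 infringement:", unintended_recognition(recognition, X_SHOP, z))
    print("2.4 infringement:", purpose_change_infringes(X_SHOP, {"fulfil_order"}, {"fulfil_order", "marketing"}))
```

Two points the code makes visible. First, the recognition label "cardiac patient" appears at F only after linking with the clinic's data, which is the unintended recognition the propositions rely on. Second, because the 2.4 test compares outcomes f'(x_i) and f''(x_i), a purpose change that adds a mapping producing nothing on this particular x_i (here, adding risk_scoring to a record with no clinic attribute) is not flagged, which is exactly why the memo argues only that equality "does not hold in general".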


Published:
Last updated: 2012/05/13