Transparency Enhancing Technologies to Make Security Protocols Work for Humans

Abstract

As computer systems are increasingly relied on to make decisions that will have significant consequences, it has also become important to provide not only standard security guarantees for the computer system but also ways of explaining the output of the system in case of possible errors and disputes. This translates to new security requirements in terms of human needs rather than technical properties. For some context, we look at prior disputes regarding banking security and the ongoing litigation concerning the Post Office’s Horizon system, discussing the difficulty in achieving meaningful transparency and how to better evaluate available evidence.

A Sequential Application of Bayes’ Theorem and Conditional Independence

Assuming conditional independence of the pieces of evidence given the liability (or not) of a party, we can obtain Eq. 2 for multiple pieces of evidence evaluated sequentially from the following calculation.

$$\begin{aligned} \begin{aligned} \left\{ \frac{P(liable| e_n)}{P(\lnot liable| e_n)}\right\} _{e_{n-1},\dots ,e_1}&=\left\{ \frac{P(liable)}{P(\lnot liable)}\right\} _{e_{n-2},\dots ,e_1}\cdot \frac{P(e_n|liable)}{P(e_n|\lnot liable)} \\&=\frac{P(liable)}{P(\lnot liable)}\cdot \prod _{i=1}^{n}\frac{P(e_i|liable)}{P(e_i|\lnot liable)} \\&=\frac{P(liable)}{P(\lnot liable)}\cdot \frac{P(e_1,\dots ,e_n|liable)}{P(e_1,\dots ,e_n|\lnot liable)} \\&=\frac{P(liable| e_1,\dots ,e_n)}{P(\lnot liable| e_1,\dots ,e_n)} \end{aligned} \end{aligned}$$

(3)

The assumption of conditional independence given that the party is liable (or not) allows us to go from \(\prod _{i=1}^n P(e_i|liable)\) to \(P(e_1,\dots ,e_n|liable)\). This means that if we know that a party is liable, then knowing a piece of evidence \(e_i\) does not yield additional knowledge about another piece of evidence \(e_{j\ne i}\) i.e. \(P(e_j|e_i, liable)=P(e_j|liable)\). Similarly, we also use the assumption that pieces of evidence are conditionally independent given that the party is not liable to go from \(\prod _{i=1}^n P(e_i|\lnot liable)\) to \(P(e_1,\dots ,e_n|\lnot liable)\). (Note that we are not concerned with whether or not the liability of different parties is dependent, but rather whether different pieces of evidence are conditionally independent given the liability of a party).

We argue that assuming conditional independence of the items of evidence given the liability (or not) of a party is reasonable because the effect that a piece of evidence might have on another is through its effect on the belief that the party is liable (or not). When the liability (or not) of the party is given, then it may no longer have a noticeable effect, and thus the pieces of evidence can be assumed to be conditionally independent given the liability (or not) of a party.