[cap-talk] Three Types of Causality revisited (was: Analyzing Authority with CSP - link broken)

Toby Murray toby.murray at comlab.ox.ac.uk
Mon Apr 30 05:54:21 EDT 2007


On Sun, 2007-04-29 at 17:26 -0700, Mark S. Miller wrote:
> Toby Murray wrote:
> > MarkM: I have a feeling that you've thought about causation and
> > authority a bit before. I came across the 'causation' page on
> > erights.org the other day. This work is a first attempt to try to build
> > a formal notion of authority from causation.
> 
> Do you mean <http://erights.org/decision/causality/three-types.html>? Thanks 
> for reminding me. In terms of the taxonomy I explain on that page, I'd say:
> 
> * Horton supports an analog of "Moral Causality" -- tracking who should be 
> held responsible for an action, whether or not they actually caused it in the 
> other senses of the term.
> 
> * The authority analysis that you and Fred are doing uses an analog of "The 
> Causality of the Physicist".

But I would hope that Physicist's causation can inform Moral causation.
I would argue that Physicist's causation is the (only?) objective input
into any decision procedure for Moral causation.

In the confused deputy example in "Authority Analysis for Least
Privilege Environments", knowing that Alice can cause Carol to overwrite
Bill allows us to decide that Alice might be responsible for Bill
becoming overwritten. 

Also fortunately for us, the scope of the models that we construct will
usually prevent us from being swamped with extraneous causal events. For
example, were I modelling the holocaust, I don't expect my model would
include the Epic of Gilgamesh.

Finally, of course causation is much easier to determine for programs
than for people or historical events. I can model the behaviour of each
entity in my system to a level of detail that is proportional to the
degree to which I trust that entity. Maximally untrusted entities have
maximum behaviour. Very trusted entities have minimal behaviour that
closely approximates their specification. This enables us to more
accurately consider alternate possibilities "if event X had not been" in
our system, than when trying to predict what a person might have
otherwise done had X not occurred in the past.

>  However, the treatment of non-determinism leads 
> to differences. For safe reasoning about confidentiality, we must take account 
> of causation through specificational non-determinism, i.e., covert channels. 
> For safe reasoning about integrity, Fred's thesis explains why he can safely 
> ignore covert channels. Potential overt causation is somehow usefully more 
> constrained than "The Causality of the Physicist", but in ways not captured by 
> that web page.

Can you elaborate further here? I can't discern your meaning.



