Q: Concerning the public bucket of
my infoset, how can public information be personal? Personal and public
are the opposites.
A: You may be confusing personal
information with its sensitive part. Not
every personal infon is sensitive. For
example, the name of our president is
personal information as well as public.
With time, the personal infoset of an
individual acquires new infons. She
may create new infons on her own, for
example, by making a selfie, by writing
down some observation, or by writing
down some conclusions she inferred
from information available to her.
But the infoset acquires many more
new infons due to the interactions of
the individual with other parties. The
other parties could be people, such as
relatives, neighbors, coworkers, clerks,
waiters, and medical personnel. They
could be institutions, such as employers, banks, Internet providers, brick-and-mortar shops, online shops, and
government agencies. The new infons
could be factual records, gossip, rumors, or derived information.
The infoset may also lose some infons, especially if they have a unique
embodiment. For example, the individual may destroy old letters or
delete a selfie without sending it to
anybody. Institutions also may lose or
delete (embodiments of) infons, but
in general, these days, institutions
are much better then people in keeping records.
New items of a personal infoset
do not necessarily stay in the bucket
where they arose. Because of modern
superiority of institutional bookkeeping, there is a flow of information from
the partial privacy bucket to the inverse
privacy bucket—we look into these dynamics next.
The Rise of Inverse
Privacy to Dominance
People have always interacted among
themselves, and people have inter-
acted with institutions for a very long
time, certainly from the times that an-
cient governments started to collect
taxes. Until recently the capacity of a
person to take and keep records was
comparable to that of institutions. Yes,
the government kept tax records but,
We are interested in scenarios where
a person interacts with an institution,
for example, a shop, a medical office, a
government agency. We say that an in-
fon x is personal to an individual P if (a)
x is related to an interaction between P
and an institution and (b) x identifies
P. A typical example of such an infon is
a receipt for a credit-card purchase by a
customer in a shop.
Define the personal infoset of an
individual P to be the collection of all
infons personal to P. Note that the infoset evolves over time. It acquires new
infons. It may also lose some infons.
But, because of the tangibility restriction, the infoset is finite at any given
Q: Give me an example of an intangible infon.
A: A fleeting impression that you
have of someone who just walked by
Q: What about information announced but not recorded at a meeting? One can argue that the collective
memory of the participants is a kind of
A: Such a case of unrecorded information becomes less and less common. People write notes, write and
send email messages, tweet, use their
smartphones to make videos, and so
forth. Companies tend to tape their
meetings. Numerous sensors, such as
cameras and microphones, are commonplace and growing in pervasiveness, even in conference rooms. But
yes, there are border cases as far as
tangibility is concerned. At this stage
of our analysis, we abstract them
Q: In the shopping receipt example,
the receipt may also mention the salesclerk that helped the customer.
A: The clerk represents the shop on
Q: But suppose that something
went wrong with that particular purchase, the customer complained that
the salesclerk misled her, and the shop
investigates. In the new context, the
person of interest is the salesclerk. The
same infon turns out to be personal to
more than one individual.
A: This is a good point. The same infon may be personal to more than one
individual but we are interested primarily in contexts where the infon in
question is personal to one individual.
The personal infoset of an individual P
naturally splits into four buckets.
1. The directly private bucket
comprises the infons that P has access to
but nobody else does.
2. The inversely private bucket comprises the infons that some party has
access to but P does not.
3. The partially private bucket
comprises the infons that P has access to
and a limited number of other parties
do as well.
4. The public bucket comprises the
infons that are public information.
Q: Why do you call the second buck-
et “inversely private?”
A: The Merriam-Webster dictionary
defines “inverse” as “opposite in or-
der, nature, or effect.” The description
of bucket 2 is the opposite of that of
Q: As far as I can see, you discuss
just two dimensions of privacy: whom a
given infon is personal to, and who has
access to the infon. The world is more
complex, and there are other dimensions to privacy. Consider for example
the pictures in the directly private
bucket of my infoset that are personal
to me only. Some of the pictures are
clearly more private than others; there
are degrees of privacy.
A: Indeed, we restrict attention to
the two dimensions. But this restricted
view is informative, and it allows us to
carry on our analysis. Recall that we
concentrate here on the big picture
leaving many finer points for later
A good solution
to the problem
should not only
your inversely private
should also make
the access convenient.