Thou Shalt is not You Will

Guido Governatori

ICAIL 2015

Thou Shalt is not You Will Copyright NICTA 2015 Guido Governatori 1/20

Deontic Logic History

1951 Georg Henrik von Wright. Deontic Logic.

1959 Saul Kripke. A Completeness Theorem in Modal Logic.

1962 Roderick Chisholm. Contrary-to-Duty Imperatives and Deontic Logic.

1965 William W. Hansson. Semantics for Deontic Logic.

1986 Marek Sergot et al. British Nationality Act as a Logic Program.

1991 Henning Herrestad. Norms and Formalization.

1992 Andrew J. Jones and Marek Sergot. Deontic logic in the representation of law: Towards a methodology.

2015 Thou Shalt is not You Will

Aim of the paper

Can we use (linear) temporal logic to verify the compliance of a system with a set of norms?

Can we use (linear) temporal logic to model norms?

Background

Linear Temporal Logic 101 (Syntax)

• Xφ: at the next time φ holds;

• Fφ: eventually φ holds (sometimes in the future φ); and

• Gφ: globally φ holds (always in the future φ).

In addition we have three binary operators:

• φ U ψ (until): φ holds until ψ holds;

• φ W ψ (weak until): φ holds until ψ holds and ψ might not hold.

Interdefinability

• Fφ ≡ ⊤ U φ,

• Gφ ≡ ¬F¬φ,

• φ W ψ ≡ (φ U ψ) ∨ Gφ

Linear Temporal Logic 102 (Semantics)

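Example fullpaths (states in order, with the labels that hold in each state in parentheses):

• TS,σ ⊨ a: s0 (a), s1, s2, s3

• TS,σ ⊨ Xa: s0, s1 (a), s2, s3

• TS,σ ⊨ a U b: s0 (a ∧ ¬b), s1 (a ∧ ¬b), s2 (b), s3

• TS,σ ⊨ Fa: s0 (¬a), s1 (¬a), s2 (a), s3

• TS,σ ⊨ Ga: s0 (a), s1 (a), s2 (a), s3 (a)

A formula φ is true in a fullpath σ iff it is true at the first element of the fullpath.

A formula is true in a state s:

TS, s ⊨ φ iff ∀σ : σ[0] = s, TS,σ ⊨ φ.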

Obligation, Prohibition and Permission

Obligation: A situation, an act, or a course of action to which a bearer is legally bound, and if it is not achieved or performed results in a violation.

Prohibition: A situation, an act, or a course of action which a bearer should avoid, and if it is achieved results in a violation.

Permission: Something is permitted if the obligation or the prohibition to the contrary does not hold.

Achievement vs Maintenance Obligations

• For an achievement obligation, a certain condition must occur at least once before the deadline:

‘Customers must pay before the delivery of the good, after receiving the invoice’

• For maintenance obligations, a certain condition must obtain during all instants before the deadline:

‘After opening a bank account, customers must keep a positive balance until bank charges are taken out’

Dura lex sed lex

A Privacy Act

Section 1: (Prohibition to collect personal medical information)

Offence: It is an offence to collect personal medical information.

Defence: It is a defence to the prohibition of collecting personal medical information, if an entity immediately destroys the illegally collected personal medical information before making any use of the personal medical information.

Section 2: An entity is permitted to collect personal medical information if the entity acts under a Court Order authorising the collection of personal medical information.

Section 3: (Prohibition to collect personal information) It is forbidden to collect personal information unless an entity is permitted to collect personal medical information.

Offence: an entity collected personal information

Defence: an entity being permitted to collect personal medical information.

Making Sense of the Act

• Collection of medical information is forbidden.

• Destruction of the illegally collected medical information excuses the illegal collection.

• Collection of medical information is permitted if there is an authorising court order.

• Collection of personal information is forbidden.

• Collection of personal information is permitted if the collection of medical information is permitted

Dilemma Structure

• b (“collection of medical information”) is forbidden

• c (“destruction of medical information”) compensates the illegal collection

• b is permitted if a (“acting under a court order”)

• d (“collection of personal information”) is forbidden

• d is permitted if b is permitted

Running Out of Time

Running out of time (1)

How do we model obligations in LTL?

• Achievement obligations: F (sometimes in the future)

• Maintenance obligations: G (always in the future)

• Prohibitions: G¬ (never)

Fp ≡ ¬G¬p

In deontic logic the dual of obligation is permission.

Pp ≡ ¬O¬p

Obligation implies permission

Op → Pp

How do we model permissions in LTL?

Formalising the Dilemma: Take 1

1. G¬b, (G¬b ∧ b) → Gc;

2. a → Fb;

3. G¬d;

4. Fb → Fd.

G¬b ∧ b ≡ ⊥

G¬b ∧ Fb ≡ ⊥

G¬d ∧ Fd ≡ ⊥

Formalising Compensation

Contrary-to-duty obligation

Oα, ¬α → Oβ

Violation triggered obligation

Oα ∧ ¬α → Oβ

New “compensation operator” ⊗.

TS,σ ⊨ φ ⊗ ψ iff

∀i ≥ 0, TS,σ_i ⊨ φ; or

∃j, k : 0 ≤ j ≤ k, TS,σ_j ⊨ ¬φ and TS,σ_k ⊨ ψ.

Formalising the Dilemma: Take 2

1. ¬a → (¬b ⊗ c);

2. a → Fb;

3. G¬b → G¬d;

4. Fb → Fd.

Trace:

t0: ¬a

t1: ¬a, b

t3: ¬a, c, d

the trace is (weakly) compliant in LTL, but the prohibition of ‘d’ is violated.
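
The Take 2 formalisation checked against the trace above, as an added example that is not part of the original slides: a small evaluator for ¬, →, F, G and ⊗ (with the ⊗ semantics from the compensation slide) shows all four formulas holding while d occurs without any court order. Assumptions: the trace is a finite list of the slide's three states in order, with the last state repeating forever, and `unauthorised_d` is a hypothetical norm-level check that reads "d is permitted only where a holds".

```python
# A formula is a nested tuple; a trace is a list of sets of true atoms.
# Assumption: the last state repeats forever (finite stand-in for a fullpath).
def holds(f, trace, i=0):
    """True iff formula f holds on the suffix of trace starting at state i."""
    op, rest = f[0], range(i, len(trace))
    if op == "atom":
        return f[1] in trace[i]
    if op == "not":
        return not holds(f[1], trace, i)
    if op == "imp":
        return not holds(f[1], trace, i) or holds(f[2], trace, i)
    if op == "F":
        return any(holds(f[1], trace, j) for j in rest)
    if op == "G":
        return all(holds(f[1], trace, j) for j in rest)
    if op == "comp":  # phi ⊗ psi
        phi, psi = f[1], f[2]
        if all(holds(phi, trace, j) for j in rest):
            return True  # phi is never violated
        return any(not holds(phi, trace, j) and  # violated at j, psi at k >= j
                   any(holds(psi, trace, k) for k in range(j, len(trace)))
                   for j in rest)
    raise ValueError(f"unknown operator {op!r}")

def neg(f): return ("not", f)
def imp(f, g): return ("imp", f, g)
def F(f): return ("F", f)
def G(f): return ("G", f)
def comp(f, g): return ("comp", f, g)

a, b, c, d = (("atom", x) for x in "abcd")

TAKE_2 = [
    imp(neg(a), comp(neg(b), c)),  # 1: ¬a → (¬b ⊗ c)
    imp(a, F(b)),                  # 2: a → Fb
    imp(G(neg(b)), G(neg(d))),     # 3: G¬b → G¬d
    imp(F(b), F(d)),               # 4: Fb → Fd
]

# The slide's three states in order: no a anywhere; then b; then c and d.
TRACE = [set(), {"b"}, {"c", "d"}]

def ltl_compliant(trace):
    """All four Take 2 formulas hold at the start of the trace."""
    return all(holds(f, trace) for f in TAKE_2)

def unauthorised_d(trace):
    """Hypothetical norm-level check: states where d occurs without a."""
    return [i for i, s in enumerate(trace) if "d" in s and "a" not in s]
```

`ltl_compliant(TRACE)` is true while `unauthorised_d(TRACE)` reports the last state, which is the gap between LTL satisfaction and the norm that the slide points out.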

Really Running Out of Time

Conclusions

• Solution: do not use temporal logic to model norms

• CLAIM: the problem is not limited to temporal logic (most deontic logics have the same issue)

• Solution: Norm based semantics (Calardo, Governatori, Rotolo: A Preference-Based Semantics for CTD Reasoning. DEON 2014: 49-64)

• Solution: Defeasible Deontic Logic of Violation (FCL/PCL) (Governatori: Representing business contracts in RuleML, International Journal of Cooperative Information Systems (2005) 14: 181-216)
