Garg, Goldwasser and Vasudevan (Eurocrypt 2020) introduced the notion of deletion-compliance to formally model the "right to be forgotten", a concept that gives individuals more control over their digital data. A requirement of deletion-compliance is strong privacy for deletion requesters, since no outside observer may be able to tell whether deleted data was ever present in the first place. Naturally, many real-world systems in which information can flow across users are automatically ruled out. The main thesis of this paper is that deletion-compliance is a standalone notion, distinct from privacy. We present an alternative definition that meaningfully captures deletion-compliance without any privacy implications. This allows a broader class of data collectors to demonstrate compliance with deletion requests, and allows deletion-compliance to be paired with various notions of privacy. Our new definition has several appealing properties:

- It is implied by the stronger definition of Garg et al. under natural conditions, and is equivalent to it when a privacy requirement is added.
- It is naturally composable with minimal assumptions.
- Its requirements are met by data structure implementations that do not reveal the order of operations, a property known as history-independence.

Along the way, we discuss the many challenges that remain in providing a universal definition of compliance with the "right to be forgotten".
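To make the history-independence property concrete, the following added example (not code from the paper) contrasts a set whose logical state is a canonical sorted tuple with a naive tombstone-based set. Two constructed operation histories end with the same membership, but only in the canonical set is the state after honouring a deletion request identical to the state in which the record was never inserted; the class and history names are this example's own.

```python
# Added example: history-independence at the level of the logical representation.
# Memory-allocator or disk-level residue is out of scope for this illustration.


class CanonicalSet:
    """History-independent set: state is the sorted tuple of live elements."""

    def __init__(self):
        self._items = ()

    def insert(self, x):
        if x not in self._items:
            # Rebuild the canonical (sorted) form, so insertion order is never recorded.
            self._items = tuple(sorted(self._items + (x,)))

    def delete(self, x):
        # Filtering a sorted tuple keeps it sorted; no trace of x remains.
        self._items = tuple(i for i in self._items if i != x)

    def snapshot(self):
        return self._items


class TombstoneSet:
    """Order-revealing set: deletions leave a None marker in the original slot."""

    def __init__(self):
        self._slots = []

    def insert(self, x):
        if x not in self._slots:
            self._slots.append(x)  # append order is baked into the state

    def delete(self, x):
        self._slots = [None if s == x else s for s in self._slots]

    def snapshot(self):
        return tuple(self._slots)


def run_history(cls, ops):
    """Replay ("insert"|"delete", value) operations and return the raw state."""
    s = cls()
    for op, value in ops:
        getattr(s, op)(value)
    return s.snapshot()


# Constructed histories with the same final membership {"alice", "carol"}:
# one never sees "bob"; the other inserts "bob" and then honours a deletion request.
HISTORY_NEVER_PRESENT = [("insert", "carol"), ("insert", "alice")]
HISTORY_DELETED = [("insert", "alice"), ("insert", "bob"),
                   ("insert", "carol"), ("delete", "bob")]


def is_history_independent(cls):
    """True when the raw state cannot distinguish the two histories."""
    return run_history(cls, HISTORY_NEVER_PRESENT) == run_history(cls, HISTORY_DELETED)
```

An observer of `TombstoneSet` state sees the `None` slot and learns that a third record once existed, which is exactly the leak the abstract's privacy requirement rules out.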