Control, Confidentiality, and the Right to be Forgotten

Recent digital rights frameworks stipulate an ability (e.g., the ``right to be forgotten'' embodied in the GDPR and CCPA) to request that a \textit{data controller} -- roughly, any system that stores and manipulates personal information -- \emph{delete} one's data. We ask how deletion should be formalized in complex systems that interact with many parties and store derivative information. There are two broad principles at work in existing approaches to formalizing deletion: \emph{confidentiality} and \emph{control}. We build a unified formalism for deletion that encompasses previous approaches as special cases. We argue that existing work on deletion-as-control (in particular, ``machine unlearning'') can be reframed in the language of (adaptive) history independence, for which we provide a general definition. We also show classes of controllers, such as those that publish differentially private statistics without later updating them, that satisfy intuitive notions of deletion and our formal definition, but which fall outside the scope of previous approaches.