Secret rules

“Did you know that Mary is pregnant?” said John to Paul. “No, but thanks for the information.” Oops, by asking this question, John informs Paul about a new fact. The problem of how to prove the possession of information without giving it away can be solved with a protocol and encryption technology. Research on this topic has recently won a prize in the Netherlands.[1] As a jury member I wondered whether this research could help me in solving an issue that I encountered earlier.

This issue has its source in the following question from a customer: “If I have secret rules, can you verify to make sure that my (non secret) business rules do not conflict with the secret rules?” Eventually, this question resulted in the issue: “Are secret rules business rules?”

Observation 1

Suppose someone has to add new rules to a rule collection that contains both known and unknown rules. For example, he enters the following rule:

An unmarried person is eligible for a marriage.

Now, suppose we have a program that verifies whether this rule does not conflict with any of our secret rules. If this verification program reports that there is a (secret) rule that conflicts with our example rule, we can readily conclude that the secret rule states that in some or all cases persons who are unmarried are not eligible for a marriage. What can this rule be? A gay person? Is there any way to hide the secret rule in this case?  Yes, but only if you are not going to tell that there was a conflict!

It is possible to verify whether a set of rules contain conflicts, using automated verification techniques. If we use some secure transactions, we can even verify known rules and secret rules together. But if we communicate the result of the verification process to the user we cannot avoid revealing information about the secret rule(s).

So, in a normal business environment, the existence of secret rules is bound to cause problems.

Observation 2

“Rules must be explicit” is a statement of the third article of the Business Rules Manifesto.[2] The reasons to make rules explicit are also given in this document:

  1. …so that they can be validated for correctness by business people. (5.1)
  2. …so that they can be verified against each other for consistency. (5.2)
  3. …so they can be readily redeployed to new hardware/software platforms. (10.3)

I cannot validate or verify a secret rule. I cannot communicate a secret rule, and a secret rule does not conform to principle 4.2 of the Business Rules Manifesto:

4.2. If something cannot be expressed, then it is not a rule.

Observation 3

So the question whether a secret rule is a business rule should be answered with ‘no’. A secret rule is not a business rule. Of course it is a matter of perspective, because there should be at least one person in the world that knows about the rule that is a secret rule for other people. For this person, the rule may be a business rule.

Did you find out something new about secret rules? Let me know by sharing this post.

This article was originally published by BRCommunity (link).

References

[1]  W. Teepe.  New protocols for proving knowledge of arbitrary secretes while not giving them away.
[2]  Business Rules Group, Business Rules Manifesto — the Principles of Rule Independence, Ver. 2.0 (Nov. 2003), URL:  http://www.businessrulesgroup.org/brmanifesto.htm