Root Causes 537: The Thermodynamics of Privacy

Hosted by: Tim Callan, Chief Compliance Officer
Original broadcast date: October 17, 2025

In this episode we build on our concept of entropy-aware guidance to explain how we might quantify privacy. We touch on GDPR, proof of work, and Landauer's principle.

Podcast Transcript

Tim Callan: So Jason, fairly recently, in our Episode 515, What is Entropy Aware Guidance, we talked about this idea of entropy aware guidance. I think you want to build on this idea. And you threw a phrase at me, so I'm just gonna throw it back at you - the thermodynamics of privacy.
Jason Soroko: The thermodynamics of privacy. I could bury the lead and go on a whole tangent here about what this is, but let me get really to what this means. Remember the first episode, 515, Episode 515, was really all about, let's put actual load limits on bridges rather than saying strong bridge, weak bridge. What does that even mean? If you're driving a truck over a bridge, you need to know what the load limit of the bridge is. In security, we don't do that. We go strong, we go weak, and we go rule of thumb. Really to me, this is a continuation of the not all MFA is created equal story, because MFA aware guidance - -
Tim Callan: Simple toggle. If it's got MSA, it doesn't, it's binary. Or MFA, it doesn't, it's a binary, but it isn't a binary.
Jason Soroko: So this is a very long conversation in reality. And to me, we could continue to talk about MFA all day long, and I decided to stop doing that and start talking about entropy aware guidance. In other words, you can actually put a load limit based on entropy calculated bits to every form of MFA. So that's what we were talking about. This extension to the idea is now, all right, well, there's security controls - MFA as an example. But you can start to extend this to other things. So we had MFA aware guidance. But what about privacy? So there's really two sets of books to keep when you're talking about privacy. One set of books is, all right, what's the number of clues that you are leaking whenever you are performing a task. For example, if I'm getting a loan online, there's a certain amount of information I have to give about myself. And those are the clues that are potentially leaked due to the communication that's going on between at least two parties. What happens if Eve is in the middle of Alice and Bob listening? Those are leaked clues. And so those can actually be measured in bits. So the best way to think about this is, every single clue that you leak about yourself reduces the size of the group you could potentially live in.
Tim Callan: So if I live in the city now, the total potential scope is this city, and then if I add something else, it gets narrower, and it can get really small. So in other words, a lot of people think I am anonymous, I'm online, and it's like, well, no, there's only a certain number of bits it takes before it's you.
Jason Soroko: Which is exactly how browser fingerprints work.
Tim Callan: And in certain specific circumstances, even with a browser fingerprint, we could get down to the fact where there's an N value of one.
Jason Soroko: Correct. And you and I have had a lot of podcasts about how Google is trying to solve this by having cohort definitions and never go less of an aggregate than that in order to maintain privacy. It's all about this arithmetic. So that's a known arithmetic, and it's not something that's new here on this podcast. What's a little bit new is this second set of books. Which is, you have heard, Tim, of course, of this idea of the right to be forgotten.
Tim Callan: GDPR concept. The right to be forgotten.
Jason Soroko: Perfect. So what happens if we took something that's undeniably true, something that you can't negotiate, which is the amount of work it takes in order to delete a certain amount of data? Well, where have we seen this before? Proof of Work consensus algorithms for cryptocurrencies. Well, proof of work is all about basically doing a whole lot of math, burning up electricity to solve problems, and then, essentially, the part of the proof is the deletion of the stuff that was not a solution in order to get to the solution. It's not the solution that's interesting. It's the amount of work it took to get to the solution. So proof of work is already used in other things. So what happens if you think about privacy as a proof of work to delete your data? You can actually, through the Landauer principle, which basically says that no matter what the efficiency of the deletion technology is, the actual act of deleting data has a thermodynamic effect that is non-negotiable. So essentially, one of the ways you could measure how private is this is you could actually measure what is the thermodynamic effect of actually deleting the data.
Tim Callan: And the smaller that thermodynamic effect, the more private it is?
Jason Soroko: Precisely. And there is a non-negotiable, non-fool-aroundable - -
Tim Callan: This is quantifiable?
Jason Soroko: Absolutely quantifiable. Bigger. Smaller.
Tim Callan: So this might not be perfect. I think at a general trend level, it probably works very well. I don't know that you could do it to exactly isolate the degree of pragmatic privacy of every individual use case. Because, among other things, different pieces of information are a different level of value. Where I went to high school and what my Social Security number is are both pieces of information, but one of them is much more effective in targeting me than the other.
Tim Callan: So the size of the receipt is going to be a function of the amount of private information that is, for want of a better word, spilled public.
Jason Soroko: I think the danger is in connecting it to the type of information, like in aggregate. I think what you could do is to say, hey, if there's three clues, I want three receipts. Therefore, the receipt is for the discrete thing, not an ascribed value to the thing. Therefore, the amount of thermodynamic effect is less important than the existence of the thermodynamic effect. The mere existence of it can act as a receipt. For a discrete thing.
Tim Callan: If it was tagged to that clue.
Jason Soroko: Correct. The color of my shoes versus the data that is a high resolution iris image. Very different thermodynamic effect. Very different value of clue. But what I would say is, if you separate the two, but then you have a receipt that both were deleted, then you know that both were deleted. That's what the value to you is in this idea.
Tim Callan: So, like pragmatically speaking, to work an idea like this, you'd have to wrestle with certain concepts.
Jason Soroko: Look, I am going nowhere near the pragmatic - - what it would take. I'm merely putting out the kernel of - -
Tim Callan: I get it. It's a model.
Jason Soroko: It's a model. But the thing is, a lot of people might say, well, there's no precedent for this. There is. On this podcast, we probably don't talk enough about the blockchain guys, what's going on in cryptography over their consensus algorithms. And it's funny how those people are very comfortable mixing and matching cryptography with consensus algorithms. And hashing and wallets, which are PKI-based, and consensus algorithms, they think of it all as a system. We think of those things as being quite separate, and I think to our detriment. Therefore, I'm trying to pull in ideas that the cryptocurrency guys and ladies out there are doing, and it's like, what could be useful for us? And it's funny how nobody thinks about thermodynamic effects, but it's like, well, the reason why it's so good is because it's absolutely non-negotiable. You can't fake it. It either exists or it doesn't, and therefore it can exist as, whenever you say those words, that could be a receipt. Now, how you measure it, you know, even how that would apply on a label on a tin.
Tim Callan: So inside this model, some things that you would want to think about would be, one is that you might find yourself deleting the same secret repeatedly, either because it's getting reintroduced?
Jason Soroko: If that's the case, that's a signal of something.
Tim Callan: Or because it's spread out. It's in multiple places. So that's a thing that we would want to think about. I think the value of the secret, the level of specificity of the secret, is like a valuable input as you think about this model.
Jason Soroko: So one thing that is interesting is, once something is leaked, then it's leaked. What this is really all about is, did you, who I gave my clues to, do the deletion?
Tim Callan: So it's also on an individual relationship by relationship basis. That's another key thing.
Jason Soroko: That's it.
Tim Callan: That cleans up the model a lot. So I went to you, and I applied for a loan, and I gave you 17 clues. I want 17 receipts.
Jason Soroko: Right on.
Tim Callan: If I have 17 receipts, my data might still be out there, but it didn't come from this.
Jason Soroko: And that's a big distinction.
Tim Callan: It's an interesting idea.
Jason Soroko: It's just a thought, Tim.
Tim Callan: All right. Thank you, Jason.