# First Experiments with a Flexible Infrastructure for Normative Reasoning

## Abstract

A flexible infrastructure for normative reasoning is outlined. A small-scale demonstrator version of the envisioned system has been implemented in the proof assistant Isabelle/HOL by utilising the first author's universal logical reasoning approach based on shallow semantical embeddings in meta-logic HOL. The need for such a flexible reasoning infrastructure is motivated and illustrated with a contrary-to-duty example scenario selected from the General Data Protection Regulation.

## 1 Introduction

We argue for the development of a flexible deontic logic reasoning infrastructure. This infrastructure shall support formalisation experiments in legal and ethical reasoning. Since the quest for the most suitable logical formalisms in this area is not yet settled, our infrastructure offers a range of deontic logic alternatives to be used and assessed in different application contexts. Our infrastructure is based on the first author's approach [1, 2] to universal logical reasoning via shallow semantical embeddings in meta-logic HOL (classical higher-order logic). This approach enables the reuse of state-of-the-art theorem proving technology for the flexible mechanisation and automation of a range of non-classical logics. The idea is to adapt this framework for various deontic logics, and to subsequently assess these logics in respective case studies. We illustrate the idea by first presenting embeddings of two alternative deontic logics in HOL (Section 2). These two alternative logics are then applied and assessed (in Section 3) with an exemplary contrary-to-duty scenario we identified in the context of the General Data Protection Regulation (GDPR, Regulation EU 2016/679).

## 2 Embedding Deontic Logics in HOL

Two different deontic logics are considered in this section: standard deontic logic (SDL) [18] and the dyadic deontic logic (DDL) of Carmo and Jones [13, 12]. Both logics have been implemented in the proof assistant Isabelle/HOL [19] by utilising the semantical embedding approach. The faithfulness of these embeddings in HOL has been studied in previous work [4, 3]. The encoding of these logics could alternatively be carried out in any other theorem proving environment that entails classical higher-order logic HOL. For example, their encoding could well be carried out in the TPTP THF syntax [22] to enable the direct application of TPTP THF compliant higher-order automated theorem provers such as Satallax [11], LEO-II [5] and Leo-III [21], and the (counter-)model finder Nitpick [8]. An example of an embedding of second-order modal logic KB (with constant domain quantifiers) in TPTP THF syntax is presented in [6].

### Standard Deontic Logic.

Figure 1 presents a shallow semantical embedding of SDL in Isabelle/HOL. SDL is synonymous with standard modal logic D, whose Kripke-style semantics assumes a serial accessibility relation. The core idea of this embedding is to lift SDL propositions to predicates on worlds. The world dependency of SDL propositions is thus made explicit here, and the connectives are lifted accordingly. In other words, what is presented here is an encoding of the well-known standard translation as a lean and elegant set of equations in Isabelle/HOL. This semantical embedding of propositional SDL can easily be extended to first-order and even higher-order SDL, cf. [17].

The SDL unary obligation operator OB is defined in line 16, and a standard syntax for unary obligation is then introduced in line 27. is defined for the moment as . The idea is that can later be overloaded with an alternative notion of unary obligation defined in DDL. The motivation for this overloading approach will become more transparent in Section 3, where we switch between the two alternative definitions of by alternating the theory import in Isabelle/HOL only, while avoiding any changes in the actual formalisation of our small example.

### Dyadic Deontic Logic.

Dyadic deontic logic is the logic for reasoning with dyadic obligations (“it ought to be the case that …if it is the case that …”). Figure 2 presents a shallow semantical embedding of a Dyadic Deontic Logic (DDL) proposed by Carmo and Jones [13, 12] in Isabelle/HOL. Instead of a Kripke style semantics, DDL employs a neighborhood semantics (cf. [14]). This explains the change in the behaviour of the GDPR example below. In contrast to SDL, the DDL logic of Carmo and Jones is known to be robust against contrary-to-duty scenarios. This aspect will be further explored in Section 3.

A unary obligation operator in DDL can be defined as a special case of dyadic obligation where the condition clause is set to . In the Isabelle/HOL embedding of Fig. 2 this is done in line 36, where is defined as . For illustration purposes we will work in Section 3 first with this unary obligation operator only, in order to practically demonstrate its very different behaviour in a CTD scenario depending on whether we use SDL or DDL as the deontic logic of choice.

## 3 Example: A CTD Situation in the GDPR

For small, practical experiments in this section the General Data Protection Regulation (GDPR, Regulation EU 2016/679) has been chosen as an application scenario. It is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU). It also addresses the export of personal data outside the EU. The GDPR aims primarily to give control back to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU. The regulation was adopted on 27 April 2016. It becomes enforceable from 25 May 2018.

We present below two sample norms contained in this knowledge base.

Personal data shall be processed lawfully (Art. 5). For example, the data subject must have given consent to the processing of his or her personal data for one or more specific purposes (Art. 6/1.a). If the personal data have been processed unlawfully (none of the requirements for a lawful processing applies), the controller has the obligation to erase the personal data in question without delay (Art. 17.d, right to be forgotten).

When combined with the following two knowledge units, the above GDPR norms exhibit a typical CTD structure: (3) It is an obligation (e.g. as part of a respective agreement between a customer and a company) to keep the personal data (as relevant to the agreement) provided that it is processed lawfully. (4) Some data in the context of such an agreement has been processed unlawfully. The latter information pieces are not explicit parts of the GDPR. Instead they are to be seen as implicit. 3 comes from another regulation with which the GDPR has to co-exist. 4 is factual information — it is exactly the kind of world situation the GDPR wants to regulate.

To enable automated reasoning about GDPR-enforced obligations (or permissions) in a given world context, the regulatory content of the GDPR will thus have to be combined with a respective representation of this given situation. This can be seen as analogous to the notions of a T-Box (terminology) and an A-Box (world assertions) in semantic web applications.

In the remainder of this paper we will demonstrate, within a practical theorem proving environment, how critical the “right” choice of the assumed deontic logic actually is. While the illustrated effects are known and well studied in the deontic logic literature, they are here for the first time exhibited and explored within an implemented, flexible deontic logic reasoner. Note in particular that DDL has never been implemented before.

### GDPR Example in SDL.

Figure 3 presents the modeling of the scenario as discussed above in Isabelle/HOL. In line 2 the deontic logic of choice is imported. For the moment this is SDL. The effect of the import is that the definitions of the semantical embedding of SDL in HOL as presented in Fig. 1 are loaded and activated. In other words, the logical connectives from Fig. 1, including the unary obligation operator , are now available for the modeling of the example scenario.

In line 7 uninterpreted constant symbols are introduced. process_data_lawfully encodes whether or not data has been processed lawfully in a given situation. erase_data encodes whether or not the data should be erased in the given situation. kill_boss has been added to highlight the potential danger of CTD scenarios in a particularly dramatic way. It shall encode the supposedly unrelated question whether the boss (e.g. of a company) should be killed, which obviously must not be inferable as an obligation from the knowledge base. Any other unrelated question would do equally well.

It is relevant to remark that the propositional encoding as presented here abstracts away a lot of relevant structural information. For example, by data we rather mean something like “data related to a particular person in the context of a given customer agreement”. To achieve a proper modeling of the entire GDPR, a structurally more fine-grained content encoding in first-order or even higher-order deontic logic may thus be more adequate.

The previously mentioned GDPR norms are encoded in lines 10-13. In lines 14-17, the implicit knowledge, i.e. the given world situation, is modeled.

Then, in lines 20-25, some experiments with the automated reasoning tools integrated with Isabelle/HOL are conducted. In line 20 an initial check for consistency (satisfiability of the user axioms) with the model finder Nitpick [9] fails. This means the displayed axioms in lines 10-17 are inconsistent when SDL is taken as the deontic logic of choice. Moreover, this inconsistency is confirmed by the automated theorem provers (ATPs) CVC4 [16], SPASS [10], E [20] and Z3 [15], which show that Falsum is inferred from the axioms (line 21). These state-of-the-art ATPs are integrated with Isabelle/HOL via the Sledgehammer [7] tool.

The consequences of an inconsistency in a classical logic context are known — everything follows (principle of explosion). This becomes apparent in our experiments in lines 23-25. In line 23, the ATPs prove that it is an obligation to erase the data. But in line 24 they also prove that the data should not be erased. And most dramatically, in line 25, the ATPs prove that there is now the obligation to kill the boss. All these results are also confirmed by the model finder Nitpick, which is employed here in countermodel finding mode to search for counterarguments to the statements in question. The red markup colour indicates that Nitpick fails to do so.

From our first experiments we thus see that an SDL-based deontic logic reasoner may easily turn into a dangerously irrational entity when exposed to CTD scenarios. In other words, the choice of the right deontic logic critically matters, and SDL is not a good choice.
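As an added illustration (not code from the paper or from its Isabelle/HOL theories), the following Python script replays the embedding idea of Fig. 1 and the SDL experiment of Fig. 3 in miniature: propositions are predicates on worlds, the connectives are lifted pointwise, OB quantifies over an accessibility relation, and validity is truth at every world. A brute-force enumeration of small Kripke models plays the role of Nitpick's consistency check, and an entailment check over those models plays the role of the ATP queries. The atoms `process_data_lawfully`, `erase_data` and `kill_boss` are taken from the text; the four axioms in `gdpr_kb` are a constructed propositional reading of the norms described above, not the exact formulas of Fig. 3, which are not reproduced on this page. The `serial` flag goes slightly beyond the paper: with it switched off the search runs in logic K instead of D, which shows that the knowledge base then becomes satisfiable only because every world loses its successors, so that `O(kill_boss)` is still vacuously derivable.

```python
"""Added example: the SDL embedding of Fig. 1 as a finite-model checker, used to
rerun the consistency check and the explosion queries of Fig. 3 on a constructed
propositional reading of the GDPR norms.  Not the paper's Isabelle/HOL code."""
from itertools import product
from typing import Callable, Dict, FrozenSet, Iterator, List, Tuple

World = int
Prop = Callable[[World], bool]      # an SDL proposition, lifted to a predicate on worlds
Model = Tuple[Tuple[World, ...], FrozenSet[Tuple[World, World]], Dict[str, FrozenSet[World]]]

# Lifted connectives: evaluated pointwise at a world, as in the standard translation.
def neg(p: Prop) -> Prop:
    return lambda w: not p(w)

def impl(p: Prop, q: Prop) -> Prop:
    return lambda w: (not p(w)) or q(w)

def make_ob(worlds, rel):
    """OB p holds at w iff p holds at every world accessible from w via rel."""
    def ob(p: Prop) -> Prop:
        return lambda w: all(p(v) for v in worlds if (w, v) in rel)
    return ob

def valid(p: Prop, worlds) -> bool:
    """Global validity: p is true at every world of the model."""
    return all(p(w) for w in worlds)

# Constructed stand-ins for the uninterpreted constants of Fig. 3.
ATOMS = ("process_data_lawfully", "erase_data", "kill_boss")

def gdpr_kb(atom, ob) -> List[Prop]:
    """Constructed reading of the norms in Section 3 (assumption, not Fig. 3 verbatim)."""
    lawful, erase = atom("process_data_lawfully"), atom("erase_data")
    return [
        ob(lawful),                     # Art. 5: personal data shall be processed lawfully
        impl(neg(lawful), ob(erase)),   # Art. 17.d: if processed unlawfully, erase it
        ob(impl(lawful, neg(erase))),   # agreement: keep the data provided it is processed lawfully
        neg(lawful),                    # fact: this data has been processed unlawfully
    ]

def kb_without_fact(atom, ob) -> List[Prop]:
    """Same norms without the factual assertion, for contrast."""
    return gdpr_kb(atom, ob)[:3]

def enumerate_models(n: int, serial: bool) -> Iterator[Model]:
    """All Kripke models over n worlds; serial=True restricts to SDL (modal logic D)."""
    worlds = tuple(range(n))
    pairs = [(w, v) for w in worlds for v in worlds]
    for rel_bits in product((False, True), repeat=len(pairs)):
        rel = frozenset(p for p, b in zip(pairs, rel_bits) if b)
        if serial and any(all((w, v) not in rel for v in worlds) for w in worlds):
            continue   # some world has no successor: not a D model
        for val_bits in product((False, True), repeat=n * len(ATOMS)):
            val = {a: frozenset(w for w in worlds if val_bits[i * n + w])
                   for i, a in enumerate(ATOMS)}
            yield worlds, rel, val

def interpret(model: Model):
    """Turn a model into the atom lookup and the OB operator the axioms are built from."""
    worlds, rel, val = model
    atom = lambda name: (lambda w: w in val[name])
    return worlds, atom, make_ob(worlds, rel)

def satisfying_models(kb, max_worlds=2, serial=True) -> Iterator[Model]:
    """Nitpick-style search: models (up to max_worlds) in which every axiom is valid."""
    for n in range(1, max_worlds + 1):
        for model in enumerate_models(n, serial):
            worlds, atom, ob = interpret(model)
            if all(valid(ax, worlds) for ax in kb(atom, ob)):
                yield model

def consistent(kb, max_worlds=2, serial=True) -> bool:
    return next(satisfying_models(kb, max_worlds, serial), None) is not None

def entails(kb, query, max_worlds=2, serial=True) -> bool:
    """Does the query hold in every finite model of kb?  When kb has no model at all
    this is vacuously True: the principle of explosion observed in Fig. 3."""
    for model in satisfying_models(kb, max_worlds, serial):
        worlds, atom, ob = interpret(model)
        if not valid(query(atom, ob), worlds):
            return False
    return True

# The three queries of lines 23-25 of Fig. 3.
q_erase = lambda atom, ob: ob(atom("erase_data"))
q_keep = lambda atom, ob: ob(neg(atom("erase_data")))
q_kill = lambda atom, ob: ob(atom("kill_boss"))

if __name__ == "__main__":
    print("SDL: GDPR knowledge base consistent?", consistent(gdpr_kb))
    for name, q in (("O(erase_data)", q_erase), ("O(not erase_data)", q_keep), ("O(kill_boss)", q_kill)):
        print(f"SDL: knowledge base entails {name}?", entails(gdpr_kb, q))
    print("SDL: knowledge base without the fact consistent?", consistent(kb_without_fact))
    print("SDL: ... entails O(kill_boss)?", entails(kb_without_fact, q_kill))
    print("K (non-serial): knowledge base consistent?", consistent(gdpr_kb, serial=False))
    print("K (non-serial): ... entails O(kill_boss)?", entails(gdpr_kb, q_kill, serial=False))
```

Run as a script: under SDL the search finds no model of the four axioms (the fact ¬process_data_lawfully is valid everywhere, yet OB(process_data_lawfully) and seriality demand an accessible world where it holds), and all three queries come back as entailed, including O(kill_boss). Dropping the factual assertion restores a model in which O(kill_boss) fails. DDL is not implemented here; its neighbourhood semantics would need the model structure of Carmo and Jones rather than a single accessibility relation.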

### GDPR Example in DDL (using unary obligation only).

The very same experiments from Fig. 3 are now repeated in Fig. 4. This time, however, DDL is selected and activated as the deontic logic of choice. While the modeling of the norms of the GDPR and the given situation remains exactly as before (lines 10-17), the experiment results are very different now. This time our reasoning infrastructure responds with the desired behaviour, due to the choice of a more adequate deontic logic.

In line 20, the consistency check with Nitpick succeeds (no red markup), and in line 21 the attempts to prove Falsum with the ATPs fail. In line 23, the ATPs prove that it is an obligation in the given situation to erase the data, and Nitpick finds no counterargument to this. These results are in line with the negative response of the ATPs to the question whether the data shall be kept (line 24). Nitpick, in fact, presents a counterargument to this query. And similarly the reasoning tools reject the query whether the boss should be killed.

## 4 Conclusion

Contrary-to-duty scenarios may arise in the context of recent regulatory frameworks such as the GDPR. However, it may be difficult to detect them, and it may be even more difficult to properly address them. A particular challenge in this context is the choice of a suitable deontic logic formalism. The notion of suitability thereby at least includes robustness against contrary-to-duty scenarios. Several further requirements must be met, ranging from practical considerations, such as effective proof automation, to yet undetected, further theoretical challenges. We therefore argue for the development of a flexible normative reasoning infrastructure enabling empirical studies with different deontic logic formalisms in the context of concrete application studies in which regulatory frameworks such as the GDPR are formalised and rigorously assessed. A starting point for the development of such a framework has been presented in this paper.

## References

- [1] C. Benzmüller. Recent successes with a meta-logical approach to universal logical reasoning (extended abstract). In S. A. da Costa Cavalheiro and J. L. Fiadeiro, editors, Formal Methods: Foundations and Applications - 20th Brazilian Symposium, SBMF 2017, Recife, Brazil, November 29 - December 1, 2017, Proceedings, volume 10623 of Lecture Notes in Computer Science, pages 7–11. Springer, 2017.
- [2] C. Benzmüller. Universal reasoning, rational argumentation and human-machine interaction. arXiv, http://arxiv.org/abs/1703.09620, 2017.
- [3] C. Benzmüller, A. Farjami, and X. Parent. Faithful semantical embedding of a dyadic deontic logic in hol. CoRR, https://arxiv.org/abs/1802.08454, submitted, 2018.
- [4] C. Benzmüller and L. Paulson. Quantified multimodal logics in simple type theory. Logica Universalis (Special Issue on Multimodal Logics), 7(1):7–20, 2013.
- [5] C. Benzmüller, N. Sultana, L. C. Paulson, and F. Theiß. The higher-order prover LEO-II. Journal of Automated Reasoning, 55(4):389–404, 2015.
- [6] C. Benzmüller and B. Woltzenlogel Paleo. On logic embeddings and Gödel’s God. In M. Codescu, R. Diaconescu, and I. Tutu, editors, Recent Trends in Algebraic Development Techniques: 22nd International Workshop, WADT 2014, Sinaia, Romania, September 4-7, 2014, Revised Selected Papers, number 9563 in LNCS, pages 3–6, Sinaia, Romania, 2015. Springer. (Invited paper).
- [7] J. C. Blanchette, S. Böhme, and L. C. Paulson. Extending Sledgehammer with SMT solvers. Journal of Automated Reasoning, 51(1):109–128, 2013.
- [8] J. C. Blanchette and T. Nipkow. Nitpick: A counterexample generator for higher-order logic based on a relational model finder. In M. Kaufmann and L. C. Paulson, editors, ITP 2010, volume 6172 of LNCS, pages 131–146. Springer, 2010.
- [9] J. C. Blanchette and T. Nipkow. Nitpick: A counterexample generator for higher-order logic based on a relational model finder. In ITP 2010, number 6172 in LNCS, pages 131–146. Springer, 2010.
- [10] J. C. Blanchette, A. Popescu, D. Wand, and C. Weidenbach. More SPASS with Isabelle - Superposition with Hard Sorts and Configurable Simplification. In Interactive Theorem Proving - Third International Conference, ITP 2012, Princeton, NJ, USA, August 13-15, 2012. Proceedings, volume 7406 of Lecture Notes in Computer Science, pages 345–360. Springer, 2012.
- [11] C. E. Brown. Satallax: An automatic higher-order prover. In Automated Reasoning, volume 7364 of LNCS, pages 111–117. Springer Berlin Heidelberg, 2012.
- [12] J. Carmo and A. J. I. Jones. Deontic logic and contrary-to-duties. In D. M. Gabbay and F. Guenthner, editors, Handbook of Philosophical Logic: Volume 8, pages 265–343. Springer Netherlands, Dordrecht, 2002.
- [13] J. Carmo and A. J. I. Jones. Completeness and decidability results for a logic of contrary-to-duty conditionals. J. Log. Comput., 23(3):585–626, 2013.
- [14] B. Chellas. Modal Logic: An Introduction. Cambridge University Press, 1980.
- [15] L. M. de Moura and N. Bjørner. Z3: An Efficient SMT Solver. In Tools and Algorithms for the Construction and Analysis of Systems, 14th International Conference, TACAS 2008, Held as Part of the Joint European Conferences on Theory and Practice of Software, ETAPS 2008, Budapest, Hungary, March 29-April 6, 2008. Proceedings, volume 4963 of Lecture Notes in Computer Science, pages 337–340. Springer, 2008.
- [16] M. Deters, A. Reynolds, T. King, C. W. Barrett, and C. Tinelli. A tour of CVC4: how it works, and how to use it. In Formal Methods in Computer-Aided Design, FMCAD 2014, Lausanne, Switzerland, October 21-24, 2014, page 7. IEEE, 2014.
- [17] T. Gleißner, A. Steen, and C. Benzmüller. Theorem provers for every normal modal logic. In T. Eiter and D. Sands, editors, LPAR-21. 21st International Conference on Logic for Programming, Artificial Intelligence and Reasoning, volume 46 of EPiC Series in Computing, pages 14–30, Maun, Botswana, 2017. EasyChair.
- [18] P. McNamara. Deontic logic. In E. N. Zalta, editor, The Stanford Encyclopedia of Philosophy. Metaphysics Research Lab, Stanford University, winter 2014 edition, 2014.
- [19] T. Nipkow, L. C. Paulson, and M. Wenzel. Isabelle/HOL: A Proof Assistant for Higher-Order Logic. Number 2283 in LNCS. Springer, 2002.
- [20] S. Schulz. System description: E 1.8. In Logic for Programming, Artificial Intelligence, and Reasoning - 19th International Conference, LPAR-19, Stellenbosch, South Africa, December 14-19, 2013. Proceedings, volume 8312 of Lecture Notes in Computer Science, pages 735–743. Springer, 2013.
- [21] A. Steen and C. Benzmüller. The higher-order prover Leo-III. In D. Galmiche, S. Schulz, and R. Sebastiani, editors, Automated Reasoning — 9th International Joint Conference, IJCAR 2018, Oxford, UK, July 14-17, 2018, Proceedings, LNCS. Springer, 2018. forthcoming.
- [22] G. Sutcliffe and C. Benzmüller. Automated reasoning in higher-order logic using the TPTP THF infrastructure. Journal of Formalized Reasoning, 3(1):1–27, 2010.