Possibly a Serious Possibility
64 comments
·May 5, 2025chaps
snitty
>The City of Chicago's lawyers went the opposite direction
Not really.
>I wrote that SQL schemas would provide “only marginal value” to an attacker. Big mistake. Chicago jumped on those words and said “see, you yourself agree that a schema is of some value to an attacker.”
The City of Chicago's argument was that something of ANY value, no matter how insignificant, would help an attacker exploit their system, and was therefore possible to keep secret under the FOIA law.
fc417fc802
Such a literal interpretation isn't reasonable. There are all sorts of patterns that can be indirectly leaked through supposedly unrelated data. Yet FOIA exists and is obviously intended to be useful.
So obviously there must be some threshold for the value to an attacker. He attempted to communicate that schemas are clearly below such a threshold and they used his wording to attempt to argue the opposite.
numpad0
> “only marginal value” to an attacker
> “see, you yourself agree that a schema is of some value to an attacker.”
IANAL, it appears justice systems universally interpret this type of "technically yes if that makes you happy but honestly unlikely" statements as "yes with technical bonus", not a "no with extra steps" at all, and it has to be shortened as just "unlikely from my professional perspective" or something lawyer approved for intended effect. Courts are weird.
chaps
Yes really. Our argument, upheld by a judge, was that there was no value to an attacker. Their point stands legally, but nothing else.
Despite all that, Chicago still pushes back aggressively. Here's a fun one from a recent denial letter they sent for data within the same database:
"When DOF referred to reviewing over 300 variable CANVAS pages, these are not analog sequential book style pages of data. Instead, they are 300 different webpages with unique file layouts for which there is no designated first page."
They also argued the same 7(1)(g) exemption despite me being explicit about not wanting the column names. Effectively turning their argument into them saying that the release of information within a database, fullstop, is exempt because it could be used to figure out what data exists within a database. That's against the spirit of IL FOIA, which includes this incredibly direct statutory language:
Sec. 1.2. Presumption. All records in the custody or possession of a public body are presumed to be open to inspection or copying. Any public body that asserts that a record is exempt from disclosure has the burden of proving by clear and convincing evidence that it is exempt.
https://www.documentcloud.org/documents/25930501-foia-burden...
mcphage
> The City of Chicago's argument was that something of ANY value, no matter how insignificant, would help an attacker exploit their system, and was therefore possible to keep secret under the FOIA law.
I’m glad that argument lost, since it totally subverts the purpose and intention of the FOIA. Any piece of information could be of value to some attacker, but that doesn’t outweigh the need for transparency.
hlieberman
It’s not just the UK who has standardized on these language; the U.S. intelligence community also has a list of required terminology to use for different confidence levels and different likelihoods — and distinguishing between them. It’s all laid out in ICD-203, publicly available at https://www.dni.gov/files/documents/ICD/ICD-203.pdf
I’ve found it very helpful in the same vein as RFC 2119 terminology (MUST, SHOULD, MAY, etc.); when you need your meanings to be understood by a counterparty and can agree on a common language to use.
bo1024
Interesting. This terminology really makes no sense without more shared context, in my view. For example, I would not describe something that happens to me every month as a "remote possibility". Yet for a 3% chance event, repeated every day, monthly occurrences are what we expect. Similarly, someone who describes events as "nearly certain" would surely be embarrassed when one of the first 20 fails to happen, no?
randallsquared
A 1-in-a-million chance seems quite remote, yet if you are rolling the dice once a millisecond...
This applies to any repeated chance, so it probably doesn't need to be called out again when translating odds to verbal language.
senderista
I was so frustrated when I tried to get doctors to quantify their assessment of risk for a surgery my sister was about to undergo. They simply wouldn't give me a number, not even "better or worse than even odds". Finally an anesthesiologist privately told me she thought my sister had maybe a one-third chance of dying on the table and that was enough for me. I'm not sure how much fear of liability had to do with this reluctance, or if it was just a general aversion to discussing risk in quantitative terms (which isn't that hard, gamblers do it all the time!).
chychiu
Doctor here
1. It’s generally difficult to quantify such risks in any meaningful manner
2. Provision of any number adds liability, and puts you in a damned-if-does, damned-if-it-doesn’t-work-out situation
3. The operating surgeon is not the best to quantify these risks - the surgeon owns the operation, and the anaesthesiologist owns the patient / theatre
4. Gamblers quantify risk because they make money from accurate assessment of risk. Doctors are in no way incentivised to do so
5. The returned chance of 1/3 probably had an error margin of +/-33% itself
fc417fc802
> It’s generally difficult to quantify such risks in any meaningful manner
According to the literature 33 out of 100 patients who underwent this operation in the US within the past 10 years died. 90% of those had complicating factors. You [ do / do not ] have such a factor.
Who knows if any given layman will appreciate the particular quantification you provide but I'm fairly certain that data exists for the vast majority of serious procedures at this point.
I've actually had this exact issue with the veterinarian. I've worked in biomed. I pulled the literature for the condition. I had lots of different numbers but I knew that I didn't have the full picture. I'm trying to quantify the possible outcomes between different options being presented to me. When I asked the specialist, who handles multiple such cases every day, I got back (approximately) "oh I couldn't say" and "it varies". The latter is obviously true but the entire attitude is just uncooperative bullshit.
> puts you in a damned-if-does, damned-if-it-doesn’t-work-out situation
Not really. Don't get me wrong, I understand that a litigious person could use just about anything to go after you and so I appreciate that it might be sensible to simply refuse to answer. But from an academic standpoint the future outcome of a single sample does not change the rigor of your risk assessment.
> Doctors are in no way incentivised to do so
Don't they use quantifications of risk to determine treatment plans to at least some extent? What's the alternative? Blindly following a flowchart? (Honest question.)
> The returned chance of 1/3 probably had an error margin of +/-33% itself
What do you mean by this? Surely there's some error margin on the assessment itself but I don't see how any of us commenting could have any idea what it might have been.
christiangenco
I've had the same sort of difficulty with phrases like "most" or "almost all" or "hardly any"—I crave for these to map to unambiguous numbers like the probability yardstick referenced in this article.
I spun up a quick survey[1] that I sent out to friends and family to try to get some numbers on these sorts of phrases. Results so far are inconclusive.
SAI_Peregrinus
"Almost all" is an interesting one, because it has family of mathematical definitions in addition to any informal definitions. If X is a set, "almost all elements of X" means "all elements of X except those in a negligible subset of X", where "negligible" depends on context but is well-defined.
If there's a finite subset of an infinite set, almost all members of the infinite set are not in the finite set. E.g. Almost all integers are not 5: the set of integers equal to five is finite and the set of integers not equal to five is countably infinite.
Likewise for two infinite sets of different size: Almost all real numbers are not integers.
Etc.
mannykannot
The more precisely they are defined, the less frequently will you see them used correctly.
jbaber
"Almost all" in math can mean "except at every integer or fraction" :)
tejtm
I would expect almost NO numbers are rational (integer or fraction) with an infinite number of Reals between each.
noqc
in between any two real numbers, there is a rational number, and vice versa.
JadeNB
> I would expect almost NO numbers are rational (integer or fraction) with an infinite number of Reals between each.
You're right (technically correct, which is the best etc.)! That is why "almost all" can mean everything except rational numbers.
layer8
The semantics are almost always reasonable: https://en.wikipedia.org/wiki/Almost_all
dullcrisp
Sure but that’s because 100% of real numbers, by any standard measure, aren’t integers or fractions. It bothers me if it’s used to mean 95% of something though.
JadeNB
> "Almost all" in math can mean "except at every integer or fraction" :)
I am a mathematician, but, even so, I think that this is one of those instances where we have to admit that we have mangled everyday terminology when appropriating it, and so non-measure theoretic users should just ignore our definition. (Similarly with "group," where, at the risk of sounding tongue-in-cheek because it's so obvious, if I were trying to analyze how people usually understand its everyday meaning I wouldn't include the requirement that every element have an inverse.)
hunter2_
"Rare" versus "common" is an interesting one. They sound like antonyms, but I don't think the typical probabilities are really symmetrical. Maybe something like 0%-10% for rare (although some sources say 5%) and something like 40%-100% for common.
konstantinua00
"common" has such a large spread because meaning behind it is sort of "at least one in each sample", where that sample can be anything (graspable)
if you're a teacher and one student per class does the same thing - it's common. Even though it's only 1/25 or 1/30 of all students
Macha
Maybe it's my amount of video games played in childhood that influenced that, but common and rare are just two points on a spectrum (with at least "uncommon" in between)
dejobaan
That was a good read (and short, with a cool graph—I want to know who tagged "Almost No Chance" as 95% likely; a would-be Pratchett fan, perhaps). In biz, that's part of why I like to separate out goals ("we'll focus on growing traffic") and concrete objectives ("25% audience growth between now and June 1st").
patrickmay
But is it EXACTLY a million to one chance?
null
forrestthewoods
I hate “one in a million” because its meaning depends on how many times you’re rolling the die!
I’ll never forgot old World of Warcraft discussions about crit probability. If a particular sequence is “one in a million” and there are 10 million players and each player encounters hundreds or thousands of sequences per day then “one in a million” is pretty effing common!
gpcz
In functional safety, probabilities are usually clamped to an hour of use.
JadeNB
> I hate “one in a million” because its meaning depends on how many times you’re rolling the die!
I'd argue that it doesn't depend on that at all. That is, its meaning is the same whether you're performing the trial once, a million times, ten million times, or whatever. It's rather whether the implication is "the possibility may be disregarded" or "this should be expected to happen occasionally" that depends on how many times you're performing the trial.
ModernMech
My feeling is it's a measure of the number of people who read the question wrong.
Macha
Who are the people that have a small bump of believing "better than even" is 10-20%? Why?
tempestn
You also see the opposite bump for most of the negative assessments. My assumption is that they're likely reading the question backwards. ie. "how unlikely" vs "how likely" or similar.
vpribish
maybe something like dyslexia but for semantics. I did some searching and couldn't find a term for this.
bmurray7jhu
Text of NIE 29-51 "Probability of an Invasion of Yugoslavia in 1951"
Partial HTML: https://history.state.gov/historicaldocuments/frus1951v04p2/...
Full text PDF scan: https://www.cia.gov/readingroom/docs/CIA-RDP79R01012A0007000...
SoftTalker
I have a habit of saying "almost definitely" which I have tried to break but I still fall back to it occasionally. And I know several people who will say something is "definitely possible" or "certainly a possibility" or something along those lines. It's all insecure language we use to avoid making a statement that might turn out to be wrong.
rekenaut
I often say "definitely possible" when I am not sure what the chance of something happening is but I ought to acknowledge that it is possible. It is definitely possible that I should choose better language to communicate this.
smitty1e
When they won't quit asking, I'm "willing to commit to a definite maybe".
tempestn
Interesting. Two things that jumped out to me were 1) why do the regions of the standardization line not overlap or at least meet? And 2) What's up with the small but clear minority of people who took all the 'unlikely' phrasings to mean somewhere in the realm of 90 to 100%? My guess would be they're misreading the question and that is their estimate of unlikelihood?
pictureofabear
Because many people cannot or will not accept ambiguity. Charitably, I suppose this comes from a desire to logically deduce risk by multiply the severity of the consequences by the chance that something will happen. Uncharitably, it gives decisionmakers a scapegoat should they need one.
didgetmaster
"The odds are more like a million to one!"
"So...you're telling me there is a chance!"
chipsrafferty
Why not just actually list the number you have in mind so everyone's on the same page "we consider it a serious possibility - about 60% - that bla bla bla"
andrewflnr
Almost no one making these statements has an actual number in mind, or they would just say it. Probably not even in intelligence, definitely not in popular usage.
tasuki
Because then it doesn't happen and (dumb) people will say "see you were wrong".
The City of Chicago's lawyers went the opposite direction in response to @tpacek's affidavit that the release of table/column names would have "marginal value" to an attacker. The city latched onto that to get a trial that eventually went to the IL Supreme Court and lost.
His post: https://sockpuppet.org/blog/2025/02/09/fixing-illinois-foia/ My post: https://mchap.io/losing-a-5yr-long-illinois-foia-lawsuit-for...