On Fri, Dec 15, 2017 at 4:26 PM, Matthew Hardeman via dev-security-policy < [email protected]> wrote:
> On Friday, December 15, 2017 at 3:08:32 PM UTC-6, Ryan Sleevi wrote:
>
> > Respectfully, this is the tiger-repelling rock. We can't show that any
> > tigers attacked, therefore, we should keep telling users they need
> > tiger-repelling rocks. And oh, by the way, they take away attention from
> > solutions that do actually repel or repatriate the tigers.
> >
>
> In actuality, given a sufficient number of human - tiger encounters, with
> the essential discernible variable in those encounters being:
>
> Did an attack result?
> -and-
> Was a tiger-repelling rock held by human?
>
> Where a non-zero "Did an attack result" is true in a material portion of
> the encounters AND where "Did an attack result" is zero in all those
> encounters for which the "Was a tiger-repelling rock held by human" is true
> -- and I reemphasize given a large enough set of encounters normalized for
> other variables -- a strong statistical case can be made -- not directly
> that "Tiger-repelling rocks actually work!" but rather that some
> non-obvious consequence of the tiger-repelling rock or of the human holding
> the tiger-repelling work does apparently dissuade the tiger from
> attacking. This is true even if the actual underlying cause is merely that
> it amuses the tigers as a collective to perpetuate their rather successful
> troll: that we believe the tiger-repelling rocks work.
>

Yes, we can say correlated variables are correlated. No, we cannot imply or infer from correlated variables that there is a causal relationship. For example, we don't know whether people who believe in tiger-repelling rocks are simply tiger-averse by nature, hence buying into the tiger-repelling rock mythos. We don't know whether those selling tiger-repelling rocks are releasing tigers into markets that reject their tiger-repelling rocks. There's countless possible explanations, and a correlationary relationship does express any significance on the causality.
We don't know whether our methodology of measuring tiger attacks - by releasing tigers into rooms where people are - may in fact be under-counting how many tiger attacks there are, since we ignore tiger attacks in the forest. And, to the earlier metaphor, if a tiger attacks someone in the forest, and no one else is around, can we really make any conclusions about tiger attacks in the wild?

> In closing, I would say that I find the notion of "ascribing
> responsibility to the user" is entirely appropriate sometimes. Especially
> when the user wants to be more involved in the risk calculus and would like
> some extra data points upon which to judge the risks. Except most of the
> people who feel that way would probably use language like "enabling
> responsibility by the user".

Sure. There will always be folks who want more information. Is this coffee fair trade? Is this fruit GMO free? What's the dilution of this homeopathic cure for cancer? Is this vaccine autism-free? To what end we require users to consider that information and incorporate it into their daily lives, and to what value it provides, is fair game for discussion. For example, such discerning purchasers know to look closer at the label - and have to do further to discern whether the 'certifying' agency is perhaps a market alliance of manufacturers versus an objective and neutral third-party.

