Programs as Actual Causes: A Building Block for Accountability

Abstract

Protocols for tasks such as authentication, electronic voting, and secure multiparty computation ensure desirable security properties if agents follow their prescribed programs. However, if some agents deviate from their prescribed programs and a security property is violated, it is important to hold agents accountable by determining which deviations actually caused the violation. Motivated by these applications, we initiate a formal study of programs as actual causes. Specifically, we define what it means for a set of programs to be an actual cause of a violation when they are run concurrently with a set of other programs. Our definitions are inspired by prior work on counterfactual-based actual causation [Halpern and Pearl 2005, Halpern 2008] that defines what it means for an event c to be an actual cause of an event e. Considering programs instead of events as actual causes is appropriate in security settings because individual agents can exercise their choice to either execute the prescribed program or deviate from it. We present a sound technique for establishing programs as actual causes. We demonstrate the value of this approach by providing a causal analysis of a representative protocol designed to address weaknesses in the current public key certification infrastructure. Specifically, we analyze causes of authentication failures of a protocol that leverages a set of notaries to address concerns about trust-on-first-use of self-signed certificates.
