Most of the papers in this collection are from the First International Workshop on Deontic Logic in Computer Science, DEON91, held in Amsterdam in December 1991. The artificial intelligence (especially AI and law, and knowledge representation) communities and formal system specification communities are the audiences that would seem to be most interested. In fact, as a researcher in AI, I was surprised to find common ground with a visiting researcher in distributed systems by discussing the contents of this book, he being in the same field as Wieringa, and I being in the same field as Meyer.

The editors enumerate the applications as follows: automation of law, authorization, system specification, electronic contracting, integrity constraint, and database security. Three additional papers appear, from Carlos Alchourrón, Risto Hilpinen, and Tom Maibaum. By far the most provocative paper in the collection is Alchourrón’s; consequently, this review will focus on his contentions in some detail, and will discuss his paper after all the others have been dealt with. Hector Castaneda’s name was to be added to the list, but his untimely death prevented this. The book is instead dedicated to him, in memoriam.

Deontic logic needs little introduction: it is mandatory formalism for anyone who studies modal logic, which has been mandatory formalism for any computer scientist who works with more than one logic. It is the idea that the relations between permission, obligation, and propositional connectives can be axiomatized. Naturally, a few of the papers consider non-truth-functional conditionals: defeasible (“if…then, defeasibly…”) or counterfactual conditionals (“if…were the case, then…would be the case”), instead of the truth-functional conditional of ordinary logics (“if…then…,” which is a syntactic variation of “not…or…”). In particular, defeasible reasoning represents one of the main contributions of computer science to logic. Rising interest in and appreciation of defeasible reasoning can be seen among both applied and theoretical computer scientists.

Wieringa and Meyer

Wieringa and Meyer’s overview presents the systems of Mally [1] and von Wright [2]. It then discusses the infusion of temporal considerations, the relation to dynamic logic, and the importance of defeasible reasons in the deployment of deontic assertions.

Hilpinen

Hilpinen’s contribution is a straightforward philosophical response to Castaneda’s use of deontic logic in the analysis of sentences that describe actions. An example of such a sentence is “If Gladys is scratched, it should be done gently.”

Bieber and Cuppens

Bieber and Cuppens give a deontic “security logic” in which policies can be expressed, describing who can know what and under what conditions. An example formalized is the NSA phone-book disclosure policy. They are concerned with representing, for instance, “If A chooses to access information about company alpha, then [accessing beta] is forbidden.”

Dubois

Dubois proposes using deontic logic for reasoning about software specifications “during the initial requirements engineering phase of the software lifecycle.” The logic is brought to bear on requirements such as, “At any moment, the safe indicator associated with the station should notify the status of the measured temperature with a one-instant delay.”

Maibaum

For Maibaum, the “key feature” is “an explicit ability to distinguish between the description and prescription of a system’s dynamics.” He starts with the presentation of a “deontic action logic” (DAL), a many-sorted first-order logic that incorporates deontic notions, and “various action combinators.” Agent, AGT, and action, ACT, are the two sortals. Actions are sequences of unit actions. To the modal operators PER (permitted) and OBL (obligated) are added PREF and OS. I did not find explanations of the symbols (are they acronyms or abbreviations? OS clearly is a technical variant of OBL that applies to obligated action sequences; PREF appears to refer to a preference among non-mandated choices). O ( a ) → ^∽PREF ( a ); “when an action is obliged, it is, necessarily, the only permitted action.” PREF is supposed to help with “negative actions,” or “whether or not it is permitted to refrain from an action.”

Maibaum extends the logic to CDAL, which introduces the new action combinators for concurrent or parallel actions. He gives a large example for telephone system specification in which, for example, parallel actions of notifying both the call-maker and the call-receiver are obligated when the calling action occurs and the call-receiver’s phone is not busy. The paper makes two more extensions, titled “safety, liveness, and model-based normativity” and “from deontic to temporal structures.”

Allen and Saxon

In Allen and Saxon, the legal ontology of Wesley Hohfeld [3] is used to augment the deontic modalities of obligation, permission, and forbiddance. Adding “Hohfeldian relations” of right, duty, noright, privilege, power, liability, disability, and impunity is the major augmentation. The authors report on an “interpretation-assistance” legal expert system, and they illustrate its use on the library regulations of Imperial College.

Ryu and Lee

For Ryu and Lee, deontic modalities should occur in defeasible or counterfactual conditionals, not in material conditionals. These authors actually view defeasible reasoning as a “computational model of…counterfactual reasoning.” Their focus is on Donald Nute’s defeasible reasoning system [4]. Nute worked on counterfactual reasoning before delivering a logic of defeasible reasoning. But defeasible reasoning is really very different from counterfactual reasoning despite some superficial similarities. Ryu and Lee present nothing else that is contentious to me, but they represent a point of view against which Alchourrón militates.

Ryu and Lee note that the following simple set of norms requires both deontic analysis and defeasible conditionals:

• A student ought to attend class.

• A student athlete ought to play in the finals.

• It ought to be that if he plays in the finals then he does not attend class.

Santos and Carmo

Santos and Carmo sum up their two logics for representing contractual obligations thus: “The proposed logics should be seen as…a first step in the…representation of contractual obligations. …We need much more powerful logics, where we are able to talk of differing agents and their rights and duties….” Nevertheless, these Portuguese legal logicians have introduced some useful ontology. Obligations of contracts render considerations, and these may be positive or negative; instantaneous, continuous, or periodic; and cumulative or alternative. They may be modified, or extinguished through fulfillment or through resolution. They may be required to be satisfied during some particular temporal term. It is possible that Santos and Carmo are latter-day Hohfeldians, and that legal ontologies for knowledge representation are likely to proliferate as people gain appreciation of the problem and the expertise required for its solution.

Weigand

Weigand tries to bring together deontic logic and the illocutionary logic of Searle and Vanderveken [5]. The latter consists of primitives such as DIRECT, COMMIT, ASSERT, DECLARE, and EXPRESS with which one might model speech acts. The main section claims to derive deontic logic from illocutionary logic. This seems a bit odd, since Searle and Vanderveken surely meant to encode deontic ideas in the obligations imposed on speaker and hearer through convention and speech act commitment.

Jones and Sergot

Jones and Sergot, like Allen and Saxon, give an analysis of the Imperial College library regulations. They make two points. The first is that two different systems result depending on whether the aim is to construct a system that advises on the obligations and rights of the various users, or to take the regulations as a specification of how the library system shall function (the authors going so far as to define “to regiment” as “to force discipline or order on”). The second point is that the regulations “do not completely specify the relative normative positions of librarian and borrower.” To remedy this, they produce two new logics, one for “one-agent act-positions” and one for “two-agent act-positions.” The new technical device is the operator E, which is subscripted by an agent, and which stands for agents seeing to it that something is the case. Interestingly, E-sentences appear in O-contexts, which forces us to view obligation quite differently, as if it were mere necessity.

Alchourrón

Alchourrón has always been an innovator of important technical devices. Explaining the relations between Alchourrón-Gaerdenfors-Makinson belief revision and defeasible reasoning is as interesting to Alchourrón as deontic logic. But Alchourrón is more interested in protecting deontic logic from its new competitor, defeasible reasoning.

Alchourrón is explicit about his aims (p. 44):

• “Normative propositions and norms have different logics.”

• “Von Wright’s first system gives a reasonable account of the logic of categorical norms, but not of the logic of normative propositions about categorical norms.” The difference is that a categorical norm is prescriptive, while a normative proposition about a categorical norm is descriptive. The difference, for example, is between “Drivers shall drive on the left” and “It happens to be the case that `drivers shall drive on the left.’”

• “With a strict flat implication one can have a reasonable logic for conditional norms, and a (different) reasonable logic for descriptions of norms.”

• “There is (therefore) no need for a logic of defeasible norms.” The reason is that standard implication and belief revision give all the functionality offered by defeasible conditionals.

Alchourrón gives a definitive treatment of his deontic logic with detailed syntax and semantics. His principal objective is to provide enough ways of distinguishing prescription from description, by introducing modalities.

Alchourrón starts with P ⁺ ( A ) (permission), O ( A ) (obligation), and P ^- ( A ) (negative permission). For normative propositions, he adds N ( A ), which holds when “the authority…has normed A”; N D ( A ), which holds when “the authority has normatively determined A for the case c” (and c does not appear as an index of the modality); and I N ( A ), when the authority “has inconsistently normed A in circumstance c.” For norms, he adds F ( A ), when the authority “has no other choice but to command or to forbid or to facultate” A (pp. 51–56).

Von Wright has written [6] that “the prototype form of a conditional norm” would be O ( p → q ), writing it O ( p | q ). Alchourrón instead takes ( P → O A ) “as the standard form of general legal norms expressed by sentences of the type `A shall be done in circumstances P.’” Von Wright’s conditional “was an unfortunate step,” since “the negation of a conditional statement usually is not a conditional statement.” Alchourrón believes it is “the source of many difficulties and paradoxes in deontic logic.”

This propositional treatment of a conditional norm is in opposition to the growing tendency among computer scientists to think of a norm as a defeasible conditional with a normatively qualified consequent, as p >- O q, where >- is a defeasible conditional. The key idea is to permit O ( ^∽A | B ∧ C ) even in the presence of O ( A | B ). That is, an obligation p >- O q can be defeated if the condition c obtains, whereupon p ∧ c >- ^∽O q. Alchourrón has some difficulty containing his revulsion at the “rejection” of the law of strengthening the antecedent, which he identifies as “the essential kernel of the intuitive concept of defeasible conditionals.”

In this same example, Alchourrón’s logic concludes from O ( ^∽A | B ∧ C ) and O A | B ) that ∽ ( B ∧ C ), like von Wright’s logic. Von Wright’s solution was to suggest that there were two kinds of “ought” modalities, a deontic kind and a “technical” kind. The technical “ought,” O _t, guards the conditional in a manner reminiscent of modal nonmonotonic logic. Von Wright concedes that when there is conflict between norms, the contradiction “cannot be ‘solved’ in logic.” “If the conflicting norms exist…the legislator is well advised to amend legislation” ([6], p. 158). Alchourrón concurs, concluding B ∧ C → I N ( A ); namely, that the action, A, has been “inconsistently normed by the authority in a certain case.”

Alchourrón feels that if belief revision is grafted onto his mixed-purpose deontic logic, then defeasible consequence is unnecessary. To describe states of belief, we can also, with some difficulty, do without consequence entirely; we can take as descriptions of states all the theorems that might otherwise be entailed, strictly or defeasibly. Upon learning that penguins don’t fly, while birds fly, Alchourrón recommends a contraction of the belief set to eliminate the “if bird then flies” conditional and somehow adopting the weaker “if bird and not-penguin then flies.” The new conditional no longer permits the conclusion that a bird flies, unless it can be proved that it is not a penguin. A subsequent predication that something is a bird (an expansion of the belief set) should be accompanied with an explicit predication that it flies, or that it is not a penguin. The defeasible approach is perhaps handier for the representer of knowledge in such matters.

Alchourrón himself concedes that defeasible reasoning permits “formal expression of the cognitive situations of those who have incomplete knowledge or express their knowledge incompletely, in the sense that they only know or express contributory…conditions, in order to detect their logical commitments” (p. 83). Belief revision does not.

Defeasible reasoning sometimes explains where belief revision is silent. Consider the puzzle of revising semantically equivalent sets of sentences. Belief revision starts by assuming that no distinction is made between two sets of sentences that share the same closure. But there is the puzzle that { a , b } revised by ^∽b clearly should be { a , ^∽b }; while { a , a → b } revised by ^∽b is ambiguous.

To say that a belief state is to be revised by w is to suggest either that w became part of the evidential basis upon which (defeasible) arguments must now be constructed, or that a superior or preferred argument has been produced that now warrants w. In the case of { a , a → b } revised by ^∽b, apparently there is an argument for a and an argument for a → b. Together, they form a third argument, an argument for b. This third argument is defeated by the new superior argument, but which subargument (the one for a or the one for a → b) to impugn is not clear.

Properties that appear reasonable on their face, such as monotonicity and closure for belief sets, which are at the foundation of belief revision, must yield when more detailed constructive theories can explain why those axioms can be violated. Defeasible reasoning is such a theory.

Alchourrón is defending the “standard notion of consequence”; its virtue is that it does not hedge its conclusions in the “quiet darkness” of defeasibility; it is a notion of consequence that has a Popperian falsifiability (how indeed does one falsify a defeasible conditional?). But the user of defeasible reasons is happy to repudiate some classical syllogisms in order to express, with some integrity, the procedural, computational, and conventional aspects of rules.

The most important difference is that defeasibility has something to do with procedure and burden of proof. It cannot be replaced by Alchourrón’s choice functions or nonmonotonic logic’s preference orderings in the traditional mathematical semantic models. The beauty of defeasibility is that it guides procedure, not just constrains commitments. Having defeasibly concluded q, from p and p >- q, the burden shifts to those who would show ^∽q. Defeasible reasoning is not just about logical commitments. It is about the possibility and the preventing of drawing conclusions on partial consideration of the potential arguments. Computation is why defeasibility encroaches on deontic logic today, and for the foreseeable future.

Conclusion

Taken as a whole, these papers do show that deontic logic and its extensions are finding their way into computer science applications. More striking is how applications, especially knowledge engineering, are eliciting new formal systems from researchers with deontic logical inclinations. These researchers tend to think in terms of obligations and permissions, but they now see that a much finer ontological and logical apparatus is required. Their resulting logics are deontic mainly in spirit; the use of O-, P-, and F-modalities is usually not the centerpiece of their work.