
Ask HN: How to disclose something without disclosing it? - staticautomatic
A while back I came across an interesting problem that I&#x27;ve been thinking about off and on. Let&#x27;s say I am thinking about taking a job working for a large company, but in some relatively dangerous part of world. I don&#x27;t think I would take the job unless, among other things, I knew that the employer had kidnap and ransom insurance for its employees. However, some K&amp;R policies prohibit the employer from telling the employee that the coverage exists. Is it possible for the employer to prove that they have the insurance without telling the prospective employee?
======
ars
> without telling the prospective employee?

Mathematically no. But this isn't a mathematical question, it's a legal one:
"some K&R policies prohibit".

You need to nitpick the legal agreement and figure out the loopholes.

Your employer will have to assist you with that, since you have no access to
the agreement.

For example as part of the employment agreement you write: "Company shall
expend whatever resources are necessary to recover employee in case of kidnap,
etc, etc". There is no mention of insurance, just that the company will get
you back. How they do it is their problem. (Obviously you're going to need a
lawyer to help you write it.)

------
1996
If you are actually worried about getting ransom insurance in case of being
kidnapped, maybe you should just skip the job.

If you really want the job, ask for an extra for paying the insurance
yourself. That way you are 100% sure you go coverage (if you don't forget to
pay the insurance!)

Personally, I wouldn't take that job, even if I could buy the best insurance
myself. I just don't like betting against myself.

~~~
jey
> I just don't like betting against myself.

Hm? That's not how insurance works.

~~~
fcbrooklyn
That's actually exactly how insurance works. You place a bet against yourself,
and you hope not to lose, but if you do lose, at least you win the bet.

~~~
_d8fd
Former insurance agent here.

You can think of insurance as a small & certain loss to hedge against a large
& uncertain loss.

If stuff happens and you do need to cash in on that insurance policy, the
payout should be thought of as saving your butt, also known as
indemnification.

An airbag in your car is a form of insurance. You spent $X to protect yourself
in a collision. The small & certain loss is spending the $X. Say you
unexpectedly end up in a crash, but instead of dying, the airbag saves your
life. It protected you from a death, the large & uncertain loss.

The idea of that buying an insurance is making a bet against yourself doesn't
make sense to me. Insurance is more about making sure you don't lose. It's
reducing risk, and a bet feels like taking on risk. The insurance company is
the one making the bet, not the policy holder.

~~~
1996
You know the best way to make the road super safe?

Replace the airbags by a long pointy metal spike that goes next to the driver
throat.

Would that impact the way you drive? I think you would be super careful. Then,
why do you think an airbag will not impact the way you drive? It does - only
in the other direction.

We all have unconscious bias. Insurance increase risk. I want to minimize my
risk, not my average payout. This requires recognizing my own biases.

If I'm kidnapped and dead, all the money in the world won't bring me back. So
I'd rather feel unsafe, as it will discourage me from taking risks. In other
words, I will not bet against myself.

I don't like making bet against myself, regardless of the reasons behind. So
in general, I only take the minimum insurance legally mandated.

In the OP post, you can see that the existence of an insurance will increase
his desire to take the job, and thus the risk of being kidnapped. I wouldn't
do that, but I'm just talking about me

~~~
yeldarb
If that were true we should see an increase in fatalities per mile driven as
safety features increase. We haven’t[1]. They have actually plummeted as cars
have gotten safer.

[1]
[https://en.wikipedia.org/wiki/Transportation_safety_in_the_U...](https://en.wikipedia.org/wiki/Transportation_safety_in_the_United_States)

~~~
mandelbrotwurst
Proposition: IF safety features increase AND safety features cause drivers to
behave more recklessly THEN there will be an increase in traffic fatalities.

This does not hold if the reductions in fatalities caused by the safety
features are larger than the (alleged!) increase in fatalities caused by
additional recklessness.

~~~
yeldarb
Sure, but the GP’s hypothesis was that “the best way to make the road super
safe [is to] replace the airbags by a long pointy metal spike that goes next
to the driver throat.” That doesn’t follow.

~~~
1996
It was a joking way to say that driver behavior was affected by safety
feature, not an actual proposal to install said spikes on all cars

------
rdtsc
If we had insurance and could use it to bring back our employees like we did
in May 2011, June 2014, and August 2016 we would not be publicly allowed by HR
and legal to tell you about it. :-)

~~~
stevenAthompson
They don't want to tell you, and shouldn't.

The reason they can't tell you is that you may then 'kidnap' yourself to
collect on it.

By even "accidentally" disclosing it's exustence they would be giving the
employee information that would help them to steal from the company, since
their rates would increase after the fraud.

A more reasonable answer might be "We promise to do whatever we can to help
any employees who find themselves in such a situation, but can't provide
details as to the form that help might take as every situation is different."

~~~
tiatia123
"The reason they can't tell you is that you may then 'kidnap' yourself to
collect on it."

I don't think you know how this insurance works.

~~~
dragonwriter
Yes, it is, in effect, via staged kidnap-for-ransom.

~~~
tiatia123
No, you don't know it. It is not like health insurance. You pay and submit the
bill. They guy take over the negotiations. One objective is to get you back
alive. The other objective is to pay as little as possible. The third
objective is to make the whole process a pain in the butt that this guy will
never try this again. Trust me. You have no idea what you are talking about. I
know former military guys who work in this field. Keep downvoting me.

------
freehunter
(for anyone not familiar with the term, K&R policy is a "kidnap and ransom
policy")

Like rdtsc said, pointing to times when they _did_ guarantee the return of an
employee would be pretty close. Not entirely foolproof, since past performance
is not indicative of future results (if they got the insurance policy without
telling anyone, they could easily drop the insurance policy without telling
anyone).

In a broader sense, the way this (disclosure without disclosure) is usually
done is escrow of some sort. There is an agreement with a third party that the
agreement will be upheld, with money down to that third party. If the money is
required to be issued from the first party to the second party, the second
party does not need to rely on the first party to uphold their end of the
agreement. The third party (escrow service) has already assured that, and now
the third party is responsible for issuing the payment. For example, if I'm
promised payment for source code and I want to ensure I get the payment upon
delivery of the source code, the company submits the payment to escrow and I
submit the source code, and the escrow company is responsible for ensuring the
payment and code get swapped appropriately.

I'm not sure if proving an escrow policy of "we will make sure you get home"
and putting down $1m just in case of ransom violates that K&R clause or not.
But without a contract saying specifically "we will get you home no matter
what", there is no real assurance. Escrow might be the closest you'll come.

~~~
NullPrefix
But the ransom amount is unknown before hand. It's not like you can easily
compare the market and pick your vendor.

~~~
freehunter
I'm sure companies doing business in areas where kidnap and ransom is common
know the going rate for ransom. They also know how much an employee is worth
to them (same rate as companies who take out life insurance on their
employees). If you can get an insurance policy against someone's kidnap, you
know how much they are worth and you know how much you'll be willing to spend
on a ransom. If you can't narrow it down enough to escrow, you certainly don't
have an insurance policy on it.

------
sardinaconsal
I think is not possible, because the purpose of such legal measure is to avoid
increasing ransom and kidnapping, and that would happen if the criminals knew
that they would get the ransom from the coverage company. Hence any way to
prove that the insurance exists goes against the legal reason to hide the
existence of such coverage. To overcome this the following clause could be
included: You are covered but if you communicate explicitely or implicitely to
someone that you are covered then you are automatically excluded from this
coverage.

~~~
stevenAthompson
That didn't help with the case where the "kidnapper" is actually the "victim".

~~~
mattkrause
Is that really the principle threat? It seems like there would be easier ways
for an unscrupulous employee to defraud their company.

~~~
dragonwriter
> Is that really the principle threat?

It is _a_ threat that is included in the insurers threat model.

> It seems like there would be easier ways for an unscrupulous employee to
> defraud their company.

Probably, but not an easier way for them to defraud the K&R insurer. It's an
insurer policy, not employer policy.

------
dmurray
If you trust the employer, them answering "we're not allowed to discuss that"
should be enough. What HR policy could forbid the employer from saying "No, we
don't have that" if they didn't?

If you don't trust them, and they might hint at having insurance as a carrot
to tempt you to sign, this doesn't apply.

------
jd007
I'm not sure that I understand what you are asking, since "prove that they
have the insurance" seems to me to be equivalent to "telling the prospective
employee".

Conceptually, I feel like there might be a connection to zero knowledge proofs
([https://en.wikipedia.org/wiki/Zero-
knowledge_proof](https://en.wikipedia.org/wiki/Zero-knowledge_proof)), so
perhaps you can look there for inspiration if you haven't heard of it.

------
sardinaconsal
The best solution I can think of to tackle this problem is to design a
probabilistic model that include a confidence level for future risk and
payment for k&r, if the risk is increased the maximal payment is decreased in
such a way that the mean risk is kept constant. So if you communicate that you
are covered and your probability of kidnapping increase ten fold then the
maximum payment is divided by ten.

------
mindslight
I think you're probably chewing on this because it feels similar to a ZKP
setup. But ZKPs don't really work in meatspace, as meatspace lying is not
perfect. Thus, your belief in the validity of the statement _will_ leak, and
so telling you can never actually be zero-knowledge.

A proper ZK analog would be the company being prohibited from giving you a
signed statement saying they had said coverage, as if you were kidnapped the
kidnappers would force you to turn over this signed statement to know you
represent a nice payday. So they type out a statement, then sign it with an X
in front of you. If the kidnappers see this, they cannot be sure you didn't
just type up the statement and sign it with your own X - only you know it was
signed by the company.

But back in the physical world your kidnappers will just "prove" the fact to
themselves by beating it out of you. Which is why the K&R policy prohibits
_any_ sort of telling you, not just written - your _knowing_ is the liability.

------
exikyut
I don't have any suggestions, but I am _very_ curious what sorts of job
positions would require a K&R policy, just to better understand the
requirement. Vague/loose handwavy explanations welcome.

Thinking about it, perhaps it's to do with the location a person is in, and
the reputation that location may have.

Shipping comes to mind (the "actually being in location XYZ" part of the
transportation process), along with the fact that perhaps some at the
destination may want to hinder the receipt of whatever's being shipped

I can't come up with much else right now, although I'm very sure there are
many other reasons.

------
urmish
Title reminded me of this: Zero-knowledge proof:
[https://en.wikipedia.org/wiki/Zero-
knowledge_proof](https://en.wikipedia.org/wiki/Zero-knowledge_proof)

------
merinowool
Are you able to take such insurance yourself and ask employer to pay for it?

~~~
stevenAthompson
This is the best answer. This way if the insurance company is defrauded it's
only your own rates that increase, not the percent the company has agreed to
pay.

~~~
sardinaconsal
I think that answers is equivalent to the company not convering ransom and
kidnapping, is the employee who establish and pay such coverage. So
technically is a different problem.

------
jf-
To prove it? No. They could go off the record, and you should try this. You
should also try seeing if they will deny having the cover, which they likely
would not do in the event of having it.

However, this is probably down to common sense. If the pay and other benefits
are good, and it is common for companies of similar scale in the region to
have this cover, then they will have it.

------
sardinaconsal
This problem could be related to asymmetric information. In case that a huge
converage of K&R is known you become a valuable target for kidnappers so the
cost of the coverage should increase, so if the coverage is known the
insurance company could negate payment allegating that the ground rules has
changed.

------
Schultheiss
I think, this is actually easy, but my simple solution makes the assumption,
that both the job-offerer and the job-taker are smart people.

Here's how it goes: "To disclose something" is only a comprehensible term for
the citation of something that is disclosable. But it's get very blurry, when
you only paraphrase. It get's even more blurry at the point, where the
paraphrasing is chosen so smart, that only other very smart people can see,
that someone actually disclosed something. But: At a jury, you can play the
innocent and a little bit naive person, that didn't know what he _actually_
said. Since the people tend to say about a person "He's propably not that
smart, rather than naive!", because otherwise they would admit another person
is way smarter then them, you are save.

Compare it to those logic-puzzles where you have set of sentences given and
can derive a definitive answer by logical-deduction thru the interference of
the sentences only. That would be my approach.

------
rb808
Just ask them what protection or "insurance" they do have. If they say yes,
problem solved. Personally I think its immoral for companies to pay ransom
anyway, just means you're more likely to get kidnapped.

------
robertk
Secure multiparty computation. You both put in an input (I need the insurance
or I don’t; versus I provide the insurance or I don’t) and you only learn
whether the two preferences match.

~~~
nomdehn_180714
Once you know the answer, the legal agreement not to disclose has been broken.
It doesn't matter how you get there.

------
mabynogy
Spread the word by sending that to WikiLeaks or post it on 4chan.

------
matte_black
Build rapport, go off record, look them straight in the eye and ask them (and
in a quiet tone of voice to emphasize confidentiality)

If they trust you they’ll tell you. If they don’t they won’t. Now you can
decide based off of that if you want to pursue employment.

This is the best and easiest way I’ve gotten people to tell me things they
weren’t allowed to.

------
robertAngst
Humans can make human decisions.

I think the best way is likely Social Engineering/asking someone.

------
EGreg
I’m gonna go against most comments here and say YES. But you’re not gonna like
the method.

You have to get someone kidnapped. Or do it yourself.

Then see if it gets paid out.

In other words, when push comes to shove, do they pay out? That’s how you are
able to find things out that they won’t tell you. See for example Sherlock
Holmes yelling fire and Irene Adler revealing where her treasures are.

Just um, pay some people to hide an existing employee for a while, treat them
well, in fact provide a budget for them to be in on it and not try to escape,
but instead help make everyone believe they were kidnapped against their will.
If a person agrees you go with that person.

Then hope no one reads HN religiously at that company.

Of course, this is all theoretical. But - you asked.

~~~
exikyut
I like this idea, in theory. But it feels it aligns with the trend to apply
overkill to lots of real-world security scenarios nowadays.

I'm sure that in some situations this kind of approach would be up there on
the drawing board. _Lots_ of money pitted against unknown trust, or military
projects (the super-super expensive kind) immediately come to mind.

But even then, in the theoretical "high risk / untrustworthiness" scenario,
surely one payout event wouldn't provide enough confidence to predict similar
behavior in the future, and causing multiple events is suspicious enough you
wouldn't be able to rule out whether the adversary was paying out each time
because they'd caught on.

