Roger Clarke's 'PLT Characteristics'
Roger Clarke
Principal, Xamax Consultancy Pty Ltd, Canberra
Visiting Fellow, Department of Computer Science, Australian National University
Version of 30 October 1999
© Xamax Consultancy Pty Ltd, 1999
This document is at http://www.rogerclarke.com/DV/PLTApp.html
This document is an Appendix to the author's paper on Person-Location and Person-Tracking, published in Information Technology and People.
This Appendix presents a tentative analysis of the characteristics of
person-location and person-tracking technologies that influence their degree of
privacy-intrusiveness.
Measurements of location are frequently generated when a transaction occurs. A
transaction is a representation in data of a relevant
real-world event. The data is captured into a
record, which is stored in a
database, which is operated by one or more organisations, and
used by, disseminated to, and accessed by, one or more organisations or
individuals.
Records vary in relation to:
- the 'data-intensity' with which they support location and
tracking. Data-intensity has at least the following dimensions:
  - the frequency with which records arise for a given
  individual; and
  - the information-content that the technology gives rise
  to. In some cases, this may be no more than the presence of an entity at a
  location at a particular time. In other cases, the record may also disclose
  the nature of an interaction (e.g. the transaction-type and/or the
  conversation-partners), while in others the substantive content may be evident
  (e.g. the goods or services purchased, or the communications between the
  conversation-partners);
- the data quality, including the precision of timing, and
the reliability of the identifying and other data. Quality depends also on the
extent to which records, and data contained within records, are capable of
being 'spoofed', i.e. generated spuriously, or generated with
misleading identifiers, or with misleading content. This raises in turn the
question of the authentication of identifiers, of date-time
stamps, and of data (Clarke 1996b, Greenleaf & Clarke 1997, Clarke 1998d);
- the timeliness of the data, i.e. the delay between the
event and the availability of the transaction data representing the event;
- the persistence of the data, i.e. the period during which
the records are retained in an identifiable format;
- the accessibility of the data:
  - for the purposes for which it was collected;
  - for purposes other than the ostensible and apparent purpose of collection;
  and
  - by individuals, organisations and organisational sub-units other than the
  collector; and
- the precision of the personal identifier or identifiers
associated with the data. A direct identifier of an individual may be
involved, or it may be indirect or pseudonymous. An identifier may be limited
to a specific purpose; or used for multiple purposes by multiple
organisations; or, in the most privacy-threatening case, it could be a
general-purpose identifier (Clarke 1994c, 1997d).
Additional factors that determine the privacy-invasiveness of location and
tracking activities include the following:
- whether the generation of a record is a byproduct of some other
activity, or involves a special-purpose transmission. Some records
arising from a particular event may be regarded by the individual as
legitimate, and others may not. Transmissions generated entirely, or
primarily, for the purpose of location and tracking are likely to be viewed
with even greater scepticism;
- the extent to which the individual is aware that a record
arises from a particular kind of event, or that a transmission is generated as
a byproduct of such an event. The person may know that to be the case, e.g.
people are generally aware that a credit-card or debit-card payment results in
a transmission to the relevant financial institution. In other circumstances,
the person may be quite unaware that a transmission arises, because many
technologies are, incidentally or intentionally, surreptitious;
- the extent to which the individual has a choice as to
whether a record is made or a transmission arises;
- the extent to which the individual has given free, meaningful and
informed consent to the transmission of location or tracking data, and
to the making of a record arising from it. In some circumstances, consent can
reasonably be inferred, e.g. where the person has requested the action;
- the extent to which the individual has the opportunity to
undertake the transaction anonymously. The vast majority of
transactions have hitherto been undertaken anonymously, or without generating a
record. Individuals have an interest in sustaining that situation, and denying
governments, corporations, and other individuals the ability to locate and
track them;
- the inherent intrusiveness of the mechanism. A token,
such as a tag or card, raises concern; but the use of some aspect of the
person concerned, such as a biological characteristic or biodynamic
behaviour-pattern, is much more sinister; and
- the infrastructure necessary to support the location or
tracking activity. At one extremity, this may be substantial, expensive and
specialised, such that an effective economic disincentive acts to protect
privacy. At the other, the infrastructure may already be in place, and the
additional effort and cost to implement location and tracking applications may
be trivial, in which case privacy is easily assaulted. Between these two
extremes are infrastructures established for other purposes, but which have
been enhanced or subverted to serve surveillance purposes.
Created: 28 June 1999 - Last Amended: 30 October 1999 by Roger Clarke - Site Last Verified: 15 February 2009