Principal, Xamax Consultancy Pty Ltd, Canberra
Visiting Fellow, Department of Computer Science, Australian National University
Version of 8 April 1998
© Xamax Consultancy Pty Ltd, 1998
This document was prepared for Centrelink. Its purpose was to support the consultation process between Centrelink and privacy advocates, during a project that was intended to lay the foundations for a variety of projects for Centrelink's client agencies which were anticipated to involve smart cards.
This is chapter 8 of an 8-part document whose contents-page is at http://www.anu.edu.au/people/Roger.Clarke/DV/SCTISK.html
Smart cards can have substantial, negative effects on privacy. Exhibit 3 summarises concerns that arise in the context of financial services. These matters are examined in detail in Clarke (1996, at 2.2 (a)-(d)).
In addition, more general concerns arise, which relate to the question of identification and authentication of identity. Exhibit 4 summarises them. These matters are examined in detail in Clarke (1994), Clarke (1996, at 2.2 (e)-(f)) and Clarke (1997).
Clarke R. (1994) 'Human Identification in Information Systems: Management Challenges and Public Policy Issues' Information Technology & People 7,4 (December 1994) 6-37
Clarke R. (1996) 'Privacy Issues in Smart Card Applications in the Retail Financial Sector', in 'Smart Cards and the Future of Your Money', Australian Commission for the Future, June 1996, pp. 157-184
Clarke R. (1997) 'Chip-Based ID: Promise and Peril', Proc. Int'l Conf. on Privacy, Montreal, September 1997
An anonymous record or transaction is one whose data cannot be associated with a particular individual, either from the data itself, or by combining the transaction with other data. A great many transactions that people undertake are entirely anonymous, including barter transactions, visits to enquiry counters in government agencies and shops, telephone enquiries, cash transactions such as the myriad daily payments for inexpensive goods and services, gambling and road-tolls, and treatment at discreet clinics, particularly for sexually transmitted diseases.
An identified record or transaction is one in which the data can be readily related to a particular individual. This may be because it carries a direct identifier of the person concerned, or because it contains data which, in combination with other available data, links the data to a particular person. There is a current tendency for organisations to try to convert anonymous transactions (e.g. visits to counters, telephone enquiries and low-value payments) into identified transactions. The privacy interest runs emphatically counter to attempts to convert anonymous transactions into identified ones.
Beyond anonymous and identified transactions, an additional alternative exists. A pseudonymous record or transaction is one that cannot, in the normal course of events, be associated with a particular individual. Hence a transaction is pseudonymous in relation to a particular party if the transaction data contains no direct identifier for that party, and can only be related to them in the event that a very specific piece of additional data is associated with it. The data may, however, be indirectly associated with the person, if particular procedures are followed, e.g. the issuing of a search warrant authorising access to an otherwise closed index.
Two techniques closely related to pseudonymity are:
An important application of pseudonymity is the use of information technology to support multiple digital personae. Under such arrangements, a person sustains separate relationships with multiple organisations, using separate identifiers, and generating separate data trails. These are designed to be very difficult to link, but, subject to appropriate legal authority, a mechanism exists whereby they can be linked.
In addition, a person may be able to establish multiple relationships with the same organisation, with a separate digital persona for each relationship. This may be to reflect the various roles the person plays when they interact with that organisation (e.g. contractor, beneficiary, customer, lobbyist, debtor, creditor). Alternatively, it may merely be to put at rest the minds of people who are highly nervous about the power of organisations to bring pressure to bear on them.
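As an added illustration of the pseudonymity and digital-persona arrangements described above (example code, not part of the original document and not a scheme the document itself describes): each relationship a person holds gets a pseudonym derived by a keyed hash (HMAC-SHA-256) under a key held only by the holder of a closed index. The key, the person identifier, the organisation names and the Warrant type are constructed assumptions for the demonstration. Without the key, trails at different organisations (or in different roles at one organisation) cannot be joined; with a warrant naming one pseudonym, the index-holder resolves that pseudonym only. For contrast, an unkeyed hash of the identifier yields an opaque-looking value that is nonetheless common to every organisation and joins trivially.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Added example: per-relationship pseudonyms backed by a closed index.
# The key, identifiers, organisations and Warrant type below are constructed
# for the demonstration and are not taken from the original document.

# Constructed demo key. In a real scheme only the index-holder would hold it,
# and it would never be disclosed to the organisations relying on pseudonyms.
INDEX_KEY = bytes.fromhex("a1" * 32)


def derive_pseudonym(index_key: bytes, person_id: str, organisation: str, role: str = "") -> str:
    """Pseudonym for one relationship (person, organisation, role).

    The HMAC key is the 'very specific piece of additional data': without it a
    pseudonym is indistinguishable from random, so trails at different
    organisations, or in different roles at one organisation, cannot be joined.
    """
    message = "\x1f".join([organisation, role, person_id]).encode("utf-8")
    return hmac.new(index_key, message, hashlib.sha256).hexdigest()


def common_identifier(person_id: str) -> str:
    """Contrast: an unkeyed hash. It looks opaque but is identical at every
    organisation, so it is a shared identifier, not a pseudonym."""
    return hashlib.sha256(person_id.encode("utf-8")).hexdigest()


@dataclass(frozen=True)
class Warrant:
    """Constructed stand-in for the legal authority that opens the closed index."""
    pseudonym: str
    issued_by: str


class ClosedIndex:
    """Holds the only link between pseudonyms and people; opened per warrant."""

    def __init__(self, index_key: bytes):
        self._key = index_key
        self._entries: dict[str, tuple[str, str, str]] = {}

    def issue(self, person_id: str, organisation: str, role: str = "") -> str:
        pseudonym = derive_pseudonym(self._key, person_id, organisation, role)
        self._entries[pseudonym] = (person_id, organisation, role)
        return pseudonym

    def resolve(self, pseudonym: str, warrant: Warrant) -> tuple[str, str, str]:
        # A warrant names one pseudonym; it does not open the whole index.
        if warrant.pseudonym != pseudonym:
            raise PermissionError("warrant does not cover this pseudonym")
        if pseudonym not in self._entries:
            raise KeyError("unknown pseudonym")
        return self._entries[pseudonym]


def join_trails(records_a: list[dict], records_b: list[dict]) -> list[tuple[dict, dict]]:
    """What an outsider holding two organisations' records can do: join them on
    the identifier field. Keyed pseudonyms give no matches; a common identifier does."""
    by_id = {r["id"]: r for r in records_a}
    return [(by_id[r["id"]], r) for r in records_b if r["id"] in by_id]


def demo() -> dict:
    index = ClosedIndex(INDEX_KEY)
    person = "person-0001"  # constructed identifier, known only to the index

    # One persona at agency_a, and two role-specific personae at agency_b.
    p_a = index.issue(person, "agency_a")
    p_b_beneficiary = index.issue(person, "agency_b", role="beneficiary")
    p_b_contractor = index.issue(person, "agency_b", role="contractor")

    # Records as each organisation would hold them (constructed).
    keyed_a = [{"id": p_a, "txn": "payment"}]
    keyed_b = [{"id": p_b_beneficiary, "txn": "claim"}, {"id": p_b_contractor, "txn": "invoice"}]
    naive_a = [{"id": common_identifier(person), "txn": "payment"}]
    naive_b = [{"id": common_identifier(person), "txn": "claim"}]

    warrant = Warrant(pseudonym=p_a, issued_by="court")
    return {
        "distinct_personae": len({p_a, p_b_beneficiary, p_b_contractor}),
        "keyed_joins": len(join_trails(keyed_a, keyed_b)),
        "naive_joins": len(join_trails(naive_a, naive_b)),
        "resolved": index.resolve(p_a, warrant),
    }


if __name__ == "__main__":
    print(demo())
```

The design point is that pseudonymity is a property of the key management, not of the hash: the moment the same unkeyed value appears in two organisations' data, the trails are linked by anyone who holds both, which is exactly the "combination with other available data" route to identification described above.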
Smart cards are capable of being used as a means of sustaining anonymity or pseudonymity in transaction systems.
The section above is a revised extract from
Clarke R. (1997-) 'Introduction to Dataveillance and Information Privacy, and Definitions of Terms'
Further details on anonymity and pseudonymity are provided in Clarke (1996).
Further details on the digital persona are in Clarke (1994).
Further details on applications of smart cards in support of anonymity and pseudonymity are in Clarke (1997).
Clarke R. (1996) 'Identification, Anonymity and Pseudonymity in Consumer Transactions: A Vital Systems Design and Public Policy Issue' Proc. Conf. 'Smart Cards: The Issues', Sydney, 18 October 1996
Clarke R. (1994) 'The Digital Persona and its Application to Data Surveillance' The Information Society 10,2 (June 1994)
Clarke R. (1997) 'Chip-Based ID: Promise and Peril', Proc. Int'l Conf. on Privacy, Montreal, September 1997
Clarke R. (1997-) 'Introduction to Dataveillance and Information Privacy, and Definitions of Terms'
Greenleaf and Clarke (1997) identify and examine the following impacts of digital signature technology on privacy:
Greenleaf G.W. & Clarke R. (1997) 'Privacy Implications of Digital Signatures' Proc. IBC Conf. on Digital Signatures, Sydney, 12 March 1997
Because chip-cards are programmable, the design of schemes that incorporate them is capable of being highly privacy-invasive, highly privacy-protective, or anywhere in between, depending on the motivations driving the design. This section examines their potential for use as a 'privacy-enhancing technology'.
Ways in which smart cards can be used as a privacy-protective measure include:
Additional considerations in the design of smart card schemes include providing individuals with a significant degree of control, through such measures as:
Great care is needed with schemes that tend to break down the segregation, such as:
The section above is a revised extract from
Clarke R. (1997) 'Chip-Based ID: Promise and Peril', Proc. Int'l Conf. on Privacy, Montreal, September 1997
Clarke R. (1997) 'Chip-Based ID: Promise and Peril', Proc. Int'l Conf. on Privacy, Montreal, September 1997
Davies S. (1992) 'Big Brother: Australia's Growing Web of Surveillance' Simon & Schuster, Sydney, 1992
Davies S. (1996) 'Monitor: Extinguishing Privacy on the Information Superhighway', Pan Macmillan Australia, 1996
EPIC (1995-) 'National ID Cards', Electronic Privacy Information Center, Washington DC
Foucault M. (1977) 'Discipline and Punish: The Birth of the Prison' Peregrine, London, 1975, trans. 1977
NSWPC (1995) 'Smart Cards: Big Brother's Little Helpers', The Privacy Committee of New South Wales, No.66, August 1995
Privacy International (1996) 'Privacy International's FAQ on Identity Cards'
Created: 14 July 1998
Last Amended: 14 July 1998
These community service pages are a joint offering of the Australian National University (which provides the infrastructure), and Roger Clarke (who provides the content).
Roger Clarke, Visiting Fellow, Faculty of Engineering and Information Technology, The Australian National University, Information Sciences Building Room 211
Xamax Consultancy Pty Ltd, ACN 002 360 456, 78 Sidaway St, Chapman ACT 2611, AUSTRALIA. Tel: +61 2 6288 1472, 6288 6916