Roger Clarke's Web-Site
© Xamax Consultancy Pty Ltd, 1995-2024
Roger Clarke **
Version of 30 September 2007, slide-set added 27 October 2007
Prepared as support material for 'What 'Überveillance' Is, and What To Do About It', for an Invited Keynote at the 2nd RNSA Workshop on the Social Implications of National Security, October 2007, University of Wollongong
© Xamax Consultancy Pty Ltd, 2007
Available under an AEShareNet licence or a Creative Commons licence.
This document is at http://www.rogerclarke.com/DV/SurvVign.html
The slide-set to illustrate the vignettes is at http://www.rogerclarke.com/DV/SurvVign-071029.ppt
This document contains brief outlines of a range of diverse surveillance schemes. They are drawn from a wide variety of sources and experience.
|Acute Health Care
|Staff Movement Monitoring
|Automated Number Plate Recognition (ANPR)
|Denial of Anonymity on Toll-Roads
|Freight Interchange-Point Monitoring
|Financial Transaction Tracking
|Consolidation of Agencies and Databases
|National Identification Schemes
|Monitoring of Human-Attached Chips
|Monitoring of Human-Embedded Chips
|Continuous Monitoring of Chips
|Biometrics and Foreigners
|Biometrics and Australians
In response to sudden infant death syndrome (SIDS), and to enable parents and health carers to spend time away from the side of the cot, several technologies have been developed or applied. One is the fairly crude mechanism of periodically or continuously transmitting sound or pictures of the baby to a speaker or screen close to the carer. Potentially more effective forms of surveillance include devices that detect delay in breathing or heartbeat, or movement, particularly of the abdomen.
Automated monitoring is performed in many acute health care environments, including ambulances, emergency wards and Intensive Care Units (ICU). The monitoring focusses on the patient's key physiological characteristics, such as the cardio-vascular system and respiratory function.
Alerts are programmed to draw staff attention to parameters that have moved outside pre-set limits. The limits are set variously by the machine manufacturer, the hospital administration, and the particular nurse for the particular patient. There are different intensities in the alert signals, so that the more urgent ones can stand out. Individual devices generate different sounds depending on the level of the alert and the make of the machine.
Examples of alerts for which different sounds may be generated include:
There are so many sounds, which are unique to each environment depending on machine makes and models, that even experienced nurses cannot recognise them all.
The devices keep bleating for attention, and they are attended to when the nurse needs them, or has a moment to address them. Any non-specialist visitors in the vicinity (or, much worse, concerned relatives visiting their loved ones) find the cacophony of alerts disturbing, and the apparent lack of attention to them even more so. The noise often drives the health clinicians mad, but most are also very useful.
Some of the serious alerts (such as those for respiratory and cardiac arrest) have been reproduced for other purposes (for example as ring tones on mobile phones), and startle off-duty nurses when they are heard outside the health care context.
Some employers issue staff with tokens, emblazoned with the staff-member's name, photograph and perhaps other information. Such tokens commonly include machine-readable storage (magnetic stripes, chips, or contactless / proximity chips), which may contain the same data as is on the face of the card, but may also contain additional data-items. Some employers impose tokens that are woven into the uniforms that they provide to staff.
Staff may be under instructions to wear or carry their token, and they may be required to present it at various control-points on the employer's premises or campuses. Alternatively, the monitoring may be active throughout an entire controlled area, rather than only at control-points.
Carriage and presentation may be enforced by denying movement between zones (e.g. because a door cannot be unlocked or a boom will not open) unless the (or a) person presents (or is at least wearing or carrying) their own (or someone else's) token.
In addition to access control, some of these schemes provide current-location information to a controller. This can be used for both service delivery (e.g. directing an incoming phone-call to the nearest extension) and control applications. Schemes that log transactions also support movement tracking, retrospective analysis of movements, and potentially even real-time predictive capabilities relating to the person's likely destination.
A variety of organisations conduct surveillance of a variety of different kinds of vehicles. For example, employers, road service organisations, third-party fleet management companies, insurers, regulatory authorities, or law enforcement agencies may monitor load-carrying vehicles, taxis and hire-cars, but also private vehicles.
Vehicle movements may be logged by having them automatically report when they pass control-points (e.g. the entrances and exits of industrial or port complexes and loading/unloading bays, but also convenient networks of locations such as traffic lights). Alternatively, an on-board GPS device can compute the vehicle's location, enabling it to report its own position.
Data transfer can be done by active means (e.g. a transmitter on board initiating a communication to some other device), or passive means (e.g. a transmitter on a collecting device initiating a response from the monitored vehicle). In addition, on-board devices may monitor and report the performance of the vehicle, its engine and/or its load.
Among the characteristics that are measured may be apparent average speed over a distance or a period of time, and aspects of driver performance, particular time spent at, and not at, the wheel. (Excessive time at the wheel of a load-carrying vehicle is a criminal offence, and excessive time not at the wheel may be against the interests of the vehicle's owner).
A speed detection device can trigger a camera to capture images of the numberplates of passing vehicles. The registration-code can be extracted using pattern-matching recognition in a manner similar to Optical Character Recognition (OCR) for documents. A closely-related application uses a timing-based trigger to capture photographs of cars that run red lights.
Such installations may be in a fixed place for an extended period of time; or they can be mobile; and they may be declared or covert. The use of covert cameras for detecting speeding infringements has been shown to be more effective than declared cameras in securing generally lower traffic speeds. However, the use of covert cameras, especially in what are apparently safe areas and locations, has the effect of creating public cynicism about the motivation for, and the reasonableness of, the surveillance.
Use of the photos, and of the data inferred from them (in particular vehicle registration data, location and time), may be limited to a specific traffic law enforcement purpose, or function creep may occur.
The technology used for speed cameras can be applied much more broadly, as Automated Number Plate Recognition (ANPR). The data arising from ANPR can be used to automatically generate charges for road-usage, and can be linked with vehicle-registration databases to despatch notices of non-payment violations.
ANPR can also be used to compare passing registration-numbers against a 'blacklist'. This could reflect, for example, cars that have been reported as being stolen (and whose numbers have not yet been deleted from the database), or cars that are subject to an alert because they are recorded as having been used in the past by a person who is the subject of personal surveillance. A 'hit' on the blacklist may be used merely to generate a record for future data-mining, or to trigger action by law enforcement agencies, e.g. to intercept the vehicle on the basis of the suspicion generated by the entry in the database.
An early form of ANPR has been used in N.S.W. for many years, to monitor the time spent on the road and the average speed of heavy goods vehicles, and, in combination with drivers' log-books, driver work-hours. It has also been surreptitiously applied to cars, without apparent legal authority and without public disclosure, let alone debate.
ANPR is coming into general use in the U.K. for private cars. Its application has been mooted by at least two State Governments in Australia, but without any sign of an impact assessment being conducted at all, let alone independently from the police force.
Use of public thoroughfares has always been essentially anonymous. Even on toll-roads, cash payment was available. Electronic payment was then added as an option. There are several ways in which anonymous electronic payment can be delivered, but most applications are either directly identified, or effectively identified because they involve credit-cards or debit-cards.
In recent years, some toll-roads have been permitted to rely on electronic payment mechanisms alone, and to remove all cash payment booths without providing an effective anonymous alternative. Melbourne CityLink appears to have been the first major thoroughfare in the world to deny anonymous travel. Sydney's M7 has been permitted to adopt the same approach. Neither company's web-site even addresses the question of anonymous payment.
The Privacy Commissioner has failed in her responsibilities under the Privacy Act s. 27 (1)(a)-(e) to ensure that breaches of the law, in this case of NPP 8, are avoided in the first place, or at least acted upon once they have occurred.
There are occasional instances of violence on railways stations. Railway authorities have installed successive rounds of more equipment, and nominally more sophisticated equipment. Much the same has happened in shopping malls, cinema precincts and city streets more generally.
There appear to be very few occasions on which a criminal is apprehended as a result of the surveillance, or in which images from CCTV are instrumental in 'solving' a crime or achieving a conviction. People intent on committing a crime take steps to avoid being recognised, and even where the perpetrator takes no such steps the quality of images that is practicably achievable is limited. The primary functions of CCTV in relation to crimes that have already occurred appear to be to provide media interest, and to convey the impression that law enforcement agencies are 'on the job'.
Some deterrent effects do appear to exist, but only in respect of the space that is known to be subject to surveillance. The undesired behaviour appears to be largely displaced to unmonitored locations. In addition, 'crimes of passion' are largely unaffected. Even the claims of deterrence within the monitored area are in many cases unjustified: "[o]ut of the 13 systems evaluated, 6 showed a relatively substantial reduction in crime in the target area compared with the control area, but only 2 showed a statistically significant reduction relative to the control, and in 1 of these cases the change could be explained by the presence of confounding variables" (Gill & Spriggs 2005). So in a study commissioned by one of the primary proponents, only 1 of 13 showed a statistically significant reduction.
Gill M. & Spriggs A. (2005) 'Assessing the impact of CCTV' Home Office Research Study 292, Home Office Research, Development and Statistics Directorate, U.K., February 2005
RFID tags can be used in supply chains from the manufacturer, via the transporter and wholesaler, to the retail oulet. This can provide benefits in stock control, for example where the goods are highly valuable, or where recalls may arise.
The RFID-tags may be left on the goods beyond the cash-register, in order to achieve a link between a category of product, or even a specific instance of a product, and the purchaser. This can be done openly or surreptitiously. And it can be done consensually, or pseudo-consent can be gained through coercion, or it can be imposed by the supplier, or it can be mandated by law.
The data arising from this form of surveillance can be used for a variety of purposes, such as after-sales service, consumer profile construction, consumer marketing, consumer tracking, and in the case of goods carried by the consumer (such as clothing) consumer association with a brand or style.
Goods monitoring is also applicable to dangerous materials, such as fissile material, explosives, materials that can be used to manufacture explosives, highly flammable materials (such as avgas), and to goods controlled for other reasons, such as pharmaceuticals particularly opium and coca derivatives. It is challenging to monitor bulk materials by means of RFID tags; but they are readily applied to storage facilities and containers.
Locations in which goods are loaded, unloaded, and switched from one mode to another, may be subject to surveillance. This is particularly the case with loads that are intrinsically dangerous, or of high-value.
Such monitoring can assist in managing risks such as theft (of the load), pilferage (of some of the load), the introduction of additional materials into a load, tampering with the load, sabotage of the load, and insertion of an unauthorised load.
In association with this form of monitoring, the staff who are involved may be subject to various forms of indignity, including video-surveillance and recording while on the job, searches on completion of a shift, and 'positive vetting' by a government agency or private investigator as a condition of employment.
In the late 1980s, the Australian Government copied a US initiative and created what is now known as Austrac, to gather financial transaction data from financial institutions. The scheme was supposed to be a weapon against the drugs trade. Its justification has drifted with the fashions of the times, via money-laundering by organised crime, to the financing of terrorism.
There is very little evidence that it has ever delivered any benefits. But, rather than curtailing its activities, the Government and Parliament have submitted to the blandishments of law enforcement agencies, and have successively extended the scheme's scope.
The most recent iterations have been simply scandalous, and completely beyond the boundaries of what a free society should be permitting. Under the 2006 'Anti-Money-Laundering and Counter-Terrorism Financing' Act (AML-CTF), financial institutions are now required to actively intrude into their customers' privacy in order to comply with 'Know Your Customer' (KYC) provisions, for reasons unrelated to banking; and to be actively suspicious about their customers, for reasons unrelated to the business relationship.
Yet worse, amendments introduced in 2007 propose to extend this to a range of small businesses, including real estate agents, financial planners, and jewellers. Business enterprises, large, and now small, are being forcibly enlisted into the business of spying on their customers. This is a pattern associated until now only with repressive regimes such as East Germany under the Stasi, and the People's Republic of China. It is extraordinary that Parliament could permit such a breakdown of the boundaries between the public and private sectors, and grant such extraordinary power to the national security and law enforcement apparatus.
Meanwhile the mainstream mandarins have mounted a sustained campaign over more than 20 years, in an endeavour to develop a centralised scheme for the storage of personal data.
The centrepiece of the Australia Card proposal was a new database that the Health Insurance Commission wanted to be the hub of the centralised databank. When that was rebuffed, senior executives of the then Department of Social Security grasped their opportunity. They leveraged off DSS's substantial database and processing capabilities to morph it into Centrelink - a central government agency through which all of the c. 100 benefits paid by a score of agencies are funnelled. The organisation thereby became the hub database for the 25-35% of the Australian population who are recipients of some kind of benefit.
The next step in the process was the formation of a mega-ministry, currently called Human Services. Its purpose was to link Centrelink with the old Health Insurance Commission (now re-badged as Medicare). This, if it is allowed to be successful, would pool the resources of the two. Medicare covers virtually 100% of the population, because it is (or its core business is) the nationalised insurer.
Meanwhile, the 'Medicare' tag is being used in an attempt to broaden the agency's scope from health insurance to health data administration. The HealthConnect scheme adopted a centrist philosophy, but failed. The current NEHTA scheme is also being drifted from its initial federation and 'inter-operability' approach back towards the simplistic centrism that seems to be all that the mandarins are capable of understanding.
A further leg of the centralist agenda is the play by the Australian Bureau of Statistics (ABS) to become the national databank consolidator. In 2006, ABS corrupted the Census by keeping in an identified form data relating to 1 million Australians. The ABS intends firstly linking all future returns into that pool of data, and secondly drawing data from the administrative collections of government agencies. The breach of trust with the Australian public will render the census inoperable within a few years. But this is of no consequence to the mandarins, because by then the agency's philosophy will have been switched from a trustworthy collector of original and unidentified data to a backroom consolidator of data from other databases.
The limited privacy law that was created in the late 1980s has already been undermined to the extent that the emergent consolidated databases are available to any agency that wants them. In any case, national security and law enforcement agencies are above the law in multiple senses, being exempt from privacy laws, being not subject to sanctions when they breach such limited constraints as do exist, and having been granted in recent legislation specific immunity for particular breaches.
The tracking of financial transactions and the consolidation of personal data from multiple sources is only effective if individuals are constrained to a single general-purpose identity.
The first serious attempt at this was Australia Card Mark I (1985-87). It failed, because a very large proportion of the public emphatically opposed it once it became clear what it was.
In the ensuing years, the pre-existing Tax File Number (TFN) was expanded in scope. Successive Ministers and Prime Ministers breached their undertakings, and the scope was extended well beyond the boundaries that had been agreed at the end of the Australia Card debacle.
In the years following that, the Centrelink Access Number (CAN) was developed as an identifier that enables the inter-linking of data from multiple agencies involved in benefits payments.
Several attempts have been made to coordinate the driver's licence numbers issued by the States and Territories into a reliable national scheme, but this usually founders on inter-jurisdictional jealousies.
The natural next step is the 'Access Card', better understood as Australia Card Mark II. This is at heart a hub-database and a general-purpose identifier. (The card is, as always, a minor part of the overall scheme). The foundation element of the scheme would be registration interviews in which each individual would be effectively challenged to claim an existing identity recognised in government databases. To meet that challenge, every individual would have to respond to demands for documents, would be restricted to the use of just one identity approved by the government (possibly even a name that is dictated by the government), and would be required to use that single identity across all agencies. Services would become dependent on the acquisition, carriage and presentation of the card.
The Australian public, once it appreciates what the 'Access Card' actually is, will reject it as emphatically as they did its predecessor.
The miniaturisation of computers and storage has long since reached the point that small but quite powerful chips can be fitted into various carriers. The plastic-card-with-chip (often referred to as a 'smart card') has made very slow progress since its invention in 1974 and its initial deployments in the late 1980s. But suppliers are currently trying again, and this time they are attracting a little more interest from the major players: financial institutions and government agencies.
In addition to plastic cards, other carriers are possible. The chips used in 'contactless cards' are also used in 'RFID tags', which are appropriate for goods, and have been woven into clothing. A closely-related technology referred to as Near Field Communication (NFC) is being built into mobile phones.
This kind of chip has an antenna in which current can be induced by movement through a magnetic field, enabling transmission of a small amount of data, including the chip's unique identifier. Often the identifier of the chip, when combined with the location of the device that picked up the signal, is all that needs to be collected.
Various categories of livestock in the EU and the USA have been subject to imposed identification requirements from the early 1990s onwards. In Australia, a National Livestock Identification System (NLIS) exists. Breeding stock in particular have been commonly identified using tail-tags or ear-tags.
Humans have been subjected to the same technology as animals. The same kinds of chips have been installed in anklets and wristlets. These have potential application for people suffering senile dementia, and perhaps patients during pre-operative, operative and post-operative phases of their treatment. They have been imposed on several other categories of institutionalised people, in particular prisoners, and prisoners on parole. In the US, it appears that it is even being used for people who are on remand, as a substitute for bail or a supplement to it.
The actual use of the chips is varied. For a person in a relatively open senile dementia ward, for example, they could be used to raise alerts if the person approaches a perimeter, or has been immobile for a long period in an unusual location (e.g. neither their bed nor a sitting-room).
For prisoners, parolees and (in the US) people on remand, the intensity of the surveillance can range from occasional automated 'reporting in', via obligatory intentional reporting in by placing the device close to a fixed reader, to detection at the perimeter of areas of permitted movement.
Reports have suggested that, in the USA, in excess of 100,000 parolees and the remandees are wearing them, so the volume of data generated is vast. From the viewpoint of the person forced to submit to them, the intrusions can vary from mild to excruciating. A recent report on a 'celebrity' remandee (Lisa Nowak, a sometime NASA pilot), showed how utterly degrading the process can be.
The kinds of chips in contactless chip-cards, RFID tags, and wristlets and anklets, have also been implanted directly into animals. A primary application has been for pet dogs and cats, to enable the return of lost animals to their owners. The conventional location for implantation has been the neck. One such service goes under the disarming brandname of Life Chip. In the livestock arena, moves are under way to migrate the chips from external tags to embedded ones.
Consensual implantation of chips in humans appears to have begun with a self-publicist academic who used it to open doors (in Reading UK). That was followed by fashion-driven implantation for access to a night-club (in Madrid).
Staff in a few companies (in the USA) and a government agency (in Mexico) have been enveigled into agreeing to the implantation of 'contactless chips' into their bodies.
Non-consensual applications have been touted in institutions of various kinds. In addition to prisoners, an often-mentioned category is senile dementia patients. It has been promoted as a means of patient management in hospitals.
The monitoring patterns would appear to be comparable to those for Human-Attached Chips, with the primary differences being the 'convenience' and non-visibility, the permanency, and the difficulty of removing it or suppressing its behaviour. These work variously to advantage (in some circumstances to some extent of the implantee, but mainly of the person doing the monitoring) and to disadvantage (almost entirely of the implantee, particularly in terms of the increased servility it entails).
The above discussions of human-attached and human-embedded chips assumed the monitoring activities to be sporadic or periodic, episodic and in any case occurring only within a limited span of time. It need not be so.
The ACT Government has stated its intention that the Territory's new prison, currently under construction, will use RFID tags to track prisoners. The scheme appears to involve permanent monitoring of all inmates, throughout the complex, every 2 seconds. It further appears that data is to be logged. It is therefore a means firstly of remote, automated power over prisoners, and secondly of enabling retrospective analysis and investigation.
Such effectively continuous and permanent surveillance is far less human even than the (often seriously unpleasant) relationships between prisoners and warders. It represents comprehensive denial of freedom, and comprehensive ceding of power to the surveillance organisation.
Permanent surveillance of prisoners was rejected in the late eighteenth century, in part because it was regarded as inhumane. At that time, the means was visual, in the form of Bentham's 'panopticon'. The current proposal represents an even more insidious form of observation, because it is unseen, unrelenting and not equilibrated by any human element.
Such blanket electronic surveillance is unprecedented in Australia. This is a form of human degradation, rather than part of a plan to prepare prisoners for a positive return to life in the community. It would undermine the rehabilitation of offenders - even though the facility has been designed to house many who are due to be released back into the community in the near future. That in turns threatens public safety.
Further, the imposition of such a gross surveillance mechanism would set a precedent for the treatment of some people like cattle, pet dogs or pallets full of goods for sale, in, of all jurisdictions, the first in Australia to implement a Human Rights instrument.
Biometrics, or measurements of some aspect of the human person or their behaviour, brings with it a vast array of intrusions into civil rights and privacy.
The Australian Parliament has legislated to impose biometric requirements on refugees, on applicants for visas, and on people infringing national boundaries (mainly fishermen). These powers have been subject to little or no consultative processes.
Aliens have almost no protections under Australian law, and refugees in particular are in a desperate state, and will concur with anything that a potential host-nation demands of them.
The collection of biometrics is an invasion of the physical person, acquiring something that is 'of' them, and in many cases imposing on a person's movements in such ways as demanding placement of the hand, thumb or eye in a zone dictated by an authority.
Biometrics schemes are technically very challenging, because it is very difficult to capture measurements reliably. Some biometrics may embody personal data, at least in the case of DNA. Biometrics create serious security problems, because the characteristics that are measured are not something that can be kept a secret. They can be captured surreptitiously and in some cases without the person being present (e.g. latent fingerprints, and body tissue and fluids).
A person's physical characteristics are unchangeable. This leads to seriously problematical risks such as 'entity fraud' (masquerade by someone using an artefact designed to replicate a person's biometric), the planting of evidence, and even the prospect of outright 'entity theft'. Recent concerns about 'identity fraud' and 'identity theft' pale to very little in comparison with such prospects.
Despite these enormous concerns, a number of applications of biometrics have emerged, including workplace bundying-on/off, building access control, electronic access control (for logging on and off computer systems), device (PC and phone) locking/unlocking, and prison-visitors.
In the area of DNA, voluntary provision lasted a mere decade. The State has begun giving itself enormous powers to gather DNA, initially from long-term prisoners, then from prisoners, and most recently from arrestees. Protections that had been developed over many decades in relation to fingerprints have been ignored. The slippery slope from freedom to State control has been measured in a few short years.
Before the early 1920s, documents such as letter from a patron were useful in crossing national borders, but not necessary. The international passport system was established in a climate of mass movements of displaced persons following World War II. It became increasingly common for governments to demand documents that evidenced a person's nationality. Passports have since been converted into a near-universal requirement for international travel.
Government agencies sustained the 'managed hysteria' opportunity presented by the post-September 2001 terrorism threat in order to arrange parliamentary approval for a raft of changes to the Australian passport scheme. These swept away decades of case law, reduced the rights of citizens in relation to passports, and established a new form of passport that embodies various technologies.
The new document includes a contactless chip, which contains at least the same personal data as the printing on the document and the previous magnetic-stripe, but in a form that is machine-readable provided that the reader has access to a cryptographic key. There remain doubts about its security.
The legislation granted freedom to the Passports Office to implement biometrics, in whatever manner it sees fit, subject only to convincing their own Minister of the day. This was done in such a manner as to avoid even mentioning the word or concept of biometrics. This represents an extraordinary delegation of power to public servants.
At this stage, the agency has implemented only a low-integrity scheme based on so-called 'facial recognition' technology. The very probable failure of the scheme will be available as an excuse to implement successive biometric schemes, progressively creating a government-controlled pool of biometrics of Australians, available for sharing with friendly governments and other 'strategic partners'.
The biometric passport, coupled with the reduced rights, represent a leap in the power of the State over individuals. The passport has been transformed into a general identity document, with apparently enhanced credibility through the inclusion of a biometric element. This creates the risks of wider permeation of biometric identifiers, and of function creep towards use of passports in circumstances other than at national borders. The ability of the agency to achieve the wide and uncontrolled powers that it has, without so much as the pretence of public consultation, augurs very ill for the survival of freedom of anonymous movement within the country's borders.
In general, identification has not been required in order to travel within free countries in the past. Other than during World War II, public areas have almost never been blocked to public access, although exceptions have arisen, such as the occasional visits of security-hypersensitive US Presidents, that result in 'lock down' of segments of major cities and of major arteries in order to give free passage to privileged 'motor-cades'.
In the air travel industry, the practice grew up during the second half of the 20th century of requiring that tickets carry the identity of the person they were purchased for. The reason for this had nothing to do with security. It was an endeavour to avoid the emergence of a secondary market in tickets, and hence ensure that all of the revenue that could be extracted from air travellers went to the airline.
In recent decades, national security and law enforcement agencies have leveraged off the identification carried on air-tickets for commercial reasons, and sought to impose a requirement for air-travellers to identify themselves. The US in particular has created specific barriers not only against anonymous domestic air-travel, but also against travel by individuals who appear to use the same name as a person of interest (the so-called 'no fly' lists). This has led to quite ridiculous false positives, including Yusuf Islam (once known as Cat Stevens), and US Senator Ted Kennedy. The 'no fly' list has had many failures, yet very little success.
Anonymous travel has always been a feature of road travel, but this has been seriously compromised by toll-roads that demand identified forms of payment. The first was Melbourne CityLink, but three segments in Sydney have also recently become identified-payment-only roads. The problem is compounded by the 'public-private partnership' nature of these 'public infrastructure' operations. This seriously compromises data protections, because each has access to data properly available only to the other, and the schemes impose criminal sanctions in respect of civil matters.
There has also been plenty of scope for anonymity with public transport ticketing, compromised only in such cases as long-term season tickets, typically for a year, and in some cases for heavily-discounted tickets, particularly for people with disabilities. Schemes that are currently being trialled (mostly unsuccessfully) in N.S.W. and Victoria appear to deny a practicable anonymous option, and perhaps any anonymous option at all.
These together conspire to create a context in which individuals can be tracked and located through domestic transport infrastructure. In short, constraints are being enabled that were hitherto only implemented in seriously un-free countries like apartheid-era South Africa and the Soviet Union.
It is reasonable to expect that 'control orders', having survived the test of constitutionality, may be a testing-ground for extra-judicial constraints on travel.
Many kinds of services involve positive discrimination, in that they are only available to particular individuals, or individuals who satisfy particular eligibility criteria. Typical of these are seniors' discounts and disabled parking.
One form that has already been implemented on occasions is entrance monitoring. For example, some individuals may be denied access to sporting or entertainment venues, particularly fans / patrons who have previously exhibited undesirable behaviour at that or a similar venue. It has been claimed that casinos use so-called 'facial recognition' technology to detect problem gamblers banned from the premises (including both those who are problems for themselves or their families because they are compulsive, and those who are problems for the casino because they are effective).
Mechanisms already exist whereby a great many services could be denied to specific individuals. International travel is tightly regulated, and various categories of people are denied access to it (e.g. the stateless, and those whose country refuses to issue with a passport or 'exit visa', or whose passport has been withdrawn or surrendered). In the USA, domestic air travel is denied to many people who either refuse to provide evidence of identity or whose names are the same as names on the 'no-fly' list. The increasing preclusion of anonymous travel on Australian roads and public transport systems creates a vast array of possibilities for service denial. So do the tight identification requirements in the financial services sector.
An Australian Government initiative in 2007 changed welfare distribution mechanisms for aboriginals in the Northern Territory to limit the use of a substantial proportion of the payments to specific categories of consumer items. It would have been unreasonable to expect that the scope of negative discrimination and service denial would be restricted to aboriginals. Any form of welfare payment may become subject to diktat of such kinds. A Parliamentary Committee Recommendation emerged within weeks of the N.T. legislation passing, proposing similar measures for benefits-recipients with drug habits.
Many other possibilities exist. For example, security clearances, which in a few short years have exploded from a narrow category of occupations to a vast array of paid and even unpaid positions, can readily be used as the means for denying access to locations and services.
A further step available to a powerful State is to deny a person legitimate existence. The notion was pioneered by John Brunner's 'The Shockwave Rider' in 1975, and popularised in a film in the 1990s, 'The Net'. It has physical parallels in refugees without documentation stranded in airports, and in the Pacific Island 'solution' for 'boat people'.
Roger Clarke is Principal of Xamax Consultancy Pty Ltd, Canberra. He is also a Visiting Professor in the Cyberspace Law & Policy Centre at the University of N.S.W., a Visiting Professor in the E-Commerce Programme at the University of Hong Kong, and a Visiting Professor in the Department of Computer Science at the Australian National University.
His primary consultancy expertise is in eBusiness and information infrastructure. He is also a longstanding privacy researcher, consultant, and advocate. He has been a Board member of the Australian Privacy Foundation since its inception in 1987, and is currently its Chair.
The content and infrastructure for these community service pages are provided by Roger Clarke through his consultancy company, Xamax.
From the site's beginnings in August 1994 until February 2009, the infrastructure was provided by the Australian National University. During that time, the site accumulated close to 30 million hits. It passed 65 million in early 2021.
Sponsored by the Gallery, Bunhybee Grasslands, the extended Clarke Family, Knights of the Spatchcock and their drummer
Xamax Consultancy Pty Ltd
ACN: 002 360 456
78 Sidaway St, Chapman ACT 2611 AUSTRALIA
Tel: +61 2 6288 6916
Created: 10 August 2007 - Last Amended: 27 October 200 by Roger Clarke - Site Last Verified: 15 February 2009
This document is at www.rogerclarke.com/DV/SurvVign.html