Authentication Technologies and Their Privacy Implications:
Technology and Policy Foundations

Roger Clarke

Principal, Xamax Consultancy Pty Ltd, Canberra

Visiting Fellow, Department of Computer Science, Australian National University

Support materials for an invited presentation to the Symposium on 'Authentication Technologies and Their Privacy Implications', run by the Computer Science and Telecommunications Board (CSTB) of the National Academy of Sciences, Dulles Hyatt, Washington DC, 3-4 October 2001

Version of 26 September 2001

© Xamax Consultancy Pty Ltd, 2001

This document is at

It provides access to the Abstract, the slide-set supporting the presentation, and a comprehensive set of resources that underpin the presentation.


The perception is commonplace that e-business of all kinds, including e-commerce and e-government, is dependent on trust, and that trust can only arise if each party knows who the other parties are. This has resulted in a fascination with identification and identity authentication technologies. This, in turn, is seriously undermining privacy and ... trust.

The perception that identification in cyberspace is crucial if the potential of e-business is to be realised may be commonplace, but it is also seriously misguided. This presentation examines a collection of dangerous myths that pervade the immature e-business scene. It concludes with a series of propositions that offer a foundation for engendering trust in the conduct of transactions electronically.

The myths involve misunderstandings about the nature of identity, identification and authentication. They also involve a touchingly naive faith in the ability of cryptographic technologies to reach out beyond the world of bits and overcome real-world complexities and messiness. Of yet greater concern is that the myths involve abject failure to appreciate the enormous impacts of these mistaken assumptions and misguided technologies on values that societies cherish, such as privacy of personal data and personal behaviour, and personal sovereignty.

So serious are the deficiencies that conventional public key infrastructures, and current proposals for biometric applications, need to be entirely abandoned and re-thought. To be effective, and to be publicly acceptable, the requirements, the architecture and the design must all reflect not only the needs of government agencies and corporations, but also those of other stakeholders, and especially of the public who are expected to fall in line with its dictates.

Demands by organisations for individuals' identifiers must be tempered, and limited to circumstances in which the need has been publicly justified. The existing notions of identification and identity authentication must be complemented by the concepts of value authentication and attribute authentication without identity, persistent anonymity, protected pseudonymity, and nyms.


The presentation builds on a substantial base of prior work. Access is provided to those documents in an accompanying annotated bibliography.



Created: 21 September 2001

Last Amended: 26 September 2001

These community service pages are a joint offering of the Australian National University (which provides the infrastructure), and Roger Clarke (who provides the content).