Privacy Law and Policy Reporter
This joint publication by the Ontario and Dutch privacy agencies (its recommendations are described briefly in 2 PLPR 136) is notable for two reasons. It is a first in terms of the published results of a joint project between two privacy agencies - a welcome precedent that could usefully be followed more often to share the expertise and all too limited resources of the world's data protection authorities. The substance of the report is also a timely contribution to the debate about privacy protection in the face of ever more intrusive personal data-collection technologies and practices.
Privacy advocates have long been attracted to the concept of harnessing technological developments as an ally, but have all too often found in practice that they are cast as latter day Luddites, effectively opposing the introduction or full use of technological solutions. This report marks a significant step forward in offering positive and pro-active solutions to the privacy versus efficiency trade-off.
The most significant contribution of the report is in clearly explaining the concept of an identity protector, which can be used to 'shelter' the true identity of a user in a number of the essential processes of any information system - namely identification, authentication, access control and auditing. Only in two other processes - defined as authorisation and accounting - does the user's true identity need to be known. The report suggests that the link between the 'pseudo-domain', containing details of transactions, and the 'identity domain' can be controlled by a 'trusted third party' (almost certainly not a government agency!) which would only make the link to the minimum extent necessary for the service in question and in certain authorised 'public interest' circumstances, subject to rigorous safeguards and made known to users in advance.
Several mechanisms for implementing 'identity protectors' are discussed briefly in the report, with further details in a companion volume. These mechanisms are variations on a digital signature, involving public key encryption. There appears to be general agreement that public key cryptography provides a suitable foundation for authentication of electronic transactions, although the details of such schemes for widespread use have yet to be finalised and standards agreed. The developments of digital signatures outlined in the report - blind signatures and digital pseudonyms - may serve effectively as identity protectors, but there needs to be a separate but parallel discussion of the privacy implications of registering encryption keys. Users will need to be able to place great confidence in the integrity of digital signatures, particularly if actual identities are not to be known. This is likely to involve rigorous proof of identity requirements when registering for keys, which will create one or more additional attractive central registers. Enthusiasm for the potential of encryption and identity protectors should perhaps be tempered by caution about the privacy threat that may be posed by the supporting systems of registration.
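The blind-signature idea mentioned above, as an added example that is not taken from the report or from this review: a registrar in the identity domain signs a pseudonym it never sees, and a service in the pseudo-domain verifies that signature. Textbook RSA without padding, the toy key and all function names are assumptions made for illustration.

```python
import hashlib
import secrets
from math import gcd

# Toy RSA key for the registrar (assumption: textbook RSA, no padding).
# Both factors are Mersenne primes; far too small for real use.
P, Q = 2**127 - 1, 2**89 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # registrar's private exponent


def digest(pseudonym: bytes) -> int:
    """Hash the pseudonym into the RSA group."""
    return int.from_bytes(hashlib.sha256(pseudonym).digest(), "big") % N


def blind(m: int):
    """User side: hide m behind a random factor r before sending it."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            return (m * pow(r, E, N)) % N, r


def registrar_sign(blinded: int) -> int:
    """Identity domain: signs after proof of identity, sees only `blinded`."""
    return pow(blinded, D, N)


def unblind(blind_sig: int, r: int) -> int:
    """User side: strip r to obtain an ordinary signature on m."""
    return (blind_sig * pow(r, -1, N)) % N


def service_verify(pseudonym: bytes, sig: int) -> bool:
    """Pseudo-domain: checks the registrar's signature, learns no identity."""
    return pow(sig, E, N) == digest(pseudonym)


def issue_pseudonym(pseudonym: bytes):
    """Run the whole exchange; return (signature, what the registrar saw)."""
    m = digest(pseudonym)
    blinded, r = blind(m)
    return unblind(registrar_sign(blinded), r), blinded


if __name__ == "__main__":
    nym = b"nym-7f3a (constructed sample pseudonym)"
    sig, seen = issue_pseudonym(nym)
    print(service_verify(nym, sig), seen != digest(nym))
```

The registrar cannot match the unblinded signature to the signing request it handled, but it still holds the record of who proved their identity to obtain one, which is the kind of register the paragraph above cautions about.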
The report includes results of a survey of information technology (IT) providers and users in the Netherlands and Ontario, which showed a remarkable difference in the levels of awareness, availability and use of privacy enhancing technologies. They are much more widely available and known in the Netherlands, where both security products and pseudonymous/anonymous options are under active consideration or use. In Ontario, by contrast, very few IT providers or users were even thinking about such technologies, and those that were focussed on stored value smart cards, rather than the more sophisticated options in card systems apparently under development in Europe. The report appears to accept at face value the characterisation of many stored value cards as 'anonymous', whereas evidence of early trials and proposals for smart cards in Australia suggests that such claims should be carefully scrutinised. Some initiatives may well leave open the possibility of indirect personal identification, if only to resolve disputes or deal with lost cards. If the use of the card generates a transaction record, then the privacy implications for those card-holders who need to voluntarily identify themselves are as significant as those which attach to systems of personalised cards.
Significantly, the survey found the main factor holding back the development of privacy enhancing technologies to be a lack of demand for anonymity features. Information technology providers are able and willing to design such features if clients request them. Lack of demand is related to lack of awareness of the potential benefits, and in turn to a lack of consumer awareness and demand. The report speculates that there will be a natural tendency for organisations to resist anonymity features since they would reduce the availability of potentially valuable personal data trails. Only if the public demands such features are they likely to be provided.
There are two relatively minor criticisms of this report.
First, it is written, perhaps deliberately, as if for a readership already converted to the need for privacy. There is arguably insufficient justification at the outset of the case for anonymity. This leaves it open for many sceptical readers to dismiss the foundation proposition, with the usual unthinking criticism that only those with something to hide require anonymity and that 'the innocent have nothing to fear'. Outside the comfortable consensus shared by readers of this journal, this argument needs to be fought and won on each occasion.
Secondly, some of the terminology appears strange. The use of the term 'audit file' to describe the main transaction records is potentially confusing, at least here in Australia, where 'audit' is used primarily in a monitoring-compliance context. 'Transaction record' is, I would suggest, a more intuitive and more easily understood term which usefully actually conveys the potential sensitivity of the information involved.
These two minor criticisms do not detract significantly from what is a very valuable report, which provides a succinct analysis of some crucial privacy issues, offers some useful classifications and new concepts - particularly that of identity protectors - and makes good strides down the road towards some practical solutions. The Dutch and Ontario Commissioners and their staff are to be congratulated on a groundbreaking initiative.