Privacy Law and Policy Reporter


Clarke, Roger --- "Transaction anonymity and pseudonymity" [1995] PrivLawPRpr 54; (1995) 2(5) Privacy Law & Policy Reporter 88



Transaction anonymity and pseudonymity

Roger Clarke

This paper was presented as an opening statement for a panel session, at the Computers, Freedom & Privacy Conference, in San Francisco on 31 March 1995.

Identified transactions

Transactions are representations of real-world events. A transaction is identified if a party to the transaction (that is, a participant in the event), is described with sufficient precision that the transaction can be associated with a specific human being.

Some examples of identified transactions include:

  1. Credit-card and debit-card transactions, which carry the codes of the merchant, the card-issuer and the card, and the name of the card-holder, and hence provide access to the account-number and address details of the card and/or account-holder.
  2. Applications for licences, loans, employment and government benefits, which carry the name, date-of-birth and address of the applicant, and usually also a person or file-identifying code.
  3. Taxation returns by taxpayers to a taxation authority, which carry the individual's name, address and file-number.
  4. Income payment and taxation deduction returns by employers to a taxation authority, which carry the individual's name, address and file-number, as well as the employer details.

During the 20th century, there has been a very significant increase in the 'information intensity' of both government administration and business management. Parallel to this, there has been a growth in the size of organisations, and a concomitant increase in the 'social distance' between organisations and the people they deal with. People have come to identify much less with, and become less trustful of, corporations and government agencies. Corporations and government agencies have responded by trusting people less and less, and instituting control measures to prevent fraud and waste, detect it once it has occurred, and enable its investigation.

Central among these control measures has been the construction of an 'audit trail' of transactions, to enable retrospective analysis of events. Organisations are motivated to trap into the audit trail as much information as is technically and economically feasible, since the future needs of investigators are difficult to classify and predict. There is evidence that the form of transaction systems is being manipulated to increase the data intensity (for example by preferring taxation mechanisms which necessitate identification, rather than capturing per-transaction taxes at source, such that anonymity is possible without any negative impact on tax-collectability).

An 'administrative imperative' has therefore arisen that transactions between individuals and organisations must be identified. This has worked in tandem with a 'technological imperative', whereby it has been perceived to be necessary to apply information technology to the processes of business and government. Various identification technologies have been harnessed to the need (see tables A and B).

In the view of corporations and government agencies, it has become almost an article of faith that people who decline to provide their identification, and indeed such other personal data as the organisation demands, must be cheats, and should be treated as such.

Erroneous identification

A matter of increasing concern to organisations, and to some extent to individuals as well, is the scope for transactions to carry identification data which is ambiguous, misleading or simply incorrect. 'Proof' of identity essentially does not exist, and the construction of identification schemes which provide a degree of confidence appropriate to the circumstances, is a challenging and expensive business.

Examples of problems with erroneous identification include:

  1. Undetected appropriation of other people's identifiers, typically the US Social Security Number, but also names and dates of birth (known as 'The Day of the Jackal' method for acquiring one or more passports in an alias or 'aka').
  2. E-mail products which commonly provide little or no validation of the sender's identification, or even of the account from which it is sent.

Anonymity

Anonymity, in this context, refers to the absence of identification data in a transaction. The key characteristic of an anonymous transaction is that the specific identity of one or more of the parties to the transaction cannot be extracted from the data itself, nor by combining the transaction with other data.

Some examples of non-identified, anonymous transactions include:

  1. Generally, barter transactions.
  2. Generally, cash transactions such as the myriad daily payments for inexpensive goods and services.
  3. Gambling.
  4. Road-tolls.
  5. Treatment at discreet clinics, particularly for sexually-transmitted diseases.

People desire anonymity for a variety of reasons. Some of these are of dubious social value, such as avoiding detection of their whereabouts in order to escape responsibilities such as paying debts and supporting the children from a broken marriage; avoiding retribution for financial fraud; and obscuring the flow of funds arising from illegal activities such as theft, drug-trading and extortion (commonly referred to as 'money-laundering').

Other reasons for seeking anonymity are of arguably significant social value. One example is the desire to avoid unnecessary exposure of private information, and embarrassment (a privilege which may be more often granted by organisations to the rich, the famous and the infamous, than to normal people). Another is the desire to keep personal data out of the hands of companies which are in the business of soaking up whatever data they can in order to use it for marketing purposes. Similarly, some people seek to deny data to government agencies, which they believe are prone to using data for multiple purposes, some of which are, or should be, irrelevant, and many of which lead to misunderstandings due to problems of data definition and data quality. A further important reason for anonymity is to deny public knowledge of one's whereabouts in order to avoid physical danger; for example, from former criminal accomplices, from overly protective fathers, and from organisations which are outraged by something the individual has done, said or written.

There are many circumstances in which the interests of all parties can be protected, despite the absence of a record of identity; for example, by authenticating the party's eligibility and/or capability to conduct the transaction, rather than authenticating the individual.

The Battleground

Serious tensions are developing between organisations which seek substantial dataveillance powers, and individuals who seek to sustain some degree of private space. There are three broad paths which society can take towards the resolution of these tensions:

Let organisational needs dominate individuals' interests

This is the course which is currently being assumed by governments to be appropriate. It involves privacy or data protection laws which confirm the rights of government agencies and corporations to gather, store, use and exchange personal data, subject to limited protections relating largely to the quality of data and, to a limited extent, to the relevance of data.

This path naturally leads to mandatory reporting of the identities of parties to hitherto anonymous physical cash transactions, and resistance to near-future anonymous electronic cash technologies.

Permit individuals' needs to dominate corporate interests

This would be a substantial inversion of the current situation. Individuals would gain control over the flow of data about them. One approach to this uses the constitution or a bill of rights to entrench such control (and has been adopted to some extent in Germany, with its concept of 'informational self-determination'). Another is to achieve a similar effect by providing individuals with intellectual property rights in data about themselves (in particular, the proposals of Ken Laudon of NYU). To date, both approaches are curiosities rather than broad movements. Strong opposition among government agencies and corporations seems likely to ensure they stay that way.

Reach an accommodation between the opposing interests

It is feasible that some qualifications to the dominance of corporate interest over individual needs, beyond mere 'fair information practices' legislation, codes of conduct and self-regulatory mechanisms, may be in prospect. Rather than emerging as a broad set of principles, this may come about more through successive isolated negotiations in particular contexts. In various countries, relationships with financial services providers, government agencies, health care services, lenders, retailers and direct marketing organisations, may be the starting-point for such a change in the balance.

Pseudonymity

One contribution to the search for balance is the application of 'pseudonymity'. A pseudonym is an identifier for a party to a transaction, which is not, in the normal course of events, sufficient to associate the transaction with a particular human being. Hence a transaction is pseudonymous in relation to a particular party if the transaction data contains no direct identifier for that party.

There are several ways in which this can be achieved. One is the storage of partial identifiers by two or more organisations, which must both provide their portions of the audit trail in order that the identity of the party can be constructed. Another is for an indirect identifier to be stored with the transaction, and the cross-index between the indirect identifier and the person's real identity stored by an organisation which applies appropriate technical and organisational security measures, and is legally precluded from divulging the link except in specified circumstances.
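The two mechanisms just described, as an added worked example in Python that is not part of Clarke's paper: a transaction ledger that carries only an indirect identifier, with the pseudonym-to-identity cross-index held by a separate custodian which releases a link only on the grounds its policy names; and an identifier split into two partial shares so that both organisations' portions of the audit trail are needed to reconstruct it. The class and function names, the grounds 'search warrant' and 'subpoena', and the sample identity and transactions are all hypothetical, constructed for this example.

```python
"""Added example (not from the paper): two ways to keep a transaction
pseudonymous. (1) Indirect identifier in the record, cross-index held by a
separate custodian. (2) Identifier split into shares across two organisations.
All names, grounds and sample data below are hypothetical and constructed."""
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Transaction:
    """What the transaction-processing organisation keeps in its audit trail."""
    pseudonym: str
    amount_cents: int
    memo: str


class IdentityCustodian:
    """Holds the pseudonym -> identity cross-index, apart from the ledger.

    Stands in for the organisation that is legally precluded from divulging
    the link except in specified circumstances; here the circumstances are
    a fixed set of 'grounds' and every request is logged, granted or not.
    """

    def __init__(self, permitted_grounds):
        self._index = {}
        self._permitted = frozenset(permitted_grounds)
        self.disclosure_log = []

    def issue_pseudonym(self, real_identity):
        # A random token: nothing about the real identity is derivable from it.
        pseudonym = "P-" + secrets.token_hex(8)
        self._index[pseudonym] = real_identity
        return pseudonym

    def resolve(self, pseudonym, ground):
        if ground not in self._permitted:
            self.disclosure_log.append((pseudonym, ground, "refused"))
            raise PermissionError(f"no disclosure on ground {ground!r}")
        self.disclosure_log.append((pseudonym, ground, "released"))
        return self._index[pseudonym]


def record_mentions(tx, real_identity):
    """True if the identity can be read straight out of the transaction data."""
    return any(real_identity in str(v) for v in vars(tx).values())


def split_identifier(real_identity):
    """Split an identity into a one-time pad and the XOR of the data with it.
    Either share alone is uniformly random, so one organisation's portion of
    the audit trail reveals nothing about who the party was."""
    data = real_identity.encode("utf-8")
    pad = secrets.token_bytes(len(data))
    masked = bytes(d ^ p for d, p in zip(data, pad))
    return pad, masked


def join_identifier(share_a, share_b):
    """Both organisations must contribute their share to rebuild the identity."""
    if len(share_a) != len(share_b):
        raise ValueError("shares do not belong together")
    return bytes(a ^ b for a, b in zip(share_a, share_b)).decode("utf-8")


def demo():
    identity = "Ms A. Person, 1 Example St"  # constructed sample identity
    custodian = IdentityCustodian({"search warrant", "subpoena"})
    pseudonym = custodian.issue_pseudonym(identity)

    # The ledger sees only the pseudonym. The two records remain linkable to
    # each other through it: pseudonymity hides who acted, not that the same
    # party acted twice. Full anonymity would hide both.
    ledger = [
        Transaction(pseudonym, 1250, "clinic visit"),
        Transaction(pseudonym, 300, "clinic visit"),
    ]
    identity_in_ledger = any(record_mentions(tx, identity) for tx in ledger)
    linkable = len({tx.pseudonym for tx in ledger}) == 1

    # A marketing request matches no ground the policy names; a warrant does.
    try:
        custodian.resolve(pseudonym, "marketing list")
        refused = False
    except PermissionError:
        refused = True
    released = custodian.resolve(pseudonym, "search warrant")

    share_a, share_b = split_identifier(identity)
    return {
        "identity_in_ledger": identity_in_ledger,
        "linkable_across_transactions": linkable,
        "marketing_request_refused": refused,
        "warrant_resolves_to_identity": released == identity,
        "disclosure_outcomes": [entry[2] for entry in custodian.disclosure_log],
        "one_share_is_identity": identity.encode() in (share_a, share_b),
        "both_shares_rebuild_identity": join_identifier(share_a, share_b) == identity,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point the example makes beyond the text is the linkability caveat: a stable pseudonym keeps the person's name out of the record, but still ties that person's transactions to one another, which is exactly the longitudinal property epidemiological research wants and a privacy property anonymity would not give up. The custodian's disclosure log is the control that makes the 'specified circumstances' auditable after the fact.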

Such mechanisms already exist in a variety of settings. For example, epidemiological research in the health care and social science areas needs longitudinal data, including demographic data about the individuals concerned, but does not necessarily need to know their identities: a pseudo-identity is sufficient.

Another example is 'anonymous re-mailers', which enable individuals to obscure their identities when they send messages, by filtering them through a service which undertakes to protect the linkage between real and nominal identity. Such undertakings might be made iron-clad, and the transactions thereby entirely anonymous, where the service-operator and its clients forgo an audit trail, and thereby any form of traceability. In many cases, however, the undertaking is likely to be qualified, and subject to, for example, search warrant and subpoena; the messages are therefore pseudonymous rather than anonymous.

There are also applications in the area of financial services, whereby some financial institutions in some countries are able to protect the identities of companies and individuals which have deposits with them, or undertake transactions through them. Similarly, buyers and sellers on stock exchanges do not, and do not need to, know the identity of the other party to the transaction. Innovative mechanisms which have been developed to serve the interests of the wealthy are capable of adaptation to the needs of people generally.

Conclusions

Anonymous and pseudonymous schemes are capable of being supported by modern information technology, for example by designing smart-card applications to serve the interests of people as well as those of corporations and government agencies.

If the complex web of transactions inherent in an information society and economy is to attract and sustain people's confidence, a multiplicity of interests needs to be balanced. It is imperative that the designs of systems reflect the interests not only of corporations and government agencies in attaching identification to transactions, but also those of individuals in denying information.

In the fast-arriving information age, the presumption that transactions should generally be identified needs to be reversed. The onus of proof must be placed on organisations to justify why anonymity, or at least pseudonymity, is inadequate in the circumstances.


URL: http://www.austlii.edu.au/au/journals/PrivLawPRpr/1995/54.html