Roger Clarke's Web-Site
© Xamax Consultancy Pty Ltd, 1995-2013
Principal, Xamax Consultancy Pty Ltd, Canberra
Visiting Fellow, Department of Computer Science, Australian National University
Version of 2 May 1998
© Xamax Consultancy Pty Ltd, 1997, 1998
Available under an AEShareNet licence
This paper was prepared for publication in Telecommunication Journal of Australia 48, 2 (May/June 1998)
It is an introduction to the topic, and is supported by a more detailed paper, at Clarke (1997f)
This paper is at http://www.rogerclarke.com/DV/IPrivacy.html
Any advanced technology creates new threats as well as new potentials. The Internet offers enormous opportunities, which are being exploited by communities, and increasingly also by business enterprises. It also harbours risks to the privacy of personal data and communications, as marketers seek to profile their electronic customers, and governments seek to impose themselves on people they see as miscreants. This paper describes the kinds of threats that exist and are emerging. It also outlines measures, both fair and foul, that are being adopted to counter those threats.
Threats To Personal Data
Threats To Personal Identity
The Internet is the set of computer networks inter-connected using the TCP/IP family of communications protocols. The term is also used in a much looser, sociological sense, to refer to the community of people and organisations that communicate through the facility.
For a primer in Internet technology, see Clarke et al. (1998). A more formal description is to be found in an official Internet document, RFC 1462 (Krol 1993).
The Internet began in the 1970s as an academic computer science experiment funded by the U.S. Department of Defense. It proved valuable to researchers. That value was recognised by research funding agencies, which continued to directly support it until well into the 1990s. A time-line of Internet development is provided by Zakon (1997).
Academic usage of the Internet came to extend well beyond the computer science discipline. In Australia, the Internet migrated at the end of 1989 from a mere research object to a fully professional service, AARNet. Gradual uptake by new communities (at first of scholars, and later in government, in industry and among society generally), together with successive new protocols and tools, has resulted in exponential growth in connected nodes, in traffic, and in users, which has been sustained over more than two decades.
This paper does not dwell on the vast range of constructive uses, and the vast range of services, that the Internet has spawned; indeed, it assumes that the reader is at least modestly familiar with them. Instead, it examines one of a number of 'low-life' aspects of the Internet: its impact on the privacy of personal data.
People enjoy having private spaces, and want to keep them. Key aspects include the following:
An introduction and definitions are provided in Clarke (1997-). An analysis of dataveillance is in Clarke (1988). Comprehensive materials are available from such sources as Clarke (1995-).
This paper identifies ways in which the Internet threatens information privacy. The next two sections identify two groups of threats, firstly those that relate to personal data, and secondly those that relate to personal identity. A subsequent section discusses generic approaches that can be adopted to deal with those threats.
This section identifies ways in which personal data is threatened on the Internet.
* Transmission Insecurity
Data transmitted over the Internet is subject to several risks:
For a discussion of these risks, see Clarke (1996b).
All of these circumstances have privacy implications, but the most common concerns are about access to content. Generally, Internet messages are transmitted 'in clear', i.e. in a form that is readily interpreted by anyone who receives or intercepts it. Moreover, the nature of the Internet is such that the message passes through between 1 and about 25 processors from the time that it leaves the sender's organisation until it reaches the recipient's. The systems manager at each such site has, in principle, an opportunity to intercept messages. In practice, there appear to be very few such security breaches; but the risk exposure exists.
In order to protect against access to content, it is necessary to encrypt the data, and ensure that only the intended recipient has the means to decrypt it. Cryptography also offers means of addressing the other transmission security risks. For a discussion of cryptography measures, see Clarke (1996c).
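The following is an added illustration of the two preceding paragraphs; it is not code from the paper. A constructed message is passed through a constructed chain of intermediate processors, first in clear and then encrypted, so that the difference in what each site's operator can see becomes concrete. The cipher is an HMAC-SHA256 keystream in counter mode with a separate integrity tag (an assumption made so that the example needs only the Python standard library; a production system would use an established cipher and library), and the hop names are invented.

```python
import hashlib
import hmac
import os

# Constructed message and a constructed chain of intermediate processors
# (the paper notes a message may pass through 1 to about 25 of them).
PLAINTEXT = b"Meet the whistleblower at the usual place, Tuesday 9pm"
HOPS = ["mail.sender.example", "relay1.isp.example",
        "relay2.isp.example", "mx.recipient.example"]


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive a keystream from HMAC-SHA256 in counter mode.

    Assumption: an illustrative PRF-based construction using only the
    standard library, standing in for a real cipher such as AES.
    """
    out = b""
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag (encrypt-then-MAC)."""
    nonce = os.urandom(16)
    ks = keystream(enc_key, nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; return nothing if the message was altered."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("message altered in transit, or wrong key")
    ks = keystream(enc_key, nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


def relay(payload: bytes, hops, tamper_at=None):
    """Pass a payload through each hop. Each hop's operator can read, and
    optionally alter, what it carries. Returns the delivered payload and
    what every operator on the path was able to see."""
    seen = {}
    for hop in hops:
        seen[hop] = payload
        if hop == tamper_at:
            payload = payload[:-1] + bytes([payload[-1] ^ 0x01])
    return payload, seen


def operator_can_read(seen_payload: bytes) -> bool:
    """An operator has 'access to content' if the clear text is visible."""
    return PLAINTEXT in seen_payload


def demo():
    enc_key, mac_key = os.urandom(32), os.urandom(32)
    # In clear: every intermediate operator can read the content.
    _, seen = relay(PLAINTEXT, HOPS)
    clear_readers = [h for h, p in seen.items() if operator_can_read(p)]
    # Encrypted: operators see only ciphertext; the recipient recovers it.
    blob = encrypt(enc_key, mac_key, PLAINTEXT)
    delivered, seen = relay(blob, HOPS)
    cipher_readers = [h for h, p in seen.items() if operator_can_read(p)]
    recovered = decrypt(enc_key, mac_key, delivered)
    # Altered in transit: the recipient detects it rather than accepting it.
    tampered, _ = relay(blob, HOPS, tamper_at="relay2.isp.example")
    try:
        decrypt(enc_key, mac_key, tampered)
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return {"clear_readers": clear_readers, "cipher_readers": cipher_readers,
            "recovered": recovered, "tamper_detected": tamper_detected}


if __name__ == "__main__":
    print(demo())
```

The point to take from the run is the second and third results together: encryption alone hides the content from the intermediate processors, and the integrity tag is what lets the recipient refuse a message that one of them has altered.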
* More Transaction Trails, of Greater Intensity
People already leave large numbers of data trails behind them (Clarke 1996f). Internet transactions enable the automated maintenance of yet more trails of each person's activities and locations, including:
There is a current attempt to produce an additional, more sophisticated trail-generation mechanism, at the bidding of the web-servers that people visit. This mechanism is referred to as cookies. For an analysis of cookies, see Clarke (1997a).
A cookie is a record that is written onto the local drive of the web-browser, as a result of a command issued by a web-server. Each record has a long key, which is likely to be unique to a given application. When the user accesses a relevant page at a later date, the web-server causes the web-browser to read the record and transmit it to the web-server.
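As an added example, not part of the paper, the following simulates the mechanism just described: a web-server mints a long key on a browser's first visit, instructs the browser to store it, and links later visits to the same record when the browser sends it back. A small audit function then reads a Set-Cookie header and reports whether it is the kind of persistent, high-entropy key that supports trail-generation. The server, browser, host names and one-year lifetime are all constructed for the illustration; the header parsing uses Python's standard http.cookies module.

```python
import secrets
from http.cookies import SimpleCookie

ONE_YEAR = 365 * 24 * 3600  # constructed lifetime for the tracking key


class TrackingServer:
    """Web-server that labels each browser with a unique key and records its visits."""

    def __init__(self):
        self.visits = {}  # key -> pages requested while presenting that key

    def handle(self, request_headers: dict, page: str):
        """Return (key used for this visit, response headers to send back)."""
        jar = SimpleCookie(request_headers.get("Cookie", ""))
        response_headers = {}
        if "uid" in jar:
            uid = jar["uid"].value  # browser presented the record written earlier
        else:
            uid = secrets.token_hex(16)  # first visit: mint a key unlikely to collide
            response_headers["Set-Cookie"] = f"uid={uid}; Path=/; Max-Age={ONE_YEAR}"
        self.visits.setdefault(uid, []).append(page)
        return uid, response_headers


class Browser:
    """Browser that obeys Set-Cookie and returns stored cookies to the issuing host."""

    def __init__(self):
        self.jar = {}  # host -> {cookie name: value}, the 'record on the local drive'

    def get(self, host: str, server: TrackingServer, page: str) -> str:
        request_headers = {}
        if self.jar.get(host):
            request_headers["Cookie"] = "; ".join(
                f"{k}={v}" for k, v in self.jar[host].items())
        uid, response_headers = server.handle(request_headers, page)
        if "Set-Cookie" in response_headers:
            for name, morsel in SimpleCookie(response_headers["Set-Cookie"]).items():
                self.jar.setdefault(host, {})[name] = morsel.value
        return uid


def audit_set_cookie(header: str) -> dict:
    """Report, per cookie, whether it outlives the session and how much key it carries.

    Assumption: a value of 16+ characters that persists across sessions is treated
    as a tracking identifier; that threshold is a heuristic chosen for this example.
    """
    findings = {}
    for name, morsel in SimpleCookie(header).items():
        persistent = bool(morsel["max-age"] or morsel["expires"])
        findings[name] = {
            "persistent": persistent,
            "max_age": morsel["max-age"],
            "key_length": len(morsel.value),
            "looks_like_identifier": persistent and len(morsel.value) >= 16,
        }
    return findings


def demo():
    server = TrackingServer()
    alice, bob = Browser(), Browser()
    a1 = alice.get("shop.example", server, "/catalogue")
    a2 = alice.get("shop.example", server, "/checkout")
    b1 = bob.get("shop.example", server, "/catalogue")
    return {"same_key_across_visits": a1 == a2,
            "distinct_browsers": a1 != b1,
            "alice_trail": server.visits[a1]}


if __name__ == "__main__":
    print(demo())
    print(audit_set_cookie("uid=0123456789abcdef0123456789abcdef; Path=/; Max-Age=31536000"))
```

Note that the browser never chooses the key: it is assigned by the server and simply echoed back, which is what makes the trail reliable for the server and invisible to the user unless the browser exposes its cookie store.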
Depending on how they are designed, payment mechanisms on the net may also generate additional privacy-invasive trails. For an analysis of net-based payment schemes, see Clarke (1995).
* Personal Profile Extraction
The many existing and new trails can together be exploited to yield intensive information about each person's behaviour.
In the public sector, the motivations are generally social control and protection of the public purse. In the private sector, consumer marketing organisations are interested in improving customer service and their ability to manipulate customer behaviour. Consumer services organisations such as lenders and insurers are interested in protecting their own interests, through the identification and management of instances of misbehaviour and fraud, and of individuals who perpetrate them.
The underlying technique of data matching is described in Clarke (1994b) and profiling is described in Clarke (1993). Documentation of the ease with which information about an identified individual can be gathered over the Internet is provided by such references as the Stalkers' Home Page (1998), and Lane (1998).
The world wide web was originally driven from the user's workstation, in a 'demand-pull' manner. Marketers and advertisers prefer a simple-minded broadcast-mode, which in modern terms is the server-driven, 'supply-push' approach.
Attempts have been made to subvert the web-browser by turning the control around, and even to replace it with new tools that provide marketers with greater ability to manipulate the consumer's behaviour. If those endeavours prove to be successful, the intensive data about each individual arising from multiple sources would be able to be combined with sender-driven technologies, in order to 'push' information at each individual that is likely to significantly influence their behaviour.
This section considers a second group of privacy threats on the Internet, those that threaten aspects of a person's identity.
* Appropriation of One's Identity
People are at risk of other people making statements and performing actions, as though they were them. This can be as simple as falsifying the From: address in an email. It can also be as complex as the modern, largely American phenomenon of 'identity theft' (PRC 1998).
Identity theft is the acquisition and use of sufficient evidence of identity relating to a particular person that the thief can operate as though they were that person. This can be as simple as stealing a wallet or purse, with or without passing the contents via an intermediary or 'fence'. Alternatively, it can be achieved by mail theft, the 'fishing' of credit card slips and loan or credit applications from rubbish-bins, or through an 'inside job', e.g. at a financial institution.
* Appropriation of One's Electronic Mailbox
An Internet user is at risk of other people sending messages, and quite possibly lots of messages, to their electronic mailbox, which are not interesting, and which waste their time, attention-span and money. During 1996-98, unsolicited emails, commonly referred to as 'spam', reached epidemic proportions.
Spam is unsolicited electronic communications. Anyone can send an email message from a conventional user-account to anyone else whose address they can acquire.
For an analysis of spam, see Clarke (1997b).
* Internet Transaction Identification
In general (and with some qualifications), each email message that a person sends identifies them to the recipient. In some circumstances, this may represent a privacy risk. This arises wherever the sender anticipates physical risk to themselves if their identity becomes apparent, as occurs with 'whistleblowers', and witnesses of serious crimes.
In general (and with some qualifications), each access a person makes to a web-server identifies several things about them to that machine and its masters; for example, the web-browser generally provides the web-server with its identity (the 'IP-address'), to enable the requested page to be sent to it.
* Location Services
The Internet provides greatly enhanced means whereby people and organisations can find one another. This has dramatic power, because it combines a vast array of pre-existing data-sources (such as telephone books) with new sources (such as e-list and newsgroup archives), and renders them all available to search engines. Examples include Players National and FYI.
Such services are a great boon to people who have socially acceptable reasons for wanting to find other people. In some circumstances, the same services can be annoying or unpleasant for the people who are found. In some situations, they are life-threatening.
* The Possibility of Routinised Self-Identification
Information technologies have been generating a technological and marketing imperative towards individuals being expected to identify themselves on a routine basis, when conducting transactions that have hitherto been anonymous or pseudonymous. Some electronic commerce and electronic service delivery technologies on the Internet add to that pressure.
This is threatening to the private space of even those who have nothing to hide; and much more sinister to those many people who have experienced repression from other individuals, organisations, or nation-states.
Each of the threats identified in the preceding sections is capable of being addressed using countermeasures specific to the particular threat. These are discussed in Clarke (1997g). This section provides a brief overview of generic approaches that can be taken to dealing with threats to Internet privacy.
* Individual Action
A person can prevent or subvert transaction trailing through the denial of identity. Where this is impractical, a person can adopt multiple identities. Many people may regard such a measure as being beneath their dignity, or more suitable to a criminal than to an honest person. In fact, there are many different kinds of people who adopt different identities to go with their different roles.
Moreover, multiple identities need not be blatant. A subtle approach is to vary the spelling of one's name and address. Among other outcomes, this can assist in tracking the ways in which one's details migrate from one data-repository to another. Human identification is examined in detail in Clarke (1994c).
A person can subvert transaction trailing through the denial of information. Where this is impractical, a person may provide misinformation. This is particularly effective if it is consistently inconsistent, i.e. using a different variant each time. It can be applied to data as diverse as birthdates, incomes and family structure. The purpose of misinformation is to ensure that all data-holders come to accept data as being fundamentally inaccurate, rather than letting them subscribe to the myth that the digital persona is an adequate substitute for the actual person. The nature and risks of the digital persona are examined in detail in Clarke (1994a).
* Net-Community Information-Sharing
People can share information among themselves, in order to disadvantage privacy-abusive organisations, and reward fair dealers. Email lists, bulletin boards and web-pages all lend themselves to this application.
* Net-Community Direct Action
Individuals often plead powerlessness against the economic incentives that drive large corporations, and the bureaucratic and political motivations of government agencies and Governments. In fact, there are many ways in which little people can do significant harm to the interests of large organisations, and force them to change their behaviour. One source of information relating to net-community direct action is NetAction (1998).
There are real prospects that the Internet may enable collaboration among consumers and citizens in a more effective manner than ever before, and hence provide a basis for a fundamental shift in the balance of power.
* Industry Self-Regulation
Corporations and government agencies may recognise privacy as a strategic factor, and act responsibly. For guidance on how this can be done, see Clarke (1996e). Industry associations, Parliaments and Governments may encourage and coordinate efforts of this nature. Innovative products and services may assist this tendency.
There is some evidence of self-regulation in action. See, for example, the U.S. Direct Marketing Association (DMA 1998), TRUSTe (1998) and the Asia-Pacific Smart Cards Forum - Australia (Clarke 1996a and 1997h). The voluntary industry principles around which such schemes revolve, however, afford very limited protections. It would therefore be naive to expect that industries, by and of themselves, without appropriate encouragement from Parliaments, will deliver a great deal of substance.
* Anonymity and Pseudonymity Tools
A variety of tools are available, many based on cryptographic methods, which enable people to protect their identity. This can be achieved either by denying it entirely, or by substituting it with a pseudonym and protecting the linkage between real and pseudo-identity through technical, organisational and legal measures.
One approach to anonymity in email is to ensure that the mailer includes in the message a false From: address. To be effective, however, the approach needs to be considerably more subtle. A more thorough approach is to use an anonymous or pseudonymous remailer. Remailers are examined in Bacard (1996) and Goldberg, Wagner & Brewer (1996).
A remailer is a computer service that enables a person to send electronic mail without the recipient knowing the sender's name or e-mail address. The remailer provides this service by stripping the sender's details from the message, and forwarding it on to the intended recipient.
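The following added example, which is not code from the paper or from any of the remailers it cites, shows the stripping step for both modes named above: an anonymous forward, where the sender's details are simply removed, and a pseudonymous forward, where the remailer substitutes a stable alias and keeps the alias-to-sender linkage as its protected secret. The message, the remailer domain, and the list of headers treated as identifying are all constructed for the illustration; a real remailer would also have to deal with what the body, attachments and timing reveal.

```python
import secrets
from email import message_from_string, policy
from email.utils import formatdate, parseaddr

# Headers that name or locate the sender. Assumption: an illustrative list.
IDENTIFYING_HEADERS = ("From", "Sender", "Reply-To", "Return-Path", "Received",
                       "Message-ID", "X-Mailer", "X-Originating-IP",
                       "Organization", "Date")

# Constructed message as it might arrive at the remailer.
RAW_MESSAGE = """\
Received: from pc.alice.example ([192.0.2.7]) by mail.alice.example
Received: from mail.alice.example by remailer.example
From: Alice Example <alice@alice.example>
Reply-To: alice@alice.example
To: tips@newspaper.example
Subject: Documents
Date: Fri, 01 May 1998 10:00:00 +1000
Message-ID: <19980501.alice@alice.example>
X-Mailer: SomeClient 1.0
Content-Type: text/plain; charset="us-ascii"

The attached figures were altered after the audit.
"""


class Remailer:
    def __init__(self, domain: str):
        self.domain = domain
        # pseudonym -> real address: the linkage a pseudonymous remailer must protect
        self.linkage = {}

    def forward(self, raw: str, pseudonymous: bool = False):
        """Return (message text to send onward, names of the headers removed)."""
        msg = message_from_string(raw, policy=policy.default)
        real_sender = parseaddr(str(msg["From"]))[1]
        stripped = [h for h in IDENTIFYING_HEADERS if h in msg]
        for h in stripped:
            del msg[h]  # removes every occurrence, e.g. each Received: line
        if pseudonymous:
            alias = next((a for a, r in self.linkage.items() if r == real_sender), None)
            if alias is None:
                alias = "an" + secrets.token_hex(4)
                self.linkage[alias] = real_sender
            msg["From"] = f"{alias}@{self.domain}"
        else:
            msg["From"] = f"nobody@{self.domain}"
        msg["Date"] = formatdate()  # remailer's own timestamp, not the sender's
        return msg.as_string(), stripped


def header_names(raw: str):
    return list(message_from_string(raw, policy=policy.default).keys())


def header_value(raw: str, name: str):
    return str(message_from_string(raw, policy=policy.default)[name])


def body_text(raw: str) -> str:
    return message_from_string(raw, policy=policy.default).get_content()


if __name__ == "__main__":
    r = Remailer("remailer.example")
    out, removed = r.forward(RAW_MESSAGE, pseudonymous=True)
    print("removed:", removed)
    print(out)
```

The anonymous and pseudonymous paths differ only in the From: address written and in whether a linkage record is kept; everything else the paper attributes to a remailer is the deletion loop.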
Anonymous web-surfing services, which operate on similar principles, are available not only from public interest groups (e.g. Community Connexion's Anonymizer) but also from major corporations (e.g. AT&T/Lucent's Crowds).
* Privacy-Protective Infrastructure
Aspects of the Internet's architecture are capable of being adapted in order to encourage, and perhaps even mandate, privacy-protective features. An example of an industry initiative of this nature is the World Wide Web Consortium's Platform for Privacy Preferences (W3C P3P). For an explanation of P3P, see Clarke (1998a), and for a critique, see Clarke (1998b).
The Platform for Privacy Preferences (P3P) specification enables web-sites to specify their personal data use and disclosure practices, web-users to specify their expectations concerning personal data disclosure practices, and software agents to undertake negotiation, on behalf of the parties, in order to reach an agreement concerning the exchange of data between them. Hence an individual can have sufficient information to make an informed decision on whether to permit or refuse provision of personal data, and can even confidently delegate the decision to a software agent acting on their behalf.
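As an added example of the agent-side decision just described, and not code from the paper or from the W3C, the following evaluates a site's declared practices against a user's stated expectations and decides, element by element, whether disclosure is permitted. The policy structure and the purpose, recipient and retention terms are a simplified vocabulary constructed for this illustration, not P3P syntax; the site policy and the user preferences are likewise constructed.

```python
# Retention periods from shortest to longest (constructed ordering for the example).
RETENTION_ORDER = ["no-retention", "stated-purpose", "legal-requirement",
                   "business-practices", "indefinitely"]

# Constructed site policy: for each data element requested, why it is wanted,
# who receives it, how long it is kept, and whether the site insists on it.
SITE_POLICY = {
    "email": {"purposes": {"current", "contact"}, "recipients": {"ours"},
              "retention": "stated-purpose", "required": True},
    "postal-address": {"purposes": {"current", "telemarketing"},
                       "recipients": {"ours", "unrelated"},
                       "retention": "indefinitely", "required": False},
    "date-of-birth": {"purposes": {"individual-analysis"}, "recipients": {"ours"},
                      "retention": "business-practices", "required": False},
}

# Constructed user expectations, held by a software agent on the user's behalf.
USER_PREFS = {
    "allowed_purposes": {"current", "contact"},
    "allowed_recipients": {"ours"},
    "max_retention": "stated-purpose",
    "never_disclose": {"date-of-birth"},
}


def evaluate_element(name: str, practice: dict, prefs: dict):
    """Decide one data element; return ('accept' | 'refuse', list of reasons)."""
    reasons = []
    if name in prefs["never_disclose"]:
        reasons.append("element is on the user's never-disclose list")
    for p in sorted(practice["purposes"] - prefs["allowed_purposes"]):
        reasons.append(f"purpose '{p}' not accepted")
    for r in sorted(practice["recipients"] - prefs["allowed_recipients"]):
        reasons.append(f"recipient '{r}' not accepted")
    if (RETENTION_ORDER.index(practice["retention"])
            > RETENTION_ORDER.index(prefs["max_retention"])):
        reasons.append(f"retention '{practice['retention']}' exceeds "
                       f"'{prefs['max_retention']}'")
    return ("accept" if not reasons else "refuse"), reasons


def negotiate(site_policy: dict, prefs: dict) -> dict:
    """Agent's overall outcome: which elements to disclose and whether the
    transaction can proceed without any element the site insists on."""
    decisions = {n: evaluate_element(n, p, prefs) for n, p in site_policy.items()}
    disclose = sorted(n for n, (d, _) in decisions.items() if d == "accept")
    blocked_required = sorted(n for n, p in site_policy.items()
                              if p["required"] and decisions[n][0] == "refuse")
    return {"decisions": decisions, "disclose": disclose,
            "proceed": not blocked_required, "blocked_required": blocked_required}


if __name__ == "__main__":
    outcome = negotiate(SITE_POLICY, USER_PREFS)
    for element, (decision, reasons) in outcome["decisions"].items():
        print(f"{element}: {decision}" + (" (" + "; ".join(reasons) + ")" if reasons else ""))
    print("disclose:", outcome["disclose"], "proceed:", outcome["proceed"])
```

The reasons list is what makes delegation to the agent defensible: the user can see why an element was refused rather than merely that it was, and a site that marks a refused element as required is identified as one with which the transaction cannot proceed on the user's terms.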
Initiatives such as P3P may make significant contributions to a less privacy-invasive Internet environment. Some people, however, such as Marc Rotenberg of the Electronic Privacy Information Center (EPIC), have called for the Internet infrastructure to be migrated much further than that, by incorporating privacy-enhancing technologies (PETs).
Actions that can be located in physical space take place within an existing legislative framework. Parliaments can provide moderately effective protections through statutory principles, a regulatory agency, and processes for the establishment and maintenance of enforceable codes of behaviour.
The Internet does, however, create new possibilities for organisations and individuals to escape the strictures of geographically-based legal jurisdictions. This can be in the form of extra-jurisdictionality (the performance of privacy-infringing behaviour in locations that are free from privacy-protective laws), or even supra-jurisdictionality (where the behaviour exists in a space not subject to any jurisdiction).
To address the new challenges, a range of specific public policy actions are necessary. These include analysis of the problems, revision of statutes and codes, and initiatives in relation to identification schemes, anonymity and pseudonymity.
Unfortunately, Australia has an utterly inadequate privacy-protection regime. It is largely limited to the Commonwealth public sector, and rooted in 1970s thinking; and successive Governments have failed to grasp the nettle. Of the Australian States and Territories, only the A.C.T. offers anything more than periodic politicians' promises, stated at election-time and broken during Government. Flaws in Australian privacy law are examined in Clarke (1997c).
Privacy is under severe threat as a result of, among other things, the application of advanced information technologies. It is completely inadequately protected even against current, let alone near-future, threats.
The Internet provides a vast array of ways in which people's privacy can be and is being intruded upon, and adds new dimensions to existing problems. It necessitates the negotiation of a whole new set of balances among the various interests.
The inaction of governments, and the active measures within the Internet community to protect the privacy of netizens, may well be harbingers of a greatly reduced role for governments in the imminent 21st century. A serious school of thought, associated with the cypherpunk and crypto-anarchist movements, argues that Internet technology and cryptography are already bringing about that shift.
Internet privacy resources are identified in Clarke (1997f).
Anonymizer (1998) 'Anonymizer: It's Your Right', Community Connexion, at http://www.anonymizer.com/
AT&T/Lucent (1998) 'Crowds: Anonymity Loves Company', at http://www.research.att.com/projects/crowds/
Bacard A. (1996) 'Anonymous Remailers', at http://www.well.com/user/abacard/remail.html
Clarke R. (1988) 'Information Technology and Dataveillance' Commun. ACM 31,5 (May 1988), at http://www.rogerclarke.com/DV/CACM88.html
Clarke R. (1993) 'Profiling: A Hidden Challenge to the Regulation of Data Surveillance', Journal of Law and Information Science 4,2 (December 1993), at http://www.rogerclarke.com/DV/PaperProfiling.html
Clarke R. (1994a) 'The Digital Persona and Its Application to Data Surveillance' The Information Society 10,2 (June 1994), at http://www.rogerclarke.com/DV/DigPersona.html
Clarke R. (1994b) 'Dataveillance by Governments: The Technique of Computer Matching' Information Technology & People 7,2 (June 1994)
Clarke R. (1994c) 'Human Identification in Information Systems: Management Challenges and Public Policy Issues' Info. Technology & People 7,4 (December 1994), at http://www.rogerclarke.com/DV/HumanID.html
Clarke R. (1995) 'Net-Based Payment Schemes' (February 1995), at http://www.rogerclarke.com/EC/EPMEPM.html
Clarke R. (1995-) 'Data Surveillance and Information Privacy', at http://www.rogerclarke.com/DV/
Clarke R. (1996a) 'Smart Move by the Smart Card Industry' Privacy Law & Policy Reporter 2,10 (January 1996) 189-191, 195, at http://www.rogerclarke.com/DV/SMSC.html
Clarke R. (1996b) 'Data Transmission Security Risks' (May 1996), at http://www.rogerclarke.com/II/CryptoSecyRisks.html
Clarke R. (1996c) 'Cryptography in Plain Text', Privacy Law & Policy Reporter 3, 4 (May 1996), at http://www.rogerclarke.com/II/CryptoSecy.html
Clarke R. (1996d) 'Crypto-Confusion: Mutual Non-Comprehension Threatens Exploitation of the GII' Privacy Law & Policy Reporter 3, 4 (May 1996), at http://www.rogerclarke.com/II/CryptoConf.html
Clarke R. (1996e) 'Privacy, Dataveillance, Organisational Strategy' (the original version was a Keynote Address for the I.S. Audit & Control Association Conf. (EDPAC'96), Perth, 28 May 1996). At http://www.rogerclarke.com/DV/PStrat.html
Clarke R. (1996f) 'Trails in the Sand' (May 1996), at http://www.rogerclarke.com/DV/Trails.html
Clarke R. (1996g) 'Identification, Anonymity and Pseudonymity in Consumer Transactions: A Vital Systems Design and Public Policy Issue', Conference on 'Smart Cards: The Issues', Sydney, 18 October 1996, at http://www.rogerclarke.com/DV/AnonPsPol.html
Clarke R. (1997-) 'Introduction to Dataveillance and Information Privacy, and Definitions of Terms', at http://www.rogerclarke.com/DV/Intro.html
Clarke R. (1997a) 'Cookies' (February 1997), at http://www.rogerclarke.com/II/Cookies.html
Clarke R. (1997b) 'Spam' (February 1997), at http://www.rogerclarke.com/II/Spam.html
Clarke R. (1997c) 'Flaws in the Glass; Gashes in the Fabric', Proc. Symposium on 'The New Privacy Laws', Sydney, February 1997, at http://www.rogerclarke.com/DV/Flaws.html
Clarke R. (1997d) 'Privacy and E-Lists' (May 1997), at http://www.rogerclarke.com/DV/E-Lists.html
Clarke R. (1997e) 'Public Interests on the Electronic Frontier', Invited Address to IT Security '97, 14 & 15 August 1997, Rydges Canberra (August 1997), http://www.rogerclarke.com/II/IIRSecy97.html
Clarke R. (1997f) 'Privacy On the Internet: Threats, Countermeasures and Policy', Proc. IBC 1997 Australian Privacy Forum, Sydney, October 1997, at http://www.rogerclarke.com/DV/Internet.html
Clarke R. (1997g) 'Privacy On the Internet - Threats', Proc. IBC 1997 Australian Privacy Forum, Sydney, October 1997, at http://www.rogerclarke.com/DV/InternetThreats.html
Clarke R. (1997h) 'Smart Move by the Smart Card Industry - Part II' Privacy Law & Policy Reporter 4,5 (October 1997), pp.97-98, at http://www.rogerclarke.com/DV/SMSC2.html
Clarke R. (1998a) 'Platform for Privacy Preferences: An Overview' (April 1998), at http://www.rogerclarke.com/DV/P3POview.html
Clarke R. (1998b) 'Platform for Privacy Preferences: A Critique' (April 1998), at http://www.rogerclarke.com/DV/P3PCrit.html
Clarke R., Dempsey G., Ooi C.N. & O'Connor R.F. (1998) 'A Primer on Internet Technology' (February 1998), at http://www.rogerclarke.com/II/IPrimer.html
DMA (1998) 'Direct Marketing Association', at http://www.the-dma.org
EPIC (1998) 'Electronic Privacy Information Center', at http://www.epic.org
FYI (1998) 'Personal People Locator Services', at http://www.colapublib.org/fyi/catalog/personal/people.html
Goldberg I., Wagner D. & Brewer E. (1996) 'Privacy-enhancing technologies for the Internet', at http://www.cs.berkeley.edu/~daw/privacy-compcon97-www/privacy-html.html
Krol E. (1993) 'What is the Internet?', RFC1462 (May 1993), at http://ds.internic.net/rfc/rfc1462.txt
Lane (1998) 'Online Magazine's Guide To Researching Personal Records In The Cyber Age', at http://www.onlineinc.com/pempress/naked/
NetAction (1998) 'Net Action', at http://www.netaction.org/
Players National (1998) 'Players National Locator', at http://www.playersnational.com/
PRC (1998) 'Identity Theft Resources', at http://www.privacyrights.org/identity.html
Stalkers' Home Page (1998) 'A Stalking We Go! Stalking -- Privacy -- Spying -- Snooping!', at http://www.glr.com/stalk.html
TRUSTe (1998) 'TRUSTe: We're Building Trust and Confidence on the Internet', at http://www.etrust.org
Zakon R. (1997) 'Hobbes' Internet Timeline', RFC2235 (November 1997), at http://ds.internic.net/rfc/rfc2235.txt
Created: 28 April 1998 - Last Amended: 2 May 1998; addition of FfE licence 5 March 2004 by Roger Clarke - Site Last Verified: 15 February 2009