Roger Clarke's Web-Site


© Xamax Consultancy Pty Ltd,  1995-2016

Roger Clarke's 'PITs and PETs'

Introducing PITs and PETs: Technologies Affecting Privacy

Roger Clarke

Principal, Xamax Consultancy Pty Ltd, Canberra

Visiting Fellow, Department of Computer Science, Australian National University

Version of 28 February 2001

This document was prepared for publication in Privacy Law & Policy Reporter 7, 9 (March 2001) 181-183, 188, as the opening item in a series. The accompanying resource-page provides access to all papers in the series, and to many additional sources of information

© Xamax Consultancy Pty Ltd, 2000-2001

Available under an AEShareNet Free for Education licence

This document is at



PLPR is well-established as the premier source of information on those topics in the Asia-Pacific region. It carries many articles that consider legal aspects of privacy. and policy implications of developments in privacy regulation. During the last few decades, however, technologies that affect privacy have exploded in number, complexity and power. As a result, there is a risk that the journal may slip into irrelevance, as the law and policy become detached from the reality.

I have researched, consulted and published on the technologies of dataveillance for over a quarter-century, including several contributions to PLPR. The Editor, Graham Greenleaf, invited me to formalise my thinking in a series of occasional papers in PLPR. He suggested that I enlarge upon a theme that I have been developing for several years, the tension between PITs and PETs. It seemed like a good idea, and this paper launches the series.


This series will use some terms that may not (yet) be in everyone's lexicon. So the article declares and defines them. (I of course retain the right to treat them as no more than working definitions, and to vary them over time. On the other hand, I've been using them fairly consistently for some years now; and I will draw attention to drift in the meaning as it occurs). The origins of the terms are explained in the resource-pages accompanying this series.

* Privacy-Invasive Technologies (the PITs)

This term usefully describes the many technologies that intrude into privacy. Among the host of examples are data-trail generation through the denial of anonymity, data-trail intensification (e.g. identified phones, stored-value cards, and intelligent transportation systems), data warehousing and data mining, stored biometrics, and imposed biometrics.

* Privacy-Enhancing Technologies (PETs)

These are tools, standards and protocols that set out to reverse the trend, by directly assisting in the protection of the privacy interest. They are of the following broad kinds:

The PITs

Many technologies have a negative impact on privacy. Some of them do so as a byproduct of the technology's primary functions. Others are designed specifically as surveillance tools. Some technologies can be highly privacy-invasive, depending on the manner in which they are applied, such as chip-cards (variously in health, in stored-value schemes, and as identification tokens), and public-key infrastructure (PKI). I include all of these categories within the scope of the term 'the PITs', because all are harmful, and all need to be subjected to serious study and either controlled or banned outright.

During the second half of the twentieth century, the pre-occupations were shaped by Orwell's anti-utopian novel '1984' and the Cold War. Discussion tended to focus on government techniques such as front-end verification, data matching, profiling, cross-system enforcement and multi-purpose identification schemes. Video-surveillance, despite its very apparent shortcomings, has assumed epidemic proportions, and has there are repeated promises and threats that it has been extended by visual pattern-matching and pattern-recognition. In the Internet context, agencies of the State have acquired enhanced powers to undertake telephony, email and web-behaviour surveillance.

In recent years, there has been a switch of emphasis, as consumer marketing organisations have outstripped the public sector invaders by exploiting the potential to collect and analyse personal data. Consumer profiles are no longer based only on the individuals' dealings with a single organisation, because their data is shared by multiple merchants. And the privacy amendments of December 2000 won't change that, because it actually legitimises it!

Telephone communications have been used to gather data, through call centre technologies and Calling Number Display (CND, aka Caller-ID and Calling Line Identification - CLI). Internet communications have been intruded upon by such tools as spam, cookies and single-pixel gifs. Commercial transactions that have long been anonymous are increasingly being converted to identified form, through refusal to accept cash and failing to implement electronic equivalents.

Some tools have been applied by both governments and the corporate sector. Requirements for identification and authentication have been imposed on people in an increasing array of situations. Even highly-intrusive biometrics have been used, and not only people under close care and in gaols, but also on people merely visiting people in gaol, and on employees of companies that judge the security of their premises to be more important than the privacy of their employees.

Data warehousing and data mining technologies have been developed, in order to exploit data that has been expropriated from multiple sources. Means have been devised to locate and track not just goods, but also vehicles and increasingly even people. Intelligent transportation systems include such seriously contentious applications. One example is the unheralded and unauthorised use on cars of the the N.S.W. Roads & Traffics Authority's Safe-T-Cam system, even though it was designed expressly for the monitoring of trucks. Another is the denial of anonymous use of major public thoroughfares such as Melbourne CityLink.

In the workplace, employees and contractors are being subjected to dramatically increased privacy-invasions. Video-surveillance, email and web-behaviour surveillance, and person location and person tracking have been complemented by requirements for biometrics, and the testing of employees for consumption of banned substances.

This series will inevitably concern itself primarily with information privacy. It will involve considerable focus on the Internet. The resource-page that accompanies this series provides access to an introductory paper on the Internet. Attention will also be paid to other telecommunications infrastructure, such as mobile telephony, cable and satellites. The scope of the series extends beyond information privacy, however, to embrace privacy of the person and privacy of personal behaviour.

PIT Countermeasures

One antidote to privacy-invasive technologies is the development and deployment of additional technologies that undermine the PITs.

This has been especially necessary in the computing and telecommunications arena. Security tools can be applied to protect personal data on servers and clients. The risks of data being intercepted by unauthorised parties can be addressed by the application of cryptography to channel protection. Particular forms of cryptography can, at least in principle, be applied to support the authentication of sender and receiver, and to deny the parties the ability to repudiate transactions that they have conducted. In practice, substantial infrastructure is necessary, and the techniques deployed to date are themselves highly privacy-invasive. Specific countermeasures have also been devised for particular techniques such as spam, cookies and single-pixel gifs (sometimes called 'web-bugs').

A number of pseudo-protections have also been created, such as privacy policy statements, trademarks, and what I call 'meta-brands' like Truste and WebTrust, which pretend to assure appropriate behaviour by web-site operators. The first article in the series will re-visit a particular web protocol that appeared to be a PIT countermeasure, but whose final design and implementation have fallen so far short of expectations that it has become just another pseudo-protection.

Savage PETs

The explosion in privacy-invasive technologies, and the challenges involved in devising and disseminating specific countermeasures has encouraged the investment of substantial effort in a generic countermeasure.

Many services have been prototyped, and some launched, which provide anonymity, and deny the ability for governments and corporations to associate data with an identified individual. On the Internet, a common means for achieving the effect is a succession of intermediary-operated services. Each intermediary knows the identities of the intermediaries adjacent to it in the chain, but has too little information to enable it to identify the prior and subsequent intermediaries. Even if it wants to, it cannot track the communication back to the originator or forward to the ultimate recipient. Examples of these savage PETs include anonymous remailers, web-surfing arrangements, and David Chaum's payer-anonymous ECash or Digicash.

Some of the more sophisticated tools enable a non-traceable identifier to be used over an extended period, and not only for the whole of a single session or conversation, but even over a long succession of episodes. Multiple such 'persistent nyms' may be acquired by a single person, which they can use to sustain independent personae, e.g. for different roles that they play. The design effectively precludes the personae from being related with one another, or with a person.

Denial of identity causes serious concern to law enforcement agencies, because it undermines accountability. That is to say that most people are likely to perform in a less responsible manner if they are able to escape the consequences of their actions. Regulatory measures can only be effective if entities can be made to take legal responsibility for negative consequences of their actions; and that is only possible if they can be found. I use the term 'savage PETs' for anonymity tools precisely because of this impact. On the other hand, the deterrent effect that arises from the possibility of retribution is only one form of (dis)incentive encouraging reasonable social behaviour.

Undoubtedly, untraceable electronic anonymity will be used by people with criminal intent. On the other hand, the electronic world creates new threats, and hence the level of anonymity available in the electronic world actually needs to be higher than that in the real world. Moreover, in some jurisdictions, there appear to be legal and even constitutional rights to anonymity in some contexts, such as political speech.

Anonymous schemes serve needs not just of individuals, but also of organisations. Examples of communications that organisations like to protect include accesses to patents databases; traffic analysis making the nature of an organisation's business apparent; whistleblowing; ephemeral internal communications (which might otherwise become subject to sub poena); headhunter communications with employees of other organisations; and overseas employees who need protection against local incursions into privacy.

Gentle PETs

Anonymity might be thought to set the balance sufficiently far in favour of individual freedom that cheats will prosper, and law and order will be too difficult to sustain. Is a 'middle way' feasible?

Very substantial protections could be provided for individuals' identities, but those protections could be breachable when particular conditions are fulfilled. This is the concept of 'pseudonymity', and I refer to technologies that implement it as 'gentle PETs'.

Fundamental to pseudonymity services are that:

The challenge confronting developers of gentle PETs is that the legal, organisational and technical protections need to be trustworthy. If the power to override them is in the hands of a person or organisation that flouts the conditions, then pseudonymity's value as a privacy protection collapses. Unfortunately, governments throughout history have shown themselves to be untrustworthy when their interests are too seriously threatened; and corporations are dedicated to shareholder value alone, and will only comply with the conditions when they are subject to sufficiently powerful preventative mechanisms and sanctions.


Time will tell whether gentle PETs will be capable of being devised that distribute power among multiple parties, and thereby justify trust. Unless and until they are designed, proven and deployed, it appears that PIT countermeasures and savage PETs will line up against the PITs, and engage in both guerilla warfare and direct conflict.

This series will analyse the ebb and flow of those battles. It will subject individual PITs and PETs to close examination. In doing so, the articles will investigate the scope for technology to play a determinative role in the survival of privacy as a human value, despite the ravages it is subject to.

Key References

Burkert H. (1997) 'Privacy-Enhancing Technologies: Typology, Critique, Vision' in Agre P.E. & Rotenberg M. (Eds.) (1997) 'Technology and Privacy: The New Landscape' MIT Press, 1997

Clarke R. (1994) 'Human Identification in Information Systems: Management Challenges and Public Policy Issues', Information Technology & People 7,4 (December 1994) 6-37, at

Clarke R. (1999) 'Identified, Anonymous and Pseudonymous Transactions: The Spectrum of Choice', Proc. Conf. User Identification & Privacy Protection, Stockholm, June 1999, at

Clarke R. (2001) 'The Origins of 'PIT' and 'PET'', at

EPIC (1996-) 'EPIC Online Guide to Practical Privacy Tools', at

Froomkin A.M. (1995) 'Anonymity and Its Enmities' 1995 J. Online L., at

IPCR (1995) 'Privacy-Enhancing Technologies: The Path to Anonymity' Information and Privacy Commissioner (Ontario, Canada) and Registratiekamer (The Netherlands), 2 vols., August 1995, at


This series is supplemented by a resource-page that will be maintained on an ongoing basis. PLPR readers are invited, and actively encouraged, to contribute sources and suggestions for enhancement to, and to bookmark the page for their own use and for communication to others.

xamaxsmall.gif missing
The content and infrastructure for these community service pages are provided by Roger Clarke through his consultancy company, Xamax.

From the site's beginnings in August 1994 until February 2009, the infrastructure was provided by the Australian National University. During that time, the site accumulated close to 30 million hits. It passed 50 million in early 2015.

Sponsored by Bunhybee Grasslands, the extended Clarke Family, Knights of the Spatchcock and their drummer
Xamax Consultancy Pty Ltd
ACN: 002 360 456
78 Sidaway St, Chapman ACT 2611 AUSTRALIA
Tel: +61 2 6288 6916

Created: 29 November 2000 - Last Amended: 28 February 2001; addition of FfE licence 5 March 2004 by Roger Clarke - Site Last Verified: 15 February 2009
This document is at
Mail to Webmaster   -    © Xamax Consultancy Pty Ltd, 1995-2013   -    Privacy Policy