Roger Clarke's Web-Site
© Xamax Consultancy Pty Ltd, 1995-2018
|Identity Matters||Other Topics||Waltzing Matilda||What's New|
Principal, Xamax Consultancy Pty Ltd, Canberra
Visiting Fellow, Department of Computer Science, Australian National University
Version of 13 December 2000
© Xamax Consultancy Pty Ltd, 1999
The original version of this paper appeared in the Proceedings of the 21st International Conference on Privacy and Personal Data Protection, pp.131-150, held in Hong Kong on 13-15 September 1999. This version appeared in Information Technology & People 14, 2 (Summer 2001) 206-231
This document is at http://www.rogerclarke.com/DV/PLT.html
Case was at a vending console at the end of a rank of payphones. The phone nearest him rang. Automatically, he picked it up. 'Yeah?'. 'Hello, Case. Wintermute, Case. It's time we talk'. He hung up. On his way back from the vending machine, he had to walk the length of the ranked phones. Each rang in turn as he passed, but only once.
Many long-standing technologies embody the ability to locate and track people. During the last couple of decades of the 20th century, new technologies have been developed which greatly increase those capabilities. The nature of these technologies is described, and the processes identified whereby they are being applied to the serious detriment of civil freedoms. Implications are drawn for technology-using organisations, for technology providers, for standards developers, for policy-makers, and for Privacy and Data Protection Commissioners.
The anti-utopian literature of the twentieth century (in particular Zamyatin 1922 and Orwell 1949) envisaged tight social control, with technology (in Orwell's case, ubiquitous video surveillance) playing a supporting role. Subsequent novels envisaged advanced and converged technologies becoming the primary means whereby social control is effected. The change was heralded in Brunner (1975) and developed in Gibson (1984), from which the prefatory quotation is taken. The 'cyberpunk' sci-fi genre that Gibson launched conceives of the extended information infrastructure as the key weapon of social control, enabling reliable and unavoidable location and tracking of each individual. A series of recent films (in particular, '1984', 'Bladerunner', 'Johnny Mnemonic', 'The Matrix', 'Enemy of the State' and 'Gattaca') has portrayed these patterns, and extended appreciation of the phenomenon to the general public.
Back in the real world, the perception arose in the 1960s and 1970s that what were then referred to as 'data processing' technologies had serious implications for personal and social freedoms. This is the subject of a considerable literature, such as Westin (1971), HEW (1973), Westin & Baker (1974), Rule (1974), Smith (1974-), Foucault (1977), Kling (1978), Rule et al (1980), OTA (1981), Burnham (1983), OTA (1985), OTA (1986), Roszak (1986), Clarke (1988) and Schwartz (1992). See also Clarke (1997b).
During the 1980s and 1990s, the various information technologies have been developing at a rapid pace. Moreover, telecommunications has been married with computing, and they are in the process of adopting robotics. It is therefore no longer adequate to think of information technologies as being merely about the processing of data. They are now biting into human behaviour much more directly, much more immediately, and much more deeply. At the turn of the new century, it is clear that the prevailing 'data protection' or 'fair information practices' movement has been, or at least has become, an utterly inadequate response to the incursions of technology into personal and social freedom (Clarke 1999a, 2000a).
Previous papers by the author have investigated the nature of human identification (Clarke 1994c in this journal, 1993b, 1994a, 1995, 1996d, 1997d, 1999b, 1999c, and 1999d). This paper examines the use of information technologies to locate people, and to track their movements and actions. There is a fairly limited literature in this area; but see, for example, Loudon (1986), Marx (1988), Agre (1994), Clarke (1996a), Marx (1998), Agre (1999) and Davies (1999).
The paper commences by defining terms, and outlining relevant technologies. It then considers the risks arising from their application, and the political economy of location and tracking. The paper concludes by identifying the implications of the argument for user-organisations, technology providers, standards organisations, policy-makers and watchdog agencies.
This section establishes the conceptual basis for the analysis. It first discusses the nature of various kinds of objects that are located and tracked. It then defines the terms used in the subsequent analysis.
A considerable amount of effort is expended to locate and track inanimate objects, including vehicles, equipment, cargo containers, pallets, cartons, and packages. The motivations include efficiency in production and logistics, and the security of assets.
Animals may also be located and tracked. In some circumstances, the particular animal may not be identified, as is the case with the detection of movement within secure spaces. In other cases, the specific animal may be identifiable, in particular where technologies developed for inanimate objects have been applied to animals.
Repugnant though the measurement of humans is (or at least has been, at various stages in human history), direct location and tracking of humans has also been undertaken; and there are current attempts by a variety of commercial, law-and-order and other interests to increase the prevalence and intrusiveness of these activities.
There is also a great deal of tracking of inanimate objects, whose underlying purpose is in part or in whole the tracking of a person whose location is reasonably inferred to be in close proximity to the object. Examples include the carriers of magnetic-stripe cards, the users of mobile phones, and the drivers of commercial vehicles such as taxis and trucks.
The analysis undertaken in this paper uses several terms in quite specific ways. This section explains those usages.
By an entity's location is meant a description of its whereabouts, in relation to other, known objects or reference points. Location can be ascertained with varying degrees of precision. The location of installed devices such as fixed ATMs and EFT/POS terminals may be quite exact. The locations of some EFT/POS terminals (e.g. those in taxis), and of small modems, codecs and Ethernet and other network interfacing cards, are all much more ambiguous. Devices such as cellular phones, and portable and hand-held computers, are designed to be mobile, and additional information is needed in order to draw inferences about their location at the time of a particular event. Until quite recently, most person-location techniques were limited to establishing where the person lived or worked. There are now mechanisms whereby a person's location at a specific point in time can be determined, in some cases only within a moderately sized geographical area, but in other cases very precisely.
Measures of location may be available with varying degrees of timeliness. By this is meant the lag that occurs between the event, and the availability to a person undertaking surveillance of the transaction data reflecting that event.
By tracking is meant the plotting of the trail, or sequence of locations, within a space that is followed by an entity over a period of time. The 'space' within which an entity's location is tracked is generally physical or geographical; but it may be virtual, e.g. a person's successive interactions with a particular organisation.
Due to timeliness limitations, data may only be able to be used for retrospective analysis of a path that was followed at some time in the past. A 'real-time' trace, on the other hand, enables the organisation undertaking the surveillance to know where the entity is at any particular point in time, with a degree of precision that may be as vague as a country, or as precise as a suburb, a building, or a set of co-ordinates accurate to within a few metres. Moreover, a person in possession of a real-time trace is in many circumstances able to infer the subject's immediate future path with some degree of confidence.
Given an amount of data about a person's past and present locations, the observer is likely to be able to impute aspects of the person's behaviour and intentions. Given data about multiple people, intersections can be computed, interactions can be inferred, and group behaviour, attitudes and intentions imputed.
Location technologies therefore provide, to parties that have access to the data, the power to make decisions about the entity subject to the surveillance, and hence to exercise control over it. Where the entity is a person, it enables those parties to make determinations, and to take action, for or against that person's interests. These determinations and actions may be based on place(s) where the person is, or place(s) where the person has been, but also on place(s) where the person is not, or has not been. Tracking technologies extend that power to the succession of places the person has been, and also to the place that they appear to be going.
The nature and extent of intrusiveness is dependent on a variety of characteristics of location and tracking technologies. An analysis is provided in the Appendix to this paper.
This section undertakes an analysis of relevant technologies and their applications. Some of these technologies have been designed for the express purpose of location and tracking, whereas others have delivered them as a by-product, or have been co-opted or subverted to that purpose. This section comprises the following sub-sections:
A variety of means is used to capture transaction data. Until the middle of the last century, the expression of transactions and records was largely limited to paper forms. During the third quarter of the century, administration moved to computer-based systems. Because the conversion of data into machine-readable format is expensive, organisations have an economic incentive to achieve direct capture into electronic form. These steps have dramatically increased the discoverability and accessibility of the data, and hence overcome many hitherto inherent privacy protections. In the process, organisations have been transferring the effort and costs involved in data capture from themselves to the people with whom they deal. Examples include keyboard input by customers at ATMs, and electronic lodgement of taxation returns by individuals or their paid agents.
In order to facilitate direct capture of data, it is common to use some form of purpose-designed artefact. Examples include:
An additional technology that has been used for many years for goods, and that has been applied to some kinds of interactions between people and organisations, is bar-coding, whereby a token such as a can, a carton, a form, or a card has pre-printed on it a particular pattern of bars that can be sensed by a scanning device.
Some technologies have been designed to associate a device or location identity with a transaction. Important among these are telephone sockets, and the interactions between telephone exchanges, which have for decades identified both the calling and the called subscriber-line.
The underlying technologies have been applied in a wide range of settings. The following segments identify some common instances, focussing firstly on the home, then on individuals' movements in physical space, then on financial transactions, and finally on the use of telecommunications services.
Relationships between clients and the organisations with which they deal give rise to standing data being stored about them, in many cases including their home-address. The assiduousness and timeliness with which these records are updated vary according to the nature of the relationship. Those which are most effective for organisations seeking to locate a person are the ones for which there is an intrinsic need for the person to maintain accuracy and up-to-dateness, or artificial incentives and/or disincentives that motivate the individual to do so. These include the databases of:
In addition, many European countries maintain inhabitant registration systems, and impose a legal requirement on residents to advise the relevant registrar when they change their home-address (Clarke 1994c, 1997d).
A database of especial sensitivity is the so-called 'white pages' that are published by telcos. Originally developed as a service primarily to other individuals, this has been co-opted by marketers and governments. As a result, a significant proportion of subscribers pay to be 'ex-directory' or have (relatively) 'silent' numbers (Katz 1996).
Most national governments record individuals' trans-border movements. In less free nations, this may even extend to some kinds of within-country movement.
Information about a household's activities, including the number of people present, can be inferred from the usage of utilities in the home, especially energy. This is particularly effective in the case of single-occupancy households, where interruptions to background levels of energy usage are highly correlated with the presence of the householder.
The recent emphasis on security in workplaces and living localities has resulted in a vast increase in the proportion of buildings to which building-access is regulated. Some of these merely require a key, or presentation of a token; but some of them, either incidentally, or as an intrinsic function, produce a record of individuals' movements into a building, out of it, and/or through various parts of it.
For decades, individuals have generated trails of their business dealings, in the forms of cheques drawn against their accounts, deposits into them, and loans and loan repayments. In technologically advanced countries, the payment of salary, wages and benefits in cash has been almost entirely replaced by direct deposits to employees' and welfare recipients' bank accounts, and hence there are intensive trails of such regular direct-credit transactions.
Since the end of the 1970s, automated teller machines (ATMs) have been used for cash-withdrawal transactions. Usage of ATMs typically involves more frequent, lower-value transactions than arose with manual withdrawals at bank-counters. This trail incidentally discloses much more about a person's movements than was previously the case.
Particularly since the 1970s, credit-cards have been increasingly used for high-value transactions, and, since the early 1990s, debit-cards (EFT/POS) have been adopted even more rapidly, for medium-value transactions. In both cases, a degree of substitution has occurred, whereby hitherto unrecorded and/or anonymous transactions have been converted into recorded, identified transactions.
As a result of these developments, an increasingly intensive trail of transactions has become available to financial services organisations. They have long sought ways to exploit the data, by using it for the marketing of their financial services (which most people would regard as at least potentially legitimate), but also for the marketing of other services (such as insurance and travel) by themselves, and also by related business units and companies (which, in the absence of consent, would be regarded by most consumers as an unjustified breach of privacy). In an era of 'strategic partnerships', customer confidentiality is increasingly under threat, as data exchange with other corporations offers the prospect of enhanced revenue and customer leverage, i.e. power. The confidentiality of consumer banking relationships is under serious threat.
For various reasons, government agencies have interests in gaining access to these intensive data-trails. To improve their relationships with banks, governments have been sensitive to their needs. For example, Australian banks are required in law to gather from new customers a considerable amount of evidence and data. This is in the banks' interests, because it enhances their ability to gather standing data and to authenticate it. It also increases customers' switching costs and hence increases customer-loyalty, at least as measured by the mechanistic criterion of 'churn' (customer-turnover).
The technology of the Public Switched Telephone Network (PSTN) necessarily involves some degree of location information, in order that a connection-path can be established, and sustained for the duration of the call. Rather than this data being ephemeral, however, the tendency over the past decades has been for the data to be recorded, stored, analysed, and made available to others. Telcos and technology providers have increasingly perceived commercial advantage to be afforded by this data-intensity, and have been complying with enthusiasm with requests from law enforcement and national security agencies to increase it.
Traffic-analysis data, also known as 'call-records', identify which specific locations called which other locations, and when. In some cases, the content of the conversation may also be recorded. There are laws regulating 'telephonic interception', and a warrant is generally required. However, there are loopholes, and law enforcement agencies and their friends in government agencies have actively sought to increase the number and scope of those loopholes (e.g. Greenleaf 1997). On telecommunications privacy generally, see Waters (1997).
In addition to retrospective records, the technology also supports real-time call-tracing, to enable the location of a caller to be known, while the call is in progress. This capability has nominally been limited to the telcos and law enforcement agencies (Henderson & McDonough 1998).
Since the mid-1980s, the PSTN has been supplemented by additional, mobile telephony services, including pagers (Chertkoff 1998), analogue and then digital telephones, and now satellite telephones. These present a very different pattern in relation to location and tracking (e.g. Waters et al. 1998). It is intrinsic to these technologies that the locations of caller and callee handsets need to be known within the radius of the particular geographical 'cell', which is of the order of 5-25km.
In addition, the practice of mobile telephony is such that a 'telephone number' has ceased to identify a socket into which a device was plugged which could be used by anyone who was in that location. In the new context, it identifies a device, which is carried by a readily identified or identifiable person. In the absence of compensating measures, this process represents a major step in the direction of a personal telephone number, with all the benefits to law enforcement agencies and threats to civil freedoms that this entails.
The explosion in Internet usage since the mid-1990s has brought with it new forms of location and tracking. There are considerable challenges involved in gathering court-quality evidence in relation to such matters as email and web traffic (Clarke et al. 1998a). The technology can be used, however, in many privacy-invasive ways. Moreover, technologists are actively developing new and enhanced forms of Internet-based location and tracking (Clarke 1998e). Successive attempts have been made by governments to adapt the underlying architecture of the Internet in order to facilitate surveillance, and more concerted attempts can be confidently anticipated.
An earlier section introduced the concept of artefacts used to facilitate the capture of location and tracking data. The categories of token have proliferated, and their sophistication has increased dramatically. For example, so-called 'smart cards' were developed in the mid-1970s, and are gradually entering into moderately widespread usage. These contain chips that provide electronic storage and in most cases computer processing power as well (Clarke 1993a, Clarke 1998c).
Written forms, and devices that read magnetic stripes and scan bar-codes, are apparent to the individual, and represent a statement that data is being recorded. A number of developments have occurred, however, that have the effect of obscuring the data collection activity from view. One motivation for these developments has been to simplify and increase the efficiency of processes; but they also avoid the individual realising that their location and activities are being tracked. One example of such a mechanism is contactless chip-cards. These depend on movement of the card through a magnetic field, which induces a current in the antenna embedded in the card, and enables the card to process data, and to transmit data. This technology is valuable in contexts where human movement is brisk and occurs in large volumes, such as entry and exit barriers in mass transit systems. It also creates a potential for transactions to be undertaken surreptitiously.
A contactless card operating in that manner is an example of a 'transponder'. A transponder is a device that, on receiving a particular signal, automatically responds. The response may be to amplify and re-transmit the same signal; or to transmit some predetermined message; or to transmit a message whose content is determined by a program running in a processor available to the transponder. For location and tracking purposes, transponders can be readily designed to transmit an identifier, and/or an indicator of location.
Operation of the devices described above is instigated externally, by another party. Some devices actively initiate transmissions. A mobile telephone is well-understood by its user to be able to initiate a communication, via the base-station that runs the local 'cell' in which the person is currently located, and hence the network of stations, to the desired addressee. What many mobile telephone users do not appreciate, however, is that, even while it is nominally 'off', or at least 'on standby', the device sends transmissions to the local tower, providing a stream of data that enables tracking of the person's movements. These are capable of being recorded and subsequently used and analysed.
A more recently introduced alternative is satellite telephone services. The satellite's orbit may be geo-stationary (but therefore about 36,000 km above the earth's equator, resulting in noticeable latency in transmission), or low-orbit (and therefore rapidly transiting across the sky, but overcoming most of the latency). Of the civilian schemes, MobileSat and Inmarsat are of the former variety, and Iridium the latter (Transair 1999). The handset needs to communicate its location to the satellite with sufficient accuracy to enable the satellite to select the appropriate spotbeam to use; hence the functional need would appear to be that fairly gross information about location needs to be surrendered, of the order of 150 km radius.
Meanwhile, telephony of all kinds has been adapted to provide the feature variously referred to as caller ID, calling-line identification (CLI) and calling-number display (CND) (Whittle 1997). This discloses to the call-recipient the number from which the call is being made. Such data has hitherto only been available to telcos, and (generally, but not always, only with warrant) to law enforcement agencies. It has been projected to consumers as a service for them; but its predominant usage is, as it was always going to be, by marketers.
A further set of technologies that is relevant to location and tracking is biometrics (Clarke 1994c, Tomko 1998, Cavoukian 1999). These depend on measures of some aspect of the person, or of some behaviour of the person, in order to identify them, or to authenticate their identity. Biometrics can be used in conjunction with tokens, or in substitution for them. They may be gathered openly; but some are amenable to surreptitious collection. They may be gathered with or without choice or meaningful consent.
Beyond biometric techniques that depend on existing characteristics of individuals, technologies have been developed that involve imposed identifiers. Currently, the most common of these technologies is the embedment of chip or chip-assemblies in carriers such as cards, products, packaging and cargo containers.
A further technology of great relevance is the Global Positioning System (GPS). This is a worldwide radio-navigation system that has been operational since about 1980. GPS uses the positions of satellites as reference points. By detecting and processing the signals broadcast by the satellites, GPS receivers compute the three dimensions of location (e.g. latitude, longitude and altitude), and time (Dana 1994, Trimble 1996, GPS 1999, Wormley 1999). Among other things, GPS receivers are used to define the position of the receiver, and hence of any person or thing adjacent to it.
Because of the considerable technical difficulties involved, the scope for error is substantial. For the primary (i.e. U.S. military) purposes, Standard GPS is accurate to within at worst 20 metres in each dimension, and milliseconds of time. Complex devices that apply Differential GPS (DGPS) are, on the other hand, claimed to be accurate within centimetres. Non-approved military uses, and hence civilian uses, are intentionally degraded, to an accuracy of 100-150 metres; or 1-10 metres with DGPS. Simple receivers can be purchased for a few hundred dollars.
GPS is an essentially passive mechanism, in that it does not involve any intrinsic disclosure by the GPS receiver to any other device. It can, however, be combined with transmitters and transponders to produce devices that disclose location to another party. Alternative services may also become available, although the U.S. national security community are manoeuvring to sustain their monopoly power over the technology's use.
During the 1990s, there has been an explosion in the use of video-surveillance equipment (previously referred to as closed circuit television - CCTV). The low-quality, grainy photographs typical of such technology have primarily been of symbolic value, and have had some effect of a preventative nature (discouraging crime in the targeted location, although commonly just resulting in it re-locating elsewhere). It does not appear to have become a significant forensic tool. Reproduction quality is improving, however, and its effectiveness, and hence intrusiveness, are therefore increasing (Dixon 1995, Davies 1996, PI 1997).
The analysis of data in order to assist location and tracking is dependent on pattern-recognition and pattern-matching technologies. These can be applied to structured data in transaction records, but also to numbers, text and fingerprints, and perhaps progressively to more complex images such as pictures of faces.
It is inadequate to just consider each technology in isolation. They are applied together in a variety of combinations, resulting in very powerful compound technologies. Examples include:
These developments are leading towards ubiquitous mobile computing and communications, which in turn portends ubiquitous location and tracking capabilities.
The rapid developments in technology identified in the preceding two sections are giving rise to a wide variety of additional and highly intrusive applications of location and tracking capabilities. The following segments identify instances that relate to the home, to individuals' movements in physical space, to financial transactions, and to the use of telecommunications services.
Conventional database technology has been applied to generate 'reverse white pages'. These disclose the address of a socket connected to the PSTN, and/or the identity of a subscriber. When coupled with caller-ID / CLI / CND, the facility enables a caller's identity and/or location to be established with confidence. Because it is generally being thrust upon an unsuspecting public, the majority of the public do not realise this.
To the extent that individuals come to understand the purpose to which these technologies are applied, this is likely to lead to a further increase in ex-directory listing, as well as increased cynicism about, and lying to, corporations and governments alike.
There appears to be increasing application of building-access technologies, and there will doubtless be moves to standardise the tokens. The records of individuals' movements arising from these applications are at present highly dispersed, but standardisation would create the propensity, and probably the tendency, to consolidate them.
The explosion of video-surveillance equipment, as a means whereby authorities can be seen to be doing something about law and order in public places, has a chilling effect, despite the very low degrees of functional effectiveness that it achieves. Some authors have perceived the exponential growth of these applications to be unavoidable. In particular Brin (1998) has argued that this undermines conventional approaches to privacy so comprehensively that (somehow) a fully open society should be ushered in immediately.
To date, video-surveillance records require manual assessment in order to identify individuals. The combination of video-surveillance with pattern-recognition and/or pattern-matching algorithms may, however, result in greater effectiveness and hence significant intrusiveness. Progress has been made in such areas as the encoding of fingerprints (e.g. the national scheme operated by the N.S.W. Police since 1988) and the automated recognition of vehicle licence-plates (e.g. the N.S.W. government's Safe-T-Cam scheme for monitoring long-distance truck driving).
A further major application area is 'intelligent transportation systems' (Agre & Harbs 1994, Alpert 1994, Halpern 1994, Wigan 1995, Lappin 1995, Wiesenfelder 1996). One purpose for these combinations of technology is to subject vehicles and their drivers to monitoring. Another is to impose the 'user-pays' principle on road transport. Where there is no (overt) need to identify the driver, e.g. for toll-payments, it is entirely feasible to implement effective systems using anonymous mechanisms, provided that the organisations that conceive, analyse, design and implement such schemes realise that there is a need for it (IPC 1998). Many current and emergent schemes, however, embody the presumption that all drivers will be pleased to disclose information about their whereabouts to the highway-operator. To date, anonymous cash continues to be an alternative means of payment on most such toll-roads; but the cost and delays involved in cash payment are likely to lead to the choice being subsequently withdrawn, resulting in a seriously privacy-invasive design. At least one major city (Melbourne) has converted a critical thoroughfare to a toll-road in such a manner that anonymous travel is no longer possible, because an identified card is the only manner of payment available (Clarke 2000b)..
In addition to various applications of biometrics, imposed identifiers in the form of computer chips have already been inserted into livestock and pets. U.S. dentists advertise services to embed them in children (to assist in the identification of lost, kidnapped and abducted children, and of dead children's bodies, e.g. Kidtrak). They have already been incorporated into prisoner-wear; and they will doubtless shortly find their way into their persons (e.g. as a means whereby paedophiles can be allowed out into the community). Another category of victim that is likely to be proposed in the near future is senile dementia patients. A Professor of Cybernetics at Reading University in the United Kingdom, has embedded a chip in himself, to enable simpler building access (Warwick 1998, and Reuters, September 1998, widely reported). That it had to be removed shortly afterwards because of infection was regarded as only a temporary setback.
The intensity and location-specificity of the data-trail created through ATM and EFT/POS transactions are continuing to increase (e.g. through the uptake of mobile terminals in taxis). If stored-value cards (SVCs) become popular and replace traditional cash, and are other than anonymous, then very serious additional inroads would be made. Evidence would be created about aspects of people's lives that have been hitherto unrecorded, because they were previously paid for using anonymous cash.
A further development is the proliferation of 'loyalty-schemes' which encourage the conversion of hitherto anonymous transactions into identified form. Such schemes could be devised to protect the individual's identity; but marketing organisations perceive additional value to exist in these data-trails, and, in the absence of consumer pressure, most schemes involve open identification.
Such trails support retrospective location and tracking, but may also create possibilities for 'real-time' locator mechanisms. For example, a case was reported in the mid-1990s in the United Kingdom, in which an extortionist who was progressively withdrawing the proceeds of his crime through ATMs was arrested in the vicinity of an ATM.
Caller ID / CLI / CND has a variety of applications. On the positive side, it might be applied to enable corporations and government agencies to place in front of the employee a range of information likely to be relevant to the call. In practice, its more important purposes are to capture data about callers, to filter callers, and even to 'red-line' them (i.e. relegate them down the queue). See Gandy (1993), Lee & LaRose (1994), Whittle 1997 and EPIC 1998.
The growth of mobile telephony has resulted in rapid change, and fixed-location, PSTN devices are no longer regarded as being the dominant service. This has the effect of undermining protections that have long existed in the conventional environment, and forcing public interest advocates to battle for equivalent, and in some cases necessarily for enhanced, protections, in the new context. This is very difficult, given the minuscule resources available to advocates, and the power that telcos, technology-providers and the law enforcement community have on their side, not only in resource terms, but also in their ability to withhold information and to mislead.
Linked with those developments are ongoing plans to augment, and perhaps in time replace, location-identifying numbers with personalised numbers. This is being portrayed as a service to consumers. It is, of course. But the design of the scheme is such that it offers great advantages to marketers and others who have an interest in locating and tracking subscribers; whereas it is entirely feasible to conceive, design and implement the scheme in a privacy-sensitive manner, if that need is recognised by technologists and scheme sponsors.
When location and tracking objectives are superimposed on telephony design, the existing auto-reporting by mobile devices of their location can deliver much more exact and timely surveillance data. One approach is for the base-station to use directed broadcasting, and hence locate the device down to a sector or quadrant of the base-station's area. Another is to have multiple, separately-located base-stations within each cell, such that triangulation is feasible. It appears that techniques such as this will enable location of a device down to within perhaps a 100 metre radius. Integration of GPS capabilities within the mobile device could, of course, narrow that down much further, to a precision of a few metres (ITU 1998a, 1998b, Kirby 2000).
It is of grave concern that voice telephony is being rapidly migrated towards technologies and applications that are designed to facilitate person-location and person-tracking; but the intrusiveness is yet more serious. Voice and data telecommunications are in the process of converging. The Internet protocols, and in particular TCP/IP, are likely to become the carriage mechanism for voice traffic. This means that IP-addresses and email-addresses, and hence text-based communications, and web-usage behaviour will increasingly fall within the rapidly growing web of corporate and State surveillance of voice telecommunications ( Clarke et al. 1998a, Clarke et al. 1998b). Forthcoming revisions to Internet infrastructure (specifically IPv6), offer the prospect of enhanced location capabilities, and hence yet greater intrusiveness.
Location and tracking are important functions, with an array of economic and social benefits. This paper focuses, however, on their downsides. These arise from individual technologies and the trails that they generate, from compounds of multiple technologies, and from amalgamated and cross-referenced trails captured using multiple technologies and arising in multiple contexts.
The fundamental concepts of dataveillance and the risks it embodies are examined in Clarke (1988). Individual dangers that are especially apparent in the context of location and tracking technologies include:
The degree of impact on each individual depends on their psychological profile and needs, and their personal circumstances, in particular what it is that they wish to hide, such as prior misdemeanours, habits, and life-style, or just the details of their personal life. Some categories of individual are in a particularly sensitive position. 'Persons-at-risk' is a useful term for people whose safety and/or state of mind are greatly threatened by the increasing intensity of data-trails, because discovery of their location is likely to be followed by the infliction of harm, or the imposition of pressure designed to repress the person's behaviour. Examples include VIPs, celebrities, notorieties, different-thinkers, victims of domestic violence, people in sensitive occupations such as prison management and psychiatric health care, protected witnesses, and undercover law enforcement and security operatives.
Of greater significance still are the social dangers that arise in a climate in which everyone is subject to being exposed, rightly or wrongly, as having performed particular acts. The result of such an environment would be a dramatic 'chilling effect' on artistic and scientific inventiveness, on engineering and economic innovativeness, and on political expression. Clarke (1988) examines these concerns.
It will be foolhardy to depend on pre-existing balances and protections to provide shelter from these changes. Most protections are, whether intentionally or otherwise, context- and technology-specific. Warrant-based-only access to old-fashioned personal data records is accidentally being replaced by open access to new forms of data; and the conversion of anonymous transactions into identified ones creates situations that were never protected because no protection was ever needed before.
There are tendencies for society to accept pseudo-imperatives, especially the ideas that technology determines social development ('it can be done, so it must be done'), that marketing is the driver ('the customers want it, so it must be done'), that economics is the driver ('it will improve the standard-of-living and/or employ people, so it must be done') and/or that cost-efficiency is obligatory and inevitable ('if it will reduce resource-usage, then it must be done'). These are routinely invoked by organisations interested in increasing the intensity of location and tracking data-trails and technologies. Their success during the last few decades reflects the recent dominance of the economic agenda over social interests.
Another continually-invoked mechanism is the 'soft-sell'. Chips are embedded first in pets that might become lost, and in children who might be abducted, and no doubt shortly in senile-dementia patients, about whom everyone has a guilty conscience. A supreme example of 'soft-sell' is the current manoeuvre by technology companies to enhance cellular telephone technology to enable pinpoint accuracy in locating and tracking handsets. The justifications advanced include enabling emergency services to reach targets more quickly, and parents to keep track of children. Behind these nominal, lofty sentiments lie a raft of commercial applications (in particular targeted advertising and customised, real-time services offerings), and law enforcement and social control objectives (e.g. Kirby 2000).
The ineffable 'law and order' argument is a frequent fallback, and after demanding biometrics from every prison-visitor, and imposing anklets on prisoners, the next step will logically be to present prisoners with a 'choice' between an embedded chip or some extremely unattractive alternative. Subscribing to the law-and-order imperative carries with it very serious democratic risks, because of the malleability of the notion of crime. There is plenty of evidence of co-option of the power of the State in support of corporate interests, in such areas as information and intellectual property, especially copyright infringement, but perhaps shortly also defamation. Other areas of compromise of the criminal law include 'sedition' and other forms of repression of political expression, and censorship of speech and image on the basis of sexual content.
These techniques are used to establish a beachhead. A variety of other metaphors are used to describe the process that is implemented in order to exploit it. One is the 'thin-end-of-the-wedge' technique; and another is 'function creep'. A third is the metaphor of the frog (or, some prefer, lobster) placed into tepid water, which is progressively warmed to lull the victim into sleeping, so that it fails to detect the trap and escape from the cooking-pot. Commercial organisations, coupled with social control elements of the public sector, are seeking greatly increased sources of personal data through which they can exercise power over consumers and citizens. They are applying these mechanisms to entrench the technologies and processes before public sentiment swings against them.
Assaults on freedom tend to stimulate opposition, and calls for regulation. Standard components of the privacy-invaders' repertoire include:
The extent to which the process can and will be resisted depends on a number of factors. These include the extent to which the populace is made aware of the import of technologies, and of the processes that are under way; the power of consumer and citizen groups and the media; the extent to which that power is brought to bear; and whether it is brought to bear before the technologies are successfully entrenched.
To the extent that the proponents of location and tracking technologies are successful, the question then arises as to the likelihood of resistance, whether it will be active or sullen, and the scope for subversion of the technologies and of the social institutions applying them.
As a matter of democratic principle, it is desirable that the tensions among the various interests be open, well-informed, and creative. In practice, it seldom is. The movement for enhanced dataveillance generally, and for greatly enhanced location and tracking capabilities in particular, is being conducted in a manner that precludes rational debate and democratic choice. Powerful economic and political interests are seeking to employ location and tracking technologies surreptitiously, to some degree because their effectiveness is greater that way, but mostly in order to pre-empt opposition.
The conclusions are inescapable that:
Location and tracking technologies represent only one of the elements of surveillance. The developments described in this paper represent enablers and enhancers of other surveillance capabilities, including data collection, data analysis (both retrospective and in 'real time'), data warehousing, data mining, data matching and profiling.
The implication for citizens and consumers is that the State and corporations are dramatically changing the balance between the rights of the individual and the powers of institutions. Action is necessary, both directly against the many different threads of these developments, and indirectly, in the form of sullen resistance by citizens and consumers against government authority and corporate power.
The following sub-sections identify implications for each of several categories of organisations, namely:
Many categories of powerful organisations are able to ignore public interest factors. The sources of their power include scale (such that individual governments are unable and/or unwilling to impose regulatory measures on them), employment dependence (in markets in which there is a shortage of employment opportunities, and workers will accept any imposition in order to earn a living), and information (because understanding about new technologies can be rationed). Such organisations' self-interests are probably best served by exploiting the technologies in the privacy-insensitive manners described in this paper, and 'riding out' negative publicity and consumer and citizen concerns.
Less powerful organisations, in particular the myriad small and medium-sized enterprises (SMEs) that are the lifeblood of many economies, are likely to feel the impact of public concerns to a greater extent. They may be well-advised to develop an awareness of the nature of privacy-invasive technologies (the PITs) generally, and person-location and person-tracking technologies in particular; and of the potential for consumer and citizen resistance. Such organisations may perceive value in producing public impact assessments for technologies and their applications (Clarke 1998b), and inviting active public participation in design processes (Clarke 1992).
A range of privacy-enhancing technologies (PETs) are emerging whose purpose is expressly to counter the invasiveness of the PITs (see the next section). There will be many opportunities for businesses to profit from providing such anonymisation services.
There can be little doubt, however, that large corporations and social control agencies will act against such services. Some enterprises will, variously for ideological and for business reasons, accept that pressure as a cost of doing business. Some will go underground, into the grey and black economies, where increasing numbers of individuals operate who prefer a different balance between freedom and security from that being imposed by their government. Many businesses will, however, succumb to the pressures.
An additional possibility exists, although to date little progress has been made. It would be entirely feasible to apply a range of privacy-sympathetic technologies (also further discussed in the next section). Rather than outright anonymity, these would offer pseudonymity, together with protections against discovery of the human identity behind a nym, but enabling organisations, in appropriate circumstances, to break through the veil. These, of course, will only be credible if the technical, organisational and legal protections are proof against abuse, in particular by the law enforcement and national security communities.
Many large technology providers are committed to the design and development of PITs that serve the needs of their clientele in business and government. They have no responsibility to reflect the broader public interest. They detect no disquiet from the public, because, as argued above, the public is largely unaware of the technologies' nature, impacts and implications. Such companies are therefore quite rationally sustaining their commitment to privacy-invasive technologies.
During the last decade, some technologists have begun devising and delivering privacy-enhancing technologies or PETs ( IPCR 1995. EPIC 1997, Clarke 1999b, Clarke 1999d). These are tools that directly assist the protection of the privacy interest. They generally aim to provide genuine, untraceable anonymity. A variety of technologists are actively designing, developing and delivering products of this kind. They represent a market-niche with considerable potential. Increasing numbers of people are going to become aware of the surveillance apparatus available to the State and to corporations, and will be variously nervous about it, and incensed with it. They will represent a substantial market for PETs. Moreover, the information infrastructure provides a rich set of opportunities for people to trade such products, and to hide their trails from social control agencies (Clarke 1997a), Clarke at al. 1998a).
It has been argued in Clarke (1995, 1996d, 1999b, 1999d and 1999e) that, because pseudonymity enables the veil of anonymity to be pierced, it therefore provides a context within which conventional forms of accountability can be sustained, and balance between privacy and accountability interests achieved. The opportunity exists for companies to produce privacy-sympathetic technologies, which will attract individuals who seek to temper their opposition to the State and corporate surveillance machinery.
Standards for technologies with substantial privacy implications need to be formulated with a clear appreciation of privacy concerns, and with a view to reconciling the at least partially conflicting interests of technology developers, technology users, and people affected by the technology.
It is the nature of network-based technologies (such as telex, fax, machine-readable storage, cable-based and mobile telephones, and smartcards) that standards need to be finalised before the suite of products is manufactured and deployed, and the service launched, because adaptation of such technologies after they are implemented is difficult and expensive.
Most participants in standards groups are employees of large corporations with an interest in the outcome. The only way in which standards groups can achieve clear appreciation of social concerns is for all relevant stakeholders to provide input during the specification and negotiation of the standard. Unfortunately, participation in standards processes by consumer and privacy advocates and representatives, and even by watchdog and policy agencies of governments, is at best limited and sporadic.
In the case of most national standards bodies (e.g. the American National Standards Institute - ANSI and Standards Australia), and formal international standards bodies (e.g. the International Standards Organisation - ISO and the International Telecommunication Union - ITU), other parties are welcome to participate, and there are even instances of formalised constitutional arrangements to ensure at least some representation of such interests. Multiple factors conspire, however, to make effective participation unusual, in particular the lack of people who can donate their time, inadequate understanding about the technology, and the lack of resources for travel. Meanwhile, some organisations that develop standards (e.g. the World Wide Web Consortium - W3C, and even more so the Global Business Dialogue on Electronic Commerce - GBDe) have limitations on participation in the process, in some cases of a constitutional nature, and in others because of the expensive fee to gain a seat at the table.
For example, by the third quarter of 1999, the standards process in relation to the embedment of location information into mobile phone technology had reached the stage of an advanced-draft standard. Yet the matter was entirely unknown to the world's Privacy and Data Protection Commissioners when it was drawn to their attention at their annual conference in September 1999. This has resulted in a draft that is very seriously privacy-hostile (ITU 1998a, 1998b).
If standards organisations want to be aware when they are producing specifications that are privacy-invasive, and want to avoid the inevitable consumer and citizen suspicion that such specifications are leading to, then they need to ensure comprehensive and effective representation of stakeholders in standards-development processes. Because of the grossly unequal financial capabilities of the various interests, this is likely to imply adaptations of established processes, and subsidies to consumer and privacy advocates and representatives.
During recent decades, the formation of government policy has been largely dominated by economic factors, and the predominant ideology of economic rationalism has marginalised social objectives. Governments have subscribed to the nonsense of corporate 'self-regulation' (whose emptiness was addressed in Clarke 1999a). When forced to at least pay lip-service to their responsibilities to protect public interests, governments have fallen back on notions such as 'light-touch' legislation, in order to minimise impositions on business.
Governments can continue to do this; but they do so at the risk of public cynicism about their motives rising still further, and of citizen compliance with the law decreasing. Governments may respond with rhetoric about protecting the public; but they will be seriously constrained by the power of executives in government agencies and corporations. It is therefore likely that there will be only a limited amount of substantive regulation imposed on the burgeoning surveillance technologies and activities.
Governments that are genuinely interested in balancing law and order interests against privacy concerns will need to stand firm against the lobbying and direct action from within and without government. They will need to confront the simple fact that sustaining freedoms inevitably implies permissiveness of illegal behaviour that is in principle detectable and even preventable.
Examples of policies that need to be pursued include:
If those few agencies that are motivated to press for balance are to have any impact on government policies, they need to be strongly supported by public interest advocates and representatives, and to maintain a positive approach to dealing with the media, despite the considerable pressure that they inevitably experience from social control elements within government, and from corporations.
The analysis above leads to the conclusions not only that location and tracking technology is rampant, but also that there is currently no effective process within society whereby information reaches the public, countervailing power is applied, and balancing processes are stimulated.
It might be expected that Privacy and Data Protection Commissioners would have a significant role to play in this process. On the other hand, many Commissioners are severely limited in regard to the scope of their purview, and the extent to which they are able to play a role in policy-formation. For example, many are constrained to mere 'data protection', rather than to 'privacy', and hence have little or no formal authority in relation to the protection of people. Moreover, some Commissioners avoid exercising the scope available to them. In many cases, this is because they are heavily dependent on government for resources, and avoid active and especially public debate about government policy, because this represents biting 'the hand that feeds the watchdog'. Others have been effectively captured by the organisations they are supposed to regulate (Clarke 2000a).
Each Commissioner needs to give serious consideration as to the extent to which they should not operate as mere public officials, administering a statute, but should be activist and, where appropriate, even alarmist. At the very least, most Commissioners have a formal responsibility to undertake research, and to inform the public. This implies that they need to conduct or sponsor deeper assessments of technologies and processes such as those examined in this paper, publish formal reports, disseminate information sheets and media releases, and run public briefing sessions and workshops.
In Clarke (1988), this author drew attention to the technologies of dataveillance as a being a serious threat to people, and to relationships between people and organisations in the public and private sectors. This paper has examined the dramatic progress since that time in a particular sub-set of dataveillance technologies, those which enable the monitoring of the whereabouts of an individual, and the tracking of people's movements.
Efficiency-engendering technologies that are appropriate to manufactured objects are being applied to humans. This undermines public confidence, and threatens the social fabric. Each society has an endurance limit in relation to privacy invasion and de-humanisation, and the more well-to-do societies are already reaching those limits. It is urgent that concerted efforts be invested by the public and watchdog agencies to force governments and corporations out of their mechanistic mind-sets, and require privacy-sensitivity in the design and application of inherently invasive technologies.
The Appendix to this paper presents a tentative analysis of characteristics of person-location and person-tracking technologies that influence their degree of privacy-intrusiveness.
An earlier version of this paper appears at pp.131-150 of the Proceedings of the 21st International Conference on Privacy and Personal Data Protection, held in Hong Kong on 13-15 September 1999. It was developed in response to an invitation by Hong Kong Commissioner Stephen Lau, and session chair Marc Rotenberg of EPIC, to address the world's Privacy and Data Protection Commissioners, reflecting on the import of a series of recent films.
The assistance is acknowledged of Phil Agre of U.C.L.A., Nigel Waters of Sydney, and Nicholas Marks of Canberra. Responsibility for the content of the article is mine alone.
Agre P.E. (1994) 'Surveillance and capture: Two models of privacy' The Information Society, 10, 2 (Apr-Jun 1994) 101-127
Agre P.E. (1999) 'Imagining Surveillance: Notes on 1984 and Enemy of the State' Proc. 21st International Conf. on Privacy and Personal Data Protection, Hong Kong, 13-15 September 1999, at http://dlis.gseis.ucla.edu/people/pagre/imagining.html
Agre P.E. & Harbs C.A. (1994) 'Social Choice about Privacy: Intelligent Vehicle-highway Systems in the United States', Information Technology & People 7, 4, (1994) 63-90, at http://www.mcb.co.uk/services/articles/liblink/itp/agre.htm
Agre P.E. & Rotenberg M. (Eds.) (1997) 'Technology and Privacy: The New Landscape' MIT Press, Cambridge Mass., 1997
Alpert S. (1994) 'Privacy on Intelligent Highway: Finding the Right of Way', Santa Clara Computer and High Technology Law Journal, 11, 1
Burnham D. (1983) 'The Rise of the Computer State' Random House, New York, 1983
Cavoukian A. (1999) 'Privacy and Biometrics' , Proc. 21st International Conference on Privacy and Personal Data Protection, Hong Kong, 13-15 September 1999, pp. 10-18
Chertkoff R. (1998) 'Alphanumeric Pagers', at http://www-bcf.usc.edu/~wdutton/comm533/Ap-che.htm
Clarke R. (1988) 'Information Technology and Dataveillance' Comm. ACM 31,5 (May 1988) Re-published in C. Dunlop and R. Kling (Eds.), 'Controversies in Computing', Academic Press, 1991, at http://www.rogerclarke.com/DV/CACM88.html
Clarke R. (1992) 'Extra-Organisational Systems: A Challenge to the Software Engineering Paradigm', Proc. IFIP World Congress, Madrid, September 1992, at http://www.rogerclarke.com/SOS/PaperExtraOrgSys.html
Clarke R. (1993a) 'Introduction to Chip-Cards and Smart Cards', at http://www.rogerclarke.com/EC/ChipIntro.html
Clarke R. (1993b) 'Computer Matching and Digital Identity', Proc. Conf. Computers, Freedom & Privacy, San Francisco, March 1993, at http://www.rogerclarke.com/DV/CFP93.html
Clarke R. (1994a) 'The Digital Persona and its Application to Data Surveillance', The Information Society 10, 2 (June 1994)', at http://www.rogerclarke.com/DV/DigPersona.html
Clarke R. (1994b) 'Information Technology: Weapon of Authoritarianism or Tool of Democracy?' Proc. IFIP World Congress, Hamburg, September 1994, at http://www.rogerclarke.com/DV/PaperAuthism.html
Clarke R. (1994c) 'Human Identification in Information Systems: Management Challenges and Public Policy Issues', Information Technology & People 7,4 (December 1994) 6-37, at http://www.rogerclarke.com/DV/HumanID.html
Clarke R. (1995) 'When Do They Need to Know 'Whodunnit?' The Justification for Transaction Identification: The Scope for Transaction Anonymity and Pseudonymity' Proc. Conf. Computers, Freedom & Privacy, San Francisco, 31 March 1995, at http://www.rogerclarke.com/DV/PaperCFP95.html
Clarke R. (1996a) 'Trails in the Sand', May 1996, at http://www.rogerclarke.com/DV/Trails.html
Clarke R. (1996b) 'Message Transmission Security (or 'Cryptography in Plain Text')' Privacy Law & Policy Reporter 3, 2 (May 1996), pp. 24-27, at http://www.rogerclarke.com//II/CryptoSecy.html
Clarke R. (1996c) 'A Vision of Consumer Payments Futures', at http://www.rogerclarke.com/EC/VADER.html
Clarke R. (1996d) 'Identification, Anonymity and Pseudonymity in Consumer Transactions: A Vital Systems Design and Public Policy Issue' Proc. Conf. 'Smart Cards: The Issues', Sydney, 18 October 1996, at http://www.rogerclarke.com/DV/AnonPsPol.html
Clarke R. (1997a) 'Regulating Financial Services in the Marketspace: The Public's Interests', Proc. Conf. 'Electronic Commerce: Regulating Financial Services in the Marketspace', Australian Securities Commission, Sydney, 4-5 February 1997, at http://www.rogerclarke.com/EC/ASC97.html
Clarke R. (1997b) 'Introduction and Definitions', August 1997, at http://www.rogerclarke.com/DV/Intro.html
Clarke R. (1997c) 'Public Interests on the Electronic Frontier', Invited Address to IT Security '97, 14 & 15 August 1997, Rydges Canberra (August 1997), http://www.rogerclarke.com/II/IIRSecy97.html
Clarke R. (1997d) 'Chip-Based ID: Promise and Peril', for the International Conference on Privacy, Montreal (September 1997), at http://www.rogerclarke.com/DV/IDCards97.html
Clarke R. (1998a) 'Direct Marketing and Privacy', Proc. AIC Conf. on the Direct Distribution of Financial Services, Sydney, 24 February 1998, at http://www.rogerclarke.com/DV/DirectMkting.html
Clarke R. (1998b) 'Privacy Impact Assessments', at http://www.rogerclarke.com/DV/PIA.html
Clarke R. (1998c) 'Smart Card Technical Issues Starter Kit', Centrelink, April 1998, at http://www.rogerclarke.com/DV/SCTISK.html
Clarke R. (1998d) 'Public Key Infrastructure: Position Statement', May 1998, at http://www.rogerclarke.com/DV/PKIPosn.html
Clarke R. (1998e) 'Information Privacy On the Internet: Cyberspace Invades Personal Space' Telecommunication Journal of Australia 48, 2 (May/June1998), at http://www.rogerclarke.com/DV/IPrivacy.html
Clarke R. (1999a) 'Internet Privacy Concerns Confirm the Case for Intervention', Communications of the ACM 42, 2 (February 1999), at http://www.rogerclarke.com/DV/CACM99.html
Clarke R. (1999b) 'The Legal Context of Privacy-Enhancing and Privacy-Sympathetic Technologies', April 1999, at http://www.rogerclarke.com/DV/Florham.html
Clarke R. (1999c) 'Notes on a Panel Session on Anonymity and Identity in Cyberspace', Computers, Freedom & Privacy Conference, April 1999, at http://www.rogerclarke.com/DV/NotesCFP99.html#AnonId
Clarke R. (1999d) 'Privacy-Enhancing and Privacy-Sympathetic Technologies - Resources', April 1999, at http://www.rogerclarke.com/DV/PEPST.html
Clarke R. (1999e) 'Identified, Anonymous and Pseudonymous Transactions: The Spectrum of Choice' Proc. User Identification & Privacy Protection Conference, Stockholm, 14-15 June 1999, at http://www.rogerclarke.com/DV/UIPP99.html
Clarke R. (2000a) 'Beyond the OECD Guidelines: Privacy Protection for the 21st Century', January 2000, at http://www.rogerclarke.com/DV/PP21C.html
Clarke R. (2000b) 'How to Ensure That Privacy Concerns Don't Undermine e-Transport Investments', Proc. AIC e-Transport Conference, Melbourne, July 2000, at http://www.rogerclarke.com/EC/eTP.html
Clarke R., Dempsey G., Ooi C.N. & O'Connor R.F. (1998a) `Technological Aspects of Internet Crime Prevention', Proc. Conf. 'Internet Crime', Australian Institute for Criminology, Melbourne University, 16-17 February 1998, at http://www.rogerclarke.com/II/ICrimPrev.html
Clarke R., Dempsey G., Ooi C.N. & O'Connor R.F. (1998b) 'A Primer on Internet Technology', at http://www.rogerclarke.com/II/IPrimer.html
Dana P.H. (1994) 'Global Positioning System Overview', at http://www.utexas.edu/depts/grg/gcraft/notes/gps/gps.html, accessed 10 July 1999
Davies S. (1996) 'Monitor: Extinguishing Privacy on the Information Superhighway', Pan Macmillan Australia, 1996, reviewed at http://www.rogerclarke.com/DV/Monitor.html
Davies S. (1999) 'Big Brother at the Box Office: Electronic Visual Surveillance and the Big Screen', Proc. 21st International Conference on Privacy and Personal Data Protection, Hong Kong, 13-15 September 1999, pp.151-160
Dixon T. (1995) 'Invisible Eyes: Report on Video Surveillance in the Workplace', Privacy Committee of N.S.W., Report No.67, August 1995, , at http://www.austlii.edu.au/au/other/privacy/video/index.html
EPIC (1997) 'EPIC Online Guide to Practical Privacy Tools', at http://www.epic.org/privacy/tools.html
EPIC (1998) 'Caller ID', 1998, at http://www.epic.org/privacy/caller_id/
Foucault M. (1977) 'Discipline and Punish: The Birth of the Prison' Peregrine, London, 1975, trans. 1977
Gandy O.H. (1993) 'The Panoptic Sort: A Political Economy of Personal Information' Westview, Boulder CO, 1993
Garfinkel S.L. (1994) 'Nobody Fucks with the DMV: The government is using your driver's license to play Big Brother' Wired 2.02 (Feb 1994), at http://www.wired.com/wired/archive/2.02/dmv_pr.html
Gibson W. (1984) 'Neuromancer', Victor Gollancz, 1984. The (lightly edited) quotation in the Introduction to this paper is from p.121 in the Grafton Edition, 1986
GPS (1999) 'GPS Tutorial', Gemini Positioning Systems Ltd, at http://www.gps1.com/tutorial.htm, accessed 10 July 1999
Greenleaf G.W. (1997) 'Call data - no warrants needed' Privacy Law & Policy Reporter 3, 10 (February 1997) 182, at http://www.austlii.edu.au/au/other/plpr/vol3No10/v03n10b.html#3_PLPR_182
Greenleaf G.W. & Clarke R. (1997) 'Privacy Implications of Digital Signatures' Proc. Conf. Digital Signatures, Sydney, 12 March 1997, at http://www.rogerclarke.com/DV/DigSig.html
Halpern, S.W. (1994) 'The Traffic in Souls: Privacy Interests and the Intelligent Vehicle-Highway Systems', Santa Clara Computer and High Technology Law Journal, 11, 1
Henderson A. & McDonough A. (1998) 'Examining Call Monitoring Legalities and the Development of Regulation', Gilbert & Tobin, September 1998, at http://www.gtlaw.com.au/pubs/callcentres.html
HEW (1973) 'Records, Computers and the Rights of Citizens' U.S. Dept. of Health, Education and Welfare, Secretary's Advisory Committee on Automated Personal Data Systems, MIT Press, Cambridge. Mass., 1973
IPC (1998) '407 Express Toll Route: How You Can Travel This Road Anonymously', Information and PrivacyCommissioner/Ontario, May 1998, at http://www.ipc.on.ca/web_site.eng/matters/sum_pap/papers/407.htm
IPCR (1995) 'Privacy-Enhancing Technologies: The Path to Anonymity' Information and Privacy Commissioner (Ontario, Canada) and Registratiekamer (The Netherlands), 2 vols., August 1995, at http://www.ipc.on.ca/web%5Fsite.eng/matters/sum%5Fpap/papers/anon%2De.htm
ITSA (1995-2000) 'Interim Intelligent Transportation Systems Fair Information and Privacy Principles', 1995, revs. 1999 and 2000, at ITSA, accessed 13 December 2000
ITU (1998a) 'Public land mobile communication systems location', International Telecommunication Union, M.624, March 1998
ITU (1998b) 'Automatic determination of location and guidance in the land mobile services', International Telecommunication Union, M.1307, May 1998
Katz J.E. (1996) 'Understanding communication privacy: Unlisted telephone subscribers in the United States' The Information Society 12, 4 (Oct-Dec 1996) 407-423
Kirby C. (2000) 'New Technology Can Pinpoint Cell-Phone Users' Locations' San Francisco Chronicle, 23 October 2000, at http://www.sfgate.com/cgi-bin/article.cgi?file=/chronicle/archive/2000/10/23/BU77211.DTL
Lappin T. (1995) 'Truckin'' Wired 3.01 (Jan 1995), at http://www.wired.com/wired/archive/3.01/truckin_pr.html
Laudon K. 1986) 'The Dossier Society: Value Choices in the Design of National Information Systems' Columbia University Press, New York
Lee L.T. & LaRose R. (1994) 'Caller ID and the meaning of privacy' The Information Society 10, 4 (Oct-Dec 1994) 247-265
Marx, G.T. (1988) 'Undercover: Police Surveillance in America' Uni. of California Press, 1988
Marx G.T. (1998) 'An Ethics For The New Surveillance' The Information Society 14, 3 (July-September 1998), pp. 171-184
OTA (1981) 'Computer-Based National Information Systems: Technology and Public Policy Issues' Office of Technology Assessment, Congress of the United States, Washington DC (September 1981)
OTA (1985) 'Electronic Surveillance and Civil Liberties' OTA-CIT-293, U.S. Govt Printing Office, Washington DC, October 1985
OTA (1986) 'Federal Government Information Technology: Electronic Record Systems and Individual Privacy' OTA-CIT-296, U.S. Govt Printing Office, Washington DC, June 1985
PI (1997) 'Video Surveillance', at http://www.privacy.org/pi/issues/cctv/
Roszak T. (1986) 'The Cult of Information' Pantheon, 1986
Rule, J.B. (1974) 'Private Lives and Public Surveillance: Social Control in the Computer Age', Schocken Books, 1974.
Rule. J.B. McAdam, D. Stearns, L. and Uglow, D. (1980) 'The Politics of Privacy', New American Library, 1980
Schwartz P. (1992) 'Data Processing and Government Administration: The Failure of the American Legal Response to the Computer', Hastings Law Journal, 43, 5, 1321-89
Smith R.E. (ed.) (1974-) ' Privacy Journal', monthly since November 1974
Tomko G. (1998) 'Biometrics as a Privacy-Enhancing Technology: Friend or Foe of Privacy?' Proc. Conf. Privacy Laws & Business, 9th Privacy Commissioners' / Data Protection Authorities Workshop, Santiago de Compostela, Spain, September 1998, at http://www.dss.state.ct.us/digital/tomko.htm
Transair (1999) 'Hints on Choosing a Satellite Phone', at http://www.networx.net.au/~transair/hints.html
Trimble (1996) 'All About GPS', Trimble Navigation Limited, at http://www.trimble.com/gps/index.htm, accessed 10 July 1999
Warwick K. (1998) 'Implant - Facts', at http://cyber.rdg.ac.uk/K.Warwick/WWW/facts.htm
Waters N. (1997) (Ed.) 'Telecommunications: the privacy front line' Special Issue of Privacy Law & Policy Reporter 4, 6 (November 1997) 101-114
Waters P., Simpson A. & McDonough A. (1998) 'Mobile Services In Australia: A Mobile Phone In Every Pocket', Gilbert & Tobin, October 1998, at http://www.gtlaw.com.au/pubs/mobileservices.html
Westin, A.F., Ed. (1971) 'Information Technology in a Democracy', Harvard University Press, Cambridge, Mass., 1971
Westin A.F. & Baker M.A. (1974) 'Databanks in a Free Society: Computers, Record-Keeping and Privacy' Quadrangle 1974
Whittle R. (1997) 'Calling Number Display - CND', at http://www.ozemail.com.au/~firstpr/cnd/
Wiesenfelder J. (1996) 'The Information Superhighway (This is not a metaphor)', Wired 4.02, Feb 1996, at http://www.wired.com/wired/archive/4.02/smart.cars_pr.html
Wigan M.R. (1995) 'The realizability of the potential benefits of intelligent vehicle-highway systems: the influence of public acceptance', Information Technology and People, 7, 4 (1995) 48-62
Wormley S. (1999) 'Global Positioning System Resources', http://www.cnde.iastate.edu/gps.html, accessed 10 July 1999
The content and infrastructure for these community service pages are provided by Roger Clarke through his consultancy company, Xamax.
From the site's beginnings in August 1994 until February 2009, the infrastructure was provided by the Australian National University. During that time, the site accumulated close to 30 million hits. It passed 50 million in early 2015.
Sponsored by Bunhybee Grasslands, the extended Clarke Family, Knights of the Spatchcock and their drummer
Xamax Consultancy Pty Ltd
ACN: 002 360 456
78 Sidaway St, Chapman ACT 2611 AUSTRALIA
Tel: +61 2 6288 6916
Created: 28 June 1999 - Last Amended: 13 November 2000 by Roger Clarke - Site Last Verified: 15 February 2009
This document is at www.rogerclarke.com/DV/PLT.html