Principal, Xamax Consultancy Pty Ltd, Canberra
Visiting Fellow, Department of Computer Science, Australian National University
Version of 24 February 1993
© Xamax Consultancy Pty Ltd, 1993
This document is at http://www.anu.edu.au/people/Roger.Clarke/DV/PaperScared.html
There is mutual incomprehension between the public and executives and officers in the public sector. It is up to the public sector public relations apparatus to educate the public about the role, the professionalism and the commitment of agencies and their staff. The majority of the public are not in a position to communicate their points of view. This paper is a privacy advocate's explanation as to why the public distrusts, fears and in some cases loathes the public sector.
Background is provided to information privacy, and to the related matters of dataveillance of the digital persona and identification of the individual. Key aspects of the nature of contemporary government organisation and operation are identified. A series of public sector sins is then catalogued, and examples given. Recent trends in data-intensity and privacy-invasiveness are projected into scenarios which look black for individual freedoms and progressively darker for the manageability of society. The paper concludes with proposals as to what must be done if the privacy insensitivity is to be overcome and a balance achieved.
The public is scared of government agencies and especially of the phalanx of agencies which make up governments as a whole. Many of the fears that beset people are only ever communicated in the grey world of the tabloid press and talk-back radio. Public service officers are routinely appalled by the emotiveness of the arguments, and the misunderstandings and factual errors involved. As a result, a gulf exists between the perceptions of the public and the public sector. This paper sets out to identify and discuss the reasons for public fear in analytical rather than simply emotive fashion. Senior executives must appreciate that the public's fears are not entirely irrational, and that the problems must be confronted rather than ignored or belittled.
No attempt is made in this paper to balance the individual's interest in privacy against other personal, community and societal considerations. This is, of course, necessary, but there are just so many fears to be catalogued and explained that achieving an appropriate balance requires at least one additional paper. More balanced consideration of privacy matters is to be found in Kling (1978), Laudon (1986), Clarke (1987, 1988, 1992 and 1993), Flaherty (1989) and Bennett (1992).
The paper commences by providing background firstly to the privacy interest and then to contmeporary government. This establishes a framework within which it is possible to identify and describe particular acts and practices which contribute to public nervousness.
Information privacy is the interest of individuals in knowing about, and controlling or at least constraining the collection, storage, dissemination and use of information about themselves. It must be recognised that this 'right to be let alone' necessarily implies some degree of 'right to get away with misdemeanours', and a calculated compromise of society's ability to prevent criminal acts and to prosecute criminals.
Privacy is an interest which is interpreted and valued differently in different cultures, and by people with different philosophical, religious and ideological outlooks. For example, those people who place strong emphasis on individualism, incentive and minimal state interventionism tend to highly value privacy, whereas those who are attracted by the notion of a 'welfare state' and strongly support law and order and social discipline generally value it less highly. Support for privacy protections is to be found as much on the conservative 'right' wing of politics as on the liberal 'left'.
Several components need to be distinguished:
This paper is primarily concerned with the last of these components of privacy.
Information privacy is a relatively recent preoccupation. Until the last few decades, it was not necessary for people to express concern about it, or for Parliaments to create laws protecting it. This was because of the highly dispersed nature of data storage, the difficulty of finding data when it was wanted, and the difficulty of copying and transmitting the data once it was found; in other words, information privacy was protected by the enormous inefficiency of data handling. During the 1960s and 1970s, there was a significant growth in the level of concern about privacy protection (or 'data protection', as it is referred to on the Continent). Between 1970 and 1985, virtually all advanced western nations legislated to create 'fair information practices' requirements, and in 1980 the OECD promulgated a set of international guidelines.
Australia was much slower to come to grips with the need for privacy protections. Indeed, in the mid-1980s a senior Australian Cabinet Minister went so far as to denigrate is as 'a bourgeois value'. After considering and rejecting one of the most privacy-invasive national identification schemes ever proposed in any democracy, Australia eventually followed other countries and passed a 1975-style statute in late 1988. Because of the enormous developments in information technology which have taken place in the intervening years, the Privacy Commissioner whose office was created by that Act faces great challenges in regulating practices not contemplated by the legislative draftsman.
During the last seventy years, a series of anti-utopian novels has chilled us with descriptions of imagined futures in which governments use information technology to exercise control over society (Zamyatin 1922, Huxley 1932, Orwell 1948, Bradley 1953, Brunner 1975). The movement underlying these artistic interpretations is described as data surveillance, or in shortened form 'dataveillance' (Clarke 1988).
Dataveillance is the systematic use of personal data systems in the investigation or monitoring of the actions or communications of one or more persons. Two kinds need to be distinguished: personal dataveillance, in which an identified person is monitored, generally for a specific reason; and mass dataveillance, which is of groups of people, generally to identify individuals of interest.
Dataveillance differs from conventional surveillance in several respects. One of particular importance is that it involves monitoring not of the individual, but of the individual's data shadow or 'digital persona'. In Jungian psychology, the anima is the inner personality, turned towards the unconscious, and the persona is the public personality that is presented to the world. The only persona that Jung knew was that based on appearance and behaviour. With the increased data-intensity of the second half of the twentieth century, Jung's persona has been supplemented, and to some extent replaced, by the summation of the data available about an individual. The digital persona is a model of an individual's public personality based on data, and intended for use as a proxy for the individual. The technique is threatening, reminiscent as it is of the voodoo technique of sticking pins in an (iconic) model or doll.
There is a critical economic difference between conventional forms of surveillance and dataveillance. Physical surveillance is expensive because it requires the application of considerable resources. With a few exceptions (such as East Germany under the Stasi, Romania, and China during its more extreme phases), this expense has been sufficient to restrict the use of surveillance. Admittedly the selection criteria used by surveillance agencies have not always accorded with what the citizenry might have preferred, but at least its extent was limited. The effect was that in most countries the abuses affected particular individuals who had attracted the attention of the State, but were not so pervasive that artistic and political freedoms were widely constrained.
Dataveillance changes all that. Dataveillance is relatively very cheap, and getting cheaper all the time, thanks to progress in information technology. The economic limitations are overcome, and the digital persona can be monitored with thoroughness and frequency, and surveillance extended to whole populations. Limited use of expensive physical surveillance of people is supplanted by widespread use of cheap dataveillance of digital persona. The conclusion reached by an anti-utopia writer was that "the mass of the public no longer has any contact with government; all they know is that if they step out of line they'll be trodden on" (Brunner 1975, p.158).
The information-based powers which government agencies are developing and refining are capable of fostering yet more substantial public fears. In the future, governments which are so minded will be well-placed to identify people unsympathetic to their point of view and policies, stunt their influence by discrediting them through adroitly used information and misinformation, and keep them from positions of power. Beyond intellectual repression, the power will increasingly be available to identify and neutralise (or eliminate) individuals of classes they consider degenerate, be it on traditional bases such as race, or behavioural factors such as homosexuality, or physical and genetic characteristics, such as cystic fibrosis, suicidal tendency and colour blindness. To at least one observer, the dominant metaphor for social control is in transition towards that of the prison (Foucault 1975).
For dataveillance to be used as a weapon of social control, each individual must be identifiable on a consistent basis, and new data must be readily and reliably associated with that person, and with data already held about them. There are, however, many difficulties involved.
Organisations which use personal data systems construct, more or less consciously, a basis for human identification which they deem to be appropriate to their particular needs (Clarke 1989). In principle, the most effective person-identifiers are physiologically based (and are sometimes referred to as 'biometrics' or 'physiometrics'). They may be a natural characteristic, or an imposed feature such as a brand or an implanted microchip (both of which are used with other animals). Some of the natural features which have been applied or proposed include facial appearance, fingerprints, teeth, retinal prints and, most recently, DNA prints. Fingerprints have long been used in criminal investigation, and various physiological identifiers are currently being applied to building security. However, no biometric identification system has yet been sufficiently economic, impervious to intelligent evasion and fraud, and socially acceptable that it has come into general usage. Virtually all administrative systems use more prosaic identification techniques.
For social purposes, people are identified by their names, and some organisations use names as a person-identifier. For administrative purposes, however, names have many serious disadvantages, particularly their non-uniqueness, variable length and variability in presentation. Non-uniqueness may be addressed by using a set of data items (such as family name, given names, data-of-birth and elements of address), but this requires considerable processing complexity and a small but appreciable chance of ambiguity remains. No country appears to have taken the obvious step of restricting the choice of names to those which have not been already assigned.
Rather than using names, the conventional approach adopted in personal data systems is to assign a unique number or code to each individual. This is done at some time convenient to the issuing organisation, such as the first contact between the individual and the organisation. When an organisation wishes to access existing personal data, or record new data, it needs to have the person's identifier. Many organisations simply accept the individual's statement as to who he or she is, and use an index to look up the appropriate code.
Other organisations are unable to rely on such an arrangement, particularly where it may be in the interest of an individual to misrepresent themselves as another person. They impose requirements on the individual to provide 'proof' of their identity. To ensure that the identifier is available when required, it could conceivably be recorded on the person (although such an approach would probably be generally regarded as repugnant). Instead it is commonly recorded on some token such as a card, with requirements to produce the token when dealing with the organisation. To be effective, such an arrangement must embody incentives and disincentives such that the right individual, and only the right individual, makes the token available in all the right circumstances. This is not easily achieved. Despite the difficulties involved, tokens such as plastic cards are the basis of many administrative systems, including driver licensing and retail Electronic Funds Transfer Systems.
A further tool in identification is personal knowledge, as when a person collecting a plastic card is asked their birth-date or their mother's maiden name; or a person using an Automated Teller Machine is asked to provide the Personal Identification Number or PIN associated with that particular card or account. In addition to schemes based on 'what a person knows', identification may be based on 'what a person does'. The most common such approaches are the dynamics of hand-writing, particularly signatures, and of keyboard use, particularly when keying passwords.
Yet another tool in human identification is documentary evidence (or 'proof of identity', as it is so often, but highly misleadingly, referred to). Birth and marriage certificates, drivers' licences, letters of introduction and statutory declarations are frequently inferred to contain informational value far beyond their actual meaning, particularly when several are proferred.
In general:
Some instances exist in which a single identification scheme is used for a number of purposes (e.g. a financial institution may assign a single code to a customer, to be used for all kind of investment, lending and perhaps insurance and travel transactions), or by a number of organisations (e.g. where health insurance, social welfare and taxation authorities all use the same scheme).
A national personal data system would go beyond such merely multi-purpose arrangements to provide a general-purpose identifier. To ensure integrity of the scheme, and achieve economic benefits, more elements than just an identifier or person-code would be needed, including:
Indeed, with these three elements in place, it may prove unnecessary to actually impose a single identifier, provided that the identifiers used by each person with each agency were able to be reliably correlated.
There are many issues in person-identification which cause serious concern to many people. To many, the use of imposed physical identifiers is abhorrent, and even the use of bio-metrics is degrading and inhuman. The use of numbers to represent people is also a matter of concern to many people, because it implies to them that people are being 'reduced' to the level of goods in a warehouse or, at best, stock on a property. Such schemes also strike fear into the heart of any rational, cynical person, because they enable the integration of data sources, and with it the exercise of power by those with access to the combined database.
Against this backdrop, it is necessary to trace developments in the public sector, and identify features of contemporary public administration which cause the public to be afraid.
Even after the early waves of the industrial revolution, the level of economic activity was quite low by modern standards. The private sector institutions which generated most of it were quite small, and government agencies very small. With the dramatic increase in the scale of operations of government agencies during the present century has come a dramatic increase in the 'social distance' separating individuals from the institutions with whom they transact the majority of their business. This social distance can be thought of as the level of distrust felt by both parties, i.e. individuals, and agency employees dealing with large numbers of the great unwashed public.
To make up for the loss of immediacy in dealings between individuals who knew one another, government agencies now depend very little on the judgement of employees local to the individual concerned. Two critical changes have occurred:
These two points are discussed further in the following paragraphs.
There has been a tremendous increase in the 'information-intensity' of administration during the twentieth century [Rule 1974, Rule et al 1980]. One cause has been the increasing scale of human organisations, making them more remote from their clients, and more dependent on abstract, stored data rather than personal knowledge. Other factors have been an increasing level of education among organisations' employees, and more recently the brisk development in information technology. The tendency appears to be still growing for organisations to record more data about more transactions, and about more entities with whom they have dealings.
In the early years of personal data systems, the dominant school of thought, associated with Westin, was that business and government economics would ensure that IT did not result in excessive privacy invasion. Rather than supporting individual freedoms, however, administrative efficiency has been shown to generally conflict with it. Organisations have perceived their interests to dictate the collection, maintenance and dissemination of ever more data, ever more 'finely grained'.
There has been a concomitant trend toward 'scientific management' and 'rational decision-models' - decision-making which is more precise, and based on detailed criteria and a significant amount of data. Modern practices have little regard for what have been called 'atypical, idiosyncratic or extenuating circumstances' [Marx & Reichman 1984, p.436]. Achieving a full understanding of the circumstances generally requires not only additional data which would have seemed too trivial and/or too expensive to collect, but also the application of common sense, and contemporary received wisdom, public opinion and morality.
These developments have been criticised, e.g. "What we confront in the burgeoning surveillance machinery of our society is not a value-neutral technological process ... It is, rather, the social vision of the Utilitarian philosophers at last fully realized in the computer. It yields a world without shadows, secrets or mysteries, where everything has become a naked quantity" [Roszak 1986, pp.186-7]. "Information, [even today], is no more than it has ever been: discrete little bundles of fact, sometimes useful, sometimes trivial, and never the substance of thought [and knowledge] ... The data processing model of thought ... coarsens subtle distinctions in the anatomy of mind ... Experience ... is more like a stew than a filing system ... Every piece of software has some repertory of basic assumptions, values, limitations embedded within it ... [For example], the vice of the spreadsheet is that its neat, mathematical facade, its rigorous logic, its profusion of numbers, may blind its user to the unexamined ideas and omissions that govern the calculations ... garbage in - gospel out" [Roszak 1986, pp.87,95,98,118,120].
At its most extreme, the passion for data and data processing extends to the level of arbitrary interference with people's personal data. In data matching, a relatively very small proportion of the people whose data is involved actually prove to be of interest to the organisation conducting the match. In the case of the Australian Department of Social Security's parallel matching scheme, the proportion of raw matches which have resulted in downward variations in benefits has been only about 0.5%, with only 0.2% leading to debt recovery action in relation to overpayments [DSS Report on Parallel Matching 1992, pp.88-90,107-111]. Computer matching is therefore appropriately described as 'driftnet fishing' - it is an arbitrary interference with personal data which, in relation to the vast majority of the people whose data is processed, is demonstrably unjustifiable.
The terms 'public service' and 'public servant' are throwbacks to a bygone age, or perhaps to a time in which it was more seeming for a fiction to be created and preserved. Executives and officers perceive their responsibilities as being to serve their Minister, their Department and themselves, in that order. Service to the public rates very low on the list, and in many cases only in institutionalised form. Apart from their formal responsibility to the Minister to whose portfolio they are allocated, the only accountability which agencies recognise is to other agencies, such as the Auditor-General or the Department of Finance.
As a result of these developments, the distance between the citizen and public institutions has grown alarmingly throughout the twentieth century. People feel smaller as institutions get larger, more remote and more powerful. The following section presents some more detailed facets of that power.
Agencies which are very large, highly complex and subject to such limited control, can wield great power over the lives of their 'clients'. Agencies seek to regulate that power through legislation, policy and procedures. But these servce to baffle people. It seems sufficient to the comfortable public servant that 'due process' exists in the sense of a complex web of institutions (such as tribunals and courts) and procedures (such as notice of intention to make a determination, notice of right of appeal and appeal paths).
To the majority of people this remains Kafka-esque, because they cannot grasp the complexities, they cannot get a simple answer, they cannot get a quick answer, they cannot get a cheap answer, and even their own lawyer (should they be able to afford one) commonly fails to make clear to them what the process is, and often seems as baffled by the process as they are. Agencies are well-equipped to use the law in the pursuit of their aims; individuals, on the other hand, are ill-equipped to defend themselves, because they are generally little versed in the ways of information technology, government and the law.
Agencies do not restrict their actions to those which are specifically legally authorised. They commit acts which they claim are generally authorised and not specifically illegal. It has also become increasingly common for government policies to be announced as though they were faits accompli, notwithstanding the fact that the proposals still require expression in legislative form, and passage through Parliament, including a potentially sceptical and even hostile Senate.
A further tendency which strikes fear into the public is the increased incidence of what might be termed 'automated justice'. For reasons of convenience and effiency in government administration, the onus of proof has been reversed in such areas as taxation assessment, and recently also in child support payments. A determination by the Australian Taxation Office is conclusive, and individuals who wish to dispute the decision must prosecute their innocence. They are of course the information-poor party, and must conduct adversarial proceedings against the larger, better prepared and better informed party, the government agency qua the State.
To the individual citizen, the scale of individual government agencies is over-powering enough. Worse still is the tendency, inherited from the much smaller operations of the British Crown in previous centuries, for government to function for some purposes as though all agencies were merely sub-organisations of a whole. The effect then is for the agencies to appear as a monolith, with agencies supporting one another against threats from outside the public sector, e.g. by Cabinet, Parliament, the media and the public.
Instances of this include the tendency (recently somewhat slowed by the Privacy Act) to exchange data with considerable freedom; the tendency towards cross-notification between agencies of data that may be of value to other parts of the monolith, e.g. of change of address of a 'client'; and cross-system enforcement, whereby one agency withholds money or services from its client, in order to enforce a debt the client is claimed to owe to another agency.
Associated with the exercise of power over individuals is a tendency to protect information. FOI legislation is interpreted defensively and narrowly by most agencies. In 1987, FOI requests by this author for information about data matching were met with at best a wry grin. Nothing of consequence was forthcoming; the only agency which provided a substantive response, DSS, provided three pages of generalisations which avoided the key issues, identified four agencies with which data was exchanged, but omitted mention of at least ten other interchange arrangements which have subsequently become public knowledge.
Even when the Privacy Commissioner, soon after taking office in 1989, undertook a survey, very limited information was made available: "whether cost/benefit analyses have formed part of the original decision to commence a matching program has been difficult to ascertain in many circumstances ... A definitive cost for distinct programs is often difficult to obtain" [PCA 1990, p.16].
It should be noted that, in respect of its major 'parallel matching program' operational since 1990, DSS has, in accordance with the legislation, reported much more fully. It has committed to do so in respect of its many other programs also, but has yet to provide the first such report.
Blanket consent is sought rather than specific, and hence the individual is unaware what use might be made of it. The bargaining position is tilted so strongly in favour of the agency that to refuse consent is to disqualify oneself from a privilege, e.g. the 'voluntary' provision of the TFN when applying for a government benefit. Consent is sought where the agency has the legal authority to collect the data or perform the act anyway.
For a variety of reasons, data quality in government information systems is fairly low. After all, it costs money to ensure data is accurate, complete, timely, relevant, and so on, and who is going to pay for it? In practice, each organisation makes an implicit trade-off between cost and quality. Data erodes in quality over time, but there are few arrangements to ensure that old data is qualified or flushed. Few organisations ever institute quality audits.
One extreme example of an inability to comprehend the real world of people arose during the Commonwealth public service's campaign to have Parliament approve a national identification scheme. In 1986, HIC conducted a pilot match with the intention of demonstrating the feasibility of producing a highly accurate and complete register, based on a number of largely inaccurate, inconsistent and incomplete files from different agencies. It expropriated and matched data from several government agencies, relating to all inhabitants of Tasmania. The agency reported the 70% hit-rate across the databases as a good result, confirming its belief that a national identification scheme could be based on such a procedure. The report ignored the implication that, across the national population, the records of nearly 5 million people would remain unmatched, and they failed to apply any tests to establish what proportion of the 70% were spurious matches and what proportion of the 30% were failures of the algorithm used. There is a popular mythology that everyone in Tasmania is related to everyone else; for this reason alone, it is astounding that the agency did not recognise the need for such testing.
The meaning of data is in many circumstances far less clear than the rational decision-making process implicitly assumes. Is a person of 40 years of age still a child? Is a de facto spouse a spouse? Is a spouse or child who lives separately an is paid maintenance a dependant? When 'income' is talked about, is that 'gross income' or 'income nett of deductions', and is it 'earned income', 'unearned income' or both, and what period of time is to be applied?
The complexity of meaning is worse in the case of textual rather than structured data, and even worse in the case of opinions. Data-items are progressively re-defined over time, and confusion can exist as to which (often subtly different) definition is applicable.
Yet that data is used as the basis for drawing inferences and making decisions. And increasingly the onus of proof is being reversed, in some cases in law, and in some cases just by administrative practice. This means that the data-poor individual has to convince a tribunal that a data-rich agency has got it all wrong.
Frequently, data is expropriated and used for further purposes, divorcing it from the original context of use. In the new context, the quality characteristics are seldom appreciated, and quality problems are compounded by ambiguity of meaning.
The easiest targets are those people about whom records exist, which are accessible by government agencies. Hence some classes of people are subjected to frequent examination by several different agencies, whereas people who live relatively undocumented lives (e.g. those who operate in the so-called 'black economy') escape attention.
In a U.S. Government report, an anecdote was selected to illustrate the kinds of cases which had come to light during pilot projects, and which, by implication, would give rise to millions of dollars of savings. It related to "a 78-year-old housebound veteran" who in 1984 received a pension of about $3,500 p.a. Tax records suggested that he received in that year not nil interest as his Veterans' Affairs income questionnaire showed, but over $4,000. This would have precluded him from receiving any pension.
In the case of the veteran's pension matching scheme, the tolerance level between declared and apparent income was set at $100, and earnings of $1,000 or more were treated as being "substantial". Similarly, it is implicit in the DSS's reports on its parallel matching scheme, that the variation between income declared to or apparent to two different agencies is very small, and likely to be made even finer.
Low income earners and welfare recipients might reasonably complain that the precision applied is of a different order from that used in pursuing white-collar criminals and in assessing the taxation payable by self-employed businessmen. But then white-collar criminals and self-employed businessmen are much harder to successfully prosecute.
Ministers find themselves at the helm of a vast, slowly-turning ship, entirely dependent on the ship itself for information, measurements and models of behaviour. In an era in which ideology has lost out to pragmatism, the less imaginative and intellectually strong Ministers are also dependent on the agencies within their portfolio for policy initiatives and policy options. The notion of Ministerial control of agencies may be subscribed to by public service executives and officers, but it isn't subscribed to by the public.
Some agencies have gone so far as to regard themselves as being above Parliament. Their senior executives treat the public's representatives with contempt, and deny any requirement to present meaningful information to such organs of the Parliament as the Public Accounts Committee and the Senate Estimates Committees. A report has circulated recently proposing that access by Parliamentarians to agencies be restricted, by being channeled via the Minister in whose portfolio the agency lies.
Agencies have long institutional memories, which far outlive transitory Ministers. When agencies have established the course they wish to pursue, they bide their time until a Minister is in need of a policy initiative. When the opportunity arises, the dust is brushed off the proposal, and pleasingly quickly developed and implemented.
The Australia Card (1985-87) was just such a piece of opportunism. There does not appear to have been any serious discussion of national identification schemes during the 30 years after the demise of the wartime scheme. Then three Government Reports (Asprey 1975, Mathews 1975 and Campbell 1981) mentioned the possibility of improving the efficiency of Commonwealth Government agencies by creating a national identification scheme. During this period, two Cabinet Ministers were reported as regarding the matter as being politically unworkable (Graham, 1990b, p.45). This periodic 'floating' of the idea is consistent with the interpretation that senior public servants were attracted to it, and were seeking the opportunity to place it on the political agenda.
A Labor Party Government was elected in 1983, only the second in 35 years. The Prime Minister and the Treasurer called a so-called 'Taxation Summit' for July 1985, whose (ill-fated) purpose was to gain social consensus for a consumption tax. In early March, during the lead-up to the Summit, the Chief Executive of the Australian Taxpayers' Association suggested to the Prime Minister that a national identification scheme be created, to combat tax fraud and thereby protect honest taxpayers. Within weeks, the proposal became part of the national agenda, with a speech in late March by a senior taxation official mentioning it, and a backbench member of the Labor Party delegated in April/May to bring the idea before the Party Caucus. The proposal emerged from the 'Tax Summit' as the 'Australia Card' proposal, dressed in patriotic green and gold livery. To this observer, it is significant that only two weeks elapsed between the opportunity arising and the first official speech supporting it, that the first speech was by a public service executive rather than a Minister or back-bencher, that the proposal came together so quickly, and that it was subject to so little inter-agency rivalry.
Another instance (again involving the HIC) was the persistent proposal for 'black boxes' in pharmacies to transmit details of prescriptions to Canberra for centralised validation and storage. It was brought forward on several separate occasions in the late 1980s, and withdrawn by the Minister each time when the political circumstances seemed impropitious (on one occasion when the Opposition ridiculed it, and on another when elections were impending and it looked like a vote-loser). After a subsequent attempt, it was shown by the Department of Finance and the ANAO (rather than merely by privacy advocates) to fail basic financial tests, and was rejected. Another attempt is confidently anticipated.
A further example arose from the exhaustive investigation by the N.S.W. Independent Commission Against Corruption (ICAC) in the period 1990-92. This identified many instances in which individuals sold nominally confidential personal data for their own advantage. Much worse, however, was the finding that many banks, other companies and government agencies had been active participants in trade which was in all cases highly morally dubious, and in many cases technically illegal.
The initial scope of the enhanced TFN scheme was greater than that understood at the time by people who took an active part in assessing its impact. This was a result of the sheer complexity of the existing and proposed legislation, aided by a failure on the part of the Minister and the public servants who prepared the publicly available documents to disclose all of the legislation's implications.
The Tax File Number (TFN) has exhibited the characteristic popularly referred to as 'function creep', whereby additional uses accumulate, and change the purpose of the scheme. Rather than being an exclusively taxation scheme, the TFN now applies to:
Further, the scope has been widened so far to include:
That these extensions were announced progressively during the first twenty months of the scheme's operation demonstrates how worthless the Government's assurances of mid-1988 were, and how ineffectual the protections built into the initial legislation.
A related, and particularly insidious, technique is the restriction of the entitlements under a program to, say, Australian citizens, or permanent residents, or some other limited class of persons. This has the effect of requiring applications to be front-end verified, and hence for the identity of every applicant to have to be transmitted to the government agency. In this way, an ever-richer set of data about individuals can be accumulated, and ever-cleverer programs set to work trawling through the rich data-vein.
There is a wide range of programs to which agencies fail to apply cost/benefit analysis (CBA) at all. This is reprehensible, given that the resources being applied belong to the taxpayer, and that there are many competing claims on them.
Where CBA is applied at all in government, it is generally applied improperly. Some of the errors accidentally and intentionally committed by public servants in using CBA are summarised in Exhibit 1. In the only instance in which a CBA for a data matching program has been published (the DSS's parallel matching scheme), it is so seriously flawed that it is impossible for Parliament to assess whether the program has a net positive value at all, let alone sufficient to justify its intrusiveness.
There is a widespread practice of using pseudo-CBA to 'justify' (in the pejorative sense) a programme for which political support exists. Other practices which earn the public's contempt are the protection of such pseudo-CBAs from the public eye by treating them as working documents, and then incorporating them as appendices to cabinet documents, in order to create a web of protections against exposure.
Parliament, at the behest of senior executives, generally avoids creating regulatory bodies. When forced to give the appearance of action, Parliament creates bodies with limited powers, subject to manifold exceptions and with inadequate resources much of which is wasted on empty registration or licensing schemes.
Some of the strategems that are commonly used are:
A related protection is the use of the Crown's effective immunity from prosecution and even civil suit. People can't sue government agencies, even when they break the law (commonly, for example, by anticipating that government legislation will be passed). A more sown-to-earth example arises in road repair, which is increasingly being undertaken by the lazy method of putting some bitumen down and dropping blue-metal over it. Rather than using a roller to seal the surface, the traffic during the ensuing days is allowed to press the metal down, and scatter the remainder to the side of the road. In the meantime body-panel scratches and broken windscreens result, and the road-layer can't be sued.
Even where a regulatory regime staggers its way into existence, a wide range of methods are used by agencies to weaken it:
An additional factor is the difficulty of hiring and keeping staff because of the danger that they will taint their reputations by staying too long.
A successful example of the application of some of these techniques is provided by the Law Enforcement Access Network (LEAN), During the period 1990-93, the Attorney-General's Department developed scheme with data analysis capabilities powerful enough to support the work of professional investigators, but to be made available to in excess of ten thousand public servants. For many months the Department claimed it was not subject to the Privacy Act. Then it relented, but claimed instead that it was subject to that Act but covered by a series of exemptions which had the effect of rendering the privacy watchdog powerless.
During the period 1989-93, the Government regularly claimed that it had "consulted with" with the Privacy Commissioner, and that its proposals would be subject to the Commissioner's Guidelines, without acknowledging that his existing Guidelines and any future Guidelines would be subservient to the new legislation and would be promptly amended to reflect it. The end result is that the 'watchdog' agency is being progressively 'captured' as a member of the fraternity of government agencies. The existence of the office of Privacy Commissioner is being used to legitimate data surveillance measures: Australian privacy law is, in confirmation of Rule's 1980 thesis, facilitative rather than preventative.
The use of dataveillance measures by Australian government agencies has been accelerating quickly in recent years (Clarke 1992, Davies 1992). This section commences by reciting some examples.
During the 1988 debates about the Tax File Number, the Government assured the public that the sanctions against failure to provide the TFN were only economic in nature. For example, the Treasurer said that "There will be no offence for people failing to quote a tax file number when asked of them", and that "the amendments the Government has agreed to accept are designed to guarantee that the tax file numbering scheme is completely voluntary". The sanction was that taxation would be deducted from wages or interest income at the highest marginal rate (about 50 cents in the dollar). In December 1989, only one year after the original legislation was passed, amendments to the Social Services Act made the quotation of the TFN a pre-condition to the payment of unemployment and sickness benefits.
The Medicare card has recently, in the interests of administrative convenience and efficiency, become machine-readable. In addition, the existing 'family number' has had a suffix appended, such that, for the first time, individuals within the family can to be identified. Hence the original Medicare card and number, which were previously household-level, single-purpose and of low (but serviceable) integrity, have been succeeded by individualised, dual-purpose, higher-integrity replacements.
The Cash Transactions Reporting Agency (CTRA) was recommended by a Royal Commission into tax-evasion schemes and was copied from the U.S. initiative of the same name. It was intended to provide a means of monitoring the 'washing' of cash from illegal activities such as the drug trade. This Act requires financial institutions to act as policemen, by placing on them a requirement to report to CTRA all cash transactions above a certain value, and all cash transactions of any value which the institution has reason to suspect may be associated with illegal activities. The majority of CTRA's sources are private sector organisations, and are not subject to the Privacy Act, nor any other privacy controls. In 1991, the statute was amended to add a number of additional classes of transaction to the purview of the organisation. Its name was changed, to reflect the fact that these were not 'cash' transactions at all, but included, for example, telegraphic transfers. The data-intensiveness and privacy-invasiveness of government programs just can't help but creep.
It is clear that Commonwealth Government agencies are applying information technology in a variety of different programmes designed to impose greater control over their clients. Moreover, the 'Tax File Number' scheme (embracing all taxation, all welfare and some other programmes), the Law Enforcement Access Network, and the Health Insurance and Pharmaceutical Benefits Scheme are capable of being inter-linked, to provide an even greater degree of privacy invasiveness. This was a centre-piece of the Health Insurance Commission's proposals to address wastage in the pharmaceuticals benefits scheme.
It is reasonable to speculate that several other Federal Government agencies will be early contenders for involvement in the TFN scheme. The Department of Foreign Affairs and Trade, through the Passports Office, has an interest in identification, and can be readily argued to be able to contribute toward the integrity of the TFN. The Electoral Rolls are in need of continual updating (and in any case are already routinely accessed by DSS). Automatic updating of address (and hence Electoral Division) based on the most recent advice of change of address to any Government agency, can be argued to ensure much-improved accuracy in the exercise of voting rights, and to be a service which many Australians would appreciate. Similar arguments can be readily formulated to support the inclusion of other Commonwealth agencies in the TFN scheme.
With the TFN already established as a multi-purpose identifier, restricting its use only to Commonwealth agencies is difficult to defend - after all, State Government agencies also have a clear need for data integrity, and for access to personal data. The Electoral Commission is an easy starting point, because it provides a service to both the Commonwealth and the States; and the Law Enforcement Access Network also spans the two levels of government. The Land Titles offices represent an area in which the States have something to contribute to the Commonwealth, and hence both parties would have an interest in a successful conclusion to negotiations. Another alternative is the Registers of Births, Deaths and Marriages, which are run by the States. These were targetted by the HIC during the Australia Card campaign as one of a number of sources of data. The offer by the Commonwealth to the States of financial assistance to enable computerisation of the Registers was rejected in 1986, during the heat of the Australia Card campaign, but would be attractive to the States if renewed in a less highly charged atmosphere.
Once the TFN was available to State Government agencies, it would be highly attractive for it to be used in the administration of such matters as driver registration, parking and speeding fine collection, and, through the State-Government controlled local councils, the payment of rates. The government business enterprises which supply water, electricity and gas, would of course also be interested in having access to the national identifier, and have something to offer in return, because together they are the operators of one of the most frequently updated person locator mechanisms.
At that point there would no longer be any justification in restricting use of the TFN to the public sector. If public enterprises could have access, why not companies? The basis for private sector use was laid in the original scheme in 1988. The TFN was, seemingly unnecessarily, scattered far and wide throughout private industry, because every employer and every financial institution is required to store the number of every employee and every investor. In due course, some agency of the Commonwealth will seek the assistance of financial institutions in gaining access to personal data generated by EFT/POS services (the use of credit and debit cards in Automatic Teller Machines and Point of Sale terminals). The natural quid pro quo will be to permit financial institutions to use the TFN for their own purposes.
Justification of each individual step is easy. It is adequate for the lead agency in any programme to make sure that the extension is perceived as a necessary part of an important Government initiative (in recent years the 'ideas in good standing' have been the attacks on tax evasion and welfare fraud, but terrorism or national security would suffice). It is very straightforward to prepare cost/benefit analyses to justify a scheme - all that is necessary is to estimate that x% of all payments are fraudulent and would be prevented by the system. Such assertions are very difficult to de-bunk, and arguments about them are sufficiently boring that the media are not interested. An alternative approach is to merely assert that the measure is needed, and not bother with a public economic justification.
The conventional defence is "but the only people with anything to fear are those with something to hide". Indeed, the tightening net would have some effect on criminals, and large-scale cheats. These measures are aimed, however, at people who operate inside the official system, and are dependent on it, and whose cheating is on a small scale. Organised criminals have ample opportunity to avoid apprehension, because of the ease of operating outside the official system, of using official systems to 'wash' identities and transactions, and of buying assistance, silence and inaction, coupled with the complexities of the systems involved in investigations, and the slow, labyrinthine grandeur of the law. The primary effect of the tightening net would therefore be on small-time cheats, and the innocent.
This is no apocalyptic vision. The technology exists now to support this scenario, and the simple-minded economics applied by government agencies represent no constraint. The political power to apply the technology to these ends is in the hands of senior public servants, and to a lesser extent politicians. In the current political climate, technological determinism appears likely to prevail until and unless a significant and lasting change occurs in popular values, and in the ability of the public to influence governments.
There may be limits to the extent to which contemporary societies will accept the dominance of institutions over the individual. Until very recently, citizens of Eastern Bloc countries, many of whom had never experienced democracy, seemed unlikely to revolt. But when cracks appeared in the facade of Communism, the pent-up pressure quickly destroyed the edifice. Italian economic statistics have always been a matter of guesswork. Since the beginning of the 1980s the Netherlands has not held a census, because the society is distrustful of the purposes to which the data would be put, the quality of data collected would be low, and the expense is therefore unjustified. Other European countries are facing similar discontent. At the end of the 1980s, scandals concerning data collection and access disturbed the Swedes and the Swiss alike.
The Australian Bureau of Statistics claims that (net) under-counting of persons in the 1986 Census was a mere 1.9%, reflecting the high level of credibility which the Bureau has sustained. Unlike the national statistical offices of many other countries, the Australian Bureau has never been rocked by a scandal concerning the use of census data for extraneous purposes, or the dissemination of identified data arising from a census. The Bureau appreciates the importance of this reputation. Although it monitors developments in other countries, it recognises the inapplicability to Australia of solutions considered appropriate in some other countries, particularly the 'permanent census' systems of Denmark and Singapore, which are based on inter-linkage of data maintained by many sources for many different (primary) purposes, rather than the occasional collection of data for specific statistical (i.e. non-identified) purposes.
The appreciation of Australian culture shown by the Australian Bureau of Statistics is not evident in many other government agencies. The complete imperviousness of the Health Insurance Commission to public concerns about the Australia Card have been well-documented, yet a succession of other agencies have shown similar evidence of 'rhino-hide' insensitivity. Examples have been the Australian Taxation Office's refusal to understand the ill-advisability of disseminating Tax File Numbers throughout the community, and its application of powers given to it for taxation purposes to the administration of the child support scheme; the Department of Social Security's casual flouting of government promises by extending the use of the Tax File Number to the welfare sector; and the Attorney-General's Department's claim that its Law Enforcement Access Network does not raise significant privacy issues.
Blithe assumption that the efficiency of public and private sector decision-making processes will continue to be held in high regard by the populace would be unwise. Australia may be approaching the point at which civil disobedience and opting out may become a way of life for a significant percentage of the population. The people who lead officially visible, well-documented, uniquely identified lives may in time find they are are all employees of the Ministry of Information, monitoring one another, but failing to control the dishonest and the disaffected people living outside the system.
A loss of public confidence in and support for organisations could arise, if they are perceived to focus on minor transgressions by 'the little people', rather than addressing larger, but inevitably more difficult, issues. A prevailing climate of suspicion leads to alienation of data subjects from their social institutions.
Dataveillance techniques may fuel the disaffection of sufficient people to encourage anarchic developments in social organisation. In sympathy with the 'black economy', the 'black information society' may be stimulated - a proportion of society who mislead and lie as a matter of course, on the not illogical basis that government agencies, remote from the realities of everyday existence and highly impressed with their information-based processes, can be rendered impotent by manifold inconsistencies among their copious data.
The official level of society could then proceed in its own sweet way, detached from the real world, yet impinging on it every time it wrongly withheld benefits, over-assessed tax, imposed unjustified fines and sent wrongly judged wrongdoers to gaol.
Although novelists have largely been pessimistic about the survival of individuals in tightly controlled societies, some have experimented with unconventional survival strategies. Ultimately, the answer to a national personal data system by a significant portion of the public may be to ignore it.
A pessimistic scenario can be constructed on the basis of recent experiences in information privacy issues. New schemes, unjustified dataveillance, blunders and unfair behaviour on the part of one agency or another will result in occasional public backlashes. These will generally be shortlived, and after the proposal has been (temporarily) withdrawn or the (expendable) Secretary or Minister has resigned, the grand momentum of government agency policies will resume. The level of public morality in relation to the provision of information to government agencies will fall lower, and the intrusiveness of government agency questioning of and about data subjects will increase, in order to provide the necessary additional data. The level of public confidence in government agencies will spiral lower still. Improvements to the integrity of identification, which had been withheld in the past, will be instituted. Faced with substantial failure, those schemes will be enforced using seriously repressive measures. The climate of public suspicion and animosity will be exacerbated, and the quality of data will fall lower still.
In due course, as the proportion of the public routinely indulging in multiple identities and noise-laden data increases, two further dataveillance tools will become more prominent. Identification-based matching will be first supplemented and then steadily supplanted by content-based matching, as the techniques develop in sophistication and throughput, and decrease in price. Meanwhile the capacity of distributed databases will be increasingly applied to the linkage of records about individuals, within and beyond the community of government agencies. Initially this will be significantly constrained by technical difficulties and to a limited extent by public opposition and the law. The short span of attention of the public, the ability of the government community to go slowly about its long-term plans with only limited interference from transitory Parliamentarians, the readily invokable economic imperative to use data efficiently, the unenforceability of most data protection laws, and the effective revocability of the remainder through seemingly minor but debilitating amendments will combine to enable government agencies to achieve, at the beginning of the 21st century, a powerful and extensive 'virtual national databank'. A wide variety of inventive techniques will be used by many individuals to sustain their private space. Flourishing black economies and black information societies will make a mockery of government statistics.
The most recent wave of literature no longer depicts the future anti-utopia as a world in which all-knowing governments exercise complete dominance over the hearts and minds of the populace. Rather, an unhappy truce is envisaged between local governments, national governments, trans-nationals and tribes of almost feral proles, living outside the walls of the formal world (Gibson 1984). Artists are foreseeing the anarchy which this worst-case scenario paints.
Like any other scenario, this vision is a projection rather than a prediction. But it is a very plausible trajectory. If it is to be resisted, and the values of democracy and individual freedom sustained, powerful countervailing regulatory regimes must be instituted.
Comprehensive and universally applicable data protection legislation is necessary, which achieves a suitable balance between the various economic and social interests, rather than subordinates information privacy concerns to matters of administrative efficiency. This must include tight, purpose-based constraints on data dissemination. The purpose of collection must be interpreted narrowly, and vague statements such as "for the purpose of government (or taxation, or welfare) administration" must be treated as null and void. Explicit legislative provisions are needed for predictable classes of disclosure, and judicial warrants for unpredictable instances. In addition, a deficiency in the Information Privacy Principles must be made good, by creating a responsibility on all record-keepers to destroy personal data unless there is a clear need for retention. Archival must be planned, not serendipitous.
Privacy law, in common with other areas of law, must involve the creation of financial sanctions against agencies, and their executives, where the law is breached. Government agencies are increasingly being subjected to the laws of the marketplace. The further step is necessary of removing the vestiges of medieval Crown privilege, and making not only agencies, but also their officers, subject to suits for breaches of privacy laws.
The Privacy Commissioner must have sufficient powers and resources to effectively represent the information privacy interest. This requires his involvement in the development of policy by governments and agencies, not just in its implementation. Labour-intensive activities designed to sap his office's energies, such as registration and digest publication, must be devolved to the agencies themselves.
The notion of monolithic government must be expressly denied. Parliaments must make clear that agencies are independent organisations for the purposes of data transfer. The recent tendency towards 'super-ministries' and 'mega-departments', arising from the conventional presumption that economies of scale know no bounds, must be reversed; for example, all welfare appears to be gravitating toward a mega-Social Security Department, and all financial policing roles toward a mega-Taxation Office. The temptation toward power concentration must be resisted; and multi-function agencies must provide bulkheads between the data maintained in relation to their various functions, and recognise that dissemination of data between functions is subject to privacy regulation.
Tight limitations must be place on the multiple use of identification schemes. Agencies should use separate human identification schemes, and resist the temptation to converge on a single scheme. The risks of abuse are simply too high, despite the apparent efficiencies.
The general principles of information privacy must be applied to all agencies and all systems, and regulatory regimes to all programs. The widely practised arrangement of exempting whole classes must therefore be rolled back, and, in particular, the favoured status traditionally granted to defence, national security, criminal intelligence, law enforcement and more recently child support agencies and activities must be rolled back. Parliaments must make these agencies understand that they are subject to democratic processes and that their distinctive and challenging functions and operational environments dictate the need for careful formulation and implementation of privacy protections, not exemption.
The 'blanket rationale' of a social problem (such as tax evasion, child maintenance default, welfare fraud and illegal immigration) must be swept away. Privacy-invasive programs must be subjected to conventional cost/benefit analysis. The justification of each program needs to be reviewed by an organisation whose interests are at least independent of those of the proponent organisation, and perhaps even adversarial. As a vital element in the process, the public must also be given the opportunity to inspect and challenge the cost/benefit analyses which purport to justify major projects. Prior cost/benefit analyses and post-program evaluations must be undertaken, be subject to review by the privacy protection agency, and be available to the public.
Finally, Social Impact Statements are urgently needed for potentially privacy-invasive IT applications. Governments have accepted the principle that projects which have significant potential impact on the physical environment require careful and independent assessment prior to the Government making a commitment to them. In the same way, Governments must not commit to IT projects which have significant potential privacy impacts, until after those impacts have been assessed and public comment solicited.
Government agencies have increased their data-intensity of their operations, and applied information technology to assist them in doing so. Legal systems have been highly permissive of the development of IT-based systems which, however much they may do good, also have great potential for inequity, oppressiveness and repressiveness.
The notion of 'false economy' is well-understood. We must now recognise that there are limits to the applicability of rational decision-making and the data-rich corporate environment it leads to; we must recognise the notion of 'false efficiency' as well.
Bennett C. (1992) 'Regulating Privacy: Data Protection and Public Policy in Europe and the United States' Cornell University Press, New York, 1992
Bradbury R. (1953) 'Fahrenheit 451 ... The Temperature at Which Books Burn' Ballantine Books, 1953
Brunner J. (1975) 'The Shockwave Rider' Ballantine, 1975
Burnham D. (1983) 'The Rise of the Computer State' Random House, 1983
Clarke R.A. (1987) 'Just Another Piece of Plastic for Your Wallet: The Australia Card' Prometheus 5,1 June 1987a. Republished in Computers & Society 18,1 (January 1988), with an Addendum in Computers & Society 18,3 (July 1988)
Clarke R.A. (1988) 'Information Technology and Dataveillance' Commun. ACM 31,5 (May 1988) 498-512
Clarke R.A. (1989) 'Human Identification in Record Systems' Working Paper, available from the author, June 1989
Clarke R.A. (1992) 'The Resistible Rise of the Australian National Personal Data System' Software L. J. 5,1 (January 1992)
Clarke R.A. (1993) 'Computer Matching by Government Agencies: A Normative Regulatory Framework' Forthcoming Comp. Surv. (110 pp.)
Davies S. (1992) 'Big Brother: Australia's Growing Web of Surveillance' Simon & Schuster, Sydney, 1992
DSS (1991) 'Data-Matching Program (Assistance and Tax): Report on Progress' Department of Social Security and the Data Matching Agency, Canberra, Australia, October 1991
DSS (1992) 'Data-Matching Program (Assistance and Tax): Report on Progress' Department of Social Security and the Data Matching Agency, Canberra, Australia, October 1992
Flaherty D.H. (1989) 'Protecting Privacy in Surveillance Societies' Uni. of North Carolina Press, 1989
Foucault M. (1977) 'Discipline and Punish: The Birth of the Prison' Peregrine, London, 1975, trans. 1977
Gibson W. (1984) 'Neuromancer' Grafton/Collins, London, 1984
Huxley A. (1932) 'Brave New World' Penguin Books, New York, 1932, 1975
Kling R. (1978) 'Automated Welfare Client Tracking and Welfare Service Integration: The Political Economy of Computing' Comm ACM 21,6 (June 1978) 484-93
Laudon K.C. (1986) 'Dossier Society: Value Choices in the Design of National Information Systems' Columbia U.P., 1986
Marx G.T. & Reichman N. (1984) 'Routinising the Discovery of Secrets' Am. Behav. Scientist 27,4 (Mar/Apr 1984) 423-452
Orwell G. (1948) '1984' Penguin
OTA (1986) 'Federal Government Information Technology: Electronic Record Systems and Individual Privacy' OTA-CIT-296, U.S. Govt Printing Office, Washington DC, Jun 1986
Roszak T. (1986) 'The Cult of Information' Pantheon 1986
Rule J.B. (1974) 'Private Lives and Public Surveillance: Social Control in the Computer Age' Schocken Books, 1974
Rule J.B., McAdam D., Stearns L. & Uglow D. (1980) 'The Politics of Privacy' New American Library, 1980
Smith E. (1989) 'The Australia Card: The Story of Its Defeat' Macmillan, 1989
Smith R.E.(Ed.) (1974 et seq) 'Privacy Journal' monthly since November 1974
Zamyatin E. (1922) 'We' Penguin
Go to Roger's Home Page.
Go to the contents-page for this segment.
Last Amended: 13 February 1997
| These community service pages are a joint offering of the Australian National University (which provides the infrastructure), and Roger Clarke (who provides the content). | |
| The Australian National University Visiting Fellow, Faculty of Engineering and Information Technology, Information Sciences Building Room 211 | Xamax Consultancy
Pty Ltd, ACN: 002 360 456 78 Sidaway St Chapman ACT 2611 AUSTRALIA Tel: +61 2 6288 1472, 6288 6916 |