Smart Card Technical Issues Starter Kit
Chapter 8

Roger Clarke

Principal, Xamax Consultancy Pty Ltd, Canberra

Visiting Fellow, Department of Computer Science, Australian National University

Version of 8 April 1998

© Xamax Consultancy Pty Ltd, 1998

This document was prepared for Centrelink. Its purpose was to support the consultation process between Centrelink and privacy advocates, during a project intended to lay the foundations for a variety of projects for Centrelink's client agencies that were anticipated to involve smart cards.

This is chapter 8 of an 8-part document whose contents-page is at http://www.anu.edu.au/people/Roger.Clarke/DV/SCTISK.html

8 Smart Cards and Privacy Issues
8.1 Smart Cards and Privacy

Smart cards can have substantial, negative effects on privacy. Exhibit 3 summarises concerns that arise in the context of financial services. These matters are examined in detail in Clarke (1996, at 2.2 (a)-(d)).

Exhibit 3: Direct Privacy Implications of Smart Cards in Financial Services

  1. Greatly Increased Intensity of Transaction Trails
  2. Exploitation of the Transaction Trails
    1. by government agencies for purposes which were not the original purposes for which the data was gathered, which increases the risk of misunderstanding and misinterpretation due to differing data definitions and inadequate data quality standards, and represents oppressive use of the State's power over individuals
    2. by consumer marketing corporations to better target prospects for their goods and services, involving the exercise of information-based power to manipulate consumers and compromise their freedom of self-determination
  3. The Risk of 'Function Creep'
  4. Potential for Operation Without Consumer Consent

In addition, more general concerns arise, which relate to the question of identification and authentication of identity. Exhibit 4 summarises them. These matters are examined in detail in Clarke (1994), Clarke (1996, at 2.2 (e)-(f)) and Clarke (1997).

Exhibit 4: Identification Implications of Smart Cards

  1. Evidence of Identity in Relation to the Acquisition or Use of a Card
  2. Use of a Smart Card as Multi-Purpose Evidence of Identity


Clarke R. (1994) 'Human Identification in Information Systems: Management Challenges and Public Policy Issues' Information Technology & People 7,4 (December 1994) 6-37

Clarke R. (1996) 'Privacy Issues in Smart Card Applications in the Retail Financial Sector', in 'Smart Cards and the Future of Your Money', Australian Commission for the Future, June 1996, pp. 157-184

Clarke R. (1997) 'Chip-Based ID: Promise and Peril', Proc. Int'l Conf. on Privacy, Montreal, September 1997

8.2 Anonymity and Pseudonymity

An anonymous record or transaction is one whose data cannot be associated with a particular individual, either from the data itself, or by combining the transaction with other data. A great many transactions that people undertake are entirely anonymous, including barter transactions, visits to enquiry counters in government agencies and shops, telephone enquiries, cash transactions such as the myriad daily payments for inexpensive goods and services, gambling and road-tolls, and treatment at discreet clinics, particularly for sexually transmitted diseases.

An identified record or transaction is one in which the data can be readily related to a particular individual. This may be because it carries a direct identifier of the person concerned, or because it contains data which, in combination with other available data, links the data to a particular person. There is a current tendency for organisations to try to convert anonymous transactions (e.g. visits to counters, telephone enquiries and low-value payments) into identified transactions. The privacy interest runs emphatically counter to attempts to convert anonymous into identified transactions.

Beyond anonymous and identified transactions, an additional alternative exists. A pseudonymous record or transaction is one that cannot, in the normal course of events, be associated with a particular individual. Hence a transaction is pseudonymous in relation to a particular party if the transaction data contains no direct identifier for that party, and can only be related to them in the event that a very specific piece of additional data is associated with it. The data may, however, be indirectly associated with the person, if particular procedures are followed, e.g. the issuing of a search warrant authorising access to an otherwise closed index.

Two techniques closely related to pseudonymity are:

An important application of pseudonymity is the use of information technology to support multiple digital personae. Under such arrangements, a person sustains separate relationships with multiple organisations, using separate identifiers, and generating separate data trails. These are designed to be very difficult to link, but, subject to appropriate legal authority, a mechanism exists whereby they can be linked.

In addition, a person may be able to establish multiple relationships with the same organisation, with a separate digital persona for each relationship. This may be to reflect the various roles the person plays when they interact with that organisation (e.g. contractor, beneficiary, customer, lobbyist, debtor, creditor). Alternatively, it may merely be to put at rest the minds of people who are highly nervous about the power of organisations to bring pressure to bear on them.
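One way to realise the multiple digital personae described above, as an added example that is not from the original document: the card derives a separate identifier for each relationship using HMAC-SHA-256 (an assumed construction), and a closed index links them to the person only when legal authority is presented. The names `persona_id`, `ClosedIndex` and `build_demo`, the relationship labels and the warrant reference are hypothetical.

```python
import hashlib
import hmac
from typing import Optional


def persona_id(card_secret: bytes, relationship: str) -> str:
    """Identifier that one organisation (or one role) sees for this card.

    Without card_secret, two identifiers cannot be shown to share a holder.
    """
    return hmac.new(card_secret, relationship.encode(), hashlib.sha256).hexdigest()


class ClosedIndex:
    """Hypothetical escrowed index: persona identifier -> person, closed by default."""

    def __init__(self) -> None:
        self._index = {}
        self.access_log = []  # every attempt is recorded, whether granted or refused

    def register(self, persona: str, person: str) -> None:
        self._index[persona] = person

    def resolve(self, persona: str, warrant: Optional[str]) -> str:
        self.access_log.append((persona, warrant))
        if not warrant:
            raise PermissionError("closed index: legal authority required")
        return self._index[persona]


def build_demo():
    """Constructed sample: one person, three relationships, two organisations."""
    card_secret = bytes(range(32))  # constructed value; a real card keeps this on-chip
    index = ClosedIndex()
    personae = {}
    for relationship in ("agency-A/beneficiary", "agency-A/contractor", "bank-B/customer"):
        personae[relationship] = persona_id(card_secret, relationship)
        index.register(personae[relationship], "person-0001")
    return personae, index


if __name__ == "__main__":
    personae, index = build_demo()
    for relationship, pid in personae.items():
        print(relationship, pid[:16])
    first = personae["agency-A/beneficiary"]
    print(index.resolve(first, "WARRANT-EXAMPLE-1"))  # constructed warrant reference
```

The index holder is the one party able to link the trails, so the privacy of the scheme rests on how tightly access to that index is controlled and audited.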

Smart cards are capable of being used as a means of sustaining anonymity or pseudonymity in transaction systems.

The section above is a revised extract from

Clarke R. (1997-) 'Introduction to Dataveillance and Information Privacy, and Definitions of Terms'

Further details on anonymity and pseudonymity are provided in Clarke (1996).

Further details on the digital persona are in Clarke (1994).

Further details on applications of smart cards in support of anonymity and pseudonymity are in Clarke (1997).


Clarke R. (1996) 'Identification, Anonymity and Pseudonymity in Consumer Transactions: A Vital Systems Design and Public Policy Issue' Proc. Conf. 'Smart Cards: The Issues', Sydney, 18 October 1996

Clarke R. (1994) 'The Digital Persona and its Application to Data Surveillance' The Information Society 10,2 (June 1994)

Clarke R. (1997) 'Chip-Based ID: Promise and Peril', Proc. Int'l Conf. on Privacy, Montreal, September 1997

Clarke R. (1997-) 'Introduction to Dataveillance and Information Privacy, and Definitions of Terms'

8.3 Digital Signatures and Privacy

Greenleaf and Clarke (1997) identify and examine the following impacts of digital signature technology on privacy:


Greenleaf G.W. & Clarke R. (1997) 'Privacy Implications of Digital Signatures' Proc. IBC Conf. on Digital Signatures, Sydney, 12 March 1997

8.4 Smart Cards as Privacy-Protective or Even Privacy-Enhancing Technology

Because chip-cards are programmable, schemes that incorporate them can be designed to be highly privacy-invasive, highly privacy-protective, or anywhere in-between, depending on the motivations driving the design. This section examines their potential for use as a 'privacy-enhancing technology'.

Ways in which smart cards can be used as a privacy-protective measure include:

Additional considerations in the design of smart card schemes include the provision of individuals with a significant degree of control, through such measures as:

Great care is needed with schemes that tend to break down the segregation, such as:

The section above is a revised extract from

Clarke R. (1997) 'Chip-Based ID: Promise and Peril', Proc. Int'l Conf. on Privacy, Montreal, September 1997


Clarke R. (1997) 'Chip-Based ID: Promise and Peril', Proc. Int'l Conf. on Privacy, Montreal, September 1997

Davies S. (1992) 'Big Brother: Australia's Growing Web of Surveillance' Simon & Schuster, Sydney, 1992

Davies S. (1996) 'Monitor: Extinguishing Privacy on the Information Superhighway', Pan Macmillan Australia, 1996

EPIC (1995-) 'National ID Cards', Electronic Privacy Information Center, Washington DC

Foucault M. (1977) 'Discipline and Punish: The Birth of the Prison' Peregrine, London, 1975, trans. 1977

Kim J. (1997) 'Digitized Personal Information and the Crisis of Privacy: The Problems of Electronic National Identification Card Project and Land Registry Project in South Korea'

NSWPC (1995) 'Smart Cards: Big Brother's Little Helpers', The Privacy Committee of New South Wales, No.66, August 1995

Privacy International (1996) 'Privacy International's FAQ on Identity Cards'



Created: 14 July 1998

Last Amended: 14 July 1998

These community service pages are a joint offering of the Australian National University (which provides the infrastructure), and Roger Clarke (who provides the content).