© Xamax Consultancy Pty Ltd,  1995-2017

Roger Clarke's 'The Identification Spectrum'

Anonymous, Pseudonymous and Identified Transactions:
The Spectrum of Choice
Extended Abstract

Roger Clarke

Principal, Xamax Consultancy Pty Ltd, Canberra

Visiting Fellow, Department of Computer Science, Australian National University

Version of 17 February 1999

© Xamax Consultancy Pty Ltd, 1999

This paper was prepared for submission to the User Identification & Privacy Protection Conference, Stockholm, 14-15 June 1999

This Extended Abstract is at

The completed paper will emerge at


Extended Abstract


This paper addresses the question of whether and how a party to a transaction knows the identity of the other party, and the degree of confidence the party has as to whether that identity is correct. It is written in the context of attempts by many organisations, in both the public and the private sectors, to convert transactions that have hitherto been anonymous into identified ones.

Discussions about this topic frequently embody the presumption that a stark choice exists between accountable identification and irresponsible anonymity. In fact, a rich range of alternatives exists. This paper's purpose is to present that range of alternatives, and to argue for much better informed and more careful selection among them.

This paper commences by introducing relevant concepts. It then identifies the alternative approaches that are available to organisations when they design their information systems. It concludes by suggesting how organisations can determine which of the spectrum of possibilities is appropriate in their particular circumstances.


Identification is a process whereby a real-world entity is recognised, and its 'identity' established. Identity is operationalised in the abstract world of information systems as a set of information about an entity that differentiates it from other, similar entities (Clarke 1994a).

Contrary to the presumptions made in many information systems, an entity does not necessarily have a single identity, but may have many. It is common, for example, for some kinds of people to be known by different names in different contexts, and when performing different roles. In some cases, the intention is dishonourable or criminal; but in most cases it is neither (Clarke 1994a).

Authentication is the process whereby a degree of confidence is established about the truth of an assertion. A common application of the idea is to the authentication of identity (Clarke 1995, 1996e). This is the process whereby an organisation establishes that a party it is about to deal with is:

Identification needs to be applied to natural persons, but also to artificial entities such as corporations and associations. Only a sub-set of the identification techniques used for humans are applicable to such 'legal persons'.

The nature of identity, identifiers, and identification processes is such that authentication is never perfect, but rather is more or less reliable. It is useful to distinguish degrees of assurance about identity. High-reliability authentication processes are generally costly to all parties concerned, in terms of monetary value, time, convenience and intrusiveness. Organisations generally select a trade-off between the various costs and reliability.

The term 'authentication' is most commonly applied in relation to identity, but it is a much more general concept. In many circumstances, organisations undertake authentication of value, e.g. by checking a banknote for forgery-resistant features like metal wires or holograms, and seeking pre-authorisation of credit-card payments.

Another approach is the authentication of attributes, whereby it is not the person's identity that is in focus, but rather the capacity of that person to perform some function, such as being granted a discount applicable only to tradesmen or club-members, or a concessional fee only available to senior citizens or school-children, or entry to premises that are restricted to adults only.

A particular challenge that organisations need to cope with is agents acting on behalf of a principal. Agents may be corporations, or individuals, or artificial intelligences / software agents (as occurs in 'program trading'). The organisation may need to satisfy itself that the agent has the authority to conduct a particular transaction, by undertaking authentication of a particular attribute that reflects the agency relationship.

Alternative Approaches

It is often presumed that an organisation faces a simple choice between a transaction in which the parties are identified, or one in which the parties are anonymous. This is not so.

The following is the range of possibilities:

  1. identified transactions. In this case, the transaction data carries an identifier. The following levels of assurance about the identity are possible:
    1. strongly authenticated. Authentication is undertaken in such a manner that a high degree of confidence exists that the person or organisation is who they purported to be;
    2. moderately authenticated. Authentication is undertaken, but a lower level of confidence exists, because more risks exist that a mistake may have been made or a trick successfully played;
    3. weakly authenticated. Limited authentication is undertaken, which is fairly readily avoided or subverted;
    4. unauthenticated. No authentication of the identifier is conducted: it is taken at face value;
  2. pseudonymous transactions. In this case, the transaction data carries a pseudo-identifier rather than a direct one. It is possible to establish the identity of the party behind the pseudonym, but only if certain conditions are satisfied. The following levels of assurance of the linkage between pseudonym and identity are possible:
    1. strongly authenticated. Authentication is undertaken, and a high degree of confidence exists that the linkage between pseudonym and real identity is reliable;
    2. moderately authenticated. Some authentication is undertaken, resulting in a moderate degree of confidence in the link;
    3. weakly authenticated. Limited authentication is undertaken, and a low level of confidence exists about the link;
    4. unauthenticated. No authentication is undertaken, and the link between the pseudonym and the individual or organisation is taken at face value;
  3. anonymous transactions. In this case, it is not possible to establish the identity of the party.

A range of techniques can be adopted to supplement the level of assurance in relation to identification. In particular, the organisation can protect its interests through authenticating value, or authenticating the party's attributes. These can be performed in addition to, or instead of, authentication of the identity or pseudo-identity.

In addition, authenticated pseudonymity can be very effective for establishing confidence that a series of communications are with the same person, even though the identity of the person is not reliably known.
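
One way to realise the authenticated pseudonymity described above, as an added example that is not from the paper: the organisation issues a secret key at first contact and stores it against the pseudonym only, so later messages can be tied to the same party without learning who that party is. The registry class, function names, pseudonym and messages are constructed for illustration, and the HMAC-with-counter scheme is an assumption, one of several that would serve.

```python
import hashlib
import hmac
import secrets

def make_tag(key, pseudonym, counter, message):
    # Length-prefix the pseudonym so field boundaries cannot be shifted.
    p = pseudonym.encode()
    data = len(p).to_bytes(2, "big") + p + counter.to_bytes(8, "big") + message
    return hmac.new(key, data, hashlib.sha256).digest()

class PseudonymRegistry:
    """Organisation-side state: pseudonym -> key and counter. No identity is held."""
    def __init__(self):
        self._keys, self._last = {}, {}

    def register(self, pseudonym):
        if pseudonym in self._keys:
            raise ValueError("pseudonym already in use")
        self._keys[pseudonym] = secrets.token_bytes(32)
        self._last[pseudonym] = 0
        return self._keys[pseudonym]  # handed to the party at first contact

    def accept_unauthenticated(self, pseudonym, message):
        # Unauthenticated pseudonymity: the claimed pseudonym is taken at face value.
        return pseudonym in self._keys

    def accept_authenticated(self, pseudonym, counter, message, tag):
        key = self._keys.get(pseudonym)
        if key is None:
            return False
        if not hmac.compare_digest(make_tag(key, pseudonym, counter, message), tag):
            return False  # sender does not hold the key bound to this pseudonym
        if counter <= self._last[pseudonym]:
            return False  # replay of an earlier genuine message
        self._last[pseudonym] = counter
        return True

def demo():
    reg = PseudonymRegistry()
    key = reg.register("blue-heron")  # constructed pseudonym
    m1, m2 = b"order 3 widgets", b"change order to 5"  # constructed messages
    t1, t2 = make_tag(key, "blue-heron", 1, m1), make_tag(key, "blue-heron", 2, m2)
    forged = make_tag(secrets.token_bytes(32), "blue-heron", 3, b"cancel order")
    return {
        "face_value_accepts_impostor": reg.accept_unauthenticated("blue-heron", b"cancel order"),
        "genuine": [reg.accept_authenticated("blue-heron", 1, m1, t1),
                    reg.accept_authenticated("blue-heron", 2, m2, t2)],
        "impostor": reg.accept_authenticated("blue-heron", 3, b"cancel order", forged),
        "replay": reg.accept_authenticated("blue-heron", 2, m2, t2),
    }
```

Calling `demo()` shows the face-value check accepting a message from anyone who quotes the pseudonym, while the authenticated check accepts only the key holder's fresh messages.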

Selection Criteria

Organisations have for too long blundered into identified schemes when this did not reflect their real needs. They need to appreciate the range of alternatives available to them. In order to make a rational choice among them, they need to consider a number of factors.

A first matter of importance is the setting within which the particular transactions take place, and the functional requirements of the particular information system. Within the context defined by the requirements and setting, a risk analysis needs to be conducted, to determine what the harm will be if identities are not gathered, or are inaccurate.

It is important to distinguish between military-style notions of 'absolute assurance' and the conventional approach adopted in business and government. The conventional approach disregards absolute assurance as being probably unattainable, and in any case extraordinarily expensive and intrusive. Businesses apply risk-management techniques, identifying categories of risk that justify incurring costs, and others that can be satisfactorily addressed by merely monitoring and tolerating them.

Some key factors that need to be considered in undertaking this kind of risk analysis are:

It is all too common for organisations to perform risk analyses only from the perspective of the organisation itself. In most circumstances, however, the effectiveness of the system is heavily dependent on the behaviour of others, and especially of the parties to the transactions. It is therefore vital that the interests of other stakeholders be factored into the analysis (Clarke 1992).

Identification and authentication are inherently invasive of people's privacy, in all its dimensions (Clarke 1988, 1997c, 1997d). It is especially crucial that the privacy concerns be investigated, appreciated, and taken into account in designing information systems (Clarke 1996d).

A Case Study: Communications on The Internet

The dominant mode of communication on the Internet is 'unauthenticated pseudonymous'. For example, email From: addresses provide only a limited amount of information about the sender, and are in any case 'spoofable'; IP-addresses provided by web-browsers do not directly identify the user; and the data stored and transmitted in cookies is not reliable.

Moreover, netizens have shown themselves to be very concerned about freedoms and privacy (Clarke 1996a, 1996f, 1997a, 1997b, 1998a, 1998c, 1999); and attempts by an organisation to achieve authentication of an identifier or pseudonym are subject to an array of countermeasures (e.g. CACM 1999, Clarke et al. 1998, Clarke 1998c).

The result is that net transactions are:

Currently, substantial efforts are being invested in the application of public key cryptography to the task of identification and authentication. These proposals and initiatives in turn raise some substantial privacy concerns (Clarke 1996b, Greenleaf & Clarke 1997, Clarke 1997d, 1998b).

For some purposes, the low level of identification and authentication inherent in the Internet creates difficulties. Examples include government agencies that are seeking a formal undertaking by the other party, e.g. a declaration by a taxpayer; and businesses that are seeking to establish a relationship with a customer, perhaps to protect against default by the customer, and perhaps to enable promotional and selling activities to be directed to that customer in the future.

There are a great many circumstances, on the other hand, in which the existence of effective anonymity on the Internet is entirely consistent with the purpose of the interaction, and entirely workable.


Organisations need to appreciate the range of alternatives that is available in relation to identification and authentication, assess their own requirements and the interests of other stakeholders, take particular care concerning the privacy interests of the individuals concerned, and select an approach that is appropriate to the circumstances.

Organisations that do so will find that they pay much more attention to intermediate options such as unauthenticated pseudonymity and authenticated pseudonymity, in some cases combined with value authentication or attribute authentication.


CACM (1999) 'Internet Privacy: The Quest for Anonymity' Special Section of Commun. ACM 42, 2 (February 1999)

Clarke R. (1988) 'Information Technology and Dataveillance' Comm. ACM 31,5 (May 1988) Re-published in C. Dunlop and R. Kling (Eds.), 'Controversies in Computing', Academic Press, 1991, at

Clarke R. (1992) 'Extra-Organisational Systems: A Challenge to the Software Engineering Paradigm', Proc. IFIP World Congress, Madrid, September 1992, at

Clarke R. (1994a) 'The Digital Persona and its Application to Data Surveillance', The Information Society 10, 2 (June 1994), at

Clarke R. (1994b) 'Human Identification in Information Systems: Management Challenges and Public Policy Issues', Information Technology & People 7,4 (December 1994) 6-37, at

Clarke R. (1995) 'When Do They Need to Know 'Whodunnit?' The Justification for Transaction Identification: The Scope for Transaction Anonymity and Pseudonymity' Proc. Conf. Computers, Freedom & Privacy, San Francisco, 31 March 1995, at

Clarke R. (1996a) 'Trails in the Sand', May 1996, at

Clarke R. (1996b) 'Cryptography in Plain Text', Privacy Law & Policy Reporter 3, 2 (May 1996), pp. 24-27, at

Clarke R. (1996c) 'Crypto-Confusion: Mutual Non-Comprehension Threatens Exploitation of the GII', Privacy Law & Policy Reporter 3, 2 (May 1996), pp. 30-33, at

Clarke R. (1996d) 'Privacy, Dataveillance, Organisational Strategy' (the original version was a Keynote Address for the I.S. Audit & Control Association Conf. (EDPAC'96), Perth, 28 May 1996). At

Clarke R. (1996e) 'Identification, Anonymity and Pseudonymity in Consumer Transactions: A Vital Systems Design and Public Policy Issue' Proc. Conf. 'Smart Cards: The Issues', Sydney, 18 October 1996, at

Clarke R. (1996f) 'Public Interests on the Electronic Frontier', Invited Address to IT Security '97, 14 & 15 August 1997, Rydges Canberra (August 1997),

Clarke R. (1997a) 'Cookies' February 1977, at

Clarke R. (1997b) 'Privacy and E-Lists', May 1997, at

Clarke R. (1997c) 'Introduction and Definitions', August 1997, at

Clarke R. (1997d) 'Chip-Based ID: Promise and Peril', for the International Conference on Privacy, Montreal (September 1997), at

Clarke R. (1998a) 'Direct Marketing and Privacy', Proc. AIC Conf. on the Direct Distribution of Financial Services, Sydney, 24 February 1998, at

Clarke R. (1998b) 'Public Key Infrastructure: Position Statement', May 1998, at

Clarke R. (1998c) 'Information Privacy On the Internet: Cyberspace Invades Personal Space' Telecommunication Journal of Australia 48, 2 (May/June 1998), at

Clarke R. (1998d) 'Platform for Privacy Preferences: An Overview', Privacy Law & Policy Reporter 5, 2 (July 1998) 35-39, at

Clarke R. (1998e) 'Platform for Privacy Preferences: A Critique', Privacy Law & Policy Reporter 5, 3 (August 1998) 46-48, at

Clarke R. (1999) 'Internet Privacy Concerns Confirm the Case for Intervention', Communications of the ACM 42, 2 (February 1999), at

Clarke R., Dempsey G., Ooi C.N. & O'Connor R.F. (1998) 'Technological Aspects of Internet Crime Prevention', Proc. Conf. 'Internet Crime', Australian Institute for Criminology, Melbourne University, 16-17 February 1998, at

Clarke R., Dempsey G., Ooi C.N. & O'Connor R.F. (1998) 'The Technical Feasibility of Regulating Gambling on the Internet', Proc. Conf. 'Gambling, Technology & Society: Regulatory Challenges for the 21st Century', Rex Hotel Sydney, Potts Point, 7 - 8 May 1998, Australian Institute for Criminology, Melbourne University, at

Greenleaf G.W. & Clarke R. (1997) 'Privacy Implications of Digital Signatures', Proc. IBC Conference on Digital Signatures, Sydney, March 1997, at


Created: 4 February 1999 - Last Amended: 17 February 1999 by Roger Clarke - Site Last Verified: 15 February 2009