Roger Clarke's Web-Site
© Xamax Consultancy Pty Ltd, 1995-2017
|Identity Matters||Other Topics||Waltzing Matilda||What's New|
Roger Clarke **
Emergent Working Paper of 17 July 2008
Prepared as a basis for the presentation of an Invited Keynote at a Seminar on 'Location Privacy' at the University of N.S.W. on 23 July 2008, and at the Surveillance Symposium in Canberra on 24 July 2008
(See also the Project Overview)
© Xamax Consultancy Pty Ltd, 2008
Available under an AEShareNet licence or a Creative Commons licence.
This document is at http://www.rogerclarke.com/DV/YAWYB-CWP.html
The accompanying slide-set is at http://www.rogerclarke.com/DV/YAWYB.ppt
A decade ago, technologies that could provide information about the location of a motor vehicle, or a computer, or a person, were in their infancy. A wide range of tools are now in use and in prospect, which threaten to strip away another layer of the limited protections that individuals enjoy.
An understanding of the landscape of location and tracking technologies, and of the issues that they give rise to, depends on establishing a specialist language that enables meaningful and reasonably unambiguous discussion to take place.
An outline of the familiar case of mobile phones, complemented by deeper assessments of road tolling and the surveillance of individual motor vehicles on the road, provides a basis for appreciation of the substantial threats that location technologies represent to free society.
Nearly a decade ago, Clarke(1999) reviewed location and tracking in a somewhat simpler world. The paper noted increasing intensity in the collection of transaction data, in the association of personal identifiers with that data, in the retention of that data, and in mining of that data. It also referred to the emergence of spies in people's pockets, wallets and purses (smartcards and cellular mobile phones), and in their cars (toll-road tags, and tagging by car-hire companies, insurers and investigators).
Those technologies are now well-established, and lack any form of regulatory framework. IP-address location remains laughably inaccurate. Cellular triangulation and signal-differential techniques, and self-reporting of GPS measurements, are also error-prone, but their accuracy and precision appear to be improving. RFID and NFC devices identify and locate chips with reasonable reliability, and, because of their short range, with considerable accuracy. Meanwhile, ANPR surveillance of traffic is being introduced without even the slightest regard for its impact on privacy and freedom.
For the last four decades, discussions of privacy and surveillance have primarily focussed on the collection and handling of personal data. In effect, the orientation has been towards 'you are what you've transacted with us'. The march of information technology has resulted in the scope of the transactions that are being captured expanding wildly. Now organisations in both the public and private sectors are seeking data about where people are, in order to use it - sometimes at least nominally for them, but in practice mostly against them. The almost complete absence of data destruction requirements means that data about 'where you are now' is kept, and becomes a trail of 'where you've been'. The presumption underlying the exploitation of this pool of data is that 'you are where you've been'. This paper's purpose is to delineate the nature of these technologies, and of what they do to privacy.
This paper commences with a brief overview of key concepts underlying the subsequent discussion. One cluster comprises the concept of location and the process of acquiring it, and the concept and process of tracking. In order to be able to undertake effective analysis, a model is needed of what it is that is being located and tracked. Relevant concepts include real-world entities (particularly humans and vehicles), identities, and pseudonymity and anonymity.
Building on these ideas, the paper briefly surveys the privacy impacts of location technologies, in order to set the scene for subsequent, more focussed papers. It notes that one's location is potentially very sensitive personal data. But the tracking of people's movements both real-time, and retrospectively, lifts the threat to a much higher level.
This section provides an overview of the concepts of location and tracking. It draws heavily on relevant parts of Clarke (1999a).
By an entity's location is meant a description of its whereabouts, in relation to other, known objects or reference points. Examples include the following:
The 'space' within which an entity's location is tracked is generally physical or geographical. All of the above examples relate to location within physical space. Other kinds of 'space' exist and location within such spaces may be defined in other terms. For example, a location may be virtual, as in the case of a person's successive interactions with a particular organisation. A particularly important example is 'network space'. An IP-address records the location in network space of a software process entity (which necessarily is running in a computer entity).
Location can be ascertained with varying degrees of precision, and varying degrees of accuracy and reliability. The location of installed devices such as fixed ATMs and EFT/POS terminals may be quite exact, and reliable. The locations of some EFT/POS terminals (e.g. those in taxis) are much more ambiguous, as are those of small modems, codecs and Ethernet and other network interfacing cards, which may be removed from their recorded location. Devices such as cellular phones, and portable and hand-held computers, are designed to be mobile, and additional information is needed in order to draw inferences about their location at the time of a particular event. Some kinds of location definition may be limited to a line or cone (e.g. those relying on directional mechanisms), or an area bounded by three or more lines (e.g. those relying on triangulation).
Measures of location may be available with varying degrees of timeliness. By this is meant the lag that occurs between the event, and the availability to a person undertaking surveillance of the transaction data reflecting that event.
By tracking is meant the plotting of the trail, or sequence of locations, within a space that is followed by an entity over a period of time.
Due to timeliness limitations, data may only be available for retrospective analysis of a path that was followed at some time in the past. A 'real-time' trace, on the other hand, enables the organisation undertaking the surveillance to know where the entity is at any particular point in time, with a degree of precision that may be as vague as a country, or as precise as a suburb, a building, or a set of co-ordinates accurate to within a few metres. Moreover, a person in possession of a real-time trace is in many circumstances able to infer the subject's immediate future path with some degree of confidence.
This section provides an overview of the concepts of identity, entity and nymity. It draws heavily on relevant parts of Clarke (2001) and Clarke (2004).
The term 'entity' refers to any item that exists in the real world. It is sufficiently generic to be applicable to a rock, a chair, a motor vehicle, a device with a computer embedded in it, and a human being.
The term 'identity' refers to a particular presentation of an entity, such as a role that the entity plays in particular circumstances. For example, a motor vehicle is an entity. It may have multiple identities over time, such as taxi and getaway car. A mobile phone is an entity, but it may take up different identities depending on the SIM placed in it. A computer is an entity, but each process that runs on it is capable of being an identity distinct from both the entity and the other identities represented by other processes.
People perform many roles, and most individuals are known by different names in different contexts. In some cases, the intention is dishonourable or criminal; but in most cases the adoption of multiple personae is neither, but rather reflects the diversity of contexts in which they act, including within their family, their workplace(s), their profession, community service and art. In common law countries, people are in no way precluded from using multiple identities or aliases. Actions that take advantage of multiple or situation-specific identities in order to cause harm or circumvent the law are, on the other hand, criminal offences.
An identity may be distinguished from other, similar identities through the use of some kind of label or signifier. For example, a SIM card has a SMI-card identifier, a process running in a computer has a process-ID, and a human being has (many) names and codes assigned to them.
Similarly, an entity may be distinguished from other, similar entities through the use of some kind of label or signifier. Even some rocks have names or numbers, motor vehicles have vehicle id numbers (VINs), engine numbers and registration 'numbers', mobile phones have unique numbers associating with housing, and human beings have biometrics. Given that the term for an item of information that distinguishes an identity is 'identifier', it is convenient to refer to an item of information that distinguishes an entity as an 'entifier'.
An identifier that can be linked to the underlying entity only with considerable difficulty is commonly called a pseudonym. If an identifier cannot be linked to an entity at all, then it is usefully called an anonym. And a term that usefully encompasses both pseudonyms and anonyms is nym.
Anonymity is a characteristic of records and transactions, such that they cannot be associated with any particular entity, whether from the data itself, or by combining it with other data. Pseudonymity is a characteristic of Records and Transactions, such that they cannot be associated with any particular entity unless legal, organisational and technical constraints are overcome. And a term that encompasses both anonymity and pseudonymity is nymity.
The concepts of location and tracking, discussed below, clearly apply to entities. However they may also apply to identities in various circumstances, and hence to nyms.
A wide variety of location and tracking technologies exist. They are mostly oriented towards entities, and their effective operation depends on the collection of entifiers that distinguish the particular entity and enable transaction data to be reliably associated with the appropriate entity and perhaps with other transactions. Some technologies are relevant to spaces other than physical space (especially net space), and some to identities rather than entities. In Clarke (1999a, 1999b), a great many specific instances of location and tracking technologies were catalogued and outlined.
During the intervening decade, a few of these have become noticed by the general public. In particular, there is an increasing appreciation that mobile phones have become not only an enormous personal convenience, but also a spy in the person's pocket. This is discussed in Vignette 1, below. In order to provide a sufficient depth of appreciation of relevant technologies, further vignettes examine location and tracking of vehicles, and of human bodies.
The term 'handheld' is used in this paper to refer to any mobile access device with the capacity to communicate by wireless means. There have been two broad categories: mobile phones and personal digital assistants (PDAs). Mobile phones were designed to support voice-calls from any location within range of a transceiver connected to the relevant wireless network. Network protocols developed for this purpose have been referred to as 'cellular networks'. They have included analogue, early digital (such as GSM and CDMA), and later digital networks commonly referred to as third generation (3G, such as GSM/GPRS, CDMA2000 and UMTS/HSPA).
PDAs were designed to support computing on the move. They exist in many variations, reflecting orientation towards business or personal use; text capture, despatch and receipt; sound receipt and playback (particularly music); image capture, despatch and receipt; and game-playing. Designs continue to proliferate and cross-fertilise. In addition to being capable of connection to fixed networks, handhelds have had wireless network capabilities added. These have most commonly been Wireless Local Area Networks (WLANs), in particular so-called 'WiFi' based on the IEEE 802.11x family of protocols. Wide Area Network technologies also exist, such as `WiMax' / IEEE 802.16 and iBurst.
Location and tracking are inherent in wireless networking technologies. Each message that is transmitted over a wireless network needs to reach the intended handheld. There is insufficient capacity to broadcast all traffic in all cells. It is therefore necessary for the network to know in which cell the targeted handset is to be found, so that the message can be transmitted in that cell only. Each handset therefore continually transmits registration messages which are picked up by the base-station(s) that service each cell. Handsets are generally designed to transmit registration messages even when nominally switched off or placed on standby, and perhaps even when the (main) mattery is removed.
In cellular networks, there is generally a clear distinction between the entity (the handset) and the identity it is adopting at any given time (which is determined by the module inserted in it). In GSM and UMTS devices, the identity is the Subscriber Identity Module (popularly known as the 'SIM-card'), in CDMA devices the Removable User Identity Module (R-UIM) or CDMA Subscriber Identity Module (CSIM), and in generic 3G devices the Universal Subscriber Identity Module (USIM). These modules store an International Mobile Subscriber Identity (IMSI), which constitutes the module's identifier. Among other things, this enables network operators to determine whether or not to provide service, and what tariff to apply to the traffic.
However, cellular network protocols may also involve transmission of a code that distinguishes the handset in which the module is currently inserted, i.e. the device entifier. In GSM and UMTS devices, this is the International Mobile Equipment Identity (IMEI), and in CDMA devices the Electronic Serial Number (ESN, in the USA) or Mobile Equipment Identifier (MEID). Among other things, transmission of the device entifier enables network operators to disable, refuse service or track handsets reported as having been stolen.
In some jurisdictions, all handsets are required by law to be registered to a particular owner, although in others some handsets may be used in an anonymous or at least pseudonymous manner, perhaps up to some limit of call-value. In practice, the vast majority of handsets are used for long periods with a single SIM-card installed, and by a single person. Hence what is being tracked is in many cases the individual user of the handset.
In the case of computing devices that use wireless networks such as Wifi and Wimax, the primary identifier is generally the Internet Protocol (IP) address, which is commonly assigned for a relatively short period. However, the base-station (commonly, although not entirely accurately, called a router), may also have access to an entifier for the device, such as a processor-id or a network interface card identifier (NIC Id). These are less tightly linked with an individual than is the case with mobile phones. The tendency towards multi-functionality of handsets, and connection with both cellular and Wifi networks, may, however, be breaking down that remnant element of nymity.
The network is aware of the cell-location of each handset that uses the network and is currently within range of a base-station - and hence an observer with access to the identity of the handset's usual user is aware of that person's cell-location. The precision of the location may be limited to the particular transmission cell, which may be as large as a 10km radius, or as small as 100m radius. However, a number of techniques exist whereby the precision may be far greater than that. These include:
The stream of messages that a handset sends enables the network to not only locate it, but also to track it. The tracking may be something close to real-time, depending on the frequency with which registration and other messages are sent (which is generally often), and the latency in the system (which is generally very short). If the series of locations is logged, and the log retained, then the tracking can be retrospective. It appears that logs are commonly collected, and that they may be retained for periods that may be quite long. If the data-stream is sufficiently intense and latency low, then it is capable of being applied to predictive tracking.
The data's intrinsic purpose is network management; but it is attractive for a range of purposes additional to that. Network service providers are increasingly seeking to extract additional revenue from subscribers (by offering location-sensitive services), and from advertisers (by transmitting location-sensitive offers).
In addition to such extrinsic uses by the network operator, disclosure to other parties already occurs, and may worsen. The data-stream and logs are accessible by law enforcement agencies, and by national security agencies. In many cases, this appears not to be subject to the hitherto conventional control of requiring a prior, specific-purpose judicial warrant based on evidence of reasonable grounds for suspicion of a criminal offence. Further, despite longstanding protections in the telecommunications laws of many countries, there is considerable pressure from business enterprises for the data to escape beyond the network service providers, to other business units, related business enterprises and 'strategic partners'.
The analysis conducted in this section related only to location and tracking, and to the identification of the handset and the user. It intentionally left aside the questions of traffic analysis (i.e. which devices commuincated with one another) and the interception, storage, use and disclosure of message-content.
Motor vehicles are increasingly subject to automated monitoring. A number of technologies are being used or are in prospect, including passive RFID tags which transmit an identifier when control-points are passed and active transmitters which report their position under program control. This section focusses on a quite different technology most commonly referred to as Automated Number Plate Recognition (ANPR).
Automated Number Plate Recognition (ANPR) involves the use of:
ANPR differs from its predecessors ('speed cameras' and 'red-light cameras') in that it necessarily involves digital rather than wet-chemistry photography, and automatic extraction of the registration data in real-time rather than manual and/or deferred extraction.
Both suppliers and user-organisations project the notion that ANPR is highly accurate and highly reliable. However, very little evidence is publicly available, and no independent tests appear to have even been conducted, let alone published. Anecdotal evidence suggests that the reliability of the process whereby registration data is extracted from the digital images is actually quite low, with success-rates perhaps as low as 70% even under favourable conditions. In addition, many factors reduce the reliability, such as the state of the registration plates, of the camera lens and of the light-path between them. The extraction is by its nature 'fuzzy', and confidence threshholds have to be set. In any circumstances in which the implications for false positives are serious, it is vital that the threshholds be set so that innocent passers-by are not significantly impacted.
The object that ANPR locates and tracks is a vehicle identifier - the registration-plates that the vehicle carries. This is distinct from a vehicle entifier such as a Vehicle Identification Number (VIN), or an engine-number. In some countries, registration-plates are permitted to be used on more than one vehicle, whereas other countries require its use only on one vehicle. For people and organisations that have sufficient motivation, falsification and duplication of registration-plates is relatively easy, the likelihood of detection is low, and the sanctions if the offence is detected are relatively low.
In practice, ANPR can be and is used as a basis for the location and tracking of people. A vehicle is registered in the owner's name, and hence an inference may be drawn that that person is the vehicle's driver, or one of its occupants.
ANPR is capable of being applied to several different categories of purpose, and the infrastructure to support it can be architected in several different ways. The following sub-sections outline three categories of application, and architectural features that vary in their privacy impacts and implications.
Motor vehicles use resources, including infrastructure (roads, control devices such as signs and traffic lights, on-street parking, garages and parking stations) and fuel. They also generate noise and pollution, and are likely to be subject to further, indirect charging and/or taxation in the near future through 'green credit' mechanisms. For various reasons, there has been a drift away from State-funded infrastructure towards a user-pays approach. Charges are therefore levied for on-street parking, use of space in garages and parking stations, use of toll-roads, and use of congested areas such as inner-cities.
There are two broad ways in which charges for the use of road transport infrastructure give rise to location and tracking of people: through the payment process, and through control mechanisms designed to deal with errors and abuse of the scheme.
Cash payments are regarded by many service-providers as expensive and inconvenient. A number of facilities can only be used if payment is made using a credit-card or debit-card. Other facilities require use of a specialist payment device which commonly takes the form of a contactless smartcard or RFID-tag. These in turn are in some cases unable to be purchased or 'topped up' in return for cash, but only by means of a credit-card or debit-card.
During the last few decades, governments around the world have imposed increasingly stringent requirements on card-issuers to authenticate the identities of their customers. Moreover, the face of the card generally carries the card-holder's commonly-used name. The net effect of these factors is that a number of user-pays road transport facilities are not currently available unless the person using them identifies themselves more or less directly to the operator. The human right of freedom of movement within one's country is seriously harmed by the denial of anonymous use of road transport infrastructure.
The second source of person location and tracking through road transport arises from the control mechanisms that infrastructure and fuel providers alike need to exercise over the evasion of their fees. For example, a toll-road may be used by a vehicle with no tag, a defective tag or a tag that carries insufficient value; a parking location or congested area may be used without payment of the fees or the fine; and a driver may 'skip' after filling their petrol-tank but without paying. A commonly-used control is the video-recording of the vehicle's registration plates, originally on a tight-loop analogue video-tape with 24-hour retention of the images. But ANPR has obvious application to these needs, and tight-loop / short-retention analogue recording has been rapidly giving way to digital recording, automated recognition of registration data, and longer, and even indefinite retention of the images.
It may only be necessary to record images of vehicle registration data in the small minority of cases where the vehicle has been detected as being infringing in some way. On the other hand, vehicle identities may need to be recognised and matched at two or more points, e.g. where the fee is dependent on entry and exit times (e.g. for parking, or in congested zones), or at entry and exit points (e.g. for variable-cost toll-roads). There are a variety of ways in which that can be achieved.
In principle, the vehicle registration data in such circumstances is needed only for as long as it takes to compute and collect the fee, perhaps followed by a retention period long enough to enable audit by the operator and/or reporting to or handling of a complaint by the road-user. In addition, privacy-protective schemes can be devised and implemented relatively easily. (For example, the vehicle registration data could be retained for the duration of the trip only, with the payment tag issued with an electronic receipt number, which is stored by the operator together with the facility usage data that gave rise to the charge).
But, despite the ease of creating such schemes, it appears to be highly unusual for operators to do so. In practice, vehicle registration data is collected, retained, retained long-term, used and disclosed. And, with storage costs plummeting, a great deal of data capture and retention of this kind is indiscriminate, i.e. the registration data of all vehicles is captured, and retained, irrespective of whether the action is justified.
ANPR has a number of applications in support of policing, particularly of road traffic, but to some extent more generally. Law enforcement uses involve the detection of a registration-plate of interest to a law enforcement agency. In some cases, a traffic infringement notice may be automatically generated (as with longstanding manual processes using wet-chemistry photography, for speeding and red-light offences). In other cases, the vehicle of interest may be intercepted a short distance further down the road. The applications can be categorised as follows:
The first and second of those categories are specific policing applications that are characterised by relatively high reliability and straightforward justification. The third is more speculative, particularly in relation to the impact on accidents involving unregistered vehicles and unlicensed drivers. The fourth is much more problematical. It has potential, and potentially substantial, negative implications for the safety of police officers, of people in the vicinity of interceptions, and of occupants of vehicles that are intercepted on grounds that transpire not to be justified.
There are prospects that ANPR may be effective for the purposes for which registration plates were issued - specifically, traffic administration and traffic law enforcement. Considerable care is needed even in these cases, however, because the reliability of data in registration databases, and of the data extracted from the photograph, are both of moderate rather than high quality. There is considerably more doubt about the more remote, consequential contributions to public safety, and the substantially speculative application fo criminal law enforcement more generally.
It is straightforward to devise an architecture for ANPR that is effective for operational policing but avoids undue collection of data. The camera-unit can be designed as a high-security device that only discloses data that satisfies tightly-defined and tightly-controlled criteria. This can be achieved through what can be usefully described as 'blacklist in camera' architecture. Tightly-coupled processing within the camera-unit can compare the registration data extracted from images against one or more controlled blacklists that have been downloaded to it. These can contain the registration numbers of vehicles that law enforcement agencies want to intercept for specific reasons. The only data disclosed by the device would be high-probability 'hits' against those blacklists.
Multiple controls are needed in order to achieve the dual objectives of operational policing and protections for privacy, civil liberties and democracy. Crucial among them are tight controls over the quality of the blacklist data. This includes accuracy and precision - which is known to be an issue with vehicle registration databases. Another quality factor that is especially challenging is timeliness, particularly in the case of such fraught categories as stolen vehicles, and especially getaway cars. Tight controls over the transmission of the data are also essential. Serious public safety issues arise from some potential categories of blacklist, including getaway cars, but also vehicles associated with people wanted for arrest, and even for questioning.
A further possible variant is a 'white-list in camera' approach, whereby listed vehicle registrations would not be reported, but all others would be. This may have application in areas that are subject to very tight physical controls, such as within nuclear power plants, and in the areas immediately adjacent to meetings involving dignitaries considered to be at risk of being targeted by activists. However, the approach gives rise to serious concerns about public safety, unreasonable interception and unreasonable inferences about vehicle drivers and occupants.
Despite the ease with which ANPR can be architected so as to balance policing needs with privacy and civil liberties, infrastructure of that kind remains uncommon. The following sub-section describes the way in which most ANPR works in the United Kingdom, and is emergent in Australia.
The ANPR camera-unit can be designed to transmit every instance of vehicle registration-data that it is able to extract from passing vehicles. The receiving device might be a display, for example in a nearby police patrol vehicle. In practice, however, the receiving device is generally a computer with substantial data-storage. The extracted registration-data may be used for user-pays charging and/or law enforcement, as described in the previous sub-sections, but is also stored, together with the date, the time and some indication of location and perhaps direction of view or of movement.
Over time, and with the proliferation of image-capture devices, the effect of this process is the accumulation of a massive database of vehicle movements. Nothing remotely resembling it has ever existed in the past, even in the old USSR (where internal passports were used to restrict freedom of movement) and East Germany (where monitoring of the population reached its then greatest extremes).
The justification for such mass surveillance is that there is intelligence value in ANPR data. It might be feasible to locate designated vehicles, to track them in real-time, and to submit vehicles of interest to retrospective tracking. Further, proponents postulate that a wide array of (loose) inferences may be able to be drawn about vehicles being associated with one another in some manner (such as travelling in proximity, or being co-located on multiple occasions).
Firstly, it is far from clear that any such intelligence benefits are real, and secondly, it appears that national security agencies expect their propositions to be accepted by politicians and the public without supporting evidence, and without question. Even the most cursory consideration of the claims leads to a completely contrary conclusion: vehicle registration data is unreliable, false positives will be frequent, forgery is easy, and both 'organised crime' and terrorists can readily organise themselves so as to circumvent, nullify and even subvert such monitoring.
The previous vignettes involved direct monitoring of devices, which were associated with individuals with higher or lower degrees of reliability. This sub-section considers technologies that enable direct location and tracking of people's bodies.
Chips may be used for various purposes, including identification, identity authentication, and the authorisation of access to controlled premises and controlled computing services and data. This paper does not further discuss authentication and authorisation, because it is focussed on identification, location and tracking applications.
A variety of techniques can be used to locate and track people. People may carry a device that broadcasts a signal, or responds to requests for device-id from dispersed monitors, or to requests for positional information from a centralised monitor. The section on handsets above is indicative of technologies that support voluntary or consensual tracking.
The active element underlying location and tracking is a chip-set and associated transceiver, antenna and power-source. In principle, a wide range of wireless communications technologies and protocols could be used. In practice, the commonly applied technologies are those associated with the closely-related forms of contactless smartcards, radio-frequency identification (RFID) and near field communications (NFC).
A handset is only one 'carrier' that can be used to house the components. Another common form is a plastic card, often (but not necessarily) of the same dimensions as credit-cards (i.e. XXX mm x XXX mm). These have been available since about 1994 (Clarke 1996?). Another is so-called 'RFID tags', which take different physical forms depending on what they are attached to (e.g. clothing, packets or pallets). NFC chip-sets have been designed to be added into mobile phones.
This sub-section concentrates on two particular 'form-factors': tightly-attached chips, and implanted chips. The first of these is becoming familiar in the form of human adornments. An early pilot was undertaken with wrist-watches, and brooches, belt-buckles, ear-rings and other body-piercings (e.g. in the navel, nose and tongue) are also feasible. The most common forms at the time of writing are wristlets and anklets. Anklets have the advantage of being more difficult to remove than anklets, whereas some other, smaller forms may escape detection.
The carriage of the device may be voluntary, consensual, coerced or imposed. For example, individuals who are concerned about being kidnapped might use such technologies voluntarily. An example of a consensual application is work-contexts, to locate people within a campus or industrial complex. Applications in work-contexts may, however, involve coercion (i.e. where the consent is nominal rather than real - because it is a condition of the job or the promotion), or it may simply be imposed (e.g. as a retrospectively added and unilaterally imposed condition, which is easily achieved where the employer is in a position of considerable power, such as in military and law enforcement contexts, but in many other government and corporate contexts as well).
Chip-carrying adornments have been imposed on various categories of institutionalised individuals. The most common have been prisoners on parole, and even people on remand (i.e. who have been charged, not yet tried, but perhaps considered a flight risk). There also appear to be applications to prisoners within low-security facilities and even within conventional gaols. There have been multiple proposals relating to the frail aged, especially those suffering senile dementia. In early 2008, the Australian Department of Health floated the idea that aged care facilities would be required to impose RFID-tags on people within their care. Particularly within the US, pilot applications have also been advertised within hospitals, both for babies and for unconscious patients prior to and during operational procedures.
A chip-carrying adornment is capable of being readily detected, by sight alone, and readily removed. For various purposes, it may be desirable that the chip-set be non-obvious, and not easily disabled, shielded, subverted or removed. One way to achieve this is to implant it in the person's body. Conventional locations in animals are the neck (for pets) and the ear (for livestock), and these may be considered for humans as well. Other possibilities include hand or arm, and the gums or scrotum (to minimise the attractiveness to the person of removing it or having it surgically removed). A short-lived US company sold a service to implant chips in teeth, the rationale being that the teeth are among the longest-lasting parts of dead bodies (REFERENCE). (The company's pitch was that this would somehow protect children against abduction, whereas its only real application would have been for the identification of the child's skeleton).
The implantation of chips in animals has been proceeding apace since WHEN?, particularly for pets and valuable livestock such as cattle and breeding stock of smaller animals (REFERENCE). In 1993, this author included in a paper reference to a category of human identifier that was styled as 'imposed biometrics'. The notion met considerable resistance from the reviewers and editor of a major refereed journal, on the grounds that it appeared to them to be extremist. (After additional evidence was provided, the notion was included in the published paper - Clarke 1994).
Despite the seemingly extreme nature of chip implantation, developments since then have been very brisk. The first documented chip implant was performed in 1998, a procedure performed by a UK professor on himself (Warwick). The early documented voluntary implantations were at a Madrid nightclub in 2003? (REFERENCE). The first documented coerced implantations were in Mexico City in 2004? (REFERENCE), although it appears likely that some earlier impositions may have occurred in various US contexts that are subject to that country's increasingly tight censorship.
[CONSIDER WHETHER THE ANALYSIS SHOULD BE PURSUED ANY FURTHER, e.g. using Clarke (2005)]
This section first presents a generic overview of privacy threats and then, within that framework, considers the specific impacts of the location and tracking technologies outlined in the above vignettes.
The nature of privacy is summarised in Clarke (2006). It is usefully treated as "the interest that individuals have in sustaining a 'personal space', free from interference by other people and organisations". It has multiple dimensions, including privacy of the physical person, of personal behaviour, of personal communications, and of personal data. Appreciation of its importance requires consideration of multiple levels, including the philosophy of human rights, individual and group psychology, sociology, economics and politics.
The location and tracking of known identities and entities is a form of dataveillance Clarke (1988). In some cases it represents personal dataveillance, because a particular human has been targeted for monitoring, presumably based on reasonable grounds (e.g. for suspicion that the person has committed or is intending to commit a criminal offence of sufficient gravity to warrant the commitment of resources and the infringement of freedom). In other cases, location and tracking is mass dataveillance, by which is meant indiscriminate monitoring of a population. The justification (to the extent that any exists) is based on the generalised suspicion that some members of the population are of interest, and that suspicion as to which ones they are can be generated by means of the collection and mining of vast quantities of data. The privacy risks that dataveillance embodies are examined in Clarke (1988).
This sub-section provides an overview of the privacy threats inherent in location and tracking. It draws heavily on relevant parts of Clarke (1999a). The threats arise from individual technologies, and the trails that they generate, from compounds of multiple technologies, and from amalgamated and cross-referenced trails captured using multiple technologies and arising in multiple contexts.
Location and tracking technologies give rise to data-collections that disclose a great deal about the movements of entities, and hence about individuals associated with those entities. Given an amount of data about a person's past and present locations, the observer is likely to be able to impute aspects of the person's behaviour and intentions. Given data about multiple people, intersections of many different kinds can be computed, interactions can be inferred, and group behaviour, attitudes and intentions imputed.
Location technologies therefore provide, to parties that have access to the data, the power to make decisions about the entity subject to the surveillance, and hence to exercise control over it. Where the entity is a person, it enables those parties to make determinations, and to take action, for or against that person's interests. These determinations and actions may be based on place(s) where the person is, or place(s) where the person has been, but also on place(s) where the person is not, or has not been. Tracking technologies extend that power to the succession of places the person has been, and also to the place that they appear to be going.
The nature and extent of the intrusiveness is dependent on a variety of characteristics of location and tracking technologies. An analysis is provided in Clarke (1999b), encompassing such factors as the intensity of the data collection process, the data quality, data retention and destruction, and data accessibility.
Dangers that are especially apparent include the following:
The degree of impact on each individual depends on their psychological profile and needs, and their personal circumstances, in particular what it is that they wish to hide, such as prior misdemeanours, habits, and life-style, or just the details of their personal life. Some categories of individual are in a particularly sensitive position. 'Persons-at-risk' is a useful term for people whose safety and/or state of mind are greatly threatened by the increasing intensity of data-trails, because discovery of their location is likely to be followed by the infliction of harm, or the imposition of pressure designed to repress the person's behaviour. Examples include VIPs, celebrities, notorieties, different-thinkers, victims of domestic violence, people in sensitive occupations such as prison management and psychiatric health care, protected witnesses, and undercover law enforcement and security operatives.
Marketers have an interest in identifying population segments and networks, and in building personal behaviour profiles. More sinister applications arise because so-called 'counter-terrorism' laws have greatly reduced the controls over data gathering, storage and access, over inferencing about where people have been and whose paths people have crossed, and over detention, interrogation and prosecution.
[BRIEFLY ITEMISE HERE THE PRIVACY IMPACTS OF EACH OF THE APPROACHES THAT ARISE IN THE VIGNETTES:
e.g. for 5 above:
ANPR, as conventionally implemented is, quite simply, a 'mass dataveillance' mechanism (Clarke 1988). The data capture is speculative rather than being based on reasonable grounds for suspicion. It is a means of generating suspicion rather than a means of investigating circumstances that appear suspicious. It creates what is commonly referred to as a 'chilling effect', suppressing not only illegal and seriously anti-social behaviour but also legitimate behaviour. Of especial concern is the chilling of behaviour that is legal, and is important to a progressive society (such as art, industrial innovation, policy and politics), but that may be regarded by the powerful as 'deviant' or undesirable.
The justifications advanced for the purposes remote from vehicle registration, even for public safety and criminal law enforcement but particularly for national security intelligence, are typically of an anecdotal nature rather than careful analyses of the circumstances. The effectiveness of ANPR in these cases is highly questionable, and it can be confidently anticipated that the proponents of the technology will do everything they can to avoid careful analysis being undertaken.
The use of ANPR for 'national security' purposes is utterly speculative, and essentially without foundation. The national security agencies can be expected to continue the arrogant behaviour that they have shown since 12 September 2001, to make unjustified assertions of the necessity of unfettered use of ANPR-based mass surveillance to prevent the next terrorist attack, and to insist on providing their evidence in camera, or on providing no evidence at all to support their assertions.
The storage of ANPR data, which is intrinsic to the conventional architectures and products being sold and deployed, is destructive not merely of privacy, but of civil liberties more generally, of the human right of freedom of movement, and of the democratic freedoms that law enforcement agencies are meant to be protecting.
[CONSIDER HERE WHETHER A CLASSIFICATION SCHEME IS ALREADY EMERGENT]
Since the 1970s, privacy has been a considerable subject of conversation and analysis. Many laws have been passed, and in some countries successive generations of amendments and replacement laws have been enacted. It might be expected that these laws would provide protection against location and tracking technologies.
On the other hand, privacy laws suffer the following deficiencies:
In short, existing laws, worldwide, are permissive of all manner of policies and practices that business and government find convenient, are permissive of information technologies, and are not adaptive. The march of location and tracking technologies is hardly hindered at all by existing laws. And, to the extent that individual countries from time to time consider enhancing their limited and hopelessly outdated laws, the combined lobbying powers of government agencies and the private sector ensure that minimal change occurs.
During the last couple of decades, a range of location and tracking technologies have exploded onto the scene. They have extraordinary and highly negative implications for privacy, and for civil liberties and political freedoms more generally. Contrary to people's expectations, they are subject to almost no meaningful privacy controls. The current circumstances are highly threatening to individualism and to the kinds of society and economy that have been regarded as the norm in European and European-derived countries.
To an organisation that seeks to exercise control over a society, a person is a threat depending on who they associate with, and the concept of personal associations is readily modelled based on where the person has been, and who else has been there. Hence 'You Are Where You've Been'. Location and tracking technologies that can distinguish individuals provide authoritarian organisations, whether of the public or private sector, with the capacity to distinguish those members of a society who represent potential threats, and exercise control over them.
The information technologies that have been developed since 1950 share a key characteristic with elephants: they don't know how to forget. Information technologies need to be taught how to forget, and very quickly.
Clarke R. (1988) 'Information Technology and Dataveillance' Commun. ACM 31,5 (May 1988) 498-512, at http://www.rogerclarke.com/DV/CACM88.html
Clarke R. (1994) 'Human Identification in Information Systems: Management Challenges and Public Policy Issues' Information Technology & People 7,4 (December 1994) 6-37, at http://www.rogerclarke.com/DV/HumanID.html
Clarke R. (1999a) 'Person-Location and Person-Tracking: Technologies, Risks and Policy Implications' Proc. 21st Int'l Conf. on Privacy and Personal Data Protection, pp.131-150, Hong Kong, 13-15 September 1999. Revised version in Information Technology & People 14, 2 (Summer 2001) 206-231, at http://www.rogerclarke.com/DV/PLT.html
Clarke R. (1999b) 'Relevant Characteristics of Person-Location and Person-Tracking Technologies' A separately-published Appendix to Clarke (1999a), Xamax Consultancy Pty Ltd, Canberra, October 1999, at http://www.rogerclarke.com/DV/PLTApp.html
Clarke R. (2001) 'Authentication: A Sufficiently Rich Model to Enable e-Business' Xamax Consultancy Pty Ltd, December 2001, at http://www.rogerclarke.com/EC/AuthModel.html
Clarke R. (2004) 'Identification and Authentication Fundamentals' Xamax Consultancy Pty Ltd, May 2004, at http://www.rogerclarke.com/DV/IdAuthFundas.html
Clarke (2005) 'Human-Artefact Hybridisation: Forms and Consequences' Proc. Ars Electronica 2005 Symposium on Hybrid - Living in Paradox, Linz, Austria, 2-3 September 2005, at http://www.rogerclarke.com/SOS/HAH0505.html
Clarke R. (2006) 'What's 'Privacy'?' Prepared for a Workshop at the Australian Law Reform Commission on 28 July 2006, at http://www.rogerclarke.com/DV/Privacy.html
Clarke R. (2007) 'What 'Überveillance' Is, and What To Do About It' Invited Keynote, Proc. 2nd RNSA Workshop on the Social Implications of National Security', 20 October 2007, University of Wollongong, at http://www.rogerclarke.com/DV/RNSA07.html
Clarke R. (2008) 'Dissidentity' Xamax Consultancy Pty Ltd, Canberra, March 2008, at http://www.rogerclarke.com/DV/Dissidentity.html
Roger Clarke is Principal of Xamax Consultancy Pty Ltd, Canberra. He is also a Visiting Professor in the Cyberspace Law & Policy Centre at the University of N.S.W., a Visiting Professor in the E-Commerce Programme at the University of Hong Kong, and a Visiting Professor in the Department of Computer Science at the Australian National University.
The content and infrastructure for these community service pages are provided by Roger Clarke through his consultancy company, Xamax.
From the site's beginnings in August 1994 until February 2009, the infrastructure was provided by the Australian National University. During that time, the site accumulated close to 30 million hits. It passed 50 million in early 2015.
Sponsored by Bunhybee Grasslands, the extended Clarke Family, Knights of the Spatchcock and their drummer
Xamax Consultancy Pty Ltd
ACN: 002 360 456
78 Sidaway St, Chapman ACT 2611 AUSTRALIA
Tel: +61 2 6288 6916
Created: 23 February 2008 - Last Amended: 17 July 2008 by Roger Clarke - Site Last Verified: 15 February 2009
This document is at www.rogerclarke.com/DV/YAWYB-CWP-2008.html