Authentication Technologies and Their Privacy Implications:
Technology and Policy Foundations
- Annotated References

Roger Clarke

Principal, Xamax Consultancy Pty Ltd, Canberra

Visiting Fellow, Department of Computer Science, Australian National University

Annotated References in Support of an invited presentation to the Symposium on 'Authentication Technologies and Their Privacy Implications', run by the Computer Science and Telecommunications Board (CSTB) of the National Academy of Sciences, Dulles Hyatt, Washington DC, 3-4 October 2001

Version of 2 October 2001

© Xamax Consultancy Pty Ltd, 2001

This document is at

Access is also provided to the Abstract, and the slide-set supporting the presentation

This document identifies works underpinning the presentation, in three sections:

Key Works by the Author

Clarke R. (1988) 'Information Technology and Dataveillance' Commun. ACM 31,5 (May 1988) Re-published in C. Dunlop and R. Kling (Eds.), 'Controversies in Computing', Academic Press, 1991. The foundation work on dataveillance, which documents the rapid switch from physical and electronically enhanced monitoring of individuals and populations, to surveillance of people through the data trails that their transactions leave behind them.

Clarke R. (1994) 'Human Identification in Information Systems: Management Challenges and Public Policy Issues' Info. Technology & People 7,4 (December 1994). A foundation work that defines the concepts of identity and identification, outlines the bases on which identification and authentication processes rest, and discusses the risks involved in the use of identification schemes by multiple organisations.

Clarke R. (1994) 'The Digital Persona and its Application to Data Surveillance' The Information Society 10,2 (June 1994). A further foundation work, examining the digital persona or nym as a model of an individual's public personality based on data and maintained by transactions, and intended for use as a proxy for the individual.

Clarke R. (1994) 'Information Technology: Weapon of Authoritarianism or Tool of Democracy?' Proc. World Congress, Int'l Fed. of Info. Processing, Hamburg, September 1994. Contrasts computing based on centralist and authoritarian world views against democratic application of information technologies.

Greenleaf G.W. & Clarke R. (1997) 'Privacy Implications of Digital Signatures' Proc. IBC Conference on Digital Signatures, Sydney, 12 March 1997. A detailed examination of the serious privacy implications of digital signature technologies, including the direct impacts arising in relation to private keys, the threats inherent in public keys, certificates and revocation lists, and the consequential implications of increased expectations of identification, and of applications of chip-cards and biometrics.

Clarke R. (1997) 'Chip-Based ID: Promise and Peril' Proc. Int'l Conf. on Privacy, Montreal, 23-26 September 1997. Analysis of the risks arising from smart-cards applied to identification, paying particular attention to the dramatic threats embodied in multi-purpose and national applications. Proposed a set of design principles for chip-based id schemes.

Clarke R. (1997) 'Public Interests on the Electronic Frontier', Proc. IT Security '97, 14-15 August 1997. Republished in Computers & Law No. 35 (April 1998) pp.15-20. Identifies freedoms demanded by netizens, particularly from surveillance, identification and authentication.

Clarke R., Dempsey G., Ooi C.N. & O'Connor R.F. (1997) 'Technological Aspects of Internet Crime Prevention' Proc. Conf. Austral. Inst. for Criminology on 'Internet Crime', Melbourne University, 16-17 February 1998. Analysis of the extent to which it is feasible to prevent crime on the Internet, including the difficulties involved in attributing messages to a natural or a legal person.

Clarke R. (1998) 'Public Key Infrastructure: Position Statement', May 1998. Declaration of the requirements of PKI that would avoid the seriously negative implications of conventional, hierarchical and authoritarian X.509-based infrastructure, and could earn public acceptance instead of public opposition and ultimate rejection. Formed the basis of demands for a citizen-friendly approach to PKI by Australian governments.

Clarke R. (1999) 'Identified, Anonymous and Pseudonymous Transactions: The Spectrum of Choice' Proc. User Identification & Privacy Protection Conf., Stockholm, 14-15 June 1999. Consolidation and extension of contributions on identification, authentication, anonymity and pseudonymity, drawing attention to the complexities arising in relation to individuals, organisations, and chains of principal-agent relationships.

Clarke R. (1999) 'Person-Location and Person-Tracking: Technologies, Risks and Policy Implications' Proc. 21st International Conf. Privacy and Personal Data Protection, Hong Kong, September 1999. Revised version published in Info. Techno. & People 14, 1 (2001) 206-231. Analysis of the explosion in technologies that enable re-construction of a person's previous whereabouts, the location of individuals, real-time tracking of their current path, and inference of their current intentions. Includes an analysis of the vastness of the threats to individual freedoms, the political economy of the technologies' adoption, and the implications for a wide range of stakeholders.

Clarke R. (2000) 'Privacy Requirements of Public Key Infrastructure' Internet Law Bulletin 3, 1 (April 2000) 2-6. Republished in 'Global Electronic Commerce', published by the World Markets Research Centre in collaboration with the UN/ECE's e-Commerce Forum on 'Electronic Commerce for Transition Economies in the Digital Age', 19-20 June 2000. Brief summary of PKI's privacy implications, together with a statement of the serious inadequacies in the Australian government's handling of the matter.

Clarke R. (2001) 'While You Were Sleeping ... Surveillance Technologies Arrived', Australian Quarterly 73, 1 (January-February 2001) 10-14. A catalogue of the wide array of surveillance tools deployed during the preceding two decades.

Clarke R. (2001) 'The Fundamental Inadequacies of Conventional Public Key Infrastructure' Proc. Conf. ECIS'2001, Bled, Slovenia, 27-29 June 2001. Consolidation of the vast array of deficiencies of conventional X.509-based PKI. Explains the vital need for nyms to be supported, and canvasses alternative approaches to the application of public-key-based digital signature schemes that are less threatening to privacy and freedom.

Clarke R. (2001) 'Biometrics and Privacy', 15 April 2001. An analysis of the nature of biometrics technologies, their uses in identification and authentication, and the serious threats that they embody. Concludes with a draft set of principles for people-friendly application of biometric technologies, and calls for a ban on all uses until a regulatory framework is in place.

Clarke R. (2001) 'Can Digital Signatures and Public Key Infrastructure Be of Any Use in the Health Care Sector ???' Proc. Health Informatics Conference, Canberra, July 2001. Condensed summary of conventional PKI's utter inadequacy, in the particular context of health care.

Clarke R. (2001) 'Certainty of Identity: A Fundamental Misconception, and a Fundamental Threat to Security' Proc. Seminar on eSecurity and eCrime, UNSW Continuing Legal Education Programme, Sydney, 19-20 July 2001. Expresses concern about the ignorance within the national security and law enforcement communities of the dramatic impact on civil freedoms and democracy of the technologies of data surveillance, identification and identity authentication. Draws attention once again to the critical importance of nymity.

Clarke R. (2001) 'Paradise Gained, Paradise Re-lost: How the Internet is being Changed from a Means of Liberation to a Tool of Authoritarianism' Mots Pluriels 18 (August 2001). A review of the dark clouds gathering around the Internet, and the survival prospects of the Internet's scope to support freedoms. Published on 29 August 2001, a mere 314 hours or 13 days before the terrorist strikes on the World Trade Center and the Pentagon.

Clarke R. (2001) 'Trust in the Context of e-Business' Revision of 2 October 2001. An examination of the concept of trust as it arises (or, more commonly, fails to arise) in e-business generally, and in the B2B and B2C segments in particular.

Other Relevant Works by the Author

Clarke R. (1987) 'Just Another Piece of Plastic for Your Wallet: The Australia Card' Prometheus 5,1 June 1987. Republished in Computers & Society 18,1 (January 1988), with an Addendum in Computers & Society 18,3 (July 1988). Chronicles the Australian Government's proposal to introduce a national identification scheme, and its resounding rejection by the Australian public, once the implications came to be understood.

Clarke R. (1992) 'The Resistible Rise of the Australian National Personal Data System' Software L. J. 5,1 (January 1992). Documents subsequent attempts by the Australian government to achieve its aims of consistent identification of citizens and a web of dataveillance to support social control.

Clarke R. (1993) 'Computer Matching and Digital Identity', Proc. Conf. Computers, Freedom & Privacy, San Francisco, March 1993. Initial paper on digital personae and nyms.

Clarke R. (1993) 'Asimov's Laws of Robotics: Implications for Information Technology' In two parts, in IEEE Computer 26,12 (December 1993) 53-61, and 27,1 (January 1994) 57-66. Practical, legal, and ethical implications of Asimov's 'Laws of Robotics' fiction.

Clarke R. (1995) 'When Do They Need to Know 'Whodunnit?': The Justification for Transaction Identification; The Scope for Transaction Anonymity and Pseudonymity' Proc. Conf. Computers, Freedom & Privacy, San Francisco, 31 March 1995. Revised version published as 'Transaction Anonymity and Pseudonymity' Privacy Law & Policy Reporter 2, 5 (June/July 1995) 88-90. Initial paper on anonymity and pseudonymity.

Clarke R. (1996) 'Cryptography in Plain Text', Privacy Law & Policy Reporter 3, 4 (May 1996) 24-27, 30-33. Tutorial paper on cryptography up to and including digital signatures and PKI.

Clarke R. (1997) 'Promises and Threats in Electronic Commerce' 13 August 1997, Notes for an interview by ABC Quantum, which went to air in 'Privacy on Line' on 11 June 1998. Examination of the real nature of trust in the context of the Internet, and the dangers inherent in conventional, naive approaches to authentication.

Clarke R. (1996) 'Identification, Anonymity and Pseudonymity in Consumer Transactions: A Vital Systems Design and Public Policy Issue' Proc. Conf. 'Smart Cards: The Issues', Sydney, 18 October 1996. A further development of the work on anonymity and pseudonymity.

Clarke R. (1998) 'Smart Card Technical Issues Starter Kit', Centrelink, Canberra, April 1998. A resource intended to enable stakeholder groups to get to grips with the technology, and be able to participate in consultations with the social security administration agency in relation to a proposed chip-card for welfare recipients.

Smith A. & Clarke R. (2000) 'Identification, Authentication and Anonymity in a Legal Context', Proc. IFIP User Identification & Privacy Protection Conference, Stockholm, June 1999. Republished in Computer Law & Security Report 16, 2 (March/April 2000) CLSR 95-101. An examination of legal requirements for identification, and legal recognition of anonymity and pseudonymity.

Clarke R. & Nees S. (2000) 'Technological Protections for Digital Copyright Objects' Proc. 8th Euro. Conf. Infor. Sys. (ECIS'2000), July 2000, Vienna Uni. of Economics & Business Administration, pp. 745-752. A study of public key cryptography applied to the protection of machine-readable copyright objects.

Slide-Sets Supporting Relevant Presentations

The following are in PowerPoint 4 format (readable by most slide production and display packages from the mid-1990s onwards):

Indexes to Relevant Works by the Author

Papers on security, cryptography and PKI are indexed at,

Papers on identification, anonymity and pseudonymity are indexed at



Created: 21 September 2001

Last Amended: 2 October 2001

These community service pages are a joint offering of the Australian National University (which provides the infrastructure), and Roger Clarke (who provides the content).
The Australian National University: Visiting Fellow, Faculty of Engineering and Information Technology, Information Sciences Building Room 211

Xamax Consultancy Pty Ltd, ACN: 002 360 456, 78 Sidaway St, Chapman ACT 2611 AUSTRALIA, Tel: +61 2 6288 1472, 6288 6916