Certainty of Identity: A Fundamental Misconception, and a Fundamental Threat to Security

Roger Clarke

Principal, Xamax Consultancy Pty Ltd, Canberra

Visiting Fellow, Department of Computer Science, Australian National University

Version of 13 July 2001

© Xamax Consultancy Pty Ltd, 2001

This document was prepared in support of a presentation to a seminar on eSecurity and eCrime, run by the UNSW Continuing Legal Education Programme, Sydney, 19-20 July 2001

Republished in Privacy Law & Policy Reporter 8, 3 (September 2001) 63-65, 68

This document is at http://www.anu.edu.au/people/Roger.Clarke/DV/IdCertainty.html


Abstract

Human identification is the lynchpin of the burgeoning technologies that enable data surveillance. Ignorance is rife, about the nature of identification and identity authentication, and about anonymity and pseudonymity. Yet more disturbing is the ignorance within the national security and law enforcement communities of the dramatic impact of these technologies on civil freedoms and democracy. The notion of 'certainty of identity' is a highly dangerous nonsense.


Introduction

The title of this session, 'Certainty of Identity', was presumably intended to be provocative. But unfortunately it reflects very nicely the simplistic perceptions that are evident within the agencies of social control and among the technology providers that sell to them. This brief paper argues that certainty of identity is an extraordinarily dangerous notion, which represents a far greater threat to society than the evils that security technologies are supposed to combat.

The paper surveys the technologies of surveillance, and shows how identity is central to them. It presents key concepts relating to identity and identification, and juxtaposes the alternatives of anonymity and pseudonymity. It identifies inappropriate presumptions that are commonly made by staff in national security and law enforcement agencies. It concludes that these agencies, and the attitudes rife in them, are among the most serious threats to society.

The paper is brief, but provides access to a substantial literature.


The Technologies of Surveillance

Visual and electronic surveillance have been complemented, and are increasingly being supplanted, by surveillance of individuals and populations through the copious data trails that are generated about their activities.

Mass dataveillance provides an efficient means of monitoring large numbers of people in order to generate suspicion about specific individuals and select them for closer attention. Larger numbers than ever before can be subjected to more intensive personal dataveillance, because the techniques are largely automated.

Key technologies of surveillance include the following:


Identity and Identity Authentication

Surveillance technologies depend upon mechanisms for the identification of human beings. This is a remarkably poorly understood topic. One frequently overlooked facet is that individual entities of all kinds, including people, have multiple identities, rather than just one.

Conventional identifiers such as names and codes are associated with identities rather than with entities. Law and practice in civilised countries recognises this, and permits the use of multiple identities. Sanctions are applied where individuals perform significantly anti-social actions, including those that depend upon multiple identities; but the use of multiple identities per se is in few cases itself an offence. Naturally, criminals use the scope provided by this freedom to adopt multiple identities as a means of avoiding retribution. This is just another of the many tensions that exist between the needs for freedom and for control over criminal behaviour.

Some identifiers are capable of reaching behind the identity and recognising the entity itself. These are termed biometrics, because they measure some feature of the individual, or of the individual's behaviour.

Identification is the process whereby an identifier is acquired, and an association achieved between an identity and information stored in a database. Identity authentication is the further process whereby a sufficient degree of confidence is established that the identification process has delivered a correct result. Identity authentication can be performed by collecting multiple identifiers, acquiring knowledge that only the right individual is expected to have, or inspecting tokens that only the individual is expected to possess.

The concept of 'certainty of identity' is a forlorn hope. All identification and authentication techniques are subject to error. In addition to accidental errors, all are capable of being circumvented with varying degrees of ease. False inclusions arise, including successful masquerades; and the tighter that the tolerances are set, the greater is the frequency of false exclusions. The disbenefits of false exclusion fall on the affected individuals; and the less easily compromised techniques impose mightily on the people who are subjected to them.
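The trade-off between false inclusions and false exclusions can be made concrete with a small sketch. The following is an added example, not part of the original paper; the match scores, the acceptance rule and the function names are constructed for illustration.

```python
# Constructed match scores from a hypothetical comparison technique
# (0 = no resemblance, 1 = identical). Not measurements of any real system.
GENUINE = [0.91, 0.88, 0.95, 0.72, 0.84, 0.67, 0.93, 0.79, 0.58, 0.86]   # right person
IMPOSTOR = [0.12, 0.35, 0.41, 0.28, 0.63, 0.19, 0.52, 0.70, 0.33, 0.47]  # wrong person


def errors_at(threshold):
    """Return (false inclusions, false exclusions) when scores >= threshold are accepted."""
    false_inclusions = sum(score >= threshold for score in IMPOSTOR)
    false_exclusions = sum(score < threshold for score in GENUINE)
    return false_inclusions, false_exclusions


def sweep(thresholds):
    """Tabulate both error counts for each tolerance setting."""
    return [(t, *errors_at(t)) for t in thresholds]


def error_free_threshold():
    """Return a threshold with no errors of either kind, or None if none exists.

    Only the observed genuine scores need testing: if any error-free threshold
    exists, the lowest genuine score is one.
    """
    for t in sorted(GENUINE):
        if errors_at(t) == (0, 0):
            return t
    return None


if __name__ == "__main__":
    print("threshold  false_inclusions  false_exclusions")
    for t, fi, fe in sweep([0.5, 0.6, 0.7, 0.75, 0.9]):
        print(f"{t:9.2f}  {fi:16d}  {fe:16d}")
    print("error-free threshold:", error_free_threshold())
```

Because the best impostor score (0.70) exceeds the worst genuine score (0.58), every threshold admits at least one error; tightening the tolerance only moves the cost from the operator to the people wrongly excluded.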

Rather than the naive concept of 'proof of identity' (POI), the focus needs to be on 'evidence of identity'; and rather than the self-serving military concepts of 'absolute security' and 'absolute trust', the real world is about the management of risk and the balancing of competing interests.


Nymity

A lot of discussion about security makes the blithe presumption that it is normal for transactions to be identified. The presumption is false. A great deal of human activity has always been conducted anonymously. Common examples include:

The contemporary trend towards authoritarianism, aided by technological developments, has been rapidly undermining anonymity, through demands for identification in all manner of circumstances, and the creation of new data trails that can be mined.

Many kinds of people resent demands for identification, and seek ways of obscuring their identities and selves. Of course, some of these people have criminal intent. Others are intent on undermining the current political system, or are 'scurrilous rumour-mongers'. But there are many other motivations, including:

The kleptomania of government agencies and marketing organisations for identified personal data has stimulated a great deal of constructive behaviour by software developers. Tools to deny information, deny identity, and assure anonymity are readily available, especially in the electronic context, and increasingly popular.

Anonymity compromises accountability, in that it undermines society's ability to impose sanctions on miscreants, and therefore reduces the extent to which fear of retribution curbs disapproved behaviour.

A further form of nymity exists, which has the scope to achieve a balance between personal freedoms and social accountability. Instead of an identifier, what is associated with data is a pseudo-identifier or pseudonym.

In principle, the relationship between the pseudonym and a person is able to be discovered (otherwise it would be anonymous). In practice, however, it may or may not be able to be discovered, because the link is protected by technical, legal and organisational arrangements. For those protections to be circumvented, particular conditions need to be fulfilled, such as the issuing of a search warrant or other form of court order.

There are several mechanisms that can be used to give effect to pseudonymity, including 'identity escrow', escrow of partial identifiers, and 'secret-sharing'. This is not a mere theory, nor a new idea. Longstanding examples exist in such contexts as auctions and financial exchanges, epidemiological research, and the arts.

If the discussion can be moved beyond the trivial level of assuming that 'certainty of identity' is a meaningful concept, then a fuller model of identity, identification and nymity could be used as a basis for designing schemes that achieve suitable balances between security and freedoms.


Contrasting World Views

Against this background, it might be hoped that some serious-minded discussions are in train between the law enforcement community and representatives of the broader community. Tensions exist between law enforcement and other social objectives and values, and enormous care is needed in implementing invasive technologies such as Caller-ID, reverse telephone directories, MOLI, payment mechanisms, road-tolling schemes, ATM and railway-station surveillance, road-traffic surveillance, biometrics and DNA databases.

Regrettably, however, the law enforcement community appears to see no need to compromise its use of such technologies, no need to consult with the community about them, and no risk to their waning public credibility if they proceed in accordance with the technological imperative, and the blandishments of their favoured technology providers.

A serious rift is developing between the hard-headed law-and-order devotees, and the lovers of freedoms and democracy. Here are some presumptions that are conventional among some kinds of people:

  1. National security is all-important. The enemy is at the door. Terrorists are about to unleash a campaign of terror. The sky is falling, the sky is falling;
  2. Law enforcement is all-important. Mankind is born evil, not good. No-one can be trusted, except for law enforcement agency employees. Freedoms must be constrained because they are used by criminals. Property is more important than limb and even life;
  3. Social control is vital. Taxpayers' money must be protected. Welfare recipients are cheats. Taxpayers are cheats. No-one can be trusted. Freedoms must be constrained, except freedom to make money.

Contrast those with the following perceptions that are shared by many people around the world:

  1. In some countries, vast quantities of personal data are inter-changed among government agencies, and coalitions of agencies impose cross-system enforcement in order to achieve their aims;
  2. In some countries, crimes are not restricted to activities that the society as a whole deems to be beyond the bounds, but are also defined to suit the government of the day, government agencies, and/or powerful corporations;
  3. In some countries, elements within law enforcement agencies, often at high levels, are closely linked with organised crime;
  4. In some countries, police kill more people than terrorists do;
  5. In some countries, law enforcement agencies serve the government of the day despite the need to break the law in the process;
  6. In some countries, national security agencies operate independently of the elected government, and in concert with agencies of foreign powers.

We can feel comfortable about statements like those when they are used in relation to, say, Sierra Leone, Indonesia or Russia. What is disturbing is that all are capable of being used in relation to Australia, with degrees of credibility ranging from dubious (5) through highly feasible (2, 3 and 6), to clearly true (1 and 4).


Conclusions

Given the explosion in privacy-invasive technologies, and their blind application, it is difficult not to feel deeply pessimistic about the directions our society is taking. The world is recognising the threats that technologies pose for the survival of the species; but, in the meantime, the survival of society as we know it is under dire threat in a much shorter time-scale.

Dataveillance technologies threaten to dramatically increase the power of the organisations that control their deployment. Power corrupts, and the scale of power that can be delivered by dataveillance technologies will increase the degree of corruption of the organisations that control them. When lists of 'public enemies' are drawn up, national security, law enforcement and social control agencies will need to be not just included, but placed high up on the scale.

Meanwhile, the balance of power in an increasingly globalised world is changing. Transnational and even large national corporations are increasingly above the law, and will impose and enforce law as they wish it to be, and co-opt law enforcement agencies to their own needs. Alliances between government agencies and private sector corporations are still in their infancy. As they become more common and more pervasive, personal data will leak across organisational boundaries, and organisations will cross-leverage their power over individuals.

Pitifully weak data protection laws will not even be able to retard the bushfire of the surveillance society, let alone quench it. Individuals who stand out against the use of power will be increasingly subjected to dataveillance, psychological pressure, and countermeasures.

The technologies of surveillance need to be resisted, not just by criminals but also by people who actually like the ideas of freedom and democracy. Whilever people are capable of contemplating a concept as vacuous as 'certainty of identity', law and order devotees will pursue simple-minded objectives of subjugating society. Nymity services are going to be very big business.


Source Materials

The following are the source materials, researched over the last quarter-century, that underlie the arguments in this paper.

Privacy and Dataveillance

Introductory Papers on Dataveillance and Privacy, at http://www.anu.edu.au/people/Roger.Clarke/DV/Popular.html

Definitions (1997-), at http://www.anu.edu.au/people/Roger.Clarke/DV/Intro.html

The Underlying Theory (1988), at http://www.anu.edu.au/people/Roger.Clarke/DV/CACM88.html

Technologies of Mass Observation (2000), at http://www.anu.edu.au/people/Roger.Clarke/DV/MassObsT.html

While You Were Sleeping ... Surveillance Technologies Arrived (2001), at http://www.anu.edu.au/people/Roger.Clarke/DV/AQ2001.html

The Individual and the State

IT as a Weapon of Authoritarianism or a Tool of Democracy (1994), at http://www.anu.edu.au/people/Roger.Clarke/DV/PaperAuthism.html

Anti-Utopian and Cyberpunk Perspectives on Surveillance

Review (1993), at http://www.anu.edu.au/people/Roger.Clarke/DV/NotesAntiUtopia.html

Identification, Anonymity, Pseudonymity

Human Identification (1994), at http://www.anu.edu.au/people/Roger.Clarke/DV/HumanID.html

Anonymity and Pseudonymity (1999), at http://www.anu.edu.au/people/Roger.Clarke/DV/UIPP99.html

Privacy-Enhancing Technologies (PETs)

Introducing PITs and PETs: Technologies Affecting Privacy (2000), at http://www.anu.edu.au/people/Roger.Clarke/DV/PITsPETs.html

The Technologies (1999), at http://www.anu.edu.au/people/Roger.Clarke/DV/Florham.html#Techno

Resources (1999), at http://www.anu.edu.au/people/Roger.Clarke/DV/PEPST.html

Data Matching

The Technology (1994), at http://www.anu.edu.au/people/Roger.Clarke/DV/MatchIntro.html

The Failure of Cost/Benefit Analysis to Control It (1994), at http://www.anu.edu.au/people/Roger.Clarke/DV/MatchCBA.html

Consumer Marketing / Profiling

The Technology (1993), at http://www.anu.edu.au/people/Roger.Clarke/DV/PaperProfiling.html

Direct Marketing (1998), at http://www.anu.edu.au/people/Roger.Clarke/DV/DirectMkting.html

The PBL/Acxiom Conspiracy (1999), at http://www.anu.edu.au/people/Roger.Clarke/DV/InfoBase99.html

Common Identifiers

The Australia Card Proposal (1987), at http://www.anu.edu.au/people/Roger.Clarke/DV/OzCard.html

The Tax File Number Conspiracy (1991), at http://www.anu.edu.au/people/Roger.Clarke/DV/PaperTFN.html

The Resistible Rise of the National Personal Data System (1992), at http://www.anu.edu.au/people/Roger.Clarke/DV/SLJ.html

The Parallel Data Matching Scheme Manoeuvre (1994), at http://www.anu.edu.au/people/Roger.Clarke/DV/PaperMatchPDMP.html

Chip-Based ID

Smart Card Technical Issues Starter Kit (1998), at http://www.anu.edu.au/people/Roger.Clarke/DV/SCTISK.html

Application of the Technology (1997), at http://www.anu.edu.au/people/Roger.Clarke/DV/IDCards97.html

Design Requirements (1997), at http://www.anu.edu.au/people/Roger.Clarke/DV/IDCards97.html#DesOpt

Person Location and Person Tracking

The Technologies (1999), at http://www.anu.edu.au/people/Roger.Clarke/DV/PLT.html

Intelligent Transportation Systems

Safe-T-Cam, at http://www.rta.nsw.gov.au/frames/safety/c_f.htm?/frames/safety/c1a&/safety/ca_c.htm&Safe-T-Cam&0

Melbourne CityLink's e-Tag, at http://www.transurban.com.au/

MOLI (Your Mobile Phone as the Spy in Your Own Pocket), at http://www.acif.org.au/MOLI/

The Impacts (2000), at http://www.anu.edu.au/people/Roger.Clarke/EC/eTP.html

Internet Tracing

The Digital Persona (1994), at http://www.anu.edu.au/people/Roger.Clarke/DV/DigPersona.html

The Information Infrastructure is a Super Eye-Way (1988), at http://www.anu.edu.au/people/Roger.Clarke/DV/Monitor.html

Basics of Internet Privacy (1996), at http://www.anu.edu.au/people/Roger.Clarke/DV/IPrivacy.html

Developments in Internet Privacy (1998), at http://www.anu.edu.au/people/Roger.Clarke/DV/ICurr9908.html

Digital Signatures and PKI

Privacy Risks in Digital Signature Technology (1997, with G.W. Greenleaf), at http://www.anu.edu.au/people/Roger.Clarke/DV/DigSig.html

Public Key Infrastructure Position Statement (1998), at http://www.anu.edu.au/people/Roger.Clarke/DV/PKIPosn.html

Current Status (2000), at http://www.anu.edu.au/people/Roger.Clarke/DV/PKI2000.html

The Fundamental Inadequacies of Conventional Public Key Infrastructure (2001), at http://www.anu.edu.au/people/Roger.Clarke/II/ECIS2001.html

Biometrics

The Technologies (1994), at http://www.anu.edu.au/people/Roger.Clarke/DV/HumanID.html#Bio

Biometrics and Privacy (2001), at http://www.anu.edu.au/people/Roger.Clarke/DV/Biometrics.html

The 'Fair Information Practices' Placebo

The OECD Data Protection Guidelines (1989), at http://www.anu.edu.au/people/Roger.Clarke/DV/PaperOECD.html

Beyond the OECD Guidelines: Privacy Protection for the 21st Century (2000), at http://www.anu.edu.au/people/Roger.Clarke/DV/PP21C.html

General Resources

Dataveillance and Information Privacy Resource Pages, at http://www.anu.edu.au/people/Roger.Clarke/DV/

Major Electronic Resources on Dataveillance and Privacy, at http://www.anu.edu.au/people/Roger.Clarke/DV/index.html#ERes

Annotated Bibliography of the author's Papers on Dataveillance and Privacy, at http://www.anu.edu.au/people/Roger.Clarke/DV/AnnBibl.html



Created: 13 July 2001

Last Amended: 13 July 2001

