10. Identification, '-nymity' and ID cards
Graham Greenleaf, revised 7 April 2002
Individuals inhabit record keeping systems (including those in
cyberspace) not physically but 'virtually' - but how do they do so? The links
between the virtual and the physical selves are formed by processes we can
describe generally as 'identification'.
This Reading Guide provides a variety of perspectives on identification systems
and their privacy implications, with particular reference to multi-purpose ID
is important in numerous ways, all of which lead to new possibilities (or
questions) in relation to their application to cyberspace:
are three main methods by which we identify ourselves in our transactions /
interactions with others:
- Identification by others - identity and personality - As Clarke
says, for information systems, 'human identification is the association of
data with a particular human being'. We identify ourselves to the rest of the
world through individual occasions and transactions that are associated with
us as individuals. Question: how is such identification effective in
cyberspace? Through various accumulations of identified transactions we
exhibit a 'personality' (or more than one) to the world. Question: how do we
get 'digital personalities'?
- Identity and self-identification - Our own sense of identity is
very closely tied to how others identify us, and that depends in part on what
we let others know about us. Question: how do we control access to information
about our digital personalities?
- Identification and legal liabilities - How do legal consequences
attach to physical people when the actions to which responsibilities attach are
only associated with 'virtual' persons? One answer to this is the development
of digital signatures, but there will be many transactions where these will not
be available or appropriate, so other answers will be required.
In fact, most identifiers are a combination of two or more
of these. Clarke includes
ways organisations identify us in record systems - names, codes etc - but
these are principally combinations of the above methods.
- tokens - what we have (ID cards etc).
- knowledge - what we know (passwords, PIN etc)
- biometrics - what we are (physical or behavioural - fingerprints,
A key organisational challenge of bureaucracies is to recognise individuals
over distance and time without recourse to human memory. Identification in
cyberspace intensifies the challenge because it removes any physical
settings/proximity for ID, and often requires real-time responses.
Clarke details how identification is always a problematic exercise because
organisations are rarely willing to require production of IDs which satisfy all
of the 'desirable characteristics' he identifies, usually because of (i)
transaction costs or (ii) social acceptability. Question: will perfect
identification in cyberspace be possible or acceptable? This is a key
question for the operation of all laws in cyberspace.
Most documentary ID schemes depend on the integrity of 'seed documents' (eg Tax
File Number, passport). Therefore, any ID scheme is as weak as its weakest
seed document, and this is equally so in cyberspace. For example, the digital
signatures issued by Certification Authorities will only be as good as the
documentary evidence by which the CA is convinced that the person requesting a
digital signature (or requesting its revocation) is in fact who they purport to
In future, the verification elements of ID schemes are increasingly likely to
include an element of biometric identification.
See Roger Clarke
and Privacy (2001) for an overview of how biometrics work in identification
systems, and some aspects of their regulation.
Smart cards will increasingly provide a bridge between physical and virtual
identity. Inclusion of digital biometric identifiers (to guarantee security /
access to networks), coupled with digital signatures (to provide authentication
of messages transmitted) is one of the likely methods, to provide
authentication equivalent to 'the physical possessor of this card/token IS the
person whose biometric identifier is recorded hereon IS the person whose
digital signature authenticates this message' (and has the cash on the card to
ID: Promise and Peril (International Conference on Privacy, Montreal,
September 1997) provides an extensive discussion of the issues.
- the cyberspace / meatspace interface' contains a brief statement of how
cyberspace changes the nature of the problem.
Methods by which we identify ourselves in cyberspace
Methods by which others find
us on the internet are logically and functionally distinct from the methods by
which we verify our identity. How others find us raises primarily privacy
issues (discussed in a later topic), but the main methods are:
- Account details - In order to access many resources on the
internet we identify ourselves with usernames and passwords (which may be
collective, such as for this class's `restricted' resources, or individual
such as your Unipass).
- Addresses - We often identify ourselves in cyberspace by personal
addresses (such as an e-mail address) and machine addresses (such as the IP
address or domain name of the machine we customarily use). One of the main
problems with these means of identification is the ease of impersonation -
`spoofing' of the address that an e-mail comes from, or a http: request comes
- Digital signatures - These may become the most reliable and
standard way of verification of our identities in cyberspace, but are unlikely
to be used in all situations.
- Chip-based identifiers - In the short term, chip-based identifiers,
carried on smart cards and other physical tokens, and probably coupled with the
use of a PIN to prevent misuse, are likely to be one of the main bridges
between our physical and virtual identities.
Identification in Information Systems: Management Challenges and Public Policy
Issues" (1994) Clarke points out that there is a presumption of a need for
identification in many transactions when it is not needed; and that the need
for identification is one element of choice in the design of social
institutions (eg if a tax rate changes with an accumulation of transactions,
the parties must be identified - otherwise only the transaction needs to be
- Internet search engines (Alta Vista etc) exist to enable us to
find information on the internet, but one of their main de facto uses is to
assist us to find people, by finding Usenet postings from them, web pages by
them etc. See G Greenleaf
engines, robots and internet indexes' for a discussion of some of the
privacy issues that this raises.
- Directories of people - X500 Directories attempt to provide
official identification details of internet users structured by organisations -
with each organisation responsible for its own X500 directory. There are also
now many web sites that compete in attempting to accumulate people's email
addresses from all over the internet, assembling them into internet `White
Pages' (usually without the consent of the individuals concerned).
In practice, some cyberspace devices share elements of
both - an 'anonymous remailer' may make senders appear anonymous to recipients,
but the server may retain a key to the identity of who sent messages.
- Anonymity - identity of one [or more] party(s) is not known to the
others, and there is no way of establishing it;
- Pseudonymity - party(s) identified by a code, so that others can
initiate contact with them, but have no means of linking that code to a
particular person.
The challenge to both system designers and regulators is to allow anonymous /
pseudonymous transactions where appropriate.
Other papers by Clarke on this topic:
is principally a US development as yet.
Identification, Authentication and Anonymity in a Legal Context', Proc.
IFIP User Identification & Privacy Protection Conference, Stockholm, June
1999, (primary author A. Smith). Republished in Computer Law & Security
Report 16, 2 (March/April 2000) CLSR 95-101
'Anonymous, Pseudonymous and Identified Transactions: The Spectrum of
Choice', Proc. IFIP User Identification & Privacy Protection
Conference, Stockholm, June 1999,
- Roger Clarke
scope for transaction anonymity and pseudonymity' (Computers, Freedom
& Privacy Conference, 1995) summarises the antisocial and the valuable uses
of anonymity; identifies this as one of the key social choices to be made in
building the future: how much anonymity will be allowed?; how much can be
Michael Froomkin in
and Its Enmities' 1995 J. ONLINE L. art. 4 - Froomkin provides an
extensive American perspective on all aspects of anonymity, particularly the
implications for cyberspace of a 1995 US Supreme Court case. (HTML is
defective - suggest you download Word 6 version instead).
Although it is about political pamphlets rather than about cyberspace,
v Ohio Elections Commission (1995) reaffirmed the right of anonymous
political speech (traced back to the anonymous signatories of the Declaration
of Independence), and is likely to be significant in future (the Court's
summary of its opinion is short and well worth reading).
Roger Clarke in
Digital Persona and its Application to Data Surveillance' The Information
Society (March 1994) (abstract only) states 'the digital persona is a model of
an individual's public personality based on data and maintained by
transactions, and intended for use as a proxy for the individual'.
We can usefully distinguish active and passive digital personae:
following notes on Karnow are by Lee Bygrave]
- Passive digital personae - profiling and searching - Passive
digital personae are simply the representation of an individual by the
cumulation of details of transactions concerning that individual (one usage of
'profiling'). As people spend more time on the net, the persona becomes more
rich and revealing.
- Active digital personae - filters, knowledge agents, 'knowbots' etc
- These are processes which work on behalf of a user, actively affecting what
information the user receives or discloses (for example, filters rejecting or
classifying incoming mail, or sending automated replies; 'knowbots' regularly
trawling for information that the user wants).
Curtis Karnow takes the notion of the 'digital persona' from a descriptive one
to one about rights. See Curtis Karnow ("The Encrypted Self: Fleshing out the
Rights of Electronic Personalities" (1994) XIII The John Marshall Journal of
Computer & Information Law, No 1, 1-16 - unfortunately not available
online. The same article is also included in Karnow, Future Codes: Essays in
Advanced Computer Technology and the Law (Boston/London, 1997), Chapter 10.
A condensed and simplified version of the article is found in Karnow, "The
Electronic Persona: A New Legal Identity" (1994) 2 Virtual Reality World,
Jan-Feb, 37-40 - also not available online).
Karnow argues in favour of creating a new legal fiction, which he terms the
"electronic personality", or "eper" for short. The "eper" is found in, and a
product of, computerised intercourse or "cyberspace" [which K never defines;
indeed the world in which the "eper" allegedly resides remains rather shadowy
in K's analysis. Sometimes he refers to "electronic space" (8); other times to
the "virtual world" (6). It could be claimed that K exaggerates the extent to
which this vaguely defined world impinges on the average person's life. K is
from California! LB].
Elaborating on the character of epers, K writes: "An eper is a [computer]
program.[...] Currently, there are a host of program-like entities that suggest
epers. For example, we have software "agents" and "experts" in spreadsheet
programs made by Borland and Microsoft that assist the user. Even closer, note
the recent announcement of "intelligent" agents made by General Magic. These,
once released into the telecommunications net, would execute tasks on behalf of
their humans, interact with other agents to conduct business on behalf of the
human originator, and report back." (9: note 35)
As for the central functions of epers, these are "simultaneously to (i)
provide access to a new means of communal or economic interaction, and (ii)
shield the physical, individual human being from certain types of liability or
For K, the basic legal issue raised by epers "is not whether epers (or humans
or corporations) can be thought of as transient - they can, of course. The
issue is whether persistence can be established in some legally relevant
fashion. The answer is in the affirmative." (11)
At the same time, K cautions that epers should not be treated as fully
autonomous (legal) entities; they are essentially agents for (and presumably
owned by) human beings.
K argues that epers should be given at least three basic rights:
K claims that the last of
these rights is the least needed by epers. The most important is rather that of
privacy. "[E]pers are most useful when we need to communicate but still need a
shield: when we want to maintain intact the ramified divisions of our social
and economic lives. For privacy is not truly a matter of an absolute barricade;
it is instead inhibiting the spillover of information from one place to
- (i) "privacy" or "the right to decline to produce information aside from
key identification materials: ie they must be allowed to act as a shield for
the originating human's privacy. To do this, epers need to be able to own money
and bank accounts, and they need to have access to credit." (12)
- (ii) "the right to be free of discrimination, to be able freely to conduct
social and economic business" (13)
- (iii) "free speech" or "the right to communicate; to move about in
electronic space and to post messages" (13).
"Epers can provide the anonymity that this compelled exposure would
"[O]ffended by uncontrolled disclosures, we do think that we, our selves, are
at risk when these data are spread around. We do lose ourselves in an
electronic sea, this sensuous, potent and overwhelming barrage of input and
image; and we lose a strong sense of the inviolate, central self as we conflate
self with data about our selves. Let us instead confer these attributes of mass
market identity on our public personae, on our epers and other conspicuous
incarnations, and so reclaim our distinct, and truly private, selves."
[K has a tendency to wax lyrical in a way that s/times blurs the clarity of his
message. I am not exactly sure what he means when he advocates privacy rights
for epers: does he mean that epers themselves should be protected from having
to disclose information about themselves, or does he mean that the link between
epers and the physical humans on whose behalf they operate should be kept
secret, such that the identity of these human principals is also kept secret?
Perhaps the two alternatives here are the same ... LB]
K's advocacy of legal rights for epers is qualified by the following conditions
(or the courts will ignore the legal fiction):
(I think he is
assuming that the `eper' would be created by some form of encryption. What he
is saying is not all that different from an anonymous or pseudonymous digital
signature issued by a Certification Authority (`formalities of formation'). For
a Court to `go behind' the legal fiction in the case of fraud would require at
the minimum for a Court to be able to obtain the identity of a pseudonymous
digital signature from the CA that created it. Some PKI models enable the
creation of pseudonymous signatures, others do not - it is an important point
of distinction. (GG))
- that the formation of epers conform with certain legal standards; and
- that epers not be used for fraudulent purposes.
How sensible are these suggestions? Would the limited liability corporation
have seemed a crazy notion in the seventeenth century? It is likely that
cyberspace will produce its own distinct forms of legal personality. Will they
resemble Karnow's epers?
It is instructive to compare K's claims about "epers" with the following
observations by Nicholas Negroponte in Being Digital (London, 1995). N
writes about "digital butlers", "digital sisters-in-law", and "interface
agents" (149ff). These "possess a body of knowledge about something (a process,
a field of interest, a way of doing) and about you in relation to that
something (your taste, your inclinations, your acquaintances)." (151) They are
a type of artificial intelligence (AI). Negroponte makes it clear that such
agents will carry information about their human principals; indeed, they must
do so, if they are to be of use to humans. In Negroponte's words: "the concept
of 'agent' embodied in humans helping humans is often one where expertise
is...mixed with knowledge of you. A good travel agent blends knowledge about
hotels and restaurants with knowledge about you (which often is culled from
what you thought about other hotels and restaurants).[...] Now imagine a
telephone-answering agent, a news agent, or an electronic-mail-managing agent.
What they all have in common is the ability to model you." (155;
emphasis added) Negroponte writes also that we are entering into an age of
"true personalization" that is beyond "demographics" and statistical analysis.
This age is characterised by machines' growing acquaintance with human beings
as individuals. It is about "machines' understanding individuals with the same
degree of subtlety (or more than) we can expect from other human beings,
including idiosyncrasies (like always wearing a blue-striped shirt) and totally
random events, good and bad, in the unfolding narrative of our lives. All of
these are based on a model of you as an individual, not as part of a group who
might buy a certain brand of soapsuds or toothpaste." (165) [N's remarks are
interesting because they highlight the importance of knowledge about human
beings, and therefore the importance of gaining access to such knowledge, and
thus, indirectly, the importance of regulating such access. LB]
Negroponte also makes the point that the way in which agents will function will
be decentralised: "Interface agentry will become decentralized in the same way
as information and organizations. Like an army commander sending a scout ahead
or a sheriff sending out a posse, you will dispatch agents to collect
information on your behalf. Agents will dispatch agents. The process
Reading Guide 5.8. Anonymity principles
- It's always a database as well, not just a card
- Multi-purpose cards are inherently dangerous
- Cancellation of multiple rights - `outlawing'
- Risks of identity theft may be higher
- Aggregation of separate personal data
- `Function creep' is likely - no inherent limits
- ID card + chip + digital signature (DigSig) may become a `cyberspace
- uses may become compulsory (by law or de facto)
- The long-term dangers of repressive use
10.4.3. Hong Kong
Hong Kong's SMARTICS ID smart card, to operate from mid-2003, will be one of
the most ambitious ID card systems in the world (a multi-purpose smart card,
with no defined limit to its uses, and potentially with digital signature
attached), and therefore one with very great potential dangers to privacy.
PCO Code of Practice:
Summary from the government statement
Digital 21: 2001 HK Digital 21 Strategy: Key Result Area 5 :
- What are the dangers / abuses of the existing ID card?
- What dangers does the smart ID card pose above and beyond the existing ID
- Are the steps proposed by the Administration to prevent abuses of the
smart ID card sufficient to deal with possible abuses? What further steps could
/ should be taken?
- What changes to legislation does the introduction of the smart ID card
require if privacy is to be adequately protected?
"We will replace the existing Hong Kong citizens' identity cards
with a new generation of 'smart' identity cards from 2003 onwards. This will
cover a population of around seven million people. The identity card
replacement exercise presents us with a unique opportunity to capitalise on the
use of smart card technology for developing a user-friendly platform to
provide more efficient, better quality and value-added services to the
community. We have proposed that the new identity card should take the form
of a multi-application smart card with capacity to support different types of
applications. This will be a significant step forward in enhancing our
overall information infrastructure and achieving our aim to position Hong
Kong as a leading digital city. It will also facilitate the adoption of
e-business in the community. We are conducting feasibility studies to
examine how smart card technology can be used to provide additional
value-added functions through the new identity cards. We will carry out public
consultation on whether these functions should be adopted. We will also
adopt comprehensive measures to ensure that the smart identity cards are
secure and to address privacy and personal data protection. We target to
roll out the new smart identity cards with multi-application capacity starting
Slides on Legal/technical protection of Internet privacy (go to slide 'The
HK `smart' ID card')
these documents are important. Read as many as you can.
US does not have a national ID card.
- ITBB LegCo Panels briefing
Applications for Incorporation into the Smart ID Card (20 Dec 2001) and
slide show ; some points to note -
- Digital signature - At this stage, only HK Post's e-Cert can be
included on the ID card; digital signatures from other recognised CAs cannot be
included, though this is said to be 'under continuous review'.
- Driver's licence - Details will only be held on the Transport
Department's back-end computer system, not on the card, and Police will use the
ID number to interrogate the computer online to verify licence details.
However 'many thousands of people' will still need to obtain a physical
driver's licence in order to prove to others that they have one (car hire
firms, employers, foreign driving etc). ITBB claims that, since no data is
being held on the card, this change is 'voluntary'. You will in fact have
to opt-out of having only a driver's licence held on the TD computer, by
requesting a physical one as well.
- Library card - Will be 'voluntary' in that 'library users will
have the option to be issued with plastic library cards' - again, seems
they will have to opt-out of only using the ID card as a borrowing card. (Is
any online checking involved here? Will LCSD do online checks using ID number?
Will the ID card be used to enter libraries and borrow books by being swiped
- Change of address - Requires use of HK Post E-cert.
- Legislative amendments for added functions - Will only be required
(by addition to Schedule in ROP Ordinance) if they 'require the storage of
additional data in the chip or printing of additional information on the card
surface'. E-cert will require this. Neither driver's licence nor
library card applications require Schedule, but allowance of ID card as
library card requires change to the Libraries Regulations and changes to
traffic Ordinances are needed, but only to remove the need to carry a physical
- Thumbprints on card will only be a template [Annex] - but does RPO
guarantee that?; no indication as to who is allowed to use it to 'authenticate
the card['s] identity holder to prevent identity theft' (ImmD only?).
- Individual Departments involved will maintain their own databases
Registration of Persons (Amendment) Bill 2001
Bills Committees page
Brief on Registration of Persons (Amendment) Bill 2001
Council Brief on Hong Kong Special Administrative Region Identity Card, 18
October 2000; issued by the Security Bureau - This is the base document
providing a public explanation and justification for the smart ID card
- HK LegCo Panel on Security
Papers on the HKSAR Identity Card Project - links to government papers and
- Administration's information paper
Identity Card Project - Initial Privacy Assessment Report" Feb 2001
(presented to LegCo Panel on Security)
- Administration's paper on
"HKSAR Identity Card Project-Initial View on Legislative Amendments" Nov
2000 (presented to LegCo Panel on Security)
- Administration's paper
"Progress of the HKSAR Identity Card Project-Privacy Issues" Nov 2000
(presented to LegCo Panel on Security); The paper concludes "More Privacy
Impact Assessments will be conducted at different stages of the project from
the planning stage to the post implementation stage. The Privacy Commissioner
will be informed of the findings of each assessment and his views will be taken
into account as data protection measures are formulated or upgraded. The
relevant laws will be observed at all times. This will guarantee that adequate
privacy safeguards are in place."
Submission from the Office of the Privacy Commissioner for Personal Data 8
November 2000 (presented to LegCo Panel on Security)
is also relatively unusual in not having a national ID card, following the
defeat of the 'Australia Card' proposal in the 1980s.
ID card pages - One of the most current resources for US developments. EPIC
opposes an ID card for the US.
Why was the Australia Card defeated? Does it make any difference?
It is a decade since the defeat of the `Australia Card' proposals in late
1987, which led directly to the political compromise
of the Tax File Number (and thereby, a few years later, the Commonwealth's mass
data matching scheme) and the Privacy Act 1988 in the following year.
The defeat of the Australia Card is still the most important object lesson in
Australia in how popular resistance can defeat a mass surveillance proposal -
but the story was always far more complex than that. A decade later, we can
still ask `have governments and the private sector achieved everything they
hoped for from the Australia Card, and more, by more subtle means?' - and we do
in fact ask it in the
Question `Who needs the Australia Card?'.
Here are some articles, written at the time, which chart the rise, meaning, and
demise of the Australia Card:
following articles and papers track (in roughly historical order) the
history of the expanding use of the Tax File Number into the Commonwealth's
data-matching system (under the
Program (Assistance And Tax) Act 1990 (Cth), and otherwise), one of the
world's more extensive mass surveillance systems.
- Why was it dangerous? - see Graham Greenleaf
Australia Card: towards a national surveillance system' (Law Society
Journal (NSW) Vol 25 No9, October 1987). This is a long article analysing the
Australia Card Bill 1986 and its implications, but the scheme is summarised in
- What killed the Ozcard? - for one version of the complex story of the
Card's demise, see Graham Greenleaf
from the Australia Card - deux ex machina ? The Computer Law and
Security Report, Vol 3 No 6, March/April 1988, pg6.
- For another view, see Roger Clarke
Another Piece of Plastic for Your Wallet: The Australia Card
Prometheus, 5,1 June 1987 Republished in Computers &
Society 18,1 (January 1988), with an Addendum in Computers &
Society 18,3 (July 1988) - This article covers the whole story.
- Roger Clarke
Tax File Number Scheme: Case Study of Political Assurances and Function Creep'
Policy, 1991 - Documents the numerous ways in which promises about
the limited use which would be made of the Tax File Number were broken. New
variation on the old themes of `how far can you trust politicians' and `it's the
thin end of the wedge'.
- G Greenleaf
the data matching epidemic be controlled?' (1991) 65 ALJ 220-23 (reprinted
in vol 7 Computer Law and Security Report, 1989 15-17) - mainly about
the mechanics (and some dangers) of the Data-matching legislation.
- Roger Clarke
sad tale of the parallel data matching program' (1994) 1 PLPR 8; Clarke
claims DSS had the scheme approved by Cabinet and Parliament on the basis of
fraudulent estimates; The actual gains are at best 10% of the estimates ($30M
for DSS) and at worst (Clarke's analysis) a net loss; About 12,000 people get
an intimidating 'show cause' letter each year without it turning out that any
action is taken (action in 1,500 cases); It involves 6-9 runs x 10 million
attempted matches per year. Basically, Clarke argues that other means of
enforcement which are less privacy invasive of those not involved in fraud,
would give at least as good a result.
- Roger Clarke - review of the Australian National Audit Office
Audit - Department of Social Security - Data matching' (1993) 1 PLPR 12; ANAO
found that data matching did not outperform random selection drawn from
specific client groups re cancellations and downward reviews.
- Tim Dixon
`Data-matching programs reviewed' (1995) 2 PLPR 13; concludes that the 4th
set of reports (1993-94) 'confirms trends identified in Clarke's analysis';
DSS seems to claim $63M net gain (previous estimate only 21.1M!), but other
agencies claim to have made virtually nothing or lost money (ATO);
the cost/direct benefit ratio is falling - will be 1/2
in 97-98, but DSS claims an estimated $90M extra recouped through 'voluntary
- G Greenleaf
matching in Australia - the facts' (1995) 2 PLPR 114 (Review of
Privacy Commissioner (Cth) Regulation of Data-matching in Commonwealth
Administration (Report to the Attorney-General) September 1994 ). This Report
surveyed data matching by Commonwealth agencies other than that
regulated under the data matching legislation. The Commissioner recommended to
the Attorney-General that the Privacy Act be amended to include uniform
controls for all data-matching.
- Despite the findings of the above Report in 1994, there is now
significant data matching between Commonwealth agencies and the private sector
and State agencies - federal tax and welfare agencies routinely access major
databases, such as those of employers and higher education institutions to
match against their own client lists. No such legislation as recommended in the
above report has been enacted.
Guidelines on data matching issued by the Federal Privacy Commissioner are
available. The Federal Privacy Commissioner Annual Reports since 1991 contain
considerable information about the extent of data matching both under the
statutory scheme and other data matching (see for example
1999-2000 Annual Report).