[Previous] [Next] [Title]

10. Identification, '-nymity' and ID cards

= required reading

= material added since the date of the class concerning this topic

Graham Greenleaf, revised 7 April 2002


Individuals inhabit record keeping systems (including those in cyberspace) not physically but 'virtually' - but how do they do so? The links between the virtual and the physical selves are formed by processes we can describe generally as 'identification'.

This Reading Guide provides a variety of perspectives on identification systems and their privacy implications, with particular reference to multi-purpose ID card schemes.

10.1. References

10.2. Identification

Identification is important in numerous ways, all of which lead to new possibilities (or questions) in relation to their application to cyberspace:

10.2.1. Methods of identification

Bases for formal identification

There are three main methods by which we identify ourselves in our transactions / interactions with others: In fact, most identifiers are a combination of two or more of these. Clarke includes other ways organisations identify us in record systems - names, codes etc - but these are principally combinations of the above methods.

A key organisational challenge of bureaucracies is to recognise individuals over distance and time without recourse to human memory. Identification in cyberspace intensifies the challenge because it removes any physical settings/proximity for ID, and often requires real-time responses.

Clarke details how identification is always a problematic exercise because organisations are rarely willing to require production of IDs which satisfy all of the 'desirable characteristics' he identifies, usually because of (i) transaction costs or (ii) social acceptability. Question: will perfect identification in cyberspace be possible or acceptable?? This is a key question for the operation of all laws in cyberspace.

Most documentary ID schemes depend on the integrity of 'seed documents' (eg Tax File Number, passport). Therefore, any ID scheme is as weak as its weakest seed document , and his is equally so in cyberspace. For example, the digital signatures issued by Certification Authorities will only be as good as the documentary evidence by which the CA is convinced that the person requesting a digital signature (or requesting its revocation) is in fact who they purport to be.


In future, the verification elements of ID schemes are increasingly likely to include an element of biometric identification.

See Roger Clarke Biometrics and Privacy (2001) for an overview of how biometrics work in identification systems, and some aspects of their regulation.

Smart cards

Smart cards will increasingly provide a bridge between physical and virtual identity. Inclusion of digital biometric identifiers (to guarantee security / access to networks), coupled with digital signatures (to provide authentication of messages transmitted) is one of the likely methods, to provide authentication equivalent to 'the physical possessor of this card/token IS the person whose biometric identifier is recorded hereon IS the person whose digital signature authenticates this message' (and has the cash on the card to boot!).

Roger Clarke Chip-Based ID: Promise and Peril (International Conference on Privacy, Montreal, September 1997) provides an extensive discussion of the issues.

Cyberspace personal identifiers

G Greenleaf 'Identification - the cyberspace / meatspace interface' contains a brief statement of how cyberspace changes the nature of the problem.

Methods by which we identify ourselves in cyberspace

Methods by which others find us on the internet are logically and functionally distinct from the methods by which we verify our identity. How others find us raises primarily privacy issues (discussed in a later topic), but the main methods are:

10.3. Anonymity and pseudonymity

In Roger Clarke Identification in Information Systems: Management Challenges and Public Policy Issues" (1994) Clarke points out that there is a presumption of a need for identification in many transactions when it is not needed; and that the need for identification is one element of choice in the design of social institutions (eg if a tax rate changes with an accumulation of transactions, the parties must be identified - otherwise only the transaction needs to be identified).

Clarke distinguishes:

In practice, some cyberspace devices share elements of both - an 'anonymous remailer' may make senders appear anonymous to recipients, but the server may retain a key to the identity of who sent messages.

The challenge to both system designers and regulators is to allow anonymous / pseudonymous transactions where appropriate.

Other papers by Clarke on this topic:

10.3.1. Constitutional protection of anonymity

This is principally a US development as yet.

Michael Froomkin in 'Anonymity and Its Enmities' 1995 J. ONLINE L. art. 4 - Froomkin provides an extensive American perspective on all aspects of anonymity, particularly the implications for cyberspace of a 1995 US Supreme Court case. (HTML is defective - suggest you download Word 6 version instead).

Although it is about political pamphlets rather than about cyberspace, McIntyre v Ohio Elections Commission (1995) reaffirmed the right of anonymous political speech (traced back to the anonymous signatories of the Declaration of Independence), and is likely to be significant in future (the Court's summary of its opinion is short and well worth reading).

10.3.2. Proxy (anonymous / pseudonymous) digital personas

Roger Clarke in 'The Digital Persona and its Application to Data Surveillance' The Information Society (March 1994) (abstract only) states 'the digital persona is a model of an individual's public personality based on data and maintained by transactions, and intended for use as a proxy for the individual'.

We can usefully distinguish active and passive digital personae:

Curtis Karnow'ss 'E-pers'

[The following notes on Karnow are by Lee Bygrave]

Curtis Carnow takes the notion of the 'digital persona' from a descriptive one to one about rights. See Curtis Karnow ("The Encrypted Self: Fleshing out the Rights of Electronic Personalities" (1994) XIII The John Marshall Journal of Computer & Information Law, No 1, 1-16 - unfortunately not available online. The same article is also included in Karnow, Future Codes: Essays in Advanced Computer Technology and the Law (Boston/London, 1997), Chapter 10. A condensed and simplified version of the article is found in Karnow, "The Electronic Persona: A New Legal Identity" (1994) 2 Virtual Reality World, Jan-Feb, 37-40 - also not available online).

Karnow argues in favour of creating a new legal fiction, which he terms the "electronic personality", or "eper" for short. The "eper" is found in, and a product of, computerised intercourse or "cyberspace" [which K never defines; indeed the world in which the "eper" allegedly resides remains rather shadowy in K's analysis. Sometimes he refers to "electronic space" (8); other times to the "virtual world" (6). It could be claimed that K exaggerates the extent to which this vaguely defined world impinges on the average person's life. K is from California! LB].

Elaborating on the character of epers, K writes: "An eper is a [computer] program.[...] Currently, there are a host of program-like entities that suggest epers. For example, we have software "agents" and "experts" in spreadsheet programs made by Borland and Microsoft that assist the user. Even closer, note the recent announcement of "intelligent" agents made by General Magic. These, once released into the telecommunications net, would execute tasks on behalf of their humans, interact with other agents to conduct business on behalf of the human originator, and report back." (9: note 35)

As for the central functions of epers, these are " simultaneously to (i) provide access to a new means of communal or economic interaction, and (ii) shield the physical, individual human being from certain types of liability or exposure." (4)

For K, the basic legal issue raised by epers "is not whether epers (or humans or corporations) can be thought of as transient - they can, of course. The issue is whether persistence can be established in some legally relevant fashion. The answer is in the affirmative." (11)

At the same time, K cautions that epers should not be treated as fully autonomous (legal) entities; they are essentially agents for (and presumably owned by) human beings.

K argues that epers should be given at least three basic rights:

K claims that the last of these rights is the least needed by epers. The most important is rather that of privacy. "[E]pers are most useful when we need to communicate but still need a shield: when we want to maintain intact the ramified divisions of our social and economic lives. For privacy is not truly a matter of an absolute barricade; it is instead inhibiting the spillover of information from one place to another." (13)

"Epers can provide the anonymity that this compelled exposure would destroy..."

"[O]ffended by uncontrolled disclosures, we do think that we, our selves, are at risk when these data are spread around. We do lose ourselves in an electronic sea, this sensuous, potent and overwhelming barrage of input and image; and we lose a strong sense of the inviolate, central self as we conflate self with data about our selves. Let us instead confer these attributes of mass market identity on our public personae, on our epers and other conspicuous incarnations, and so reclaim our distinct, and truly private, selves." (15-16)

[K has a tendency to wax lyrical in a way that s/times blurs the clarity of his message. I am not exactly sure what he means when he advocates privacy rights for epers: does he mean that epers themselves should be protected from having to disclose information about themselves, or does he mean that the link between epers and the physical humans on whose behalf they operate should be kept secret, such that the identity of these human principals is also kept secret? Perhaps the two alternatives here are the same ... LB]

K's advocacy of legal rights for epers is qualified by the following conditions (or the courts will ignore the legal fiction):

(I think he is assuming that the `eper' would be created by some form of encryption. What he is saying is not all that different from an anonymous or pseudonymous digital signature issued by a Certification Authority (`formalities of formation'). For a Court to `go behind' the legal fiction in the case of fraud would require at the minimum for a Court to be able to obtain the identity of a pseudonymous digital signature from the CA that created it. Some PKI models enable the creation of pseudonymous signatures, others do not - it is an important point of distinction. (GG))

How sensible are these suggestions? Would the limited liability corporation have seemed a crazy notion in the seventeenth century? It is likely that cyberspace will produce its own distinct forms of legal personality. Will they resemble Carnow's epers?

It is instructive to compare K's claims about "epers" with the following observations by Nicholas Negroponte in Being Digital (London, 1995). N writes about "digital butlers", "digital sisters-in-law", and "interface agents" (149ff). These "possess a body of knowledge about something (a process, a field of interest, a way of doing) and about you in relation to that something (your taste, your inclinations, your acquaintances)." (151) They are a type of artificial intelligence (AI). Negroponte makes it clear that such agents will carry information about their human principals; indeed, they must do so, if they are to be of use to humans. In Negroponte's words: "the concept of 'agent' embodied in humans helping humans is often one where expertise is...mixed with knowledge of you. A good travel agent blends knowledge about hotels and restaurants with knowledge about you (which often is culled from what you thought about other hotels and restaurants).[...] Now imagine a telephone-answering agent, a news agent, or an electronic-mail-managing agent. What they all have in common is the ability to model you." (155; emphasis added) Negroponte writes also that we are entering into an age of "true personalization" that is beyond "demographics" and statistical analysis. This age is characterised by machines' growing acquaintance with human beings as individuals. It is about "machines' understanding individuals with the same degree of subtlety (or more than) we can expect from other human beings, including idiosyncrasies (like always wearing a blue-striped shirt) and totally random events, good and bad, in the unfolding narrative of our lives. All of these are based on a model of you as an individual, not as part of a group who might buy a certain brand of soapsuds or toothpaste." (165) [N's remarks are interesting because they highlight the importance of knowledge about human beings, and therefore the importance of gaining access to such knowledge, and thus, indirectly, the importance of regulating such access. LB]

Negroponte also makes the point that the way in which agents will function will be decentralised: "Interface agentry will become decentralized in the same way as information and organizations. Like an army commander sending a scout ahead or a sheriff sending out a posse, you will dispatch agents to collect information on your behalf. Agents will dispatch agents. The process multiplies." (158)

10.3.3. The 'Anonymity principle' in IPPs

See Reading Guide 5.8. Anonymity principles

10.4. Multi-purpose ID Card / number systems

10.4.1. General resources

10.4.2. Privacy issues in ID cards

10.4.3. Hong Kong

10.4.3. Hong Kong

Hong Kong's SMARTICS ID smart card, to operate from mid-2003, will be one of the most ambitious ID card systems in the world (a multi-purpose smart card, with no defined limit to its uses, and potentially with digital signature attached), and therefore one with very great potential dangers to privacy.


Existing HK ID card

PCO Code of Practice:

The SMARTICS ID smart card (from 2003)

Summary from the government statement Digital 21: 2001 HK Digital 21 Strategy: Key Result Area 5 :
"We will replace the existing Hong Kong citizens' identity cards with a new generation of 'smart' identity cards from 2003 onwards. This will cover a population of around seven million people. The identity card replacement exercise presents us with a unique opportunity to capitalise on the use of smart card technology for developing a user-friendly platform to provide more efficient, better quality and value-added services to the community. We have proposed that the new identity card should take the form of a multi-application smart card with capacity to support different types of applications. This will be a significant step forward in enhancing our overall information infrastructure and achieving our aim to position Hong Kong as a leading digital city. It will also facilitate the adoption of e-business in the community. We are conducting feasibility studies to examine how smart card technology can be used to provide additional value-added functions through the new identity cards. We will carry out public consultation on whether these functions should be adopted. We will also adopt comprehensive measures to ensure that the smart identity cards are secure and to address privacy and personal data protection. We target to roll out the new smart identity cards with multi-application capacity starting from 2003."
G Greenleaf Slides on Legal/technical protection of Internet privacy (go to slide 'The HK `smart' ID card')

Official documents:

All of these documents are important. Read as many as you can.

Press articles:

10.4.4. United States

The US does not have a national ID card.

10.4.5. Australia

Australia is also relatively unusual in not having a national ID card, following the defeat of the 'Australia Card' proposal in the 1980s.

Why was the Australia Card defeated? Does it make any difference?

The Australia Card - a defeated ID card scheme?

It is a decade since the defeat of the `Australia Card' proposals in late 19787, which led directly to the political compromise of the Tax File Number (and thereby, a few years later, the Commonwealth's mass data matching scheme) and the Privacy Act 1988 in the following year.

The defeat of the Australia Card is still the most important object lesson in Australia in how popular resistance can defeat a mass surveillance proposal - but the story was always far more complex than that. A decade later, we can still ask `have governments and the private sector achieved everything they hoped for from the Australia Card, and more, by more subtle means?' - and we do in fact ask it in the Question `Who needs the Australia Card?'.

Here are some articles, written at the time, which chart the rise, meaning, and demise of the Australia Card:

Data matching and the Tax File Number: a story of function creep

The following articles and papers track (in roughly historical order) the history of the expanding use of the Tax File Number into the Commonwealth's data-matching system (under the Data-matching Program (Assistance And Tax) Act 1990 (Cth), and otherwise), one of the world's more extensive mass surveillance systems.

[Previous] [Next] [Title]