clark sr 2011 recent developments in data security and identification 2011 06 11
Draft for Submission to journal for review
Recent Developments in Data Security and Identification: what challenges for the law of
privacy?
Steven R Clark1
Abstract
Data is the lifeblood of contemporary post-industrial societies. Whether this phenomenon is
called the Information Society, the Network Society, or the Information Age, information flows
are the circulatory system of commerce and governance on global and domestic scales.
Information systems are the organs through which this lifeblood circulates. Information
identification is the key that unlocks the potential of each of these. However, it is arguable that,
in practice, there is too much emphasis being placed upon the details of identification (the
‘identity’ being processed) and not enough on structural concerns – especially relationships
between information providers and recipients. This inward focus is natural. Each organisation
has its own needs and interests, and generally knows its own better than
those of other organisations. Unfortunately, increasingly interconnected networks of data flows,
across increasingly interconnected networks, within and between organisations, mean that an
insular world view is no longer sustainable. This paper examines this phenomenon from the
perspective of the law of privacy. How best do we manage our data such that the legitimate
interests of security and privacy can be accommodated simultaneously?
Introduction
Identification is a critical component of any information system; from simple access control
mechanisms to layered identity management systems. The simplest case is a user login. By
providing a computer with an appropriate username and password combination, a user2
establishes their authorisation to access and use a system’s resources, such as application
software, network connections, and associated data. Some systems may require different or
additional credentials to authenticate the user’s authority to access and use individual
components such as networks, applications, or data sets. For example, any individual user may
have different credentials for a smartphone, a laptop, and building access.
1 PhD Candidate, School of Commerce, University of South Australia. <acknowledgements>
2 A ‘user’ may be a person, a software application, or another computer system.
Identification need not be a one-time event. It is possible to identify people continuously as
they move through physical spaces. The combination of closed circuit television (CCTV) and
facial recognition software currently enables systems to track individuals through public spaces
without too much difficulty. Radio-frequency identification (RFID) tags, mobile phones, and
other wireless transmitter-responder technologies enable devices to be tracked, or traced.
Identity management and access management systems can log events associated with specific
identifiers each time they are used as credentials within and between information and
communication technology-enabled systems. For example, Facebook tracks its users as they
use associated websites, affiliated ‘applications’, and those almost ubiquitous ‘like’ buttons,
through a ‘refer-back’ process.
Identification is also the predominant concern of existing privacy laws. Data, and in particular
data which might identify individual ‘data subjects’ (a term that describes people in the digital
age), lies at the heart of Australian (and many other) privacy protection regimes. ‘Personal
information’ is designed to be protected by measures intended to prevent unauthorised
identification of individuals, or inappropriate association of data with them. At the heart of this
scheme is the notion that sensitive data about a person should only be collected, stored, used,
processed, or disseminated with the consent of the person to whom the data relates – the person
who could be identified by the data.
This data-centric approach made sense in the 1980s, when the main concern was centralised
databases concerning the records of customers, patients, and citizens limited to specific
organisations. In the three decades since, developments in information and communications
technologies have vastly expanded the scope, scale, and dimensions of data collected,
processed, and shared. No longer are large organisations with centralised databases the only
cause for concern. Individuals themselves can be directly involved in aggregating, processing
and disseminating data about themselves, and others, through their use of mobile devices,
wireless networks, websites, online commerce and entertainment, and so on. The Big Brother
concept has been replaced by countless ‘little brothers’.3
Records are no longer kept in manila files in isolated filing cabinets. Most information systems
generate and maintain electronic ‘dossiers’ regarding individuals.4 Increasingly, these
electronic files are shared within and between organisations across networks. The risks to
3 Rick Sarre, 'Privacy and Cyber Forensics: An Australian Perspective' in Al Marcella and Doug Menendez (eds), Cyber Forensics: A Field Manual for Collecting, Examining, and Preserving Evidence of Computer Crimes (Taylor & Francis, 2nd ed, 2008) 231, 231.
security and privacy posed by these relationships have not been adequately addressed by
privacy protection regimes that focus upon data about individuals.
Nevertheless, identification lies at the heart of privacy concerns. Information privacy in
particular is concerned with ‘personal information’ or ‘personally identifiable information’ –
the very stuff of identification. Identification is also a core process of security. Determining the
identity of people or parties (computers, systems, etc) is a key component of security measures.
Thus identification sits at a crossroads of privacy and security. This nexus of privacy and
security interests affords an important opportunity to review – and perhaps reconsider – the
approach taken to balance the interests represented by privacy and security in ICT-enabled
systems, and, in particular, with respect to identification by or through such systems.
Tensions between Privacy and Identification
Concerns regarding the impact of computer technologies on privacy became acute in the
1960s.5 These technologies enabled the accumulation and cross-matching of far larger volumes
of information regarding individuals than had ever previously been possible, and with greater
ease, efficiency, and convenience. This elicited fears of the creation of a police state of
unsurpassed organisation and efficiency.
But this development is not unprecedented. George Orwell famously described a panoptic
society in his 1948 novel, Nineteen Eighty-Four.6 His ever-present ‘Big Brother’ has had a
lasting impression in the English-speaking West.7 Distrust of government, and of organisations
generally, is rooted in social history and personal experience. Nevertheless, it was
commonplace in the early 1980s for people to hand over quite freely information about
themselves in anticipation or expectation of receiving goods and services in return. At the same
4 A UC Berkeley study, Peter Lyman and Hal R Varian, How Much Information (2003) <http://www.sims.berkeley.edu/how-much-info-2003>, estimated that only 0.01% of all information generated in 2002 was paper-based.
5 R Prosser, 'Privacy' (1960) 48 California Law Review ; E Bloustein, 'Privacy as an Aspect of Human Dignity: An Answer to Dean Prosser' (1964) 39 New York University Law Review ; C Fried, 'Privacy' (1967) 77 Yale Law Journal ; AF Westin, Privacy and Freedom (Atheneum 1967).
6 George Orwell, Nineteen Eighty-Four. (1948).
7 Orwell’s novel was foreshadowed by Yevgeny Zamyatin’s We. Written in 1921, it has similar notions and themes: a Benefactor (Big Brother) as the literal ‘face’ of the State, and ‘The Table’ (telescreen) organised everyone’s daily routine. Zamyatin’s panopticon was more obvious than Orwell’s: every building was constructed entirely of glass, so that everything a citizen did was visible to anyone and everyone else.
time, the sharing of information between information systems, facilitated by technology, was
increasing rapidly.8
Calls to Protect Privacy
Governments in the English-speaking West responded cautiously to calls to regulate these new
technologies, and in particular to protect the individual’s privacy from the ‘menace’ of the
machine. During the 1970s, successive British governments established the Younger
Committee on Privacy9 and the Lindop Committee on Data Privacy10 to examine the privacy
implications of computer technologies, and to advise on policy and legislative approaches.
Nevertheless, it was not until 1984 that Britain enacted its first Data Protection Act – largely
in response to external pressures from developments in Europe.
Sir Zelman Cowen’s 1969 ABC Boyer Lecture Series, ‘The Private Man’,11 is credited with
igniting interest in the field of privacy law and practice in Australia.12 The first legislation in
Australia regarding privacy was the Privacy Committee Act 1975 (NSW). The Act established a
body to investigate complaints and research matters relating to privacy in NSW. It was a
response to recommendations in a report commissioned in 1972 by the then Attorney-General
of NSW, Mr John Madison. The report’s author, Professor William Morison, had a strong
background in the law of torts, and approached privacy as a legal interest rather than as a moral
or legal right. “He concluded that such privacy protections as existed were incidental rather
than intentional, and that further study and experience were needed before any substantive legal
protections were enacted.”13 An early contribution from the NSW Privacy Committee was a set
of information privacy principles designed to provide guidance to organisations using
computers.14
8 Norman Lindop, 'Data protection: the background' in Colin Bourne and John Benyon (eds), Data Protection: Perspectives on Information Privacy (Continuing Education Unit, University of Leicester, 1983) 19.
9 K Younger, 'Report' (Committee on Privacy, 1972).
10 Norman Lindop, 'Report of the Committee on Data Protection' (Committee on Data Protection, 1978).
11 Zelman Cowen, The Private Man, The Boyer Lectures (Australian Broadcasting Commission, 1969).
12 RA Clarke, A History of Privacy in Australia (8 January, 2002 1998) <http://www.rogerclarke.com/DV/OzHistory.html>.
13 Ibid.
14 NSW Privacy Committee, 'Guidelines for the Operation of Personal Data Systems, BP31' (NSW Privacy Committee, April 1977 1977), via Clarke, previously cited: remove this citation and make cross-reference, with ‘the short-form of the Principles, reproduced from page 2 [of the Report]’ reproduced at RA Clarke, N.S.W Guidelines for the Operation of Personal Data Systems (7 February 2004 2004) <http://www.rogerclarke.com/DV/NSWPCGs.html>.
In April 1976, the Australian Law Reform Commission (ALRC) embarked upon a
comprehensive enquiry into privacy issues arising under Commonwealth or Territory laws.
This review would last seven years, with the final report handed down in 1983.15 It would be
another five years before privacy legislation would be enacted by an Australian Federal
Government.
Economic Imperatives for Harmonisation
In the meantime, economic imperatives were driving the development of privacy regulation
elsewhere. Concerns regarding the impact of inconsistent laws on the potential economic
exploitation of new information technologies were being raised in a number of countries. This
led to multi-national efforts to harmonise privacy laws.
For example, the Organization for Economic Co-Operation and Development (OECD)
established an expert working group between 1978-1980 to develop guidelines for member
nations to encourage the development of harmonised privacy laws. The then Chair of the
ALRC, Michael Kirby, was elected chair of this Expert Group. The OECD Expert Group on
Privacy Principles published its influential Guidelines on the Protection of Privacy and
Transborder Flows of Personal Data in 198016 (the OECD Guidelines). These, and the
European Data Protection Directive of 199517 (the Data Protection Directive), have perhaps
been the most influential statements regarding the harmonisation of privacy laws.
From 1976, the ALRC conducted a comprehensive seven year investigation into privacy
regulation, culminating in the substantial ALRC Report 22, Privacy in 1983.18 The report
included draft legislation for consideration by Parliament. Nevertheless, it would be a further
five years before an Australian Federal Government enacted legislation in response, namely the
Privacy Act 1988 (Cth).
15 Australian Law Reform Commission, 'Privacy' (ALRC, 1983).
16 OECD, Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (5 January, 1999 1980) Organization for Economic Co-Operation and Development <http://www.oecd.org/document/18/0,2340,en_2649_34255_1815186_1_1_1_1,00.html>.
17 European Council, 'Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data' (23/11/1995 1995).
18 Australian Law Reform Commission, above n 14.
Unease around sensitive personal data
Computers had become so ubiquitous in industrialised societies by the early 1980s that
industrial economies had become ‘extremely dependent upon information systems’.19 Without
computers, a great many commodities and services (including the information associated with
them) would have been much more expensive. The demand for information about ‘consumers’
grew, along with an increasing capacity to handle large volumes of data.
People became accustomed to handing over personal details for warranties and loyalty mail-outs.
At the same time, disquiet regarding unsolicited mail (so called ‘junk’ mail) and other
‘abuses’ of personal information was growing. Computers were enabling automated mass
mailing of promotional materials, creating a new market for personal information. Targeted
unsolicited mail led many to ask “how did they get my address?”20
The Younger Committee conducted a survey of attitudes to privacy in the early 1970s. When
asked:
‘[i]f there was freely available in your public library a list in which all the properties in the various streets in your town were listed in numerical order, and against each number there was the full name of those people who lived there, would you regard that as an invasion of your personal privacy?’21
35% of respondents answered ‘yes’, and added, furthermore, that ‘there ought to be a law
against it’.
‘[I]nformation is power ... and information about individuals, particularly if it is held in secret, is held very often to imply and convey a sense of power over that individual. It is the sense of not knowing who knows what about one which is at the root of much of the unease.’22
This disquiet regarding ‘not knowing who knows what about you’ is reflected in laws, policies
and guidelines. At the heart of these regimes is the notion of ‘personal information’ (PI) or
‘personally identifiable information’ (PII). These notions, in turn, are tied to the concern that a
particular individual can (or might) be inappropriately identified from the information or data
in question. Privacy and data protection regimes from the 1970s onwards embody the notion
that privacy is at risk if a specific person is, or might be, identified from the disclosed data.
19 Lindop, above n 7, 22.
20 Lindop, above n 7.
21 Ibid.
22 Ibid, 22, emphasis added.
What information is sensitive?
It is the context, not the data itself, that makes information ‘sensitive’. Even name, age and
address can be used in ways that are sensitive or socially undesirable. This was recognised as
early as the mid-1970s by the Lindop Committee in the UK,23 chaired by Sir Norman Lindop.
Sir Norman related an example from a study tour of Sweden, undertaken by his committee as
part of their investigations. The Swedes did not consider a person’s name, age and address to be
particularly sensitive. Sweden has had a Freedom of Information Act for some 200 years.24 Any
information held by a government agency is public, unless legislation specifies otherwise.
Sweden had also used personal identity numbers for about half a century by the early 1980s.
These numbers incorporate the person’s date of birth, and their gender is represented by odd
numbers for males, even numbers for females. Taken together, this enabled a company to mail
advertising materials regarding feminine hygiene products to pre-pubescent females: a use
deemed unacceptable by the Data Inspection Board.25 This was not because it was a misuse of
sensitive information, but because of the sensitivity of the context of the use.
Indeed, context determines sensitivity. An annotated list of names has different character where
the annotations relate to Christmas cards, or union membership, or sexual orientation, and so
forth. The size of an information system is not relevant to the sensitivity of its contents. A small
list can be just as damaging as a large one, especially if the list has a socially or personally
undesirable purpose. Excluding small systems would, therefore, be problematic.26 It is context
which determines sensitivity, not scope, or scale, or content, per se.
However, at the heart of existing privacy legislation is the idea that ‘privacy’ can only be
‘breached’ if certain ‘sensitive’ facts about a specific identified or identifiable person are
revealed inappropriately. This can lead to the misconception that privacy is only concerned
with embarrassing secrets: that privacy is (merely) a form of secrecy.
Information privacy laws often enumerate specific kinds of facts, or classes of facts, about a
person that are deemed to be sensitive. These are usually facts which have an obvious
connection to sensitive uses in the past, for example, name and address, gender, sexual
orientation, ‘racial origin’, health status, and so on. But ICT-enabled systems can collect,
23 Ibid, above n 7.
24 Sweden was the first country to do so.
25 Lindop, above n 7, 23.
26 Ibid.
collate, and connect pieces of seemingly unrelated, or disparate, data through even the smallest
of overlaps between datasets.
In the current information environment, it is not always ‘what’ is shared that is the problem.
Sometimes the problem is that the other party already knows something about some (or all) of
the individuals about whom you are sharing data. What you reveal to the other party may not be
sensitive of itself, but, in combination with what they already know, it exposes something about
the data subject. This may, or may not, be a problem; again, it depends upon the context.
Sensitivity of identification
Identification of individual persons is a sensitive issue. There are arguments for and against the
identification (and what is known as ‘identifiability’27) of individuals across a range of
circumstances and contexts.28 Identification is highly context sensitive. Personal experience is a
significant factor in shaping one’s perspective regarding circumstances when identification may
or may not be appropriate.29
Discussions around privacy elicit strong emotional responses. One’s perspective is strongly
influenced by experience.30 Those who have experienced a privacy breach tend to be in favour
of stronger privacy protections. Conversely, those who have been inconvenienced by privacy
protections tend to advocate for more openness. Complicating the discussion is the often
observed ‘gap’ between professed privacy concerns and expressed privacy-aware behaviours.
There is a large, and growing, body of literature discussing this phenomenon.31 It has also
become a cause célèbre in mass media publications. Many have pronounced the end of privacy,
or the death of privacy.32 However, there is also growing evidence that this observed gap may,
27 William W Lowrance, 'Privacy, Confidentiality, and Identifiability in Genomic Research' (Paper presented at the Privacy, Confidentiality and Identifiability in Genomic Research, Bethesda MD, October 3–4 2006) <http://www.genome.gov/Pages/About/OD/ReportsPublications/IdentifiabilityWorkshopWhitePaper.pdf>.
28 Bernard Clements et al, 'Security and Privacy for the Citizen in the Post-September 11 Digital Age: A Prospective Overview' (EUR 20823, Joint Research Centre (DG JRC), European Commission, 2003) <http://www.jrc.es/home/publications/publication.cfm?pub=1118>; House of Lords. Select Committee on the Constitution, 'Surveillance: Citizens and the State' (House of Lords, 6 February 2009); James Crosby, 'Challenges and opportunities in identity assurance' (HM Treasury, 2008)
29 Neil Robinson et al, 'Review of the European Data Protection Directive' (TR-710-ICO, Information Commissioner’s Office, 2009)
30 Ibid; Clements et al, above n 27.
31 Mizuko Ito et al, Hanging Out, Messing Around, Geeking Out: Living and Learning with New Media (MIT Press, 2009); danah boyd, Taken Out of Context: American Teen Sociality in Networked Publics (PhD Thesis, University of California-Berkeley, 2008) <http://www.danah.org/papers/TakenOutOfContext.pdf>.
in fact, reflect a combination of a lack of awareness of risks, lack of understanding of
appropriate protective behaviours, and a lack of adequate tools.33
The utility of identification to both end users and providers further complicates matters.34 For
many applications and services, end users may desire themselves or their records to be
identifiable: either because of the purpose of the system (e.g. social media) or some perceived
or accrued benefit (e.g. loyalty systems). At the same time, they may also want to prevent or
distance themselves from ‘identifiability’ in some circumstances within the same system
(targeted advertising, undesirable contact with people they don’t like). The system provider
usually has an interest in the ‘findability’ or ‘identifiability’ of subscribers as a means to offer
added value through recommendations, or (additional) revenue through advertising sales, and
as a service to its subscribers.
Data that can be used to identify individuals is of concern from privacy and security
perspectives. Privacy law restricts who can obtain, hold, manage, use, or distribute identity
information – as do security measures.
Identification through Technology
Technology often plays an important role in the identification process itself. Some technologies
are directly involved in identification (e.g. databases, smartcards), others play a role in the
process, such as acquiring data (e.g. cameras, fingerprint readers), and some may have many
roles (e.g. RFIDs can identify an associated object; can be associated with a purchaser through
a record of sale; and, can be used to track the object’s movements or location, and thereby the
person carrying the object).
In most commercial and large-scale organisational environments, identity records, and the
identification processes that use them, are managed by a combination of software and hardware
technologies called identity management systems. Identity management systems (IDMS) create,
32 Polly Sprenger, Sun on Privacy: 'Get Over It' (1999) WIRED <http://www.wired.com/politics/law/news/1999/01/17538>; Helen AS Popkin, Privacy is dead on Facebook. Get over it. (2010) msnbc.com <http://www.msnbc.msn.com/id/34825225/ns/technology_and_science-tech_and_gadgets/t/privacy-dead-facebook-get-over-it/>; Bobbie Johnson, Privacy no longer a social norm, says Facebook founder (11 January 2010) guardian.co.uk <http://www.guardian.co.uk/technology/2010/jan/11/facebook-privacy>.
33 Bobbie Johnson, Danah Boyd: 'People looked at me like I was an alien' (2009) guardian.co.uk <http://www.guardian.co.uk/technology/2009/dec/09/interview-microsoft-researcher-danah-boyd>; Ito et al, above n 30.
34 Crosby, above n 27.
store, compare, distribute and (potentially) disclose digital identification data. They are the
gatekeepers and the enablers of our service-oriented society. Such a system may include front-end
hardware such as RFID, CCTV, barcode scanners, body scanners, laptops, and mobile
phones. They also include ‘back-end’ hardware such as network cabling, modems, storage
devices and server computers. These are integrated through software that captures, processes,
analyses, compares, and stores data.
An IDMS may be limited to a single organisation or network, but increasingly such systems link
together multiple networks, and multiple organisations. As these federated identity
management systems become more common, they enable services such as ‘Single Sign-On’
(log in once to access services provided by more than one organisation, and access more than
one network: for example, using one’s Facebook or Google credentials to ‘log in’ to blogs). In
doing so, these systems must address the problems associated with identification
between each network in a manner consistent with good security and good privacy practices.
Identification
Identification (a process) is often confused with identity (a state). This is particularly true with
respect to technologies involved in identification – for example, an identity card. The process
of identification is the comparison of two things (A & B) to determine if they are sufficiently
similar to claim with the requisite certainty that they match (A=B), thus determining identity
between A and B. The degree of certainty represents the level of trust involved. Trust is
important for every stage and component of identification. The lower the tolerance for risk, the
higher the degree of certainty required, and thus more that would need to be done to
demonstrate trustworthiness. However, it is not possible to entirely remove risk from a
transaction or relationship. Trust thus remains a live concern throughout any identification
process.35
Identification, for our purposes, is the association of a specific individual36 with a specific
record or set of data. Identification involves a person presenting at least one credential to a
system. Credentials usually involve one or more of: something you know (e.g. username,
password), something you have (e.g. credit card, passcard), or something you are (e.g. iris
biometric). These are compared against relevant identifying details recorded within the system
35 Phillip J Windley, Digital Identity (O'Reilly, 2005).
36 Identification can also involve other things, such as computer systems, or their component software or hardware, and so on. Here we are concerned with privacy, and thus individual natural persons.
to ascertain whether or not they match, that is, whether the subject is authenticated. The record
of these identifying details is usually called an identity.37
Identity
A digital identity generally consists of data representing key facts about the person, system,
organisation, computer, network, machine, or other identifiable thing to which it relates: known
as the subject (or entity).38 This record usually also includes information that describes the
subject’s relationships with other records, including their authorities to do things within the
system. If the identification process is satisfactorily completed, the system enables the
association of these other records with the identity, and thus grants access to the subject.
Whether these records contain financial data associated with a credit card, medical data in a
health record, or a complex matrix of permissions to access and modify documents, the
underlying processes are the same.
It is important not to assume that a candidate presenting to a system actually is the person to
whom the record relates. Doing so opens up or increases opportunities for false positives; either
by mistake or error, or by manipulation – or both.39 At the same time, a system cannot function
if everyone is presumed to not be whom they claim or present to be.40 This leads to increasingly
costly and involved measures being employed in an attempt to establish definitively that A’=A.
Authentication
The questions of ‘who are you?’ and ‘how do I know that I can trust you?’ are answered by
authentication.41 Authentication is the process of matching a subject with an identity record; it
is the comparison of a claim to an identity with evidence regarding relevant attributes of the
identity (usually via a credential). For example, a driver’s licence is a credential. The photo on
the licence can be compared with the person presenting it. It allows a shopkeeper to
authenticate the bearer as the person to whom it was issued. Matching two photographs of faces
via mathematical modelling can enable a person to be authenticated from video footage, too.
Authentication systems vary in complexity, and may require one or more credentials
(authentication factors), and involve a range of technologies. Their purpose and function is the
37 Crosby, above n 27.
38 Windley, above n 34, 8.
39 Windley, above n 34.
40 Ibid.
41 Ibid, 50-51.
same: to determine whether a subject has adequately established that they are the one to whom
the claimed identity belongs. Practical trade-offs, such as speed and reliability of match, are
related to the degree of acceptable risk of false positive or false negative matches.
Verification
Verification tests the authenticity of credentials or other information presented to a system. This
is usually done by comparing what is already known about the identity (or the credential)
against the credential in question. For example, the driver’s licence may, in fact, be a forgery.
The validity of the document can be verified by comparing details on the credential with those
already known about the bearer, or by checking them against the records of the relevant licence
register, or by examining the document for signs of tampering or inadequate fabrication.
Alternatively, if the driver’s licence is trusted, it can be used to verify the credit card presented
with it.
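The distinction drawn in the last three sections, between authenticating a bearer against a credential and verifying the credential itself, as an added Python model that is not part of the original paper: the ‘photograph’ is a toy numeric template, the issuer’s tamper check is an HMAC over the licence fields, and the match threshold stands in for the tolerance for risk. All names, keys, register entries and templates are constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed example: a hypothetical licence issuer's signing key. In a real
# scheme this would be a private signing key held only by the issuer.
ISSUER_KEY = b"constructed-example-issuer-key"


@dataclass(frozen=True)
class Credential:
    """A driver's-licence-style credential (the record 'A' in the text)."""
    licence_no: str
    name: str
    face_template: tuple   # stand-in for the photograph on the licence
    signature: str         # issuer's HMAC over the other fields


def _message(licence_no, name, face_template):
    return f"{licence_no}|{name}|{','.join(map(str, face_template))}".encode()


def issue_credential(licence_no, name, face_template, key=ISSUER_KEY):
    sig = hmac.new(key, _message(licence_no, name, face_template), hashlib.sha256).hexdigest()
    return Credential(licence_no, name, tuple(face_template), sig)


def verify_credential(cred, register, key=ISSUER_KEY):
    """Verification: is the document itself genuine?

    Two of the checks the text lists: examine the document for tampering
    (here, the issuer's signature) and compare it with the issuer's register."""
    expected = hmac.new(key, _message(cred.licence_no, cred.name, cred.face_template),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, cred.signature):
        return False                       # forged or altered document
    return register.get(cred.licence_no) == (cred.name, cred.face_template)


def similarity(a, b):
    """Toy match score in [0, 1] between two face templates (1.0 = identical).
    Stands in for the mathematical face-matching the text mentions."""
    return 1.0 - sum(abs(x - y) for x, y in zip(a, b)) / (100 * len(a))


def authenticate(presented_template, cred, threshold):
    """Authentication: does the bearer (A') match the identity on the credential (A)?

    The threshold is the tolerance for risk: raising it reduces false positives
    (a look-alike accepted) at the cost of more false negatives (the true holder
    rejected because of a poor photo or camera)."""
    return similarity(presented_template, cred.face_template) >= threshold


def admit(presented_template, cred, register, threshold=0.9):
    """The shopkeeper's full check: verify the document, then authenticate the bearer."""
    if not verify_credential(cred, register):
        return "rejected: credential failed verification"
    if not authenticate(presented_template, cred, threshold):
        return "rejected: bearer does not match identity"
    return "accepted"


# Constructed sample data (templates are arbitrary five-point vectors in 0..100).
ALICE_TEMPLATE = (10, 40, 80, 20, 60)
REGISTER = {"L-0001": ("Alice Example", ALICE_TEMPLATE)}
ALICE_LICENCE = issue_credential("L-0001", "Alice Example", ALICE_TEMPLATE)
LOOKALIKE = (14, 36, 84, 24, 56)          # similarity 0.96: close, but not Alice
STRANGER = (90, 5, 10, 85, 15)            # similarity 0.41
# An altered licence: another name pasted over Alice's details, signature unchanged.
FORGED_LICENCE = Credential("L-0001", "Mallory Example", ALICE_TEMPLATE,
                            ALICE_LICENCE.signature)

if __name__ == "__main__":
    print(admit(ALICE_TEMPLATE, ALICE_LICENCE, REGISTER))             # accepted
    print(admit(LOOKALIKE, ALICE_LICENCE, REGISTER, threshold=0.9))   # accepted (risk-tolerant)
    print(admit(LOOKALIKE, ALICE_LICENCE, REGISTER, threshold=0.99))  # rejected (risk-averse)
    print(admit(STRANGER, ALICE_LICENCE, REGISTER))                   # rejected
    print(admit(ALICE_TEMPLATE, FORGED_LICENCE, REGISTER))            # rejected: failed verification
```

The same verified licence could then serve as the trust anchor for checking a second credential presented with it, as the text describes for the credit card.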
Relationships between Privacy, Security and Identification
With privacy widely recognised, and regulated, it is not surprising to find privacy controls and
privacy measures implemented in and via technologies – especially ICTs. However, the lack of
uniformity in approaches to privacy can lead to conservative or narrow measures employed in
technology. Privacy as implemented in technology (especially in hardware) tends to represent
a lowest common denominator view of privacy (the minimal set for maximum compliance).
This compliance-centric view of governance is consistent with administrative law and
corporations law more generally.
Organisations and individuals seek to minimise the costs of compliance. Hardware is expensive
to change, software is often complex, and changes to either can lead to (additional)
unanticipated results. It is thus tempting to confine privacy measures to those that also address
security requirements. It is also advantageous to pursue harmonised, and minimised, laws to
reduce the costs and complexities associated with meeting the demands of disparate
regulations. This, at the very least, raises questions about what is being protected, how and why.
Identification of individuals lies at the heart of privacy concerns. Of concern to privacy
advocates is the ease with which identification data can be obtained, aggregated, or distributed
using increasingly invasive and pervasive technologies. Moreover, the ease with which such
data can be cross-matched with other sources to expand a data set is of great concern too. By
the same token, businesses and governments see opportunities to increase the personalisation of
their services; to ensure the security, completeness and timeliness of their data collections; and
to increase the value of their data holdings. The reconciliation of these interests is a live
concern in public policy, law and technologies. No ‘silver bullet’ has arisen, however, from
those following these developments.
Information Privacy
Privacy continues to be a live, and contentious, issue with respect to identification through
technology. Some instances are obvious, such as the collection of personal profile data by
Facebook. Others are less apparent, such as when and with whom profile data is shared, or even
surreptitious, such as the storage of ‘tracking’ data by Apple iPhones.
The Google corporation raised the ire of individuals and privacy commissioners alike early in
2010 when it was discovered that it was collecting Wi-Fi data as part of its ‘Street View’
program.42 Street View involves cars driving down public roads taking panoramic photographs
at regular intervals using equipment mounted on their roofs. These photographs are then integrated
into Google Maps to provide a photographic montage enabling Google Maps users to zoom
down to the street level and see what was there at the time the Street View car passed by. The
Street View program had already angered many individuals and privacy advocates who felt the
photographs exposed private details of their lives and intimate moments to the whole world via
the Internet. The discovery that Google was surreptitiously ‘listening in’ on their wireless
networks renewed their concerns.
Google’s equipment enabled the company to estimate the location of each Wi-Fi transmitter, perhaps
down to the building. As the number and range of wireless devices grows, this feature would
potentially enable Google to locate all manner of wireless-enabled devices, such as mobile
phones, computers, printers, televisions and set-top boxes. As if this were not bad enough, it
was also revealed that Google’s cars were capturing and recording any and all data transmitted
using Wi-Fi technologies. That would enable Google to identify the devices, and potentially
identify who owned them and the purposes for which they were being used. If the wireless
communications were not properly secured, Google could gain access to personal emails and
other communications.
42 Louisa Hearn, 'Please explain: why Google wants your Wi-Fi data', Sydney Morning Herald (Sydney), May 13 2010 <http://www.smh.com.au/technology/technology-news/please-explain-why-google-wants-your-wifi-data-20100513-uyyh.html>.
Ten privacy commissioners43 wrote a joint letter to Eric Schmidt, CEO and Chairman of
Google, seeking an explanation as to how the company would ensure ‘that privacy and data
protection requirements [would be] met before the launch of future products.’44 Australia’s then
Privacy Commissioner, Karen Curtis, initially suggested that the data collected by Google was
unlikely to be ‘personal information’ under the Privacy Act,45 but later found that the company
had ‘inadvertently collected the data’ in breach of the Act.46 In response, the company offered a
public apology and undertook a Privacy Impact Assessment of the program. Other privacy
commissioners47 pursued the deletion of all data collected, and the Australian Federal Police
investigated possible breaches of telecommunications laws.48 Individuals pursued a number of
class action suits seeking damages for invasion of privacy.
Privacy is a widely recognised set of social values, and one that is accepted across highly
divergent cultures. Nevertheless, the principle of privacy continues to challenge and be
challenged by ongoing social and technological change. Privacy, as constructed in law and
represented in technologies, continues to be confounded by conceptual inconsistencies and
false dichotomies. In practice, privacy is often traded-off for other interests, especially national
security.
While privacy is recognised as a human right, legal and technological measures undertaken in
its name have tended to relegate privacy to the status of an administrative burden. Political and
commercial parties discuss privacy as an ‘interest’ and a ‘human right’ almost as an apology
for immediately dismissing it as a ‘messy concept’, bereft of clarity and bewildered by lack of
relevance or purpose.
Is it any wonder, then, that, for more than a century after Harvard Law School graduates
Samuel Warren and Louis Brandeis49 brought their concerns about the implications of new
technologies for this seemingly elusive social value to the attention of lawyers and legislators,50
privacy continues to be dismissed, wistfully, as a ‘compliance’ problem?51 The very confusion
over what privacy is, and why it ought to be protected, is held out by some as a reason to
dismiss it entirely, or to shake one’s head sorrowfully at the demise of this once contentious
‘value’.52
43 Canada, France, Germany, Ireland, Israel, Italy, the Netherlands, New Zealand, Spain, and the United Kingdom.
44 Jennifer Stoddart et al, Letter to Google Inc. Chief Executive Officer (2010) <http://www.priv.gc.ca/media/nr-c/2010/let_100420_e.cfm>.
45 Hearn, above n 41.
46 Fran Foo, 'Google Australia breached Privacy Act with Street View but escapes with apology', The Australian 9 July 2010 <http://www.theaustralian.com.au/australian-it/google-australia-breached-privacy-act-but-apology-is-sufficient/story-e6frgakx-1225889876666>.
47 But not the Australian Privacy Commissioner.
48 Foo, above n 45.
49 Brandeis was later appointed an Associate Justice of the US Supreme Court and drew upon this earlier work in his dissenting judgement in Olmstead v US, 277 US 438 (1928).
At law, privacy in Australia is largely confined to ‘information privacy’ – one of four widely
recognised ‘kinds’ or ‘aspects’ of privacy: informational, bodily, communication, and
territorial.53 Information privacy is concerned with ‘personal information’ or ‘personally
identifiable information’. As such, the focus of legal protection is on the possibility of
identifying the subject (the individual) of the data; and, whether the subject has consented to
the acquisition and/or the use of that data for the purpose/s to which it is being applied. Thus,
privacy law is a crucial concern for identification, and vice versa.
Since the seminal article by Warren and Brandeis promoting a tortious view of privacy as ‘the
right to be let alone’,54 there have been many attempts to define ‘privacy’ unequivocally; and all
have failed for one reason or another. And yet, the average person still has a notion, a ‘feeling’,
about what constitutes their privacy.
Privacy is not a ‘thing’, nor is it a state as such. Rather, it is an attribute, a property, of
relationships. It is closely tied to trust. Indeed, the intense emotions related to privacy have
much to do with trust, and breaches of trust in particular. But privacy and trust are not the same.
They are related notions, but they are not co-extensive.
Discussions around privacy can be intensely emotional. For many, it is hard to relate to
concerns about privacy unless, and until, they have experienced a breach of their own privacy.
Privacy is not a state in the sense of ‘off’ or ‘on’; ‘have’ or ‘have not’. It is possible to
experience a breach of privacy without having had it destroyed entirely.
50 Samuel D Warren and Louis D Brandeis, 'The Right to Privacy' (1890) 4(5) (December 15) Harvard Law Review 193.
51 Olmstead, above n 48; Katz v US, 389 US 347 (1967).
52 Brett Mason, Privacy without Principle: The Use and Abuse of Privacy in Australian Law and Public Policy (Australian Scholarly Publishing, 2006).
53 David Banisar, Privacy and Human Rights 2000: An International Survey of Privacy Law and Developments (2000) Privacy International <www.privacyinternational.org/survey/phr2000/overview.html>, after Fernando Volio, 'Legal personality, privacy and the family' in Louis Henkin (ed), The International Bill of Rights: the Covenant on Civil and Political Rights (Columbia University Press, 1981) 198.
54 Warren and Brandeis, above n 49.
Early attempts to address the practical aspects of privacy protection led to carving privacy
problems up into four ‘aspects’: informational privacy, bodily privacy, privacy of
communications, and territorial privacy. Daniel Solove suggests an alternative perspective that
emphasises the harm caused by privacy breaches. He groups privacy-harming activities into four
classes: information collection, information processing, information dissemination, and
invasion of privacy.55
Privacy in Australian Law
There is no generally recognised tort of invasion of privacy in Australia.56 Australian
privacy law is instead almost entirely restricted to ‘information privacy’, embodied in statutory
schemes.57 The Privacy Act 1988 (Cth)58 (the Act) has the broadest implications for
identification systems in practice, as it applies to Commonwealth and ACT government
agencies, and corporations.
Information privacy is centred around data about individuals, with the crucial nexus being the
purpose for which data that identifies individuals were collected. Information technologies,
such as those employed in identification processes, implement legal privacy because that is the
standard to which they are held: compliance affords legal protection. Compliance with legal
privacy reduces risk; especially financial risk.
The foundations of the Privacy Act 1988 (Cth)
The Privacy Act 1988 (Cth) was the culmination of two decades of community and government
activity. The Australian Law Reform Commission conducted a seven-year review of privacy
concerns as human rights issues, culminating in ALRC Report 22 Privacy published in 1983.59
The report advocated for a comprehensive, integrated privacy protection scheme to address
potential injustices to individuals through new developments in technologies and public and
business administration.60 The report also recognised that privacy interests may be
complementary to,61 or compete with,62 other legitimate interests. The report set out to ‘provide
a proper level of legal protection for privacy interests without subjugating ... other important
interests.’63 The report recognised that privacy was not ‘a single integrated concept [rather it] is
in fact an ordinary language word used to describe a wide variety of disparate and often
competing aspirations.’64
55 Daniel J Solove, 'A Taxonomy of Privacy' (2006) 154(3) University of Pennsylvania Law Review 477.
56 The High Court has yet to recognise such a tort: Victoria Park Racing and Recreation Grounds Company Limited v Taylor [1937] HCA 45; (1937) 58 CLR 479 (26 August 1937); Australian Broadcasting Corporation v Lenah Game Meats Pty Ltd (2001) 208 CLR 199; although two lower courts have, expanding upon Lenah Game Meats: Grosse v Purvis (2003) Aust Torts Reports 81–706; Doe v Australian Broadcasting Corporation [2007] VCC 281.
57 e.g. Commonwealth: Privacy Act 1988 (Cth); Telecommunications Act 1997 (Cth); National Health Act 1953 (Cth); Data-matching Program (Assistance and Tax) Act 1990 (Cth); Crimes Act 1914 (Cth); Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth); Healthcare Identifiers Act 2010 (Cth), Victoria: Information Privacy Act 2000 (Vic); Health Records Act 2001 (Vic); Charter of Human Rights and Responsibilities Act 2006 (Vic), NSW: Crimes (Forensic Procedures) Act 2000 (NSW); Surveillance Devices Act 2007 (NSW); Workplace Surveillance Act 2005 (NSW); Health Records and Information Privacy Act 2002 (NSW); Privacy and Personal Information Protection Act 1998 (NSW), and the ACT: Health Records (Privacy and Access) Act 1997 (ACT); Human Rights Act 2004 (ACT); Freedom of Information Act 1989 (ACT); Listening Devices Act 1992 (ACT); Spent Convictions Act 2000 (ACT); Territory Records Act 2002 (ACT).
58 Privacy Act 1988 (Cth).
The ALRC examined developments in domestic, foreign and international laws, including
human rights law, to recommend an approach that would build upon existing laws and
institutions. Instead of a whole new body of law, the Commission recommended ‘a basic
statement of rights and liabilities, enforceable in the courts’ which could be elaborated by
standards and guidelines relevant to specific organisations. ‘A statutory guardian for privacy’
would assist the community and organisations to apply these and existing protections.65
It would take a further five years before the federal government enacted such a scheme.
Information Privacy in the Privacy Act 1988 (Cth)
The Privacy Act 1988 (Cth) establishes two parallel regimes, with each centred upon a set of
‘privacy principles’: the Information Privacy Principles66 (IPPs) and the National Privacy
Principles67 (NPPs). The IPPs and NPPs address appropriate information handling practices for
Commonwealth and ACT government agencies, and for corporations, respectively. Both sets of
principles are concerned with the handling of ‘personal information’, defined in s6(1) to mean:
‘information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion.’68
59 Australian Law Reform Commission, above n 14.
60 Ibid, paras 36-38, and 143.
61 Ibid, Secrecy (paras 65-67), Confidentiality (paras 68-70), Reputation (paras 71-73), and Freedom from Discrimination (para 74).
62 For example, freedom of expression; freedom of information; protection of the revenue; law enforcement and criminal justice; protection of economic, trade and state secrets; national security and defence: ibid at para 75.
63 Australian Law Reform Commission, Summary of Report 22 (ALRC, 1983), 3.
64 Ibid, 3.
65 Australian Law Reform Commission, above n 58, paras 731 and 733.
66 Privacy Act 1988 (Cth) s14.
67 Ibid Schedule 3.
An ‘individual’ for the purposes of the Act, is a natural person.69 Neither ‘information’ nor
‘opinion’ are defined in the Act, and a brief consideration of their ordinary meanings suggests
the Act is intended to encompass a very broad range of facts, views, judgements, attitudes,
beliefs and so on, ‘whether true or not’, regarding individuals. A ‘record’ for the purposes of
the Act, is (a) a document, or (b) a database, or (c) a photograph or pictorial representation of a
person.70
The Act does not offer definitions of ‘identity’ or ‘identify’. In common usage, to ‘identify’ is
‘to recognise or establish as being a particular person or thing [or to] attest or prove to be as
purported or asserted’.71 Something that ‘identifies [a person] serves as a means of
identification for’ that person. To identify is to authenticate.
An ‘identity’ is the ‘condition, character, or distinguishing features of a person,’ or an ‘effective
means of identification [such as] an identity card.’72 A digital identity is a set of information
that can be used to identify a person; a means of identification. It is, in essence, a credential;
one that can be used to validate, or in turn be validated. This connection between ‘privacy’ and
‘identity’ or ‘identification’ is not unique to Australian law. For example, for the Privacy Act of
1974 (USA)73 to apply to a record, the record must identify an individual.
But ‘identity’ also means ‘the condition of being oneself ... and not another.’74 To conflate a
digital identity with the actual person, or to confuse it as representing anything more than a
means to authenticate a person in a specific context (or to verify another credential), is to usurp
the person’s unique status as a person. This is no small part of the fear of Big Brother, of the
disquiet arising from ‘not knowing who knows what about you’.
68 Ibid s6(1).
69 Ibid s6(1).
70 Ibid s6(1), with exceptions for records (d) forming part of ‘a generally available publication’; or (e) part of a ‘library, art gallery or museum’ collection for ‘reference, study or exhibition’; or (f) ‘Commonwealth records’ available under s3(1) of the Archives Act 1983 (Cth); (fa) or ‘records’ ‘in the care’ of the National Archives of Australia; or (g) ‘documents placed in the memorial collection’ under the Australian War Memorial Act 1980 (Cth); or (h) ‘letters or other articles in the course of transmission by post’.
71 JRL Bernard et al (eds), Macquarie ABC Dictionary (Macquarie Library, 2003), 485.
72 Ibid, 486.
73 Privacy Act of 1974, 5 USC § 552a, Public Law No 93-579 (Dec. 31, 1974).
74 Bernard, above n 70, 486.
Conclusion
Privacy law is designed to protect the identification and identifiability of individuals. Security
is concerned, in part, with the same things, although for different reasons. This can lead to
conflict where privacy promotes restrictions upon identification, and security promotes
increased identification. Identification is therefore a crucial nexus between privacy and security
at law, in technology, and in policy. Various methods and means have been devised and
proposed to ensure that the design and implementation of technologies are security- and
privacy-sensitive, and compliant with privacy laws.
In practice, people care about relationships, not data. A relationship-centric rather than data-
centric approach to the management of information has the effect of shifting the emphasis from
privacy or security (and their ‘balance’) to the integration of privacy and security. It is possible
to integrate the two without compromising either or both. Such an approach has the potential to
strengthen both privacy and security, by considering how both may be achieved and how any
‘conflict’ between them might be minimised.
Identification will retain a central role in our lives as technologies and the services they enable
become ubiquitous, and perhaps also invisible. It will continue to pose challenges for law and
public policy as novel technologies are implemented at an ever increasing pace. Expanding our
attention from the technologies (the ‘means’) to include the relationships they support (the
‘ends’) affords an opportunity to reconsider their implications in a sustainable and coherent
way, consistent with our desire for development and our need for caution.