When Do They Need to Know 'Whodunnit?'
The Justification for Transaction Identification;
The Scope for Transaction Anonymity and Pseudonymity

Roger Clarke

Principal, Xamax Consultancy Pty Ltd, Canberra

Visiting Professor, Baker & McKenzie Cyberspace Law & Policy Centre, University of N.S.W.

Visiting Professor, E-Commerce Programme, University of Hong Kong

Visiting Fellow, Department of Computer Science, Australian National University

Version of 20 March 1995

© Xamax Consultancy Pty Ltd, 1995

Available under an AEShareNet Free for Education licence


Introduction

This document is designed as a background paper or opening statement for a panel session of the same name, at the Computers, Freedom & Privacy Conference, in San Francisco on 31 March 1995.


Identified Transactions

Transactions are representations of real-world events. A transaction is identified if a party to the transaction, i.e. a participant in the event, is described with sufficient precision that the transaction can be associated with a specific human being.

Some examples of identified transactions include:

During the twentieth century, there has been a very significant increase in the 'information intensity' of both government administration and business management. Parallel with this, there has been a growth in the size of organisations, and a concomitant increase in the 'social distance' between organisations and the people they deal with. People have come to identify much less with, and become less trustful of, corporations and government agencies. Corporations and government agencies have responded by trusting people less and less, and instituting control measures to prevent fraud and waste, detect it once it has occurred, and enable its investigation.

Central among these control measures has been the construction of an 'audit trail' of transactions, to enable retrospective analysis of events. Organisations are motivated to capture into the audit trail as much information as is technically and economically feasible, since the future needs of investigators are difficult to classify and predict. There is evidence that the form of transaction systems is being manipulated to increase the data intensity, e.g. by preferring taxation mechanisms which necessitate identification over the capture of per-transaction taxes at source, even though the latter permits anonymity without any negative impact on tax-collectibility.

An 'administrative imperative' has therefore arisen that transactions between individuals and organisations must be identified. This has worked in tandem with a 'technological imperative', whereby it has been perceived to be necessary to apply information technology to the processes of business and government. Various identification technologies have been harnessed to the need (see Attachments 1A and 1B).

In the view of corporations and government agencies, it has become almost an article of faith that people who decline to provide their identification, and indeed such other personal data as the organisation demands, must be cheats, and should be treated as such.


Erroneous Identification

A matter of increasing concern to organisations, and to some extent to individuals as well, is the scope for transactions to carry identification data which is ambiguous, misleading or simply incorrect. 'Proof' of identity essentially does not exist, and the construction of identification schemes which provide a degree of confidence appropriate to the circumstances is a challenging and expensive business.

Examples of problems with erroneous identification include:


Anonymity

Anonymity, in this context, refers to the absence of identification data in a transaction. The key characteristic of an anonymous transaction is that the specific identity of one or more of the parties to the transaction cannot be extracted from the data itself, nor by combining the transaction with other data.

Some examples of non-identified, anonymous transactions include:

People desire anonymity for a variety of reasons. Some of these are of dubious social value, such as avoiding detection of their whereabouts in order to escape responsibilities such as paying debts and supporting the children from a broken marriage; avoiding retribution for financial fraud; and obscuring the flow of funds arising from illegal activities such as theft, drug-trading and extortion (commonly referred to as 'money-laundering').

Other reasons for seeking anonymity are of arguably significant social value. One example is the desire to avoid unnecessary exposure of private information, and embarrassment (a privilege which may be more often granted by organisations to the rich, the famous and the infamous than to normal people). Another is the desire to keep personal data out of the hands of companies which are in the business of soaking up whatever data they can in order to use it for marketing purposes. Similarly, some people seek to deny data to government agencies, which they believe are prone to using data for multiple purposes, some of which are, or should be, irrelevant, and many of which lead to misunderstandings due to problems of data definition and data quality. A further important reason for anonymity is to deny public knowledge of one's whereabouts in order to avoid physical danger, e.g. from former criminal accomplices, from overly protective fathers, and from organisations which are outraged by something the individual has done, said or written.

There are many circumstances in which the interests of all parties can be protected, despite the absence of a record of identity; for example, by authenticating the party's eligibility and/or capability to conduct the transaction, rather than authenticating the individual.


The Battleground

Serious tensions are developing between organisations which seek substantial dataveillance powers, and individuals who seek to sustain some degree of private space. There are three broad paths which society can take towards the resolution of these tensions:


Pseudonymity

One contribution to the search for balance is the application of 'pseudonymity'. A pseudonym is an identifier for a party to a transaction, which is not, in the normal course of events, sufficient to associate the transaction with a particular human being. Hence a transaction is pseudonymous in relation to a particular party if the transaction data contains no direct identifier for that party.

There are several ways in which this can be achieved. One is the storage of partial identifiers by two or more organisations, which must both provide their portions of the audit trail in order that the identity of the party can be constructed. Another is for an indirect identifier to be stored with the transaction, and the cross-index between the indirect identifier and the person's real identity stored by an organisation which applies appropriate technical and organisational security measures, and is legally precluded from divulging the link except in specified circumstances.
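The two mechanisms just described, as an added illustration that is not part of the original paper: an indirect identifier (a keyed hash) is stored with the transaction while the cross-index is held by a separate custodian who releases the link only in specified circumstances, and a partial-identifier scheme in which the identity is split into two shares so that neither holding organisation can reconstruct it alone. The custodian key, the sample name and the 'warrant presented' condition are constructed for the example.

```python
import hmac
import hashlib
import secrets
from typing import Dict, Optional, Tuple

# Constructed example values; the key is held only by the cross-index custodian.
CUSTODIAN_KEY = b"custodian-secret-key"


def pseudonym_for(real_identity: str, key: bytes = CUSTODIAN_KEY) -> str:
    """Indirect identifier: a keyed hash, so the pseudonym cannot be recomputed
    from a list of candidate names by anyone who lacks the custodian's key."""
    return hmac.new(key, real_identity.encode(), hashlib.sha256).hexdigest()[:16]


def record_transaction(real_identity: str, event: dict, cross_index: Dict[str, str]) -> dict:
    """The transacting organisation keeps only the pseudonym; the custodian keeps the link."""
    pseudo = pseudonym_for(real_identity)
    cross_index[pseudo] = real_identity      # custodian's table, access-controlled
    return {"party": pseudo, **event}         # no direct identifier in the record


def resolve(pseudo: str, cross_index: Dict[str, str], warrant_presented: bool) -> Optional[str]:
    """Re-identification only in the specified circumstances (here: a warrant)."""
    if not warrant_presented:
        return None
    return cross_index.get(pseudo)


def split_identifier(real_identity: str) -> Tuple[bytes, bytes]:
    """Partial identifiers: XOR secret sharing. One share is random, the other is
    the identity XORed with it; each share alone is indistinguishable from noise."""
    data = real_identity.encode()
    share_a = secrets.token_bytes(len(data))
    share_b = bytes(x ^ y for x, y in zip(data, share_a))
    return share_a, share_b


def join_identifier(share_a: bytes, share_b: bytes) -> str:
    """Both organisations must contribute their portion to reconstruct the identity."""
    return bytes(x ^ y for x, y in zip(share_a, share_b)).decode()


if __name__ == "__main__":
    index: Dict[str, str] = {}
    tx = record_transaction("Jane Citizen", {"amount": 42, "item": "book"}, index)
    print(tx)                                                   # pseudonym only
    print(resolve(tx["party"], index, warrant_presented=False))  # None
    print(resolve(tx["party"], index, warrant_presented=True))   # Jane Citizen
    a, b = split_identifier("Jane Citizen")
    print(join_identifier(a, b))                                # Jane Citizen
```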

Such mechanisms already exist in a variety of settings. For example, epidemiological research in the health-care and social-science areas needs longitudinal data, including demographic data about the individuals concerned, but does not necessarily need to know their identities: a pseudo-identity is sufficient.

Another example is 'anonymous re-mailers', which enable individuals to obscure their identities when they send messages, by filtering them through a service which undertakes to protect the linkage between real and nominal identity. Such undertakings can be iron-clad, and the transactions thereby entirely anonymous, only where the service-operator and its clients forgo an audit trail, and with it any form of traceability. In many cases, however, the undertaking is likely to be qualified, and subject to, for example, search warrant and subpoena; the messages are therefore pseudonymous rather than anonymous.

There are also applications in the area of financial services, whereby some financial institutions in some countries are able to protect the identities of companies and individuals which have deposits with them, or undertake transactions through them. Similarly, buyers and sellers on stock exchanges do not, and do not need to, know the identity of the other party to the transaction. Innovative mechanisms which have been developed to serve the interests of the wealthy are capable of adaptation to the needs of people generally.


Conclusions

Anonymous and pseudonymous schemes are capable of being supported by modern information technology, for example by designing smart-card applications to serve the interests of people as well as those of corporations and government agencies.

If the complex web of transactions inherent in an information society and economy is to attract and sustain people's confidence, a multiplicity of interests needs to be balanced. It is imperative that the designs of systems reflect the interests not only of corporations and government agencies in attaching identification to transactions, but also those of individuals in denying information.

In the fast-arriving information age, the presumption that transactions should generally be identified needs to be reversed. The onus of proof must be placed on organisations to justify why anonymity, or at least pseudonymity, is inadequate in the circumstances.

Attachment 1A: Bases for Identification

*	appearance - how the person looks

*	social behaviour - how the person interacts with others

*	names - what the person is called by other people

*	codes - what the person is called by organisations

*	knowledge - what the person knows

*	tokens - what the person has

*	bio-dynamics - what the person does

*	natural physiography - what the person is

*	imposed physical characteristics - what the person is now

Clarke R.A. 'Human Identification in Information Systems: Management Challenges and Public Policy Issues' Information Technology & People 7,4 (December 1994)

Attachment 1B: Biometric Techniques

Clarke R.A. 'Human Identification in Information Systems: Management Challenges and Public Policy Issues' Information Technology & People 7,4 (December 1994)



Created: 15 March 1995

Last Amended: 15 March 1995

