understanding the importance and impact of anonymity and authentication in a networked society

Camera Phones and the Everyday

posted by:Rob Carey // 11:59 PM // November 29, 2005 // ID TRAIL MIX

On Nov. 15, Bill C-74, the Modernization of Investigative Techniques Act, was given first reading in the House of Commons. I mention this only because the ensuing commentary about the bill almost overshadowed another news item relevant to surveillance and privacy matters which appeared three days later. On Nov. 18, the technology forecasting company InfoTrends/CAP Ventures predicted that the shipment of camera phones would rise worldwide to 847 million units in 2009, from 370 million in 2005. The release goes on to note, “As an increasing number of users acquire and experiment with camera phones, the volume of images captured, shared and printed is projected to rise, producing additional revenue for wireless carriers and digital photo finishers alike.” According to another firm, Jupiter Research, the number of camera phone users who actually take and send photographs is likely to rise significantly as well, due to improvements in the camera's memory.

This imminent profusion of camera phones seems to beg the question (with apologies to Harold Lasswell), “who is watching whom, how, and with what effect?” If one asks this question of C-74, the answers are reasonably clear. Privacy advocates have excellent reasons for questioning whether the bill affords sufficient oversight to prevent the indiscriminate and arbitrary interception of electronic communications. Indeed, the provisions of C-74 seem exemplary of panoptic relations among those who watch and those who are (or who may be) watched, since a key purpose of C-74 is to remove technical and procedural barriers to surveillance; that is, to create conditions whereby the invigilation of electronic communications by certain agents is always possible. The few watching the many.

But this is obviously not the only way of describing relations among watchers and the watched. Mathiesen, for example, has applied the term synopticism to situations in which the many watch the few; Rosen uses 'omnipticism' to describe relations in which the many watch the many. While these terms can be applied to relations among users of other types of ICTs, the rapid development and proliferation of camera phones, with their ability to (surreptitiously) capture and transmit images, seem to invite rich speculation about who is watching whom and with what effect in a way that other technologies do not. In the UK, for example, pronouncements about the effect of camera phones on society are plentiful and fervid. With their genius for constructing moral panics, some elements of the British press have used episodes such as the so-called Happy Slapping mania to denounce the technology. Yet the BBC openly encourages its viewers to submit newsworthy camera phone footage, for which it is prepared to pay. One BBC editor called this "the democratization of newsgathering."

Similar ambivalence has greeted the introduction of most new ICTs. Moral panics aside, though, if one asks the question - “who is watching whom, how, and with what effect?” - of camera phones, few really clear answers are actually forthcoming. Partly, this is because camera phone users have yet to explore fully all the ways in which the phones enable them to be watchful of others. The few studies done on camera phone use so far seem to indicate that users tend not to photograph strangers; like instant messaging, the phones seem to be used as a phatic technology whose purpose is to support group cohesion. But there is no reason to think that phatic practices among familiar others will remain the primary use of the technology, particularly as camera phones become more commonplace. In his essay, Walking in the City, de Certeau writes of everyday practices that elude "visual, panoptic or theoretical" constructions: "If it is true that forests of gestures are manifest in the streets, their movement cannot be captured in a picture, nor can the meaning of their movement be circumscribed in a text." If the adoption of camera phones continues at the pace predicted by InfoTrends, they will indeed become ubiquitous elements of everyday life, and it is exactly this - their insinuation into the forests of everyday gestures - that makes the implications of their use fascinating to contemplate.



Inverse Copyright: Transmitient/Recipient Equiveillance

posted by:Steve Mann // 08:48 PM // November 22, 2005 // ID TRAIL MIX

"By exposing me to content you agree to the following Terms and Conditions"

Previously I have written about equiveillance (the equilibrium between surveillance and sousveillance) and there has been much criticism of some related ethnomethodological action research/art performances/interventions but not of the actual underlying philosophical or theoretical framework (i.e. the concept of Existential Technology in general, rather than the possibly flawed ethnomethodological action-research that goes along with it) (i.e. the often-asked question "why photograph the clerk and not the CEO").

Equiveillance, the subject of the opening keynote for the ACM2005 CFP conference, pertains to a balance-in-equilibrium of the information flow about ourselves with the information flow about others who are wishing to know more about us.

Privacy/solitude: definition

The two different but similar concepts of privacy and solitude often get lumped together under a "right to be le(f)t alone".

So let me disambiguate the often conflated concepts of privacy and solitude. I define privacy as the control of outgoing information, and solitude as the control of incoming information.

Loosely speaking, privacy is that which is violated by cameras, microphones, and other measurement instruments, whereas solitude is that which is violated by loudspeakers, billboards, and junk mail. Thus fighting against spam and junk mail is, according to the definition of privacy that I choose to use, not privacy activism, and in fact, such a fight actually threatens privacy.

Inverse copyright: Doing for solitude what equiveillance does for privacy

The sur/sousveillance equilibrium pertains to outgoing information (that which we produce), whereas, in this paper I present a reciprocal concept regarding balance for information flow towards us.

In our day-to-day lives we are bombarded by large quantities of unsolicited informatic content, both virtually, and in the real world. On computer networks this results in consumption of computational resources and is thus often considered theft of these resources, yet in the real-world, since it usually just consumes brain cycles rather than computer cycles, it's been regarded as less offensive. Previously I have argued that such a preference for the protection of computers over and above natural biological computational resources, may be unbalanced, at best.

However, let us say that, at a minimum, spammers, whether in cyberspace, or in the real-world, deserve no copyright protections.

I will defer the question of the elimination of spam to other articles, and, instead, focus here on simply stripping spammers of copyright protection.

The right to "rip+mix+burn" spam

As victims of bombardment with unsolicited informatic content, we may find ourselves, whether consciously, or subconsciously, remembering some of the material that we are bombarded with.

Spam hits us in many ways in both cyberspace and the real world. For example, maybe your neighbours are playing loud music until you ask them to turn down the music or you call the police to have them come out and tell them to turn it down.

Some spam is like a virus, and, for example, "there's a song in my head going round-and-round, and I don't want to hear it no more no more" I didn't ask to be bombarded with the song, but now that I've been exposed to it against my will, I might happen to remember it, and maybe even sing it, heaven forbid!

Maybe the song I didn't want to hear somehow influenced my fingers pressing down keys on a piano or flute. Should I be held liable for copyright infringement if I play my flute in a public place, even if I play more than a few bars of that song going around in my head?

The one-sided nature of intellectual propertarianism

Concepts like intellectual property and copyright fail to adequately protect the recipients of informatic content. In this sense, they are one-sided, i.e. they are "transmitient-centric".

Obviously in the scenario I outlined regarding musical memories, perhaps copyright did get infringed. And perhaps somebody should pay. But if anyone should pay, perhaps it should be the neighbours who were playing the loud music that I did not want to hear.

As a second example, consider a cyborglogger who streams his or her personal experience over the 'net. Some 'gloggers like Joi Ito have a huge following and thus anything they 'glog will be seen or heard by many. A truly dedicated 'glogger will not always filter what is streamed, and in fact, the medium of 'glogging is most profound when it is free-running. Thus the 'glogger is simply a pipe or conduit through cyberspace. What happens when spam, such as the loud unsolicited music or noise from next door, gets thrust into a 'glogger's pipe, and echoes out across cyberspace? Who should pay the piper for the tune that was not named?

A balance of absurdity

In my opinion, copyright, and for that matter, intellectual property in general, is a one-sided concept that has failed to consider the rights of a recipient. The audacity of copyright holders is all too evident in the absurd, and legally baseless "shrink wrap" and "click wrap" agreements that state something like "by opening this package you agree to the following..." or "by entering this website you agree to the following...".

In the existence of such absurdities, is it any more absurd to write "by exposing me to informatic content you agree to the following... if you do not agree to these Terms and Conditions, do not expose me to any of your informatic content"?



Ex-MI5 chief calls national ID cards "useless"

posted by:Mohamed Layouni // 11:26 AM // November 18, 2005 // Digital Democracy: law, policy and politics

Dame Stella Rimington, the former head of the UK Security Services MI5, declared -- following the government's recent defeat on its ID card plans -- that ID cards are forgeable and thus useless. She said:

ID cards have possibly some purpose.

But I don't think that anybody in the intelligence services, particularly in my former service, would be pressing for ID cards.

My angle on ID cards is that they may be of some use but only if they can be made unforgeable - and all our other documentation is quite easy to forge.

If we have ID cards at vast expense and people can go into a back room and forge them they are going to be absolutely useless.

ID cards may be helpful in all kinds of things but I don't think they are necessarily going to make us any safer.

For more, see the full BBC article here.



New digital health-care technologies and privacy

posted by:Chris Young // 07:42 PM // November 15, 2005 // TechLife

Last month the Ottawa Citizen featured a number of articles in its "High Tech" section that will be of interest to those attentive to developments in the area of medical technologies that have potential impact on personal privacy.

The article "Health-care system getting wired" reported on the digitization of patient health-care records, and featured Dr. Khaled El Emam (Canada Research Chair in Electronic Health Information), whose research focuses specifically on how to ensure the privacy of personal health records. Dr. Emam will be presenting at the Electronic Health and Privacy Conference on November 30th in Ottawa.

In "Kit monitors blood sugar over Internet" the Citizen reports on a technology being trialed by March Healthcare which will automatically log the results of blood sugar tests as they are taken every day. As the article notes, this will allow "[a]ny problem cases [to] become immediately evident and red-flagged for instant follow-up by a nursing co-ordinator".

Jason Millar has already noted on this blog the technical possibility of fully automating this process such that the blood sugar monitor is implanted in the body instead of resting on a desk, as it does in this trial.

In the last of the articles I will mention, "Health records are going electronic", the newspaper focuses on a computer database infrastructure called Oacis, which is developed and marketed by an Ottawa firm called DINMAR, and has been used in the Ottawa hospital system since 1996.

Although the article goes into great detail about the newest version of Oacis, what caught my attention was the last paragraph, which discusses how Oacis complies with the international health data storage and transmission standards specified by an organization known as HL7.

I would suggest to privacy gurus that HL7 would be very happy to receive input from professionals and academics working in non-technical fields. They have local chapters in most countries.



Je ne regrette rien - the romance and legacy of anonymity for the French Foreign Legionnaire

posted by:Jean Nelson // 07:19 PM // November 14, 2005 // ID TRAIL MIX

So you want to volunteer your life, limb and peace of mind to help the less fortunate in crisis situations but can you do so without sacrificing some privacy, especially as part of the volunteer recruitment process? Will your MD offer an opinion on whether you are up psychologically for the rigours of the job and sufficiently emotionally stable? And why stop at international volunteer positions—why not require a physician’s assessment and disclosure of medical and psychiatric history for all manner of positions and roles with extreme conditions—say being a parent or a Prime Minister? Is there still a job out there where one can be an anonymous adventurer?

These thoughts came to my mind when I was asked to provide feedback on some draft application forms for an international humanitarian recruitment cause. One such document included a letter from the candidate’s physician in which the doc was asked to assess whether the candidate had any “underlying psychological or dependency problems that would be adversely affected by extreme conditions?”

My first reaction—who would pass muster since biking to work through rush hour traffic without your first caffeine jolt of the day can be considered a “dependency problem….adversely affected by extreme conditions!” That being said, the forms provoked some free wheeling thoughts about other measures of psychological stability in various positions and our or the evaluator’s “right” to know this sensitive personal information.

Think about John McCain, erstwhile American Presidential nominee and former P.O.W in Vietnam. During the 1999-2000 Republican leadership race, rumours flew about his psychological fitness and alleged shortness of temper. In response, McCain’s campaign team released some 1500 pages of medical records. At the time and subsequently, his gesture seemed desperate, a distasteful baring of what had been private, another instance of the juggernaut of the electoral process and yet another example of the decreasing zone of privacy in public life.

But how does the French Foreign Legion fit in to this perhaps familiar lament? And what do Presidential candidate psychological profiles and international altruistic volunteers have to do with international volunteers for less humanitarian ends?

Well, the Legion is fabled in history, literature, film and culture (including pop culture since Foghorn Leghorn and Bugs Bunny of Looney Tunes Fame also famously joined the ranks!) as a place where the volunteer finds anonymity in the “extreme conditions” of the Legion wars, a place to take on an assumed identity, no questions asked and maybe even find some romance with other disaffected souls. Gary Cooper, for instance, in Marlene Dietrich’s first American film, 1930’s “Morocco”, played a disenchanted adventurer with the plainsong and clearly assumed moniker of “Tom Brown” while Marlene was the nightclub chanteuse with the equally fictitious name of “Amy Jolie”. Apart from the portrayal of the Legion, this film is worth seeing for all manner of reasons, not the least of which is the vision of Marlene in tailored tux kissing a female patron of the seedy desert boite squarely on the lips or the final shot of Marlene as the lovelorn following her legionnaire beau into the desert in her filmy nightclub wear and heels... but I digress.

Now apart from Gary Cooper or Bugs, could someone in the twenty first century still anonymously join the French Foreign Legion? Frankly, as I began my rather desultory web surfing, I was half-convinced that the Legion must have joined the ranks of the vehemently “non-anonymous”. Elementary school report cards and doctor’s notes were probably de rigueur. So imagine my surprise when I came across the official web site of the French Foreign Legion (available in a dozen or so languages) and found the opposite---Bugs can still be Bugs X in the Legion today since it is possible to enlist under a “declared identity” or pseudonym.

Because it is truly fascinating stuff, I would like to repeat some of the questions and answers on identity, anonymity and nationality from the web site.

1. Am I obliged to join under a declared identity?
Yes. This provision was initiated to benefit all those who join the Legion because they want to forget their past and “turn over a new leaf”. It still exists, even if the vast majority of Legion candidates nowadays have no particular problems and our investigation techniques permit us to eliminate any “undesirable elements”. The “declared identity” exists to keep everyone on a level footing. Those who need anonymity and those who don’t.
2. Can I subsequently get back my real identity?
Yes. We have a procedure known as “Military regularization of situation” which can be used by any legionnaire after one year’s service. It is useful for those who have no particular problems outside the Legion. Fresh identity papers must be obtained from the legionnaire’s original country. A legionnaire, if he so wishes, can spend his entire career under “declared identity”.
3. Can a Frenchman join the Foreign Legion?
Yes. Under “declared identity” a Frenchman’s nationality is changed to that of another French speaking country, so he becomes a foreigner. He can ask for his real identity and nationality after one year’s service.
4. Conversely, can a foreign born legionnaire become French?
Yes. A legionnaire of foreign nationality can ask for French nationality after three years’ service. He must have been through “military regularization of situation” and be serving under his real name. He must no longer have problems with the authorities, and he must have served with “honour and fidelity” for at least three years. French nationality cannot be granted under declared identity.

To my mind, the web site’s response to the FAQs confirms that anonymity is still needed even as it is equally intriguing to speculate about “the particular problems” one might have that would require refuge in the Legion! (Note, as an aside, that the website also clearly states elsewhere that “whatever your marital status, you will be enlisted as a single man”!) On this last note, one of the French Foreign Legion’s adopted theme songs is Edith Piaf’s song of defiance, “Non, Je ne regrette rien”. Thus, it would seem, that contrary to all expectations, there is still a place and a position where one’s past, regretted or not, can be reviewed and perhaps re-lived anonymously.

Jean Nelson is legal counsel for the Canadian Medical Association.


anonymity, privacy and p2p litigation

posted by:Alex Cameron // 01:53 PM // November 10, 2005 // Digital Democracy: law, policy and politics

I recently attended and gave a talk at the First Annual p2p Litigation Summit in Chicago. One of the key topics of discussion related to the privacy implications of court-ordered disclosure of individuals' identities in cases where they are alleged to have committed a legal wrong online. The differences between Canada and the US on this point are surprising. The conference was very interesting and included a presentation from an individual who had been wrongly named in one of the RIAA lawsuits. I've provided a couple of reflections on what I took away from this conference for p2pnet.

My thoughts

Ray Beckerman's RIAA p2p litigation blog

Ray Beckerman's report of the Summit



Money's Nice, but Freedom's Nicer

posted by:Mohamed Layouni // 09:46 AM // // Digital Activism and Advocacy

Prominent technology companies such as Google, Yahoo, Cisco, and Microsoft, have been accused in the past of conspiring with repressive governments to trace dissident Internet users in countries where they operate. Reporters Without Borders, the human rights watchdog group, claims that such practices are driven by greed and done in pure pursuit of the almighty dollar. Recently, the watchdog group joined an alliance of researchers and investors to call on technology companies to "proclaim their commitment to freedom of expression", and stop betraying their customers...

For more, see the full Wired News article.



The Nature of Privacy

posted by:Steven Davis // 08:41 PM // November 08, 2005 // ID TRAIL MIX

My blog, which is drawn from my paper Privacy, Rights, and Moral Value, consists of two parts: a definition of privacy, which includes an account of the nature of personal information, and replies to some criticisms that might be raised against my definition. I begin with a definition of privacy.

In society T, S, where S can be an individual, institution 1, or a group, possesses privacy with respect to some proposition, p, and individual U if and only if
(a) p is personal information about S.
(b) U does not currently know or believe that p.
In society T, p is personal information about S 2 if and only if most people in T would not want it to be known or believed that q where q is information about them which is similar to p 3, or S is a very sensitive person who does not want it to be known or believed that p. 4 In both cases, an allowance must be made for information that most people or S make available to a limited number of others. 5

Referring to a particular person, U, in the analysis of privacy, is to account for the fact that one can possess privacy with respect to one person, but not with respect to another. 6 If I tell my wife something about myself that I tell no one else, I do not have privacy with respect to her and the information that I impart to her, but I have privacy with respect to others. We can say that someone has absolute privacy with respect to some information about himself if no one has the information and partial privacy if there are others who possess the information, but it is not widely known or believed.

The analysis above says nothing about what it is for someone to suffer a loss of his privacy. But it is easy enough to see how this would go. Let us return to the example of the rabbi and his eating blood pudding, a report of which has appeared in a newspaper, and about which the rabbi wishes no one knows. Currently, no one has the information about the event, since everyone connected to the newspaper article has either forgotten it or passed away. Ruth reads the newspaper and discovers what the rabbi did. The rabbi would then suffer a loss of his privacy, since Ruth’s coming to know about the event is sufficient for there to be a loss of the rabbi’s privacy. In the rabbi example, the rabbi wishes that others not know about his eating food that is not kosher, but this is not necessary for a loss of privacy. 7 A loss can occur even when the person who loses his privacy is indifferent about whether others have certain personal information about him. All that is necessary is that in his society most people would not want similar information about themselves to be known or believed, except by those to whom they choose to reveal the information. A loss can occur even when the disclosure is not documented or public, for example, when I tell a friend something that I regard to be personal, who does not pass on the information or when a Peeping Tom looks through my window, who keeps what he sees to himself. 8

I would like to answer a number of criticisms that have been raised and could be raised against my account of privacy. The first criticism is that a change of mind could engender a loss of privacy. Suppose that there is some personal information about a person that he does not wish others to know or believe, but about which most people in his society are indifferent about whether others know or believe it. Further suppose that he changes his mind and is no longer sensitive about the information. It is counter-intuitive that he has lost his privacy with respect to the information, as my account would seem to suggest. What this criticism fails to take into consideration is that on my account a loss of privacy with respect to certain information can only occur if the information is personal information. After the person changes his mind, the information about him is not something about which he is currently sensitive nor are others in his society. Hence, it is not personal information about him and consequently, there is no loss of his privacy once he changes his mind. What we can say is that by changing his attitude towards the information, although he does not suffer a loss of privacy, he no longer has privacy with respect to the information. He and others in his society are indifferent as to whether it is known or believed by others. To this sort of information that is not personal the concept of privacy does not apply. 9

The second criticism of my account turns on surveillance cameras that can record our activities about which we might be sensitive. It could be argued that there is a loss of our privacy even without there being someone who views the recorded tapes of our activities, something that is required by my account of privacy and loss of privacy. 10 This criticism confuses a loss of privacy with a fear of a loss of privacy. Imagine the following cases in which there are surveillance cameras taking pictures, but in which there is no loss of privacy. There are surveillance cameras that someone has set up which record personal information about us, but before he is able to look at the recordings, he dies. There are surveillance cameras set up to record personal information about me, but I am the only person in the world. In neither case is there a loss of privacy. Thus, surveillance is not sufficient for a loss of privacy. 11

The third criticism is that the analysis does not cover everything that is included in privacy, for example what is called physical privacy. Someone comes into my home uninvited. Clearly, there is a loss of my privacy. The analysis, I believe, covers this case. The intruder has gained some information about me that I do not wish him to have, namely, visual information about what the inside of my house looks like, what sorts of possessions I have, how I arrange my dwelling etc. 12 A similar case that some might think is not covered in the analysis is the following. Imagine that I want to be alone and seek solitude by walking far out on a promontory to watch the bounding surf and think about the meaning of life. Someone who knows me spies me from afar and comes out to where I am sitting and plunks herself down beside me. She already knows what I look like and so does not come to have any personal information about me that I wish to keep from others, but some might think that she has intruded into my privacy. I think that this confuses solitude with privacy. 13 It is the former that is lost in this case, not the latter. 14

The fourth criticism is that the account of personal information that I have offered is not necessary for privacy. All that is needed is (a) and (b). 15 On this view, a person has privacy with respect to some information about himself and someone else just in case she is not aware of the information about him. Desires do not come into the picture. There are difficulties, however, with this view. Suppose that Jones has never seen me and does not know what I look like. How I look then is information that Jones lacks, but it is not the sort of information about which others in my community and I are sensitive. On the view that (a) and (b) are sufficient for privacy, I have privacy with respect to my appearance and Jones. If he were to see me in the street and thus, come to know how I look, it would follow from this analysis of privacy that I have lost my privacy about my appearance with respect to Jones, a clearly counter intuitive result. Worse still, there are rather trivial truths about me that I certainly do not care whether anyone knows, nor does anyone in my community care whether similar propositions are known about them. Consider the proposition that I am self-identical 16 and suppose that no one has entertained this proposition about me. On the view under consideration, I have absolute privacy with respect to this proposition and would suffer a loss of privacy were someone to come to believe it about me. Thus, an account of personal information that turns on desires about information is necessary for an account of privacy.


1 ‘Institution’ is meant to cover companies, governments, universities, etc.
2 For the proposition, p, to be about S, there must be a sentence, s, that contains a singular term, t, that were s to be used, t would be used referentially with S as its referent and on this use, s would express p. The proposition, p, then would be what is called a singular proposition. See Steven Davis and Brendan Gillon, Semantics: A Reader. (New York: Oxford University Press, 2004) pp. 83-88.
3 This is in the conditional, since there could be information most people have never considered, but were they to become aware of it, it would be information that they would not want to be known or believed, except perhaps by a limited number of others.
4 This is adapted from Parent, “Privacy, Morality and the Law,” p. 269 - 270.
5 On my account of privacy, someone has privacy to personal information about him, even if the personal information involves his having committed an illegal act, murdering someone, for example. If the police find out that S is the murderer, he has lost his privacy with respect to this information, but his right to privacy has not been violated, since his right to privacy about the murder is overridden by the legitimate state interest in protecting public security. This point is in reply to a criticism of the definition raised by Heidi Maibom and Fred Bennett, private communication.
6 This point is taken from David Matheson’s paper, “Privacy, Knowledge, and Knowableness,” p. 1.
7 Although as David Matheson (private communication) has noted, Ruth’s coming to believe that the rabbi has eaten blood pudding, because she had a dream about the rabbi will not do. For the rabbi to have suffered a loss of privacy, Ruth must have some warrant for her belief about him.
8 The second of William L. Prosser, “Privacy,” (1960) 48 California Law Review p. 389 torts involving privacy is that a loss occurs if there is public disclosure of embarrassing private facts and Parent, “A New Definition of Privacy for the Law,” p. 306 takes it as a necessary condition for a loss of privacy that personal information has to be documented.
9 This objection is due to David Matheson, private communication.
10 This was suggested as an objection to my analysis by Steve Mann when I delivered a version of this paper in Toronto in October 2004 at the On the Identity Trail: Understanding the Importance and Impact of Anonymity and Authentication in a Networked Society research group.
11 I shall argue that in these sorts of cases there is a violation of a person’s right to privacy without there being a loss of his privacy.
12 This point was made in David Matheson’s “Privacy, Knowledge, and Knowableness,” p. 22.
13 On some views, for example, Ruth Gavison, in “Privacy and the Limits of Law,” p. 433, solitude is a kind of privacy. If this were the case, then whenever one’s solitude is lost, so too should one’s privacy. In the scenario I present, my solitude is lost, but not my privacy. Hence, solitude is not a kind of privacy.
14 See Parent, “Recent Work on the Concept of Privacy,” p. 348 for a similar point.
15 If (a) and (b) are taken to be sufficient, then there will have to be an account of what makes information personal. One way of understanding personal information is to take it to be information about a person that can be known empirically. This is the account of privacy and personal information that David Matheson offers in “Privacy, Knowledge, and Knowableness” and “The Personal and the Empirical,” (2005) On the Identity Trail. Matheson’s theory of privacy is open to the counterexamples that I offer here.
16 This proposition is an empirical proposition, since it presupposes that I exist, something that can only be known by empirical means. See footnote 53.



Sony's anonymous software agents are exposed

posted by:Jason Millar // 10:28 AM // November 04, 2005 // TechLife

Sony Music's latest attempt to "protect" copyrighted material installs an anonymous software agent on your computer. Amazingly, the company employed a design strategy commonly used by "spyware" programs, resulting in a predictable backlash from users. What's more, Sony doesn't seem to have included any mention of the agent in its end user agreement.

Read about some of the details (including a blurb on the privacy concerns raised by such technologies) here.



small steps for microsoft

posted by:Shannon Ramdin // 10:04 AM // // Commentary &/or random thoughts

Microsoft has taken the impressive step of calling for a national privacy law.

Read about it here.



On E-Government Authentication and Privacy

posted by:Stefan Brands // 01:40 PM // November 01, 2005 // Computers, Freedom & Privacy Conference (CFP) | Digital Activism and Advocacy | Digital Democracy: law, policy and politics | ID TRAIL MIX | Surveillance and social sorting | TechLife

Governments around the world are working to implement digital identity and access management infrastructures for access to government services by citizens and businesses. E-government has the potential of bringing major cost, convenience, and security benefits to citizens, businesses, and government alike. There are major architecture challenges, however, which cannot be solved by simply adopting modern enterprise architectures for identity management. Namely, these architectures involve a central server that houses the capability to electronically trace, profile, impersonate, and falsely deny access to any user. In the context of an e-government infrastructure, the privacy and security implications for citizens of such a panoptical identity architecture would be unprecedented.

By way of example, consider the implications of adopting the Liberty Alliance ID-FF architecture (the leading industry effort for so-called "federated" identity management) for e-government. The ID-FF describes a mechanism by which a group of service providers and one or more identity providers form circles of trust. Within a circle of trust, users can federate their identities at multiple service providers with a central identity provider. Users can also engage in single sign-on to access all federated local identities without needing to authenticate individually with each service provider. Liberty Alliance ID-FF leaves the creation of user account information at the service provider level, and in addition each service provider only knows each user under a unique “alias” (also referred to by ID-FF as “pseudonyms”). However, the user aliases in Liberty Alliance ID-FF are not pseudonyms at all: they are centrally generated and doled out by the identity provider, which acts in the security interests of the service providers.

While the Liberty Alliance ID-FF architecture may be fine for the corporate management of the identities of employees who access their corporate resources, it would have scary implications when adopted for government-to-citizen identity management. The identity provider and the service providers would house the power to electronically monitor all citizens in real time across government services. Furthermore, insiders (including hackers and viruses) would have the power to commit undetectable massive identity theft with a single press of a central button. Carving out independent “circles of trust” is not a solution: the only way to break out of the individual circle-of-trust “silos” that would result would be to merge them into a “super” circle by reconciling all user identifiers at the level of the identity providers. This would only exacerbate the ID-FF privacy and security problems.

More generally, replacing local non-electronic identifiers by universal electronic identifiers has the effect of removing the natural segmentation of traditional activity domains; as a consequence, the damage that identity thieves can do is no longer confined to narrow domains, nor are identity thieves impaired any longer by the inherent slowdowns of a non-electronic identity infrastructure. At the same time, when the same universal electronic identifiers are relied on by a plurality of autonomous service providers in different domains, the security and privacy threats for the service providers no longer come only from wiretappers and other traditional outsiders: a rogue system administrator, a hacker, a virus, or an identity thief with insider status can cause massive damage to service providers, can electronically monitor the identities and visiting times of all clients of service providers, and can impersonate and falsely deny access to the clients of service providers.

On the legal side, the compatibility of modern enterprise identity architectures with data protection legislation and program statutes is highly questionable. Also, the adoption of enterprise identity architectures in the context of e-government would directly interfere with Article 8 rights under the European Convention on Human Rights. Specifically, any interference with privacy rights under Article 8 must do so to the minimum degree necessary. Enterprise identity architectures violate this requirement: far less intrusive means exist for achieving the objectives of e-government.

Specifically, over the course of the past two decades, the cryptographic research community has developed an array of privacy-preserving technologies that can be used as building blocks for e-government in a manner that simultaneously meets the security needs of government and the legitimate privacy and security needs of individuals and service providers. Relevant privacy-preserving technologies include digital credentials, secret sharing, private information retrieval, and privacy-preserving data mining.

By properly using privacy-preserving technologies, individuals can be represented in their interactions with service providers by local electronic identifiers. Service providers can electronically link their legacy account data on individuals to these local electronic identifiers, which by themselves are untraceable and unlinkable. As a result, any pre-existing segmentation of activity domains is fully preserved. At the same time, verifier-trusted authorities can securely embed into all of an individual’s local identifiers a unique “master identifier” (such as a random number). These embedded identifiers remain unconditionally hidden when individuals identify themselves on the basis of their local electronic identifiers, but their hidden presence can be leveraged by service providers for all kinds of security and data sharing purposes without introducing privacy problems. The privacy guarantees do not require users to rely on third parties - the power to link and trace the activities of a user across his or her activity domains resides solely in the hands of that user.

In the context of e-government, security and privacy are not opposites but mutually reinforcing, assuming proper privacy-preserving technologies are deployed. In order to move forward with e-government, it is important for government to adopt technological alternatives that hold the promise of multi-party security while preserving privacy.

For more information, interested readers are referred to my personal blog at www.idcorner.org.
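The following is an added illustration, not code from the post or its author, of the idea of local identifiers that hide a shared master identifier and can be linked only by the user. It is a simplification built on Pedersen commitments and a Schnorr proof rather than the digital credential protocols the post refers to; the group parameters are constructed for the demo and far too small for real use, and all function names are hypothetical.

```python
import hashlib
import secrets
from math import gcd

Q = 2**61 - 1  # Mersenne prime used as the demo group order (constructed, too small for real use)

def _find_modulus(q):
    # Smallest p = k*q + 1 that Pocklington's test (base 2) proves prime.
    for k in range(2, 10**4, 2):
        p = k * q + 1
        if pow(2, p - 1, p) == 1 and gcd(pow(2, k, p) - 1, p) == 1:
            return p, k
    raise RuntimeError("no modulus found")

P, K = _find_modulus(Q)
G = pow(2, K, P)  # generator of the order-Q subgroup
# Second generator derived by hashing, so that nobody knows log_G(H).
H = pow(int.from_bytes(hashlib.sha256(b"constructed-demo-h").digest(), "big"), K, P)

def new_local_id(master_id):
    """Return (local_id, blinding). local_id = G^master * H^r hides master_id
    unconditionally and is unlinkable to the user's other local identifiers."""
    r = secrets.randbelow(Q)
    return pow(G, master_id, P) * pow(H, r, P) % P, r

def _challenge(*vals):
    # Fiat-Shamir challenge bound to both identifiers and the commitment t.
    return int.from_bytes(hashlib.sha256(repr(vals).encode()).digest(), "big") % Q

def prove_same_master(id1, r1, id2, r2):
    """User-side proof that id1 and id2 embed the same master identifier.
    Only the holder of both blinding values can produce it."""
    k = secrets.randbelow(Q)
    t = pow(H, k, P)
    s = (k + _challenge(id1, id2, t) * (r1 - r2)) % Q
    return t, s

def verify_same_master(id1, id2, proof):
    """Service-provider check; reveals nothing about the master identifier."""
    t, s = proof
    d = id1 * pow(id2, -1, P) % P  # equals H^(r1-r2) only if the masters match
    return pow(H, s, P) == t * pow(d, _challenge(id1, id2, t), P) % P
```

Without the blinding values, two service providers comparing their stored identifiers see only unrelated group elements; linking happens only when the user chooses to run `prove_same_master`.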





This is a SSHRC funded project:
Social Sciences and Humanities Research Council of Canada