The Path to Anonymity
Thanks to anonymous and AJ for the exemplary report:
Privacy-enhancing Technologies: The Path to Anonymity
Registratiekamer, The Netherlands
Information and Privacy Commissioner/Ontario, Canada
August 1995
Volume I
Volume II
is available at:
http://www.replay.com/mirror/privacy/
_________________________________________________________
Introduction [Excerpts]
The Dutch Data Protection Authority (the Registratiekamer)
and the Information and Privacy Commissioner for the
Province of Ontario, Canada (IPC) are both privacy
protection agencies that oversee compliance with their
respective jurisdiction's privacy laws. The Registratiekamer
and IPC decided to pool their resources and collaborate in
the production of a report exploring privacy technologies
that permit transactions to be conducted anonymously. The
first international paper of this type includes a survey of
companies that might be expected to offer such
technologies, and organizations that might use them.
In addition to anonymous transactions, the range of
security features commercially available for use and the
types of services actually being used by various
organizations were also examined (see 2.1 Survey
methodology). The Registratiekamer and IPC felt that a
joint report outlining the practices followed in their
respective jurisdictions would shed some light on this
little-studied but extremely important area where the
future of privacy-protection in an electronic world may
lie.
Consumer polls have repeatedly shown that individuals value
their privacy and are concerned with its potential loss
when so much of their personal information is routinely
stored in computer databases, over which they have no
control. Protecting one's identity goes hand in hand with
preserving one's ability to remain *anonymous* -- a key
component of privacy. While advances in information and
communications technology have fuelled the ability of
organizations to keep massive amounts of personal data,
this has increasingly jeopardized the privacy of those
whose information is being collected. Minimizing
identifying data would restore privacy considerably, but
would still permit the collection of needed information.
When assessing the need for identifiable data during the
course of a transaction, the key question one must start
with is: how much personal information/data is truly
required for the proper functioning of the information
system involving this transaction? This question must also
be asked at the outset -- prior to the design and
development of any new system. But this is not the case
today.
This question is rarely asked at all since there is such a
clear preference in favour of collecting identifiable data,
'the more the better'. However, with the growth of
networked communications and the ability to link a wide
number of diverse databases electronically, people will
become more and more reluctant to leave behind a trail of
identifiable data. What is needed is a paradigm shift away
from a 'more is better' mindset to a minimalist one. Is it
possible to minimize the amount of identifiable data
presently collected and stored in information systems, but
still meet the needs of those collecting the information?
We believe that it is.
The technology needed to achieve this goal exists today. We
will describe some of the privacy technologies that permit
one to engage in transactions without revealing one's
identity by introducing the concept of an *identity
protector*. The notion of *pseudonymity* will also be
introduced as an integral part of protecting one's
identity. These technologies are available now and within
our reach; what is needed is the will to implement privacy
technologies over the tracking technologies that are in use
today.
When organizations are asked what measures they have in
place to protect privacy, they usually point to their
efforts at keeping information secure. While the use of
security measures to prevent unauthorized access to
personal data is a very important component of privacy, it
does not equal privacy protection. The latter is a much
broader concept which starts with the questioning of the
initial collection of the information to ensure there is a
good reason for doing so and that its uses will be
restricted to legitimate ones that the data subject has
been advised of. Once the data has been collected, security
and confidentiality become paramount. Effective security
and confidentiality will depend on the implementation of
measures to create a secure environment.
Alternatively, instead of restricting the focus to security
alone, a more comprehensive approach would be to seek out
ways in which technology may be used to enhance the
protection of informational privacy or data protection. We
use the term *privacy technologies* to refer to a variety
of technologies that safeguard personal privacy by
minimizing or eliminating the collection of identifiable
data.
Not only are measures that safeguard privacy becoming an
important mark of quality, but increasingly, consumers are
demanding that organizations pay attention to their privacy
concerns. Social acceptance of demands for one's personal
information, without adequate assurances of protection,
appears to be on the decline. Not only do consumers wish to
maintain control over their personal data and be informed
of its uses, but insufficient protection will be reason
enough for consumers to take their business elsewhere -- to
companies that follow privacy-protective practices.
-----
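The excerpt names an "identity protector" and pseudonymity but, being an introduction, does not say how they work. The following is an added illustration, not code from the report or from either agency: one way such a component can be built, under my assumptions that the protector holds a secret key, issues a different pseudonym for the same person in each service domain (so records held by two services cannot be joined on the pseudonym), and is the only party able to map a pseudonym back to a real identity. The class name, method names and the sample identities are all constructed for this example.

```python
"""Toy identity protector: keyed, per-domain pseudonyms.

Added example, not the report's design. Assumptions (mine):
  * the protector holds a secret key and is trusted by the user;
  * each service sees only a pseudonym stable within its own domain;
  * pseudonyms for different domains are unlinkable without the key;
  * only the protector can reveal the real identity, and only when
    an authorization flag (checked by the caller's policy) is set.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple


def _encode(domain: str, identity: str) -> bytes:
    """Length-prefix both fields so ("ab","c") and ("a","bc") differ."""
    d, i = domain.encode("utf-8"), identity.encode("utf-8")
    return len(d).to_bytes(2, "big") + d + len(i).to_bytes(2, "big") + i


class IdentityProtector:
    def __init__(self, key: Optional[bytes] = None) -> None:
        # 256-bit key; a fresh random one per protector instance if none given.
        self._key = key if key is not None else secrets.token_bytes(32)
        # Reverse map held only by the protector, never given to services.
        self._escrow: Dict[Tuple[str, str], str] = {}

    def pseudonym(self, identity: str, domain: str) -> str:
        """Return a pseudonym for `identity` valid in `domain`.

        HMAC-SHA256 over (domain, identity): deterministic for the same
        pair, so a service can recognise a returning user, but a party
        without the key cannot recover the identity or link the value to
        the same person's pseudonym in another domain.
        """
        mac = hmac.new(self._key, _encode(domain, identity), hashlib.sha256)
        pseud = mac.hexdigest()[:32]  # 128 bits is enough for uniqueness here
        self._escrow[(domain, pseud)] = identity
        return pseud

    def reveal(self, domain: str, pseud: str, authorized: bool) -> Optional[str]:
        """Map a pseudonym back to the identity; refused unless authorized."""
        if not authorized:
            raise PermissionError("identity disclosure not authorized")
        return self._escrow.get((domain, pseud))


class Service:
    """A service that stores transactions keyed by pseudonym only."""

    def __init__(self, domain: str) -> None:
        self.domain = domain
        self.records: Dict[str, list] = {}

    def record(self, pseud: str, item: str) -> None:
        self.records.setdefault(pseud, []).append(item)


def linkable(a: Service, b: Service) -> int:
    """How many pseudonyms two services can join directly on. Expected: 0."""
    return len(set(a.records) & set(b.records))


if __name__ == "__main__":
    ip = IdentityProtector()
    shop, pharmacy = Service("bookshop"), Service("pharmacy")
    # Constructed sample identities.
    for who, what, svc in [("alice@example.org", "novel", shop),
                           ("alice@example.org", "aspirin", pharmacy),
                           ("bob@example.org", "atlas", shop)]:
        svc.record(ip.pseudonym(who, svc.domain), what)
    print("joinable pseudonyms across services:", linkable(shop, pharmacy))
    p = ip.pseudonym("alice@example.org", "bookshop")
    print("bookshop history for one pseudonym:", shop.records[p])
```

The design choice worth noting is that the pseudonym is a keyed MAC rather than a plain hash: a plain SHA-256 of an e-mail address lets anyone with a list of addresses recompute and unmask it, whereas the keyed version is only reversible through the protector's escrow table, which is the point of having a distinct identity protector at all.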