WS>>(2)Chip-Based ID: Promise and Peril

carl william spitzer iv cwsiv_2nd at JUNO.COM
Fri Feb 1 10:59:33 MST 2002


          Dataveillance Risks

          Dataveillance is the systematic use of personal data
     systems in the investigation or monitoring of the actions or
     communications of one or more persons. Personal surveillance
     is the surveillance of an identified person. Mass surveillance
     is the surveillance of groups of people, usually large groups,
     generally so as to identify individuals who belong to some
     particular class of interest to the surveillance organisation,
     or perhaps to repress their behaviour.

          Organisations acquire power over individuals through the
     accumulation of data about them. They can enhance that power
     by drawing data from multiple sources. Individuals are
     generally incapable of withstanding the pressure, and of
     enforcing correction of erroneous data, mistaken judgements
     and unreasonable decisions.

          At the level of society as a whole, further serious
     problems arise, as a climate of suspicion prevails, and
     individual self-determination and diversity are strangled by
     the 'chilling effect' of omnipresent monitoring.

          The threats of dataveillance to privacy are well
     documented (e.g. Clarke 1988), and are not further examined
     here.

          Threats in Chip-Based Schemes

          Chip-cards are capable of being applied to a great many
     purposes. This section provides a brief scan of the privacy
     implications of several of them. Additional analyses are to
     be found in the N.S.W. Privacy Committee's 'Smart Cards: Big
     Brother's Little Helpers' (1995); and in Privacy
     International's archives on Identity Cards.

          An assessment of the privacy issues in the retail
     financial sector (Clarke 1996d) identified the following
     major concerns:

          - greatly increased intensity of transaction trails
            ('whereas your credit-card and debit-card generated a
            trail of 5-10 transactions per month, or perhaps per
            week, your smart card can enable the recording of
            where you are and what you are doing 5-10 times per
            day');

          - exploitation of the transaction trails: by government
            agencies, which represents oppressive use of the
            State's power over individuals; and by consumer
            marketing corporations to better target prospects for
            their goods and services;

          - the risk of 'function creep', i.e. extension to
            additional functions; and

          - 'proof of identity' concerns, particularly: the need
            for 'proof of identity' in relation to the acquisition
            or use of a card; and the use of a smart card as
            multi-purpose 'proof of identity'.

          Beyond their applications in financial services, cards
     and their associated databases can provide evidence of
     identity and of affiliation. The risks have been dramatised,
     although not unduly exaggerated, using the catchcry "Is your
     Jew-bit set?", and "Let your card 'out' your homosexuality
     for you!". Beyond the well-known examples such as the fate
     of Jews in The Netherlands at the time of the Nazi invasion,
     recent press reports suggested that racial information
     associated with the national id card was used in
     distinguishing people's tribal association during the Rwanda
     massacres.

          Two further applications of chips are of great
     significance. The first of these is as a means of carrying
     the cryptographic keys that are very likely to be used by
     people in the near future to encrypt messages, and to
     digitally sign electronic documents. There is a serious risk
     that one maverick nation, the United States, may continue its
     unrealistic, Cold War-era stance, and seek the ability to
     intrude into individuals' private keys.

          In any case, digital signatures, and the key
     certification authority mechanism to support them, generate a
     range of privacy implications. These are examined in
     Greenleaf & Clarke (1997).

          Another application of a chip is to carry a biometric,
     i.e. a measure of some part of a person such as a
     fingerprint, or the geometry of a hand, finger, or thumb; or
     of some pattern of the person's behaviour, such as the
     dynamics of signature-writing or password-typing. The
     biometric can then be used to test whether the person
     presenting the card is likely to be the same as the person to
     whom it was issued. It could also be used as a means of
     unlocking the encryption keys stored on the same chip.
     Biometrics are for many people highly intrusive and
     threatening. Depending on how they are applied, they could
     not just seem that way, but be that way.

          Threats in Multi-Purpose Identification Schemes

          Many identification schemes are used by a single
     organisation, for a single purpose; but there are obvious
     attractions in sharing the costs across multiple
     organisations and business functions.

          A special case of a multi-purpose id scheme is what is
     usefully described as an 'inhabitant registration scheme'.
     This provides everyone in a country with a unique code, and
     a token (generally a card) containing the code. It is
     typically used for the administration of taxation, national
     superannuation and health insurance. In some countries, it
     is used for additional purposes, such as the administration
     of social welfare and banking, and to ensure that particular
     rights are exercised only by people entitled to them, such
     as the exercise of voting rights, the right of residence,
     the right to work, the right of movement across the
     country's borders, and the right of movement within the
     country.

          Inhabitant registration schemes are endured, and
     perhaps even welcomed, by the inhabitants of some countries;
     but are disliked, actively opposed, and undermined in many
     others.

          Privacy-related protections vary from very little to
     moderately strong; but the very existence of such a scheme
     represents a threat against which mere 'data protection' or
     'fair information practices' arrangements are almost an
     irrelevance. The public policy aspects of schemes of this
     nature are discussed in Clarke (1992), and at Clarke
     (1994c).

          To create a surveillance society, three conditions need
     to be fulfilled:

      1.  there needs to be a range of personal data systems, each
          processing data for specific purposes;

      2.  personal data systems must be connected via one or more
          telecommunications networks; and

      3.  the data must be identified consistently.

          The first two have been satisfied during the last two
     decades, as a result of the application of information
     technology. The third is accordingly the critical technical
     factor inhibiting the achievement of a surveillance society.
     Inhabitant registration schemes overcome that hurdle (Clarke
     1988).

          Threats in Chip-Based Multi-Purpose Identification
     Schemes

          It can be no surprise that the application of chips to
     comprehensive, multi-purpose ID schemes results in a
     compounding of the privacy threats that arise from each of
     them.

          An assessment is to be found in Davies (1996),
     especially at pp. 75-133, 161-175. The book is reviewed at
     Clarke (1996e).

          In Clarke (1994c), the conclusion was reached that:

          Any high-integrity identifier represents a threat to
          civil liberties, because it represents the basis for a
          ubiquitous identification scheme, and such a scheme
          provides enormous power over the populace. All human
          behaviour would become transparent to the State, and the
          scope for non-conformism and dissent would be muted to
          the point envisaged by the anti-utopian novelists.

          The highest-integrity schemes combine physically
          intrusive data-collection with a potentially ubiquitous
          instrument of power. As a result, the kinds of
          multi-purpose identification schemes, or inhabitant
          registration systems, which would appear capable of
          exciting the greatest degree of concern are those based
          on DNA-printing and implanted chips.

          Jeremy Bentham's 1791 conception of the 'panopticon'
          depended on line of sight, visual surveillance, by
          prison warders, from a high tower. Foucault's twentieth
          century image of modern society as prison is associated
          with dataveillance rather than visual surveillance
          methods (Foucault 1977). The creator of the chip-card
          recognised at the time, in 1974, that the most central
          element of the 'virtual panopticon' is the enforced,
          computer-readable, real-time monitorable identifying
          chip.

          Public Policy Options for Chip-Based ID Schemes

          General policy considerations are addressed in Clarke
     (1996d). These encompass:

          - awareness and education;

          - public participation, through impact statements,
            consultation, and direct involvement in the design;

          - access to anonymous or pseudonymous schemes;

          - measures to encourage pseudonymous schemes;

          - justification for personal data collection and
            retention;

          - equitable terms and conditions of usage; and

          - comprehensive privacy laws, going beyond mere 'data
            protection' and 'fair information practices'
            legislation. Relevant documents include the EU
            Directive, and the Australian Privacy Charter.

          Inadequacies in one country's protective regime are
     examined in detail in Clarke (1997b).

          It is readily argued that governments are captives of
     business interests, and that social interests will therefore
     necessarily capitulate to economic interests. On the other
     hand, public concerns in many countries are a considerable
     political force. A substantial example of community impact
     on policy in Australia is documented in Clarke (1987).
     Overviews of community attitudes in that country are
     provided at Clarke (1996b), and in Clarke (1997a). Similarly
     high levels of concern exist in many other countries.

          In Clarke (1996b), it is argued that the public's
     increasing wariness of the power that IT offers
     organisations is resulting in increasingly clear demands for
     greatly enhanced privacy protections. There are many signs
     of imminent change. Organisations that are slow to
     appreciate these new realities risk suffering the
     consequences; whereas those that move proactively to gain a
     competitive or strategic advantage from their privacy stance
     will reap the benefits.

          Design Features for Chip-Based ID Schemes

          From the analysis conducted in this paper, it would
     seem inevitable that chip-based ID schemes threaten privacy,
     and that a direct conflict exists between the deployment of
     chips in ID cards and the survival of the kinds of
     relatively free and democratic society that advanced nations
     aspire to.

          Because of their programmability, however, chips are
     very flexible instruments. They offer such a wide scope to
     the scheme designer that they can in fact be applied with
     several alternative effects:

          - to destroy privacy, at one extreme;

          - to protect privacy, at the other; or

          - to achieve balance between the privacy interest, and
            other interests of individuals, of groups, of
            corporations and government agencies, and of
            societies as a whole.

          This final section identifies particular design
     features that need to be adopted by the sponsors of schemes
     that apply chip technology to identification-related
     purposes.

          The first cluster of requirements relates to the
     avoidance of dangerously privacy-invasive multi-purpose
     identification:

          - identified transaction trails must be restricted to
            circumstances in which they are justified by the
            impossibility of alternatives;

          - anonymity must be sustained except where it is
            demonstrably inadequate;

          - in order to achieve balance among competing
            interests, much greater application must be made of
            pseudonymity, in particular through protected
            indexes;

          - (expressing the preceding requirements differently),
            identity authentication must only be used where it is
            functionally necessary, and much greater application
            must be made of eligibility authentication;

          - multiple single-purpose ids must be implemented
            rather than a few multi-purpose ids;

          - an important corollary of the 'multiple ids'
            principle is the maintenance of separation between
            applications within multi-function chips, in order to
            assure the integrity of each application, and protect
            against unauthorised sharing of data and ids; and

          - another important application of the 'multiple ids'
            principle is the implementation of role-ids as well
            as person-ids, to reflect the facts that individuals
            perform multiple roles at the same time, and that
            multiple individuals perform the same organisational
            function.

          The second cluster of requirements relates to the
     provision of individuals with a significant degree of
     control over processes involving chip-based ID cards:

          - the ownership of cards must be in the hands of the
            individual, not the State;

          - the design of chip-based ID schemes must be
            transparent to the individual;

          - the issue and configuration of cards must be
            undertaken by multiple organisations, including
            competing private sector corporations, within
            contexts set by standards bodies, and by relevant
            government and private sector organisations, in
            consultation with public interest representatives;

          - private keys used variously for message-encryption
            and for digital signatures may be stored on a
            personal card, but no central storage of private
            encryption keys must be permitted to develop. An
            appropriate descriptor for such a personal card is an
            'electronic signature card' rather than an 'id card';

          - the control of individuals' biometrics must be in the
            hands of the individual concerned, not the State.
            Hence biometrics may be stored on the relevant
            person's card, and in backup arrangements under the
            individual's control, but no central storage of
            biometrics must be permitted to develop; and

          - schemes must feature two-way device authentication,
            i.e. personal chips must verify the authenticity of
            devices that seek to transact with them, and must not
            merely respond to challenges by devices.
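     Two of the requirements above, separation between applications on a
     multi-function chip (first cluster) and two-way device authentication
     (second cluster), modelled in code. This is an added example, not part
     of Clarke's paper: the application names, keys and data are
     constructed, and HMAC-based challenge-response with a card-issued nonce
     is one possible realisation of "the chip verifies the device before it
     responds", not a mechanism the paper specifies.

```python
import hashlib
import hmac
import secrets


def _mac(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed parts (a constructed message layout)."""
    msg = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hmac.new(key, msg, hashlib.sha256).digest()


class Card:
    """One chip carrying several applications, each with its own key and data."""

    def __init__(self, apps: dict):
        # apps: {app_id: {"key": bytes, "data": bytes}}; no key is shared
        # across applications, so a reader entitled to one learns nothing
        # about, and cannot unlock, any other.
        self._apps = apps
        self._card_nonce = None

    def challenge(self) -> bytes:
        """Step 1: the card issues its own nonce so it can test the reader."""
        self._card_nonce = secrets.token_bytes(16)
        return self._card_nonce

    def respond(self, app_id: bytes, reader_proof: bytes, reader_nonce: bytes):
        """Step 3: verify the reader's proof first; only then answer its challenge."""
        app = self._apps.get(app_id)
        card_nonce, self._card_nonce = self._card_nonce, None  # single use
        if app is None or card_nonce is None:
            return None
        expected = _mac(app["key"], b"reader", app_id, card_nonce, reader_nonce)
        if not hmac.compare_digest(expected, reader_proof):
            return None  # unauthenticated reader: no response at all
        # The card's proof is bound to both nonces and to the one application
        # touched; data from other applications never enters the computation.
        proof = _mac(app["key"], b"card", app_id, card_nonce, reader_nonce)
        return proof, app["data"]


class Reader:
    """A terminal that holds the key of exactly one application."""

    def __init__(self, app_id: bytes, key: bytes):
        self.app_id, self._key = app_id, key

    def transact(self, card: Card):
        card_nonce = card.challenge()
        reader_nonce = secrets.token_bytes(16)
        # Step 2: prove knowledge of the application key to the card before
        # asking it for anything.
        proof = _mac(self._key, b"reader", self.app_id, card_nonce, reader_nonce)
        result = card.respond(self.app_id, proof, reader_nonce)
        if result is None:
            return None
        card_proof, data = result
        expected = _mac(self._key, b"card", self.app_id, card_nonce, reader_nonce)
        if not hmac.compare_digest(expected, card_proof):
            return None  # card (or the data it returned) is not genuine
        return data


def demo() -> dict:
    """Constructed keys and data for two applications on one chip."""
    k_transit, k_health = secrets.token_bytes(32), secrets.token_bytes(32)
    card = Card({
        b"transit": {"key": k_transit, "data": b"zone-2 pass"},
        b"health": {"key": k_health, "data": b"insurer ref"},
    })
    return {
        "genuine": Reader(b"transit", k_transit).transact(card),
        # transit key presented against the health application: rejected
        "cross_app": Reader(b"health", k_transit).transact(card),
        # reader with no valid key: rejected before any data is released
        "rogue": Reader(b"transit", secrets.token_bytes(32)).transact(card),
    }
```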

          These design features create additional challenges for
     organisations planning the use of chips as a basis for an
     identification scheme. But they provide a basis whereby
     organisations can achieve their legitimate aims, yet
     individuals can be assured that the schemes are not unduly
     privacy-invasive.


          Conclusions

          Chip-based ID embodies the most serious perils for free
     and democratic societies. One scenario is direct conflict
     between the power of governments and government agencies,
     supported by corporations, on the one hand, and, on the
     other, a populace that is unprepared to go meekly to the
     slaughter.

          But the technology also holds promise. As a result, an
     alternative scenario exists, in which chips are applied in a
     manner that balances the interests of the State and of
     corporations against those of individuals. This will fail to
     achieve the nirvana of a controlled and efficiently-run
     society, with individuals treated as goods, and behaving in
     a manner no less predictable than livestock; but in return
     it will sustain humanity.

          The time for choice between those two scenarios is not
     remote. It is now.

          References to Other People's Works

     Bentham J. (1791) 'Panopticon; or, the Inspection House',
          London, 1791

     Davies S. (1992) 'Big Brother: Australia's Growing Web of
          Surveillance' Simon & Schuster, Sydney, 1992

     Davies S. (1996) 'Monitor: Extinguishing Privacy on the
          Information Superhighway', Pan Macmillan Australia, 1996

     EPIC (1995-) 'National ID Cards', Electronic Privacy
          Information Center, Washington DC, at
          http://www.epic.org/privacy/id_cards/default.html

     Foucault M. (1977) 'Discipline and Punish: The Birth of the
          Prison' Peregrine, London, 1975, trans. 1977

     Kim J. (1997) 'Digitized Personal Information and the Crisis
          of Privacy: The Problems of Electronic National
          Identification Card Project and Land Registry Project in
          South Korea', at http://kpd.sing-kr.org/idcard/joohoan2.html

     NSWPC (1995) 'Smart Cards: Big Brother's Little Helpers', The
          Privacy Committee of New South Wales, No.66, August 1995,
          at http://www.austlii.edu.au/au/other/privacy/smart/

     Privacy International (1996) 'Privacy International's FAQ on
          Identity Cards', at
          http://www.privacy.org/pi/activities/idcard/

     Rule J.B. (1974) 'Private Lives and Public Surveillance:
          Social Control in the Computer Age' Schocken Books, 1974

     The Winds (1997) 'The future has arrived' (June 1997), at
          http://www.thewinds.org/archive/government/idcard6-97.html

          References to the Author's Own Works

     Clarke R. (1987) 'Just Another Piece of Plastic for Your
          Wallet: The Australia Card' Prometheus 5,1 (June 1987).
          Republished in Computers & Society 18,1 (January 1988),
          with an Addendum in Computers & Society 18,3 (July 1988).
          At http://www.anu.edu.au/people/Roger.Clarke/DV/OzCard.html

     Clarke R. (1988) 'Information Technology and Dataveillance',
          Commun. ACM 31,5 (May 1988). Republished in C. Dunlop and
          R. Kling (Eds.), 'Controversies in Computing', Academic
          Press, 1991, at
          http://www.anu.edu.au/people/Roger.Clarke/DV/CACM88.html

     Clarke R. (1992) 'The Resistible Rise of the National Personal
          Data System' Software Law Journal 5,1 (January 1992), at
          http://www.anu.edu.au/people/Roger.Clarke/DV/SLJ.html

     Clarke R. (1993a) 'Why the Public Is Scared of the Public
          Sector', IIR Conference paper February 1993. Abstract at
          http://www.anu.edu.au/people/Roger.Clarke/DV/AbstractPubSector.html

     Clarke R. (1993b) 'Profiling: A Hidden Challenge to the
          Regulation of Data Surveillance', Journal of Law and
          Information Science 4,2 (December 1993), at
          http://www.anu.edu.au/people/Roger.Clarke/DV/PaperProfiling.html.
          A shorter version was published as 'Profiling and Its
          Privacy Implications' Australasian Privacy Law & Policy
          Reporter 1,6 (November 1994), at
          http://www.anu.edu.au/people/Roger.Clarke/DV/AbstractProfiling.html

     Clarke R.A. (1994a) 'The Digital Persona and Its Application
          to Data Surveillance' The Information Society 10,2 (June
          1994), at
          http://www.anu.edu.au/people/Roger.Clarke/DV/DigPersona.html

     Clarke R. (1994b) 'Information Technology: Weapon of
          Authoritarianism or Tool of Democracy?' Proc. World
          Congress, Int'l Fed. of Info. Processing, Hamburg,
          September 1994. At
          http://www.anu.edu.au/people/Roger.Clarke/DV/PaperAuthism.html

     Clarke R. (1994c) 'Human Identification in Information
          Systems: Management Challenges and Public Policy Issues'
          Information Technology & People 7,4 (December 1994) 6-37,
          at http://www.anu.edu.au/people/Roger.Clarke/DV/HumanID.html

     Clarke R. (1994d) 'Dataveillance by Governments: The Technique
          of Computer Matching' Information Technology & People 7,2
          (December 1994). Abstract at
          http://www.anu.edu.au/people/Roger.Clarke/DV/AbstractMatchIntro.html

     Clarke R. (1995a) 'Computer Matching by Government Agencies:
          The Failure of Cost/Benefit Analysis as a Control
          Mechanism' Informatization and the Public Sector (March
          1995). At
          http://www.anu.edu.au/people/Roger.Clarke/DV/MatchCBA.html

     Clarke R. (1995b) 'A Normative Regulatory Framework for
          Computer Matching' Journal of Computer and Information
          Law XIII,4 (Summer 1995) 585-633. Abstract at
          http://www.anu.edu.au/people/Roger.Clarke/DV/AbstractMatchReg.html

     Clarke R. (1995c) 'When Do They Need to Know 'Whodunnit?':
          The Justification for Transaction Identification; The
          Scope for Transaction Anonymity and Pseudonymity' Proc.
          Conf. Computers, Freedom & Privacy, San Francisco, 31
          March 1995. At
          http://www.anu.edu.au/people/Roger.Clarke/DV/PaperCFP95.html.
          Revised version published as 'Transaction Anonymity and
          Pseudonymity' Privacy Law & Policy Reporter 2,5
          (June/July 1995) 88-90. Condensed paper published as
          'Identification, Anonymity and Pseudonymity in Consumer
          Transactions: A Vital Systems Design and Public Policy
          Issue', October 1996, at
          http://www.anu.edu.au/people/Roger.Clarke/DV/AnonPsPol.html

     Clarke R. (1995d) 'Trails in the Sand', at
          http://www.anu.edu.au/people/Roger.Clarke/DV/Trails.html

     Clarke R. (1996a) 'Smart move by the smart card industry: The
          Smart Card Industry's Code of Conduct' Privacy Law &
          Policy Reporter 2,10 (January 1996) 189-191, 195. At
          http://www.anu.edu.au/people/Roger.Clarke/DV/SMSC.html

     Clarke R. (1996b) 'Privacy and Dataveillance, and
          Organisational Strategy', EDPAC Conference Paper (May
          1996), at
          http://www.anu.edu.au/people/Roger.Clarke/DV/PStrat.html

     Clarke R. (1996c) 'Data Transmission Security, or Cryptography
          in Plain Text' Privacy Law & Policy Reporter 3,2 (May
          1996), pp. 24-27, at
          http://www.anu.edu.au/people/Roger.Clarke/II/CryptoSecy.html

     Clarke R. (1996d) 'Privacy Issues in Smart Card Applications
          in the Retail Financial Sector', in 'Smart Cards and the
          Future of Your Money', Australian Commission for the
          Future, June 1996, pp.157-184. At
          http://www.anu.edu.au/people/Roger.Clarke/DV/ACFF.html

     Clarke R. (1996e) 'The Information Infrastructure is a Super
          Eye-Way: Book Review of Simon Davies' 'Monitor'' Privacy
          Law & Policy Reporter 3,5 (August 1996), at
          http://www.anu.edu.au/people/Roger.Clarke/DV/Monitor.html

     Clarke R. (1997a) 'What Do People Really Think? MasterCard's
          Survey of the Australian Public's Attitudes to Privacy',
          Privacy Law & Policy Reporter 3,9 (January 1997), at
          http://www.anu.edu.au/people/Roger.Clarke/DV/MCardSurvey.html

     Clarke R. (1997b) 'Flaws in the Glass; Gashes in the Fabric:
          Deficiencies in the Australian Privacy-Protective
          Regime', Invited Address to Symposium on 'The New Privacy
          Laws', Sydney, 19 February 1997, at
          http://www.anu.edu.au/people/Roger.Clarke/DV/Flaws.html

     Clarke R. (1997c) 'Smart Cards in Banking and Finance' The
          Australian Banker 111,2 (April 1997), at
          http://www.anu.edu.au/people/Roger.Clarke/EC/SCBF.html

     Clarke R. (1997d) 'Privacy and 'Public Registers'', Proc. IIR
          Conference on Data Protection and Privacy, Sydney, 12-13
          May 1997, at
          http://www.anu.edu.au/people/Roger.Clarke/DV/PublicRegisters.html

     Greenleaf G.W. & Clarke R. (1997) 'Privacy Implications of
          Digital Signatures', IBC Conference on Digital
          Signatures, Sydney, 12 March 1997, at
          http://www.anu.edu.au/people/Roger.Clarke/DV/DigSig.html

     Xamax Consultancy Pty Ltd, ACN: 002 360 456 78 Sidaway St
     Chapman ACT 2611 AUSTRALIA
     Tel: +61 6 288 6916 Fax: +61 6 288 1472


     http://www.anu.edu.au/people/Roger.Clarke/DV/IDCards97.html



