Privacy-enhancing technologies

9.5 The way that technology is used often determines whether it is privacy enhancing or privacy invasive.[9] Some technologies, known as privacy-enhancing technologies (PETs), operate to protect privacy. Particular PETs that can be implemented by individuals are discussed throughout this chapter. Chapter 10 discusses the role of PETs in a regulatory framework, as well as the importance of ensuring awareness of PETs and encouraging agencies and organisations to incorporate PETs into technical systems at the stage of design. For example, the United States National Security Agency and members of the information technology industry have developed a system that implements a mandatory access control framework, which provides enforced security settings and prevents the setting of discretionary preferences by a computer application or user.[10] Two other PETs that can be used in the online environment are encryption and identity management, considered in more detail below.

Encryption

9.6 Encryption, a form of cryptography, refers to a sequence of processes that ensure that information stored in electronic form or transmitted over networks such as the internet is not accessible to any person not authorised to view that information. Encryption can be used to convert data into a form which cannot be read without using an appropriate ‘key’. A particular form of encryption, public-key cryptography, enables the creation and use of ‘digital signatures’—that is, the encryption of data in a message with a private key allocated to a particular sender that assures others that only the sender could have created the message.[11] Encryption, however, does not prevent the deletion of information.

9.7 Encryption systems use either, or both, symmetric or asymmetric key ciphers. Information encoded by a symmetric key cipher requires the decoder of the message to hold a key that is identical to, or readily derived from, the key held by the encoder. An asymmetric key cipher system, such as public-key cryptography, uses a combination of a secret ‘private’ key and a widely available ‘public’ key. In this system, information encoded using the public key remains encrypted and secure until a person holding the corresponding private key receives the information and uses the private key to decode the information. In some asymmetric systems, the private key also can be used to encode information so that the corresponding public key can be used to decode the information. This reverse approach provides a ‘guarantee of authenticity’ rather than an encryption method as any person can decode the information using a public key.[12] In comparison to symmetric key cipher systems, asymmetric systems are complex and slow in execution.[13]

9.8 Symmetric and asymmetric encryption systems can be used in conjunction with mechanisms such as one-way-hash functions to ensure that information stored or transmitted in an encrypted form remains unaltered. A hash function can be applied to data, or a message, to produce data of a fixed bit length—for example, 8, 16 or 32 characters. The hash function condenses the message to a ‘hash value’ of the original message. In a security system intended to safeguard the integrity of messages against any alteration, a hash value together with an original message is transmitted to a receiver who knows the relevant hash function. The receiver can apply the hash function to the original message to create a second hash value that may be compared against the original hash value. Identical hash values indicate that the original message was not altered in transmission. The message, however, could have been intercepted, altered and a new hash value calculated and added during transmission. To prevent this, the hash value itself may be encrypted before being added to the message for transmission. A receiver who possesses a corresponding cipher key can then decrypt the hash value and compare it against the second hash value that is recalculated from the received message.[14]

Identity management

9.9 The remote nature of online transactions has led many agencies and organisations routinely to require individuals to authenticate their identity during transactions. Arguably, however, it is not always necessary for individuals to identify themselves when engaging in online transactions and it is more desirable for some forms of transactions to be ‘pseudonymous’.[15] Pseudonymous transactions could be achieved through the use of ‘identity escrow’—that is, a system where a trusted third party holds evidence about a person’s identity and issues that person an identifier enabling him or her to conduct transactions with other parties.[16] Identity management systems also could facilitate the use of pseudonyms and partial identities.

9.10 Identity management systems provide a mechanism for establishing trust between individuals, agencies and organisations transacting in the online environment.[17] The Privacy Identity Management for Europe (PRIME) project, for instance, emphasises the privacy-enhancing nature of its identity management project, noting that it allows individuals to minimise the disclosure of their personal information in the online environment and provides them with technical tools to negotiate privacy preferences with online entities.[18]

9.11 Identity management has been described as a three step process.[19] First, an identity is established, which may require an individual, for example, to choose a password or verify his or her identity in person. Before using an identity, authentication through the presentation of credentials is required. A credential may be something that an individual has, such as a radio frequency identification (RFID) tag; something that an individual knows, such as a password; or something that an individual is, such as a facial biometric or fingerprint.[20] Finally, revocation of identity refers to the removal of an identity when use of that identity is no longer required, such as where a customer changes banks. Revocation of identity is an important measure to reduce identity theft.[21]

9.12 User-centric authentication systems require both an individual and the entity with which the individual is transacting to authenticate their identities. Such mutual authentication projects have emerged as a response to the ‘asymmetric sharing of control over personal information … [that] commonly leads to a corresponding asymmetry of risk allocation’ in the one-way trust model described above.[22] Microsoft and IBM have both developed user-centric identity management systems.[23]

9.13 A new trend in identity management is the development of the federated identity system.[24] Identity federation systems use a central identity provider to authenticate an individual, who can then access certain other domains without needing to re-authenticate their identity. In an identity federation system, individuals can manage their identities by setting pseudonyms for use in different domains and determining what information can be revealed in different contexts. Standardisation in identity federation systems is required for their effective operation, and this is currently the subject of deliberation in international forums.[25]

[9] See, eg, J Alhadeff, Consultation PC 169, Sydney, 26 April 2007; M Crompton, ‘Under the Gaze, Privacy Identity and New Technology’ (Paper presented at International Association of Lawyers 75th Anniversary Congress, Sydney, 28 October 2002), 9–10.

[10] United States National Security Agency, Security-Enhanced Linux (2007) <www.nsa.gov/selinux/> at 24 April 2008.

[11] Parliament of Australia—Senate Select Committee on Information Technologies, Cookie Monsters? Privacy in the Information Society (2000), [2.77]–[2.113].

[12] Y Fen Lim, Cyberspace Law: Commentaries and Materials (2nd ed, 2007), 221.

[13] United States Department of Commerce—National Institute of Standards and Technology, Introduction to Public Key [Technology and the Federal PKI Infrastructure] (2001), 11.

[14] Y Fen Lim, Cyberspace Law: Commentaries and Materials (2nd ed, 2007), 221. In Ch 28, the ALRC recommends that the OPC should develop and publish guidance on the ‘Data Security’ principle. Among other things, this guidance should address the relevant security measures that can be taken to protect personal information, including privacy enhancing technologies such as encryption: Recommendation 28–3.

[15] In Ch 20, the ALRC recommends that the Unified Privacy Principles (UPPs) should contain a principle called ‘Anonymity and Pseudonymity’ that requires an agency or organisation to give an individual the clear option to interact anonymously or pseudonymously, where this is lawful and practicable in the circumstances: Recommendation 20–1.

[16] See, eg, R Clarke, Identification, Anonymity and Pseudonymity in Consumer Transactions: A Vital Systems Design and Public Policy Issue (1996) Australian National University <www.anu.edu.au/
Roger.Clarke/DV/AnonPsPol.html> at 30 July 2007.

[17] Information Integrity Solutions, Trust and the Critical Role of User Centric ID Management (2006), 1.

[18] Privacy and Identity Management for Europe (PRIME), PRIME White Paper v2 (2007), 1.

[19] International Telecommunication Union, digital.life: ITU Internet Report 2006 (2006), 114.

[20] Information and Privacy Commissioner of Ontario and A Stoianov, Biometric Encryption: A Positive-Sum Technology that Achieves Strong Authentication, Security AND Privacy (2007) Information and Privacy Commissioner of Ontario, 2.

[21] International Telecommunication Union, digital.life: ITU Internet Report 2006 (2006), 114. Identity theft is discussed in Ch 12.

[22] Information Integrity Solutions, Trust and the Critical Role of User Centric ID Management (2006), 2.

[23] Kim Cameron’s ‘7 Laws of Identity’ have been incorporated into Microsoft’s ‘CardSpace’ application: K Cameron, The Laws of Identity (2005) Microsoft Corporation; Microsoft Corporation, Introduction to Windows CardSpace (2006) <cardspace.netfx3.com/content/introduction.aspx> at 30 July 2007. See too IBM, Idemix: Pseudonymity for e-Transactions (2006) <www.zurich.ibm.com/security/idemix/> at 24 April 2008.

[24] S Wilson, Correspondence, 23 April 2007.

[25] International Telecommunication Union, digital.life: ITU Internet Report 2006 (2006), 115–120.