Many PETs assist people to defeat or neutralise privacy-invasive technologies and hence are usefully referred to as “Counter-PITs.” Examples include SSL/TLS for
channel encryption, spam-filters, cookie-managers, password managers, personal firewalls, virus protection software, and spyware-sweepers.
Although many protections are already productised, opportunities remain for organisations to contribute. For example, there is a need for services that display to the browser-user information about the owner of an IP-address before connecting to it,
and for the monitoring of inbound traffic for patterns consistent with malware and hacking, and outbound traffic for spyware-related transmissions (DCITA 2005).
Savage PETs
For many people, that first category of PETs is unsatisfactory because they still permit organisations to accumulate personal data into dossiers and profiles. A much more
aggressive approach is available. One class of PETs sets out to deny identity and to provide untraceable anonymity. Examples include genuinely anonymous (“Mixmaster”) remailers and Web surfing schemes, and genuinely anonymous e-payment
mechanisms. (The inclusion of “genuinely” is necessary, because some remailers and payment mechanisms have been incorrectly described as “anonymous,” even though they are actually traceable).
Such techniques exist, and will always exist, no matter what countermeasures are
developed. Major literature in this area includes Chaum (1981, 1985, 1992); Onion (1996); Syverson, Goldschlag, and Reed (1997); Clarke (2002); and Dingledine,
Mathewson, and Syverson (2004). See also Freehaven (2000). For a critical review of policy aspects, see Froomkin (1995).
Gentle PETs
Where they are successful, “Savage PETs” work against accountability, because they reduce the chances of retribution being wrought against people who use them
to assist in achieving evil ends. It would be highly beneficial if a balance could be
found between anonymity on the one hand, and accountability on the other. The means of achieving this is through “protected pseudonymity.” It is the most technically challenging, and at this stage the least developed of the categories. The essential requirement of a gentle PET is that very substantial protections are provided for individuals’ identities, but in such a manner that those protections can be breached when particular conditions are fulfilled.
Underlying this approach is a fundamental principle of human freedom that appears not yet to have achieved mainstream understanding: people have multiple identities, and to achieve privacy-protection those identities must be sustained. This favours
single-purpose identifiers and militates against multi-purpose identifiers (Clarke,
1994b, 1999).
The protections against breach of protected pseudonymity must be trustworthy, and must comprise an inter-locking network of legal, organisational and technical features. If the power to override the protections is in the hands of a person
or organisation that flouts the conditions, then pseudonymity’s value as a privacy
protection collapses. Unfortunately, governments throughout history have shown
themselves to be untrustworthy when their interests are too seriously threatened; and
corporations are dedicated to shareholder value alone, and will only comply with the
conditions when they are subject to sufficiently powerful preventative mechanisms
and sanctions. The legal authority to breach pseudonymity must therefore be in the hands of an independent judiciary, and the case for breach must be demonstrated to the court.
A range of technical protections is needed. The creation and controlled use of identities
needs to be facilitated. The traffic generated using protected pseudonyms needs to be
guarded against traceability, because that would enable inference of an association between a person and the identity. In addition, there must be technical support for procedures to disclose the person’s identity, which must involve the participation of multiple parties, which in turn must be achieved through the presentation of reliable evidence (Goldberg, 2000).
These features are unlikely to be satisfied accidentally, but must be achieved
through careful design. For example, the original “anonymous remailer”, anon.penet.fi (1993-96), was merely pseudonymous because it maintained a cross-reference between the incoming (identified) message and the outgoing (“anonymised”) message, and the cross-reference was accessible to anyone who gained access to the device—including Finnish police, who do not have to rely on judicial instruments as authority for access, because they have the power to issue search warrants themselves (Wikipedia, 2002).
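The contrast between the anon.penet.fi design and the multi-party disclosure requirement described above can be made concrete in code. The following is an added illustration, not code from the chapter or from any real remailer: it models the single plaintext cross-reference table that was readable by whoever held the device, beside a design in which the pseudonym-to-identity link is split with Shamir secret sharing so that disclosure requires a threshold of independent custodians (the custodian names, the pseudonym format and the sample addresses are constructed for the example). It covers only the disclosure pathway; how a remailer routes replies without an operational link is a separate design question.

```python
import secrets

# Mersenne prime M521; a field large enough to hold a 64-byte secret as one element.
PRIME = 2**521 - 1


def _eval_poly(coeffs, x):
    """Evaluate a polynomial (constant term first) at x over the field."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret: bytes, k: int, n: int):
    """Shamir k-of-n split: returns n shares (x, y); any k recover the secret."""
    if len(secret) > 64 or not 1 <= k <= n:
        raise ValueError("secret too long or bad threshold")
    s = int.from_bytes(secret, "big")
    coeffs = [s] + [secrets.randbelow(PRIME) for _ in range(k - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def recover_secret(shares, length: int) -> bytes:
    """Lagrange interpolation at x = 0 over the field; needs at least k shares."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return total.to_bytes(length, "big")


def _new_pseudonym() -> str:
    # Constructed pseudonym format; the domain is a placeholder.
    return "an" + secrets.token_hex(3) + "@remailer.example"


class PenetStyleRemailer:
    """The design the chapter criticises: one plaintext table on the device."""

    def __init__(self):
        self.table = {}  # pseudonym -> real address, readable by anyone with the box

    def register(self, real_address: str) -> str:
        pseudonym = _new_pseudonym()
        self.table[pseudonym] = real_address
        return pseudonym

    def read_table(self, pseudonym: str) -> str:
        # Physical or legal access to the device is sufficient: no second party needed.
        return self.table[pseudonym]


class ThresholdEscrowRemailer:
    """Protected pseudonymity: the link is split across custodians held off-device."""

    def __init__(self, custodians, threshold: int):
        self.custodians = list(custodians)  # e.g. operator, court, oversight body
        self.k = threshold
        self.shares = {c: {} for c in self.custodians}  # each custodian's own store
        self.lengths = {}  # byte length of each escrowed address, for decoding

    def register(self, real_address: str) -> str:
        pseudonym = _new_pseudonym()
        data = real_address.encode()
        shares = split_secret(data, self.k, len(self.custodians))
        for custodian, share in zip(self.custodians, shares):
            self.shares[custodian][pseudonym] = share
        self.lengths[pseudonym] = len(data)
        return pseudonym

    def can_disclose(self, pseudonym: str, consenting) -> bool:
        """True only when at least k distinct custodians hold a share and consent."""
        holders = {c for c in set(consenting) if pseudonym in self.shares.get(c, {})}
        return len(holders) >= self.k

    def disclose(self, pseudonym: str, consenting) -> str:
        if not self.can_disclose(pseudonym, consenting):
            raise PermissionError("threshold of consenting custodians not met")
        shares = [self.shares[c][pseudonym] for c in set(consenting)]
        return recover_secret(shares, self.lengths[pseudonym]).decode()


if __name__ == "__main__":
    legacy = PenetStyleRemailer()
    p = legacy.register("alice@home.example")
    print("device access alone reveals:", legacy.read_table(p))

    escrow = ThresholdEscrowRemailer(["operator", "court", "oversight"], threshold=2)
    q = escrow.register("alice@home.example")
    print("operator alone can disclose:", escrow.can_disclose(q, ["operator"]))
    print("court + oversight disclose:", escrow.disclose(q, ["court", "oversight"]))
```

The point of the threshold is that seizing the operator's equipment yields only the operator's share, which on its own is information-theoretically independent of the address; reconstruction requires the cooperation of the other custodians, which is where the legal and organisational conditions the text calls for can be enforced.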
The notion of “identity management” has been prominent. The mainstream approaches, those of Microsoft Passport, and of the misleadingly named “Liberty Alliance,” are in fact privacy-invasive technologies, because they “provide” identities to individuals, and their fundamental purpose is to facilitate sharing of personal data among organisations. Microsoft’s “Identity Metasystem” (Microsoft, 2006),
based on Cameron (2005), is more sophisticated, but also fails to support protected pseudonymity.
The need is for “demand-side” identity management tools that are PETs rather
than PITs (Clarke, 2004; Clauß, Pfitzmann, Hansen, & Van Herreweghen, 2002).
Organisations need to utilise multiple means to protect their interests, rather than
imposing unjustifiable demands for strong authentication of the identity of the individuals that they deal with—because that approach is inherently privacy-invasive, and generates distrust.
Business Cases for PETs
An organisation that is distrusted by staff or customers because of privacy concerns needs to consider using PETs as a means of addressing the problem. This section examines how organisations can evaluate the scope for PETs to contribute to their privacy strategy, and hence to their business strategy as a whole. There appear to be very few references to this topic in the literature, but see MIKR (2004, pp. 38-45).
The first sub-section clarifies the much-abused concept of “a business case.” The
second then shows how it can be applied to PETs.
Concepts
The technique that organisations use to evaluate a proposal is commonly referred to as the development of a “business case.” The term is rather vague, however, and a variety of techniques is used. One major differentiating factor among them is whether the sponsor’s interests dominate all others, or whether perspectives additional to those of the sponsor need to be considered. A further distinction is
the extent to which benefits and disbenefits can be expressed in financial or other
quantitative terms. Figure 1 maps the primary techniques against those two pairs of characteristics.
The top-left-hand cell contains mechanical techniques that work well in relatively simple contexts where estimates can be made and “what-if” analyses can be used to test the sensitivity of outcomes to environmental variables. The only stakeholder
whose interest is reflected is the scheme sponsor; and hence the use of these tech-
niques is an invitation to distrust by other parties.
The bottom-left-hand cell is relevant to projects in which the interests of multiple parties need to be appreciated, and where necessary traded off. But the distrust impediment can seldom be reduced to the quantitative form that these techniques demand.
The techniques in the top-right-hand cell are applicable to a corporation that is operating relatively independently of other parties but cannot express all factors in neat, quantitative terms. Even in the public sector, it is sometimes feasible for an agency to prepare a business case as though it were an independent organisation (e.g., when evaluating a contract with a photocopier supplier, or for the licensing of an
electronic document management system). Internal Cost-Benefit Analysis involves assessments of benefits and disbenefits to the organisation, wherever practicable using financial or at least quantitative measures, but where necessary represented by qualitative data (Clarke, 1994; Clarke & Stevens, 1997). Risk Assessment adopts
a disciplined approach to considering key environmental factors, and the impact of potentially seriously disadvantageous scenarios. Once again, however, only the interests of the scheme sponsor are relevant, and the perspectives of other parties are actively excluded.
More complex projects require the more sophisticated (and challenging) techniques in the bottom-right quadrant of Exhibit 1. For example, a government agency cannot afford to consider only the organisation’s own interests. It must at least consider
the needs of its Minister, and there are usually other agencies with interests in the matter as well.
Outside the public sector, it is increasingly common for organisations to work together rather than independently. In some cases this takes the form of tight strategic partnerships, and in others looser value-adding chains. In yet others, “public-private partnerships” inter-twine the interests of corporations and government agencies. At the very least, most organisations work within infrastructure common to all participants in the relevant industry sector, or within collaborative arrangements negotiated through one or more industry associations. Such projects therefore depend on “win-win” solutions, and the business case must reflect the perspectives
of the multiple stakeholders.
Some of the biggest challenges arise where there is significant disparity in size and
market power among the participants, especially where the success of the undertaking is dependent upon the participation of many small business enterprises. Appropriate approaches for such circumstances are discussed in Cameron and Clarke (1996) and Cameron (2005).
The discussion in this sub-section has to this point assumed that all participants are organisations. There are many projects, however, in which the interests of individuals need to be considered, because their non-participation, non-adoption, or outright opposition, may undermine the project and deny return on investment. Clarke (1992) drew attention to the then-emergent concept of “extra-organisational systems” such as ATM and EFTPOS networks, and the need to ensure that consumers’ interests are
reflected in the system design, by engaging with consumers and their representatives
and advocates. Engagement requires information dissemination, consultation, and the use of participative design techniques. The rapid emergence of the open, public Internet in the years immediately following the publication of that paper enabled an explosion of such extra-organisational systems.
Yet corporations have seldom considered their customers as stakeholders, and even government agencies frequently leave them aside from business case evaluations. Organisations that want to avoid the distrust impediment need to apply the business
case techniques in the bottom-right-hand corner of Exhibit 1, in order to reflect the
perspectives of all of the important stakeholders, including human users and other individuals affected by the scheme. Impact and risk assessment activities need to encompass at least privacy, but the scope may need to extend to broader social and economic aspects such as accessibility, accidental discrimination against minorities, and the need for workplace re-training.