Privacy in a Hi-Tech World: Technology, Policing and Identity Management - Speech Notes
A presentation by Karen Curtis Federal Privacy Commissioner to the 2nd International Policing Conference, Adelaide, 3 November 2004
By any yardstick, identity management and policing and privacy are important issues facing our society in the early 21st century.
As said in the introduction by the MC, I've been in my role as Federal Privacy Commissioner for almost 4 months. So I'm really a probationary privacy commissioner!
But one of the clear messages that has emerged for me with respect to privacy, is that privacy is always a question of balance.
The challenge we face as a society is how to protect the rights of individuals while recognising the collective needs of our community at any given time. It is always a balance.
In the current global environment there has been increased attention on security and identity management. But, privacy and security measures do not have to be inconsistent or mutually exclusive. For instance, if good identity management and authentication systems are carefully planned and implemented, then privacy does not have to be sacrificed.
And the debate about identity management, policing and privacy is a good example.
In discussions about privacy and the rapidly changing technological environment in which we live, two key questions are often posed. Do you consider the answers to be true or false?
- The first question is: was Scott McNealy right in early 1999 when he said 'You have zero privacy anyway - get over it'? The Sun Microsystems CEO's opinion is that in a Hi-Tech World 'privacy is dead' - a non-issue! Organisations, governments and people are constantly using new methods and technologies to collect information about you and there's nothing you can do about it - so get over it!
- The second question is: anyway, 'if you have nothing to hide, you have nothing to fear'. This is a strong counter claim to the importance of privacy.
But before we explore these questions further it's worth considering what we mean when we talk about privacy.
Samuel Warren and Louis Brandeis were the authors of the first key modern writing on privacy in 1890. Their work is particularly relevant to discussions about privacy and technology. Warren and Brandeis emphasised a court decision made by Judge Cooley as distilling the essence of privacy. Cooley suggested that privacy was the 'right to be let alone' and he argued that there was a particular need for legal protection of this right in the face of 'recent inventions and business methods'.
In the 1969 Boyer Lecture, Professor Zelman Cowen, later Sir Zelman Cowen and Governor General of Australia gave us another way of thinking about privacy. Professor Cowen argued that privacy is about autonomy:
He said - 'A man without privacy is a man without dignity; the fear that big brother is watching threatens the freedom of the individual no less than the prison bars.'
It is worth noting that this makes privacy both a subtle and intangible right, but not an absolute right. Indeed our legislation points out that privacy is to be balanced against competing social and business interests.
One thing to note about privacy is that often one does not notice it until it's gone, and then you feel its loss keenly.
A useful and universal description of privacy has been to segment privacy into 4 categories:
- Bodily privacy - protection of our physical selves against invasive procedures
- Territorial privacy - setting limits on intrusion into domestic and other environments
- Information privacy - involving rules for the handling of data
- Privacy of communications - security and privacy of mail, phones etc
It is important to note that my role extends primarily to the last two forms of privacy, particularly information privacy.
In Australia we have had federal privacy legislation covering the use of personal information by the federal departments and agencies since 1988.
The way personal information is collected, used, stored and disclosed is covered by 11 Information Privacy Principles - the IPPs. Federal law enforcement agencies like the Australian Federal Police and the CrimTrac Agency are covered by these IPPs.
In December 2001, with some exemptions, the private sector was covered by the Act in the way it collected, used, stored and disclosed personal information, through 10 National Privacy Principles - the NPPs.
Of course, credit reporting agencies and credit providers were covered from 1990.
We also have other Commonwealth legislation which addresses privacy, e.g.:
- Telecommunications Act 1997
- Telecommunications Interception Act 1979
- Spam Act 2003
- Corporations Act 2001
We also have various state and territory legislation that covers the use of personal information by state agencies.
But privacy in practice means that the NPPs and the IPPs deliver privacy through giving people control of their personal information:
- Consent for collection and use
- Security and access
- Anonymity where practical
A generous interpretation of Scott McNealy's statement about the 'death of privacy' would be that he was saying that, on balance, the new services that the high-tech environment can provide may outweigh the negatives of the loss of privacy.
And he's right to emphasise the fact that new technologies make available new services and better ways of profiling customers to make better suited services and better goods.
However, at the same time new technologies enable new types of crime such as identity theft and hacking.
A recent report estimates the cost of identity fraud in Australia to be $1.1bn per annum. The report states 'while the fraudulent representation of identity has existed for many decades, if not centuries' it may be easier to perpetrate due to the rapid global information flows, increased use of the internet, and fewer face-to-face transactions (Identity Fraud in Australia: Sirca Report).
Coupled with this is the fact that new technologies also provide new responses to crime detection, e.g. CrimTrac. Obviously your earlier sessions in the conference would have discussed these concepts in detail.
Ironically, the day before McNealy, the CEO of Sun Microsystems, stated that 'privacy was dead', Sun's competitor Intel was being confronted by privacy.
Intel had just developed its new Pentium III chip which sent out a unique 'fingerprint' identifier over the Net, making it easier to identify users and track movements.
The chip enabled users to authenticate themselves for online transactions efficiently but it also allowed users to be tracked and profiled while using the internet.
Many in the community were concerned about the privacy implications of this new technology. Following a letter from a US member of the House of Representatives, Intel decided to modify its system to allow users to turn off the fingerprint identifier.
Intel knew that to maintain legitimacy it had to respect privacy and achieve a balance between its commercial interests and community values.
Policing agencies face similar challenges to businesses in this respect. Existing policing strategies and powers combined with new technologies can add up to a powerful set of tools; the question is when and how to use them while respecting the values of the community, including its privacy values.
Community Attitudes Research conducted by Roy Morgan research, in May this year, for my Office shows that there is support for allowing government departments to share information for policing initiatives (68%) but there is also a significant group of people who are strongly concerned about their privacy (24%).
Recent examples of law enforcement initiatives including mass data matching projects overseas which were abandoned after privacy criticism include:
- Total Information Awareness (TIA) - funding suspended pending a report of implications for privacy and civil liberties.
- More US states have withdrawn from Matrix (a data mining initiative similar to TIA run by the states) than have stayed with it.
- Canadian Longitudinal Labour Force File (LLFF) - database of information on Canadians to inform policy - could be used to build profiles of people - became subject to external advisory committee, protective legislation and ongoing relations with Canadian Privacy Commissioner.
I love the heading on the CrimTrac website that good privacy is good policing, and 'that the systems, policies and procedures that the CrimTrac agency is implementing is aimed at achieving the twin goals of personal information privacy and good policing'.
The OFPC has developed a framework which intends to bring about balance and perspective to considerations of legislative proposals and law enforcement initiatives with significant effects on privacy. It does so by leading us through seven key steps, including:
- Identify the Problem
- Identify the range of possible solutions
- Is the proposed solution appropriate?
- Proportionality
- What does the community think?
- Consultation
- Implement the new powers expressly in law
- Transparency, Accountability and Reporting
- Review processes
The framework outlined here for considering new legislative responses that have a major impact on the community, by giving law enforcement agencies more intrusive powers, was first explored at the Australian Institute of Criminology's conference in June 2001.
The point is that this framework will help to minimise the negative impact on privacy.
An important element in making privacy and security work together is having appropriate accountability mechanisms in place, and this includes cross-border accountability arrangements for policing activities. Two recent reports to government have raised the need to match the new multi-jurisdictional powers of law enforcement agencies with regulatory oversight.
The Report of the Independent Review of Part 1D of the Crimes Act 1914 - Forensic Procedures (March 2003, conducted by Tom Sherman) draws attention to the importance of establishing an effective national framework for the oversight and accountability of the DNA database system.
The report concludes that present legislative and administrative arrangements fall short of that objective. It notes where further work is needed, including for accountability agencies to develop proposals for the investigation of complaints with a cross-border complexion (Recommendations 16 and 18), and the need for external audit of the national DNA database system (Recommendation 17).
The joint Report of the Australian Law Reform Commission (ALRC) and the Australian Health Ethics Committee (AHEC), Essentially Yours: The Protection of Human Genetic Information in Australia (March 2003) made recommendations about the independent oversight of the national DNA database system, including a periodic audit by an independent body (Recommendation 43-4).
Both reports are currently being considered by the Standing Committee of Attorneys-General (SCAG) and Australian Police Ministers Council Joint Working Group on National Investigation Powers.
In November 2003, SCAG requested the federal, state and territory Ombudsmen and Privacy and Information Commissioners to report on their legislative and administrative capacity to deal comprehensively and consistently with issues of accountability and complaints handling in relation to cross-border investigations. The joint report has been provided to SCAG and I understand yet to be considered.
What the Office has been saying since 2000 is that while it is a good thing that LEAs are being granted powers to help them operate across borders, the powers granted to LEAs must be balanced with an equivalent and workable national accountability framework. Workability will depend on the ability to delegate powers, transfer information and refer complaints seamlessly between regulators and across jurisdictional borders.
This will mean that regulators are able to conduct joint investigations and audits effectively and efficiently so that between them they can 'see' the data flows across the various jurisdictional elements of the national law enforcement system.
Another way of building privacy into policing is to use Privacy Enhancing Technologies (PETs) instead of Privacy Invasive Technologies (PITs). This can be a simple exercise and it can sometimes avoid the need to implement the legislative framework mentioned a moment ago.
Using PETs can be quite easy in some instances. For example, in the biometrics field, some airports are considering introducing body scanning technology that will help security staff identify hidden firearms and other devices.
One version of this technology, being used in the USA, is a privacy invasive technique that scans a person and shows an image of each traveller's naked body in some detail on a computer screen.
A privacy respecting version of the same technique is available that simply indicates to an officer the vicinity in which there may be a concealed weapon, without displaying the individual's naked body. The first technique is privacy invasive, while the second technique, which achieves the same outcome, is less so.
This example serves to illustrate that in many instances privacy enhancing technologies are available for use.
Use of privacy enhancing technologies combined with the Office's legislative framework can ensure a balance which will help to allow security and law enforcement agencies to pursue their goals while respecting privacy.
The point again is that policing goals do not have to result in privacy trade-offs! Good policing can mean good privacy (as Crimtrac says).
A particular area of interest for the Office is Identity Management - it's a key issue for the Office and a crossroads where matters of security, new technologies and privacy intersect.
A simple description of identity management is that it is about making sure people are who they say they are.
New technologies are being used by organisations and Law Enforcement Agencies in many new authentication initiatives. Greater confidence about the identity of individuals, particularly in electronic contexts is aimed at preventing financial, welfare and benefits fraud, as a response to identity theft, protecting national borders and increasing national security, and better profiling customers or clients to better target services and goods.
Identity management has the potential to deliver a number of desirable outcomes for the community but it is easy to see why those who value their privacy may be concerned about ID management.
To verify identity, Identity management initiatives are using new technologies to collect more information, and more sensitive information, from individuals such as:
- DNA
- Biometric information
- Financial information
ID management systems give us powerful new tools of surveillance, which can provide a significant aid to policing initiatives, but also simultaneously may pose a potential threat to privacy.
Trust is a buzz word at the moment and rightly so because it is an important part of the social fabric. It plays a crucial role in our society.
Trust is a facilitator of commerce and exchange and social cohesion.
Trust makes people's lives better and more enjoyable. People have a lower quality of life when they feel distrusted.
Breaking the issue of ID management down to a fundamental level, we can see that it is a problem of trust. The need for trust is the common thread in ID management which both organisations and people share.
Organisations want to trust the individuals they deal with; trust that they are who they say they are, and that they are authorised to do what they do.
Individuals want to be trusted and to know that they have control over their identity and personal information and to trust that it is dealt with appropriately.
The big risk with identity management is that if it is implemented poorly it is likely to have limited success in building trust, improving security and reducing fraud. Implemented well, identity management can achieve its worthy goals without endangering personal freedom and privacy.
There are currently a very large number of identification management projects and or proposals, cutting across government and private sector organisations. There is a risk that these are being considered in a narrow range of circumstances without thinking about the big picture privacy issues.
There is an urgent need to explore the social, economic and political consequences of identity management especially in relation to policing initiatives, in part to see if we like where it is taking us, and in part to shed light on better and the best ways to go about it.
Here are two examples of ID management solutions which I suggest may be the Clayton's approach to ID management.
For those that are too young to remember, in Australia there was a big advertising campaign for Claytons (a non-alcoholic drink) - the drink you're having when you are not having a drink! It came into common usage as something that wasn't quite what it was meant to be.
Some examples of Claytons approaches to identity management include the one number per person/Australia card solution and some biometrics.
Advocates of the One number per person/ Australia card solution argue that having only one number, which is used for all of our authentication needs will increase the efficiency of our day to day business. This benefits individuals who will only have to remember one number (or show one card) and it benefits organisations which will no longer have to collect and store multiple forms of authentication for the multiple functions they perform.
The security pay-offs that come from the One number per person/ Australia card system are a result of the depth of information connected to the number. The deeper the information contained in the number, the more unique it is. The uniqueness of the information is what that makes it a good form of authentication.
This system will make it harder to create a fraudulent identity because of the depth of information and referencing associated with the number.
Some forms of biometrics may also be Clayton's solutions. The logic of biometric authentication is that the same body equals the same person. It is the uniqueness of our bodily information, unique to one person, which makes it a strong and useful form of authentication. Proponents of the technology ask "how can that go wrong?"
However, these solutions are not perfect!
Any ID management solution that indiscriminately links a large amount of sensitive and unrelated information has severe flaws.
Placing large amounts of information in one place makes it easier to zip together disparate sets of data. If information can be zipped together then it will be zipped together eventually. Recent examples of function creep [1] with the Tax File Number suggest that zipping together information would be a more than likely occurrence with a one number per person system.
Data linking has a number of unpleasant consequences for privacy, which raise alarm bells with people. Do we want information from banks, libraries, video shops, and takeaway food outlets zipped together with government identifiers, employment and health records? Are we comfortable with organisations having access to highly detailed sets of data about the way we live our lives?
Anecdotally, it is clear that we do not want detailed sets of data about us, to actually be linked together and available indiscriminately.
A possible disastrous consequence of a one number per person solution is that people may change their behaviour to avoid situations that might be misunderstood by watchers, e.g. talking to people with strong political views, or of certain ethnic backgrounds.
Another alarming possibility is that the growth of data linking could paradoxically increase ID theft. Creating large treasure chests of information about people increases the incentives to steal or forge identifiers and gain access to stores of valuable and detailed information about people.
The use of biological data in biometric authentication systems may also have problems.
In September this year, on the 20th anniversary of the development of genetic fingerprinting Sir Alec Jeffreys, the founder of genetic fingerprinting techniques voiced concerns over privacy issues and the use of DNA biometric technology:
His concern was that DNA contains too much irrelevant but sensitive information - DNA can carry information about ethnic origin, health, family etc.
A variation on this problem exists with speech recognition technology which may carry information about accent or cultural background unnecessarily.
The reliability of some biometric systems is yet to be established.
Another concern is that the link between a person and the biometric may be unbreakable, even when it needs to be. If the system is hacked will the identifier be compromised?
Reconstruction, or 'reverse engineering', from a biometric identifier may be possible. A possible example is that a picture of a fingerprint may allow reconstruction of a forged fingerprint model.
Policing initiatives that require authentication systems should avoid the negative pitfalls of the Claytons ID management approaches, and build good identity management systems that can reduce privacy risks, and even enhance privacy, by adopting some of the following approaches:
- Use different identifiers for different purposes:
  - e.g. prohibition on the private sector using Federal Government identifiers (NPP 7, Privacy Act 1988);
  - e.g. iris recognition systems can be designed so that the iris scan identifier used for one system can't be linked to that used for another system.
- Use identifiers that carry as little information as possible:
  - e.g. arbitrary numbers, by themselves, carry no information about an individual;
  - design biometric identifiers to carry as little information as possible for the job of identifying;
  - design biometric identifiers that can't be easily 'reverse engineered'.
- If using biometric identifiers, use them to encode and unlock other authenticating information, e.g.:
  - fingerprint reader on a smartcard (no fingerprint stored on a central database) so that only my fingerprint can unlock the ID number and medical information on my medical smartcard.
- Don't identify if you don't need to (NPP 8, Privacy Act 1988).
  - Do you need to know a person's name for the purpose at hand?
  - If you do need their name, do you need to be absolutely sure of it?
- Don't authenticate identity if you don't need to - consider whether something else needs to be authenticated. E.g. you may find that you need to authenticate simply that:
  - the person is a licensed builder,
  - the person is permitted in the building,
  - the person is authorised to do this particular action.
The challenge we are facing is to balance privacy, policing and technological change.
I've described a multi-layered approach covering a number of different bases. Achieving a balance between policing objectives and privacy means that we need to:
- Use PETs and OFPC assessment framework for policing initiatives
- Attention needs to be given to developing a national accountability framework
- Recognise that there are good ID management solutions
- And use them
- Use technology that can identify people without creating a 'honey pot' for all the information about a person
- Achieving a balance with privacy will be worth it in the long run
The goal that privacy agencies and policing bodies should be striving for and working with each other to achieve is to reach a privacy/policing equilibrium.
This will mean that individuals feel trusted by the government agencies and organisations they deal with.
Individuals have control over who knows about them, and how much they know.
- Just the right amount of personal information is handled:
  - only the minimum necessary to authenticate identity and complete the transaction
The big picture is that policing initiatives need to be balanced with community values of privacy. There is a strong push for Identity Management. If we get it wrong society will be significantly worse off.
If we get it right we will achieve a society with trust, where people feel that they have control over their personal information and their lives.
This should be a shared goal for policing agencies and broader society because after all privacy is a fundamental human right, as is the right to feel safe and secure.
Footnotes
[1] The use of the Tax File Number provides a recent example of function creep. There is a voluntary quotation principle (Guideline 1.2 of the Tax File Number Guidelines[1]) by which quoting one's Tax File Number is guaranteed to be voluntary. When the Tax File Numbers first came into effect in 1988, for many people, the only penalty for not quoting it was that for some income, for example a dividend stream, you made an interest free loan for less than a year to the Tax Office of the difference between the top marginal tax rate and the marginal tax rate you paid (this amounted to nothing for high income earners and not much for most others).
Through a range of legislative changes since 1988, it is now the case that some Australians are not able to survive without obtaining and quoting their TFN (for example, to obtain unemployment benefits and a number of other interactions with Government). The function of the Tax File Number has moved from, as it was initially, a purely taxation-related function, to the present situation, where it is used to cross match data relating to government assistance of various sorts.