Privacy, anonymity and identity – PL 04 2011

From EuroDIG Wiki

31 May 2011 | 15:30-17:00
Programme overview 2011

Session teaser

Guaranteeing privacy and data protection in state-sponsored applications is essential not only for the safety and security of citizens, but also for building confidence and trust in such applications. Governments, therefore, need to create and use trusted reliable identities, so that they ensure the integrity, security and non-repudiation of the identity data used. These aspects will be explored during the session, with a focus on: citizens’ rights and control of personal data, privacy, anonymity and use of biometrics, among others.

People

Key Participants

  • Ian Fish, British Computer Society
  • Marie Georges, Council of Europe
  • Bogdan Manolea, European Digital Rights
  • Andy Smith, British Computer Society
  • Peter Wenham, British Computer Society
  • David Williams, British Computer Society

Moderator

  • Louise Bennett, British Computer Society

Session report

For the Internet to function, to be used to provide services, and to act as a channel for commerce, it is necessary to identify who you are dealing with. This raises a number of questions such as how much personal information is needed, what happens to that personal information once provided, and what control does the individual have over that personal information?

Speakers outlined that it was often not necessary to know exactly who a person is. In most situations, such as interacting with an online bank, it is important to know that you are always dealing with the same person (identification). Here, the initial registration process is fundamental. It is clear that for most Internet-based interactions the person is remote from the system with which they interact. Therefore, it is necessary to have a robust registration process to prevent fraud and identity theft.

How can online services work in order to minimise the amount of personal data that needs to flow through a single system, and how can a good trust model be used to corroborate claims made by a person in order to provide fast and efficient online government services? The challenge to prevent data mining starts once you begin linking databases together.

Participants reflected on the basics of data protection as enshrined in EU regulations and Article 5 of the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (CETS No. 108).

The use and collection of biometric data was also an issue. There is now an ever-increasing use and demand by governments to collect and use photograph and fingerprint biometrics, for example in passports. The concerns are that there is little attention to privacy or civil liberties when designing these systems, which could lead to significant risks to individuals. Further difficulties raised in this context concern people with disabilities with regard to specific biometrics.

Moreover, basing electronic administrative personal identity on biometrics induces a complete shift in the social contract: individuals will no longer adhere and be recognised on the basis of data declared basically at their time of birth, but will be socially tied up by their body. Given these aspects, there is a need for more public debate on this topic.

A further point of discussion concerned consent and the pervasive dissemination of personal information online. The risks of data mining and correlation of personal information to form comprehensive profiles of people and their lives justify privacy concerns. A possible solution using one-way trust was proposed, including how systems can best be engineered to prevent misuse.

Privacy experts questioned how the basic needs for anonymity in daily democratic life (i.e. anonymously accessing information, commercial information and administrative information), up to the different needs for identification, can be met, given that this possibility is not technically ensured on the Internet with the current basic TCP/IP architecture. Currently there is no anonymous, secure means of payment available online.

In dealing with people on the Internet, governments face the need to balance national security and privacy concerns. If the balance is too far towards privacy, it can prevent law enforcement and security forces protecting the country and its citizens, but if the balance swings to the other direction, it can lead the state to having too much information that can be misused or used for unintended purposes.

Transcript

Provided by: Caption First, Inc., P.O. Box 3066, Monument, CO 80132, Phone: +001-719-481-9835, www.captionfirst.com


This text is being provided in a rough draft format. Communication Access Realtime Translation (CART) is provided in order to facilitate communication accessibility and may not be a totally verbatim record of the proceedings.


>> LOUISE BENNETT: Well, I can see that privacy, anonymity and identity are exciting subjects as far as EuroDIG is concerned.

Sorry?

I was told that we should start straight away.

We will start in three minutes’ time.

>> LOUISE BENNETT: Welcome to the fourth plenary session on privacy, anonymity and identity.

My name is Louise Bennett from the British Computer Society, which is a membership organisation of over 70,000 IT professionals worldwide.

Four of my BCS colleagues, Andy Smith, Peter Wenham, David Williams, and Ian Fish, are on the panel, together with Bogdan Manolea from the European Digital Rights in Romania, and Marie Georges, a Council of Europe expert.

The panel will introduce four key issues concerned with identity assurance. Citizens’ rights and control of personal data, registration authorities and ID assurance. Rights and responsibilities of ID providers. Then we will have a dialogue on those. Then we will go to the meat of the subjects, privacy and anonymity versus security. And have a second dialogue.

In talking about citizens’ rights and control of personal data and anonymity, there are intrinsic risks associated with the creation of identity data, maintaining its integrity, security, and nonrepudiation, and these demand the highest standards of governance, which is after all what EuroDIG is about.

In some cases, this requires government involvement. It’s perception that identity assurance is trusted by all citizens internationally, and that it’s fit for a wide range of purposes.

Governments need to be able to identify their own nationals, to collect taxes, even though I think there are some in the audience who would think that is not a good idea, and deliver a wide range of services efficiently, without fraud.

They need to be able to warrant transactions and contracts within government and with its suppliers nationally and across borders, and they need to ensure that the global Internet is safe and a trusted place to do business.

In the UK in 2008, a very important report on this subject was produced. It was called the Crosby report on the challenges and opportunities of identity assurance.

And it put forward an important principle, which I hope the Council of Europe and the European Commission will take on and eventually that will be taken on by the IGF. And that was that the citizens should open their entry into any identity register in the sense that it shouldn’t be possible, other than for purposes of national security, for any such data, including biometric, to leave the register without the informed consent of the individual.

Verification of identity should be performed without the release of data.

This is a principle that the BCS and its professional membership endorses and believes has to be at the heart of identity assurance.

The key issue is that in the virtual world, we each want to know who we’re dealing with. But with varying levels of certainty, according to the context of the interactions. Here you can see part of my fantasy life.

When we identify someone, we sometimes want to establish that they are the unique biological being, as recorded on the birth certificate, and sometimes that they are simply a persona who did something at a different time.

When do you need to know that I’m the biological me and when do you need to know that I’m the same avatar or the persona you interacted with yesterday?

I would suggest that you need to know my biological identity when you are issuing a passport. But you only need to know my avatar when I’m engaged with an online game. Even if I want to withdraw money from my bank account that I opened last week, you only really need to know that I’m the person – persona who is using it and that I’m the same persona who deposited that money previously. You don’t necessarily need to know my biological identity.

So how can an individual control access to their biographic and biometric data after enrollment in any kind of identity scheme, be it a state one or with a bank or whatever?

Well, identity providers who create and maintain identities shouldn’t give to other people or use the personal data or biometrics associated with personal identity without the consent of the identity subject. And that is you or me. Except for very defined legal purposes, and these are principally in most countries defense and criminal justice.

This means that the identity subject must normally be given a choice of opting in to any plans to extend the use of his data or her data to other relying parties. That is organisations using that identity to provide a service or to share that data beyond that that was agreed when it was originally captured.

This is partly but not wholly covered throughout the European Union in the data protection and Human Rights directives and legislation that each country has put into their own legal frameworks.

However, the reality I think in most countries is that consent and sharing remain very complex and ambiguous issues. There is a lot of secondary legislation certainly in the UK and there are lots of hidden terms of service, some of which we heard a bit about during EuroDIG, and these are eroding them.

So the identity provider relying party and the identity subject all have both rights and responsibilities with respect to data sharing. I’m just going to focus on one key and often forgotten responsibility and area, and that is the responsibility of identity subjects. That is the responsibilities of us and I felt it came up very much in the last session. Identity subjects have responsibilities to provide accurate data to identity providers in the context of the level of security that is required by that provider, and they have a responsibility to assist in the maintenance and repair of that data if it changes over time, which they can do if they own that data.

Identity subjects also have other rights that are in European Union law. And these are rights to hold multiple identities, rights to anonymity and rights to the personal data held by provider, and most importantly to address if we suffer harm because of failures of identity providers.

For us, this leads to three questions that we hope will come out and perhaps we will get your views in the dialogue.

When we identify someone, we sometimes need to establish that they are a unique biological identity. And sometimes they are simply the same persona who did something at a different time. So what are the implications for this in running any kind of identity assurance scheme?

Secondly, how can an individual control access to their biographic and biometric data after enrollment in an identity scheme?

And, third, what responsibilities should citizens, that is all of us, accept to assure identity insurance information held by providers is accurate and current? So I’d like these to come out, I hope, in the dialogue.

Now I’d like to hand over to Andy Smith.

>> ANDY SMITH: Fundamental to any identity scheme, anyone that is going to work properly, is the initial registration. It doesn’t matter what the identities are, what they are being used for. An issue actually recorded the information that you need unless you have that information corroborated and you are sure that the information you have is accurate and reflects the business process that you need to support, you’re going to run into problems. You’re going to get hit with fraud. You’re going to have identities stolen.

So whether it’s Google, whether it’s applying for a passport, there is a need for authorities to ensure that the information that they gather is accurate and meets the business needs.

Now, there’s three main sets of data. There are the immutable attributes. And there are subtle differences between immutable attributes and the assigned ones. Immutable things are like your biological parents. Now, that is not necessarily who you think your parents are, you may have been adopted at birth. So your recorded parents and your biological parents may be different. Your gender at birth and your current gender may be different. So there is a set of immutable attributes that were there when you were born, who your biological parents were, your gender. There are few pieces of information that you can tie back to a bit of wet carbon, to a human being. Then you have assigned attributes and these tend to get recorded: Name, title, gender at the current time, health information, nationality, date of birth.

And around that, there is a third set of data-related attributes, and this contains all sorts of information around social interactions, your historical interactions with the world and with society. Credentials, skills, education, all the sorts of bits of information about you that get recorded and get used throughout your life.

And a registration authority should only record those attributes that are necessary. There is one good way of doing it. When someone is born, you can stick a chip in them and take a DNA sample, and then you’ve got the lot. You know exactly who they are. You can tie that DNA to their parents so you know that they are the legitimate parents. You can get a full hierarchical birth and parental tree, so you know who your citizens are. No one can steal their identity.

How many European countries do you think will adopt this model? You might like the photograph there. We will be talking about him a bit later. But, that is a guy called Eric Blair. But we don’t know him as Eric Blair. Very few people know him as Eric Blair. And I get him mixed up with Orson Welles. It’s George Orwell, the author of “1984.”

The way it really works and the only way we can actually do it in a practical environment and comply with legislation, such as Human Rights, data protection, is when someone turns up at a registration authority and asks to have an identity registered for some form of business transaction or some form of need. They will claim an identity and they will give you a bunch of attributes. And the first thing you need to do is make sure that that identity really exists.

And so you take those attributes, you compare them with other databases, you look for evidence and corroboration that identity exists in society and that those are interactions around history.

Then comes the hard part, and that is making sure that the person claiming that identity owns it. They have provenance over it. And it is really their identity and they are not just trying to steal that identity. We have big problems in Europe with people stealing identities. And in some areas, we have problems with people selling their identity.

Now, there were certain countries where it’s actually possible to buy someone’s identity and apply for a passport in this identity to get into Europe and be taken or perceived as a European citizen, when you’re not.

So I want you to – so once you establish provenance, you have to link and record all the information but you’ve got to put in some form of immutable link between the person and the recorded identity. Otherwise, if that link can be broken, it’s quite easy for someone else to steal it.

So, my view of identity is how you are perceived by others. It’s the bit of wet carbon, but it’s the relationship, the footprint you leave through history. It’s your interaction with everyone around you. And registrational authorities need to be clear about why they are recording information, what it’s needed for. Too many registration authorities try recording vastly too much information, and we need to try to get them away from that.

In fact, it’s only governments that really need to record the identity. If they are trying to ascertain whether you are a citizen, they are giving you a passport or registering your birth, they need that really strong registration. And it should be the case that only governments have the rights to ask for that. Everyone else it should be informed consent if they want to give that information.

So, I have three questions: What is a core identity? What attributes make it up? Have I got it right? Is the way I perceive identity correct?

Should biometrics be part of my identity? And if they are, that is great. If they are not, what else can you use? How else can you tie a physical person to their identity?

And who should have the authority to record a core identity? One that is beyond reasonable doubt, one that will actually stand up in court? And here again, don’t get mistaken by the need for an identity beyond a reasonable doubt and beyond reasonable judgment. As far as a court is concerned, they don’t care what someone is called. They just want to know that that person committed the crime and the person that they put in prison is the person that committed the crime.

It’s only where identity theft or crimes against the state, such as impersonating a citizen of a state come into play that that level of protection is needed. That level of identity is needed.

With those thoughts I’ll hand it over to Peter.

>> PETER WENHAM: Thank you, Andy. Well, rights and responsibilities of ID providers you could argue are actually irrelevant until you actually have systems supposed or real to actually apply them to. Because if you haven’t got a system out there, there is no point having a right or responsibility. But as soon as you start thinking about systems, as Andy has mentioned getting a passport, you need a system to get that, then rights and responsibilities come into play.

So here is just some example rights and responsibilities that I’ve just put up, just to get your mental juices going. You can see that we have an identity provider, but we also have a registrational authority, which is what Andy was talking about, where you actually go and register those unique biographic, biometric pieces of data that actually uniquely identify the piece of wet carbon that is you.

You have the user, and then we have the – a supplier, somebody who is going to provide some service.

Now, both Andy and Louise have talked about the rights of users and that, but I’ve got some here. And one of the ones I think is a right of a user is that the information that is held on them is accurate.

That, of course, we’re talking about an identity provider being separate from, in this particular example, from the registrational authority. So, the identity provider really has a right to expect that the information that they are being given by the registration authority is accurate.

Also, we need to make sure that the registrational authority needs to know that they have a legal obligation to give the identity supplier that information.

So let’s have a look at a possible solution. So here we have got the user. The user is going to undertake some transaction. But we have got multiple identity suppliers. It could be your bank. It could be the fact that you have a mobile telephone and therefore a mobile telephone account. It could be your local government being the provider or it could be the fact that you’ve got a document such as a passport, a real passport with a biometric chip in it that has been supplied to you by somebody else.

You want to go and transact some business, so the likelihood is, as we get into this joined up world, that you are going to go to some sort of hub. And if we’re talking about some government related business, that hub may be run by your municipality or run by regional or central government authority. And that is where you are going to log in, and from that hub you’re going to drive out to various services.

And I think we had a very good explanation of something like this yesterday, from what is happening here in Serbia, and the kind of things that can be done there.

But we have also now introduced the other layer, the attribute provider. So here we have got wealth data. That would be your bank. So you are going to transact to maybe pay your taxes. So the people who are collecting your taxes need to know that you’ve actually got the funds to do it. And that’s where the wealth data comes in. It’s an attribute. You’ve got other attributes about your education, about your health. So these all come together and we’re beginning to build quite a fairly complex picture here from you want to do something, you – we need to verify your identity, but now we are going to go off to some third-party to go and get some attributes to mesh it all together so that you can complete a transaction.

So let’s have a look at a worked example. Let’s assume that you have just moved into a new locality, that locality has on-street parking. Parking is heavily regulated. And you, therefore, need a permit from the local government in order to park your car there. But of course they’re not going to just give you the permit. They actually want to take some money off of you as well.

So you log on to the hub. You give the hub some basic data. The hub goes off and your car registration details are supplied up to the hub. Your other details are supplied into the hub and eventually all that information about the fact that you do now live at number 3 East Jean Cottages in South London, that you do own a battered car with a registration that is – and that car happens to be taxed and insured. Because all of that information will be there as well and that is passed through to the local authority, who then decides that yes, you are – you can have that certificate. And obviously in the background there will be some transaction going on with the bank to pay for it.

But all of that paints quite a complex picture. So, I have some questions which I’d like to put to you to consider, when we go get to the dialogue session. The whole concept of identity assurance, I feel, can be rather Big Brotherish, particularly to Jack and Jill Doe. How do they trust the process from the point when they were first registered they were born, so they didn’t really have any input to the process, did they? But that is the fundamental starting point is when they were registered into the system, the basic biometric data was captured.

Later on, you’ve got – you get telephone accounts, bank accounts, and we all know that people go off and you get fraud on people with – on bank accounts, on credit cards, et cetera. So how do we trust the system? Particularly if we – if we’re using a bank that supplied your credit card that got debited illegally last month, if they are one of your identity providers.

How can we ensure that an individual or a persona is who they say they are when they request a service? And more importantly, if something goes wrong, what mechanisms are in place for there to be a speedy resolution and redress process?

I don’t think anyone has talked about things going wrong yet. But we need to appreciate that things can and will go wrong, even if it’s only one in a million chance, that is an awful lot of people in Europe that things can go wrong for.

And, finally, my question is: Will it be up to the individual to ensure that the information held on them by an identity provider is actually accurate? And if it is, is it a case of ignorance is no defense? In British law, if you don’t know that a law exists and you go and do something, it is no defense to say that you don’t know. Is that the same case here?

I’ll leave you with those three questions, and pass you back to Louise to run the next dialogue session.

>> LOUISE BENNETT: Okay. Do people have some questions and points to make on the things so far?

Could I have a show of hands then, how many of you think that individuals should own their personal data and their biometrics and have control of those themselves? So all of you who think that, put up your hands.

(Showing of hands)

Well, I’m slowly getting you on my side. How many people think that shouldn’t be the case?

(Showing of hands)

>> LOUISE BENNETT: A couple.

It would be quite interesting to hear from those who don’t think that that should be the case. There are other things to do with how you – your right to anonymity and how you control your personal data and how identity assurance is done that people would like to ask about.

Am I the person – yes, there is a –

>> AUDIENCE: Thank you very much for this presentation and all of your work.

My name is Nasma Desler and I’m from Switzerland. And I have a question to one of the panelists. When you asked do you want to have your – the control of your own personal data, I mean, I said yes. But one of the panelists said no. And I would be really interested to know why.

Thank you.

>> LOUISE BENNETT: Who said no?

I think it was probably – I thought it was Andy.

>> ANDY SMITH: Are we implying that I said no? I don’t believe it’s ever going to be practically possible to have full control of all of your personal information. It would be a lovely place to be, but, unfortunately, we do live in a regulated society. We do live in countries that are governed elected, hopefully elected governments. And there are a number of laws in place both at local and the European level that require us to provide data to the government, to meet certain needs of the country as a whole, whether this be for social benefits, or gaining access to government services.

Obviously if you get in trouble with the law, they will want personal information from you whether you like it or not.

So, you should be in control as far as possible. But as we’re saying in one of the presentations that is to come, there are situations where it’s just not practical to do that.

>> LOUISE BENNETT: Could I have a European Commission or Council of Europe view on the points that we put forward so far, whether they accept that those are the right ways for the EU to go? Meryem?

>> MARIE GEORGES: Control is a big word, what is behind? I think when you are engaged in – in a certain – if you ask for some – to be beneficiary of some social things or if you are paying your tax and so forth, you should perfectly know what will be the chain of information.

If there is a control of your revenue from data coming from your boss and so forth, you should perfectly know all of this. And I think it’s – it’s very important that all citizens are aware of what are the flaws. Because for the moment, there is a movement, a trend, to simplify, I quote, to simplify things, because it’s true that the – in some times, the government is asking you a lot of papers that comes from different. So all of these papers was coming through you to one particular administration.

So you knew it was complex, painful, but you knew.

Now, you may not know any longer. But to have a responsible – I mean, for the daily life, of course, what I am saying is completely obvious. You need to know what are all of those, where they come from, because there might be an error somewhere. Maybe, you know, maybe your identity, the – the word “Revenue” all of these things may be different exceptions between different administrations. So you need to know all of this reality. It’s the administrative reality of your country and you need to know.

It is not controlling all data, you know, it is not asking for permission all the time. It is not that. It’s to have the real representation of all of this. And of course all these flows must be settled down, accurate as much as possible, no more than necessary all the principles of data protection, and this has to be put in regulations, implementing the principle, and you must know about that. Someone has to control it.

So you see the control is not that you are all – always going to look, no. No. No. But you know the general system, so if there is any problem you will have.

And of course the implementation of the principles are transparent. Either they have been adopted by the Parliament – here everybody talks about government. What is government? Well, you have Presidias, proposals by the government, the executive, by the Parliament, so you see. There are things like that.

But of course there are situations in which you need to give your consent and to be sure that, first, you are asking for something. Maybe you are not someone else that does the asking for you. I mean, so, behind the question of control, there are many, many different situations that we have to trust.

That’s what I wanted to say. But this question of control.

>> LOUISE BENNETT: Okay. Are there any more questions? Could you take the...

>> FREDERIC DONCK: Yes. Thank you. My name is Frederic Donck from the Internet Society.

I’d like to come back on the privacy angle and also in contrast with anonymity and secrecy. First let’s define what privacy is. Privacy is about sharing data in a specific context in a given scope. It’s all about sharing. When you share with your bank or data with your bank, you expect your bank to take those data into account and not share with someone else. The same if you share something with physical, in your private life, et cetera. It’s nothing to do with secrecy, which is about protecting or trying to hide your data. So I believe those definitions need to be made clear.

Anonymity today in the Internet I believe is very difficult to obtain when you see how the Internet functions, when you see all the ways to collect data about you, even if you were extremely cautious, but there are MAC addresses, fingerprints, you can define all of those.

But anonymity today seems extremely difficult to obtain.

This is also then about what it is that we hear by transaction. So anything that you do on the Internet is about having a transaction, sometimes with people you don’t even know that they exist. If you direct your Web browsers to some Web site, you just don’t – and that’s only half a transaction with this Web site, but with multiple intermediaries that come into play. So it’s just about transparency and the informed consent of the user about this transaction.

The Internet Society is well engaged in the privacy, trust and identity through the Kantara initiative. And I’d like to hear from the panel about what we call the personal data ecosystem, which is this system. Certainly that might minimize some of the risks that I just underlined, not totally, but certainly minimize, and it’s just about users getting authorization to a trusted source, an ID provider, to share the data that needs to be shared in a specific transaction. So I’d like the panel to say a bit more about that.

Thank you.

>> LOUISE BENNETT: Right. I will answer part of that question. And then I think I’ll ask the other panel members to speak.

I myself am very supportive of the Kantara initiative. I’m a member of that myself as well.

I’d just like to speak about anonymity. You can in a sense have anonymity. I’m sure that I’m not the only person who uses more than one persona on the Internet. In the same way that you use more than one credit card, you probably have a special credit card for Internet transactions, with a particular value that, if something goes wrong with it and someone takes your identity, you don’t mind – you don’t mind that. And if you’re doing an online game, people would rather interact with your avatar than – they don’t know who you are, necessarily. And I think you can be anonymous in certain circumstances. It depends what transactions that you want to do.

But we thought privacy would be the thing that most people wanted to talk about. So in fact I think at this point I’ll ask Bogdan to speak as the first of our speakers on privacy. And I think you’ll find that he will answer some of your questions.

>> BOGDAN MANOLEA: Hello. My name is Bogdan Manolea. I represent the Association for Technology and Internet. We are a member of the European Digital Rights. It’s a society that comprises more than 28 members from the EU. Now, my position would be totally different than what has been discussed until now. It should be normal because I represent here the civil society.

But before we go to that, and just to tell you a comic story about trusting, identity and proving yourself, and that because a couple of months ago in Romania it brought out one problem by the pensions. The pension had one person from Romania who had gone into space. And he went in 1972. Divin Dinaria. And now the state is asking him: Can you prove that you’ve been in space? How can we trust you?

We have photos with you, we know that you’ve been to the United States and so on. So how can we trust him? How can you trust me that I’m Bogdan Manolea? Maybe that’s my nickname. Maybe I’m someone else on Facebook. Look for me. I don’t know.

So just to see how many of you are still here in the room, and are not sleeping, how many of you have a Facebook account?

(Showing of hands)

And how many of you, if tomorrow Facebook would ask you to give them your fingerprint in order to identify that you are you, would do that? One, two, three. Thank you.

Why not? Because you don’t trust them. Well, that’s exactly why I would say the opposite. I don’t trust my government. And this is what the principle of the Council of Europe convention 108 tells you about, that I have the right not to trust my government. And I have the right to let them ask for my data only when I think it’s really necessary. And I have the right to question why do they ask for my data and in which cases?

These are the principles that you might know that are the authority principles in the convention. And I believe that this information needs to be very clearly specified in all the e-Government applications that we are talking about.

So we’re talking about different situations: That I need to pay my taxes. Why does the government need to know my identity when I pay my taxes? They shouldn’t. I know how much I need to pay. I can go everywhere and pay my taxes. I can ask my brother to pay my taxes. I can play poker online and I win money and I just give the other guy my bank account and why can’t I do that? Why do I have to prove that I am myself to pay my taxes or pay a parking fine?

Or the question of having a parking lot in my neighborhood, maybe I need to prove why. Maybe I don’t. Maybe we can find a way that we can implement the data minimization principle in the e-Government application that we use. And it’s not just that we are some bunch of lunatics or civil society experts that just want to do that.

The UN Rapporteur of the UN in a recent report on freedom, he mentioned that the government should allow anonymity in their application that they offer for citizens.

So, can e-Government applications run anonymity? It depends on the application. In some cases they might need to know who I am. But, who decides what personal data are requested? In most of the cases it is the person who designed the system. They rarely or only in some cases in most developed countries, they appeal to privacy experts and they debate this issue.

How many cases of e-Government implications have a privacy impact this month? They can tell you that we had the privacy expert that came here, he saw the system from one end to the other and can tell you that the data are safe.

And now let’s go to the biometrics. Do we really need biometrics in e-Government applications? Can we say that the government needs to have my fingerprint, for example, in order to access e-Government applications? Why do we need e-Government – why do we need, for example, fingerprints in passports? All of the time, you just take a look at the picture and that’s it. Sometimes they never look at the picture. The person at the customs, like it happened when I ended up now in Serbia. I said you’re trusting enough. You have a logo, that’s a good card.

Are biometrics reliable enough? A study performed in the Netherlands showed that in the case of getting fingerprints for people, they showed a failure rate of 21 percent. That is a huge percentage. I don’t know, I’m not a technician, but I don’t feel safe with it.

So, what are the current applications we see that more and more of the EU governments are asking us to give biometric data. The most well-known are the ones in the passports, in the RFIDs or in ID cards. But there is little discussion of how this has an effect or not on civil liberties and on Human Rights. And this has been highlighted by a recent letter by Privacy International, signed by over 80 signatures from 27 countries. That asks exactly that, for the Council of Europe to make a study to decide if there is or not an impact of civil liberties. But we see more and more this – using this, for example the biometric passports, it’s a success story. And if you look at the map on the right, which is from Wikipedia, you see with dark green what are the countries that have biometric passports this year.

And you see that most of them do. Why? First because for the States they are obligation. All the countries that have a visa free regime with the EU, they need to have biometric passports. But could you do an assessment on how they were made and how the data are collected and stored?

Probably in most of the cases, they just assume that there is a data protection regime. But are the data protection regime added weight? Well, if you look at Austria or the UK, we see that the European Commission is taking them to court because they didn’t properly implement the data protection directive.

If we look at other countries, we discussed I think yesterday about the lack of finance and the human resources, the data protection authorities, so who is controlling what here?

And I’ll just give you a couple of examples for the total respect for data protection from southeast Europe in two countries that I know directly. In Romania, when they implemented the biometric passport, in the first case, even though in the law it says they only need two fingerprints, they took ten, why? Because they could, technically. They would say you need to give all of your ten fingerprints and the person did, because he wanted the passport. He wanted to go abroad. Also, they kept the data for an undetermined period. Why? Because they could. They didn’t care about the law. The application authorities said that no, they solved the problem right now, they never made any kind of study afterwards.

Now, in Moldova they are working very much for that. So part of the requirement is to have the biometric passport which is obligatory for all citizens starting the first of January of this year, so they decided to make a central database with all the fingerprints of all the citizens that are asking for biometric passports. The state register that is gathering all the data is also the state register that is having all the photos, that is all the car registration and car owners and previous car owners. That is also the database of all the companies.

Also the database of – and we can go on, they have about six. And of course they say that the data is not in the same server, which is true. But they can logically be put together.

Who can assure me or the Moldova citizens that they will not do that? These are the questions that I wanted to raise. So, after two more presentations, you may ask for questions.

>> LOUISE BENNETT: Yes. Ian, if you could...

>> IAN FISH: I’m not going to do much that is very technical. And I’ll probably ask more questions than give answers, and hopefully that will help.

I also would like, before we start, to say that it might not be clear, but BCS’s actual position is close to that which Marie was talking about, which is essentially transparency and consent underpin everything in the data protection field. And you have to have data minimization and not retaining it for longer than you have to, obviously. So there is not that much difference.

Let’s start by talking about consent. I’m going to talk about this as a hypothetical system. First is public sector. I believe – maybe we will talk about that in a minute. But when the government uses my personal data, they tell me how and who is using it. But am I right? That comes back to my view to consent and giving the consent in the first place and the transparency of what happens to it thereafter. If I haven’t consented for it to go from ministry A to B, if it does go there, I should be – I believe that I should be told.

And then I should have perhaps the right to stop it happening.

I call this law enforcement, but we are talking about serious crime and national security.

There is no consent of what has happened with that data. I believe that if I have done wrong or I’m doing wrong, that it may happen without me being told. But am I right to believe that? Should it be like that? It’s an interesting point for questions, for discussion, I think.

Secondly, commercial interactions. I believe here that what is done with my data is done with my consent. But is this really true? I’m hearing all sorts of scare stories now about companies track my movement, my interests, my spending habits. We talked a lot about that in the last day and a half. I don’t know whether that is good or bad at the moment. It’s probably worth discussing.

On the social interactions, informed consent, well, we have heard quite a lot about this. But perhaps do I actually care? If I was one of the people doing the – the workshop that preceded this, perhaps I don’t. Or perhaps I’m starting to think more carefully about my privacy. I just throw out those questions.

The problem is, and this is very UK centric and I apologize except for the international bits on it, the personal information about me is everywhere. This is probably only a sample of the databases that we might be registered on. We might have been deciding that really when we go shopping we want those points. So somebody is tracking what we actually buy. We go in for a lot of social interactions, either on or offline. There are government records. My career gives us lots of information as well.

The problem here is, as I think Bogdan just said, it’s getting easier to correlate and connect data mining on multiple databases. Can this ability be minimized? Should it be? If so, how? And who would be responsible for doing such a thing?

Now, we have also just heard about a centralized database in Moldova I think. It seems to be the first resort of many governments. We had the same thing happening with our national ID card idea. It didn’t actually come to pass in the end. Of course, there are arguments for it. Some say that it’s easier to place security around the data if you have it only in one place, and also big arguments against it if your intentions were not good. But the whole argument about putting security around entities in a structure holding your personal data is at what point do the number of people that can access it become such that it’s accessible to the whole world? And again, when does that matter and when doesn’t it?

The way we’re moving now is more into using privacy enhancing technology, thinking about that, and trying to find ways to minimize, and you said earlier, the amount of data held for particular purposes. Personal data. If you don’t need more than your name and address, then you won’t have more than your name and address in one of the caches for the information that needs your direct confirmation. So it’s a one-way trust model.

There are lots of privacy enhancing technologies that can be used. And, in effect, for example, there can be one that you can have where software compares use of preferences with privacy policies, and how that is different. So you don’t have to read that in terms of those policies.

And there are some very technical ones as well to do with rewriting things in certain languages so that they become readable by machines. So privacy policy is written in languages – there are lots of technical things in privacy. And that in itself is a bit of a problem. Because if you don’t understand how the privacy enhancing technology works, either as a provider or user, are you going to use them? So that is another question.

But I have three questions that I think we probably will talk about at the end. How does an organization balance that need to know against need to disclose? How do you establish a culture of privacy within an organisation? Now, this is within the organisation, because it is actually important that there are issues of culture here, individual and organizational. And looking at the privacy enhancing technologies, how can we make them understandable enough so that they get used? And I would say here that there have been claims made for privacy enhancing technologies over at least 15 years. I’ve seen papers from 15 years ago which claim that such and such a technology is going to change the world and it hasn’t. So this is a real issue, the complexity of privacy enhancing technologies means they often do not get adopted.

Thank you.

>> LOUISE BENNETT: Thank you. Now, we will hear from Marie.

>> MARIE GEORGES: It’s difficult to follow all the logic and everything. I’d like to start back at the beginning. Is there a right to anonymity in our society? Someone can answer? Is there a right to?

Well, in some countries, they are. And when we are modernizing the convention 108 on data privacy, the Council of Europe asked in the public consultation if there should be, in addition to all the principles, the general basic principles, explicitly the right to anonymity. And among, you will have the result, it is not public yet, but I can tell you that the tendency is yes, it should be recognized.

There is only one response which was no, because in a way we know each other. We see each other. Even if we don’t know a person, when you see the person in the street, we can remember the face. So there is no anonymity completely.

Well, it seems to me that the question was raised recently more and more. It’s because if it’s true that in the reality there are many cases in which you have the right to privacy – to anonymity, which is very important, it is not well established within the Internet world, I quote.

For instance, when you look for – when you exercise your right to information and you go to search engines, there are traces. And they are kept. They may be kept.

If you go to a store in the street, you can get in, look, get out, not get anything, you just have seen the price and everything, you go somewhere else, no traces of that except in your mind.

On the Internet, okay, they don’t ask you your name and so forth, your identity, prove it. And if you get in a shop, a Web site, commercial Web site, but traces again, IP, time and so forth. And in your access provider, there is that you have been to this site.

And I could give other examples. So I think we have a basic problem with the current architecture, which does not accept very easily, and some governments are taking the opportunity of that to make obligations to keep long-time. And the question of retention, which is again on the table, and so this is really a problem.

If you think about the last architecture we had with other media, you would say that there had been very much differences. TV, cable TV, which were in three architecture or where, in the star architecture. In one case it was bad and the other one you had everything home and you could choose and nobody would know what you are looking at the TV. So there is a real question of architecture.

Secondly, there are – when you need to identify yourself, there is all kinds of social means you use. When you get in connection with someone you don’t know, you see maybe the name, full name, just a man, such, also the first name. But you don’t give your address at first and so on and so forth.

You have all of these things. And it seems that if the world of digital technologies have to help us, empower us to be in all our way of life, we need to have all of this flexibility.

Now, getting to identity insurance as you were talking at the beginning, there are situations in which you need to say who you are. And it’s true that the first time you have been registered of birth, that was in my country, in the 16th century. It’s the state, it was the king at the time who, in a certain village, this I did and everybody there would be a register. So we have still with this question of what is the identity? I would like you just to think what is identity.

Administrative identity, it’s mainly based on your birth certificate. There is no question of biology. It’s a declaration by you, who is the father, who is the mother, the situation in which there is no father and so forth. All these complicated things.

And how you prove your identity in the social life, you have even – I mean, in many countries, the proof of identity basically is based on freedom. You can prove your identity by any means. That is a principle in democracy. Of course, as principles, basic principles, you may have delegation regulated by the government. Like you may have to prove your identity by showing your family paper, by a card of identity, or a permit to drive, maybe. All these very different things.

Now, in the digital environment, especially, maybe you heard about a big battle when Microsoft tried to issue a passport that would be useful for everyone, by Microsoft. What happened? Libertarians came up. A number of providers – this is a concept that is very interesting. Think about what is in a democratic society, an identity provider, when you think about what is your identity? Oh, okay, well, think.

Because, you know, I’m sure the situation today is not the end of the story. So I think it’s still useful to have some thought, even if we have to take daily decisions. So Libertarians came up saying that we can provide, when necessary to others, identity with a certain level of guarantee. And so there is not one model. One model.

So, when we came to – but we don’t hear any longer about – if Microsoft could give us some news about the Libertarians. No? We don’t hear. But we may. We may if there is new steps by governments. In some countries you have already an electronic card to be used on the Web, which are delivered by the state, and there are some countries for which – to get this, you have to give all of your fingerprints in some countries, not all, but some. And the tendency is on this side.

So we have to go, as my friend went into the biology and so I think here also we have completely social change, proving your identity if it’s at this level that we need it by your body. For me, it’s a little bit like middle age, huh? With ties to your government by your corpse. So think about that.

Also, like Meryem Marzouki could say, excuse me, I quote you, it’s a complete change in the social contract we have in a society. We were not linked together to our nation, to our national nationality, by our body. It’s completely changed. What is the effect?

I won’t talk too much about the domain or validity of each biometric, but there are always limits. Think about my friend who was born without hands, I have a friend without hands, how about to give – the huge debate that we had some years ago, about at what age the fingerprints are stable? Six years old? 13? So even the regulation issued by the EC had to take care of that. Okay?

To old people and many other questions about the validity, including the particular systems sold by a certain...

So we have a huge – if we get into the question of biometrics, we get into a huge space of questions. Just let me also tell you that in Korea, when they introduced this card with the ten fingerprints taken, people would tell me of course now we find the people dead, murdered, without hands. So we can’t identify the person.

You can think also a situation in which people will cut their finger and so on. So we enter into a very big new area.

Now, about the request that Bogdan was talking, the request by the IT organisation in Europe to the general secretary of the Council of Europe, asking for an investigation and query about those biometric systems used in some countries in Europe in the Member States. I would – I can add that parliamentary of the Council of Europe also asked the Council of Europe to make studies on that. What are the impacts of biometrics, asking also for harmonization of laws, saying in which situation it’s lawful to have biometrics.

I would like to answer on behalf of the Council of Europe two things. First, the request that had been sent by those associations is going to be looked at. They had been transferred to three bodies of the Council of Europe for consideration and making those investigations: The assembly of Parliament, the commissioner for Human Rights, and the committee of the convention 108, which is on data protection.

Yes. Sorry, I am long. I’m at the end, but I thought I should give you that information.

So there will be an answer which is going to be constructed by several bodies. Of course they will receive the association, because they have knowledge, but they will make studies, and there will be an answer. But as I told you, it seems to me that this kind of investigation needs to go at the level of philosophy of our society and not only on – day-to-day problems. Thank you. Excuse me for having been long, my English also.

>> LOUISE BENNETT: Thank you very much.

David, I’m sure you’ll be very short.

>> DAVID WILLIAMS: I’ll do my best.

Good afternoon ladies and gentlemen. My name is David Williams, as you can see. And the issue I want to look at is considering that one of the key success factors of getting public confidence in any – sorry, identity assurance scheme is to ensure the information is only available to the legitimate agencies for specific authorized purposes. And that wherever possible the data subject is in control of the dissemination. In other words, we have trust.

However, to ensure the security of States, sometimes it’s desirable for security agencies to have access to the information about individuals. At times for reasons of national security it may be necessary for the state to do this without the individual’s knowledge. Here I refer to the Universal Declaration of Human Rights, article 19, which states that everybody has the right to hold opinions without interference and everybody should have the right to Freedom of Expression. But goes on to say the exercise of these rights carries with it special duties and responsibilities. It may be subject to certain restriction, but these shall only be such as provided by law and are necessary, A, for the respect of the rights or reputations of others. Or, B, for the protection of national security or of public order or of public health or morals.

Now, the issue that I want to address is how can this be addressed in a proportionate manner without losing the trust that I just referred to or offending people’s personal liberties? Clearly there is a balance somewhere to be achieved. National security against the right of privacy.

And for the next couple of slides, just an illustration of what could happen if we get it wrong. For example, if we go too far, and suggest that privacy – we – too far on the side of personal privacy, then terrorism takes too much of a hold within the democracy – democratic society. Let’s put the words right.

And a few examples there, which I’m sure are familiar to everybody.

If I go the other way, and Andy I think referred to George Orwell in “1984,” the picture on the right may not be as familiar to you, it’s actually a picture of a memorial in Washington, D.C., and those are faces of Jews. Now, those pictures were actually of Jews in Amsterdam, just at the beginning of the Second World War. The Gestapo saw those pictures and you can imagine the consequences, which is why that is a memorial. Today obviously we have the digital equivalence.

So, the questions that really I’m posing or the point that is always going to be a difficult and subjective issue, state security is primarily about protecting life and a democratic way of life, I would suggest.

Personal privacy is allowing individual people to protect their way of life as long as it does not impact in a negative manner on the lives of others.

What we see in article 19 is a high level statement. But if you start to unpack it at a slightly lower level, a number of questions come out.

For example, what is included within state security? Certainly, people would argue for counter terrorism, what about money laundering, taxation and so on? What can be regarded as a state security apparatus? Is it security agencies? Does it include law enforcement, the military, local councils? And what is becoming increasingly evident, terrorism particularly doesn’t recognize national borders.

Can one state apparatus pass information to another, where it may not know about it? Are there any controls in the system? What information are we actually talking about? Can it be browsed? Do people have to get warrants to actually request information? How long can they hold the information? Is there a good way of destroying this information? And is there an audit of the whole process?

The security of data on the move I would suggest is also important. And I’ve noticed in various stages here in EuroDIG people have been talking about privacy and purely data, which is static. There are also issues about data on the move, I would suggest.

I’ll leave the questions that I hang, and I’ll pass it back to Louise.

>> LOUISE BENNETT: Would you take the microphone over there.

>> AUDIENCE: I’m from the Ministry of Interior in Germany. My impression was that you were always talking about the most thrilling challenges of privacy, anonymity in the age of Internet. Many of the things that you are talking about are the battles of the past. If a government should take fingerprints, if we should talk about – well, what is the most dangerous thing for a citizen?

And when I see the Internet, and I Google myself, today I got many, many information about myself. And this information – it was not all information I entered myself into the Internet. I registered here, so people can see me on the list. They know that I was in Belgrade over this – over these days.

I joined other networks, for example, and this will all stay on the Internet. So the Internet is growing and it’s growing very, very fast. And we all fill the Internet. And these data, this information, this is all public. And everyone can – in the future, even if we have more information, there might be some kind of an identity picture of everyone in the Internet and everyone can Google it and see it on the Internet.

And what are we doing with this information and these data? And when it comes to biometric, everyone can take a smartphone, take a picture of his neighbor and can Google with this biometric data and he gets information. He knows the name, he knows some more information about him.

And I think these are the real challenges, because when we talk about this and restrictions of some of these services, what we are talking about in Germany, it’s about restricting the access to public data in a way. And that’s a real challenge.

So how do we handle this? On one side it’s personal data, and personal data is part of public data in the age of Internet. Shall we do nothing on what services shall we focus on, some kind of profiling or whatever? I’d like to hear some answers on that.

>> LOUISE BENNETT: Can we have quick answers? Because we have several people queuing up.

>> Can we have the questions up on the screen. It’s easier to follow the discussion.

>> I’ll just pick up on a couple things on the privacy side. Privacy is important. But it’s getting difficult to wrestle control back. And that’s where we are. That information is out there and it’s going to stay out there. If you know my e-mail address from 1988, you can actually still find on the Internet e-mails I sent in 1988. And I’ve got a history that runs on the Internet now for far more years than I care to remember. And it’s – but, I’m lucky I’ve got a name, Andy Smith, so it’s actually quite hard to find the information about me, maybe, because there are so many Andy Smiths. But, if you have a unique name, it’s very easy to find information about a person.

And I don’t think it’s going to be possible to wrest control. Maybe I’m wrong, maybe at some point in time there will be tools or services or capabilities that can go around the Internet and remove all of that personal information. But I honestly don’t believe that that will be possible. So, yes, privacy, great idea. But you’re going to have to try and look after your own data.

>> LOUISE BENNETT: Bogdan, you wanted to say something and then we have got four more questions.

>> BOGDAN MANOLEA: The direct answer to that question I’m sure leaves us straight back to the previous discussion on new media. It’s a question of what data on that Internet will you trust about yourself or another individual? It could well be that you’ll get a huge – so you’re back in that quandary again I think.

>> Actually, yesterday, there was a workshop and I think they discussed over 45 minutes about these issues about personal data on the Internet, but behavior targeting, social networking and searching. So it’s difficult to resume that in a couple of minutes.

But, part of the answer is also on one hand educating the users about the information that you put online. You can always be anonymous when you want under certain circumstances. On the other hand, it’s using your rights as a data subject. This is part of the solution. Maybe not a perfect one, but this is I think a long discussion.

>> LOUISE BENNETT: We have got a remote question.

>> We have a question from the Ukrainian hub. Is it possible to create free world certification services, like DNS system, to issue certificates with certain biometric parameters for all over the world? This is the question.

>> I think the industry of fingerprints will be very happy. Thank you. That’s what they are looking for.

>> We are seeing this already with fingerprints and passports. The Schengen area has fingerprints in passports. The United States is taking fingerprints. More and more countries are taking fingerprints to either get a visa or gain entry to a country. So, raw fingerprints are becoming an accepted norm, which can be unfortunate, because they are not infallible.

>> AUDIENCE: I posed this question this morning in the cybercrime discussion, I think that’s a valid topic to be discussed there, but it’s something that is relevant here as well.

Speaking of rights, my right to see exactly how certain services use the data that is over there, that is a right that yet has to be established. So, European – the Council of Europe, et cetera, et cetera, take note. This is, if you want to see how to help me, help me in that way. Empower my right to know exactly how my data is being collected, corralled and how it is being used.

And I used another example in the morning again, sorry for cross posting again, and that is when I log into Facebook, you know, it asks for my e-mail. And often I put the e-mail there and I forgot – I automatically put the password for my e-mail, not for Facebook to enter. So that goes into a database there. So I want to know exactly how those kinds of bits of information are being used.

Again, you’re speaking of rights. That right is not yet established anywhere for me to be able to use it.

>> LOUISE BENNETT: Marie, do you want to answer that first?

>> Well, you have been – being a European citizen you have the right to know what information Facebook is collecting about you. The question here is if Facebook is located on the European territory or not. That is the tricky one.

Now, I don’t have a Facebook account so I can’t tell you for that. I would have checked that privacy policy, but I remember at least for some countries, they used to make the agreement with Facebook. I don’t know if I’m not mistaken. And I think this issue was raised in yesterday’s workshop in regards to if Facebook could be liable directly to the European laws or no. If you want to add on that.

>> MARIE GEORGES: In my view as an expert, but my voice has not been heard by many people for the moment, the criteria of the applicable law in the directive, which says when the controller is not on the territory of the European Union but outside, but use a means located on the territory for the purpose of his data processing, okay, he has to – I mean, the European law applies.

The problem that has not been resolved, neither by the article 29th group of regulators, nor by the Judges when they had the case, is what means, the mean – in the philosophy of the writers of that directive, the means could be anything. It could be the human collecting the data and sending it away or putting it on paper or it could have been the PC, even if this PC was not under the ownership of the controller.

It’s clear. So, – so – for Internet, does it work? You can’t use Internet without having some screen, some device.

The device – so any controller outside of Europe or in Europe can’t operate data processing without using the device of the person. That’s clear. Why Judges did not understand that, I don’t know.

Why does article 29th group say it lives the cookie. Yes, the cookie makes the application of the law of Europe. Because the cookie is – is the cookie of the controller, of the service provider. It have it’s means. Of course it was badly translated by equipment sometimes in certain language of the directive.

But, the mean, it can be anything in law. Huh? It’s – that’s the good thing to have general principle, general definitions, so even if they are he have lu, the principles are still pertinent.

That’s my answer.

Now, you have to know that for huge enterprise, working on the world level, I observe two things. First is the first time in my life that I found that one service provider wanted to send the same product or same service everywhere in the world does not take the higher level of protection in that field to do one product and send it everywhere. In all industry, that is the rule. All the advocates, lawyers, will tell you that. Will give this advice to their clients. With data protection, not yet. I don’t know. I don’t know why. Thank you.

>> LOUISE BENNETT: I fear that we have run out of time. I’d like to thank the panel on your behalf and thank you for your participation.

(Applause)