Since the mid-1990s, a range of technologies have been developed to assist privacy rather than threaten it. The term commonly used for these is privacy-enhancing technologies (PETs). PETs help mitigate the effects of privacy-invasive technologies (PITs). This segment provides background information on PETs.
There are three categories of PETs:
Many technology applications gather data, collate data, apply data, or otherwise assist in the surveillance of people and their behaviour (the “PITs”). Among the host of examples are surveillance technologies (such as CCTV), data-trail generation (such as keystroke monitoring) and identification through the denial of anonymity (e.g., telephone caller ID, loyalty cards and intelligent transport systems), data warehousing and data mining, and the use of biometric information. In an internet context, there is considerable concern about the various types of malware, including viruses, worms, trojans, keystroke-loggers, 'spyware' and 'phishing'.
Some PETs are designed to counter the effects of PITs. Examples include spam filters, cookie managers, password managers, personal firewalls, virus protection software, SSL/TLS for channel encryption and spyware sweepers. Other, more advanced PET services display to the browser user information about the owner of an IP address before connecting to it, monitor inbound traffic for patterns consistent with malware and hacking, and monitor outbound traffic for spyware-related transmissions.
In some projects, it may be appropriate for organisations to advise their users on how to protect themselves against malware and how to protect their authenticators (such as passwords). There may be benefits in going further and offering users assistance with matters such as the installation and configuration of software such as web browsers, firewalls, and anti-virus and anti-spyware packages.
The effective incorporation of PETs into a scheme may reduce pressures on privacy that result from programme goals or efficiency requirements, with little increase in cost.
The first category of PETs described above does little to stop the accumulation of personal data. Another approach is available which sets out to deny personal identity by providing anonymity. Examples include anonymous ('Mixmaster') remailers and web-surfing schemes, and anonymous e-payment mechanisms. (Beware, though, that some remailers and payment mechanisms have been described as 'anonymous' even though they are not, because it is possible to trace transactions to the people who conducted them.)
There are many circumstances in which organisations can and should permit anonymous communications. Examples include general enquiries, and the provision of generalised (as distinct from person-specific) information and to support 'whistle-blowing'.
On the other hand, many of an organisation's mainstream business processes cannot be conducted with anonymous users. The reasons include the inability to prevent fraud, the likelihood of inappropriate access to personal data, and the need for some kinds of transactions to be recorded against a person's records.
With anonymity, an organisation is prevented from identifying the person with whom it is dealing. Pseudonymity refers to a situation where the person's identity is not apparent, but could, under some circumstances, be discovered.
Genuine anonymity has the disadvantage that it can be used to avoid detection of criminal activity. Most people would be prepared to use pseudonymity instead, as a more balanced form of privacy protection. However, they may need assurance that their identity will not be revealed without due cause.
A pseudonymous transaction is one that cannot normally be associated with a particular individual. Hence a transaction is pseudonymous in relation to an individual if the transaction data contains no direct identifier for that person and can only be related to them in the event that specific additional data is associated with it.
To be effective, pseudonymous mechanisms must involve legal, organisational and technical protections, to ensure the link between a transaction and an identifiable individual can be achieved only under appropriate circumstances. Examples of relevant techniques are:
Pseudonymous techniques can provide innovative ways of addressing fundamental issues in system design while protecting personal information. Such technologies can potentially provide secure identification to reduce fraud; secure networking to reduce losses from theft; and secure payment systems that dispense with the administrative costs of cash while permitting high levels of user anonymity and privacy protection. Cost savings and privacy protection need not be opposing values.
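As an added illustration (not part of the original guidance) of the pseudonymity model described above: transaction records carry only a keyed pseudonym and no direct identifier; the key needed to relate a record back to a person is held by a separate custodian, who re-identifies only with a recorded justification; and, as a contrast, an unkeyed hash of an identifier is shown to be traceable by anyone who can guess the identifier. The class and function names, and the sample identifiers, are assumptions made for this example.

```python
import hashlib
import hmac
import secrets

# Constructed sample identifiers for this example (hypothetical, not real people).
KNOWN_IDENTIFIERS = ["alice@example.org", "bob@example.org"]


def make_pseudonym(identifier: str, link_key: bytes) -> str:
    """Keyed pseudonym (HMAC-SHA256). Without link_key it can neither be
    reversed nor rebuilt by hashing a guessed identifier."""
    return hmac.new(link_key, identifier.encode(), hashlib.sha256).hexdigest()


class LinkCustodian:
    """Holds the link key separately from the transaction store. Re-identification
    is the 'specific additional data' step: it needs the key, a candidate list of
    identifiers, and a stated justification that is written to an audit trail."""

    def __init__(self) -> None:
        self._link_key = secrets.token_bytes(32)  # never stored with transactions
        self.audit_trail: list = []

    def pseudonymise(self, identifier: str) -> str:
        return make_pseudonym(identifier, self._link_key)

    def record_transaction(self, identifier: str, amount: int) -> dict:
        """The stored record contains the pseudonym only, no direct identifier."""
        return {"pseudonym": self.pseudonymise(identifier), "amount": amount}

    def reidentify(self, record: dict, justification: str):
        """Link a record back to a person only with a recorded justification
        (the organisational control); returns None if no known identifier matches."""
        if not justification:
            raise PermissionError("re-identification requires a recorded justification")
        self.audit_trail.append((record["pseudonym"], justification))
        for ident in KNOWN_IDENTIFIERS:
            if hmac.compare_digest(self.pseudonymise(ident), record["pseudonym"]):
                return ident
        return None


def unkeyed_pseudonym(identifier: str) -> str:
    """Plain hash of the identifier: often labelled 'anonymous', but anyone who can
    enumerate likely identifiers can recompute it and so trace the transaction."""
    return hashlib.sha256(identifier.encode()).hexdigest()
```

A second custodian with its own key cannot link the first custodian's records, which is the property that makes the scheme pseudonymous rather than merely obscured.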