Identity, privacy and the law Lorna Brazell firstname.lastname@example.org SCL Information Governance conference May 2009 Overview • Identity and privacy • Identities and partial identities • The private space • Territorial, bodily, media, information • Identity in law • In transactions • identification and authentication • In travel • MRTDs, ePassports and eIDs • Brave New World: • ambient intelligence and traffic data retention – • is data protection law sufficient? • Privacy-by-design • Organisation-centric and user-centric data (identity) management Identity • An identity is a set of attributes • Name, age, nationality, gender, qualifications, golf handicap, fingerprints, DNA sequence… • biographical or biological • No legal definition in English law prior to Identity Cards Act 2006 • Not seen as a legal issue… e.g. informal approach to naming • Cf civil law countries with limited list of legally allowed names, central registers of citizen and aliens • Name is a very inadequate identifier in most cases • Few names remotely unique • Does not convey any definite information about the bearer • Easily changed by declaration or deed poll Identity • What information is necessary to define an identity? • It depends! • Commercial relationships e.g. mortgage: age and salary • Social relationships e.g. golf club: handicap, salary and 'who you know' • Political relationships e.g. voting: nationality/ legal residency • Each comprises a different 'partial identity' of the same physical individual • Individual may conduct themselves differently – and possibly incompatibly - in each context • Ability to do so depends on ability to keep other aspects of life private Privacy • What is privacy? • Territorial • Bodily • Media • Information • Legal regulation • Land law – "my home is my castle" • Human rights – habeas corpus, limited police rights of stop and search, right to refuse medical treatment • Law of confidence – right to restrict possession/ use/disclosure of information obtained in breach of confidence • Data protection • And freedom not to have to identify oneself in day-to-day life • E-Privacy Directive Identity and Privacy: biographical • No clear boundaries • Information falls on a spectrum of confidentiality: • Schools attended – matter of public record and notice at the time • 30 years later may be difficult to uncover without disclosure • University societies or political groups – never entirely public, but at the time observable by fellow students • Law of confidence: protection may vary according to the circumstances/ relationship • Data protection: protection depends upon the exact nature of the information and upon other information held by the same controller • Neither 100% transparent to the ordinary citizen Identity and Privacy: biographical • Special cases: • Law of media privacy • Emerging from ECHR Von Hannover decision • Murray most far-reaching UK case to date • Reklos and Davourtis v Greece - potential image right? • Impact on CCTV? • Public communications systems: • "anyone using a public telephone system has to accept the risk of being overheard" (Malone v DPP) • In Malone, each wiretap was cumbersome and information capture/storage/analysis capacity was relatively limited • Cf RIP Act, current furore over traffic data retention proposals? Identity and Privacy: biological • No clear boundaries • Information falls on a spectrum • Immediately observable – height, (approximate) weight, ethnicity, to • Detectable only with sophisticated equipment – DNA, iris patterns, true hair/eye colour… • Some always confidential/ sensitive personal data • ECHR ruling on UK DNA database • Joseph Rowntree Trust report on UK databases generally…. • Other depends on context in which held Identity in law • Verification and authentication • Does such an individual/ identity exist? • Is the person claiming it the person actually entitled? • 'Brute force' solution: organisation-centric ID management • Capture all information (biological and biographical) about every individual from birth onwards and hold it in an enormous database • Any objections….? • loss of privacy • Incalculable potential for abuse • Appalling potential for identity theft and data loss Identity in law (1) Transactions: • Commercial – is identity relevant at all? • Only really need to know creditworthiness or authority level in counterparty • Both separable from individual's genetics and most of personal history • With public administration – ditto? • Only really need to know entitlement • to information/ services • to vote Identity in law (2) Travel • MRTDs, e-Passports, eIDs • What aspects of identity are relevant? • Citizenship • (terrorist affiliations… • … everything the individual has ever said, done or thought • …. Everywhere the individual has ever been….) • Balancing risk to individual privacy vs national security: • High level of assurance as to physical identity • Biometrics • High level of data security, surely? • But mass travel suggests convenience and speed of processing just as important… Identity in law • Is the single all-embracing eID really a solution? • The more applications to be covered, the more information must be stored/ linked • greater potential for abuse • greater risk of compromise • No such thing as uncrackable security of a misappropriated smart card • "Those who would give up essential liberty to purchase a little temporary safety, deserve neither liberty nor safety" Brave New World • Ambient intelligence/ the internet of things • Electronic devices generally equipped with data recording and communication potential • Broadband communications both within and outside buildings • European broadband performance index launched September 2008 • Massive increases in sophistication of data processing • E.g. ability to infer emotional states from facial expressions • A future of continuous undetectable sensing, analysis and feedback • The intelligent house/ office • Personalised location-specific services • Directions, goods/service availability, stock market updates on the move… Brave New World • Requires identification for all participating components • RFID • passive, low information on tag, low read range to • sophisticated, high data storage tags and long read range - reaching commercial viability in the near future • Applications – access control, ID cards, event ticketing, tracking in supply/ distribution chains • Future – remote monitoring of ambient conditions e.g. for food/ drug storage, environment. • Current supply-chain tagging mostly at pallet/ carton level, but trend toward individual item tagging as prices decline • Requires compatibility of data storage and transmission formats/ protocols Brave New World • Add in • SNS and Twitter • the limitless public disclosure of detailed personal information…. • Automatic numberplate recognition systems • Ubiquitous CCTV…. Brave New World • Challenges: • ability to trace information and join to profile individuals • potential pervasiveness of tags and readers – tracking of individuals without their knowledge • "the wearer of Rolex no. 1234567 has just entered your shop", or • "this shopper carries no luxury items: refuse credit" • Is this personal data at all? • protection of personal data, • redefinition of privacy? • control of boundaries of personal space is lost • Security risks – speed of cloning, skimming of data, confidentiality Privacy by design • Unrealistic to aim for total privacy or total security • Aim for • minimising data spillage or disclosure • Enabling data sharing within the control of the individual • New relationships of mutual trust • Both within acceptable standard of convenience Privacy by design • Principles: • Notice • real and effective • Choice/ consent • real alternative cf 'take it or leave it' • Anonymity/pseudonymity • Common Services Agency v Scottish Information Commissioner • Proximity/locality of dissemination of data • Security • Access controls • And proper enforcement of them Privacy by design • Methods: • Privacy audits • Automatic deactivation of tracking devices at point of sale • Unless consumer opts in • Announcements as to ambient surveillance – with opt out • Built-in range limitations • User-centric data (or identity) management • As opposed to the centralised database, or organisation-centric approach • Challenge: motivating individuals to sacrifice some convenience for greater control/ privacy…. Privacy by design • User-centric data management • Individual retains separate identifiers corresponding to separate partial identities, for use with separate entities • single-sign-on mechanism to a point of network presence • E.g. Austrian Burgerkarte • Individual authenticates to point of presence • Highly secure process necessary • Separate channels from point of network presence to counterparties use different identifiers • (or not, at individual's option) • Permission hub at point of network presence controls what information each counterparty can access • Including permission for different counterparties to share data • Individual has to take greater responsibility for data privacy Privacy by design • User-centric data management initiatives • Microsoft CardSpace • Tied to the computer used • But may shortly tie to mobile phones instead • OpenID • federated IdM • Liberty Alliance • Circles of Trust, e.g. airline and its partner hotel, car rental etc • Shibboleth • Academia Questions?