Roger Clarke's Human Id in Info. SystemsHumanIdentification in Information Systems:ManagementChallenges and Public Policy Issues RogerClarkePrincipal, XamaxConsultancy Pty Ltd, CanberraVisiting Fellow,Departmentof Computer Science, AustralianNational University© Xamax Consultancy Pty Ltd, 1994Published in Information Technology & People 7,4 (December 1994) 6-37This document is at http://www.anu.edu.au/people/Roger.Clarke/DV/HumanID.htmlAbstractMany information systems involve data about people. In order to reliablyassociate data with particular individuals, it is necessary that an effectiveand efficient identification scheme be established and maintained. There isremarkably little in the information technology literature concerning humanidentification. This paper seeks to overcome that deficiency, by undertaking asurvey of human identity and human identification. The techniques discussedinclude names, codes, knowledge-based and token-based id, and biometrics.The key challenge to management is identified as being to devise a scheme whichis practicable and economic, and of sufficiently high integrity to address therisks the organisation confronts in its dealings with people. It is proposedthat much greater use be made of schemes which are designed to afford peopleanonymity, or enable them to use multiple identities or pseudonyms, while atthe same time protecting the organisation's own interests.Multi-purpose and inhabitant registration schemes are described, and therecurrence of proposals to implement and extent them is noted. Public policyissues are identified. Of especial concern is the threat to personal privacythat the general-purpose use of an inhabitant registrant scheme represents. Itis speculated that, where such schemes are pursued energetically, the reactionmay be strong enough to threaten the social fabric. Contents Introduction HumanIdentity and Human Identification Human Identity HumanIdentification OrganisationalNeeds For Formal Identification Basesfor Formal Identification Names Codes Knowledge-BasedIdentification Token-BasedIdentification Biometrics ManagementChallenges Desirable Characteristics of a Human Identifier Effectiveness of the Available Identification Bases Identification Schemes in Organisational Information Systems The Scope for Anonymous and Pseudonymous Transactions Conclusion Multi-PurposeIdentification Schemes The Concept Inhabitant Registration Schemes in Continental Europe Countries with British Legal Backgrounds Current Developments PublicPolicy Issues Inherent Objections to Identification Risks in Multi-Purpose Identification Schemes Conclusions IntroductionHuman identity is a delicate notion which requires consideration at thelevels of philosophy and psychology. Human identification, on the other hand,is a practical matter. In a variety of contexts, each of us needs to identifyother individuals, in order to conduct a conversation or transact business.Organisations also seek to identify the individuals with whom they deal,variously to provide better service to them, and to protect their owninterests.The use of human identification in the personal data systems used byorganisations is remarkably little-discussed in the information systemsliterature. The purpose of this paper is to make good that gap, by undertakinga survey of the topic, and identifying matters of concern to managers andpolicy-makers.The survey is based on 25 years of professional experience in informationsystems, literature searches, and 20 years of research and advocacy in theareas of data surveillance and information privacy, which has necessarilyinvolved considerable work in relation to the question of human identification.The paper focusses on the identification of humans. The following relatedmatters arise, but are not the focal point of discussion: the identification of products and packaging; the identification of vehicles; the identification of animals; forms of identification which show a category to which a person belongs,rather than specifying the individual; the gathering and use of information about identified individuals; and restrictions on individuals' movements, actions and behaviour.The paper commences by outlining the concepts of human identity and humanidentification, and examining the reasons why organisations need to identifypeople. The various forms of identification are then presented. This includesdiscussion of names, codes, knowledge-based and token-based identification, andvarious kinds of physical characteristics which are encompassed by the term'biometrics'. On that basis, the nature of the challenge to management is ableto be drawn out. Finally, a discussion of multi-purpose identification schemesleads into an assessment of public policy issues arising in relation to humanidentification. HumanIdentity and Human Identification*Human IdentityIn the context under discussion, identity is used to mean "the condition ofbeing a specified person" (Oxford, 1976, p.533), or "the condition of beingoneself ... and not another" (Macquarie Dictionary, 1981, p.879, definition 3of 9). It clusters with the terms 'personality', 'individuality' and'individualism', and, less fashionably, 'soul'. It implies the existence foreach person of private space or personal lebensraum, in which one'sattitudes and actions can define one's self.Since the Renaissance, individuality and human identity have become central toour modern conception of mankind. The later stages of the industrial age haveenabled the majority of the population to become concerned far less withsurvival, and far more with 'the higher things in life', such as'self-fulfilment'.The integrity of the individual has become central to western civilisation. Itis the justification for our horror at the Nazi persecution of the Jews, atterrorist treatment of hostages, and at totalitarian regimes' arbitraryimprisonment and torture of dissidents. It is the reason for carefulexpression of human rights in documents like the U.S. Constitution, theUniversal Declaration of Human Rights (UDHR) and the International Covenant onCivil and Political Rights (ICCPR).The dictionary definitions miss a vital aspect. The origin of the term impliesequality or 'one-ness', but identities are no longer rationed to one perphysiological specimen. A person may adopt different identities at varioustimes during a life-span, and some individuals maintain several at once. Norare such multiple roles illegal, or even used primarily for illegal purposes.Typical instances include women working in the professions, artists andnovellists, and people working in positions which involve security exposure(such as prison warders and psychiatric superintendents).* HumanIdentificationThe term 'identification' means the act or process of "establishing theidentity of, [or] recognising", or "the treating of a thing as identical withanother" (Concise Oxford Dictionary, 1976, p.533), or "the act [or process] ofrecognising or establishing as being a particular person", but also "the act[or process] of making, representing to be, or regarding or treating as thesame or identical" (Macquarie Dictionary, 1981, p.879).For the purposes of record systems, these definitions are rather abstract andunhelpful. Information Technology Dictionaries are of little or no assistance;for example, the Penguin Dictionary of Computers (1985, p.221) provides nodefinition for human identity or identification, and the definitions for 'fileidentification' and 'file identifier' both depend on the meaning of the word'identify', which is not defined.In the context of information systems, the purpose of identification is moreconcrete: it is used to link a stream of data with a person. Hence this paperadopts as its operational definition:human identification is the associationof data with a particular human beingIdentification is applicable to data stored in structured, tangible andmanageable form, as in corporate databases and documentary filing schemes; butalso to data stored in less formal ways, as in private notes; and inincorporeal form, as in ballads and human memory.The original needs for identification were social rather than economic. Thesocial dimension of human culture is reflected by the idea of a person'identifying' with a group. Indeed, group-membership ('one of us' or 'one ofthem') was probably a far more important matter than individual identity ('I','you' or 'he') throughout pre-historic times and most of the historic era.Relatives, friends and acquaintances recognise a person on a contextual basis,in which physical appearance, voice characteristics, knowledge of privateinformation, location and espoused name all play a part. These features arenot individually reliable, they only work when the people involved are in closeproximity, and they depend upon human memory, with all its vagaries. They are,however, sufficient for most social purposes.As the complexity of economic transactions developed, the need arose forparties to know with whom they were dealing. It became normal for parties toprovide one another with information about themselves, appropriate to thenature of the transaction. This may have been an explicit identifier (e.g. ofthe property the person owned, such as 'the Dalkeith', or perhaps of the personhimself, e.g. 'Arthur, King of the Britons'). Alternatively, a number ofpieces of information might together identify the person ('meet me at the baron the corner in ten minutes; I'll be wearing a red carnation in my lapel';or 'you'll always find me in this corner of the market on Tuesdays. AskBeowulf at the next stall - he'll vouch for that').The purposes of the interchange of identification include to provide a gestureof goodwill, to develop mutual confidence, and to reduce the scope fordishonesty; to enable either person to initiate the next round ofcommunications; and to enable either person to associate transactions andinformation with the other person.If identification is to be more than casual and unreliable, it must have anadequate basis. There are several types of evidence which could be used. Somedepend on intrinsic or physiological characteristics of the person, others onmore abstract information. In practice a person is accepted as being theperson to whom a record relates because they represent themselves as being thatperson, they know things that in the normal course of events only that personwould be expected to know, they do things (like paying money) that would onlybe in the interests of that person to do, or they are in possession of adocument or token which it is reasonable to expect that, and preferably onlythat, person to have. In practice, it is common to use various techniques incombination.Literatures of many ages and cultures have taken advantage of the scope formistaken identity, with Shakespeare and Gilbert & Sullivan providingmanifold examples. All identification mechanisms are fraught withdifficulties, and hence the vast majority of transactions involve risk. Theyalso cost money. A primary purpose of this paper is to provide a basis wherebyindividual organisations on the one hand, and policy-makers on the other, canuse rational processes to implement schemes which balance the costs, thebenefits and the risks involved. OrganisationalNeeds For Formal IdentificationIdentity and identification are vague and ambiguous. They continue to betreated with considerable looseness by most legal systems, particularly thosewhose origins can be traced to Britain. For social purposes, informal,contextual identification is sufficient. There are also many circumstances inwhich informal identification, or even none at all, suffices for economictransactions. This is generally the case for transactions which are completedin a single step, as is the case with both barter and sales for cash, and inother circumstances, where the costs of errors are negligible, or the partybearing the risk of an identification error does so willingly.In some situations, however, organisations have a need for reliableidentification of the individuals they deal with. The reason may be to protectthe individual; for example, a record of any allergies the individual may haveto drugs and particularly anaesthetics, and of drugs which the person iscurrently taking. More commonly, the purpose is to protect the organisation;for example, to ensure that the person can be contacted and located in thefuture in the event that he or she does not fulfil an obligation such aspayment of a debt; or to guard against a person misrepresenting their status,e.g. their educational qualifications, age, income or medical condition.The twentieth century has seen a vast growth in organisational size, and indistance between organisations and people. Organisations have increasinglyassumed that there is a need for large quantities of identified data aboutpeople. This 'information-richness' has assumed the dimensions of animperative, to the extent that individuals who demur when asked for evidence ofidentity are frequently presumed to 'have something to hide'.Organisations often assume that a one-to-one relationship exists betweenpersons and identities, no matter how many different roles he or she may play,or choose to adopt. There are exceptions, however, in a variety of contexts;for example, many banks and insurance companies have only recently adopted'client-oriented' approaches (whereby all accounts or policies which eachindividual has with the company are recorded against a single identifier,rather than being scattered around the company's divisions and branches); andemployees who are also customers of their employer frequently have distinctemployee and customer codes.Implicit within many of the issues discussed in this paper are the questions asto when anonymity is unacceptable and identification necessary; and in whatcircumstances the restriction of a person to a single identity is appropriate. Basesfor Formal IdentificationA variety of means is available for identifying a person, in order toassociate data with them. These include: appearance - or how the person looks; social behaviour - or how the person interacts with others; names - or what the person is called by other people; codes - or what the person is called by an organisation; knowledge - or what the person knows; tokens - or what the person has; bio-dynamics - or what the person does; natural physiography - or what the person is; and imposed physical characteristics - or what the person is now.This section of the paper commences by examining identification using namesand codes. Identification based on knowledge and tokens is then discussed.Finally, it considers the cluster of 'biometric' techniques that depend onappearance, social behaviour, bio-dynamics, physiography and imposed physicalcharacteristics.* NamesThe nature of names is tightly bound up with the cultural and legalenvironment. The discussion in this section is oriented towards thosecountries whose traditions originate in Great Britain. The situation may bequite different in other countries, such as those in continental Europe, inother areas influenced by the Code Napoléon, and in Arabic and EastAsian nations. The primary references used were Fox-Davies &Carlyon-Britton (1906), Josling (1980), Halsbury (1981) and Robinson (1986).In english-language cultures, names generally comprise one or more Christian,first, given or fore-names, and a one-word (sometimes two-word or hyphenated)surname. In Britain, a 'Christian name' was and is that provided at the timeof baptism. If the child was not baptised, or no name was given at baptism,then a name is gained by 'repute', i.e. by usage. Whether or not a person hasa Christian name, and whether or not he or she uses it, alternative andadditional names may be used, without restraint by the law. In short, there isnothing illegal about the use of an alias or 'aka' (also-known-as), althoughacts which involve the use of an alias may be.Surnames are of more recent origin than given names. They were originallywritten above the Christian name, and the term 'surname' derives from theFrench 'surnom' implying 'above'. There is no evidence of surnames being usedin Britain before the Norman Conquest in 1066. They were initiallydescriptions, and related to the land the person owned, as in Simon 'deMontfort'. By about 1200, it had become normal for the small minority ofland-owners to use surnames, and for them to be hereditary family names, i.e.passed from parent to child, generally (although never quite exclusively)through the male line.In 1465, Edward IV created what appears to have been the first statute lawrelating to names, by requiring that every Irishman take to himself an Englishsurname. One of the key steps in entrenching the use of surnames was therequirement enacted in 1538, in the reign of Henry VIII, that (Anglican) parishpriests keep registers of births, deaths and marriages. Birth entries were toinclude the surnames of the parents.Registers remained the responsibility of the clergy until 1837, when the Birthsand Deaths Registration Act made it a civil matter. In many jurisdictions, thesurname of the child was implicitly assumed to be that of the father, if bornin wedlock (children born out of wedlock technically did not have a surname,although they commonly gained their mother's or adoptive parents' surname byrepute). In New South Wales, for example, it was only in 1966 that the surnameof the child began to be recorded on the Register.Over a period of centuries, the need for and use of surnames worked its waydown through the classes. For people who did not own land, the primary sourcesof surnames were: locality or territory (e.g. Bywater, Styles, Ashurst, Attwood, Heath,Kent); offices, and later occupations and trades (e.g. Butler, Clark, Smith,Cook, Fletcher, Thatcher, Mason, Slater, Miller, Foster); parentage, predominantly in the male line (e.g. -son, Mac-, O'-); and nicknames (e.g. Black, Fox, Wise, Hardman, Russell).In most english-speaking countries, there has never been any legalcompulsion for a married woman to adopt her husband's surname. However it hasbeen traditional to do so, and this was reinforced by the (until quiterecently) almost universal application to children born in wedlock of theirfathers' surname. A small proportion of women continue using their name aftermarriage, although some do so only in the workplace, and choose to be knownsocially by their husband's surname. There is nothing to prevent a woman fromadopting the name of a de facto spouse, and for convenience some do,at least for some purposes.The contemporary concern with gender equality is not the only demonstration ofthe flexibility of names, and of the many-to-one relationship between names andindividuals. People in security-sensitive positions (such as staff in prisonsand psychiatric hospitals, and operatives and managers for espionage andcounter-espionage agencies) use multiple identities as a means of protectingthemselves and their families. Actors, authors and playwrights use multipleidentities in order to more readily take advantage of artistic licence.It is important to appreciate that the name is distinct from the person; forexample, the validity or criminality of any act is unaffected by the use of aname: " ... (provided always that no question of deception or fraud entersinto the matter) an act done in any name holds for good or bad equally with anact done in a genuine name" (Fox-Davies & Carlyon-Britton, 1906, pp. 41,51, 8).Under the common law, anyone may take on whatever surname, and as manysurnames, as he or she pleases. In various jurisdictions, exceptions to thatrule have been created by statute. For example, the Australian Aliens Act ats.11 prohibits residents of Australia who are not citizens from changing theirnames without first obtaining written permission from the Minister ofImmigration; and the Change of Name Regulation Act 1923 of the State ofWestern Australia requires that changes of name be evidenced by executing andregistering a Deed Poll. It does not appear that such requirements are widelyknown, honoured, or enforced.It is curious that, despite all the complexities of law regarding theregistered name-at-birth, in few jurisdictions is there any compulsion to everuse it, and it has very limited official force. In general, a person is freeto establish any name 'by reputation', that is to say, by using itconsistently, if only within some particular context. Legal mechanisms areavailable whereby a person may evidence that he has changed his name, or thathe consistently uses a name, in particular the deed poll.The effect is that, with minor exceptions, there may be such a thing as 'thelegal name of a person', but there is no compulsion to use it, and noprohibition on using any other name or names instead, or as well. Examples ofthis are seen when the press reports that a person has been arrested andcharged with a variety of offences in a variety of States under a variety ofnames. A person may, in general, use any name he or she wishes to, provided heor she does not thereby attempt to defraud.As a basis for identification, names lack constancy andreliability. Moreover, many other difficulties arise. The legal andadministrative systems of many countries in which anglo-saxon-celtic traditionsdominate continue to have difficulty with non-European names, which may, forexample: have different sequences (e.g. <family name> may appear first); have additional components in the name (e.g. a name of religious ratherthan identificatory significance); be incomplete (e.g. there may be no <family name>); be assigned in unfamiliar ways (e.g. the surname may come from thematriarchal rather than patriarchal line, or by leap-frogging generations); change in ways or at times foreign to local traditions (e.g. at puberty);and be variable depending on the context (e.g. by omitting the religiouscomponent).In some cultures, a relatively small number of first-names are prevalent(e.g. John and James in Anglo-Saxon communities), and in others a small numberof surnames may dominate (e.g. Kim in Korea, Ng and Nguyen in Vietnam, andSingh universally among Sikhs). As a result, many duplications of namearise.A further challenge arises from mis-spellings and variations. In some casesthese are initiated or enforced by organisations with whom the person deals,which may have difficulties with transliteration from a non-Roman script, orfrom a Roman script which uses diacritics such as ç, ü andø, or in handling long series of consonants (such as "...wrysczwicz").The unilateral actions of immigration officers at Ellis Island off Manhattanare reputed to have contributed greatly to the enormous richness of surnames inthe U.S.A. Various techniques are used by organisations to cope with thesedifficulties, such as 'phonex' algorithms to deal with homophone(like-sounding) names. Specialised software packages combine these techniquesto assist large organisations in matching new transactions with existingdata.In order to cope with these uncertainties, it is common to use further data asadditional elements of the identification, or as confirmatory data. Mostcommon among these are date-of-birth (which suffers from being, for somepeople, particularly sensitive), and address. Address is also sensitive forsome people, and is volatile. In developed countries, it is not uncommon for10-15% of the population to be at a different address from where they were oneyear earlier.In short, names are a challenging and risky foundation on which to build anorganisation's id system.* CodesTo cope with the vagaries of name-based identification, it is common fororganisations to create coding schemes. These are commonly based on a set ofdigits, but may incorporate alphabetic characters.A major reason why identification codes are of value to organisations is thattheir issue can be controlled, and hence the uniqueness of the code assured.It is common to not only assign a code to each person with whom theorganisation deals, but also to request them to remember it (see the followingsection on knowledge-based identification), and to issue them with a tokenbearing the code, and request them to have the token with them when theyconduct transactions with the organisation (see the subsequent section ontoken-based identification).It is possible to build some degree of internal and external validity checkinginto an id code. For example, it can carry a check-digit, such that, at thepoint of data capture, a simple computation will (generally) detect a invalidcode; or it may include, in clear or in hidden form, some characteristic ofthe person, such as their year of birth, gender, location of residence, orpension status, enabling alert counter-staff to detect possible errors, orfraudulent or criminal behaviour.Codes may be devised in such a manner as to be readily human-readable,machine-readable, or both. Bar-coding is a currently popular means ofrecording codes on products and packages in such a way that devices can readthe code, and card-borne magnetic stripes and memory-chips can also containidentification codes.* Knowledge-BasedIdentificationPeople may be recognised by demonstrating that they are in possession ofinformation which only that person would be expected to know. Examples of dataused for this purpose are one's family and given names, prior names, father'sname, mother's name, mother's and grandmothers' maiden names, date and place ofbirth, address, marital status, religion, and occupation. There have even beenproposals to apply astrology, in the form of the person's spouse's zodiac sign.Identification on the basis of such information suffers from the problems thatsome people just do not know (e.g. orphans and refugees), some forget, and anysuch information is or can be known by other people. It results in manyerrors, of commission and omission, and of false-inclusion andfalse-exclusion.Passwords are a very common application of knowledge-based identification.Another is the Personal Identification Number (PIN) used in conjunction withAutomatic Teller Machines and merchants' EFT/POS terminals. Imposed passwordsand PINs are not easily memorised and are easily forgotten. As a result, asignificant proportion of the population records them on or near the card whoseunauthorised use it is supposed to prevent, reducing the effectiveness of theidentification scheme. User-nominated passwords and PINs may be more readilyguessed by an imposter, but less likely to be stored adjacent to the card orterminal.Knowledge-based approaches to personal identification seldom provideorganisations with an adequate basis for the operation of their informationsystems. They can have some value as a means of secondary, correlativeconfirmation of identity, particularly in relatively low-security contexts.* Token-BasedIdentificationA 'token' is some 'thing' which a person has in his or her possession, inparticular documentary evidence. Commonly used documents are birth andmarriage certificate, passport, driver's licence (or in most states of theU.S., non-driver's licence), employer-issued building security card, creditcard, club membership card, statutory declaration, affidavit, or letter ofintroduction.The passport is a particular token which is popularly regarded as beingespecially reliable, and this section commences by considering it as an exampleof documentary evidence. Important sources used included Ehrlich (1966),Thornberry (1974) and Stewart (1982), but see also Turack (1972).A passport was originally a document, provided by a sovereign to an individual,which requested officials at borders and in seaports to permit the bearer toenter. The notion was known to English law at least as early as 1300. At theend of the nineteenth century, passports were issued on request, by thegovernments of various countries. Their purpose was to provide evidence ofnationality, and, by implication, of identity; but there were fewcircumstances in which it was actually necessary to have one, even whencrossing national borders. After World War I, in a climate of mass movementsof displaced persons, it became increasingly common for governments to demanddocuments which evidenced a person's nationality. An international conferencein 1920 established the present passport system.During the inter-war period, the passport became a near-universal requirementfor international travel. It has remained so, even though many aspects of thesystem are inadequate or inappropriate for contemporary use. Measures are intrain to overcome some of its deficiencies. Meanwhile, within some communitiesof nations, and especially within the European Union, it is being progressivelysupplanted by alternative forms of identification.The issue of passports, and indeed of all forms of documentary evidence ofidentity, depend on some 'seed' or 'breeder' document such as birth,naturalisation, residence, or immigration papers. It is therefore important toappreciate the nature of the most fundamental of these, the birthcertificate.In Britain, from the Middle Ages, the church recorded events of significance inecclesiastic law, and in particular birth, baptism, marriage and death. In1538, both the recording of the event and the maintenance of the register weremade a civil responsibility of the parish (the lowest level of ecclesiasticorganisation). The coverage of events was highly variable, both betweenparishes, and, over time, within each parish.These events came to take on various kinds of secular significance. Forexample, they are now used in establishing entitlements (e.g. patriality,retirement age, age for insurance purposes); and in determining freedom tomarry (based on age and previous marriage). In 1837, the function ofmaintaining the registers was assumed by the State. The data collectionfunctions are generally performed by doctors, hospitals and marriagecelebrants, but also to some extent by individuals.There are very limited protections against a person, other than the person towhom the facts relate, acquiring a copy of a birth certificate. The law andpractice relating to the issue of certificates is fairly consistent across mostcommon law countries, for example:An application for a copy of or an extract from a Birth Certificate shallbe: in writing signed by the applicant; contain sufficient particulars toenable the search to be made; and specify the reason for which the search isrequired. Where the Registrar is of the opinion that a ... copy or extract isrequired for an improper reason ... , he may refuse to ... issue the copy orextractafter Sections 51(2) and (4), A.C.T. Registration of Births, Deaths andMarriages Ordinance 1963. All Australian State and Territory laws are verysimilar to this.Thus, although Registrars may have the authority to refuse to issue a BirthCertificate, there is no onus on them to satisfy themselves about the person'sidentity or reasons for wanting it. Moreover, if Registrars were given anygreater responsibility than they already have, many individuals would suffergreat inconvenience in getting copies of certificates.The position has been summarised as follows: " ... a tendency has developed inthe community to regard a birth certificate as evidence of identity. Itclearly is not evidence of identity. Without evidence to connect a person withthe person named in the birth certificate, the certificate establishes nothingabout that person. It is easy to obtain from any of the registries ... a birthcertificate relating to another person without that person's knowledge. Itmatters not whether the other person is living or dead" (Stewart, 1982,p.56).A variety of more specific problems arise. For example, in respect of theapproximately 20% of Australia's population born outside the country, it isnecessary to use a seed document other than an Australian Birth Certificate orRegister entry. Some 7.5% of the population is British-born, and British BirthCertificates suffice. The remainder come from many different countries withmany different traditions of birth registration. For many of them, birthcertificates are unavailable, or their form is unacceptable to Australianauthorities. There are some 2 million such people, including the majority ofthe estimated 60-100,000 illegal immigrants. For those whose Birth Certificatecannot be used as a seed document, it is therefore necessary to interpolate theuse of various of the Department of Immigration and Ethnic Affairs' documentsor data systems. These include the Citizenship Register (for those alreadynaturalised), and arrival cards and visa register entries.Another consideration in Australia is that multiple Registers of Births, Deathsand Marriages operate, and are functionally and geographically independent.There has generally been no contact among the 8 State and Territory Registrarsin relation to particular individuals, and no attempt to correlate deathcertificates back to the corresponding birth certificates. In any case, laterevents could be directly related back to births only where the event occurredin the same state as the person's birth, and the name was recorded in the samemanner as at birth. The situation is similar in many other countries.The difficulties of associating death certificates with the corresponding birthentries are exacerbated by the transient nature of names. As was discussedearlier, there is no obligation for a person to ever use the name in which hisor her birth was registered. It is generally not obligatory for change of nameto be registered with anyone, let alone Registrars of Births. It is notuncommon for a person's death to be recorded under a name different from thaton their birth certificate. There are therefore severe impediments tocross-relating deaths back to birth entries.Another class of document which is much-used in some countries as evidence ofidentity is the driving licence. It is commonly sought in many countries as asupporting document, and in some cases even the primary document, despite theabsence of any obligation on the part of the licence-issuing authority toundertake any substantial integrity assurance measures. In recent years,photographs have joined signatures as a means of enabling people to whom thedocument is produced to satisfy themselves that the person presenting the tokenis probably the same person as that to whom it was issued.In summary, seed documents attest only to the facts concerning some event.Nothing intrinsic to them associates them with any particular person. Anyreliability they may offer in identifying a person must therefore come fromsome other source. In most cases, it is not even practicable to prevent thesame seed document from being used to create several different identities.This could only be achieved if each data system contained some controlmechanism which ensured that each document was used only once as a basis forthe creation of an entry. I use the term 'the entry-point paradox' to refer tothe problem of low integrity being propagated from seed documents onwards toderivative documents.Stories about 'false identities', how they are used, and how they areconstructed, are stock-in-trade for journalists, and re-surface continually invarious guises. A particularly lucid explanation of how identities are builtby exploiting the entry-point paradox was provided in a 'Sydney Morning Herald'(9 April 1993) report on a District Court judgement against a pensioner who haddefrauded the Department of Social Security of $400,000. The defendant hadclaimed he was born overseas, obviating the need for a birth certificate. Headopted multiple names. For each name, he entered himself on the ElectoralRoll, obtained a Tax File Number and submitted a tax return (for amounts whichdid not incur the payment of tax), nominated on various application forms thenames of various companies as previous employers, visited doctors and acquiredvarious certificates from them, and using these obtained membership of aroadside assistance association, insurance policies, union membership, Medicareand government concession cards. An Appendix to FACFI (1976) and Hibbert(1992) also provide insights into the twilight world of 'false identities'.Generalising, a relatively high-integrity identity is constructed byaccumulating a collection of low-integrity evidence. Even people who areresponsible for nominally high-integrity schemes accept accumulations of dataas being sufficient evidence, especially for people whose (apparent) backgroundsuggests that they will have difficulty producing 'harder' evidence; theseorganisations know that ultimately they would have to anyway.Token-based schemes are of value in tightly controlled environments, as avariant on the 'turnaround document' approach: the person first presents at acounter, then must wait in a large, anonymous area prior to visiting thecounter a second time. If an identifier is issued on the first occasion, andinterchange or theft of the identifier is unlikely, then its presentation onthe second occasion will be fairly reliable 'proof of identity' within thatlimited context. Generally, however, schemes based on tokens alone are oflimited integrity. To overcome the deficiencies, it is necessary to haveadequate means of associating the token with the person to whom it relates, andof detecting attempts by others to use it.* BiometricsThe term 'biometrics' is used to refer to any and all of a variety ofidentification techniques which are based on some physical anddifficult-to-alienate characteristic. They are sometimes referred to as'positive identification', because they are claimed to provide greaterconfidence that the identification is accurate.Among many other instances in the animal world, mice and penguins are capableof using their olfactory senses, aided to some extent by other cues, to veryreliably recognise their parents and their progeny, even among largepopulations packed into a small space. Humans with such capabilities appear tobe limited to those whose other senses are severely impaired, such as the blindand deaf Helen Keller (Young 1988). Hence biometric techniques involve'metrics' or measurements of some kind, rather than depending merely oninformal or subliminal methods. Exhibit 1 presents a classification scheme andexamples of biometric techniques.The natural physiological characteristics traditionally employed by theinternational passport system are fairly gross, and are seldom sufficient toreliably identify a person. Teeth and skeletal injuries and repairs are usedin forensic applications, although they are of little use for routineidentification. Anyone who has played the various party-games involvingblindfolded recognition of their partner's knees (or other body-parts) willattest to the difficulty of recognising even close friends by means other thanfacial appearance, voice, and above all the correlation of appearance andbehavioural characteristics.Exhibit1: A Taxonomy of Biometric Techniques appearance (e.g. the familiar passport descriptions ofheight, weight, colour of skin, hair and eyes, visible physical markings;gender; race; facial hair, wearing of glasses; supported by photographs); social behaviour (e.g. habituated body-signals; generalvoice characteristics; style of speech; visible handicaps; supported byvideo-film); bio-dynamics (e.g. the manner in which one's signature iswritten; statistically-analysed voice characteristics; keystroke dynamics,particularly in relation to login-id and password); natural physiography (e.g. skull measurements; teeth andskeletal injuries; thumbprint, fingerprint sets and handprints; retinalscans; earlobe capillary patterns; hand geometry; DNA-patterns); and imposed physical characteristics (e.g. dog-tags, collars,bracelets and anklets; brands and bar-codes; embedded micro-chips andtransponders). Some of these features change naturally over time, such as hair colour, heightand weight. Natural changes can be enhanced or retarded by such means astinting, platform shoes and dieting. Some are fairly readily changed, whetherfor personal whim, or as an explicit attempt to change appearance; forexample, contact lenses change eye-colour, the shape of glass-frames has theeffect of changing the shape of the face, and changed facial hair styles(including beard, moustache, sideburns, eyebrows and eyelashes) make physicalidentification quite difficult. Gross devices like wigs, body-padding andcosmetic surgery can be of assistance in the endeavour to deceive, butfrequently the pattern adopted by the scores of facial muscles is moreeffective.Most such attempts to change appearance are an endeavour to communicate,perhaps even to achieve, change in some aspects of identity. Althoughintentionally 'deceptive', only a very small proportion would be regarded as'acts of deceipt', or are undertaken in order to effect criminal fraud.Photographs, although not originally intended for the purpose, can be used asevidence of identity. Photographs provide a gross representation of part of aperson's physiognomy or facial features, at a particular point in time, andunder particular lighting conditions. Depending on their size, the fineness ofgrain, and the precision of the reproduction media, and on whether it is inmonochrome or colour, a photograph may be a more or less faithfulrepresentation, in two dimensions, of a historical three dimensional reality.It may therefore be a more or less fair guide to the past appearance of aperson from a particular perspective, under particular conditions. For thereasons discussed in the previous paragraphs, a photograph is a highlyunreliable means of recognising a person at a later time, particularly if theperson is seeking to avoid being recognised. The internal passport scheme inthe U.S.S.R. attempted to surmount this obstacle by containing threephotographs taken at three different ages.All such relatively informal appearance- and behaviour-based schemes can assistin detecting an imposter, but are not reliable for that purpose. They are oflimited use in confirming that the person presenting is the right one.In addition to gross features, others of a far finer nature enable more preciseidentification. Thumbprints, individual fingerprints and sets of fingerprintshave been used since the end of the nineteenth century in matters of a criminalnature (Wilton 1938, Moenssens 1969, Vic CCPPI 1987). In relatively freecountries, the situation generally is that there is no authority for thecompulsory provision of fingerprints, unless they are being charged with acriminal offence; and there is no authority for the prints to be retainedunless the charge is pursued and the offence proven. A few countries, however,including the U.S.A., apply fingerprinting in other areas such as immigrationmatters.Linear measurements of parts of the body (anthropometrics) are also feasible,but have proven difficult and have seldom been used until recently. Earlyexamples were the use of cranial measurements in attempts to correlatehead-shape with race and with psychological measures. These were interests ofvarious German scientists during the last two centuries, under the influence ofliberal interpretations of Hegel and Nietzsche. More recently, handmeasurements and three-dimensional optical scans of the index finger have beenused as the basis for commercial products.For many years, forensic scientists have used genetic testing of various kindsas aids to identification, but because, for example, blood-groups are shared bymany people, none of them represented a precise identifier. A small portion ofthe human genome is believed to be all but unique in all cases except identicaltwins. Based on this assumption, a method of identification based on patternsof DNA has been developed. It is variously referred to as DNA 'prints','typing' or 'profiling'. It was first used in 1983 in a United Kingdom case(Wambaugh 1989), has since been applied in many jursidictions, and has beengenerally accepted by the scientific community, the courts and the public as avery-high-integrity identification method. In at least the United States, thishas led very quickly to proposals that national databases of DNA prints beestablished as the basis for a national personal data system, and applied toall manner of purposes (OTA 1990). Thereare also imposed physical identifiers. Branding and tattooing have beenemployed at many times in history, usually in the context of slavery, racialsubjugation or harsh criminal systems. Some schemes, on the other hand, havegeneral community acceptance, such as the wearing of dog-tags by soldiers onactive duty, and of id-cards by employees and visitors within secure premises.Even with these, however, concerns can arise regarding the uses to which theyare put, such as the tracking of employees' movements throughout a workingday.Tags of various kinds are commonly used with manufactured goods, with packagingand containers, and with animals. There has been an increasing tendency inrecent years to apply similar technologies to the design of collars, ankletsand bracelets for institutionalised persons, including patients, particularlynew-born babies and those who are comatose or suffering senile dementia), andprisoners in gaol, on day-release schemes, and on bail. There were proposalsto use them for prisoners-of-war during the Gulf War.Tags are passive, and need to be inspected. Some devices are designed torespond when queried using a radio signal, and others are active in the sensethat under pre-programmed conditions they can transmit a message.It has been technically feasible for some time, and is increasinglyeconomically practicable, to implant micro-chips into animals for the purposeof identification and data-gathering. Examples of applications are to petswhich may be stolen or lost, breeding stock, valuable stock like cattle, andendangered species like the wandering albatross. As the technology develops,there will doubtless be calls for it to be applied to humans as well. In orderto discourage uncooperative subjects from removing or disabling them, it may benecessary for them to be installed in some delicate location, such as besidethe heart or inside the gums. ManagementChallengesMany organisations no longer rely on their employees to recognise individualclients. They seek a means whereby individual humans can be recognisedreliably, at a distance, over a period of time, without reliance on humanmemory, and (in some cases) despite the preference by the person not to berecognised. As Rule put it, " ... the problem of linking the client with hisnumber, and hence with his data, remains a very difficult one" (1973, p.294).Information systems have tended to use codes rather than names as the primaryidentification mechanism. As information technology develops, there are signsthat artificial codes may be beginning to give way to natural names again.This is because processing capabilities with textual data are improving; sotoo are the handling of non-unique identifiers, of partial data and ofpartially incorrect data like mis-spellings; and key-based data management isbeing supplemented by, and may progressively be supplanted by,text-string-based and contextual access techniques.In establishing their id schemes, organisations apply variants and combinationsof the techniques described in the preceding section, in manners appropriate tothe circumstances. It is vital that, in doing so, they appreciate thedifficulties involved. Of especial importance is the need to achieve anappropriate balance between the harm arising from false-inclusions (i.e. theacceptance of imposters and mistaken matching), and from false-exclusions (i.e.rejecting or failing to recognise correct matches). This section highlightssome of the considerations.*Desirable Characteristics of a Human IdentifierIt is remarkable in how few places in the literature criteria for assessingthe quality of huamn identification have been seriously discussed (see,however, IBM 1969, NZCS 1972 and HEW 1973). In Exhibit 2, a set of criteria isproposed, whereby an organisation can assess alternative means of identifyingpeople with whom it deals. Inevitably, these objectives exhibit internalconflict.Exhibit2: Desirable Characteristics of a Human Identifier universality of coverage every relevant person should have an identifier uniqueness each relevant person should have only one identifier no two people should have the same identifier permanence the identifier should not change, nor be changeable indispensability the identifier should be one or more natural characteristics, which eachperson has and retains. If artificial, the identifier should be enforcedlyavailable at all times collectibility the identifier should be collectible by anyone on any occasion storability the identifier should be storable in manual and in automated systems exclusivity no other form of identification should be necessary or used precision every identifier should be sufficiently different from every otheridentifier that mistakes are unlikely simplicity recording and transmission should be easy and not error-prone cost measuring and storing the identifier should not be unduly costly convenience measuring and storing the identifier should not be unduly inconvenient ortime-consuming acceptability its use should conform to contemporary social standards The term 'universal' has two distinct usages. In this paper,it means 'completeness of coverage of the relevant population'. In somedocuments, it means 'used by all agencies for all purposes', but for thatpurpose this paper uses the term 'general-purpose identifier'. There are alsoa number of writers, particularly in the press, who use the term in bothsenses, sometimes in the same sentence. The confusion is deepened because insome acronyms 'U' stands for 'universal', while in others it stands for'unique'.*Effectiveness of the Available Identification BasesWhen assessed against the desirable characteristics, most naturalphysiological identifiers are universal and indispensable, but many are notunique, including facial appearance, height and weight, colour of eyes andskin. Many are not permanent, including marks and scars and handicaps, as wellas height and weight. Gender is not unique, (in recent times at least) it isnot necessarily permanent, and its collection may also conflict with socialstandards. Teeth and skeletel injuries and repairs are often distinctive, butare not unique, may be only semi-permanent, and are available only withintrusive examination. Although appropriate and accepted in post-mortems, theyare otherwise not very practicable.Measuring, collecting and processing natural characteristics involve seriousproblems. For example, tissue testing requires intrusive surgery, if only of aminor kind, and are only possible when the person presents themselves. Sometechniques are feasible remotely, using high-quality video-transmission.Despite the great strides it is currently making, contemporary video technologycannot record and transmit copies of fingerprints sufficiently quickly andcheaply to enable their routine use. And despite the sophistication ofsatellite-image processing in military intelligence work and now landinformation systems, application of image-processing, codification and storagein personal data systems has made slow progress.Fingerprints are associated with criminality, and in many countries would notappear to be currently acceptable for general usage. The feasibility ofapplying other forms of biometrics are also subject to technical, economic andsocial limitations. DNA-testing is expensive and slow, and involves theprovision of tissue or specimens, which many people find demeaning, and whichcreate logistics and security problems. Branding, tattooing and micro-chipimplantation fulfil many of the prime requirements, but would not seem to besocially acceptable, at least at this stage.Non-physiological information suffers worse problems. Names are not unique(although duplicates are sufficiently uncommon that cases of mistaken identityoccasionally - and sometimes damagingly - arise because most people most of thetime presume uniqueness). Names are also not permanent, and many errors aremade in their recording and transmission. Date and place of birth are notunique, but are universal and permanent. For some people they are sensitivedata. They are widely used as the prime means of distinguishing betweenduplicate names.Race is amongst the most sensitive of all data, and anyway is not clearlydefined. Address, marital status, religion and occupation are non-unique,non-permanent, ambiguously-defined, and in some cases, sensitive. Codes may becontrived to satisfy universality, uniqueness and storability, but they arevery difficult to make indispensable, reliably collectible, and exclusive.There is no basis for identification that fulfils all desirable characteristics.*Identification Schemes in Organisational Information SystemsOrganisations vary enormously in the care with which they apply humanidentification techniques to their needs. At one extreme, some organisationshave no interest whatsoever, as in retail cash sales and public advisory bodieslike tourist offices. At the other, a small number of organisations, mainly incriminal investigation and national security, depend upon the collection offine-grained physical characteristics, traditionally fingerprints, butincreasingly DNA-prints.Many organisations depend upon documentary evidence when they establish arelationship with an individual. Thereafter they usually depend on theperson's knowledge (e.g. of his name, his birth-date or his client-code), or onhis ability to present a token issued by the organisation itself (e.g. a motorclub card, or an automatic teller machine card), or on a combination of both.Documentary evidence is treated by many administrators as though it were the,or even the only, authoritative basis for identification. In fact, asdiscussed earlier, all documents are dependent on a seed document, and theintegrity of an identification scheme also depends on a provable relationshipbetween the person and the document.A common approach taken by many organisations is to seek a variety ofinformation about a person, from a variety of sources, and, in the absence ofinconsistencies or 'bad' references, accept the person as being identified bythat loose set of data. For the majority of the population,and the majority of purposes, document-based identification schemes, supportedby limited cross-checking, provides sufficiently reliable evidence of identity.Most people have no inclination to establish multiple identities, and for manyof those who are interested in doing so, the effort, difficulty and costoutweigh the potential benefits; but for those with an axe to grind, a seriousprank to play, or criminal intent, the effort is frequently perceived to beworthwhile.The lack of integrity of most identification schemes is mirrored by the lack ofregard paid to identification cards. No matter what care and expense isinvested in the design and issue of cards, their potential for ensuringaccurate identification of individuals is dependent on the assiduousness ofgatemen and doormen. Anecdotes abound of the swapping of cards between beardedblack-haired giants and petite blonde women; and of cards carrying thebearer's dog's photograph going undetected for long periods. Even inostensibly medium-security environments, cards seldom contribute much to theaccuracy of identification.* TheScope for Anonymous and Pseudonymous TransactionsThe contemporary organisational habit of requiring an identity appears to beof late-nineteenth and early-twentieth century origin, and to be derived froman increase in the size of the institutions, a decrease in the degree of trustbetween organisations and individuals, and an increase in the incidence oflong-term economic relationships.In some circumstances, there are clear functional needs for the identificationof individuals; for example when entering into loans and making repayments;and investing funds, and seeking interest payments and return of capital.There is also a fiduciary need for organisations providing income-supportpayments to individuals to know to whom it is being paid.Corporations which actively market goods and services to consumers avidlygather information about them. During the last two decades, they have applieddevelopments in information technology to sustain customer loyalty, encouragingthem to buy more from them more often, by providing volume-based incentives.These 'frequent-buyer' and 'loyalty' schemes presume that the clients identifythemselves to the company.These mainstream activities have led to a presumption on the part of manyorganisations that they need to have identity in order to conduct almost anykind of transaction. There remain many circumstances, however, in which theidentity of the person with whom an organisation performs transactions is of noconsequence. In fact, the majority of the transactions undertaken betweenindividuals, and between individuals and corporations, are still conductedanonymously. This includes most cash payment and barter transactions, and manylegitimate transactions which have some sensitivity about them, ranging fromthe booking and the payment for services of prostitutes, and treatment atvenereal disease clinics, to the purchase of gifts for one's spouse.There are many additional circumstances in which identification is commonlyassumed to be necessary, but may not be; for example, whether taxationauthorities need the parties involved in every significant economic transactionto be identified depends entirely on the taxation mechanism used: a tax leviedat a rate which depends on a cumulation of transactions (i.e. a progressive orregressive rate) may require identification of the parties; but one levied ata flat rate on each transaction does not.With the dramatic increase in electronically facilitated transactions recentlyand in the coming decade, an increasing amount of effort is being invested intransaction techniques which protect the identity of one or all participants(e.g. Chaum 1985). One approach is 'anonymity', whereby none of the partiesare aware of the identity of the others (e.g. in many stock exchanges, buyerand seller are never aware of who they sell to and buy from; and nor do theyneed to be). Another is 'pseudonymity', whereby the parties are aware of anidentification code for the other party, and may be able to initiate contactwith them using that code, but cannot associate that identity with anyparticular person. In effect, that person has multiple identities thatcorrespond with particular roles he, she or it plays, and it is not possible tocorrelate the identities without the person's active cooperation.Using such schemes, it is possible for a corporation which runs a loyaltyscheme to achieve its ends without actually having details of its clients'identities. It is also feasible to implement schemes in which the parties areunaware of one another's identities, yet are secure in the knowledge that thegoods or services, and the funds, have been transferred as agreed. Forexample, each party to the transaction may have to identify itself to theothers while the transaction is conducted, but all parties may be precludedfrom recording the other's identity. Alternatively, schemes may be used thatauthenticate each party's eligibility to conduct the transaction (e.g. is amember of an appropriate class, or has a particular characteristic) withoutdisclosing the party's actual identity.*ConclusionOrganisations are confronted by enormous difficulties in devisinghigh-integrity identification schemes. In practice, the difficulties do notprevent organisations from dealing successfully with their clientele. Thedictum that most of the population is fairly honest most of the time, enableseven organisations highly prone to cheating to operate successfully. Forexample, credit companies budget in advance for bad debts, and still make aprofit. The challenge confronting each organisation, in respect of eachinformation system it operates which involves people, is to devise anidentification scheme appropriate to the particular set of circumstances. Thedesign criteria are to enable information to be associated with, and/or actionto be taken in respect of, the right person, with a degree of accuracycommensurate with the gravity of the information or the action.In order to rationally decide on an identification scheme, an organisationshould identify the alternatives, and apply an appropriate form of financialanalysis or cost/benefit analysis (e.g. Thompson 1980, Gramlich 1981, Sugden& Williams 1985). Corporations have a financial incentive to do so, wherethe costs and/or benefits associated with the various alternatives areperceived to differ significantly. For public sector organisations, however,the incentives are often much less direct, and much less effective (Clarke1994c).Given that identification schemes are costly, and generally of only moderateintegrity, organisations in both the public and private sectors need tofamiliarise themselves with anonymous and pseudonymous transaction techniques,and assess their applicability to their operations. Multi-PurposeIdentification Schemes*The ConceptThe analysis undertaken in the first half of this paper has been keptrelatively simple by sustaining an implicit assumption that each organisationoperates its own, separate identification scheme. In fact, there may besignificant advantages in multiple organisations using the same basis foridentifying the individuals with whom they deal.One apparent reason is cost. A single organisation can take responsibility forestablishing the scheme (e.g. validating the credentials offered, establishinga code, issuing a token, maintaining the registers of codes and tokens, andperforming integrity checks such as recording attempts to use credentials whichhave already been accounted for, and reflecting in the register such events asdeaths, emigration and temporary 'non-person' status through, for example,imprisonment). All organisations might contribute to the costs of the idissuer, or the organisation might absorb them as costs of its own operation ora service to the community. Economies of scale can be gained if the equipmentand software needed to check the tokens and capture the code are common.An additional advantage of a multi-purpose scheme is that organisations whichperform related functions can have an easy means of inter-relating the datathey hold and collect about each individual. Moreover, the overall costs ofthat kind of operation would be lower, and hence it would become economic formore pairs and sets of organisations to share data about their clients. In theextreme case, a single, general-purpose scheme could be used by allorganisations for all purposes, facilitating general-purpose use of personaldata. Instances exist of both 'centralised' schemes, in which the register isheld in a single location, and 'dispersed' schemes, in which the data is heldregionally or locally.Many multi-purpose schemes exist. Some of these are operated by the privatesector, especially in relation to credit reporting schemes and insurance claimand claimant information systems, such as the U.S. Medical Information Bureau.The remainder of this section examines multi-purpose identification schemesoperating primarily in the public sectors of various countries. A few of themmake incidental use of a physiological characteristic (e.g. schemes inSingapore, Hong Kong, Malaysia and Spain have been claimed to store a The Registration and Certification of Births and Deaths inNew South Wales' Discussion Paper for the N.S.W. Law Reform Commission (March1986)Rotenberg M. (1991) 'The Use of the Social Security Number as a NationalIdentifier' Comp. & Society 21, 2-4 (October 1991) 13-19Rule J.B. (1973) 'Private Lives and Public Surveillance' Allen Lane 1973Rule J.B., McAdam D., Stearns L., Uglow D. (1980) 'The Politics of Privacy'Elsevier, New York, 1980Rule J.B., McAdam D., Stearns L., Uglow D. (1983) 'Documentary Identificationand Mass Surveillance in the U.S.' Social Problems 31:222-234 December,1983Sterling B. (Ed.) (1986) 'Mirrorshades: The Cyberpunk Anthology' ArborHouse, New York, 1986Stewart (1982) 'Royal Commission of Inquiry into Drug Trafficking, InterimReport No.2: Passports', Aust Govt Publ Serv, 1982Sugden R. & Williams A. (1985) 'The Principles of Practical Cost-BenefitAnalysis' Oxford U.P., 1985Thompson M. (1980) 'Benefit-Cost Analysis for Program Evaluation' Sage,1980Thornberry C. (1974) 'Going Abroad: A Report on Passports' British Sectionof the International Commission of Jurists, Barry Rose Publishers, Chichesterand London, 1974Turack D.C. (1972) 'The Passport in International Law' D.C. Heath & Co.,Lexington MA, 1972Vic CCPPI (1987) 'Identification Tests and Procedures - Fingerprinting'Consultative Committee on Police Poafter the revolution of 1789 (Walker 1986). The useof such schemes accelerated during the first half of the twentieth century. Insome countries in 1939-40, especially the Netherlands, the existence of adetailed register was of considerable assistance to the Nazi invader, andresulted in the easy identification and location of many people targeted forthe most extreme form of racial discrimination. Such experiences generated orreinforced distrust of efficient registration schemes in some Europeancountries; for example, censuses in The Netherlands were abandoned in the1980s, due to public opposition and the consequent low quality of data; andthe inhabitant registration schemes in Austria, France and Italy are officiallynon-compulsory (despite which, or perhaps in part because of which, they areclose to universal in coverage).The misgivings are less apparent in Scandinavian countries. Widespread use ofa single personal identity number in Sweden began in 1947, in the context of acensus. Norway followed suit in the 1960s, and a similar arrangement wasintroduced in Denmark in 1968 (Blume 1990). One of the advantages claimed forit is that a periodic census is unnecessary, because statistics can beextracted from the national personal data system at the time they are needed.In some countries, including The Netherlands, Switzerland and (at least atpresent) West Germany, the Register is stored in a dispersed manner, at thelevel of the municipality. All events deemed relevant by the authorities mustbe registered with the municipality. When the person moves across municipalboundaries, both the old and new municipalities must be informed, to enabledata transfer to take place. In at least The Netherlands, passport issue isrecorded against the munipical register (Stewart, 1982, p.60).In general, there is not, or not yet, a requirement that individuals carry atall times a token evidencing their right to use a particular code. Oneexception in Western Europe is Belgium, where members of the police force havethe power to arbitrarily require proof of identity from any person at any time.Under the most repressive regimes, such as those in Communist Eastern Europe,inhabitant registration schemes were instrumental in the prevention ofunauthorised movement both within the country and out of it. Systems inpost-communist eastern Europe appear likely to retain at least some similarcharacteristics (Clarke 1994b).The absence of the power to demand evidence of identity weakens the integrityof a general-purpose identification scheme. It is only to be expected thatvarious pressure-groups will seek to increase the impositions as time goes by,in response to such problems as illegal immigration, perceived worsening of lawand order, epidemics, natural disasters, national security emergencies, etc.The European Union (EU) continues to make efforts to 'harmonise' the variousinhabitant registration schemes of its member-states sufficiently to enableeach country's internal passport / identification card to be used for transitacross EU borders, and perhaps even for residence and employment in other EUcountries. The cultural and systemic differences are such that progress hasnot been easy.*Countries With British Legal BackgroundsIn the United States, the Social Security Number (SSN) is operated by theSocial Security Administration (SSA), for its own purposes. Many otheragencies use the number and card for additional purposes, and there has beenconsiderable use in business and in education. The SSN has a very substantialcoverage of the population, but the integrity is very low (FACFI 1976, CG 1980,OTA 1981).The history of the Social Security Number is instructive. As in mostcountries, there was a gradual increase in the reliability of birth registryinformation during the nineteenth and early twentieth century. By 1933, it wasestimated that at least 90% of all births and deaths were recorded (Rule etal., 1980, p.31). This laid the foundation for an id scheme. Following theoriginal Social Security Act of 1935, which imposed a tax on both employees andemployers, an identifying number was established in late 1936, and employeeswere required to provide that number to their employers. The card that wasissued bore the legend 'Not For Identification' (HEW, 1973, pp.114-122).In 1943, the decision was taken to extend the use of the SSN to all FederalGovernment employees, and "An Executive Order [9397] by President Roosevelt ...required that, as a means of avoiding costly duplication, any Federal agencyestablishing a new system for personal identification must use the SocialSecurity number. That order is still in effect" (Westin & Baker, 1972,p.41).However, those decisions had very little impact until 1961, when the InternalRevenue Service (IRS) began to use the SSN for identifying taxpayers. In turn,IRS imposed on corporations which pay interest to individuals theresponsibility to collect and report the SSNs of individuals they deal with.The SSN is of low integrity. It is very easy to nominate a number which hassurface validity, and relatively few organisations which use them have theability to confirm or deny whether the number was issued by SSA to the personwho is supplying them the number. The 9 digit (nnn-nn-nnnn) code permits 1,000million combinations, or only about four times the country's living population.In addition, several blocks of codes, totalling close to 200 million, are notused. The proportion of possible codes which are currently assigned to aliving person is therefore approaching 40%. As a result, a large proportion ofwrong codes (whether they are wrong through accident or intent) aresyntactically valid, in the sense that they are assigned to someone, or arewithin a range that is in use. A highly-used bogus number is 078-05-1120,which was printed on 'sample cards' inserted in thousands of wallets sold inthe 1940s and 1950s.Despite these serious weaknesses, many federal government agencies have usedthe number as the basis for identification of their own clients, andcorporations make the provision of the number a condition of doing business,and use it for their own purposes, despite the absence of any authority forthem to do so (Hibbert 1992). The Lotus Marketplace service, which wasintended to sell vast quantities of data about consumers (but was withdrawn dueto the furore its announcement stimulated), used the SSN as the primaryidentifying mechanism.In Canada, a similar scheme to the U.S. SSN exists, called the Social InsuranceNumber (SIN). The Canadian Privacy Commissioner expressed serious concernabout the threats to personal privacy involved in any expansion of the use ofthe SIN (1981), and subsequently the extent of its use was rolled back by anAct of Parliament.The United Kingdom, Australia and New Zealand generally claim to share a strongtradition of personal freedoms, and do not have inhabitant registrationsystems. At least Britain and Australia had schemes during World War II,however. They were justified by the threat of invasion, and made possible bythe resulting economic deprivation. They were abandoned when the threat wasremoved, because they were regarded as unsustainable and inappropriate:"Britain had ... the identity card system used during the Second World Warand up until 1951. Food was so scarce as to be unavailable without rations,and rations were available only to persons registered in their area ofresidence and provided with an identity card. Registration was all butuniversal, and the continual need for rations forced people to keep theauthorities apprised of their current addresses, so that they could present avalid identity card. The cards were nationally indexed, so that the policecould immediately find the address of any person throughout the country. Aslong as food remained virtually impossible to obtain without rations, theinducements to keep contact with the authorities remained highly persuasive ...the system in its old form would have quickly become unworkable without theinducement of rationing to keep addresses current" (Rule, 1973,pp.314-315).*Current DevelopmentsIt is in the self-interest of executives of government agencies to establishtighter social control, and proposals for inhabitant registration schemes arebeing continually brought forward (Westin & Baker 1972, OTA 1981, Eaton1986). During the last decade, the march of identification, data-processingand communication technologies have excited a particularly enthusiastic surgeof attempts by governments to introduce general-purpose, national schemes (PIBulletin 1993-). In Australia, for example, there was a concerted effort inthe mid-1980s to establish a national identification scheme to attack taxevasion, welfare fraud and illegal immigration. It foundered on the rocks ofpublic opinion (Clarke 1987). Subsequently, use of the Tax File Number hasbecome a great deal more widespread. Despite nominal promises and legislativeprovisions, it is being developed as a proxy for the failed Australia Cardproposal (Clarke 1991, 1992).Other initiatives have included the United Kingdom (where the control of unrulysoccer fans was the stated motivation), Singapore (to enable cross-enforcementof laws by various agencies), and Iran. There are two current politicalinitiatives in the United States, one in relation to the proposed nationalhealth scheme, and the other to verify employment eligibility and facilitatecross-matching between agencies.Even a national inhabitant registration scheme would not solve internationalproblems. A general-purpose scheme would be at its most effective if it wereworld-wide, with all people registered at birth. The scope for people toundertake illegal activities would be constrained. In principle at least, itwould be very difficult for anyone to have any other than their own officialidentity; it would be scarcely possible to live entirely out of contact withthe national government of the country in which they were resident; andsimilarly difficult to move between countries without being intercepted byborder officials.Improving the integrity of these schemes, however, involves enormousdifficulties, including establishing and maintaining standards across more than200 nation-states (including, at any given time, a modest number of maverickgovernments and endemically corrupt administrations); the fundamental problemsof ensuring a scheme of sufficient integrity in the first place; theprevention of forgery; and ongoing quality assurance. Periodic attempts aremade to harmonise the identification procedures among associated countries(notably within the European Union, but also among other sets of closeneighbours such as Australia and New Zealand). There is, however, little(publicly-perceived) momentum toward a world-wide identification scheme. PublicPolicy Issues*Inherent Objections to IdentificationIn considering the design of identification schemes, many interests need tobe balanced. Powerful institutions and individuals seek to sustain theirinfluence over individuals, variously as customers, suppliers, employees,students, patients, critics and opponents. There is also a collective interestin social control, primarily in order to sustain law and order and therebyprotect life, health and property, but also to ensure that equity is achievedin terms of tax payment and receipt of government benefits (or, morerealistically, that the inequities are planned, rather than accidental).Against these motivations for tight social control, and an efficientidentification scheme to support it, it is necessary to balance the interestsof individuals in the various aspects of civil liberty. Private spaces inwhich people can behave free from intrusions are being rapidly invaded by datasurveillance technologies. In this paper it is not appropriate to enter into alengthy analysis of the impact of information technology on civil liberties,but see Rule (1973), Rule et al. (1980), Clarke (1988, 1994a), Davies (1992,1994), Wigan (1994) and Agre & Harbs (1994).The need to identify oneself may be intrinsically distateful to some people.For example, they may regard it as demeaning, or implicit recognition that theorganisation with whom they are dealing exercises power over them. Many peopleaccept that, at least in particular contexts, an organisation with which theyare dealing needs to have their name. Some, however, feel it is an insult tohuman dignity to require them to use a number or code instead of a name. Somefeel demeaned by demands, as part of the identification process, that theyreveal information about themselves or their family, or embarrassed at havingto memorise a password or PIN.Some people are unwilling to submit to the regimen of carrying tokens, orunprepared to produce them, on the grounds that this reeks of a totalitarianregime, reflects and perpetuates a power relationship that they despise (suchas the South African pass laws during the period of apartheid), or carries withit the seeds of discrimination (as reflected by the content of the token).Another factor which forces compromise between the interests of accountabilityand law and order on the one hand, and civil liberties on the other, is theimportance of multiple identities as a means of avoiding physical harm anddeath at the hands of violent opponents.All forms of identification may attract opposition in different circumstances.The greatest degree of public distrust, however, is generally associated withbiometric identifiers. Their use is in some cases invasive, and in all casesseems that way. In many countries whose law and traditions derive from theUnited Kingdom, fingerprints continue to be associated with the exercise ofpower by the State over people, especially in relation to criminal lawenforcement. As a result, the compulsory provision of fingerprints is seen insuch countries as an invasion of privacy, an indignity and an embarrassment(e.g. Vic CCPPI 1987). The situation is rather different in the U.S.A., wherea wide range of organisations require the provision of fingerprints, and "nearthe end of 1968, the FBI's collection of civilian fingerprints exceeded 150million sets" (Moenssens 1969, pp.143, 238). This author also claimed that thecourts "have recognised that fingerprinting has come into general use as ameans of identification, and that it can no longer be maintained that thetaking of fingerprints of a person stigmatizes him as a criminal" (p.72).DNA-printing is especially intrusive, because it requires not just moralsubmission to authority, but also physical submission, in the form of bodytissue or fluids.Imposed physiographic identifiers, such as embedded chips, represent a yetgreater exercise of power over the individual, to the extent that the person istreated in a manner similar to inanimate goods on a production-line. It isreasonable to anticipate that the public of some countries would at leastresent, and may take political action to limit, the imposition of many forms ofbiometric identification.As the sophistication of identification technologies increases, theidentification schemes operated by individual corporations and governmentagencies require regulation, in order to achieve appropriate balance betweenpersonal, corporate and social needs. The need for equity makes thisparticularly important in the case of organisations which exercise effectivemonopoly, and where the multiple organisations which offer a particular productor service apply similar conditions, e.g. as a result of co-operation throughan industry association.The regulation of organisations' practices represents de facto approval oftheir aims, and of the social valuations implicit in their operations. Thereare many dealings among people, and between people and organisations, in whichthe parties' interests can be satisfied even though they are unaware of oneanother's identities. In these circumstances, any requirement that the partiesidentify themselves is extraneous to the business itself, and the regulatoryregime should extend to requiring justification for the use of anyidentification scheme.*Risks in Multi-Purpose Identification SchemesPeople's dealings with individual corporations and government agenciesinvolve significant issues, but the level of public concern becomes much moreacute once identification schemes are used for multiple purposes. Accordingly,the question of what transactions can reasonably be conducted anonymously orpseudonymously requires even more careful consideration.There is a common presumption that, when required to do so by an appropriateauthority, people must identify themselves. In many jurisdictions, however,that presumption is largely unjustified. In many countries, a policeman onlyhas the power to demand that a person identify themselves in particularcontexts or locations. He may be empowered to demand the driver's licence of aperson driving a vehicle, when dealing with a traffic offence. In somecountries, this power may exist even in the absence of an offence. In manyinstances, however, the power does not extend to, for example, demanding theidentification of passengers in the vehicle, or the identification of a driverwho has passed a random breathalyser test.There are countries, such as Belgium, in which a policeman has arbitrary powerto stop any individual and demand their identity. Generally, however, (andleaving aside traffic matters), policemen, and even magistrates and judges, maynot have the power to demand the identity of individuals, even if they arecharged with criminal offences. In some States of Australia, for example, itis an offence not to provide one's identity (e.g. in Queensland and SouthAustralia); whereas in others it is not (e.g. in Victoria). One may have tocompromise other rights by exercising the right to remain unidentified (e.g.bail might be refused); but the right exists, and some people in somecircumstances will wish to exercise it.Public concerns about multi-purpose identification schemes have beenwell-documented in the United States. That country has considerable problemswith illegal immigration and citizen dishonesty. There have been continualproposals by government agencies to upgrade the integrity of the SSN with theintention that it become an efficient multi-purpose identification scheme.In 1969, the American National Standards Institute (ANSI) proposed a standardnational identifier which incorporated the Social Security Number. Westin& Baker, after completing a major study of 'databanks' were of the opinionthat "Given the cleavages in the nation today, the levels of distrust ingovernment already present, and the fears that a national administration mighttake repressive actions in response to disorders or political crises, we shouldjoin nations such as Great Britain, Canada and France that are not moving tochange historic policies against the establishment of a citizen numberingsystem at this time" (1972, p.41). The draft standard was withdrawn.In 1973, an Advisory Committee to the U.S. Department of Health, Education andWelfare took the position that "a standard universal identifier (SUI) shouldnot be established in the United States now or in the foreseeable future ... Werecommend against the adoption of any nationwide, standard, personalidentification format, with or without the SSN, that would enhance thelikelihood of arbitrary or uncontrolled linkage of records about people,particularly between government or government-supported automated personal datasystems. What is needed is a halt to the drift toward a [Standard UniversalIdentifier]" (HEW, 1973, pp.xxxii, 122).The U.S. Privacy Act of 1974 (Public Law 93-579) recognised the concerns. Itdoes not go so far as to require agencies using the SSN to change to some otheridentifier, nor does it prevent agencies from using the SSN for new purposes;however, it does make it unlawful for any Federal, State or local governmentagency to deny to any individual any right, benefit or privilege provided bylaw because of such individual's refusal to disclose his social securityaccount number. This can of course be overridden by statute, but it doesensure that an agency is in practice unable to use the SSN as the majoridentifying key for its clients (since some clients would decline to providetheir numbers), until it has gone through the formality of gaining legislativeapproval for compulsory collection.After (yet another) government agency assessment of the scope for the SSN toprovide the basis for a national identification scheme, FACFI (1976) concludedthat any attempt to improve on or replace the highly unreliable SSN schemewould not be worth the money. Subsequently, the Comptroller-General alsorecognised the unreliability of any documentary identification scheme, andespecially the SSN, noting the estimate of about 4.2 million Americans withmore than one Social Security Number (CG 1980). The title of this GovernmentReport is itself quite informative: 'Re-issuing Tamper Resistant Cards WillNot Eliminate Misuse of Social Security Numbers'.Reviewing developments during the 1970's, Rule concluded that " ... federalauthorities have avoided any overt move in the direction of identificationcards per se. There has recently been discussion of devising a tamperproofSocial Security card, mainly to counteract the hiring of illegal aliens, butfederal officials have apparently judged that a full-scale system of federallyrequired, rigorous personal identification would be politically unacceptable.Their judgment is prudent" (Rule et al., 1980, p.161).In the early 1980s, an Australian Royal Commission examined the manner in whichinternational drug traffickers established and maintained sufficient identitiesthat they could escape detection. Despite the security inadequacies which thelooseness of birth certificate, citizenship certificate and passport issueentail, the Commission recognised that a free society like Australia's wouldnot be prepared to accept tight controls, and decided not to recommend majorchanges, nor any form of national identification scheme (Stewart 1982).Despite this catalogue of findings against the SSN in particular, and the ideaof an inhabitant register and code in general, proposals keep coming forwardfrom government agencies desperate for a 'magic bullet' to address theirconcern-of-the-moment. Meanwhile, arguments have been presented toCongressional Committees in favour of the prohibition of the use of the SSN forpurposes other than its mainstream and controlled uses in social securityadministration (Rotenberg 1991). Similar arguments have been mounted in manyother countries, including Australia (Clarke 1987) and Germany (Taeger 1984).Most people are cowed by the power of large institutions, and resent at leastsome aspects of the surveillance society. The imposition of social controlmechanisms, including the enforced use of intrusive identification, couldstimulate an increased degree of conscious non-acceptance of authority. Thiscould in turn bring on the collapse of that twentieth century phenomenon, thenation-state, and with it the disappearance of regional enforcement of law andorder. The cyberpunk genre of science fiction (e.g. Gibson 1984, Sterling1986) works on the assumption that the social surveillance and control movementcontains the seeds of its own self-destruction. If this premonition hasvalidity, it is vital that the public policy aspects of identification schemesbe subjected to much more serious consideration than they have been in the past. ConclusionsIdentification is an important design consideration in information systemswhich deal with people. Management faces challenges in devising cost-effectiveschemes which fit their particular circumstances. The more effectivebiometrics-based identification schemes all involve serious socialimplications, and can be expected to excite considerable public suspicion andeven hostility. It is remarkable how poorly understood the topic is. Thispaper has set out to fill a void in the literature. It points to a need forresearch into the origins for, and justification of, identification ofindividuals.It was concluded that organisations should consider whether the nature of theirrelationships with individuals really requires identification, or whetherappropriate design can enable transactions to be undertaken anonymously, orusing pseudonyms. Organisations must appreciate that, in many cases, it isentirely feasible for them to protect their interests without knowing theirclients' identities.Inhabitant registration schemes, in countries with appropriate social controlinfrastructure, and designed appropriately, can be important elements in theexercise of control over the majority of the public, who are relativelystraightforward in their life-styles, respectful of authority, honest, andpolitically weak. The inevitable deficiencies in any scheme leave ample scopefor the seriously dishonest to manipulate it. Hence multi-purposeidentification schemes assist in the enforcement of social control over theweak; but they do little to influence the powerful, clever and dishonest.Societies which seek to implement or sustain inhabitant registration schemesmay do so at the risk of their social fabric.Any high-integrity identifier represents a threat to civil liberties, becauseit represents the basis for a ubiquitous identification scheme, and such ascheme provides enormous power over the populace. All human behaviour wouldbecome transparent to the State, and the scope for non-conformism and dissentwould be muted to the point envisaged by the anti-utopian novellists. Thehighest-integrity schemes combine physically intrusive data-collection with apotentially ubiquitous instrument of power. As a result, the kinds ofmulti-purpose identification schemes, or inhabitant registration systems, whichwould appear capable of exciting the greatest degree of concern are those basedon DNA-printing and implanted chips.Government agencies, and some corporations, are seeking to exercise tightercontrol over individuals using various forms of data surveillance, underpinnedby effective identification schemes. Parliaments throughout the world maypassively process bills put before them to facilitate such schemes.Alternatively, they may choose to actively seek a balance between theorganisational and collective interests on the one hand, and the individualinterests on the other. If they adopt this course, then they must proscribeunjustifiably intrusive schemes, promote the use of anonymous and pseudonymoustransactions wherever practicable, and, except in carefully justified andregulated cases, deny the multiple use of identification schemes. ReferencesAgre P.E. & Harbs C.A. (1994) 'Social Choice About Privacy:Intelligent Vehicle-Highway Systems in the United States' InformationTechnology & People 7,4 (December 1994)Blume P. (1990) 'The Personal Identity Number in Danish Law' Comp. L. &Security Rep. 5,3 (1989-90) 10-13CG (1980) 'Re-Issuing Tamper Resistant Cards Will Not Eliminate Misuse ofSocial Security Numbers' U.S. Comptroller-General, 1980Chaum D. (1985) 'Security Without Identification: Card Computer to Make BigBrother Obsolete' Comun. ACM 28,10 (October 1985) 1030-44Clarke R.A. (1987) 'Just Another Piece of Plastic for Your Wallet: TheAustralia Card' Prometheus 5,1 June 1987. Republished in Computers &Society 18,1 (January 1988), with an Addendum in Computers & Society18,3 (July 1988)Clarke R.A. (1988) 'Information Technology and Dataveillance' Commun. ACM31,5 (May 1988). Re-published in C. Dunlop and R. Kling (Eds.)'Controversies in Computing', Academic Press, 1991Clarke R.A. (1991) 'The Tax File Number Scheme: A Case Study of PoliticalAssurances and Function Creep' Policy 7,4 (Summer 1991)Clarke R.A. (1992) 'The Resistible Rise of the Australian National PersonalData System' Software L. J. 5,1 (January 1992)Clarke R.A. (1994a) 'Dataveillance by Governments: The Technique of ComputerMatching' Information Technology & People 7,2 (June 1994)Clarke R.A. (1994b) 'Information Technology: Weapon of Authoritarianism orTool of Democracy?' Proc. World Congress, Int'l Fed. of Info. Processing,Hamburg, September 1994Clarke R.A. (1994c) 'Computer Matching by Government Agencies: The Failure ofCost/Benefit Analysis as a Control Mechanism' Forthcoming, Informatization andthe Public SectorDavies S. (1992) 'Big Brother: Australia's Growing Web of Surveillance'Simon and Shuster, Sydney, 1992Davies S. (1994) 'Touching Big Brother: How Biometric Technology Will FuseFlesh and Machine' Information Technology & People 7,4 (December 1994)Eaton J.W. (1986) 'Card-Carrying Americans: Privacy, Security and theNational ID Card Debate' Rowman & Littlefield, Totowa NJ, 1986Ehrlich T. (1966) 'Passports' 19 Stanford L. Rev. 129-149 (1966-67)FACFI (1976) 'The Criminal Use of False Identification: the Report of theFederal Advisory Committee on False Identification', U.S. Dept of Justice,1976Fox-Davies A.C. & Carlyon-Britton P.W.P. (1906) 'A Treatise on the LawConcerning Names and Changes of Name' Elliot Stock, London, 1906Gibson W. (1984) 'Neuromancer' Grafton/Collins, London, 1984Gramlich E.M. (1981) 'Benefit-Cost Analysis of Government Programs'Prentice-Hall 1981Halsbury (1981) 'Halsbury's Laws of England' Butterworths, London, 4thEdition, Vol. 35, 1981, pp. 651-656HEW (1973) 'Records, Computers and the Rights of Citizens: Report of theSecretary's Advisory Committee on Automated Personal Data Systems' (U.S. Dept.of Health, Education and Welfare) M.I.T. Press 1973Hibbert C. (1992) 'What To Do When They Ask for Your Social Security Number'Comp. Professionals for Social Responsibility, version of June 1992, ftp frompit-manager.mit.edu in the file /pub/usenet/news.answers/ssn-privacyHIC (1985a) 'An Outline Plan Prepared for the Inter-Departmental Committee onNational Identification', Health Insurance Commission, May 1985HIC (1985b) 'Establishment and Administration of a National IdentificationSystem: The Australia Card Program: Interim Planning Report', HealthInsurance Commission, August 1985IBM (1969) 'Identification Techniques' I.B.M. 1969 (GC20-1707-0)IDC (1985) 'The National Identity System: Report of the Inter-DepartmentalCommittee established to develop legislative requirements and other aspectsnecessary to complete the detailed implementation of the National IdentitySystem (NIS)', Dept. of Health, August 1985 (published December 1985)Josling J.F. (1980) 'Change of Name' Oyez Publishing, London, 1st Edition,1946, 12th Edition, 1980Moenssens A.A. (1969) 'Fingerprints and The Law' Chilton, Philadelphia,1969NZCS (1972) 'Investigation of a Unique Identification System' N.Z. Comp. Soc.May, 1972OTA (1981) 'Computer-Based National Information Systems: Technology andPublic Policy Issues' Office of Technology Assessment, Congress of the UnitedStates, Washington DC (September 1981)OTA (1990) 'Genetic Witness: Forensic Uses of DNA Tests' Office ofTechnology Assessment, Congress of the United States, OTA-BA-438, Washington DC(July 1990)Robinson M. (1986) 'The Registration and Certification of Births and Deaths inNew South Wales' Discussion Paper for the N.S.W. Law Reform Commission (March1986)Rotenberg M. (1991) 'The Use of the Social Security Number as a NationalIdentifier' Comp. & Society 21, 2-4 (October 1991) 13-19Rule J.B. (1973) 'Private Lives and Public Surveillance' Allen Lane 1973Rule J.B., McAdam D., Stearns L., Uglow D. (1980) 'The Politics of Privacy'Elsevier, New York, 1980Rule J.B., McAdam D., Stearns L., Uglow D. (1983) 'Documentary Identificationand Mass Surveillance in the U.S.' Social Problems 31:222-234 December,1983Sterling B. (Ed.) (1986) 'Mirrorshades: The Cyberpunk Anthology' ArborHouse, New York, 1986Stewart (1982) 'Royal Commission of Inquiry into Drug Trafficking, InterimReport No.2: Passports', Aust Govt Publ Serv, 1982Sugden R. & Williams A. (1985) 'The Principles of Practical Cost-BenefitAnalysis' Oxford U.P., 1985Thompson M. (1980) 'Benefit-Cost Analysis for Program Evaluation' Sage,1980Thornberry C. (1974) 'Going Abroad: A Report on Passports' British Sectionof the International Commission of Jurists, Barry Rose Publishers, Chichesterand London, 1974Turack D.C. (1972) 'The Passport in International Law' D.C. Heath & Co.,Lexington MA, 1972Vic CCPPI (1987) 'Identification Tests and Procedures - Fingerprinting'Consultative Committee on Police Powers of Investigation, Melbourne, Australia(October 1987)Walker G. de Q. (1986) 'Information as Power: Constitutional Implications ofthe Identity Numbering and ID Card Proposal', CIS Policy Report, 2,1, Centrefor Independent Studies, St Leonards NSW, February 1986Wambaugh J. (1989) 'The Blooding' William Morrow, New York NY, 1989Westin A.F. and Baker M.A. (1972) 'Databanks in a Free Society'Quadrangle/N.Y. Times Book Co. 1972Wigan M.R. (1994) 'The Influence of Public Acceptance on What IntelligentVehicle Highway Systems Can Achieve' Information Technology & People 7,4(December 1994)Wilton G.W. (1938) 'Fingerprints: History, Law and Romance' William Hodge& Co., London, 1938NavigationGo to Roger'sHome Page.Go to thecontents-page for this segment. Sendan email to RogerCreated: 13 October 1995Last Amended: 16 August 1997 These communityservice pages are a joint offering of the Australian National University (whichprovides the infrastructure), and Roger Clarke (who provides the content). The Australian National UniversityVisitingFellow, Faculty of Engineering and Information Technology,InformationSciences Building Room 211 Xamax ConsultancyPty Ltd, ACN: 002 360 45678 Sidaway St Chapman ACT 2611AUSTRALIATel: +61 2 6288 1472, 62886916 |
|
