The Path to Anonymity

Thanks to anonymous and AJ for the exemplary report:

Privacy-enhancing Technologies: The Path to Anonymity
Registratiekamer, The Netherlands
Information and Privacy Commissioner/Ontario, Canada
August 1995
Volume I

Volume II is available at: http://www.replay.com/mirror/privacy/

_________________________________________________________

Introduction [Excerpts]

The Dutch Data Protection Authority (the Registratiekamer) and the Information and Privacy Commissioner for the Province of Ontario, Canada (IPC) are both privacy protection agencies that oversee compliance with their respective jurisdiction's privacy laws. The Registratiekamer and IPC decided to pool their resources and collaborate in the production of a report exploring privacy technologies that permit transactions to be conducted anonymously. The first international paper of this type includes a survey of companies that might be expected to offer such technologies, and organizations that might use them. In addition to anonymous transactions, the range of security features commercially available for use and the types of services actually being used by various organizations were also examined (see 2.1 Survey methodology). The Registratiekamer and IPC felt that a joint report outlining the practices followed in their respective jurisdictions would shed some light on this little-studied but extremely important area where the future of privacy-protection in an electronic world may lie. Consumer polls have repeatedly shown that individuals value their privacy and are concerned with its potential loss when so much of their personal information is routinely stored in computer databases, over which they have no control. Protecting one's identity goes hand in hand with preserving one's ability to remain *anonymous* -- a key component of privacy.
While advances in information and communications technology have fuelled the ability of organizations to keep massive amounts of personal data, this has increasingly jeopardized the privacy of those whose information is being collected. Minimizing identifying data would restore privacy considerably, but would still permit the collection of needed information. When assessing the need for identifiable data during the course of a transaction, the key question one must start with is: how much personal information/data is truly required for the proper functioning of the information system involving this transaction? This question must also be asked at the outset -- prior to the design and development of any new system. But this is not the case today. This question is rarely asked at all since there is such a clear preference in favour of collecting identifiable data, 'the more the better'. However, with the growth of networked communications and the ability to link a wide number of diverse databases electronically, people will become more and more reluctant to leave behind a trail of identifiable data. What is needed is a paradigm shift away from a 'more is better' mindset to a minimalist one. Is it possible to minimize the amount of identifiable data presently collected and stored in information systems, but still meet the needs of those collecting the information? We believe that it is. The technology needed to achieve this goal exists today. We will describe some of the privacy technologies that permit one to engage in transactions without revealing one's identity by introducing the concept of an *identity protector*. The notion of *pseudonymity* will also be introduced as an integral part of protecting one's identity. These technologies are available now and within our reach; what is needed is the will to implement privacy technologies over the tracking technologies that are in use today.
When organizations are asked what measures they have in place to protect privacy, they usually point to their efforts at keeping information secure. While the use of security measures to prevent unauthorized access to personal data is a very important component of privacy, it does not equal privacy protection. The latter is a much broader concept which starts with the questioning of the initial collection of the information to ensure there is a good reason for doing so and that its uses will be restricted to legitimate ones that the data subject has been advised of. Once the data has been collected, security and confidentiality become paramount. Effective security and confidentiality will depend on the implementation of measures to create a secure environment. Alternatively, instead of restricting the focus to security alone, a more comprehensive approach would be to seek out ways in which technology may be used to enhance the protection of informational privacy or data protection. We use the term *privacy technologies* to refer to a variety of technologies that safeguard personal privacy by minimizing or eliminating the collection of identifiable data. Not only are measures that safeguard privacy becoming an important mark of quality, but increasingly, consumers are demanding that organizations pay attention to their privacy concerns. Social acceptance of demands for one's personal information, without adequate assurances of protection, appears to be on the decline. Not only do consumers wish to maintain control over their personal data and be informed of its uses, but insufficient protection will be reason enough for consumers to take their business elsewhere -- to companies that follow privacy-protective practices.

-----

Participants (1): John Young