Source

Automatically imported from: http://commons.somewhere.com:80/rre/1997/Privacy.Going.Down.Under.html

Content

This web service brought to you by Somewhere.Com, LLC.

Privacy [Going?] Down Under

``` [In a very odd move, the Australian government is trying to renege on its campaign promises of legislation to bring Australian privacy policy into alignment with the practices of most other industrialized nations. I've also enclosed a message of my own, from the same issue of Privacy Forum, about proposals for the deceptive use of iris scanning in banks.]

---

This message was forwarded through the Red Rock Eater News Service (RRE). Send any replies to the original author, listed in the From: field below. You are welcome to send the message along to others but please do not use the "redirect" command. For information on RRE, including instructions for (un)subscribing, send an empty message to rre-help@weber.ucsd.edu

---

Date: Tue, 15 Apr 97 22:48 PDT From: privacy@vortex.com (PRIVACY Forum) Subject: PRIVACY Forum Digest V06 #05

PRIVACY Forum Digest Tuesday, 15 April 1997 Volume 06 : Issue 05

---

Date: Thu, 27 Mar 1997 15:35:42 +1100 (EST) From: Roger Clarke Subject: Privacy [Going?] Down Under

During the mid-1990s, Australian industry and privacy advocates have been in agreement that the country's privacy legislation needed to be extended beyond government agencies, to cover the private sector.

They were even agreed on the approach to be taken, namely industry codes of practice developed in consultation with the Privacy Commissioner and administered by the industry, supervised by the Privacy Commissioner, and subject to statutory backing. The term being used in Australia for that approach is 'co-regulatory'.

A series of government and parliamentary reports recommended action, and the approach was adopted in the platforms of both major parties. In September 1996, a Discussion Paper was issued by the Attorney-General, indicating the intended shape of the initiative. See: http://www.agps.gov.au/customer/agd/clrc/privacy.htm It therefore appeared that action was imminent. For a brief review, see: http://www.anu.edu.au/people/Roger.Clarke/DV/FedLeg.html

But, abruptly on 21 March 1997, the dry-as-a-bone Prime Minister issued a four-para. press release, announcing that "the Commonwealth will not be implementing privacy legislation for the private sector", and citing compliance costs as the justification for the decision.

This announcement appears to have been made without consultation with the Cabinet, the Attorney-General or the Privacy Commissioner. It would appear that the Prime Minister was captured by a narrow and uninformed lobby group, most likely the major banks. [A review of the financial system by people from the right end of town is about to report ('the Wallis Enquiry'), and the finance sector lobbyists feel that they're on a roll].

A summit of privacy advocacy groups has been held, and plans are being formulated as to how to correct the Prime Minister's aberration, and get the process back on the right track. The summit's co-ordinators are: Chris Connolly Tim Dixon

Further details follow.

Some key facts are:

- the Liberal Party was elected on a platform that included the adoption

of "a co-regulatory approach to privacy within the private sector, comparable with best international practice"

- the Attorney-General's Discussion Paper of late 1996 envisaged a scheme

consistent with that platform, and held that line in speeches as late as 19 February and 12 March

- associations representing relevant parts of the private sector have

been arguing for just such an approach, including formal submissions in response to the Discussion Paper

- privacy interest groups have been arguing for just such an approach

- successive reports by government and parliamentary committees have

recommended that action of this kind be taken

- at least two State Governments are encouraging just such an approach,

as a means of balancing privacy against other interests, and to ensure public confidence in applications of information technology generally, and of electronic services delivery in particular

- the European Union's Directive has the effect that Australia needs to

enact privacy laws that satisfy international norms; otherwise Australian companies will be disadvantaged in international trade. This argument was run by The Australian Financial Review on 27 March.

---

Roger Clarke http://www.anu.edu.au/people/Roger.Clarke/ http://www.etc.com.au/Xamax/ Xamax Consultancy Pty Ltd, 78 Sidaway St, Chapman ACT 2611 AUSTRALIA Tel: +61 6 288 1472, and 288 6916 mailto:Roger.Clarke@anu.edu.au Visiting Fellow, Faculty of Engineering and Information Technology The Australian National University Canberra ACT 0200 AUSTRALIA Information Sciences Building Room 211 Tel: +61 6 249 3666

---

Date: Fri, 11 Apr 1997 09:10:41 -0700 (PDT) From: Phil Agre Subject: Iris scanning

An article in the 4/11/97 San Francisco Chronicle (Peter Sinton, ATM Cash For Your Eyes Only: New Device IDs a Customer's Iris, page A1) discusses the use of iris scanning for identification of bank customers. According to the article, the major selling point of the technology is that people can be identified without knowing it.

The article quotes Kevin McQuade, who it identifies as "vice president of Sensar, which first developed the technology to detect motion for the U.S. military", as saying, "The real sexiness of this technology is that it is unobtrusive; you don't have to say anything or do anything". Citicorp Chief Technology Officer James Zeanah is quoted as saying, "A lot of people who walk into banks feel we communicate distrust when we ask them for identification. This device could help banks be a lot friendlier". To this end, the article suggests, "Sophisticated iris scanners could spot customers in a crowd and tip off bank personnel to their identity without having to ask for identification". This is because the iris scanners can operate reliably at a distance, which the article reckons at 36 inches although it discusses applications that would require more.

The problem here is not the use of biometric identification. Biometric identification can protect privacy rather than eroding it, for example by indexing the individual's biometric signature to a cryptographic key rather than a social security number or other personal identifier. The problem, instead, is the idea of using iris scanning to deceive patrons. People who feel that a bank is expressing distrust by asking them for identification before disbursing their money are fools; organizations routinely draw attention to these people because they help portray all sorts of privacy invasions in warm fuzzy terms as responses to popular demand. It's fitting that this new technology of deception originated in a military context, which presupposes a grossly adversarial relationship between the owners of a system and the people whose persons and lives are represented in the system's records. It would be much better, I think, to get beyond this mentality and design systems that are based on the well-known fair information principles of openness, clear notification, and collection of the minimal information needed to do the job.

It's also useful to imagine what could be accomplished by setting up an iris scanning machine on a street corner, or at the front door of a shop. Once databases of individual iris signatures become available, it would become possible to track people's movements surreptitiously. I can almost imagine the PR people explaining to us that participation in this service is perfectly voluntary, given that everyone has the option of wearing sunglasses.

Phil Agre, UCSD

---

End of PRIVACY Forum Digest 06.05

--- ```

This web service brought to you by Somewhere.Com, LLC.

Privacy [Going?] Down Underwriting

Source

Content

Privacy [Going?] Down Under