Privacy: Trails in the Sand
People have always left tracks behind them. Apart from the physical footsteps we leave in the dust and the mud, some of the
people who see us, and who we talk to, remember the events.
The twentieth century has seen a significant increase in the intensity of our trails. There have been many reasons for this,
including the increased scale and geographical spread of societies, the growth of organisations to the point where employees
have no personal relationship with the organisation's clients, and the ongoing drive for efficient and rational management.
Since the middle of the century, the capabilities, and the capacity, of various elements of the computing and communications
technologies have been an important driver of increased intensity in the personal data gathered, stored and used by
Some examples of trails that we have been leaving for some time are:
* charge account transactions (known to retail establishments and utilities such as electricity suppliers, that we
deal with on a regular basis);
* cheques drawn (known to our bank);
* loans (known to the lending bank, credit union, finance company, etc.);
* credit-card transactions (known to our credit-card operator and/or bank); and
* taxation details, welfare payments of various kinds, and licensing details (known to the various
government agencies that are responsible for these matters).
In many cases, these trails have remained entirely independent of one another.
In some cases, however, marketing organisations have shared data about our purchases; lending companies have shared data
about our applications for, and repayments of, loans; and the tax authority and more recently the Department of Social
Security have raided many different data-sources in an endeavour to catch people out.
Recent New Trails
We have been leaving additional tracks in the sand:
* debit-card payments
A proportion of what used to be anonymous cash transactions are now identified, because, during the early 1990s, we have
begun making many moderate-sized payments to supermarkets and petrol stations by debit-card instead of cash.
* ATM withdrawals
We are withdrawing money from ATMs more often than we used to in the bygone days when we went to bank-branches in
order to get cash into our wallets. This results in our whereabouts in time and space being recorded more frequently.
* telephone call records
The devices from which telephone calls are made, and the numbers to which the call is placed, are now recorded and
New Trails, Right Now
A whole series of developments is taking place, which are resulting in yet more, yet more intensive trails. Consider the
* building access
Entry to and exit from many buildings and areas within buildings is now controlled by cards and chips of various kinds.
These give rise to logs of which cards (and therefore which individuals) passed which points when, and therefore where
people were at various times.
Increasing use is being made of cameras and video-monitors, in such places as banks, shopping malls and car-parks. The
records are migrating from film to digital form, and are being kept for an increasing duration. Various universities and
companies are working on automating the detection of particular kinds of actions, and the identification of individuals
appearing on film.
* email traffic
The sources and destinations of all email are logged. Content is also logged, in many cases only briefly, but in others for an
extended period of time. Employers are tending to claim (and in some cases actually have) the power to monitor, and to
intercept any message sent or received by an employee. This was less clear with telephone calls, and logs of telephone calls
have generally not existed.
The sites and pages visited, the web-forms filled in (including their content), and the search-terms provided to spiders, are all
logged. This logging may be by the client workstation, a nearby server, or a distant server. The Netscape 'Cookies' feature
enables a server to initiate an inquiry into a file stored on a client; and Java scripts enable a server to cause processing to be
performed by a client.
* stored-value cards
Stored-value cards are intended to replace anonymous cash payments. Some schemes are just as anonymous as real cash; but
some are at best pseudonymous (by which is meant that an indirect identifier is used, rather than the person's 'real'
identifier); and in many SVC schemes, all transactions are identified. The large numbers of small-value transactions that we
undertake each day represent a splendid trace of our movements.
New Trails, Coming Soon
And there's more .... Here are some forthcoming sets of records:
* calling-number display ('CND' or 'Caller-ID')
Telcos are implementing technology to enable the receivers of calls to be able to see and record the number from which the
caller is dialling. The primary purpose of this is to enable marketing companies to gather identification, contact and
demographic data about their callers; and to inter-relate it to their existing data-holdings.
* personal telephone numbers
Until recently, telephone numbers have identified sockets in walls. With the advent of analogue mobile telephones, they
came to identify devices. With digital mobiles, they now identify the chips on the cards inside the devices (and shortly the
telephone company will be identifying both the chip and the device).
Meanwhile, plans are in place for numbers to be issued not to sockets, devices and chips; but to people. Calls will be placed
to a person, and the network will work out where the person is and how to connect the call. The ambiguity involved in
existing trails will disappear, as call records will unequivocally record which two people the conversation was between; and
the telephone network will incorporate a real-time locator capability for people generally. This will presumably be sold as a
* intelligent transportation systems
The transport industry intends that, in perhaps a decade's time, vehicles will be routinely tracked through transport
networks, and their drivers will pay for their usage of the space. Most such schemes are being designed to identify vehicles,
and even their owners, which will result in a real-time log of people's locations and movements.
A range of means are used for associating data with individuals. For a comprehensive review, see Clarke (1994).
There is an increasing trend towards the invention and application of biometric means of identification, which depend on
human attributes or behaviour. Although certainly not foolproof, they are capable of being more accurate than existing
schemes based on tokens and personal knowledge.
There is a great temptation to use the same identification scheme for multiple purposes. Where this is done, it is trivially
simple to merge two or more sources of data, and generate an even more intensive trail of personal data.
Does This Matter?
Some people regard all of the above as simply technological progress, and bound to be all for the best ('why else would
companies and governments be doing it?', they reason).
Other people perceive enormous dangers in the increasing intensity of personal data trails. These are based on:
* the low quality of most personal data;
* the scope for confusion and wrong inferences to be drawn from low quality data;
* the many different meanings that apparently identical kinds of data have (e.g. what do the terms 'spouse', 'child',
'dependent' and 'income' mean?);
* the far greater scope for confusion and wrong inferences to be drawn that arises from the mingling of multiple trails
of low quality, differently defined data;
* the scope for people to be pressured by organisations, government agencies and other individuals using the threat of
publication of data about them; and
* the 'chilling effect' which intensive data trails have on the exercise of freedoms, at the levels of individual
self-expression, art and politics, whether or not pressure is actually brought to bear.