Upload
steve
View
213
Download
1
Embed Size (px)
Citation preview
ww.sciencedirect.com
c om p u t e r l aw & s e c u r i t y r e v i ew 3 0 ( 2 0 1 4 ) 6 1 7e6 3 2
Available online at w
ScienceDirect
www.compseconl ine.com/publ icat ions/prodclaw.htm
Identity crisis: Global challenges of identityprotection in a networked world1
Alison Knight*, Steve Saxby
Institute for the Law and the Web, University of Southampton, UK
Keywords:
Digital identity
Identity crime
Identity management
Big data
Profiling
Mobile identity
Automated identification
Identity surveillance
Biometrics
1 An abbreviated version of this paper wasSecurity and Privacy Issues in IT Law) heldKnight, Alison (2013) ‘Identity crisis: global cPractice: Critical Analysis and Legal Reasoninfootsteps of ‘FIDIS’ (The Future of Identityprovided an integrated inter-disciplinary apphow future legal research around digital ide
* Corresponding author. Institute for the LaSouthampton, SO17 1BJ, UK.
E-mail addresses: [email protected]
http://dx.doi.org/10.1016/j.clsr.2014.09.0010267-3649/© 2014 Steve Saxby & Alison Knig
a b s t r a c t
Modern identity is valuable, multi-functional and complex. Today we typically manage
multiple versions of self, made visible in digital trails distributed widely across offline and
online spaces. Yet, technology-mediated identity leads us into crisis. Enduring accessibility
to greater and growing personal details online, alongside increases in both computing
power and data linkage techniques, fuel fears of identity exploitation. Will it be stolen?
Who controls it? Are others aggregating or analysing our identities to infer new data about
us without our knowledge or consent? New challenges present themselves globally around
these fears, as manifested by concerns over massive online data breaches and automated
identification technologies, which also highlight the conundrum faced by governments
about how to safeguard individuals' interests on the Web while striking a fair balance with
wider public interests. This paper reflects upon some of these problems as part of the inter-
disciplinary, transatlantic ‘SuperIdentity’ project investigating links between cyber and
real-world identifiers. To meet the crisis, we explore the relationship between identity and
digitisation from the perspective of policy and law. We conclude that traditional models of
identity protection need supplementing with new ways of thinking, including pioneering
‘technical-legal’ initiatives that are sensitive to the different risks that threaten our digital
identity integrity. Only by re-conceiving identity dynamically to appreciate the increasing
capabilities for connectivity between different aspects of our identity across the cyber and
the physical domains, will policy and law be able to keep up with and address the chal-
lenges that lie ahead in our progressively networked world.
© 2014 Steve Saxby & Alison Knight. Published by Elsevier Ltd. All rights reserved.
presented at the 2013 IAITL Legal Conference Series (8th International Conference on Legal,in Bangkok, Thailand and published in the conference proceedings as: Saxby, Steve andhallenges of identity protection in a networked world’. In: Kierkegaard, Sylvia (ed.) Law &g. Copenhagen, DK: International Association of IT Lawyers, p. 13. This paper follows in thein the Information Society), an EU-funded network of excellence from 2004 to 2009 thatroach to an identity research agenda, by offering a broad overview for possible reflection onntity might progress.
w and the Web, School of Law, Faculty of Business and Law, The University, Highfield,
k (A. Knight), [email protected] (S. Saxby).
ht. Published by Elsevier Ltd. All rights reserved.
c om p u t e r l aw & s e c u r i t y r e v i ew 3 0 ( 2 0 1 4 ) 6 1 7e6 3 2618
1. What does ‘identity’ mean today?
Identity refers to ‘who I am’. Extrapolating beyond this basic
definition presents us with a choice of intellectual routes. At a
descriptive level, identity is a physical fact inseparable from
and often unique to us (such as our fingerprints and DNA
profile). Surpassing our biological self, it incorporates bio-
graphical characteristics that others attribute to us or that we
acquire during our lives (such as our birth name, date of birth,
nationality or employment history). Combinations of identity
attributes may also include personality traits, our interests,
our habits and other behavioural characteristics.
Identity becomes even more intricate when we drill down
further. It is a concept shaped by context and circumstance.
Who I am now depends upon a host of factors. For example,
howwe present ourselves in our daily lives depends on where
we are, who we are with and what roles we are fulfilling.
Indeed, we have wider scope nowadays than generations
previously for constructing alternate identities for different
purposes. Consider someone who is a parent, a lawyer, a
diabetic, a keen gardener and a Manchester United football
supporter. While the projection of each aspect of ‘self’ may
correctly come to the fore under particular circumstances, a
person can be all of these personae simultaneously and much
more. Each one displays only a part of what makes up an in-
dividual. Our self-presentation (‘impression management’)
may also change over time as we respond to the norms and
expectations of others, and as we mature in ‘our-selves’. The
advance of the online world enhances this trend.
Identity conception is also pragmatic: it is that which
represents and makes us identifiable within a set of people.
Social identity, for example, typically refers to identification in
a group or belonging to a class. In this context, your race,
gender and sexual orientation are constituents of identity,
albeit that they may not be obvious to a bystander or neces-
sarily clear-cut. Closely associated is the phrase ‘cultural
identity’ suggesting association with a specific ethnicity, or
other tradition-based social grouping such as religious affili-
ation, which may be manifest through a particular choice of
lifestyle.
Law, by contrast, customarily conceives of citizens as
having only one, panoptic identity to which legal rights and
responsibilities affix.2 Nevertheless, even fairly stable civic
‘identifiers’ (those proxies bywhichwe are recognisable), such
as full name, nationality and gender, can alter over a lifetime,
with changes typically subject to legal recognition and ratifi-
cation. In combination with the fact that many of the formal
identifiers used by a State may be associated with more than
one individual within it, the conception of a fixed, single
2 Based on the locus of interests of the authors, this paperprovides examples primarily from European law and regulation,in particular from the UK. However, it is hoped that the readerwill appreciate that there are important commonalities to thechallenges faced by countries all around the globe that allowgeneralisation to a certain degree on these issues. For an inter-national perspective, we recommend Sullivan, C. (2010). DigitalIdentity, an Emergent Legal Concept: The Role and Legal Natureof Digital Identity in Commercial Transactions. Adelaide,Australia: University of Adelaide Press.
identity becomes legal fiction, together with the notion of a
fool-proof guarantee of its assurance. For example, although
possession of physical tokens (such as birth certificates) may
suggest that a recognised authority has provided them to us,
they do not connect intrinsically to us. The same is true for
information knowledge chosen by us (such as passwords).
Individuals only connect with identifiers with very high cer-
tainty in the case of certain biometrics (such as DNA). Such
obstacles are surmountable at an everyday practical level
because themeans for formal identification required by law is
variable depending upon the perspective of the one doing the
identifying, alongside the degree of certainty required in the
ultimate identity decision.
Given that identity reveals itself in digital as well as
physical contexts, an additional consideration in determining
what identity means today is the impact of modern technol-
ogy. Technology influences how we present ourselves and
how others identify us. The importance of identification grew
as electronic technologies replaced paper documents, gener-
ating personal data for storage and automatic processing into
usable information. Copying, searching, storing and sharing
personal details takes even less time and expense since the
arrival of the Internet and ‘datification’ (the ability to quantify
all sorts of information into machine-readable data format).3
Therefore, the notion of identity is multi-faceted and
evokes complex arrays of sub-themes. It distinguishes one
individual from another, while also connoting qualities of
sameness over time. Identity is a sumof different attributes by
which we, and others, recognise our individuality and shared
commonalities within sets of people. Furthermore, it com-
bines multi-disciplinary perspectives of psychology, physi-
ology and philosophy, amongst others academic areas. While
theories of identity from different disciplines persevere,
technological developments, in hand with economic and so-
cietal changes, affect modern identity perceptions, its con-
struction and presentation.
The purpose of this paper is to explore the changing nature
of identity online and reflect upon some current issues of
misuse giving rise to challenges worldwide of a legal and
policy nature. This work is a component of an interdisci-
plinary project called ‘SuperIdentity’, which seeks to develop
a model for evaluating and investigating elements of identity
across both online and offline spaces, together with the direct
and indirect linkages between them.4
The analysis develops in stages. The next section reflects
upon the distributed nature of digital identity. Sections three
and four explore identity misuse in its multiple forms,
including the rising challenges posed by big data and profiling
(where vast amounts of data are analysed extensively using
3 Cukier, K., & Mayer-Schoenberger, V. (2013) Big Data. A Rev-olution That Will Transform How We Live, Work, and Think.London, UK: John Murray, p. 15.
4 The Engineering and Physical Science Research Council(EPSRC) funds the SuperIdentity project under grant number EP/J004995/1. See ‘SID: An Exploration of Super-Identity’. Retrieved16 July 2014 from http://gow.epsrc.ac.uk/NGBOViewGrant.aspx?GrantRef¼EP/J004995/1. See also the Website of the Super-Identity Project. University of Southampton. Retrieved 21September 2013 from http://www.southampton.ac.uk/superidentity/.
c om p u t e r l aw & s e c u r i t y r e v i ew 3 0 ( 2 0 1 4 ) 6 1 7e6 3 2 619
complex algorithms). Bridging links between online and off-
line identities have potentially serious implications for in-
dividuals and raises concerns that need addressing as
important matters of policy. These are discussed in sections
five and six. The penultimate two sections reflect upon the
shortcomings of existing legal models for protecting in-
dividuals against identity misuse and suggest principles on
which to base an evolved legal and policy paradigm for tack-
ling the identity crisis. We conclude with a discussion of the
challenges ahead.
2. Digital identity and its fragmentation
At its most basic conceptualisation, digital identity suggests
the sum of all data available about us. It also has wider
connotations. We can express ourselves in more ways and
to more people online than offline, including through social
media, chat rooms, personal websites, discussion boards,
blogs and virtual worlds. Alongside extensive opportunities
to adopt group identities through common interests, cy-
berspace creates ideal conditions for generating an addi-
tional set of identities as individuals. Social categorisation
(such as by age, gender, race and body shape) is much more
difficult online.5 Our digital representation can additionally
take many forms: text, photos, videos, avatars and our ‘so-
cial map’ (the data visualisation of our network of
connections).
Thus, we can customise or construct anew multiple pre-
sentations of self online for multiple purposes and interact
with people and organisations inmany different ways via the
exchange of identity data.6 To this end, a growing area of
psychological research is concerned with how people
manage their identities online and why they express their
digital personae differently in certain online spaces.7 Of
course, we can also express and leak personal data online
without real awareness of who can see what about us. Even if
one chooses not to create user profiles online, for example,
others may still discuss us, ‘tag’ our image (link it to our
name), or merely collect information about us to which they
may add their own personal interpretation and embellish as
suits their wishes.
With increased sharing and accessibility of identity-related
data, boundaries between the public and the private are more
likely to breakdown online than offline. Moreover, partial or
total control over our projected identitiesmay be lost and false
personae imposed upon us. Consequently, our ‘digitally-
extensible’ selves emerge in fragments distributed across
5 International Telecommunication Union. (2006). ITU InternetReport 2006: digital.life. Geneva, Switzerland. Retrieved 21September 2013 from http://www.itu.int/osg/spu/publications/digitalife/, p. 93.
6 Floridi argues that we are informational entities and infor-mation communication technologies are “technologies of theself” (Floridi, L. (2013) The Ethics of Information. Oxford, UK:Oxford University Press, p.221).
7 See, for example, Whitty, M., Doodson, J., Creese, S., &Hodges, D. (2014). ‘Image Choice to Represent the Self in DifferentOnline Environments’. In: Social Computing and Social Media.Cham, Switzerland: Springer International Publishing, p. 528.
cyberspace. Taken together, isolated pieces of data moving
across multiple contexts can give incomplete and disjointed
informational perspectives of the people they partially
represent and lead to ill-founded assumptions that our ‘cyber-
doubles’ are comprehensive representations of our offline
selves.
Despite heightened concerns about privacy today, how
securely we protect our digital identities depends not just
upon active identity management techniques, but also on our
levels of understanding around the potential risks on theWeb.
A willingness to divulge personal details is rarely matched by
knowledge of what happens once such information is uploa-
ded online, viz. a recognition of the impact that subsequent
processing may have and how to action objections. The sheer
volume of personal data accessible makes effective oversight
impossible and few of us have the ability and desire to adjust
technical settings to minimise data disclosure or the will to
exercise the option to withdraw from the online world
completely. The increasing pace of technological change e
smart phones, tablets, apps, cloud storage, automatic image
recognition, faster connectivity and new platforms enhances
the potential for confusion.
Distinctions between, on the one hand, our self-projection
online and, on the other, the means of our online identifica-
tion, also blur increasingly. Technological advances have
made ‘cyber-identifiers’ e digital proxies for physical pres-
ence used to represent and establish our identities online e
increasingly accessible. As well as chosen by us, they can also
be imposed by others or derived and relatable to us through
analysis. Examples include usernames, user-specified ques-
tion responses, email addresses, PINs and online browsing
patterns. Yet, validating the identity of users through the
presentation of identity credentials is inherently more diffi-
cult online than offline. As the Web-overlaid Internet lacks an
embedded identification system at the network layer to war-
rant the identity of those we interact with, we are forced to
rely on application layer cyber-identifiers8 that can be
manipulated. Murray describes increasing reliance on proxy
data to identify ourselves as a “divorce of identity from the
person”, placing our disembodied identity “at unique risk” to
which we now turn.9
3. Online threats to identity
Identity threats of the type that exist in the physical domain
(the so-called ‘real’world) increase in type and severity online
due to the reach and availability of the Internet and the Web.
Moreover, the sheer volume of personal data now available
online, coupled with new technologies that makes it easier to
access and link together previously discrete elements of
identity in new ways, have facilitated an unprecedented level
of growth in personal knowledge capture. The consequences
8 ‘Application layer identifiers’ applied to the Web relate tosoftware applications for end-users that implement communi-cations methods across an Internet protocol (IP) computernetwork. An example is an email address.
9 Murray, A. (2011). Information Technology Law: The Law andSociety. Oxford, UK: Oxford University Press, p. 463.
c om p u t e r l aw & s e c u r i t y r e v i ew 3 0 ( 2 0 1 4 ) 6 1 7e6 3 2620
for individuals can be severe. It is critical, therefore, to
consider the main types of identity misusers, as well as their
methods and motivations.10
3.1. Criminals and the individual
Online identity fraud can take many forms. Often motivated
by the prospect of financial gain, typical means are through
the appropriation of one or more cyber-identifiers. This can
be by deception in an attempt to impersonate a victim, take
over their accounts (including their existing privileges,
together with any implied authority to create new privileges,
drained from their identifier-associated reputation) and
commit crimes under their persona. In extreme cases of
identity fraud, complete exposure of the physical person to
the criminal may follow as “the bleed between the [cyber-
space and the natural world] can offer opportunity for in-
telligence gathered in one to be used in attacks on the
other”.11
Loss attributable to identity crimes has risen exponentially
in total value since the Millennium and it is now a significant
problemworldwide.12 Cyberspace facilitates identity crime by
making it easier, quicker and less costly to identify and
defraud victims than in the offline world. Several factors may
explain why. Minimising physical interaction reduces crimi-
nals' operational risks. Online fraudsters can more easily
persuade victims to disclose personal details directly or indi-
rectly in exchange for perceived benefits.13 In addition, poorly
chosen password selection remains widespread due to the
convenience factor.14
10 These are not exhaustive categories. For example, identitymisuse online can be carried out by other individuals foundedupon a desire to manipulate and/or publicly humiliate an indi-vidual. Examples include the non-consensual revealing of a per-son's physical identity online, such as the unauthorisedpublication of material containing their private sexual activity.Reputational damage and other types of loss may follow, themagnitude of which should not be underappreciated by makersof policy and law.11 Hodges, D., & Creese, S. (2013, October). ‘Breaking the Arc:
Risk control for Big Data’. In: Big Data (2013) IEEE InternationalConference. IEEE, p. 613.12 For example in 2010, based on a review of several studies
carried out in the preceding decade regarding the extent ofidentity crime, Smith estimated that losses for the UK, Australia,the US and Canada exceeded the equivalent of £1 billion annuallyper country (Smith, R. (2010). ‘Identity theft and fraud’. In: TheHandbook of Internet Crime. Abingdon, UK: Willan Publishing,pp. 273e201, p. 293). In a 2014 report, McAfee estimated that thetotal cost of cybercrime to the global economy was $445 billionper annum: McAfee Center for Strategic and InternationalStudies. (2014). Net Losses: Estimating the Global Cost of Cyber-crime. Santa Clara, US. Retrieved 16 July 2014 from http://csis.org/files/attachments/140609_rp_economic_impact_cybercrime_report.pdf, p. 6.13 Whitty, M. (2013). The Scammers Persuasiveness Techniques
Model Development of a Stage Model to explain the Online DatingRomance Scam. British Journal of Criminology, 53:4, p. 665.14 Creese, S., Hodges, D., Jamison-Powell, S., & Whitty, M. (2013).
‘Relationships between Password Choices, Perceptions of Riskand Security Expertise’. In: Marinos, L., & Askoxylakis, I. (2013).Human Aspects of Information Security, Privacy, and Trust. Ber-lin, Germany: Springer Berlin Heidelberg, p. 80.
3.2. Business and the individual
We are witnessing the growing monetisation of digital iden-
tities in a transactional sense, to the point that identity is
touted as “the new money”.15 While information has always
been highly valued by commerce, data are now valuable
commodities. Data about us have become critical assets for
many businesses due to new streams of revenue unlocked
from within through data analysis. Many of these uses can be
beneficial or neutral in their effects upon individuals. E-com-
merce sites, like Amazon and Netflix, collect personal details
about their customers to offer automated, personalised ser-
vices. Cyberspace has also facilitated highly targeted adver-
tising via third party agreements. Google, for example, sells
data gathered about us so that user-suitable adverts may
display on its website.
Nonetheless, the effect on individuals can be prejudicial.
While individuals can barter for knowledge or access to ser-
vices via disclosure of aspects of their identity, thereby
forsaking a degree of privacy, temptations lurk in the online
world to reveal personal data in exchange for immediate
gratification that, conversely, we may be disinclined under
normal circumstances to share with a stranger or organisa-
tion in a physical setting.16 Personal details and preferences
can also form the basis of negative decisions taken about
individuals. These include potential exclusion from access to
services and offers, as well as other significant discrimination
and privacy implications. Worse, the overall ‘picture’ upon
which such decisions are based can be biased, dependent
upon the commercial perspective at play. As Rosen points
out, “In cyberspace…the version of you being constructed out
there e from bits and pieces of stray data e is probably not
who you think you are”.17 Of note, while Facebook and Google
brand themselves as identity service providers, they and
other online service providers are primarily interested in
individuating their customers so they can establish and
refine a commercial relationship with them by creating per-
sonalised and customer-oriented services, rather than in
strongly authenticating their customer records as factually
accurate.
To understand the extent of these concerns, we need to
consider how data gathering and processing have changed as
the cost of data storage has dropped. Not only do we interact
more digitally now, but also we do so in recordable ways that
are more easily convertible into analysable form, attributable
in real-time. From the trivial to themajor, data records link us
15 Crosby, S. HM Treasury. (2008). Challenges and opportunitiin identity assurance. London, UK. Retrieved 16 July 2014 frohttp://www.statewatch.org/news/2008/mar/uk-nat-identity-crosby-report.pdf, p. 3.16 The terms ‘identity data’ and ‘personal data’ are hereaft
used interchangeably to mean data that can be related (directlyindirectly) to an individual, the revelation of which individualor cumulatively may be sufficient to enable real-world disclosu(and traceability) of that person.17 Rosen, J. (2000). The Eroded Self. The New York Tim
Magazine. Retrieved 21 September 2013 from http://partnernytimes.com/library/magazine/home/20000430mag-internetprivacy.html.
esm
erorlyre
ess.
c om p u t e r l aw & s e c u r i t y r e v i ew 3 0 ( 2 0 1 4 ) 6 1 7e6 3 2 621
to the content we download from and upload to the Web,
enabling others to follow our ‘digital identity trail’ and trade
information related to it. This trail, in turn, is translatable into
knowledge about who we know, what we are interested in,
howwe are feeling and what we are doing. Even ourmetadata
(data about our data, automatically computer-generated as
logs by the use of certain technology, such as device hardware
details, operating system and browser version) can have
economic value as revealing personal information. For
example, from communications metadata it may be possible
to work out the identity of the persons with whom a service
user has communicated and by what means, the times of
communication, as well as the place from which that
communication took place and the frequency during a given
period.
While many companies are interested in such data in their
own right, data brokers act as intermediaries in collecting vast
amounts to sell-on to interested parties. Yet we are mostly
oblivious to the data generated, observed and stored around
our online activities. One example is an IP address (the
network address of an internet-connecting device) which is
easily detectable. Another is the installation by online pro-
viders (website operators or online advertising networks) of
cookies upon a user computer, with the ability to track
browsing behaviour.
The capacity to re-use data in new ways is another key
driver in data's monetisation. Indeed, the value generated by
data re-use is often for reasons not envisioned upon at first
collection. Economic value may similarly derive from aggre-
gating personal data to infer and extract additional knowledge
about individuals, with potentially severe privacy-related
consequences. It may prove particularly damaging to in-
dividuals by connecting compartmentalised contexts of their
lives and compromising their ability to separate these or to
counteract innuendo. We are similarly vulnerable to being
defined prejudicially when information is taken out-of-
context, such that “a part of our identities will come to be
mistaken for who we are”.18 Conclusions drawn about us by
companiesmay also be false. Hence, identities revealed in and
through cyberspace can become distorted, outdated and
increasingly detached from factual truth but nonetheless may
endure in online search results as if they are current and
correct.
4. The identity challenges of profiling
Increases in computing powers and new technologies are
major factors in the facilitation of profitability from identity
exploitation. The capacity for aggregating fragmented aspects
of our identities into much more complete identity compos-
ites is beyond that previously imaginable. In particular, the
identity risks for individuals flowing from the creation and
retention of vast repositories of personal data and associated
capabilities for automated profiling exceed those risks out-
lined so far.
18 Rosen, J. (2000). The Eroded Self. The New York Times Maga-zine. Retrieved 21 September 2013 from http://partners.nytimes.com/library/magazine/home/20000430maginternetprivacy.html.
4.1. Profiling techniques
In everyday language, a ‘profile’ refers to a collection of
characteristics applied to individuals. Thus, a typical com-
mercial purpose for creating a personal profile is to identify an
individual's purchasing interests. The term also finds use in
relation to criminal profiling, to draw up a list of characteris-
tics that might be associated with a targeted individual under
investigation.
Automated profiling, by comparison, is a technique that
starts from the premise of a group profile, created from data
collected from numerous individuals that may be applicable
to one or more of its members. A single source or cross-
referencing from multiple sources can be used to glean the
aggregated data, with the results either anonymised or relat-
able to individuals. The crucial commonality is using analytics
to create a group profile through the ‘mining’ of data to
discover correlated data patterns. Increasingly, the analytical
combination of extremely large and disparate data sets (so-
called ‘big data’) enables the identification of relational trends
between individuals that distinguish them as a set from
others. The final stage of profiling is the application of profiles
to known individuals because they share one or more of a
group profile's characteristics. Profilers then draw statistical
inferences to attribute new information to such individuals
resulting in the creation of predictions about previously un-
known elements of their identities upon which decisions may
be based.
4.2. Consequences for the individual
While inferential predictions about individuals based on data
correlations lie at the heart of the autonomic profiling
method, the discovery of new information that profilers may
infer through deductive reasoning over huge datasets can be
highly privacy-intrusive. Profiling can create highly accurate,
detailed and intimate insights into the multifaceted lives of
people. Due to the widespread availability of personal data
online, and the increasing possibilities of interlinking such
data, they can potentially reveal preferences, interests, habits,
or other sensitive attributes or associated facts about which
even the individual concerned may lack awareness. For
example, a study published in 2013 analysed what people
‘like’ on Facebook and found that “highly sensitive personal
attributes” e including sexual orientation, substance addic-
tion and even parental separation e are highly predictable.19
Moreover, the purposes to which knowledge acquired by
profilers (based upon inferential data-led conclusions) may be
used can give cause for concern. Profiles can form the basis of
negative and unjustified decisions taken about individuals,
such as price discrimination or denial of access to a service or
product. Discriminatory decisions taken based upon conclu-
sions drawn, such as by potential employers, insurers and
health providers, may also perpetuate existing prejudices and
stereotypes, in turn aggravating problems of social stratifica-
tion and exclusion. Automated profiling can also lead to
19 Kosinski, M., Stillwell, D., & Graepel, T. (2013). Private traitsand attributes are predictable from digital records of humanbehavior. Proceedings of the National Academy of Sciences, 110:15, p. 5802.
c om p u t e r l aw & s e c u r i t y r e v i ew 3 0 ( 2 0 1 4 ) 6 1 7e6 3 2622
inferential predictions about an individual's future behaviour.
In 2012, a study reported the ability to predict a person'sapproximate location up to 80 weeks into the future, at an
accuracy level of above 80%.20 This possibility bodes serious
cause for concern when persons are subject to decisions and
actions “in the name of the behaviour they are expected to
have taken”.21
Furthermore, there are risks associated with the applica-
tion of inaccurate profiles to individuals. Errors and bad data
aside, since autonomic profiling uses statistical extrapolation,
its output will de facto not always be factually correct. The
possibility of profiling leading to erroneous conclusions
regarding a person's identity can have serious ramifications
for the profiled, including falsifying their identities and
possibly leading to false accusations.
Perhaps most disturbingly from an Orwellian perspective,
profiling is far less transparent than other personal data pro-
cessing. The profiled may not be aware that it is taking place
nor its extent. Even if aware, theymay still not understand the
source of the data that led to the creation of profiles about
them, the logic of follow-on decisions or be able to access their
profiles to correct them. As Hildebrandt observes, we have “no
effective means to know whether and when profiles are used
or abused”.22 Major risks associated with profiling activities
are conceivable, therefore, in terms of shifting informational
power structures that favour profilers heavily over the pro-
filed. Hence, the creation of profiles and reliance upon them
may have significant effects on the interests and rights of
individuals.
5. Linking online and offline identities
So far, we have considered profiling processes directly linked
to specific individuals. Individuals do not have to be identified
(in a real-world sense) to be subject to profiling, however, as
long as they are distinguishable from other individuals. An
example is an individual who remains non-traceable by the
20 Sadilek, A., & Krumm, J. (2012). Far Out: Predicting Long-TermHuman Mobility. Twenty-Sixth AAAI Conference on ArtificialIntelligence, 2012. Retrieved 16 July 2014 from http://www.cs.rochester.edu/~sadilek/publications/Sadilek-Krumm_Far-Out_AAAI-12.pdf. According to the abstract of the paper describing thefindings of the study, the authors use “an efficient nonparametricmethod that extracts significant and robust patterns in locationdata, learns their associations with contextual features (such asday of week), and subsequently leverages this information topredict the most likely location at any given time in the future.The entire process is formulated in a principled way as aneigendecomposition problem. Evaluation on a massive datasetwith more than 32,000 days worth of GPS data across 703 diversesubjects shows that our model predicts the correct location withhigh accuracy, even years into the future”.21 Bellanova, R., & Friedewald, M. (2011). Deliverable 1.1: Smart
Surveillance e State of the Art. Retrieved 21 September 2013 fromhttp://www.sapientproject.eu/docs/D1.1-State-of-the-Art-sub-mitted-21-January-2012.pdf, p. 15.22 Hildebrandt, M. (2007). ‘Profiling and the Identity of the Eu-
ropean citizen’. In: Hildebrandt, M., & Gutwirth, S., (Eds.). (2008).Profiling the European Citizen. Cross-disciplinary perspectives.Dordrecht, Holland: Springer, p. 318.
profiler but is recognisable from online browsing patterns
collected about them via cookies.
Where profiles relate to unknown individuals, we might
assume that the potential consequences for them are less
severe. However, where large-scale aggregation and anal-
ysis of data is involved, profiles not directly linked to a
physical identity now may become linkable later on. In
other words, individuals are more easily identifiable offline
because of large-scale aggregation and analysis of data from
an array of digitised sources that span online and offline
contexts. An example is cross-referencing a user's bankcard
transactions with metadata related to their mobile phone
and social networking sites (SNS) to deduce where a person
has been, at what time, what they were doing and with
whom.
Attempts to link aspects of offline and offline identities
may increase in the future, not just because of the
“increasingly networked state of many people's lives”,23 but
also because of growing commercial demand for more ac-
curate personal and behavioural profiles. For example, last
year Facebook announced that it had struck a deal with data
brokers to merge their data, linking real-world activities to
those online.24 SNS specifically designed for smart phone
(‘MOSN’) may also play a large role in this trend. Through
access to geo-location metadata about the phones of users
and those of their connections, “[t]he combination of loca-
tion information, unique identifiers of devices, and tradi-
tional leakage of other personally identifiable information
now give third-party aggregation sites the capacity to build a
comprehensive and dynamic portrait of MOSN users”.25 The
implication here is that the boundaries between online and
offline activities will blur further. As offline activities are
increasingly reflected in information about us online, “the
quantity, fidelity, sensitivity, resulting value of this infor-
mation is increasing”.26
Of course, the linking of offline and online identities via
automated profiling or other mechanisms to create the po-
tential for more robust means of identification may also be
intended to benefit the average citizen. To combat the risks
associated with identity misuse, for example, the Super-
Identity project proposes that a complete sense of modern
identity requires acknowledgement and understanding of
23 The Government Office for Science. (2013). Foresight FutureIdentities e Final Report. London, UK. Retrieved 21 September2013 from http://www.bis.gov.uk/assets/foresight/docs/identity/13-523-future-identities-changing-identities-report.pdf, p. 24.24 Sullivan, B. (2013). Facebook to team up with real-world data
brokers to pick ads for you. NBC News. Retrieved 21 September2013 from http://www.nbcnews.com/technology/facebook-team-real-world-data-brokers-pick-ads-you-1C8552879.25 Castelluccia, C. (2012). ‘Behavioural Tracking on the Internet:
A Technical Perspective’. In: Gutwirth S., Leenes R., De Hert, P., &Poullet, Y., (Eds.). (2012). European Data Protection: In GoodHealth? London, UK: Springer, p. 26.26 Van Kleek, M., Smith, D. A., Tinati, R., O'Hara, K., Hall, W., &
Shadbolt, N. (2014). ‘7 billion home telescopes: observing socialmachines through personal data stores’. In: Proceedings of thecompanion publication of the 23rd International Conference onWorld Wide Web Companion. International World Wide WebConferences Steering Committee, p. 915.
c om p u t e r l aw & s e c u r i t y r e v i ew 3 0 ( 2 0 1 4 ) 6 1 7e6 3 2 623
both offline and online spaces in unison, and appreciation of
how identification reliability can vary with context, as a
means to help detect online deception. Specifically, the proj-
ect analyses general correlations found in datasets between
identity measures from the following four domains, together
making a ‘superidentity’27
� ‘Biometric’ encompassing physical (including behavioural)
traits, e.g. iris patterns or fingerprints;
� ‘Biographical’ related to facts about people, e.g. age or
name;
� ‘Personality’ related to those beliefs, values or traits that
direct and determine behaviour, e.g. howwe choose online
avatars; and,
� ‘Cybermetric’ characteristics related to our online identi-
ties, e.g. social media profiles or swipe patterns on smart
phones.
Mapping linkages between different types of identifiers in
suchdomains so classified - in particular, those linking aspects
of identity in the physical world to those in the digital world-
feeds into a complex mathematical model created and
visualisedwithin theproject.28 In turn, thismodel can facilitate
clearerunderstandingofhowto improvetheaccuracyofdigital
identification and authentication decisions. Upon populating
the model with person-specific data during an investigation,
for example, it can help spot potential contradictions in those
data that might denote identity-related fraud. This model also
aims to enable knownmeasures of identity in particular cases
to predict unknown measures, generating new insights about
suspect individuals during a law enforcement or intelligence
investigation to enrich their identity profiles.
For example, a prediction about an individual's gender e
and the confidence that can be associatedwith that prediction
can be enhanced not only by knowledge about their anatom-
ical features (say, their height), but also by knowledge about
the relationship between certain anatomical features,
enabling inference from one feature to another (say, gait
stride to height). Similarly, personality traits and other bio-
graphical and/or biological identifiers may be inferred with
certain levels of confidence from choices revealed in the cyber
domain for example, by an online user's default SNS privacy
settings, their choice of virtual avatar and the pattern of their
onscreen touch gestures.29
The advanced capabilities of automated identification
technologies for both private and public contexts, bringing
27 Black, S., Creese, S., Guest, R., Pike, B., Saxby, S., StantonFraser, D., Stevenage, S., & Whitty, M. T. (2012). Superidentity:Fusion of identity across real and cyber domains. ID360: TheGlobal Forum on Identity.28 Creese, S., Gibson-Robinson, T., Goldsmith, M., Hodges, D.,
Kim, D., Love, O., Nurse, J., Pike, B., & Scholtz, J. (2013). ‘Tools forunderstanding identity’. In: Technologies for Homeland Security(HST) (2013) IEEE International Conference. IEEE, p. 558.29 Emanuel, L., Bevan, C., & Hodges, D. (2013). ‘What does your
profile really say about you?: Privacy warning systems and self-disclosure in online social network spaces’. In: ACM SIGCHIConference on Human Factors in Computing Systems (CHI2013):Extended Abstracts, April 27eMay 2, 2013 Paris, France.
both individual risks and public benefits, justify contempla-
tion of policy and legal considerations.
6. Challenges for identity policy
6.1. States and the individual
Identity issues challenge governments around the world.
States focus significant efforts on reliablemeans of identifying
individuals residing in their jurisdictions. Yet the methods
they use may vary widely. In particular, States have different
cultural attitudes affecting their choice of identity verification
and authentication schemes, from reliance upon possession
of physical tokens to usage of high-tech identification tech-
nologies and data analytics. For example, in the last decade
the UK saw a sharply contested debate around the proposal to
introduce compulsory, state-issued identity cards, later
dropped in the face of a public outcry over concerns that it
would infringe civil liberties.30
The Web has also caused many governments to re-
examine their identity policies. With the rise in online iden-
tity fraud, States grapple with the unique challenges associ-
ated with identification policies in cyberspace, including the
setting of appropriate levels of trustworthy identity manage-
ment and assurance standards in relation to the provision of
e-government services.
The reasons that States may require reliable identifica-
tion techniques can vary in different contexts but typically
relate to security concerns. We look briefly at three fields of
application from a policy perspective.
6.1.1. ImmigrationImmigration issueshave dominated newsheadlinesworldwide
over the last decade. Physical tokens that countries use to
authenticate identity, with varying degrees of success, include
birth certificates, passports and identity cards. As the sophisti-
cation of identity authentication technologies increase, some
countries are also developing and implementing state-wide
initiatives involving electronic identity (‘eID’) cards designed
arounddigital proxies, suchas electronic signatures andunique
identification numbers, supported by encryption techniques.
The combination of multiple metrics of identification has clear
benefits over single proxies of identity in termsof increasing the
probability of making a correct identification.31 However,
30 The UK Identity Cards Act 2006 was repealed following criti-cism around the feasibility of its national identity card schemeproposals, the public interest benefits of which (if achieved) wereconsidered likely to be disproportionately small compared to thesecurity and privacy risks involved. Central to this debate was thepublication of a report setting out the view that “the proposals aretoo complex, technically unsafe, overly prescriptive and lack afoundation of public trust and confidence” (Department of In-formation Systems, London School of Economics and PoliticalScience. (2005). The identity project: an assessment of the UKIdentity Cards Bill and its implications. London, UK. Retrieved 11August 2014 from http://eprints.lse.ac.uk/684/).31 In India, for example, there is a huge national programme of
identity registration underway designed to give every citizen anidentity that relies on three biometric modalities: face, finger-print, and iris scans.
c om p u t e r l aw & s e c u r i t y r e v i ew 3 0 ( 2 0 1 4 ) 6 1 7e6 3 2624
despite notable efforts to introduce cross-border interopera-
bility,32 a lack of international harmonisation is currently
a significant limitation upon the utility provided by eID cards.
The possibility of globally recognised and operable digital
identifiers seems unlikely without incorporating biometric
recognition, an increasingly common feature in civilian ap-
plications. Biometric traits are a preferred security standard as
they are inherent to the individual and cannot be lost or
transferred. Some show strong anti-spoofing capabilities and
others require evidence of viability of life, making them
difficult to use fraudulently. The value of a biometric en-
hances when it carries unique or near-unique characteristics
that are stable and resistant to change. eID cards may contain
one or more biometrics of the individual concerned, such as
facial and fingerprint images, often accompanied by radio
frequency identification (RFID) chips. There has also been
uptake in the use of automated biometric recognition tech-
nologies, predominantly iris and fingerprint scans, in border
control procedures.
The security and privacy risks associated with the use of
biometrics online include the fact that digital biometric rep-
resentations are still liable to misappropriation at potentially
greater risks to individuals than other methods of identity
assurance.33 Moreover, identity authentication is only
possible when there is a pre-existing database to check
against, which hinders mass scaling.
In addition, border controls use profiling techniques. Pas-
senger surveillance systems analyse and data mine personal
data to identify high-risk travellers. Resultant profiles may
constitute “the basis for decisions on fly/no-fly, arrest, detain
for questioning and so on”.34 It can also generate inferences
about matters not relevant to security issues, “[b]y collecting
and correlating information like ‘special meal requirements’
or ‘seating particularities’ or even by ‘efficient’ use (profiling)
of the same individual's name, inferences may be made about
such sensitive issues as the religion or health condition of the
passengers”.35
32 An interoperability agenda in eHealth and eGovernment ismoving forwards within the EU as part of the single marketobjective to support the mobility of its citizens across borders. Forexample, the EU launched its ‘STORK 1.0’ (Secure idenTity AcrOssBoRders LinKed) project to promote mutual recognition of na-tional electronic identities, enabling EU-wide citizens to accesselectronic public services securely in EU Member State countriesother than their home country.33 See, for example, Senator Franklin, A. (Chairman of the US
Senate Judiciary Subcommittee on Privacy, Technology and theLaw). (2013). Letter to the CEO of Apple, Inc. about the inclusion ofa fingerprint reader on the iPhone 5S. Retrieved 21 September2013 from http://www.franken.senate.gov/files/documents/130919AppleTouchID.pdf: “[I]f hackers get hold of your thumb-print, they could use it to identify and impersonate you for therest of your life”.34 Geradts, Z., & Sommer, P., (Eds.). (2008). Forensic Profiling
(FIDIS Deliverable D6.7c). Retrieved 21 September 2013 fromhttp://www.fidis.net/resources/fidis-deliverables/forensic-implications/d67c-forensic-profiling/.35 Papakostantinou V., & De Hert P. (2009), The PNR Agreement
and Transatlantic anti-terrorism Cooperation: No firm humanrights framework on either side of the Atlantic. Common MarketLaw Review, 46:3, p. 887.
6.1.2. Law enforcementOne of themost important uses for identificationmechanisms
is in law enforcement. The importance of identifying persons
responsible for the commission of criminal behaviour
correctly remains at the heart of justice systems across the
globe because of the dire consequences of wrongful identifi-
cation for the innocent and guilty alike. Law-enforcers there-
fore require both the tools and skills necessary to enable them
to attribute behaviours to individuals as accurately as possible.
In developing ways to make more robust the means of
identifying criminals, countries have moved generally to-
wards implementing national biometric databases (typically
of fingerprints and DNA samples), as well as researching
models for enhancing abilities to identify individuals within
cyberspace, both raising privacy and security concerns.
Intelligence-led policing aimed at identifying potential
criminals to manage (and if possible pre-empt) risks of future
offences taking place (so-called ‘predictive policing’) is also
generating increasing interest at a governmental level, of
which the inferential capacities of automated profiling is a
vital component. However, to cast judgement on people for
actions they have not carried out, reliant upon machine
agency predictions of what they might do, has obvious im-
plications for notions of fairness and justice based upon a
presumption of innocence until guilt is proven.36
6.1.3. Counter terrorismIdentity-related intelligence gathering is now at the forefront
of national security priorities, in particular to detect and pre-
vent terrorist attacks. In order to respond to terrorist threats,
investigating agencies aim either to identify a known target or
to single out possible enemies of the State based on certain
characteristics or behavioural patterns.
The Web increases the potential for covert surveillance
activities (‘dataveillance’) by States on individuals. Govern-
ments are also interested in automated profiling technolo-
gies. What sets governments apart from the private sector is
the amount of data potentially available to them about the
activities and habits of their citizens from which to uncover
knowledge and generate profiles. Many governments have
sought legislative powers to tap into personal data held by
companies. Publicly available information and information
input on government records are other potential sources of
personal data that governments can mine.37 This potential
impact on individuals will be exacerbated in countries
where private data is shared between different public
agencies.38
36 Cukier, K., & Mayer-Schoenberger, V. (2013) Big Data. A Rev-olution That Will Transform How We Live, Work, and Think.London, UK: John Murray, p.163.37 Obvious examples include health records, tax records and law
enforcement records.38 Plans to share more personal data between public bodies is a
point of current contention and scrutiny in the UK (see, e.g. TheTelegraph, (2014). Revealed: Whitehall plans to share your privatedata. Retrieved 8 August 2014 from http://www.telegraph.co.uk/news/11009405/Revealed-Ministers-blueprint-to-share-private-data.html).
c om p u t e r l aw & s e c u r i t y r e v i ew 3 0 ( 2 0 1 4 ) 6 1 7e6 3 2 625
6.2. Balancing private interests against public interests
Thus, there are many legitimate reasons why governments
need to investigate and enrich their knowledge of an in-
dividual's identity. At times, it may be justified for a State to
use surveillance technologies without an individual'sknowledge. Nevertheless, the intrusion accompanying such
measures raises important questions for policy-makers about
how to strike a fair balance between private and public
interests.
The major concern is one of ensuring the necessity to
legitimate purpose and proportionality. Media reports about
the broad remit of the data-gathering powers of the National
Security Agency (NSA) in the US have spurred global debate
on this issue. For example, the NSA has admitted to coming
into contact with nearly 2% of the total 1.826 petabytes of
online data processed every day.39 Human analysts employed
by the State may review a mere fraction only of the mass of
online data under surveillance at the time of interception.
However, there are obvious temptations for States to try to
legitimate the indiscriminate retention of data (the content
as well as associated metadata linked to online communi-
cations) for long durations in case some of it proves ‘useful’
later on.
Of course, the US government is one of many amassing
mountains of personal data. However, different States take
different approaches to striking a fair balance between public
and private interests. The decision-making process is highly
politicised and the types of safeguards taken to ensure fair
balance diverge. Indeed, the need for safeguards may be
under-appreciated where technology (“neither good nor bad,
nor […] neutral”)40 plays a critical role rather than human
judgement.
A recent UK government-commissioned report on future
identities makes predictions as to how Britons may perceive
and use identities in the coming decade in light of techno-
logical impacts and their possible consequences for UK so-
ciety. In this context, the report describes trust levels
between citizens and authorities as “critical to issues such as
holding, protecting and regulating personal data, and the use
of ‘big data’ sets”.41 This statement holds true worldwide.
Nevertheless, achieving sufficient levels of civic trust based
solely upon the premise that public policy is capable of
establishing fair trade-offs between public and private
39 National Security Agency. (2012). The National SecurityAgency: Missions, Authorities, Oversight and Partnerships.Retrieved 21 September 2013 from http://www.nsa.gov/public_info/_files/speeches_testimonies/2013_08_09_the_nsa_story.pdf.40 Kranzberg M. (1986), Technology and History: Kranzberg's
Laws, Technology and Culture, 27:3, p. 544.41 The Government Office for Science. (2013). Foresight Future
Identities e Final Report. London, UK. Retrieved 21 September2013 from http://www.bis.gov.uk/assets/foresight/docs/identity/13-523-future-identities-changing-identities-report.pdf, p. 51.More generally, in summarising the findings of a project thataimed to come to a broad and independent scientific view ofchanging identities in the UK by bringing together multi-disciplinary evidence, the report is an interesting contributionto the worldwide dialogue ensuing about governmental roles inorienting policy around identity issues in hyper-connectedsocieties.
interests is challenging. How policy makers establish trade-
off decisions (such as the processes by which they identify
and assign values to different types of interests, e.g. in the
context of national security and privacy concerns) are rarely
transparent.
We now turn to law to see if legal models for protecting
identity are more effective.
7. Legal models for identity protection
Along with concerns relating to State public policy about
identity, there is increased awareness of the importance of its
protection in law in its own right. To ensure legal safeguards
protect individuals against the risks outlined above, we look
first to existing legal models. Two models are chosen, as they
form part of the legal frameworks of many countries world-
wide. These are the right to privacy and rules on data pro-
tection. Both recognise that, while States have primary
obligations to ensure the security of their citizens, it is also
necessary to preserve individual freedoms enshrined in law.
7.1. A right to privacy e a redress model
A right to privacy is often part of human rights legislation.
Examples include Article 8 (“the right to respect for an in-
dividual's private and family life”) of the European Convention
on Human Rights and Fundamental Freedoms (‘ECHR’),42 and
Article 7 (“the right to respect for private life”) of the EU
Charter of Fundamental Freedoms (‘the Charter‘),43 to which
the vast bulk of European countries subscribe. In general, a
privacy right of this type codifies the notion of entitlement to
some level of protection from the scrutiny and interference of
public powers.
As a human right, the right to privacy so conceived is also
an example of law that applies after the appearance of dam-
age flowing from a wrong, which aims to compensate victims
for harm caused by the actions of another and/or to penalise
the perpetrator of that harm. A fundamental feature of this
legal model is redress: protecting individuals from the effects
of an unjustified interference by States into their private af-
fairs after it has happened.
A right to privacy is not absolute, however, but subject to
countervailing human rights and public interests (such as
crime prevention and national security) on the facts of each
case. In other words, for it to be justified as legitimate in
law, any interference with privacy rights must usually be
proportionate (‘no greater than that required’) to achieve
other legally recognised rights or interests in the public
interest.
42 Council of Europe, European Convention for the Protection ofHuman Rights and Fundamental Freedoms, as amended by Pro-tocols Nos. 11 and 14, 4 November 1950, ETS 5.43 Charter of Fundamental Rights of the European Union, OJ C
364, 18.12.2000, p. 18. The EU Lisbon Treaty made the EU Charterof Fundamental Rights legally binding on EU Member States,explicitly recognising both the right to respect for private life andthe right to protection of personal data.
47
c om p u t e r l aw & s e c u r i t y r e v i ew 3 0 ( 2 0 1 4 ) 6 1 7e6 3 2626
A recent European Court of Justice (‘ECJ’) judgement is
instructive in this regard. In the Digital Ireland case,44 the ECJ
considered the compatibility of the EU Data Retention Direc-
tive45 with the Charter, in particular its Article 52(1), which
provides that, “any limitation on the exercise of the rights and
freedoms recognised by this Charter must be provided for by
law and respect the essence of those rights and freedoms”.
The Directive mandates that EU Member States adopt laws
requiring communications service providers to retain for be-
tween six and 24 months certain types of traffic, subscriber
and location data generated by their service users, which can
then be made available for the purposes of the investigation,
detection and prosecution of “serious crime”. The ECJ held
that the collection and retention of the large quantities of data
generated in connection with the pervasive, everyday elec-
tronic communications of EU citizens constituted a particu-
larly serious interference with Article 7 of the Charter.
Specifically, the Court stated that, taken as a whole, such
metadata can supply very precise and intimate information
revelatory of the private lives of persons.46 While the ECJ
accepted that the provisions included in the Directive were
nevertheless suitable to achieve a material public interest
objective, it found that the duration of the retention period
constituted a disproportionate interference with the right to a
private life, and one moreover without any temporal,
geographical or other restrictions based on individuals'behaviour. For those reasons, the Directive was declared
invalid. In other words, the legislative instrument was
adjudged to overvalue the achievement of public interests to
the detriment of the protection of private ones.
As with public policy, however, the judicial trade-off
thought process between private and public interests is
rarely so transparent as to be found debated in a publicly-
available court judgement of the highest jurisdictional level.
Indeed, appropriate levels of transparency, in terms of what a
citizen can expect to find out about public interests such as
national security, is worthy of separate and lengthy legal
discussion. Moreover, while legislation usually contains its
own privacy safeguards embedded into their statutory
framework (for example, surveillance legislation setting out
the legal conditions necessary for authorisation of surveil-
lance activities), it is unclear how such due process would
44 Digital Rights Ireland and Seitlinger and others, Joined CasesC-293/12 and 594/12, 8 April 2014.45 Directive 2006/24/EC of the European Parliament and of the
Council of 15 March 2006 on the retention of data generated orprocessed in connection with the provision of publicly availableelectronic communications services or of public communicationsnetworks and amending Directive 2002/58/EC, OJ L 105, 13.4.2006,p. 54.46 Indeed, in his (non-binding but influential) Opinion preceding
the ruling in this case, Advocate General Cruz Villal�on describedthis possibility as extending at its fullest to providing “a completeand accurate picture of his private identity” (paragraph 74). Thus,the Advocate General appears to recognise the importance of anidentity thematic in law where an aggregation of data pertainingto the activities of individuals is being considered. The implica-tion is that Web-based activities should be considered integral towho we are as evidencing a core component of the multi-facetedlives we now lead.
apply to automated data analytics, especially in the context of
enabling State-commissioned, pervasive online surveillance.
A redress right to privacy against a State, therefore, ap-
pears unfit for purpose on its own to address the identity
challenges outlined above. Overall, it is adrift from the tech-
nological reality of digital identity misuse as currently exists.
Moreover, Andrade warns that any form of privacy fixation in
legal terms obscures identity's significance in its own right.47
For example, the seclusion of parts of us from the public
view only protects against certain types of identity misuse.
Rather than wishing to hide from public view, victims of
identity misuse may seek to create or maintain a truthful
expression of their identity in public uncontradicted (what we
might call ‘identity integrity’ concerns).48 There is also a view
that societal fascination with privacy over the last three de-
cades has in fact facilitated an increase in identity crime.
According to LoPucki, the decline in ‘public identities’ since
the 1970's (“in a world where home addresses were listed in
numerous public places and names were plastered on the
sides of mailboxes”), together with greater secrecy generally
in society around the identification process in private trans-
actions, has enabled impersonation in ways that are now
often invisible to a victim.49
7.2. Data protection e a control model
With the introduction of the data protection model, the law
evolved from focussing on privacy in relationships to focus-
sing on informational privacy. The principles it espouses aim
to ensure fair automatic processing (including collection,
storage, dissemination and use) of personal data by thosewho
have control over such activities.
An example is the EU Data Protection Directive (‘the
Directive’).50 According to the Directive, “personal data”51
should be obtained only for specified, explicit and lawful
purposes and not further processed in any incompatible
manner with those purposes; kept for no longer than is
necessary for those purposes; shall be adequate, relevant and
not excessive; and where necessary, kept up-to-date. Data
controllers of personal data should notify the data subjects of
Andrade, N. (2011). ‘The Right to Privacy and the Right toIdentity in the Age of the Ubiquitous Computing: Friends of Foes?A Proposal towards a Legal Articulation. In: Akrivopoulou, C., &Athanasios, P. (Eds.). (2011). Personal Data Privacy and Protectionin a Surveillance Era: Technologies and Practices. Hershey, US:Information Science Publishing, p. 19.48 Burrell, W. (2011). I Am He as You Are He as You Are Me: Being
Able to Be Yourself, Protecting the Integrity of Identity Online.Loyola. L.A. Law Review 44, p. 705.49 LoPucki, L. (2003). Did Privacy Cause Identity Theft? Hastings
Law Journal, 54:4, p. 1278.50 Directive 95/46/EEC on the protection of individuals with re-
gard to the processing of personal data and on the free movementof such data, OJ L281/31 (1995).51 Personal data are defined in the Directive as “any information
relating to an identified or identifiable natural person (“datasubject”); an identifiable person is one who can be identified,directly or indirectly, in particular by reference to an identifica-tion number or to one or more factors specific to his physical,physiological, mental, economic, cultural or social identity”(Article 2(a)).
57 In 2013, the national data protection authorities of six EUMember States (France, the Netherlands, the UK, Spain, Ger-many and Italy) announced that they would set up an inter-national administrative cooperative procedure between themto examine whether Google was complying with EU data pro-tection rules in respect of its revised privacy policy. Retrieved11 August 2014 from http://www.cnil.fr/english/news-and-
c om p u t e r l aw & s e c u r i t y r e v i ew 3 0 ( 2 0 1 4 ) 6 1 7e6 3 2 627
the purposes for which they intend to process the data and
provide access to them in certain circumstances. These and
other Directive provisions are distillable, broadly, into princi-
ples espousing proportionality, accuracy and transparency.
Data protection rules predominantly aim to prevent unfair
data processing before it occurs, with the intention of safe-
guarding individuals' rights to control whether, how, for what
purpose and whomay process their personal data. The model
does this primarily through reliance upon the notion of an
entitlement to give or withhold ‘informed’ consent at the time
the data is collected. Notwithstanding, the rules are subject to
some exemptions, such as in cases of personal data held for
law enforcement purposes where the upholding of data pro-
tection principles is considered likely by the data controller to
prejudice the prevention or detection of crime, or the appre-
hension or prosecution of offenders.
As such, the model aims to remedy a number of limitations
suffered by the right to privacy as applied to information tech-
nologiesas, according toAndrade, “scholarsbeganrealizing that
the underlying interest for isolation and seclusion was not suf-
ficient toprotectone'sprivacy”.52Andradegoeson tosay that, in
this way, the concept of privacy “took on an activist dimension,
entailing … a person's right to control the world in order to
maintain her secret “hiding place” so changing “fromstances of
passivity and seclusion to activity and control”.53
Nonetheless, the data protection model also falls short in
its ability to protect identity. One criticism relates to its
reliance upon the efficacy of the informed consent mecha-
nism. The Directive requires that consent be “unambigu-
ous”54 and a “freely given, specific and informed indication of
the wishes by which the data subject signifies his agreement
to personal data relating to him being processed”.55 In prac-
tice, however, the consent regime is rarely adequate as con-
sent generally turns out be “formal, rarely free and often
unavoidable”56.
A connected criticism relates to how themodel approaches
proportionality. In exhorting the limitation of personal data
processing to the specific purposes for which it was gathered
(the purported ‘purpose limitation’ rule), data protection rules
aims to prevent further uses of personal data in different
contexts that data subjects may find objectionable. This
approach to addressing the problem of creeping data func-
tionality is flawed in practice when viewed in combination
with the confidence placed upon the notion of informed
52 Andrade, N. (2011). ‘The Right to Privacy and the Right toIdentity in the Age of the Ubiquitous Computing: Friends of Foes?A Proposal towards a Legal Articulation. In: Akrivopoulou, C., &Athanasios, P. (Eds.). (2011). Personal Data Privacy and Protectionin a Surveillance Era: Technologies and Practices. Hershey, US:Information Science Publishing, p. 19.53 Andrade, N. (2011). ‘The Right to Privacy and the Right to
Identity in the Age of the Ubiquitous Computing: Friends of Foes?A Proposal towards a Legal Articulation. In: Akrivopoulou, C., &Athanasios, P. (Eds.). (2011). Personal Data Privacy and Protectionin a Surveillance Era: Technologies and Practices. Hershey, US:Information Science Publishing, p. 22.54 Article 7, the Directive.55 Article 2(h), the Directive.56 Gutwirth, S., Poullet, P., De Hert, P., de Teerwangne, C., &
Nouwt, S. (Eds.). (2009). Reinventing Data Protection? Dordrecht,Holland: Springer, Preface xiii.
consent at the time of data collection. How can organisations
provide notice, and individuals give informed consent, to
exploitation of their personal data for unknown future pur-
poses (including data aggregation as part of profiling activ-
ities)? Without consent, however, any re-use of personal data
would require re-asking permission from every data subject.
Huge datasets wouldmake this process a logistical nightmare.
Such tensions were visible from the European-wide regu-
latory action faced by Google concerning its 2012 adoption of a
single, sweeping privacy policy.57 The revision of its privacy
policy allowedGoogle to aggregate and evaluate extensively all
of its users' personal data from their different Google service
accounts, thereby enhancing significantly its ability to create
enrichedcustomerprofiles.Googlewas found tobe inbreachof
data protection rules for broadly similar reasons by the EU
Member States data protection agencies carrying out investi-
gation procedures. In a letter to Google by theUK's Information
Commissioner'sOffice, forexample, it states, “[We]believe that
the updated policy does not provide sufficient information to
enable UK users of Google's services to understand how their
data will be used across all of the company's products”.58 Ac-
cording to the Hamburg Commissioner for Data Privacy and
Freedomof Information, therefore, “it is completely impossible
for the user to foresee the scope and content of his consent to
theprocessingof his data”.59 Similar conclusionswere reached
in Spain in December 2013, with the Spanish data protection
agency declaring in a statement that Google had failed to
obtain the consent of its users as the “highly ambiguous” lan-
guage in its privacy policy created difficulties for individuals
attempting to find out what would happen to their data.60 The
Frenchdataprotectionagencyalso found thatGoogle “doesnot
sufficiently inform its users of the conditions in which their
personal data are processed, nor of the purposes of this pro-
cessing. They may therefore neither understand the purposes
for which their data are collected, which are not specific as the
law requires, nor the ambit of the data collected through the
different services concerned. Consequently, they are not able
events/news/article/google-privacy-policy-six-european-data-protection-authorities-to-launch-coordinated-and-simultaneo/.58 Information Commissioner's Office. (2013). ICO update on
Google privacy policy. Retrieved 11 August 2014 from http://ico.org.uk/news/latest_news/2013/ico-update-on-google-privacy-policy-04072013.59 Der Hamburgische Beauftragte fur Datenschutz und Infor-
mationsfreiheit. (2013). Google's Privacy Policy under Scrutiny.Retrieved 16 July 2014 from https://www.datenschutz-hamburg.de/fileadmin/user_upload/documents/PressRelease_2013-04-02_Google_PrivacyPolicy.pdf.60 Agencia Espa~nola de Protecci�on de datos. (2013). La AEPD
sanciona a Google por vulnerar gravemente los derechos de losciudadanos. Retrieved 11 August 2014 from http://www.agpd.es/portalwebAGPD/revista_prensa/revista_prensa/2013/notas_prensa/common/diciembre/131219_NP_AEPD_POL_PRIV_GOOGLE.pdf.
c om p u t e r l aw & s e c u r i t y r e v i ew 3 0 ( 2 0 1 4 ) 6 1 7e6 3 2628
to exercise their rights, in particular their right of access, ob-
jection or deletion”.61 Google has so far been ordered to pay
fines ranging from EUR150,000 (in France) to EUR900,000 (in
Spain), althoughnotably foracorporation thesizeofGoogle the
quantumof thefines isunlikely tohaveasignificantdeterrence
effect and are dwarfed by the size of fines that can be imposed
for breaches of EU competition law.
More generally, data protection law as traditionally
conceived appears wholly inadequate conceptually from the
perspective of the individual to deal with this and similar
challenges related to data amalgamation concerns, including
those emergent from big data analytics and progressively
automated decision-making.62 For example, data protection
law stipulates that data subjects should not be subject to
automated processing decisions that produce legal effects
concerning or significantly affecting them. However, unless
their legitimate interests are protected legally,63 the invisi-
bility of profiling creates nothing more than a pretence of
adequate data protection. As mentioned above, individuals
are unlikely to be awarewhen they are the subjects of profiling
activities and therefore to suspect possible damage resulting
to their interests. Moreover, it remains highly contentious as
to the exact points at which a person can be said to be affected
‘significantly’ by automated-generated effects (as opposed to
because of the actions of humans), or when their legitimate
interests might be deemed sufficiently protected legally.
64 Discussion around data deletion and anonymisation modelsrelated to identity protection involves complex issues deserving aseparate paper and so is only mentioned in passing, save forreference to the so-called ‘right to be forgotten’ online. A variant ofthis right was recently adjudicated upon by the European Court ofJustice in the context of obligations placed upon search engines(Google Spain and Google, Case C-131/12 Judgment of the Court(Grand Chamber), 13 May 2014). A similar concept (a ‘right toerasure’) was independently proposed in January 2012 by the Eu-ropeanCommission as part of a legislative proposal, (Article 17 of a
7.3. Legal model evolution
Seeking redress from those who impose unreasonable con-
straints upon the intimate expression of identity, and control
over informational aspects of identity one shares with others,
form the heart of existing legal identity protection in many
countries. The evolution between the two illustrates how pop-
ular legal models have expanded in their identity-protective
capacities: from a court-enforceable model against States, to a
61 Commission nationale de l'informatique et des libert�es.(2014). The CNIL's Sanctions Committee issues a 150 000 V
monetary penalty to GOOGLE Inc. Retrieved 11 August 2014 fromhttp://www.cnil.fr/english/news-and-events/news/article/the-cnils-sanctions-committee-issues-a-150-000-EUR-monetary-penalty-to-google-inc/.62 In 2013, the EU Data Protection Article 29 Working Party (a
group formed of the EU Member State's Data Protection Com-missioners) published an Opinion on the principle of purposelimitation (Opinion 03/2013) singling out mention of the circum-stances under which it believes that personal data can be usedlegitimately in the context of big data analytics projects. ThisOpinion makes two broad recommendations. First, requests forconsent to use personal data must not include vague or broad-brush statements describing the purposes for which they arecollecting personal data. Second, data controllers must assess thecompatibility of any new purposes for which they want to pro-cess personal data with the purposes for what the data wascollected initially, and for which consent was obtained beforethey proceed. The Working Party suggests that data controllersmay only process personal data for ‘incompatible’ purposesbased on a domestic exemption adopted by an EU Member State.While opinions of the Working Party are likely to be taken intoaccount by national data protection regulators when interpretingnational laws, they are not binding legally under EU law.63 Article 15, the Directive.
model leaning heavily upon the notion of advanced informed
consent, regulatory oversight and self-regulation by the private
sector.
Nonetheless, these existing legal models were both
designed for the offline world and, while very important pil-
lars of any legal system, they do not go far enough in their
protective coverage of additional private interests threatened
by identity misuse. For example, data subjects rarely have
default rights to use or rectify their personal data (indeed, law
is often agnostic on the issue of who owns personal data,
preferring the position that it is not possible to have pro-
prietary rights in data). As discussed above, when considering
recent technological developments affecting identity, these
problems aggravate its potential for falsification and the
consequences that may flow from loss of control over its
integrity. Identity integrity, in turn, relates closely to impor-
tant human values such as reputation, dignity and autonomy,
as a form of informational self-determination. In this context,
identity, as a concept, aligns more closely to the notion of a
development and sense of self that people evolve over the
course of their lives. It is clear that greater identity protection
is required to cover such unaddressed areas of vulnerability.
While many see data deletion and anonymisation as the
only tools left to individuals to combat misuse, they are often
very difficult to achieve and impossible to guarantee.64
We must look elsewhere.
proposal for a Regulation of the European Parliament and of theCouncil on the protection of individuals with regard to the pro-cessing of personal data and on the free movement of such data(2012/0011, COD) (the General Data Protection Regulation)), in thecontext of wider plans to reform EU data protection rules. Like theright toprivacy, the right tobe forgotten/erasure conceptaddressesharm after it has occurred. Like the data protection model, how-ever, its procedural nature is an attempt to reinstate user controlover the portrayal of aspects of their digital identities. By providingusers with a mechanism to request the removal of informationthey no longer wish to be publicly available online, it aims tomakeup for someof the deficiencies of the consent regimeand implicitlyrecognises that personal identity is dynamic and interaction-dependent. Andrade calls it, “the right to be different, not fromothers but from oneself, i.e. from the one(s) we were before”(Andrade, N. (2012). Oblivion: The Right to Be Different from One-self e Reproposing the Right to Be Forgotten. VII InternationalConference on Internet, Law & Politics. Net Neutrality and otherchallenges for the future of the Internet, IDP No. 13, p. 122). Yetthere are many open questions surrounding the implementationand enforcement of a right to be forgotten/erasure, such as itsgeographical circumscription to Europe. Such difficulties illustratehow thenotion that any of us canhave complete control our digitalidentities through lawor technology alone is likely to beunrealisticfantasy. Furthermore, the right to be forgotten/erasure seemsinadequate in protecting individuals against the informationasymmetries arising from profiling technologies.
c om p u t e r l aw & s e c u r i t y r e v i ew 3 0 ( 2 0 1 4 ) 6 1 7e6 3 2 629
8. New ways of thinking
As technology changes our expression and understanding of
the identity concept, we need new ways of thinking about
ways to tackle its digital challenges. These include reconsi-
dering how we can safeguard those freedoms that make us
who we are in law. We propose seven complementary prin-
ciples to start a new identity dialogue that might lay the
foundation for improved models of protection designed
around the needs of the individual, by cohering and devel-
oping existing legal thinking in this area.
67 Van Kleek, M., & O'Hara, K. (2014). The Future of Social isPersonal: The Potential of the Personal Data Store. Retrieved 16July 2014 from http://eprints.soton.ac.uk/363518/1/pds.pdf.68 European Commission Communication. COM (2014) 442 final.
Towards a data-driven economy. Retrieved 16 July 2014 fromhttp://ec.europa.eu/information_society/newsroom/cf/dae/document.cfm?doc_id¼6210.69 Van Zoonen, L., & Turner, G. (2014). Exercising identity:
agency and narrative in identity management. Kybernetes, 43:6,
8.1. Techno-regulation
It is clear that law-makers must gain deeper understanding of
the ways in which technologies work. In addition, and in light
of the regulatory lag that persists as regulators try reactively to
catch up with technological innovation,65 identity-protective
values need to be inscribed into technology in ways that
work with existing or developing legal frameworks. Notable
examples include online visualisation tools that allow users to
see the personal data that companies hold about them, tools
for tagging data with software code (including individual
preferences for data usage in different contexts) to facilitate
compliance with fair data processing principles by data con-
trollers, as well as obfuscation-based techniques for location
privacy protection.
Such techno-regulation opportunities must not only be
technically feasible, but also enforceable in practice, with
penalties for breach. Indeed, often one will not work without
the other. For example, the introduction to the US Senate of
the ‘Do-Not-Track’ Bill in 2011 would, if enacted, have allowed
users to declare their preference to block companies from
tracking them online and prohibit those who act in breach of
these preferences. However, barring mass adoption of
browsers to implement such preferences (which in turnwould
require market agreement on standard setting and sufficient
levels of endorsingmarket demand), change seems unlikely in
this area. Developing societal norms is clearly important, such
as the acceptance of notions of personal data ownership and
possibilities for its mass marketisation (such as intermediary
organisations helping individuals pool and licence out their
personal data to companies at a cost). A pioneering example in
the UK is the ‘Midata’ project, which aims to improve access
by consumers to the electronic personal data that businesses
hold about them via its supply in a re-usable, portable
format.66
Another aspect of shifting cultural attitudes relates to
greater recognition of the roles of technology designers and
their ability to give users more control over their digital
65 Ball, K., Lyon, D., Murakimi-Wood, D., Norris C., & Raab, C.(2006). A Report on the Surveillance Society: For the InformationCommissioners office by the Surveillance Studies Network. Lon-don, UK, p. 30.66 Department for Business, Innovation & Skills (2014). Providing
better information and protection for consumers. London, UK.Retrieved 16 July 2014 from https://www.gov.uk/government/policies/providing-better-information-and-protection-for-consumers/supporting-pages/personal-data.
identities, together with doing more to encourage self-
governance and standard setting, possibly with formal regu-
latory oversight. An analogous process is ‘privacy by design’,
where privacyeprotective processes embed into systems ar-
chitecture. The European Commission, for example, views
privacy enhancing technologies as going hand-in-hand with
complementary legal principles and advocates privacy impact
assessment upon the adoption of new technologies. Similar
thinking could resonate around the notion of ‘identity pro-
tection by design’. Current research into the potential for so-
called ‘personal data stores’ - decentralised, often cloud-
based technologies that aim to bolster the capabilities of its
users “for managing, curating, sharing and using data them-
selves and for their own benefit” - is promising in this regard.67
The individual-centric nature of personal data stores, facili-
tating interactive identity management (and thus dynamic
control over isolated elements of identity enabled through
technology) by the user, is apt to set the right tone for framing
a dialogue across technical and legal audiences in this
context. The European Commission has declared that it will
launch a consultation in this area imminently.68
8.2. Adjusting to context and risk
Legal rules need to be more flexible to encompass modern
conceptions of identity. As Van Zoonen points out, “a different
concept of identity is needed” that goes beyond the conven-
tionally static notion of identity as “the sum of different in-
formation about a human being”; a more dynamic paradigm
encompasses identity as “doing in addition to being”.69 In a
similar fashion, law must evolve beyond the constraints of
traditional discourses around privacy and data protection
with its emphasis on the point of data collection, towards an
identity-centric one that is capable of taking into account
varying levels of risk associated with usage and outcomes
arising from data processing activities in different contexts.70
Factors that could affect assessments of risk include -
not just the type of data at issue and the wishes of the data
subject - but also the likely permanence and severity of po-
tential effects upon individuals from personal data misuse,
such as might be the case if the security of biometric data is
jeopardised. Legal rules must also be flexible enough to
p. 8.70 The recommendation that policy-makers should focus more
on the actual uses of data and less on its collection is a majortheme of a report concluding a 90-day study requested by Presi-dent Obama to examine the effects of big data technologies in theUS (President's Council of Advisors on Science and Technology(PCAST) Big Data and Privacy Working Group. (2014). Big Data:Seizing Opportunities, Preserving Value. Retrieved 16 July 2014from http://www.whitehouse.gov/sites/default/files/docs/big_data_privacy_report_may_1_2014.pdf).
c om p u t e r l aw & s e c u r i t y r e v i ew 3 0 ( 2 0 1 4 ) 6 1 7e6 3 2630
recognise an array of different types of possible detrimental
effects to individuals that can flow from identity-intrusive
behaviours online. The fact that profiling techniques can
have quite different results when introduced into different
contexts and under different circumstances suggests that
profilers should be mandated legally to carry out upfront pri-
vacy impact assessments and (if negative effects on in-
dividuals are reasonably foreseeable) that they also be
required to formulate and implement bespoke safeguards to
mitigate such effects.
Visual models of identity like the SuperIdentity model
could potentially play some role in assisting such assessments
by helping individuals to understand better the nature of the
risks they might face by disclosing different types of personal
data online. For example, given a particular context and the
assumption that certain pieces of information are already in
the public domain, a person may be able to assess more
accurately the likelihood of new inferences being made about
them and what these might be, as well as the type of personal
data most likely valued highest in a targeted attack.71
In line with the adoption of digital risk assessment, law
must take into account how the very nature of identification
and re-identification risk has changed. With ever-wider
technological capabilities related to de-anonymisation
emerging, alongside the advance of technology and tran-
sitioning from the offline to the digital world, the ability to
identify someone from data is much more context-specific,
depending upon who the identifier is and what methods are
used. For that reason, another area of focus ripe for re-
evaluation from an identity-centric and big data viewpoint is
the legal definition of ‘personal data’ (more commonly
referred to as ‘personally identifiable information’ from a US
perspective) and, with it, the outer boundaries of legal and
regulatory rules applying to its protection.
73 In English law, for example, it is not a criminal offence in it-self to appropriate another's identity.74 Article 29 Data Protection Working Party. (2013). Advice paper
on essential elements of a definition and a provision on profilingwithin the EU General Data Protection Regulation. Retrieved 16 July
8.3. Greater data accountability
Those who process personal data should bear greater legal
accountability and responsibility for its misuse (even going so
far as to attribute them with, a term we have coined, ‘data
controller stewardship’ to denote a very high level of entrust-
ment of care). In linewith the thinking ofWeitzner, information
accountability “must become a primary means through which
societyaddressesappropriateuse”72and,hence,also itsmisuse.
Thus, greater accountability and responsibilitymay be required
for some data controllers by establishing specific safeguards to
protect subjects' rights, such as by creating an obligation to
anonymise personal data they process on their behalf.
Accountability should be proportionate to the level of
misuse. Severe cases of identity misuse should expose mis-
users to robust sanctions, including regulatory actions such as
significant fines so that organisationswill take data protection
71 Creese, S., Gibson-Robinson, T., Goldsmith, M., Hodges, D.,Kim, D., Love, O., Nurse, J., Pike, B., & Scholtz, J. (2013). ‘Tools forunderstanding identity’. In: Technologies for Homeland Security(HST) (2013) IEEE International Conference. IEEE, p. 558.72 Weitzner, D., Abelson, H., Berners-Lee, T., Feigenbaum, J.,
Hendler, J., & Sussman, G. (2008). Information accountability.Communications of the ACM, 51(6), p. 82.
compliance more seriously than at present and/or criminal
prosecutions. Achieving this outcome may involve giving
regulators stronger powers, with quick response times to
create deterrence effects.
Also required is the creation of bespoke laws to deter and
address identity misuse directly, including specific criminal
offences for identity-centric crimes.73 In the future, punish-
ment for data offences related to illegally gathering and
aggregating personal data, or de-anonymising individuals
without their consent, may become the normwhere such acts
are shown to have caused significant harm.
8.4. Greater transparency
Transparency complements accountability. More information
should be made available to individuals about who controls
their personal data and to what ends. For instance, individuals
can better appreciate the underlying value and the possible
implications of sharing their personal data by understanding
how its processing takes place, by whom, andwhat safeguards
exist to reduce the likelihood of risks of harm occurring.
There is a need to focus in particular on disclosure around
the potential for data re-usage in order to help individuals un-
derstand how and when their data may be recycled for new
purposes and the potential implications for them before this
happens. For example, the EU's Article 29 Working Party has
published an advice paper on profiling recommending that
more be done to explain and mitigate the various risks that
profiling canpose,while advocating the introduction of specific
requirements inorder for profilingactivities to be legitimated.74
These includesuggestions thatprofilersbeobliged tomakedata
subjects aware when their personal data are used in profiling
and requiring information to be provided about the context,
purpose and underlying logic used for automatic processing.
The practices involved in covert government surveillance
of individuals, and accompanying legal checks and balances,
would especially benefit from increased transparency. While
the rationale of such surveillance and risk profiling requires a
degree of opacity around case specific details, more openness
would be beneficial in terms of providing clearer and more
detailed information about the application of data analytics,
as well as how exactly law and any built-in safeguards apply
to protect individual interests in respect of automated iden-
tification mechanisms.
A sector-specific example around the merits of greater
transparency relates to organisations active in health and
social care that provide explanations to patients around the
2014 from http://ec.europa.eu/justice/data-protection/article-29/documentation/other-document/files/2014/annex_one-stop_shop_20130513_advice-paper-on-profiling_en.pdf. In seeking tolimit the extent to which data subjects may become subject tomeasures based on the automatedpersonal profiling of individuals,the Working Party recommends that profiling should be subject tothe data subject's explicit consent, to guarantee additional infor-mation rights and a higher level of control for individuals.
c om p u t e r l aw & s e c u r i t y r e v i ew 3 0 ( 2 0 1 4 ) 6 1 7e6 3 2 631
anonymised uses of personal data collected about them, their
rights to withhold or withdraw consent to its sharing and use,
as well as the consequences of not providing consent. A
number of recommendations to this effect were set out, for
example, in a 2013 report commissioned by the UK Govern-
ment into information governance in these sectors.75 Rec-
ommendations include that health and social care
organisations should keep and record an audit trail of patient
consent decisions, including revocations, and the steps taken
to implement them when they apply to data in their control.
Furthermore, such organisations should be required to pub-
lish details of all cases where there has been unlawful pro-
cessing or sharing of patients' personal data (accurate or
inaccurate).
8.5. More empowered users
Greater transparency also engenders the ability for greater
involvement by individuals. As the value of data becomesmore
tangible and their uses more dynamic, people may want to
exercise control and choice in ways not relevant to offline
identity-constitutive information. Again, we make reference to
the possibility of personal data stores that can help individuals
to specify exactly what data about themselves they are willing
to share with others. Ease of usability, as well as security and
portability, must lie at the heart of such initiatives.
From a purely legalistic viewpoint, the EU Data Protection
Article 29 Working Party Opinion 03/2013 on the purpose
limitation principle singles out mention of big data analytics
that lead to the formation of conclusions about individuals
and states that opt-in consent would usually be required for
these activities.76 Positively empowering individuals using
legal mechanisms such as consent opt-ins, or the ability to
contest any measure or decision based on profiling, should be
enforceable in court.
Greater user empowerment might also involve giving in-
dividuals more rights over the processing of their personal
data of a type that go beyond those currently available under
European data protection rules. The European Commission
started in this direction of travel by proposing a data protec-
tion, legislative reform package in 2012, which heralds the
laying of an important, new foundation for the potential
development of European law. Included within the package
are proposals to introduce practical measures and tools to
protect privacy rights, which would strengthen online users'control over their digital identities by enabling them to
participate more fully in the data choices they make. For
example, the draft General Data Protection Regulation in-
cludes a specific provisionmandating data controllers to build
in data protection ‘by design and default’, which it is hoped
75 Caldicott, F., Department of Health. (2013). Information: Toshare or not to share. The Information Governance Review.London, UK. Retrieved 16 July 2014 from https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/192572/2900774_InfoGovernance_accv2.pdf.76 Article 29 Data Protection Working Party. (2013). Opinion 03/
2013 on the purpose limitation principle. Retrieved 16 July 2014from http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2013/wp203_en.pdf.
will facilitate creative technical solutions for protecting legal
rights without losing the benefits of a big data project. More-
over, it is proposed to introduce a new data portability right
would enable individuals to obtain a copy of the data held
about them by organisations in a reusable, electronic format.
While the full implications are still being considered of what
recognising individuals legally as ‘data controllers’ of their
personal data would involve, shifting to a new kind of legal
thinking is essential to help promote and develop the idea that
individuals can be endowed, not only with legal rights that are
enforceable practically, but also responsibilities to manage
their own data.
When identitymisusesoccur, ingeneral thereshouldalsobe
well-publicised, appropriate and easy ways for individuals to
report them. Moreover, tasking agencies to review and pursue
the most serious cases to enforcement proceedings should
reinforce the desired deterrence effect related to the commis-
sion of identity crime currently missing in many countries.
8.6. Identity-centric government programmes
Policy-led government initiatives specific to identity concerns
could help individuals by placing their interests as consumers,
citizens and users of governmental digital services at the
heart of governmental reforms. For example, government-
commissioned programmes (such as the UK Midata project
and its vision of greater consumer empowerment mentioned
above) can be designed to help individuals to have greater
control over both the amount of personal data they reveal
online and the awareness of who now holds their data.
Of course, there is no single design best for governments to
adopt and there are obvious risks involved in reliance upon a
central government register of identity data. It is important
that the design capabilities of identification systems be so-
cially and ethically acceptable to be usable.77 One promising
approach is a legislation-implemented, identity assurance
scheme set up by a government advisory group and delivered
by certified private sector online service providers. Identity
service providers under such a scheme could contract to meet
certain criteria, and help promote greater public trust in the
safety of online interactions, similar to the Identity Assurance
Programme and its Principles currently under proposal in the
UK.78 If individuals trust in certified organisations to provide
an identity service (such as identity authentication), operating
according to transparent trust principles, they will have
greater reassurance that their cyber-identifiers are secure
when accessing government services and transacting online.
8.7. Internationalism
Legal jurisdiction based on national borders can create false
limitations where the online world is concerned. Taken in
77 Hodges, D., & Creese, S. (2013, October). ‘Breaking the Arc:Risk control for Big Data’. In: Big Data (2013) IEEE InternationalConference. IEEE, p. 613.78 Privacy and Consumer Privacy Group. Cabinet Office. (2013).
Draft identity assurance principles. London, UK. Retrieved 16 July2014 from https://www.gov.uk/government/consultations/draft-identity-assurance-principles/privacy-and-consumer-advisory-group-draft-identity-assurance-principles.
c om p u t e r l aw & s e c u r i t y r e v i ew 3 0 ( 2 0 1 4 ) 6 1 7e6 3 2632
conjunctionwith the global nature of the Internet, and despite
the fact that identity policies are often culturally sensitive, the
internationalisation of legal responses to online identity
misuse is likely to become increasingly necessary.
Reliance upon international laws and consortia favours
non-binding guidelines and informal rules that have practical
effect through shared understandings of mutual benefits,
rather than as direct challenges to national sovereignty. By
being more adaptive to changing circumstances, such ‘soft’
laws might also facilitate greater collaboration between pri-
vate groups and public actors in the development and
administration of rules regarding identitymisuse. In turn, this
would help promote wider participation in identity-centric
policy and law formulation internationally (although ulti-
mately these effects would be normative only).
An example of an international legal instrument specif-
ically focused on protection from harms arising from profiling
technologies is a European Recommendation on the use of
profiling in the public and private sector introduced in 2010.79
The Recommendation aims to ensure more transparency and
access in profiling. Although non-binding and therefore non-
enforceable legally, the Recommendation signifies a step in
the right direction towards providing essential protection
against profiling risks to identity.
9. Concluding thoughts
Across many countries around the globe, it now abundantly
clear that technological and cultural change has led to an
identity crisis. The detail and the traceability of the ‘portraits’
that our digital identities provide - the exhaustive mapping
and assemblage of our everyday lives in data - grow steadily
and with it their value and potential for usurpation. Govern-
ments and law-makers increasingly find themselves
embroiled with the consequences of digital identity misuse
and mechanisms for policing it.
Without effective safeguards to protect identity, we have
argued that there are substantial risks to individuals. The time
is ripe, therefore, to reconceptualise its protection in keeping
with our richer understanding of modern identities mediated
through digital technology. We need now to reflect upon how
to ensure appropriate balances between private and public
interests, and robust oversight of automated identification
techniques (particularly those that rely on big data analytics
and geo-location data).
Against this backdrop, law must continue to “seek to bal-
ance the rights of individuals to liberty and freedom of
expression (both online and offline), while protecting their
privacy and their data”.80 At the same time, existing models
need to adapt so as to embrace opportunities to evolve a
protective capacity against emerging threats to identity, while
79 Council of Europe. Recommendation CM/Rec (2010)13. On theprotection of individuals with regard to automatic processing ofpersonal data in the context of profiling. Retrieved 16 July 2014from https://wcd.coe.int/ViewDoc.jsp?id¼1710949.80 The Government Office for Science. (2013). Foresight Future
Identities e Final Report. London, UK. Retrieved 21 September2013 from http://www.bis.gov.uk/assets/foresight/docs/identity/13-523-future-identities-changing-identities-report.pdf, p. 59.
recognising that there are no complete legal or technical fixes.
An enhanced legal framework fit to meet new identity chal-
lenges must accommodate a risk-management approach to
accountability that appreciates themulti-contextual nature of
people's identities. It must also empower individuals to
recognise and take advantage of new opportunities to benefit
from their identity data, including through greater data
handling transparency. Furthermore, policy intended to un-
derpin identity management initiatives needs to reflect what
is socially acceptable, as well as technologically feasible, in its
country of implementation.
As indicated, some steps are already underway in Europe
and elsewhere around the world to meet such challenges.
However, there is long way to go and the wise path will direct
us towards an inter-disciplinary approach to identity in which
our relationship with data, machines and each other is inex-
tricably linked to who we are today.
As society's appetite for digital technology, hyper-
connectivity and big data shows no sign of abating, the
identity crisis is destined to deepen still. In the next few de-
cades, even the most mundane and unlikely records of day-
to-day behaviour may become useable for unanticipated
and ever-wider purposes. Increased use of mobile technology
and remote biometric recognition further blurs the distinc-
tion between offline and online spaces. Consequently, the
capacity for automated identification technologies to engage
in real-time monitoring to deduce whether patterns of
human behaviour diverge from a pre-defined normality (e.g.
to monitor crowds or verify transactional identity automati-
cally for digital payments) becomes an ever more stark
reality.
In the more distant future, artificial intelligence advances
could result in profiles of unnerving precision and persis-
tence, even of absolute falsehoods, and pervasive automated
decision-making. The way we interact with each other and
our society is likely to change radically. The ‘internet of
things’ (everyday objects with sensors linkable online)
recording and tracking our movements, as well as ground-
breaking developments in genetic research and mass bio-
banks, may enable the federation of our identities81 into
single digital identifiers running across multiple systems
that follow us continuously throughout our lives. We must
face the implications now because one day our virtual rep-
resentationsmay becomemore important thanwhowe truly
are.
Acknowledgement
This paper is produced under the auspices of the Engineering
and Physical Science Research Council (EPSRC) SuperIdentity
project under grant number EP/J004995/1 within the umbrella
remit of the Global Uncertainties Programme, together with
the Department of Homeland Security in the US.
81 A ‘federated identity management’ solution refers to a singledomain that enables interoperability between different identitymanagement systems, such that different user identitiesmanaged by different systems could be recognised as belongingto the same individual and tracked as such.