Working Party on the Protection of Individuals with regard to the Processing of Personal Data
RECOMMENDATION 3/97
Anonymity on the Internet
Adopted by the Working Party on 3 December 1997
THE WORKING PARTY ON THE PROTECTION OF INDIVIDUALS WITH REGARD TO THE PROCESSING OF PERSONAL DATA,
- set up by Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995
- having regard to Articles 29 and 30, paragraph 3 of that Directive,
- having regard to its Rules of Procedure, in particular to articles 12 and 14 thereof,
has adopted the following recommendation:
The Working Party at its 8th meeting in Brussels
on 3 December 1997 adopted the Discussion Paper XV/5022 ("Anonymity
on the Internet") and took note of the Report and Guidance by the
International Working Group on Data Protection in Telecommunications ("Budapest
- Berlin Memorandum on Data Protection and Privacy on the Internet");
Recommends that the European Commission develops
proposals on the basis of the attached Discussion Paper ("Anonymity
on the Internet"; Annex 1) as well as of the recommendations made
in the Budapest-Berlin Memorandum (Annex 2) to support their implementation
through the appropriate international fora.
Discussion Paper - Anonymity on the Internet
Adopted at the 8th meeting.
Introduction
The rapid development of the Internet and the
prolific growth in the types and number of services available over this
new medium have been well documented. It is clear that the Internet phenomenon
is already transforming the way we live and work as employees and citizens,
bringing huge changes to the way goods and services are bought and sold,
and reshaping the behaviour of organisations in both public and private
sectors.
Such dramatic and wide-ranging changes inevitably
bring new problems and new challenges for those involved in the process
of defining, developing and enforcing public policy. Initially the main
focus of attention for policy-makers was on the potential of the Internet
both as a forum for criminal or undesirable behaviour `on-line' (such as
the distribution of child pornography) and as a `safe' means of communication
to facilitate criminal activities `off-line'.
At European level these concerns were the main
motivating factor behind a series of initiatives: the Green Paper on the
protection of minors and human dignity in audio-visual and information
services (COM (96) 483 final), the Commission Communication on Illegal
and Harmful Content on the Internet (COM (96) 487), the Council Resolution
of 28 November 1996 on Illegal and Harmful Content, and the Report of the
Working Party on Illegal and Harmful Content established by the informal
Council meeting at Bologna.
Gradually, however, it has
become apparent that many other issues are involved too. The Commission
Communication "A European Initiative in Electronic Commerce"
(COM (97) 157) seeks to widen the debate to include a whole series of other
important areas of policy, such as taxation (particularly VAT) of on-line
commercial activity, and the protection of intellectual property rights
in respect of content distributed on-line.2
In all of these areas new ideas are being discussed, and new potential
solutions put forward which aim to ensure that the traditional values and
societal interests developed over many decades can continue to be upheld
in this new technological age. A problem which cuts horizontally across
many of these areas is the difficulty in detecting the fact that illegal
activity has taken place and then identifying the liable person. Who is
responsible for placing a particular piece of child pornography on the
Internet? Who has downloaded a particular piece of copyright-protected
material? Who has failed to declare VAT in respect of services offered
on-line?
Faced with this problem an understandable response
has been to suggest that all those wishing to access the Internet and its
various on-line services should be properly identified, and that all on-line
activity should be traceable.
The Privacy Perspective
The development of policy with regard to the
Internet does not take place in a vacuum, but against the background of
well-established principles and values. Critics of attempts to restrict
or regulate activity in cyberspace frequently cite the right to free expression,
a fundamental right guaranteed in Europe by Article 10 of the European
Convention of Human Rights (ECHR) and incorporated as a general principle
of Community law by Article F.2. of the Treaty on European Union. However,
the right to privacy (Article 8, ECHR and similarly incorporated into Community
law) is equally important when assessing any policy towards the Internet.
Over the past 25 years it has become apparent
that one of the greatest threats to this fundamental right to privacy is
the ability for organisations to accumulate large amounts of information
about individuals, in a digital form which lends itself to high-speed (and
now very low-cost) manipulation, alteration and communication to others.
Concerns about this development and the potential misuse of such personal
data has led all European Member States (and now the Community with directive
95/46/EC) to adopt specific data protection laws which set down a framework
of rules governing the processing of personal information.
A basic data protection principle (see Articles
6(1)(c) and 7 of directive 95/46/EC) is that the personal data collected
in any situation should be limited to that which is necessary and relevant
to the purpose. All personal information is a potential threat to an individual's
privacy and it is therefore necessary to ensure that, whenever such information
is collected, it is for a legitimate purpose and that the amount of information
collected is restricted to a minimum.
A feature of telecommunications networks and
of the Internet in particular is their potential to generate a huge quantity
of transactional data (the data generated in order to ensure the correct
connections). The possibilities for interactive use of the networks (a
defining characteristic of many Internet services) increases the amount
of transactional data yet further. When consulting an on-line newspaper,
the user `interacts' by choosing the pages he wishes to read. These choices
create a `clickstream' of transactional data. By contrast more traditional
news and information services are consumed much more passively (television
for example), with interactivity being limited to the off-line world of
newspaper shops and libraries. Although transactional data may in some
jurisdictions receive a degree of protection under rules protecting the
confidentiality of correspondence, the massive growth in the amount of
such data is nevertheless a cause of legitimate concern.
As on-line services develop in terms of their
sophistication and their popularity, the problem of transactional data
will grow. Everywhere we go on the Internet, we leave a digital trace.
As more and more aspects of our daily activities are conducted on-line,
more and more of what we do, our choices, our preferences, will be recorded.
But the risks to our personal privacy lie not
only in the existence of large amounts of personal data on the Internet,
but also in the development of software capable of searching the network
and drawing together all the available data about a named person. A recent
article in the Minneapolis Star Tribune explained how one could
compile a detailed biography of a randomly selected individual using such
software and exploiting information from all the discussion groups in which
the person participated. The newspaper was able to obtain the person's
address and telephone number, place of birth, where he studied, his profession,
his current workplace, his interest in amateur theatre, his favourite type
of beer, his preferred restaurants and holiday destinations, and his views
on such diverse subjects as Bill Gates and the `socially repressive' state
of Indiana. There are already a number of sites in the United States offering
such "look-up services" commercially.
Anonymous data - a way of addressing privacy concerns
Transactional data are only a threat to individual
privacy if the data relate to an identifiable person. Clearly one way of
addressing privacy concerns would therefore be to seek to ensure that wherever
feasible the data traces created by using the Internet do not permit the
identification of the user. With anonymity guaranteed, individuals would
be able to participate in the Internet revolution without fear that their
every move was being recorded and information about them accumulated which
might be used at a later date for purposes to which they object.
The need for anonymity in on-line communications
is already recognised as entirely legitimate in certain situations, for
example where a victim of a sexual offence or a person suffering from alcohol
or drug dependency wishes to share experiences with others, where an individual
contemplating suicide wishes to consult specialist on-line help, or where
some-one wishes to report a crime without fear of retaliation. In other
situations guaranteed anonymity serves to underpin not only privacy but
also freedom of expression, such as in the cases of political dissidents
subject to a totalitarian political regime wishing to express their opposition
to the political system in which they live and draw attention to human
rights abuses.
But the need for anonymity goes much wider
than these specific cases. For identifiable transactional data by its very
existence will create a means through which individual behaviour can be
surveyed and monitored to a degree that has never been possible before.
Reconciling privacy with other public policy objectives
It is clear therefore that the question of
anonymity on the Internet is at the centre of a dilemma for governments
and international organisations. On the one hand the possibility of remaining
anonymous is essential if the fundamental rights to privacy and freedom
of expression are to be maintained in cyberspace. On the other hand the
ability to participate and communicate on-line without revealing one's
identity runs against the grain of initiatives being developed to support
other key areas of public policy, such as the fight against illegal and
harmful content, financial fraud or copyright infringements.
Of course such apparent conflict between different
public policy objectives is not new, and, as the Commission's Green Paper
on the Protection of Minors and Human Dignity in Audio-visual and Information
Services underlines, the European Convention of Human Rights already provides
a framework for resolving such conflicts : a set of fundamental rights
subject to certain restrictions for specified reasons, including the prevention
of crime. In considering such restrictions the caselaw of the European
Court of Human Rights has developed the principle of proportionality
as crucial test of conformity of any restrictive measures applied to the
fundamental rights guaranteed under the Convention.
The fact that such caselaw has developed demonstrates
that it has always been necessary to balance conflicting public policy
objectives. In the context of the more traditional `off-line' modes of
communication, such as letter and parcel post, the telephone, newspapers,
or broadcasting via radio and television, a balance between these objectives
has been achieved. The challenge facing policy-makers today is to ensure
that this balanced approach, which guarantees basic rights while permitting
proportionate restrictions to these rights in limited and specified circumstances,
is maintained in the new context of cyberspace. Central to this balance
will be the extent of, and limits to, a person's ability to participate
on-line in an anonymous fashion.
Learning from the past to find solutions for the future
There is a clear consensus that activity on
the Internet cannot be exempted from the basic legal principles that are
applied elsewhere. The Internet is not an anarchic ghetto where society's
rules do not apply. Equally though, the ability of governments and public
authorities to restrict the rights of individuals and monitor potentially
unlawful behaviour should be no greater on the Internet than it is in the
outside, off-line world. The requirement that restrictions to fundamental
rights and freedoms be properly justified, necessary and proportional in
view of other public policy objectives, must also apply in cyberspace.
This principle of treating the Internet no
more or less favourably than older technologies is reflected both in the
introduction to the Commission's Communication on Illegal and Harmful Content
on the Internet which states "what is illegal off-line remains illegal
on-line", and the Report of the Working Party on Illegal and Harmful
Content on the Internet which sets out in its second proposal for further
action the principle that "information on the Internet should be allowed
the same free flow as paper-based information".
On the key issue of anonymity
the same approach should be taken. As rightly stated in the "Bonn
Ministerial Declaration"3, the principle
should be that where the user can choose to remain anonymous off-line,
that choice should also be available on-line. The various services and
activities available over the Internet must be examined, and wherever possible
analogies drawn with existing services using older more established modes
of communication and means of delivery. Such comparisons will provide a
valuable insight into those areas where the possibility to remain anonymous
is desirable and those where it is not.
E-mail (point-to-point correspondence over the Internet)
Most e-mail communications currently identify
the sender either by virtue of his/her own e-mail address or IP address.
This information is usually available both to the recipient of the e-mail
and the access and service providers involved in the provision of the e-mail
service. There are, however, two types of alternative arrangements which
provide a degree of anonymity:
1) anonymous re-mail services - where this is an option offered by the access provider,
or where an individual makes use of a specific `anonymising' service
to which he/she directs his e-mail. The anonymous re-mailer will send the
message on in an anonymous form;
2) anonymous access to the network - where an individual is able to access the Internet
anonymously by, for example paying in advance for a certain amount
of on-line time and receiving an anonymous e-mail address, or accessing
the network by way of a public Internet kiosk.
Anonymous re-mailing services involve the retention
of a link between the sender of the message and the message itself which
can be reconstituted at a later stage, for example in the context of a
police investigation. It does not therefore guarantee anonymity
in the same way as the second alternative and there need to be rules about
the use made by the re-mailing service of the identifiable data it retains.
But nevertheless both of these possibilities give important privacy benefits
to individuals and need to be maintained and promoted.
The existence of an anonymous option for e-mail
is particularly important if one compares the service with other traditional
point-to-point communications technologies. The old-fashioned postal service,
for example, is far more privacy friendly, in that the sending of a normal
letter can be done in complete anonymity. The postal service provider is
unable to collect any identifiable transactional data about the sender
of the communication (unless the sender chooses to identify himself on
the outside of the envelope). The most common payment system (the postage
stamp) is also entirely anonymous. It is additionally possible for the
sender to remain anonymous to the recipient of a letter.
Traditional telephony services
also offer a greater degree of anonymity than e-mail. The widespread availability
of public kiosks allow anonymous access to the network, and services can
be paid for with cash or anonymous pre-paid cards. Phone calls carried
out in this way create no identifiable transactional data. Where a subscriber
calls using his/her own private phone transactional data are created, however,
and it has been necessary to introduce data protection rules (now in the
process of harmonisation at Community level as a result of the `ISDN' directive4) to limit the retention period for such data and
the purposes for which they may be used. Nevertheless the caller will remain
anonymous as far as the recipient of a call is concerned until the called
party chooses to pick up the phone, unless a system of calling line identification
(CLI) is in place, which allows the caller's number to be displayed to
the called party before the call is answered. The impact of CLI on the
privacy of parties to telephone calls is such, however, that a specific
article in the above-mentioned directive has been considered necessary
to ensure that individuals are able to block the transmission of their
number where they wish to do so. This provision represents a precedent,
which may be considered in the field of point-to-point online correspondence.
There may be circumstances in which restrictions
to anonymous e-mail communication are justified, for example if there is
reason to suspect that a particular communication is linked to the planning
of a terrorist act or other serious criminal offence. The effect of such
restrictions may be to require an anonymous remailer to supply to the police
the true identity of the parties to a communication. However, any such
restrictions should respect the test of proportionality and be applied
strictly on a case by case basis.
Newsgroups, Bulletin Boards, and other Public Discussion
Fora
Communication over the Internet does not always
take the form of point-to-point private correspondence. `Newsgroups' and
`chat rooms' dedicated to particular subjects or shared interests are numerous
and very popular. Here individuals that contribute material do so in the
knowledge that it is intended to be accessible to a wider public that could
include children or other vulnerable individuals. In such a situation there
are genuine concerns about the nature of the content that is contributed,
and a genuine need to ensure that inappropriate content is not made available
in such open fora, and/or that a liability exists if any of the content
made available proves to be illegal.
There are various possibilities by which a
degree of control can be exerted over such `newsgroups'. One suggestion
is that all those contributing material should be identifiable, and that
a data trace is kept whenever material is contributed. There are question
marks, however, as to whether this is a proportionate, and indeed practicable,
response to the problem. After all in the non-virtual world there are numerous
notice boards in workplaces, schools and universities on which individuals
are invited to place material. It is not conceivable that access to such
noticeboards would be closely monitored in this way.
Other possibilities do exist, however. For
instance, contract solutions may be developed to guarantee a certain degree
of "content quality". Or, the provider of the newsgroup service
could ensure the constant involvement of a `moderator' in newsgroups, whose
role would be to monitor contributions for illegal and harmful content.
Such moderators could ensure that unsuitable content be quickly removed
and that individuals actually in the process of contributing such material
be disconnected from the group. Telephone `chat lines' and `party lines'
have traditionally used such mechanisms to moderate the behaviour of participants.
It is even possible that the service provider be given a degree of legal
liability for the material made available, thus having a direct interest
in vetting all incoming material and only publishing that which is considered
lawful and acceptable for public consumption. In this scenario the anonymity
of contributors can be maintained, while the service provider takes on
a role akin to that of the editor of a newspaper's letters page.
This might also be an area where technological
solutions could play a role. If completely anonymous access to some public
fora were to be deemed problematic, nevertheless individuals maybe permitted
to gain access on the basis of a `pseudo-identity' attributed to them by
a specialist service provider similar to the anonymous remailers discussed
above. In such cases, while anonymity would normally be respected, if criminal
activity were suspected, a link with the true identity of the individual
user could be reconstructed.
It is clear that entirely anonymous contributions
to public discussion fora raise difficulties, which are not present in
simple point-to-point communication, and that appropriate mechanisms must
be developed to prevent misuse of such fora. However, the fundamental rights
of privacy and freedom of expression must not be restricted in a disproportionate
way by systems of compulsory identification, particularly when other more
proportionate means of controlling and moderating content are available.
Passive Browsing of Internet World Wide Web Sites
Most of today's World Wide Web sites exist
primarily to give information to the public at large, and millions of individuals
pass their time on-line idly browsing the myriad of different sites available.
The closest analogy to this practice in the
non-virtual world would be that of browsing in a public library or a bookshop,
or wandering through the high street window-shopping. Like on-line browsing,
there is often no intent to purchase, but simply an impulse of curiosity
to see what is available. A key difference though is that while browsing
in a library or wandering the high street can be done in almost complete
anonymity, browsing on the Web invariably leaves a permanent and identifiable
digital record behind.
There is no public policy or general interest
justification for such traces to be identifiable, unless the user wishes
them to be so. Of course the collection of the names and e-mail addresses
of visitors to a commercial website will often be valuable data to the
website owner, who may wish to use the data for marketing purposes. However,
any such data collection from individuals who are simply browsing must
be entirely transparent and must take place on the basis of the user's
informed consent. Individuals wishing to browse the World Wide Web anonymously
must be entirely free and able to do so.
Purchasing goods and services over the Internet
As secure means of payment are developed, together
with mechanisms for data integrity and authentication of transactions (e.g.
digital signatures), the Internet will increasingly become a mainstream
area of commercial activity where individuals go not only for information,
but also to buy goods and services. In this context the question arises
as to whether an individual must be identifiable in order to make purchases
over the Internet or whether the option of anonymity should still be available.
In the non-virtual world anonymous payments
with cash are common, and indeed this is considered the most convenient
and efficient way of paying for goods and services, particularly those
which involve relatively small amounts of money. The vendor in a small
corner shop is not interested in the identity of his customer, but solely
in the fact that the cash being offered to him is authorised legal tender.
For larger purchases it is often inconvenient
for both the purchaser and vendor to use cash. Banknotes take up a lot
of space in a wallet or a cash till. There is also the security risk in
keeping too much cash. For these reasons non-anonymous payment methods
such as cheques or debit cards tend to be preferred when the amount of
the purchase is large.
Of course when payment is made using credit,
anonymity is no longer an option. When buying on credit the individual
incurs a debt for which he/she is liable. There must therefore be a record
created which links the individual to the debt incurred. When a conventional
credit card is used the individual's liability is to the issuer of the
card rather than directly to the vendor, but nevertheless an identifiable
trace of the transaction will be needed.
Electronic commerce over the Internet should
in principle follow the model which has been established for off-line payments.
Individuals should be allowed to choose from a variety of secure payment
methods, among which should be the possibility of an anonymous system.
Anonymous electronic cash should indeed have some significant advantages
over traditional cash which would make its use even more attractive. First,
unlimited amounts could be held conveniently, on a small card for example.
Second, the card could, without affecting its anonymity, incorporate security
features, such as an individual access code known only to the purchaser,
which would greatly reduce the risks in the event of losing the card. Such
features could make anonymous electronic cash an attractive option even
for large purchases on-line.
A key requirement is that any such electronic
cash is verifiably `real money'. This implies the inclusion of technical
anti-counterfeiting features which guarantee the authenticity of the electronic
cash, without affecting the possibility of using it anonymously.
There are, however, other public policy considerations
which must be taken into account in the assessing the desirability of anonymous
payment methods on-line. Chief among these is the fight against money laundering.
The laundering of large sums of money obtained from criminal activities
typically such as drug trafficking, either anonymously or by using a fictitious
identity, is a serious problem. To help combat this activity a directive
was adopted in 1991 (91/308/EEC) seeking to prevent the use of the financial
system for money laundering purposes. Key provisions in this directive
require credit and financial institutions to require identification of
their customers prior to entering into a business relationship with them
and to keep records of transactions for a minimum period of at least five
years.
This directive is not in itself, however, incompatible
with anonymous payment. Its prime focus is on transactions with banks and
other financial and credit institutions5, whereas
systems of anonymous electronic cash would be used essentially for transactions
between individuals and merchants who are not part of the financial system.
It would be normal for an individual to need to prove his/her identity
before withdrawing electronic cash from a bank, and perhaps when depositing
large quantities of electronic cash. But once the cash is in his/her position,
there is no reason why it should not be anonymous in the same way as traditional
cash. The needs of the police and law enforcement agencies seeking to track
down money laundering offenders therefore need to be balanced very carefully
against the advantages for privacy that anonymous payments provide. Limits
to the use of anonymous payment might need to be made, but only where there
is clear evidence that the anonymity of a transaction really does prejudice
the detection of money laundering. Small value transactions would not seem
to pose a problem in this regard, and even larger transactions (e.g. the
buying of expensive software on-line) are not likely means of laundering
money.
SUMMARY OF MAIN CONCLUSIONS
- The ability to choose to remain anonymous
is essential if individuals are to preserve the same protection for their
privacy on-line as they currently enjoy off-line.
- Anonymity is not appropriate in all circumstances.
Determining the circumstances in which the `anonymity option' is appropriate
and those in which it is not requires the careful balancing of fundamental
rights, not only to privacy but also to freedom of expression, with other
important public policy objectives such as the prevention of crime. Legal
restrictions which may be imposed by governments on the right to remain
anonymous, or on the technical means of doing so (e.g. availability of
encryption products), should always be proportionate and limited to what
is necessary to protect a specific public interest in a democratic society.
- Wherever possible the balance that has
been struck in relation to earlier technologies should be preserved with
regard to services provided over the Internet.
- The sending of e-mail, the passive browsing
of world-wide web sites, and the purchase of most goods and services over
the Internet should all be possible anonymously.
- Some controls over individuals contributing
content to on-line public fora (news-groups etc.) are needed, but a requirement
for individuals to identify themselves is in many cases disproportionate
and impractical. Other solutions are to be preferred.
- Anonymous means to access the Internet
(e.g. public Internet kiosks, pre-paid access cards) and anonymous means
of payment are two essential elements for true on-line anonymity.
Putting the Conclusions into Practice - Operational
Recommendations
The above conclusions, which are essentially
about the extent of the individual's legitimate right to anonymity in the
context of the Internet, set out the situation which needs to be brought
about if individual privacy is not to be eroded. The current situation
is very different. User access and activity on the Internet is very rarely
anonymous. Efforts to provide semi-anonymous services (e.g. anonymous re-mailers)
have run into regulatory problems, the technical configuration on Internet
protocols does not easily allow true anonymity, and the most widespread
payment means on-line remains the credit card, while experiments with anonymous
electronic cash have yet to break into the mainstream electronic marketplace.
For this picture to change, ways must be found
of putting the conclusions into practice. Actions should be undertaken
at a number of different levels:
1) Regulatory Environment
The principle that the collection of identifiable
personal data should be limited to the minimum necessary must be recognised
in the evolving national and international laws dealing with the Internet.
It should also be embodied in codes of conduct, guidelines and other "soft
law" instruments that are developed. Where appropriate this principle
should specify that individual users be given the choice to remain anonymous.
2) Technological Environment
Discussions within the World Wide Web consortium
should be intensified with a view to developing Internet infrastructure
and protocols which are conducive to anonymous user activity.
Research and development funding, (such as
that available under the Community's 5th Research and Technological Development
framework programme) should be targeted specifically at projects seeking
to develop anonymous means of payment over the Internet and anonymous means
of access (e.g. public Internet terminals).
3) Economic Environment
Governments should examine ways of providing
economic support to encourage the widespread adoption in the market place
of technologies which enhance privacy and allow individuals to remain anonymous.
For example a government could use its market power as a major customer
for IT products and services and include privacy and anonymity requirements
as a criterion for its own public procurement. Consideration could also
be given to favouring `privacy-friendly' products and services by way of
subsidies or tax benefits, as happens with environmentally-friendly goods
such as lead-free petrol.
4) Raising Awareness among Internet Users,
Access and Service Providers, and the IT industry
Most internet users are unaware of the privacy
risks that result from their on-line activity. There is an urgent need
for advice and guidance in this regard. Data protection authorities around
the world have an important role to play in the provision of such advice.
The guidance produced by the Spanish data protection commission shows the
way forward. Consideration must now be given to ensuring the widest possible
dissemination of such advice to the Internet community.
Equally those who collect and process data
over the Internet (access providers, service providers, websites) must
be made aware that they are already subject to existing data protection
laws requiring, inter alia, transparency and openness in the collection
of data, and restricting the purposes for which personal data can be used
and disclosed.
1) OJ no. L281 of 23/11/1995, p. 31
2) This latter issue had already been the subject
of a Green Paper and Commission Communication "Follow-up to the Green
Paper on Copyright and Related Rights in the Information Societies".
3) Ministerial Declaration of the Ministerial Conference
in Bonn on Global Information Networks, 6-8 July 1997,
4) Directive 97/.../EC of the European Parliament
and of the Council concerning the processing of personal data and the protection
of privacy in the telecommunications sector, adopted, but yet to be published.
5) Article 12 does include a provision which may
result in its scope being extended to cover areas such as gambling casinos
and dealers in objects of high value (art, antiques, real estate, precious
metals).
|