Datenschutz in der Europäischen Union
Homepage

Wir über Uns
Berlin
Deutschland
Europa
International
Recht
Technisch-Organisatorische Maßnahmen
Aktuelles
Kontrolle
Materialien
Service
Themen

Working Party on the Protection of Individuals with regard to the Processing of Personal Data

RECOMMENDATION 3/97
Anonymity on the Internet

Adopted by the Working Party on 3 December 1997

THE WORKING PARTY ON THE PROTECTION OF INDIVIDUALS WITH REGARD TO THE PROCESSING OF PERSONAL DATA,

- set up by Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995

- having regard to Articles 29 and 30, paragraph 3 of that Directive,

- having regard to its Rules of Procedure, in particular to articles 12 and 14 thereof,

has adopted the following recommendation:

The Working Party at its 8th meeting in Brussels on 3 December 1997 adopted the Discussion Paper XV/5022 ("Anonymity on the Internet") and took note of the Report and Guidance by the International Working Group on Data Protection in Telecommunications ("Budapest - Berlin Memorandum on Data Protection and Privacy on the Internet");

Recommends that the European Commission develops proposals on the basis of the attached Discussion Paper ("Anonymity on the Internet"; Annex 1) as well as of the recommendations made in the Budapest-Berlin Memorandum (Annex 2) to support their implementation through the appropriate international fora.

Discussion Paper - Anonymity on the Internet

Adopted at the 8th meeting.


Introduction

The rapid development of the Internet and the prolific growth in the types and number of services available over this new medium have been well documented. It is clear that the Internet phenomenon is already transforming the way we live and work as employees and citizens, bringing huge changes to the way goods and services are bought and sold, and reshaping the behaviour of organisations in both public and private sectors.

Such dramatic and wide-ranging changes inevitably bring new problems and new challenges for those involved in the process of defining, developing and enforcing public policy. Initially the main focus of attention for policy-makers was on the potential of the Internet both as a forum for criminal or undesirable behaviour `on-line' (such as the distribution of child pornography) and as a `safe' means of communication to facilitate criminal activities `off-line'.

At European level these concerns were the main motivating factor behind a series of initiatives: the Green Paper on the protection of minors and human dignity in audio-visual and information services (COM (96) 483 final), the Commission Communication on Illegal and Harmful Content on the Internet (COM (96) 487), the Council Resolution of 28 November 1996 on Illegal and Harmful Content, and the Report of the Working Party on Illegal and Harmful Content established by the informal Council meeting at Bologna.

Gradually, however, it has become apparent that many other issues are involved too. The Commission Communication "A European Initiative in Electronic Commerce" (COM (97) 157) seeks to widen the debate to include a whole series of other important areas of policy, such as taxation (particularly VAT) of on-line commercial activity, and the protection of intellectual property rights in respect of content distributed on-line.2

In all of these areas new ideas are being discussed, and new potential solutions put forward which aim to ensure that the traditional values and societal interests developed over many decades can continue to be upheld in this new technological age. A problem which cuts horizontally across many of these areas is the difficulty in detecting the fact that illegal activity has taken place and then identifying the liable person. Who is responsible for placing a particular piece of child pornography on the Internet? Who has downloaded a particular piece of copyright-protected material? Who has failed to declare VAT in respect of services offered on-line?

Faced with this problem an understandable response has been to suggest that all those wishing to access the Internet and its various on-line services should be properly identified, and that all on-line activity should be traceable.

The Privacy Perspective

The development of policy with regard to the Internet does not take place in a vacuum, but against the background of well-established principles and values. Critics of attempts to restrict or regulate activity in cyberspace frequently cite the right to free expression, a fundamental right guaranteed in Europe by Article 10 of the European Convention of Human Rights (ECHR) and incorporated as a general principle of Community law by Article F.2. of the Treaty on European Union. However, the right to privacy (Article 8, ECHR and similarly incorporated into Community law) is equally important when assessing any policy towards the Internet.

Over the past 25 years it has become apparent that one of the greatest threats to this fundamental right to privacy is the ability for organisations to accumulate large amounts of information about individuals, in a digital form which lends itself to high-speed (and now very low-cost) manipulation, alteration and communication to others. Concerns about this development and the potential misuse of such personal data has led all European Member States (and now the Community with directive 95/46/EC) to adopt specific data protection laws which set down a framework of rules governing the processing of personal information.

A basic data protection principle (see Articles 6(1)(c) and 7 of directive 95/46/EC) is that the personal data collected in any situation should be limited to that which is necessary and relevant to the purpose. All personal information is a potential threat to an individual's privacy and it is therefore necessary to ensure that, whenever such information is collected, it is for a legitimate purpose and that the amount of information collected is restricted to a minimum.

A feature of telecommunications networks and of the Internet in particular is their potential to generate a huge quantity of transactional data (the data generated in order to ensure the correct connections). The possibilities for interactive use of the networks (a defining characteristic of many Internet services) increases the amount of transactional data yet further. When consulting an on-line newspaper, the user `interacts' by choosing the pages he wishes to read. These choices create a `clickstream' of transactional data. By contrast more traditional news and information services are consumed much more passively (television for example), with interactivity being limited to the off-line world of newspaper shops and libraries. Although transactional data may in some jurisdictions receive a degree of protection under rules protecting the confidentiality of correspondence, the massive growth in the amount of such data is nevertheless a cause of legitimate concern.

As on-line services develop in terms of their sophistication and their popularity, the problem of transactional data will grow. Everywhere we go on the Internet, we leave a digital trace. As more and more aspects of our daily activities are conducted on-line, more and more of what we do, our choices, our preferences, will be recorded.

But the risks to our personal privacy lie not only in the existence of large amounts of personal data on the Internet, but also in the development of software capable of searching the network and drawing together all the available data about a named person. A recent article in the Minneapolis Star Tribune explained how one could compile a detailed biography of a randomly selected individual using such software and exploiting information from all the discussion groups in which the person participated. The newspaper was able to obtain the person's address and telephone number, place of birth, where he studied, his profession, his current workplace, his interest in amateur theatre, his favourite type of beer, his preferred restaurants and holiday destinations, and his views on such diverse subjects as Bill Gates and the `socially repressive' state of Indiana. There are already a number of sites in the United States offering such "look-up services" commercially.

Anonymous data - a way of addressing privacy concerns

Transactional data are only a threat to individual privacy if the data relate to an identifiable person. Clearly one way of addressing privacy concerns would therefore be to seek to ensure that wherever feasible the data traces created by using the Internet do not permit the identification of the user. With anonymity guaranteed, individuals would be able to participate in the Internet revolution without fear that their every move was being recorded and information about them accumulated which might be used at a later date for purposes to which they object.

The need for anonymity in on-line communications is already recognised as entirely legitimate in certain situations, for example where a victim of a sexual offence or a person suffering from alcohol or drug dependency wishes to share experiences with others, where an individual contemplating suicide wishes to consult specialist on-line help, or where some-one wishes to report a crime without fear of retaliation. In other situations guaranteed anonymity serves to underpin not only privacy but also freedom of expression, such as in the cases of political dissidents subject to a totalitarian political regime wishing to express their opposition to the political system in which they live and draw attention to human rights abuses.

But the need for anonymity goes much wider than these specific cases. For identifiable transactional data by its very existence will create a means through which individual behaviour can be surveyed and monitored to a degree that has never been possible before.

Reconciling privacy with other public policy objectives

It is clear therefore that the question of anonymity on the Internet is at the centre of a dilemma for governments and international organisations. On the one hand the possibility of remaining anonymous is essential if the fundamental rights to privacy and freedom of expression are to be maintained in cyberspace. On the other hand the ability to participate and communicate on-line without revealing one's identity runs against the grain of initiatives being developed to support other key areas of public policy, such as the fight against illegal and harmful content, financial fraud or copyright infringements.

Of course such apparent conflict between different public policy objectives is not new, and, as the Commission's Green Paper on the Protection of Minors and Human Dignity in Audio-visual and Information Services underlines, the European Convention of Human Rights already provides a framework for resolving such conflicts : a set of fundamental rights subject to certain restrictions for specified reasons, including the prevention of crime. In considering such restrictions the caselaw of the European Court of Human Rights has developed the principle of proportionality as crucial test of conformity of any restrictive measures applied to the fundamental rights guaranteed under the Convention.

The fact that such caselaw has developed demonstrates that it has always been necessary to balance conflicting public policy objectives. In the context of the more traditional `off-line' modes of communication, such as letter and parcel post, the telephone, newspapers, or broadcasting via radio and television, a balance between these objectives has been achieved. The challenge facing policy-makers today is to ensure that this balanced approach, which guarantees basic rights while permitting proportionate restrictions to these rights in limited and specified circumstances, is maintained in the new context of cyberspace. Central to this balance will be the extent of, and limits to, a person's ability to participate on-line in an anonymous fashion.

Learning from the past to find solutions for the future

There is a clear consensus that activity on the Internet cannot be exempted from the basic legal principles that are applied elsewhere. The Internet is not an anarchic ghetto where society's rules do not apply. Equally though, the ability of governments and public authorities to restrict the rights of individuals and monitor potentially unlawful behaviour should be no greater on the Internet than it is in the outside, off-line world. The requirement that restrictions to fundamental rights and freedoms be properly justified, necessary and proportional in view of other public policy objectives, must also apply in cyberspace.

This principle of treating the Internet no more or less favourably than older technologies is reflected both in the introduction to the Commission's Communication on Illegal and Harmful Content on the Internet which states "what is illegal off-line remains illegal on-line", and the Report of the Working Party on Illegal and Harmful Content on the Internet which sets out in its second proposal for further action the principle that "information on the Internet should be allowed the same free flow as paper-based information".

On the key issue of anonymity the same approach should be taken. As rightly stated in the "Bonn Ministerial Declaration"3, the principle should be that where the user can choose to remain anonymous off-line, that choice should also be available on-line. The various services and activities available over the Internet must be examined, and wherever possible analogies drawn with existing services using older more established modes of communication and means of delivery. Such comparisons will provide a valuable insight into those areas where the possibility to remain anonymous is desirable and those where it is not.

E-mail (point-to-point correspondence over the Internet)

Most e-mail communications currently identify the sender either by virtue of his/her own e-mail address or IP address. This information is usually available both to the recipient of the e-mail and the access and service providers involved in the provision of the e-mail service. There are, however, two types of alternative arrangements which provide a degree of anonymity:

1) anonymous re-mail services - where this is an option offered by the access provider, or where an individual makes use of a specific `anonymising' service to which he/she directs his e-mail. The anonymous re-mailer will send the message on in an anonymous form;

2) anonymous access to the network - where an individual is able to access the Internet anonymously by, for example paying in advance for a certain amount of on-line time and receiving an anonymous e-mail address, or accessing the network by way of a public Internet kiosk.

Anonymous re-mailing services involve the retention of a link between the sender of the message and the message itself which can be reconstituted at a later stage, for example in the context of a police investigation. It does not therefore guarantee anonymity in the same way as the second alternative and there need to be rules about the use made by the re-mailing service of the identifiable data it retains. But nevertheless both of these possibilities give important privacy benefits to individuals and need to be maintained and promoted.

The existence of an anonymous option for e-mail is particularly important if one compares the service with other traditional point-to-point communications technologies. The old-fashioned postal service, for example, is far more privacy friendly, in that the sending of a normal letter can be done in complete anonymity. The postal service provider is unable to collect any identifiable transactional data about the sender of the communication (unless the sender chooses to identify himself on the outside of the envelope). The most common payment system (the postage stamp) is also entirely anonymous. It is additionally possible for the sender to remain anonymous to the recipient of a letter.

Traditional telephony services also offer a greater degree of anonymity than e-mail. The widespread availability of public kiosks allow anonymous access to the network, and services can be paid for with cash or anonymous pre-paid cards. Phone calls carried out in this way create no identifiable transactional data. Where a subscriber calls using his/her own private phone transactional data are created, however, and it has been necessary to introduce data protection rules (now in the process of harmonisation at Community level as a result of the `ISDN' directive4) to limit the retention period for such data and the purposes for which they may be used. Nevertheless the caller will remain anonymous as far as the recipient of a call is concerned until the called party chooses to pick up the phone, unless a system of calling line identification (CLI) is in place, which allows the caller's number to be displayed to the called party before the call is answered. The impact of CLI on the privacy of parties to telephone calls is such, however, that a specific article in the above-mentioned directive has been considered necessary to ensure that individuals are able to block the transmission of their number where they wish to do so. This provision represents a precedent, which may be considered in the field of point-to-point online correspondence.

There may be circumstances in which restrictions to anonymous e-mail communication are justified, for example if there is reason to suspect that a particular communication is linked to the planning of a terrorist act or other serious criminal offence. The effect of such restrictions may be to require an anonymous remailer to supply to the police the true identity of the parties to a communication. However, any such restrictions should respect the test of proportionality and be applied strictly on a case by case basis.

Newsgroups, Bulletin Boards, and other Public Discussion Fora

Communication over the Internet does not always take the form of point-to-point private correspondence. `Newsgroups' and `chat rooms' dedicated to particular subjects or shared interests are numerous and very popular. Here individuals that contribute material do so in the knowledge that it is intended to be accessible to a wider public that could include children or other vulnerable individuals. In such a situation there are genuine concerns about the nature of the content that is contributed, and a genuine need to ensure that inappropriate content is not made available in such open fora, and/or that a liability exists if any of the content made available proves to be illegal.

There are various possibilities by which a degree of control can be exerted over such `newsgroups'. One suggestion is that all those contributing material should be identifiable, and that a data trace is kept whenever material is contributed. There are question marks, however, as to whether this is a proportionate, and indeed practicable, response to the problem. After all in the non-virtual world there are numerous notice boards in workplaces, schools and universities on which individuals are invited to place material. It is not conceivable that access to such noticeboards would be closely monitored in this way.

Other possibilities do exist, however. For instance, contract solutions may be developed to guarantee a certain degree of "content quality". Or, the provider of the newsgroup service could ensure the constant involvement of a `moderator' in newsgroups, whose role would be to monitor contributions for illegal and harmful content. Such moderators could ensure that unsuitable content be quickly removed and that individuals actually in the process of contributing such material be disconnected from the group. Telephone `chat lines' and `party lines' have traditionally used such mechanisms to moderate the behaviour of participants. It is even possible that the service provider be given a degree of legal liability for the material made available, thus having a direct interest in vetting all incoming material and only publishing that which is considered lawful and acceptable for public consumption. In this scenario the anonymity of contributors can be maintained, while the service provider takes on a role akin to that of the editor of a newspaper's letters page.

This might also be an area where technological solutions could play a role. If completely anonymous access to some public fora were to be deemed problematic, nevertheless individuals maybe permitted to gain access on the basis of a `pseudo-identity' attributed to them by a specialist service provider similar to the anonymous remailers discussed above. In such cases, while anonymity would normally be respected, if criminal activity were suspected, a link with the true identity of the individual user could be reconstructed.

It is clear that entirely anonymous contributions to public discussion fora raise difficulties, which are not present in simple point-to-point communication, and that appropriate mechanisms must be developed to prevent misuse of such fora. However, the fundamental rights of privacy and freedom of expression must not be restricted in a disproportionate way by systems of compulsory identification, particularly when other more proportionate means of controlling and moderating content are available.

Passive Browsing of Internet World Wide Web Sites

Most of today's World Wide Web sites exist primarily to give information to the public at large, and millions of individuals pass their time on-line idly browsing the myriad of different sites available.

The closest analogy to this practice in the non-virtual world would be that of browsing in a public library or a bookshop, or wandering through the high street window-shopping. Like on-line browsing, there is often no intent to purchase, but simply an impulse of curiosity to see what is available. A key difference though is that while browsing in a library or wandering the high street can be done in almost complete anonymity, browsing on the Web invariably leaves a permanent and identifiable digital record behind.

There is no public policy or general interest justification for such traces to be identifiable, unless the user wishes them to be so. Of course the collection of the names and e-mail addresses of visitors to a commercial website will often be valuable data to the website owner, who may wish to use the data for marketing purposes. However, any such data collection from individuals who are simply browsing must be entirely transparent and must take place on the basis of the user's informed consent. Individuals wishing to browse the World Wide Web anonymously must be entirely free and able to do so.

Purchasing goods and services over the Internet

As secure means of payment are developed, together with mechanisms for data integrity and authentication of transactions (e.g. digital signatures), the Internet will increasingly become a mainstream area of commercial activity where individuals go not only for information, but also to buy goods and services. In this context the question arises as to whether an individual must be identifiable in order to make purchases over the Internet or whether the option of anonymity should still be available.

In the non-virtual world anonymous payments with cash are common, and indeed this is considered the most convenient and efficient way of paying for goods and services, particularly those which involve relatively small amounts of money. The vendor in a small corner shop is not interested in the identity of his customer, but solely in the fact that the cash being offered to him is authorised legal tender.

For larger purchases it is often inconvenient for both the purchaser and vendor to use cash. Banknotes take up a lot of space in a wallet or a cash till. There is also the security risk in keeping too much cash. For these reasons non-anonymous payment methods such as cheques or debit cards tend to be preferred when the amount of the purchase is large.

Of course when payment is made using credit, anonymity is no longer an option. When buying on credit the individual incurs a debt for which he/she is liable. There must therefore be a record created which links the individual to the debt incurred. When a conventional credit card is used the individual's liability is to the issuer of the card rather than directly to the vendor, but nevertheless an identifiable trace of the transaction will be needed.

Electronic commerce over the Internet should in principle follow the model which has been established for off-line payments. Individuals should be allowed to choose from a variety of secure payment methods, among which should be the possibility of an anonymous system. Anonymous electronic cash should indeed have some significant advantages over traditional cash which would make its use even more attractive. First, unlimited amounts could be held conveniently, on a small card for example. Second, the card could, without affecting its anonymity, incorporate security features, such as an individual access code known only to the purchaser, which would greatly reduce the risks in the event of losing the card. Such features could make anonymous electronic cash an attractive option even for large purchases on-line.

A key requirement is that any such electronic cash is verifiably `real money'. This implies the inclusion of technical anti-counterfeiting features which guarantee the authenticity of the electronic cash, without affecting the possibility of using it anonymously.

There are, however, other public policy considerations which must be taken into account in the assessing the desirability of anonymous payment methods on-line. Chief among these is the fight against money laundering. The laundering of large sums of money obtained from criminal activities typically such as drug trafficking, either anonymously or by using a fictitious identity, is a serious problem. To help combat this activity a directive was adopted in 1991 (91/308/EEC) seeking to prevent the use of the financial system for money laundering purposes. Key provisions in this directive require credit and financial institutions to require identification of their customers prior to entering into a business relationship with them and to keep records of transactions for a minimum period of at least five years.

This directive is not in itself, however, incompatible with anonymous payment. Its prime focus is on transactions with banks and other financial and credit institutions5, whereas systems of anonymous electronic cash would be used essentially for transactions between individuals and merchants who are not part of the financial system. It would be normal for an individual to need to prove his/her identity before withdrawing electronic cash from a bank, and perhaps when depositing large quantities of electronic cash. But once the cash is in his/her position, there is no reason why it should not be anonymous in the same way as traditional cash. The needs of the police and law enforcement agencies seeking to track down money laundering offenders therefore need to be balanced very carefully against the advantages for privacy that anonymous payments provide. Limits to the use of anonymous payment might need to be made, but only where there is clear evidence that the anonymity of a transaction really does prejudice the detection of money laundering. Small value transactions would not seem to pose a problem in this regard, and even larger transactions (e.g. the buying of expensive software on-line) are not likely means of laundering money.

SUMMARY OF MAIN CONCLUSIONS

  • The ability to choose to remain anonymous is essential if individuals are to preserve the same protection for their privacy on-line as they currently enjoy off-line.
  • Anonymity is not appropriate in all circumstances. Determining the circumstances in which the `anonymity option' is appropriate and those in which it is not requires the careful balancing of fundamental rights, not only to privacy but also to freedom of expression, with other important public policy objectives such as the prevention of crime. Legal restrictions which may be imposed by governments on the right to remain anonymous, or on the technical means of doing so (e.g. availability of encryption products), should always be proportionate and limited to what is necessary to protect a specific public interest in a democratic society.
  • Wherever possible the balance that has been struck in relation to earlier technologies should be preserved with regard to services provided over the Internet.
  • The sending of e-mail, the passive browsing of world-wide web sites, and the purchase of most goods and services over the Internet should all be possible anonymously.
  • Some controls over individuals contributing content to on-line public fora (news-groups etc.) are needed, but a requirement for individuals to identify themselves is in many cases disproportionate and impractical. Other solutions are to be preferred.
  • Anonymous means to access the Internet (e.g. public Internet kiosks, pre-paid access cards) and anonymous means of payment are two essential elements for true on-line anonymity.

Putting the Conclusions into Practice - Operational Recommendations

The above conclusions, which are essentially about the extent of the individual's legitimate right to anonymity in the context of the Internet, set out the situation which needs to be brought about if individual privacy is not to be eroded. The current situation is very different. User access and activity on the Internet is very rarely anonymous. Efforts to provide semi-anonymous services (e.g. anonymous re-mailers) have run into regulatory problems, the technical configuration on Internet protocols does not easily allow true anonymity, and the most widespread payment means on-line remains the credit card, while experiments with anonymous electronic cash have yet to break into the mainstream electronic marketplace.

For this picture to change, ways must be found of putting the conclusions into practice. Actions should be undertaken at a number of different levels:

1) Regulatory Environment

The principle that the collection of identifiable personal data should be limited to the minimum necessary must be recognised in the evolving national and international laws dealing with the Internet. It should also be embodied in codes of conduct, guidelines and other "soft law" instruments that are developed. Where appropriate this principle should specify that individual users be given the choice to remain anonymous.

2) Technological Environment

Discussions within the World Wide Web consortium should be intensified with a view to developing Internet infrastructure and protocols which are conducive to anonymous user activity.

Research and development funding, (such as that available under the Community's 5th Research and Technological Development framework programme) should be targeted specifically at projects seeking to develop anonymous means of payment over the Internet and anonymous means of access (e.g. public Internet terminals).

3) Economic Environment

Governments should examine ways of providing economic support to encourage the widespread adoption in the market place of technologies which enhance privacy and allow individuals to remain anonymous. For example a government could use its market power as a major customer for IT products and services and include privacy and anonymity requirements as a criterion for its own public procurement. Consideration could also be given to favouring `privacy-friendly' products and services by way of subsidies or tax benefits, as happens with environmentally-friendly goods such as lead-free petrol.

4) Raising Awareness among Internet Users, Access and Service Providers, and the IT industry

Most internet users are unaware of the privacy risks that result from their on-line activity. There is an urgent need for advice and guidance in this regard. Data protection authorities around the world have an important role to play in the provision of such advice. The guidance produced by the Spanish data protection commission shows the way forward. Consideration must now be given to ensuring the widest possible dissemination of such advice to the Internet community.

Equally those who collect and process data over the Internet (access providers, service providers, websites) must be made aware that they are already subject to existing data protection laws requiring, inter alia, transparency and openness in the collection of data, and restricting the purposes for which personal data can be used and disclosed.


1) OJ no. L281 of 23/11/1995, p. 31

2) This latter issue had already been the subject of a Green Paper and Commission Communication "Follow-up to the Green Paper on Copyright and Related Rights in the Information Societies".

3) Ministerial Declaration of the Ministerial Conference in Bonn on Global Information Networks, 6-8 July 1997,

4) Directive 97/.../EC of the European Parliament and of the Council concerning the processing of personal data and the protection of privacy in the telecommunications sector, adopted, but yet to be published.

5) Article 12 does include a provision which may result in its scope being extended to cover areas such as gambling casinos and dealers in objects of high value (art, antiques, real estate, precious metals).

Seitenanfang


Overview of the documents from the Group 29 Overview of the documents from the Group 29

  Berlin,
  am 14.09.1998
mail to webmaster