ANON: Before you joined the Anonymity Project, what sorts of topics were you researching at the Information Privacy Commission of Ontario? Was that work related to the broad sets of issues surrounding anonymity/identity/authentication?

KEN ANDERSON: As an organization, our research includes both policy and legal work. We have a proactive approach to the issues of the day. We have been researching privacy and security issues such as the security of the state in the post 9/11 climate. In particular we commented on federal and provincial legislation in reaction to that event. In order to do that, we had to go back and take a fresh look at some of the traditional ideas about privacy and security and see whether authentication and ID management are valid components of a security system.

We are also exploring privacy and technology, including commercial transactions as well as everyday use of computers and the internet. The IPC is also looking at how technology fits into non-commercial organizations and at the increasing use of biometrics as the access points into computers and data systems.

Surveillance is another area that the IPC has explored. Under our public sector privacy legislation we have police forces and municipalities and others who have interests in using video surveillance as a law enforcement tool. And finally, we have explored privacy issues in the health area including health and genetics.

ANON: What is the difference between anonymity and privacy and how does all of this fit in with the IPC's general mandate?

KEN ANDERSON: Privacy has an emotional component. What if there were photographs of yourself where you're not identified and no one knows who you are but you're aware that those photographs are out there. You may be 'exposed' in an anonymous form and yet some people may still feel that their privacy has been invaded; they might feel badly that they know that people are looking at these pictures, even though nobody knows in the end who that was. Privacy also includes a desire to control the slices of information or the access to oneself. Anonymity is an aspect of privacy where a particular set of identity is unknown. Then you get into all these issues about identity. You can have somebody be anonymous but not private. You can probably even have them be private but not anonymous; they're not always overlapping. Looking at those overlaps is a subject for our research.

These concepts come under our mandate both in a very direct way for how we run our commission, how we do our tribunal work and what information we put out. For example, when we're publishing results from a privacy investigation, we have to decide whether to publish names, or if leaving out names is sufficient. They also come into our work in a more academic way when we make comments on programs and do research and publish papers.

ANON: Do you think privacy law has addressed the issue of anonymity adequately?

KEN ANDERSON: I don't think privacy law such, as the public sector law in Ontario, has been addressed in a forward, positive way. You come closer to it when you look at the CSA (Canadian Standards Association) Code and PIPEDA, in terms of limiting the collection and use of information. Part of that comes from newer laws building on the experience of older laws and newer awareness. The older pieces of legislation, such as Ontario's public sector law dating from 1988, don't cover those things off as explicitly. Health legislation spends more time on notions of anonymity and to what level you anonymize and whether identifying information can be reconstructed ever or just reasonably.

There are a number of reasons why you probably are not going to move off to a pure form of anonymity. First, you have valid concerns of security and safety where there has to be some non-anonymity and identity. Second, you have issues of defamation and bullying. Or you have commercial defamation, where people go online and make statements about a company's stock going down. So you see a continuum, with total anonymity all the time at one end and total exposure all the time at the other end. Where do you move in the middle? Are there ever times when the default is anonymity but there is a process for removing that if there is some identified events? I do not think we are going to move off to a pure anonymity setting, but I think it is important for us in understanding that continuum to do exactly the kind of research we're doing now.

ANON: Do you think we have more protection for anonymity in Canada than in the US? What about Europe?

KEN ANDERSON: Generally no, but you can think of specific cases where you could argue that in a certain instance we might have more anonymity protection. As an example, you could say that we seem to have a fair bit of reluctance in our courts to have ISPs release the names of users, as we have seen recently. But by and large, I do not think, when you look at the actual practice, and not just individual pieces of legislation, we have a lot more protection for anonymity than the US or Europe.

ANON: You've written about the privacy/security conflict. How do you think these two important interests will ultimately be reconciled?

KEN ANDERSON: I think they will only be reconciled to the extent one wants to reconcile them. For instance, consider the technology and security in airports: You walk through a security device that basically sees through your clothing. So you have the image of a nude person going through there. Well, you can have scanners that do not actually show the whole of the nude body, but still check for metal objects and plastics. You can do that in a way that can reconcile privacy interests and address security interests. In order for this to occur, you need the people who are administering these devices to have some appreciation of the privacy issues at stake. You also need to have the people going through the scanners care. Amazingly enough, as Jeffrey Rosen has written about in the States, you find a huge number of people who do not care. So while you could probably work out an elaborate dance to balance the interests in theory, you need to have the different stakeholders care about doing that dance. Until there is more discussion across the public these issues will remain polarized.

ANON: You wrote about "Copyright, Courts & Criminals". What does Copyright have to do with anonymity or privacy?

KEN ANDERSON: This issue is all about Digital Millenium Copyright Act in the States and Copyright Reform here in Canada. But the same thing happens in money laundering and other areas, as in the recent recording industry case in Canada. If it is felt that somebody is violating copyright and using electronic means to do it, then what was being proposed in copyright reform in Canada was that Government, police or record companies could ask that those ISPs be forced to release the names of those persons. Now, I use an ISP in a commercial way, I pay some money and I get access and services, and I do not contemplate that they are going to take my name and maybe my user activities and forward them to someone else. I think that information is necessarily incidental to our commercial transaction, but is not something that these people should be further using.