
 

Case studies

Two case studies have been conducted in the Netherlands in order to evaluate the extent to which the identification process has changed, and the extent to which the citizen has become more anonymous or more identified by the government when new technologies are applied in the process of public service provision. The first case, application for a tree felling permit in the city of Dordrecht, was selected because this is a typical example of a widespread, simple service that is increasingly being delivered by electronic means. Although DigiD, a recently introduced measure for citizens to identify themselves in the realm of online public services, is implemented in many municipalities, most municipalities only use DigiD to allow citizens to request information electronically (e.g., Attesta Vita or certified copy of an entry of birth). Dordrecht is a leader in electronic municipal government and one of the very few municipalities that already use DigiD for electronic personal data exchange, as is the case with the application for a tree felling permit. The second case, border passage at Schiphol Airport, was selected for being an exceptional case. Electronic border passage uses a biometric identification, an iris scan, to identify individuals, which is uncommon in public service provision.

In both case studies the traditional identification process was compared with the electronic identification process to see whether the identification processes differ from each other and to see whether a shift in the identifiability-anonymity continuum could be observed. The identification process is understood as all personal information that is asked for, gathered, stored, matched, used, and shared, i.e., the identity knowledge about an individual. The amount of personal information in the identity knowledge was considered and the personal information was classified according to the five different types of identity information, as distinguished by Marx (2005), to establish the nature of the personal information by the distance from the core identity. Finally, the identity knowledge of the provider of the public service was explored. In the first case, the traditional and electronic services are provided by the same organisation, i.e., the city of Dordrecht. In the second case, however, another party is involved in providing the electronic service.

Case study 1: The application for a tree felling permit

In the Netherlands, each municipality has its own regulation for tree felling. In practice, however, the regulations of the different municipalities are very similar to each other and in almost all municipalities one has to apply for a tree felling permit. The application was traditionally paper-based but Dordrecht provides electronic application for a tree felling permit by means of DigiD as well. (www.egem.nl) 

DigiD is the abbreviation of ‘digital identity’; it is a system used to authenticate individuals in the online environment. It is controlled by GBO.Overheid, which is part of the Ministry of Internal Affairs & Kingdom Relations (Ministerie van Binnenlandse Zaken en Koninkrijksrelaties). Together with Inland Revenue (Belastingdienst), GBO.Overheid is making DigiD available for the public at large. DigiD can be used in online relationships with many public service providers: municipalities, local governments, Inland Revenue, central student system (Informatie Beheergroep), and land registry office (Kadaster) for example. One can apply for DigiD on the website of DigiD by filling in a social security number, birth date, postal code, house number, and email address. Then the self chosen username and password have to be filled in. Within a few days, an activation code is sent to the home address and after DigiD is activated online it can be used. (www.digid.nl)

The data for this case were collected from several sources: an interview with the project leader of DigiD (and Advisor Information Management) of the city of Dordrecht, information provided by the Dordrecht department that decides on applications for a tree felling permit, including the forms used in this process, and Internet sources.

Findings

For the traditional, paper-based application for a tree felling permit, the form can either be obtained at the counter at the city hall or be downloaded from the website of the city of Dordrecht (DigiD is not needed). This paper form has to be filled in and the following personal data are asked for: name (i.e., surname and initials), address, postal code, place of residence, private phone number, mobile or business phone number, place of signature, date of signature, and signature. The paper form has to be sent back by post or can be delivered at the city hall.

To obtain the digital form, the citizen has to authenticate himself or herself by means of DigiD. When the button of the web form is clicked, a redirection to the DigiD website takes place. On this website one has to log in with the DigiD username and password and the user is authenticated. This authentication is digitally sent to the City of Dordrecht who verifies this authentication. After verification, the social security number of the applicant is sent by DigiD to the city of Dordrecht; there it is matched with data from the municipal Personal Records Database (Gemeentelijke Basis Administratie, GBA). This database contains the following personal information: name, address, place of residence, gender, birth date, and social security number. The digital application form, on which the name, initials, address, postal code, and place of residence are already filled in, is sent to the applicant. The form has to be filled in further with the following personal information: private phone number, mobile or business phone number, and email address, and then it has to be electronically submitted. 

Both forms will first arrive at the department ‘Information Process Management’, where they will be stored. The digital form can be saved directly; the paper form is scanned and then saved. In the ‘Vaststellingsbesluit selectielijst archiefbescheiden gemeentelijke en intergemeentelijke organen vanaf 1 januari 1996’ it is decided that a tree felling permit is subject to the general provisions on archiving as laid down in the ‘Archiefwet’ 1995 (Archive Act). This decision states the minimal term an application has to be retained. Granted permits have to be retained at least one year; denied, withdrawn, or lapsed permits have to be retained at least three years. Dordrecht, however, extended both terms of retention to ten years, so the information can be consulted at a later date (e.g., when the applicant has been granted the permit but has the obligation to replant or when one suspects that a new application for a tree felling permit has been made for the same location). Every official of the municipality is allowed to consult this information. According to the ‘Wet Openbaarheid van bestuur’ (Freedom of Information Act), every citizen can request information about tree felling permit applications. These citizens have access neither to the actual documents nor to all personal information; only the relevant information is communicated. In the case of a tree felling permit this relevant personal information is the location (i.e., address) where the trees are or were located. The number and species of the trees is also communicated, but this is not considered personal information. After being stored at the department ‘Information Process Management’, the paper form or a print of the digital form is sent to the department ‘Stadswerken’ (City Works), where the application is handled. The personal information is copied and put in the computer where it is retained for a couple of years.

If it is doubtful whether the applicant is the legal owner of the land, and hence legally justified to apply for a tree felling permit, the name and location (i.e., address) will be matched with the information in the software program ‘Flexigis’. This program contains a Geographic Information System, e.g., information from the land registry office. The private, mobile, and business phone numbers and, when it concerns a digital application, the email address can be used to contact the applicant for more information. After a decision is made, the decision is communicated back to the applicant by mail, using the applicant’s name and address. The decision is published in the local newspaper, reporting the address, the number and species of the trees, and the motivation of the applicant for felling these trees. This information is also available at the City hall for a period of six weeks, so other citizens can officially object to the decision.

Interpretation and conclusion

The main differences between the traditional and electronic identification processes take place in the front office (see table 1 in the appendix). In the traditional identification process, all personal information is directly asked for and no additional information is gathered from other sources. The electronic identification process has a different sequence of the various parts of the procedure. Because information is also gathered from another source, less information is directly asked but the amount of information that is collected (i.e., directly asked and gathered from other sources) roughly equals that of the traditional identification process. In the back office, the procedures for both forms are similar.  

In contrast to the traditional identification process, the electronic identification process uses the social security number to authenticate the applicant and match the number with the name, initials, and address, but this number is not stored or used in the dispatch of the application. Sometime in 2007, the social security number will be replaced by the citizen service number, which is the same number but which can be used in more relationships with public and probably private service providers as well (e.g., health organisations, health insurance companies, banks, and land registry office). Although the systems of the different service providers are not linked and DigiD is only used to authenticate individuals, it will be easier to collect information about an individual from various sources when the same unique identification number is used. 

Apart from the social security number, the electronic application also requests an email address of the applicant. The email address can reveal little or much information about the applicant. One_two_three@hotmail.com for example does not reveal any information, whereas John.Anderton@PreCrime.org does not only reveal the applicant’s first and last name but also the company he works for, at least on the face of it.  

The paper form also requests the signature of the applicant to validate the correctness of the personal information (i.e., the applicant is who he claims to be). Place and date of signature are requested too. Place and date are often requested when a signature is asked for; this originates from the signing of contracts, but in this context it is more a habit than a necessity. The signature, although being unique information about an individual, is not used in the dispatch of the application.

According to Marx’ five different types of identity information, name and address are private information, because this information is unknown until communicated. Together, however, they form a relatively unique identification of an individual. The phone numbers (i.e., private, mobile and business) are also private information. It is fairly easy to get a name and address attached to the private phone number, but this is more difficult for mobile or business phone numbers.

The traditional and the electronic applications for a tree felling permit are handled by the same organisation (i.e., the city of Dordrecht), so it is irrelevant to address the identity knowledge capacity of the organisation. 

In conclusion, there are only minor differences between the traditional and electronic identification processes and these differences mainly occur in the front office. Depending on the information revealed by the email address, the electronic identification process can identify the citizen slightly more. The citizen can thus become more known by using the electronic form when applying for a tree felling permit, but this increase is only marginal, and it is information that the citizen can normally choose himself to share or not, e.g., by choosing an anonymous or non-revealing email address. 

Case study 2: Border passage at Schiphol Airport

To establish whether an individual may enter or leave the Netherlands, the individual needs to be identified. Identification takes place by passport, identity card, or another official travel document. Residents of the Netherlands can apply for a travel document at ‘Afdeling Burgerzaken’ of the municipality where they are registered in the Municipal Personal Records Database (Gemeentelijke Basis Administratie, GBA). Application has to be done in person, and all travel documents in possession (Dutch and foreign) and a colour passport photo that is a good likeness and complies with the standards have to be presented. Anyone with a Dutch nationality can apply for a travel document, but children under 18 wishing to apply for a passport need written permission of both parents (or legal guardian). The same applies to children under 12 wishing to apply for an identity card.

Travel documents are produced and personalized at a central facility in the Netherlands and contain the following personal information: nationality, surname, given names, date of birth, place of birth, height, gender, and personal number (i.e., social security number). The same data is also stored in the machine readable zone of the travel document. The photo and the signature are also on the travel document. Travel documents issued on or after 26 August 2006 also contain a chip. This chip is invisible and it is incorporated in the data page of the travel document. The chip contains the photograph in colour (the ‘facial’ image) and all the data that are printed on the data page, except for the signature. A special piece of equipment is required to read the data in the chip. The ‘reader’ shows the information on the screen but the reader does not store the data it has read. The reader is provided by the Ministry of Interior at various locations in the Netherlands (i.e., 27 municipalities and Schiphol Airport). (www.paspoortinformatie.nl) All data that were collected in the application process of the travel document and the data about the travel document (i.e., document number, expiry date, and municipality where the travel document is issued) are stored in the ‘reisdocumentenadministratie’ (travel document administration) and kept there for eleven years (Paspoortuitvoeringsregeling on wetten.overheid.nl).

To facilitate a faster border passage, Amsterdam Schiphol Airport developed a biometric identification system. The iris is unique for every individual, so identification and authentication of an individual can take place by iris scan. The iris scan equipment is designed by Amsterdam Schiphol Airport and is approved by the Ministry of Justice and the ‘Koninklijke Marechaussee’ (KMar) (border police). The iris scan is called Privium and one can apply for a Privium card by filling in the application form. After receiving a letter of confirmation, an appointment at the Privium Service Point for a scan of the iris pattern and to pick up the Privium card has to be made. The appointment at the Privium Service Point consists of three parts: identity papers are checked, the iris patterns of the eyes are scanned and a brief explanation on how to use the Privium card is given. From the iris scan, a maximum of 256 measuring points can be recognized. These measuring points can be used to reproduce the pattern of light and dark of the iris, which is unique for every individual. The scan is only stored on the Privium card and not in a database. When an individual crosses the border, the iris is scanned and the data obtained is compared with the data stored on the card. (www.schiphol.com/privium) The Privium card is not replacing a passport, so a valid travel document is still needed to travel to other countries.

Passport control, however, is not always necessary when crossing a border. To facilitate free movement within an area without internal border controls, several countries signed the Schengen Agreement on the gradual abolition of checks at the common borders in 1985. The Schengen Convention was signed in 1990 and came into effect in 1995. The Schengen Convention abolished the checks at internal borders of the signatory countries and created a single external frontier, where the checks for all signatory countries were to be carried out in accordance with a common set of rules. Countries that are now signed up to the Schengen Convention are: Belgium, Denmark, Germany, Greece, Spain, France, Italy, Luxembourg, Netherlands, Austria, Portugal, Finland, Sweden, Iceland, and Norway. (www.ec.europa.eu) 

The data for this case were collected in several ways. Due to time constraints it was not possible to hold an interview with an employee of Privium. The data from Privium were collected using Internet sources, a Privium user was interviewed, and a phone call was made to Privium to get the remaining questions answered. This user sent an email to Privium to ask which personal data were collected and for which purposes, who has access to these personal data and for which purposes, and what data exchange takes place and for which purposes. Privium answered these questions by email. The data for traditional border passage were mainly collected by using the Internet, but two telephone calls were also made to the Koninklijke Marechaussee (KMar) to get some remaining questions answered.

Findings

When travelling to or from a non-Schengen country, the travel document is checked by the KMar for genuineness. Then the passport photo is matched with the individual and possibly the height and year of birth, reported on the travel document, are taken into account to establish whether this person is the same as the person on the photo. In addition, some personal information (most likely this contains the name, date of birth, and place of birth because this is the same information that is stored on the Privium card, but the KMar refused to answer questions about this) is entered in the computer, when the passport does not contain a chip, or the data on the chip is read by the ‘reader’, when the passport is equipped with a chip. The obtained data is compared with data in the Schengen Information System (SIS). The SIS was set up to allow police forces and consular agents from the Schengen countries to access data on specific individuals (e.g., persons wanted for arrest for extradition purposes, aliens for whom an alert has been issued for the purpose of refusing entry, missing persons or persons needing temporary police protection, witnesses and persons summoned to appear before judicial authorities, and persons submitted to discreet surveillance or specific checks for the purpose of prosecuting criminal offences or for the prevention of threats to public services) and on goods which have been lost or stolen. These data are supplied by all participating countries via national sections (N-SIS) that are connected to a central function (C-SIS). The SIS is supplemented by a network known as Sirene (supplementary information request at the national entry) which allows communication between the Sirene offices in every member country. 
(Benyon, 1994; www.ec.europa.eu; www.politie.nl) The Dutch are, when leaving the Schengen area, also checked for unpaid fines or unserved sentences by matching name, date of birth, and personal number with data in the ‘Recherchebasissysteem’ (RBS) (database of the detective force which contains all criminal offences). (www.mpbundels.mindef.nl)

The data about the border passages of individuals to a non-Schengen country are, according to the explanation of the Act ‘Wijziging Paspoortuitvoeringsregeling 2001’, stored in a database that is managed by the KMar. The KMar, however, denies that it stores information about border passages of individuals. Which data are stored is unclear, but most likely these include name, date of birth, place of birth, and travel date. To perform their duties and to fight international terrorism, this database can be accessed by the ‘Algemene Inlichtingen- en Veiligheidsdienst’ (General Intelligence and Security Service) and the ‘Militaire Inlichtingen- en Veiligheidsdienst’ (Military Intelligence and Security Service) and they can match this data with the personal data from the database ‘reisdocumenten-administratie’. (Wijziging Paspoortuitvoeringsregeling on wetten.overheid.nl)

When applying for a Privium card, one has to fill in an online form at the Schiphol/Privium website. The personal data have to be filled in exactly according to the passport and they are: surname, all initials, date of birth, place of birth, nationality, type of travel document (i.e., passport or European identity card), travel document number, expiry date of the travel document, home address (i.e., street name, house number, postal code, city, and country), and email address. Private and business phone numbers are optional to fill in. A different invoice address (e.g., of the company) is also optional and when left blank the home address will be used. A payment method has to be chosen and when a direct debit from a bank account is chosen, the Dutch bank account number is also requested. These data are stored in the Privium database and some of these data are shared with the KMar, but which data is unclear. 

After receiving a letter of confirmation, an appointment at the Privium Service Point for a scan of the iris pattern and to pick up the Privium card has to be made. Before a scan is made, the travel document is checked by the KMar for genuineness, after which the passport photo is matched with the individual and possibly the height and year of birth, reported on the travel document, are taken into account to establish whether this person is the same as the person on the photo. Then, the irises of both eyes are scanned and the template of the iris scan is stored on the chip of the Privium card along with the Privium card number, name, date of birth, and place of birth. The iris scan is only stored on the card and nowhere else.  

When a Privium member travels to or from a Schengen country, the Privium card can be used to gain fast access into the clean area. The iris scan itself is not used, because the identity of the traveler does not need to be checked when travelling in the Schengen area. The Privium Card has to be inserted in the reader and the gate will open. Whenever the Privium Service is used, not only the date and time at which the card was inserted will be processed, but also the name, date of birth, and place of birth of the user. The KMar has access to these data at all times. In contrast to the traditional border passage, the ticket is not checked as a matter of course, but the KMar and the Security Staff may check tickets at random.

Using Privium and travelling to or from a non-Schengen country, however, requires an iris scan. The card has to be inserted in the reader and the Privium member has to look in the scanner so an iris scan can be made. At least four, simple, digital, black and white photographs are made of the eye in less than a second. A code is calculated on the basis of one of the photographs and this code is then compared with the template of the iris which is stored on the Privium Card. If the iris recognition fails, the passport will be checked by the KMar. The other data on the card (i.e., name, date of birth, and place of birth) are automatically matched with the SIS and the RBS to see whether the person is allowed to leave or enter the Netherlands. When there is a match between the data on the card and the data in the SIS or RBS, the gate will not open and a passport check by the KMar will be needed. Although Privium facilitates automatic border passage without manual checks on passports and tickets, the KMar still carries out random checks on passports and tickets of Privium members.

The use of the Privium card (i.e., date and time) as well as user data (i.e., name, date of birth, and place of birth) is stored in the Privium database. The Privium database is accessible at all times by the KMar, because the KMar needs information about border passages of persons for safety reasons. (www.schiphol.com/privium) 

Interpretation and conclusion

The main difference between the traditional and electronic identification processes is that the personal information of a Privium user is stored in yet another database (i.e., the Privium database) and that the data stored also include address and email address. In addition, data storage also occurs when the Privium user travels to a Schengen country and these data are accessible by the KMar, whereas with traditional border passage personal data are not stored (see table 2 in the appendix).  

When travelling to a non-Schengen country, the travel document or Privium card is asked for. Although the travel document contains more personal information than the Privium card (see table 3 in the appendix), the KMar can easily access databases where the information on the travel document is stored (i.e., Privium database or Reisdocumenten-administratie). Because the actual identification of the individual takes place manually in the traditional border passage, the identification is less reliable than the automatic identification of comparing the template of the iris with the iris scan of the individual. Not only is there a higher chance of making mistakes, but also the passport photo is a less unique identifier than the iris template. People can change their hair style or glasses and thus look different than on the photo. In addition, identical twins can use each other's passports. It is, however, impossible to change your irises and the irises are unique for every individual. This holds for identical twins too and even both irises of one individual differ from each other.

Name, date of birth, and place of birth are used to identify and match individuals. According to the five different types of identity information, this can be considered as unique information about an individual, because there is only a very small chance that there is another person with exactly the same name (i.e., surname and first names) born on the same date in the same town. However, there is still a chance. From an ICT point of view it could be argued that it would be more logical to use the personal number (social security number), which is also in the travel documents, to identify individuals. This is not permitted by law, however. A passport photo is unique information about an individual too, but a template of the iris is able to identify an individual more accurately.
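The trade-off between the two matching keys discussed in this report (the single personal number in case study 1, which makes collecting information from various sources easier, and the name, date of birth, and place of birth triple above, which can collide) can be made concrete with a small record-linkage sketch. This is an added example, not part of the original report; all records, field names, numbers and provider names are constructed and hypothetical.

```python
from collections import defaultdict

# Constructed sample data: two different people share name, date of birth and
# place of birth (the "very small chance" case); numbers are made up.
JANSEN = {"name": "J. Jansen", "dob": "1970-03-12", "pob": "Dordrecht"}
VRIES = {"name": "A. de Vries", "dob": "1982-11-30", "pob": "Amsterdam"}
SOURCES = {
    "municipality": [
        {"number": "900000001", **JANSEN, "address": "Voorbeeldkade 1"},
        {"number": "900000002", **JANSEN, "address": "Voorbeelddijk 7"},
        {"number": "900000003", **VRIES, "address": "Voorbeeldlaan 3"},
    ],
    "health_insurer": [
        {"number": "900000001", **JANSEN, "policy": "basic"},
        {"number": "900000002", **JANSEN, "policy": "extended"},
    ],
    "land_registry": [
        {"number": "900000002", **JANSEN, "parcel": "DDT-A-0001"},
        {"number": "900000003", **VRIES, "parcel": "ASD-B-0002"},
    ],
}


def by_number(rec):
    """Key on the single unique identification number."""
    return rec["number"]


def by_triple(rec):
    """Key on name, date of birth and place of birth."""
    return (rec["name"], rec["dob"], rec["pob"])


def link(sources, key_fn):
    """Group every record from every source under key_fn(record)."""
    index = defaultdict(lambda: defaultdict(list))
    for source, records in sources.items():
        for rec in records:
            index[key_fn(rec)][source].append(rec)
    return index


def ambiguous_keys(index):
    """Keys under which records of more than one person were merged."""
    return sorted(
        key for key, per_source in index.items()
        if len({r["number"] for recs in per_source.values() for r in recs}) > 1
    )


def profile(index, key):
    """Everything the linked sources hold under one key, as field -> set."""
    merged = defaultdict(set)
    for recs in index[key].values():
        for rec in recs:
            for field, value in rec.items():
                merged[field].add(value)
    return dict(merged)


def watchlist_hits(travellers, watchlist, key_fn):
    """Numbers of travellers whose key matches an entry on the watchlist."""
    listed = {key_fn(entry) for entry in watchlist}
    return [t["number"] for t in travellers if key_fn(t) in listed]


if __name__ == "__main__":
    # Same number everywhere: unambiguous, complete cross-provider profile.
    exact = link(SOURCES, by_number)
    print("ambiguous by number:", ambiguous_keys(exact))
    print("profile 900000002:", profile(exact, "900000002"))

    # Triple as key: two people collapse into one profile.
    fuzzy = link(SOURCES, by_triple)
    print("ambiguous by triple:", ambiguous_keys(fuzzy))

    # Only person 900000001 is listed, yet the triple also flags 900000002.
    people = SOURCES["municipality"]
    print("hits by triple:", watchlist_hits(people, people[:1], by_triple))
    print("hits by number:", watchlist_hits(people, people[:1], by_number))
```

With the shared number every provider's record joins cleanly into one profile, which is the increased linkability the first case study points to; with the triple, an unlisted person is flagged alongside the listed one, which in the Privium flow would mean a manual passport check.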

The address and email address, both types of private information, are additional information, requested by Privium. These are only used to contact the Privium member and not in the actual identification process. However, the address and email address are stored in the Privium database and therefore accessible by the KMar. As we have seen in the first case, the email address can reveal little or much information, but the individual can choose what kind of email address he wants to use if he is aware of the storage of his data in the Privium database. 

In conclusion, using the electronic border passage identifies an individual to a greater extent than is the case in traditional border passage. Using Privium means not only that the personal data are stored in an extra database, but also that more information is asked for, stored, and shared.  

The identity knowledge capacity (i.e., the size of the files held, the centralization of those files, the speed of information flows, and the number of points of contact) (Rule, 1973) of the KMar increases with the use of the Privium card. The KMar has access to more personal information (i.e., address and email address from the Privium database) about a Privium user than a non-Privium user, so the size of the files increases. In addition, the KMar also has information when a Privium member is travelling to a Schengen country (i.e., name, date of birth, place of birth, date of passage, and time of passage), this in contrast to traditional border passage, so the number of points in the life of a person that are available for collecting information increases too.  

 
