Identification versus anonymity in e-government PAPER-BASED AND ELECTRONIC SIGNATURES

Paper-based and electronic signatures

Today, documents signed traditionally on paper are stored in various places within public administrations and enterprises. Getting access to these documents and linking various corresponding transactions to a certain user needs a considerable effort and a lot of resources, as support by computers (e.g., using indices or registers) for analysing these paper documents is limited in most cases.  

With a transition from a traditional to an electronic signature, this situation potentially changes for several reasons. To reduce costs for processing and storage of digital data, centralised Document Management Systems (DMS) will be used increasingly as a platform for various governmental procedures. If the access control of these centralised DMS is insufficient, data may be read out and analysed by unauthorised parties. In addition, signed documents are frequently transferred via the Internet. If technical security (e.g., encryption on the transport of data via the Internet) or organisational security (e.g., in clearing houses or gateways) breaks, communication can be eavesdropped and analysed.

In contrast to signed paper documents that can be analysed manually only or with limited computer support, unencrypted digital signatures can be analysed in an automated way. In most cases the certificate issued by the certificate authority issuing the electronic signature is the key for this analysis. For electronic signatures mostly X.509 V.3 compatible certificates are used (Meints, Hansen 2006). In addition to a unique certificate number that allows for easy linkability of cases in which electronic signature were applied, they store additional information of the legitimate user of the key(s) for the electronic signing processes. This information may include, depending on the rules of the different certificate authorities in different countries:

1. First name, surname and in some countries title of the legitimate user 

2. Date of birth 

3. Address 

4. Citizens register number  

It is safe to say that some of this information is usually not needed in cases where an electronic signature is applied. For example in most cases where a contract to buy something is signed, date of birth and citizens register number are not needed. The standardised disclosure of this information does not meet the data minimisation principle stated in the European Data Protection Directive 95/46/EC, but as the use of personal data for electronic signatures is regulated in the European Signature Directive 1999/93/EC and corresponding national laws, these certificates are clearly legal (Gasson, Meints, Warwick 2005: 25).

Traditional paper based signatures are used in governmental services in different contexts. Not all of these contexts require an ad hoc identification of the signing person, as information transferred in a signed document may belong to different circles of information (cf., section 3.2) and may have different relevancy in the context of governmental processes. Nevertheless aiming at fast and reliable identification of citizens in Germany requirements for electronic signatures are highly standardised for eGovernmental services.