Common authentication means: the Belgian electronic identity card  Identification versus anonymity in e-government
[Diagram residue: labels "PSEUDONYMOUS" and "pseudonymous, user-centric infrastructure"]

Global identification and control in Belgian eGovernment

One of the main building blocks of Belgian federal eGovernment is the use of the globally unique identifier for natural persons (the National Registry Number) to achieve interoperability in general, that is, to exchange data about these persons across several contexts. This is a new evolution initiated by eGovernment, with important consequences. We come back to this below.

In addition, various types of additional information can now also be requested from the National Registry, for example for a number of identity management-related tasks (such as user management or mandate management), also by applications outside the context of the National Registry. Because every such request is keyed on the same number, the person concerned (either the user or the subject of the exchanged data) is identified and authenticated globally, and – at least in theory – the several contexts become linkable. 

Moreover, the content of the new Belgian electronic identity card is protected against forgery, but not kept confidential: the identity file is signed, so it cannot be altered without detection, but it is not encrypted, and as soon as the card is inserted in a card reader the data it contains can be read and stored without the holder entering a PIN or otherwise consenting. Even though this easy harvesting of identity data requires physical presence of the card, it goes without saying that it has important consequences, and they were triggered by eGovernment. 

Before the eID era, someone who had the card at his or her disposal could of course also make a paper copy of it. The difference lies mainly in the fact that with the eID this can be done in a much more systematic way, without the card holder even noticing it or being able to object to it. 

For the sake of clarity: in Belgium, the identity card serves in the first place as a proof of registration in the population registry. There is an obligation to carry the card with you from the age of 15 (“kidscards” are issued from the age of 12). Each identity card holder shall present the card (1) to the police, when requested, (2) when applying for certificates (in general), (3) to bailiffs with regard to a writ of summons, and (4) (also in general) whenever he or she has to offer proof of identity (art. 1 Royal Decree 25 March 2003). 

An open question in this context is whether any service provider (e.g., the shop that rents out videos, or your supermarket) is allowed to request a proof of identity. This is far from clear. The legal answer would be: only if the proof of identity is necessary to provide the services (based on the finality and data-minimization principles of the general Data Protection legislation). 

One should admit, however, that it is common practice. As far as we know, no case-law is yet available on the topic, and it would be interesting to verify whether service providers are fully aware of the obligations they have under data protection legislation whenever they process eID data (e.g., notification to the privacy commission, a legitimacy ground, the finality principle, the rights of access and correction, and the obligation to inform). 

What we have just explained with regard to eID data also applies to the National Registry Number in general. Only a limited number of entities are allowed to process the number (see above, the entities listed in Art. 8 of the National Registry Act), yet, since the number can be read from every eID, many more entities now get to know it. Only the use of the number (which means storing it separately, doing something with it) is a type of processing that falls under the terms of the Act; merely seeing it does not. 

An interesting side-note is that before the eID era, people could object to having their National Registry number printed on the card. This is no longer the case. Moreover, the number is now also available electronically: it is contained in the X.509 certificates that are used for entity authentication and non-repudiation purposes, and a certificate travels with every signature it backs. In other words, with each exchange of a digital signature created with the Belgian eID, that is, with each authentication or digitally signed document, the signatory further propagates the National Register number to the relying party, whether or not that party needs it. It goes without saying that this increases the potential for misuse of that number. 

Global identification versus sector or context-specific identifiers

When identification is always required, and data exchange is done via a global identifier, data interconnections that are not authorized, or even illegal, can still take place, because nothing in the infrastructure itself prevents them. 

As soon as the necessary infrastructure is in place, it cannot be excluded that other decisions are made in the future, based on ad hoc arguments or on different political choices. Therefore, the decision whether or not to base the identity management infrastructure on anonymity or pseudonymity as the default position or rather on identity as the default is a fundamental one.  

  1. The first option is to choose an identity society, where technology has carte blanche, and where the question of how fundamental rights (such as privacy) are being protected depends on the subsequent political decisions.

  2. The other option is to choose a pseudonym society, where technology is intentionally limited and regulated in advance, and where fundamental principles are incorporated in the architecture design.

As explained, the most important risk connected with the usage of a globally unique identifier such as the National Registry Number lies in the fact that it makes it technically possible to link data about an entity from one context to another, without any form of control by the entity itself. This risk could be avoided via the usage of sector- or context-specific identifiers or pseudonyms.

A pseudonym is an identifier of a specific entity’s (partial) identity, by which a certain action can be linked to this entity. It can be defined as an identifier of an identifiable entity that is either self-chosen by this entity or assigned by a provider, to identify this entity to a relying party for a period of time.

A number of gradations in pseudonyms can be imagined. Depending on the frequency with which they are used, we can distinguish different types of pseudonyms:

  1. Persistent pseudonyms: pseudonyms used for an extended period of time that spans multiple sessions. Persistent pseudonyms can be used to represent an identity federation (we come back to this term below).

  2. Transient pseudonyms: pseudonyms used for a relatively short period of time that need not span multiple sessions.

Pseudonyms allow forming sets of partial identities which are not necessarily linkable to the originating entity. With respect to the degree of the resulting linkability between the applicable sector and context and other sectors and contexts, various kinds of pseudonyms (or identifiers) can be distinguished:

  1. A person identifier, person pseudonym, or global identifier is a substitute for the holder’s name, which is regarded as the representation of the holder’s civil identity. It may be used in multiple, if not all, contexts and sectors. Examples of this type of identifier are the unique number of an identity card, the social security number, the Belgian National Registry Number, the Belgian Crossroads bank for Enterprises number, a nickname etc.

  2. A context- / sector-specific identifier or context- / sector-specific pseudonym is an identifier that has only meaning to the communication partners within a specific context or a specific sector.

  3. An opaque handle is an identifier of the entity that has meaning only in the context between a specific identity provider and a specific service provider.

  4. A role identifier or role pseudonym is an identifier limited to specific roles, such as a customer pseudonym or an internet user name; it can be an assigned or a chosen identity.

  5. A relationship identifier or relationship pseudonym means that for each communication partner a different identifier of the entity is used, but the same relationship pseudonym could be used in different roles for communicating with the same partner (e.g., nicknames).

  6. A role-relationship identifier or role-relationship pseudonym means that for each role and for each communication partner, a different role-relationship identifier is used. The communication partner does not necessarily know whether two identifiers used in different roles belong to the same holder.

  7. A transaction identifier or transaction pseudonym is used for only one transaction. It is unlinkable to any other transaction identifiers and is (at least initially) unlinkable to any other item of interest (e.g., randomly generated transaction numbers for online-banking).

Partial identification is the identification of an entity via a context- or sector-specific identifier or a combination of one or more characteristics, in only one context or sector.

Pseudonymity and trusted agents

In the literature, one often hears criticism of the usage of sector-specific identifiers, namely that it only makes data exchange more difficult also in those cases where data exchange is allowed. The point those authors want to make is that sector-specific identifiers do not prevent data linkage, but just make it more complicated, as data can still be linked via concordance tables. We believe, however, that this can be solved through the usage of trusted agents.

A trusted agent is a trusted party, a trusted third party, or a trusted device that acts as an intermediary to forward authorized, properly authenticated service requests to remote service providers. The trusted agent can – as an (additional) privacy service – obfuscate the original requestor’s identity. In other words, if the entity is authorized to request a particular service, the agent forwards the service request as if it were its own. In practice, if the trusted agent also offers privacy services, it will typically do the conversion between the one unique identifier of the entity that accesses the conversion service and the different sector- or context-specific identifiers used by the different service providers. The agent is then the only place where the contexts can still be joined, which is exactly why it must be a strictly controlled and audited component rather than a convenience service.
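The conversion performed by the trusted agent described in this paragraph, and the sector-specific identifiers proposed in the previous section, as an added Python example (not the deliverable's own code, nor that of any Belgian eGovernment component): the agent's secret key, the sector, role and partner names, the request payloads and the two National Registry Numbers are all made up. Instead of a concordance table, the agent derives each pseudonym with a keyed hash over the global identifier and the context, so that two service providers holding only their own pseudonyms cannot join their records.

```python
import hashlib
import hmac
import secrets
from typing import List, Tuple

# Added example (not code from the FIDIS deliverable or from any Belgian
# eGovernment component). It models the trusted agent described in the text:
# one party that knows the citizen's global identifier (a made-up National
# Registry Number) and derives, with a secret key, a different pseudonym per
# sector, role and communication partner. No lookup table is stored; linking
# across contexts is only possible for whoever holds the key.


class TrustedAgent:
    """Converts a global identifier into context-specific pseudonyms."""

    def __init__(self, key: bytes):
        if len(key) < 32:
            raise ValueError("use a key of at least 256 bits")
        self._key = key  # never leaves the agent (assumption: kept in an HSM or equivalent)

    def _derive(self, *labels: str) -> str:
        # Domain separation: every label is length-prefixed, so the pairs
        # ("tax", "x") and ("ta", "xx") can never produce the same input.
        msg = b"".join(len(l).to_bytes(2, "big") + l.encode() for l in labels)
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()[:32]

    def sector_pseudonym(self, global_id: str, sector: str) -> str:
        """Sector-specific pseudonym: stable inside one sector, unrelated across sectors."""
        return self._derive("sector", sector, global_id)

    def role_relationship_pseudonym(self, global_id: str, role: str, partner: str) -> str:
        """Role-relationship pseudonym: a different identifier per (role, partner) pair."""
        return self._derive("role-relationship", role, partner, global_id)

    @staticmethod
    def transaction_pseudonym() -> str:
        """Transaction pseudonym: fresh randomness, unlinkable to anything by construction."""
        return secrets.token_hex(16)

    def forward(self, global_id: str, sector: str, authorized: bool, request: dict) -> dict:
        """Forward an authenticated request to a sector's provider under a pseudonym.

        The provider only ever sees the sector pseudonym, never the global identifier.
        """
        if not authorized:
            raise PermissionError("request not authorized for this sector")
        return {"subject": self.sector_pseudonym(global_id, sector), **request}


def join_on_subject(a: List[dict], b: List[dict]) -> int:
    """Number of records two providers can link by comparing identifiers alone."""
    ids_a = {r["subject"] for r in a}
    return sum(1 for r in b if r["subject"] in ids_a)


def demo() -> Tuple[int, int]:
    """Record linkage between a health and a tax provider: global id vs. sector pseudonyms."""
    agent = TrustedAgent(secrets.token_bytes(32))
    citizens = ["85.07.12-123.45", "90.01.30-321.67"]  # constructed, not real numbers

    # Scenario 1: both providers receive the global identifier (today's situation).
    health_global = [{"subject": c, "diagnosis": "..."} for c in citizens]
    tax_global = [{"subject": c, "income": "..."} for c in citizens]

    # Scenario 2: both providers receive only the pseudonym for their own sector.
    health_pseudo = [agent.forward(c, "health", True, {"diagnosis": "..."}) for c in citizens]
    tax_pseudo = [agent.forward(c, "tax", True, {"income": "..."}) for c in citizens]

    return join_on_subject(health_global, tax_global), join_on_subject(health_pseudo, tax_pseudo)


if __name__ == "__main__":
    print(demo())  # expected: (2, 0)
```

Because the pseudonyms are derived rather than stored, the concordance-table objection does not apply to the providers: joining the health and tax records requires the agent's key, not a table that can be copied. The same property cuts the other way: an authorized exchange between two sectors has to go through the agent, which must re-derive both pseudonyms, so every cross-context link leaves a trace at one auditable point.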

 

Common authentication means: the Belgian electronic identity card  fidis-wp5.del5.4-anonymity-egov_01.sxw  Analysis