FIDIS Deliverable D14.2: Study on Privacy in Business Processes by Identity Management
Case Study: Using Attributes as Access Rights in eGovernment

We now present private (privacy-preserving) solutions to two key problems facing many governments: identification cards and traffic regulation. Both of our solutions work with an offline authority.

First, consider an example. Suppose Alice wants to use her government-issued driver’s license to convince a bar owner that she is over the age of 18. In the common non-private solution (which is currently the de facto standard), Alice hands her complete driver’s license to the bar owner, which includes her name, birth date, address, and other personal information. The bar owner uses the birth date to confirm that Alice is over 18. A benefit of this solution is that it is both fast and simple. However, once Alice’s digital credentials are scanned by a computer, rather than simply looked at by a human, Alice’s personal information may be easily exploited (e.g., unsolicited mail sent to her address) or used to track her personal habits (e.g., the bar might keep a detailed record of when she came in and who else came in shortly before or after her).

In a private solution, Alice and the bar owner could instead execute a protocol, at the end of which the bar owner will be convinced that Alice has a valid driver’s license with a birth date making her over the age of 18, but will learn nothing else about Alice (including her name and actual birth date). Such systems are called anonymous credential systems (e.g., Camenisch and Lysyanskaya, 2002). They use cryptographic techniques to selectively reveal portions of a credential, as chosen by the user. A benefit of this solution is that it is very privacy-friendly. Although its implementation is more involved than that of the standard solution, the underlying cryptographic protocols are reasonably efficient.

When we talk about eGovernment, two primary use cases come to mind: identification cards and road tolls. Let us briefly discuss both scenarios.

Identification Cards

IBM idemix (identity mixer) is an anonymous credential system developed by IBM, which is currently being extended to support the guidelines for machine readable travel documents [Int06] put forward by the International Civil Aviation Organisation (ICAO).

With an idemix credential, a user can either hand over all of her personal information (as is currently done today) or can selectively release information by proving statements of the following form:

  1. The user is between the ages of X and Y (without revealing her actual age). 

  2. The user belongs to a certain group (without revealing which group member she is). For example, a user in the USA might prove that she is from an East Coast state without revealing which one. 

  3. The user does not belong to a certain group (without revealing any additional information). For example, a user might prove that her blood type is not A-negative. 

Road Tolls and Intelligent Cars

Most major cities world-wide are experiencing alarming levels of traffic congestion and accidents. To mitigate congestion, many cities (such as London) are charging a toll each time a vehicle enters or exits the city. To mitigate accidents, transportation officers are designing intelligent cars that report their locations to the road infrastructure and to each other to help the human driver avoid accidents. Governments implementing these systems again have to make privacy-impacting choices. 

Consider the case of intelligent cars. Bob might attack the system by flooding the infrastructure with reports of traffic congestion on any road that he is on. This way, the infrastructure tells nearby cars to avoid Bob’s route and he enjoys a quick drive to work. This problem can be avoided by making Bob’s car digitally sign all reports it issues and accepting only one report from Bob each minute. Unfortunately, this solution creates a privacy problem, because now Bob’s driving patterns can be easily monitored by the government. 

Recently, (Camenisch, Hohenberger, Kohlweiss, Lysyanskaya and Meyerovich, 2006) proposed an efficient k-anonymous authentication system, where a user, call him Bob, can anonymously but authentically issue up to k reports per arbitrary time period. If Bob maliciously tries to issue k+1 reports, this cheating will be detected, Bob’s identity will be revealed, and he can be punished accordingly. If Bob acts honestly, however, the government will not be able to link his anonymous reports.
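The clone-detection idea behind such k-anonymous reporting, as an added example that is neither the deliverable's code nor the cited scheme itself: each of Bob's k reports per period carries a pseudorandom serial and a tag that blinds his identity, and a (k+1)-th report must reuse a counter, so the infrastructure sees two tags under one serial and can solve them for the identity. Assumed here: HMAC-SHA256 stands in for the scheme's pseudorandom function, the identity is an integer modulo an assumed prime P, and the zero-knowledge proofs that bind each token to a valid credential are left out.

```python
import hashlib, hmac, secrets

# Constructed, simplified model of k-times anonymous authentication: a car may
# issue k unlinkable reports per period; a (k+1)-th report has to reuse a
# counter, so two tokens share a serial and the identity becomes recoverable.
# Assumed: HMAC-SHA256 replaces the scheme's PRF, P is an assumed prime, and
# the zero-knowledge proofs tying tokens to a credential are omitted.
P = 2**255 - 19

def prf(seed: bytes, label: bytes, period: int, counter: int) -> int:
    data = label + period.to_bytes(8, "big") + counter.to_bytes(4, "big")
    return int.from_bytes(hmac.new(seed, data, hashlib.sha256).digest(), "big") % P

class Car:
    def __init__(self, identity: int, k: int):
        self.identity, self.k = identity % P, k
        self.seed = secrets.token_bytes(32)  # long-term secret behind the credential
        self.used = {}  # period -> number of counters consumed so far

    def report(self, period: int, challenge: int, cheat: bool = False):
        i = self.used.get(period, 0)
        if i >= self.k:
            if not cheat:
                raise RuntimeError("k reports already issued this period")
            i %= self.k  # cheating means re-using an already spent counter
        self.used[period] = self.used.get(period, 0) + 1
        serial = prf(self.seed, b"serial", period, i)  # repeats iff counter reused
        r = prf(self.seed, b"blind", period, i)
        tag = (self.identity + r * challenge) % P  # one-time blinding of the identity
        return serial, tag

class Infrastructure:
    def __init__(self):
        self.seen = {}  # (period, serial) -> (challenge, tag)

    def accept(self, period: int, serial: int, tag: int, challenge: int):
        # Returns None for a fresh token, or the recovered identity for a clone.
        key = (period, serial)
        if key not in self.seen:
            self.seen[key] = (challenge, tag)
            return None
        c1, t1 = self.seen[key]
        if c1 == challenge:
            raise ValueError("verifier must issue distinct challenges")
        # Same serial, two challenges: solve the two linear tags for r, then id.
        r = (t1 - tag) * pow((c1 - challenge) % P, -1, P) % P
        return (t1 - r * c1) % P
```

Honest reports in different periods, or under different counters in one period, carry unrelated serials, so nothing in them links back to the car.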
