The privacy preserving e-petition system aims at shielding any identifying information about the users through the use of anonymous credentials and anonymous communication channels. This is an extremely important element in comparison with traditional e-petition systems, where no anonymity is ensured. In those systems the user reveals a lot of information, such as her name or identification number, which is not really necessary for the needs of the e-petition system. Such systems contradict the data minimization and proportionality principles, which require that only the absolutely necessary and relevant data shall undergo processing. At this point it is important to recall that the system is designed to run on an anonymous communications layer, which will be taken as a de facto requirement in the analysis that follows.
First and foremost it needs to be examined whether the e-petition system entails the processing of personal data and consequently whether the legal framework on data protection, to be precise the Belgian Privacy Act of 1992 (BDP 1993) and the EU Data Protection Directive of 1995 (EC 1995), will apply. According to Art. 2(a) EU Data Protection Directive “personal data” shall mean any information relating to an identified or identifiable natural person (‘data subject’). An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity (Footnote 5). Besides the concept of personal data, the Data Protection Directive provides in Art. 8(1) for the prohibition of the processing of special categories of data, commonly known as “sensitive data”. Such data are the personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership and data concerning health or sex life. The processing of the aforementioned data, which can be revealed in various petitions, is only allowed on grounds explicitly mentioned in Art. 8(2)–(7) of the directive (Footnote 6).
Before proceeding with our analysis, we need to make a differentiation between the communication among (i) the user and the credential issuer on the one hand and (ii) the user and the e-petition web server on the other.
In order to obtain the anonymous credential, the user communicates with the credential issuer by using her Belgian ID card. Indisputably, the Belgian e-ID card is a rich source of personal data, as it contains not only the full name of the holder and her nationality, but also the National Registry Number, date and place of birth, noble condition, etc. (see De Cock 2009) (Footnote 7). In the current design of the system, the user is fully identifiable by the credential issuer, who in this case is processing personal data of the user in order to ensure authentication and authorization and to issue the anonymous credential that will be used for the e-petition signing. The credential issuer is thus rendered the data controller, i.e., the one who determines the purposes and the means of the processing of personal data (Footnote 8), and has to fulfil the obligations that the data protection legislation foresees for the data controller.
Significant from a legal viewpoint is that our credential issuer does not simply generate a credential file which it then sends to the user. If that were the case, the credential issuer would be able to identify the owner of a given credential. The user and the credential issuer send each other specified data messages from which the user is able to generate a valid and verifiable credential. As such, the credential issuer never sees the resulting credential.
The communication between the user and the e-petition web server is more complicated when examined from a data protection point of view. A difficult concept that needs to be explained is that a credential can be used without handing it over, as one would hand over a token in the physical world. One way to explain it is that the credential holder is quizzed by the petition server and that only the holder of a genuine credential is able to give the correct answers. As already mentioned, the data protection legislation only applies when the processing of personal data takes place. When the data are anonymous and cannot be related to a natural person, their processing does not fall under the provisions of the data protection legal framework. In our e-petition system, it shall be examined whether the data that relate to the anonymous credential are anonymous or whether the user is merely pseudonymous towards the e-petition web server, in which case the latter processes personal data.
In defining whether the data in the e-petition system are anonymous or simply pseudonymous, Recital 26 of the Data Protection Directive needs to be mentioned. It stipulates that in deciding whether data could be used to identify a particular person “account should be taken of all the means likely reasonably to be used either by the controller or by any other person to identify the said person”. Clearly, if the controller is in possession of both the pseudonymized data and the key with which to deanonymize them, the data are identifiable and the data protection provisions apply.
The notion of identifiability differs between the European Member States. The German legislation, for instance, has adopted a more pragmatic approach to the notion of identifiability. The German Federal Data Protection Law (BDS 1990) in Art. 3(6) defines the notion of “anonymization” as follows: “‘Rendering anonymous’ means the modification of personal data so that the information concerning personal or material circumstances can no longer or only with a disproportionate amount of time, expense and labour be attributed to an identified or identifiable individual” (Footnote 9). The definition of anonymisation allows the deduction of the following argumentum a contrario: personal data are information that can be attributed to an identified or identifiable individual without a disproportionate amount of time, expense and labour. The data protection laws of France, Belgium and Sweden, on the other hand, have adopted a broad interpretation of the concept of personal data, treating any information as personal data if an individual can be identified, regardless of the technical or legal difficulties in determining the identity of the individual. Thus, according to the Belgian legal interpretation of the term personal data, as long as the deanonymization key exists somewhere, the data are identifiable, no matter how unlikely it is that the controller and the key holder would cooperate.
As supported by legal scholars, “pseudonymous data are still subject to data protection law, since they could be tied to the individual” (Kuner 2007). The Article 29 Working Party has adopted a similar position, stating that “[r]etraceably pseudonymized data may be considered as information on individuals which are indirectly identifiable” (Party 2007). It is interesting to mention, however, that the Article 29 Working Party in the same opinion stated, with regard to key-coded data in statistical and pharmaceutical research, that if all technical measures (e.g., cryptographic, irreversible hashing) have been taken to assure that the identification of the data subject is not expected or supposed to take place under any circumstance, the Data Protection Directive is not applicable. Even more difficult is the situation where seemingly anonymous data become identifiable through statistical analysis or cross-referencing.
The Belgian e-ID is by purpose and design a rich source of personal data. Whilst well suited for conventional identity checks (e.g., by the police or government officials), this becomes a disadvantage in any situation that requires both strong authentication and anonymity, or at least increased privacy. The data protection legislation in Belgium is based on a very broad concept of identifiable data, encompassing even data that cannot be deanonymized without considerable effort or without colluding with others.
However, reverse identifiability is not possible in our e-petition system. Although the Credential Issuer knows the identity of the user that asks for a credential, it does not know which specific credential has been assigned to her. The Credential Issuer just knows that a specific user was given “a” credential with certain attributes encoded. For instance, let us assume the age is the only attribute encoded in the credential and that the proof of knowledge is proving that the age of the credential holder is at least 18 years old (age ≥ 18). When the Credential Issuer issues 10 credentials, 8 of which were given to people with age ≥ 18, he will only be able to verify that the credential holder is actually older than 18 but in no case will he be able to tell which of the 8 possible users she is. Thus, the privacy preserving e-petition system does not allow any kind of reverse identifiability and does not provide any mechanisms for deanonymization.
The proof of knowledge generates a number deterministically from other parameters, such as the petition ID. When a user signs the e-petition multiple times, the same number will appear several times, meaning that the e-petition web server will be able to tell that two signatures were created with the same credential, so that duplicates can be removed. However, neither the e-petition web server nor the credential issuer, as already discussed above, will be able to determine which specific user held this credential and produced these signatures. It shall be noted at this point that even signatures of the same user on different e-petitions are unlinkable, since the number is derived from the petition ID. As already mentioned above, Belgium has adopted a broad interpretation of the concept of personal data, treating any information as personal data if an individual can be identified, regardless of the technical or legal difficulties in determining the identity of the individual. Even under this broad interpretation, there is no possibility in our system to trace back the identity of the credential holder. Neither the e-petition web server nor the credential issuer is able to get back to the identity of the credential holder. Therefore the data that are processed by the e-petition web server are anonymous and the data protection legislation will not apply.
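The two properties argued in the preceding paragraphs, that the issuer can narrow a valid "age ≥ 18" proof only to the anonymity set of everyone it issued such a credential to, and that the petition-bound number lets the server drop duplicates without linking signatures across petitions, can be exercised in a simplified model. This is an added illustration, not the paper's credential protocol: a SHA-256 pseudonym over (petition ID, user-held secret) stands in for the deterministic number produced by the real proof of knowledge, and the predicate check stands in for the zero-knowledge proof.

```python
import hashlib
import secrets

def derive_pseudonym(petition_id: str, credential_secret: bytes) -> str:
    """Deterministic per (petition, credential) and one-way: the server can
    compare pseudonyms on the same petition but learns nothing about the
    secret or the holder, and pseudonyms for different petitions differ."""
    data = b"petition:" + petition_id.encode() + b"|" + credential_secret
    return hashlib.sha256(data).hexdigest()

class CredentialIssuer:
    """Knows who asked for a credential and which attributes were encoded,
    but never sees the credential the user ends up holding."""
    def __init__(self):
        self.issued = {}          # identity -> encoded attributes only

    def issue(self, identity: str, age: int) -> bytes:
        self.issued[identity] = {"age": age}
        # Stand-in for the interactive issuance: the user's own randomness
        # yields the credential secret; the issuer neither stores nor sees it.
        return secrets.token_bytes(32)

    def anonymity_set(self, min_age: int) -> set:
        """The most the issuer can infer from a valid 'age >= min_age' proof."""
        return {who for who, a in self.issued.items() if a["age"] >= min_age}

def make_proof(petition_id: str, credential_secret: bytes, age: int, min_age: int):
    """User side: show the predicate holds without revealing the age itself.
    Returns None when the credential cannot satisfy the predicate."""
    if age < min_age:
        return None
    return {"predicate": f"age>={min_age}",
            "nym": derive_pseudonym(petition_id, credential_secret)}

class PetitionServer:
    """Verifies proofs and removes duplicate signatures by pseudonym."""
    def __init__(self, petition_id: str, min_age: int = 18):
        self.petition_id, self.min_age, self.seen = petition_id, min_age, set()

    def accept(self, proof) -> bool:
        if proof is None or proof["predicate"] != f"age>={self.min_age}":
            return False          # predicate not proven
        if proof["nym"] in self.seen:
            return False          # same credential already signed this petition
        self.seen.add(proof["nym"])
        return True
```

The server stores only pseudonyms, and the issuer stores only identities and attributes, so neither side alone nor both together can map a signature back to a person beyond the anonymity set.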