Blueprints for Deploying Privacy Enhancing Technologies in E-Government

PETs in Government Strategy. The concept of privacy-by-design originated in the Office of the Privacy Commissioner of Canada. In privacy-by-design systems, privacy requirements are considered throughout the system’s entire lifecycle. They have also released a comprehensive PETs review [22].

PETs in E-Government Services and Regulation. Statistics Canada has developed a proof of concept for private set intersection combined with secure multi-party computation, and a proof of concept for training machine learning models on synthetic data. In 2018 and 2019, Statistics Canada generated synthetic datasets from real data using a mass data imputation method. The data was used in hackathons and other training exercises [26].

PETs in Government Strategy. The Estonian Digital Agenda 2030 [14] highlights the protection of fundamental human rights, including privacy, as a primary principle. The plan envisions the development of a human-centric digital state as the next significant leap in digital society. Concrete actions include raising awareness, and a more wide-spread implementation of data trackers and consent services. The plan emphasises the significance of implementing PETs to enable data reuse and data-driven governance. A national program for the application of PETs is set to be launched. Through these technologies, Estonia aims to achieve higher levels of transparency, intervenability, and unlinkability.

PETs in E-Government Services and Regulation. The Estonian internet voting system IVXV employs mix networks and zero-knowledge during the vote-tallying phase to de-identify signed e-votes [11]. Estonia has deployed secure multi-party computation to enable data analysis when anonymisation could not be used [2]. The Estonian government is offering an e-government-wide transparency service that allows citizens to see which organisations have been accessing their records. There is also a public catalogue for e-government information systems and data.

PETs in Government Strategy. The French data protection agency CNIL has published materials on PETs, e.g., pseudonymisation and anonymisation techniques [1]. CNIL regularly organises a scientific conference called the Privacy Research Day, which features PETs. CNIL has also published a methodology and guidelines for privacy impact assessment [3].

Industry PET Initiatives. In August 2022, Japan established a voluntary consortium known as the Privacy Tech Association¹. The primary objective of this association is to promote the use of privacy technologies in companies working with data. Research areas include anonymisation, secure multi-party computation, differential privacy, and data synthesis.

PETs in Government Strategy. Under the leadership of the Netherlands Ministry of Economic Affairs and Climate Policy, a cryptographic roadmap is being developed, which also encompasses PETs [13]. The document highlights opportunities for using these technologies in the healthcare sector, facilitating better and privacy-preserving use of sensitive data for disease research.

PETs in E-Government Services and Regulation. The Netherlands’ statistics office CBS has been studying PETs since 2018 to support secure and sustainable data sharing [19]. In collaboration with the health insurance company CZ and Zyderland Hospital, CBS has also created a pilot platform that uses private set intersection, homomorphic encryption, and secure multi-party computation to link and analyse health data [27].

PETs in Government Strategy. In 2022, the government agency IMDA launched a secure testing sandbox for pilot projects related to PETs [9]. The aim is to identify technologies that can assist companies with data sharing challenges and to understand their limitations. Based on the outcomes of the pilot projects, IMDA and the data protection agency PDPC plan to identify feasible PETs and develop standards and policies for the adoption of these technologies.

PETs in e-Government Services and Regulation. During the COVID-19 pandemic, Singapore pioneered TraceTogether, an app utilising Bluetooth Low Energy technology for contact tracing [20]. The solution was praised for not relying on privacy-infringing techniques like GPS tracking.

PETs in E-Government Services and Regulation. Switzerland has been developing their internet voting technology. In 2021, the source code and documentation were released to allow volunteers to test the system. The new system employs end-to-end encryption, mix networks, and zero-knowledge proofs for preserving voters’ privacy. At the start of the voting process, the vote is encrypted and sent to the voting server. Mix networks are used to shuffle the votes before tallying, the process is overseen by independent auditing components. Zero-knowledge proofs ensure that during the mixing and decryption processes, votes are not added, deleted, or altered [21]. Researchers from the Swiss Federal Institutes of Technology, EPFL and ETH Zurich, helped develop the DP-3T technology for contact tracing of COVID-19 patients. DP-3T gained widespread adoption due to its openness, privacy guarantees and decentralised approach [25]. The Swiss Academy of Medical Sciences (SAMS) oversees the Swiss Personalized Health Network that allows analysts to conduct research across data from multiple institutions by using homomorphic cryptography, secure multi-party computation, and differential privacy [16].

PETs in Government Strategy. In 2022, the United Kingdom and the United States started a PET prize challenge [24] to encourage technology uptake. The Centre for Data Ethics and Innovation (CDEI) spearheaded the organisation and planning of the challenge from the UK side.

PETs in E-Government Services and Regulation. The Office for National Statistics (ONS) has been studying synthetic data generation since 2018, with the aim of testing machine learning and data pipelines. In preparation for the 2021 census, the ONS generated synthetic data for testing data analysis and balancing workloads. ONS is also exploring the use of differential privacy in data synthesis [26].

PET Research and Standardisation. In 2023, the British Royal Society published a report on PETs [23]. They explored the public sector’s interest in PETs and found that the surveyed institutions were mainly interested in pseudonymisation, anonymisation, data synthesis, differential privacy, and federated learning.

PETs in Government Strategy. The White House Office of Science and Technology Policy, the National Institute of Science and Technology and the National Science Foundation led the planning on the US side [24].

PETs in E-Government Services and Regulation. A study of US Census has shown that anonymisation does not prevent re-identification [18]. The paper shows that 99.98% of Americans can be re-identified based on 15 demographic features. The US Census Bureau itself was able to re-identify the geographic location, gender, age, racial, and ethnic affiliation of 52 million anonymised individuals [7]. This led the bureau to adopt differential privacy for the 2020 census. The US Census Bureau has previously also used synthetic data generation to replace unique values with generated ones [12]. Higher education is often the most significant investment in the lives of US citizens, in addition to purchasing a home. To help prospective students make better decisions when pursuing higher education, the Student Right to Know Before You Go Act of 2019 was presented to the US Congress [8]. The aim of the legislation is to establish a more accurate, comprehensive, and privacy-preserving data system that allows inquiries about higher education institutions.

Privacy engineering is a discipline aimed at reducing privacy risks, justifying the allocation of developmental resources, and implementing protective measures in information systems. Privacy engineering supports compliance with privacy goals and data protection requirements. Privacy engineering can include requirements analysis, functional modelling, risk and impact assessment, architectural design and system implementation.

The same stages are present in the lifecycle of a system (e.g., an e-government service). Each system exists at some stage within this lifecycle. For instance, an operational information system may be assessed at a given point to decide whether to continue its development or decommission it. At each of these steps, decisions must be made and steps must be taken to better achieve the system’s privacy goals. Figure 1 shows a simplified lifecycle of an e-government service.

The cyclical nature implies that there must be a way to revisit earlier stages. We propose that the development and the operation stage can revert back to the analysis stage, if an internal requirements (e.g., emergence of new requirements during development) or external requirements (e.g., audits, legal assessments, opportunities for system improvement) demands.

The ISO/IEC TR 27550 [10] technical report aligns privacy engineering, system development, security engineering and risk management. The approach is generic and aligns with other lifecycle management practices and standards.

Problem Statement and Pre-analysis. Relevant activities include:

Specific PETs do not need to be selected at this stage. Instead, requirements for further development should be formulated. This stage may be divided into sub-stages, carried out by different stakeholders. For instance, a governmental body may conceptualise the task, but a service provider may perform the preliminary analysis through a procurement (see Sect. 4.3).

Process Modelling and Impact Analysis. Relevant activities include:

The goal is to create models with sufficient precision to identify the data elements each stakeholder processes, and to determine the level of identifiability required for fulfilling the system’s objective. Assigning data controller and processor responsibilities and understanding the stakeholders’ technical capabilities in deploying data processing technologies helps design the system. Based on this information, an initial data protection impact assessment can be performed.

System Design and Architecture. Relevant activities for design include:

Here, we select controls based on requirements. For example, if consent of the data subject is needed, mechanisms for obtaining and revoking consent, including transparency and intervenability capabilities, must be designed. If the impact assessment indicates higher risks to certain data, PETs may mitigate these risks while maintaining functionality. Otherwise, functionality must be reduced.

Relevant activities for architecture development include:

Stakeholder and operational considerations are transformed into technical specifications, and a system fulfilling the requirements is designed. Choices regarding PETs are also made during this stage. There might be multiple architectural candidates with or without PETs. To choose among them, establish evaluation criteria such as complexity, security objectives, privacy goals, legal compliance, development and maintenance costs, and conduct a comparative assessment. The architecture with the best score will be implemented.

Audits and Evaluations. Relevant activities include:

This is a critical step in the lifecycle as here legacy systems can be put on a path where they may be retrofitted with PETs. The first step is to recognise the desire for data protection by design. The second step involves reviewing the current status of the system (e.g., conducted impact assessments) and determining which privacy goals should be targeted in the next development cycle. The third objective is to allocate resources for the development of PETs.

Decommissioning. Relevant activities include:

Sometimes a system has fulfilled its purpose, the organisation no longer has resources for its operation, or it has become obsolete and is replaced with a newer, more suitable system. In such cases, the old system is decommissioned.

A service provider procure work at any stage of the lifecycle. The procurer should specify requirements for minimising or avoiding data processing during this process. When procuring e-government services, consider the following:

On the Estonian X-Road development roadmap [15], message rooms are intended for providing services based on the data of an individual or an organisation. A message room is necessary when the data required to provide a service are not held by a single party and data need to be aggregated from multiple sources.

Using PETs, these services can be delivered so that sensitive data will not be gathered in an unprotected form in one central location. Data processing in the secure message room can be performed either entirely in an encrypted format or by utilising hardware security measures. The service can use the secure message room to link records of an individual and evaluate the specific business logic.

Figure 2 describes the model for a secure message used in e-government services. Examples that use secure message rooms includeAdvantages for Data Subjects. First, the service provider will not have to see all input records (unless allowed for quality or anomaly detection). Secondly, the data providers do not have to learn which of their records were used. Third, message rooms support transparency and intervenability, as the respective features can also be built using secure computing technology.

While secure message rooms are designed for building services, the linking and analysis service is meant for analytical use. It will be especially helpful in e-governments that deploy a distributed data architecture where each agency holds its own databases of people or company data. In such a setting, data-driven policy-making, research and machine learning model training may be complicated. The output in this scenario is not a computation result for an individual but rather a statistical aggregation, a machine learning model, or a report.

Figure 3 describes the model for a privacy-preserving linking and analysis service. This service will support an e-government in the following:

Open data services provide data to other services. This allows the creation of service hierarchies that rely on government data. PETs are not needed for data that are not directly identifiable (e.g., weather, public transport). However, it may be possible to include more data by using PETs, assuming that re-identification is infeasible. Figure 4 describes the model for open data services.

For research and the development of new services there is a need for data that closely resemble real data but are de-identified. These activities (or PET use) are not often foreseen in the legal purposes of the respective databases. In such cases, it is practical to publish parts of a database after appropriate transformations.

The greatest risk associated with open data usage is the lack of control over their later re-use. The recipient of open data may re-identify individuals using any additional databases they have access to. Therefore, re-identification risk assessment for open data must be more comprehensive than for open data APIs. There may be a legal basis to release a database to a limited number of users (e.g., for research). This is not open data, but PETs can still be used to secure the processing. Figure 5 describes the model for publishing open data.

E-government services need to be developed and maintained. Ensuring the quality of these services requires that the performance, correctness, and usability of the systems must be tested. Data protection regulations prohibit testing systems with live (or other kinds of personal) data. However, testing with purely random data is insufficient as it may not reveal edge cases and errors. In an e-government system that heavily relies on services, synthesised databases alone are not sufficient. There is also a need for services that use these data. Thus, a synthetic digital twin of the core services, embedded with synthesised data, is required to test larger systems. Figure 6 describes the model for a synthetic digital twin.

Logging plays a crucial role in digital services. Logs are used to detect errors, anomalies and misuse. However, a system log might also be a very sensitive database. Consider, for instance, logs of digital identity usage. When a user authenticates, digitally signs a document, or presents some evidence, a query is made to a digital identity validity verification service. Such service providers, when storing network connection information, can infer which services an individual uses and how often. Depending on the nature of the service (e.g., a health advisory system), such a log might contain highly sensitive personally identifiable information. The European Union’s digital identity regulation is expected to impose restrictions on keeping such logs. Figure 7 describes the model for a private logging and log analysis service.

Advantages for the Government. Identity-driven e-government services have anomaly and fraud detection features that support maintenance and quality.

Future digital wallets and digital identity may allow an individual to prove that they qualify for a service (e.g., based on age or a group membership). Today, such proofs are conducted by presenting the relevant source data. With an increase in such transactions, data can be amassed by the recipients of such proofs. An attribute proving service will minimise this processing of personal data.

The ability is not restricted to proving single values or their ranges. We can use zero-knowledge proofs to convince a verifier of a statement without providing all the source data, but just a cryptographic proof. For example, we can create a proof that an individual’s health record meets a certain job-related health standard, an organisation’s bank transactions comply with their funding rules, or a vehicle has travelled a certain distance in a certain regions (for subsidy or taxation purposes). Figure 8 describes the model for an attribute proving service.

Advantages for Data Subjects. The processing of personal data in digital transactions is minimised as personal data will not be transmitted to the verifier. As the prover (individual) compiles the proof using their own devices, they can directly view data about themselves, resulting in enhanced transparency.