Following the previous post, we describe a two-phase process by which citizens can anonymously register with an e-participation platform while maintaining authentication and eligibility guarantees. Technical details are left out of this description for the sake of clarity, please refer to the previous post and its accompanying report.

To start things off, we assume there is some existing credential system in place that determines which citizens are authorized and which are not. This existing system could require on-site interaction, for example via a physical (governement or other institution issued) id, or some other previously existing digital credential (like a private key or password for other existing systems).

In the case of on-site physical credentials, there is an extra step in which the citizen is provided with a temporary digital credential. Once this physical interaction has taken place the rest of the steps are common to both types of existing credentials.

In the first phase of registration, a citizen accesses a registration page and logs in with their pre-existing digital credential. He/she is thus authenticated and validated as eligible to participate on the e-participation platform. The registration page then includes javascript code that will run on the client device in order to generate confidential information not available to the e-participation platform. This code will

  1. Generate a unique random token, using a secure random source.
  2. Display the token such that the citizen can copy it in some format (paper, electronic device).
  3. Encrypt the token with a public key previously generated by a set of independent trusted authorities.

The encrypted token is then sent to the server for storage. The token is accepted because it is sent by a logged in user (using their pre-existing credentials), and therefore belongs to a valid citizen. Note that, given this authentication, the server knows which citizen the encrypted token belongs to, but because the token is encrypted the link between token and citizen cannot be established.

At this point the first phase of registration is complete. Each citizen has copied their unique token while the server has stored them in encrypted form.

Phase two begins with the anonymization of the encrypted tokens, which is carried out by a mixnet (eg nMix) executed by the trusted authorities. At the end of the mixing process the anonymized encrypted tokens are decrypted. This results in a set of plain unencrypted tokens that now cannot be linked to their respective citizens.

To complete registration, citizens again access the registration page, but this time anonymously, without logging in as they did in phase one. Instead, they submit their token which acts as an anonymous credential. Once authenticated with this token, the client is allowed to create their user, as they would in a normal online registration process. The difference is that this newly created user is validated yet anonymous. From this point onwards users function as they would in any web platform. Citizens can access the e-participation platform using this newly created user and participate normally, but anonymously. Their user is effectively a privacy preserving pseudonym.

A final note on pseudonymity, as mentioned in the previous post:

E-participation tools whose nature is best described as social information filtering[6], consultation and ideation co-production[15], reputation[16], or deliberation systems require pseudonymity[36] as the privacy protecting mechanism. The notion of users with linkable contributions is fundamental to these platforms.

Users within these platforms function as pseudonyms, retaining some level of identity for purposes such as deliberation, reputation and accountability. Citizens’ anonymity is protected by the fact that the pseudonym cannot be linked to the citizen, not even by the administrators of the platform. The technical term for this is unlinkable pseudonymity. In this particular case there is an exception to this: if all independent trusted authorities agree, they can revoke a citizen’s anonymity.