Open government and citizen identities: promise, peril and policy

of remarkable and unprecedented change for developing countries around the world, particularly in terms of their capacity to facilitate channels of connectivity, information sharing, and communication between individuals, civil society groups, business organizations, and governments. These new technologies may play an essential role in the near future in enabling new forms of government transparency, citizen participation, collaboration, service provision, and accountability. This is precisely what the advocates of open government suggest. We repeatedly hear reports on the positive roles that technologies including mobile phones and online social media are already playing in our networked world: organizing the masses in disaffected societies, mobilizing groups to effect positive social and political change, exposing misdeeds, shedding light on abuses of power, and holding wrongdoers to account. For example, the large protests that followed the disputed presidential elections in Iran in 2009 were organized with the help of ICTs, with the events being described as a Twitter revolution in the country. At the time Gordon Brown, the then prime minister of the United Kingdom, commented that the Rwandan genocide would not have happened in a Twitter-enabled world. There is, thus, great excitement around the possibilities for new technology to bring about more open and fairer societies. As this chapter argues, however, achieving the goals of increased transparency of (and collaboration and political participation in) governance processes (i.e., open government) requires far more than simply adopting new technology. Harnessing the power afforded by ICTs, and particularly mobile telephony and more recent Web applications such as social networking tools, will require additional infrastructure and policy development, particularly in the closely related areas of privacy and identity. These complex infrastructures do not yet exist in many countries. Where legal 9 Open Government and Citizen Identities: Promise, Peril, and Policy


Openness for Improved Democratic Governance
It is widely accepted that the rapid diffusion of the Internet and related ICTs has provided a new platform with which to improve interactions between citizens and governments. 6 Citizens in the information age can more easily and directly access both government services and public information. Similarly, government agencies are opening new channels of communication and information exchange with citizens, enabling a more efficient, transparent, and responsive government. These developments, broadly understood under the rubric of e-government policy reform, 7 are now being articulated in terms of open government as policy-makers realize the potential of new technologies. 8 In 2005, the Organisation for Economic Co-operation and Development (OECD) declared that from the public's perspective "an open government is one where business, civil society organizations and citizens can 'know things'-obtain relevant and understandable information; 'get things'obtain services from and undertake transactions with the government; and 'create things'-take part in decision-making processes." 9 Similarly, the Transparency and Open Government initiative launched by the U.S. government put forward the Obama administration's commitment to achieving an "unprecedented level of openness in Government." 10 The U.S. open government initiative has been designed around three core values: • Transparency: to enable greater accountability, efficiency, and economic opportunity by making government data and operations more open.
• Participation: to create effective opportunities to drive greater and more diverse expertise into government decision making; to listen to public opinion and to increase opportunities for public engagement.
• Collaboration: to generate new ideas for solving problems by fostering cooperation across government departments, across levels of government, and with the public.
The use of new ICTs to access and disseminate information, in conjunction with the ongoing deployment of e-government programs, is seen as the most promising way to achieve the goals of openness in government. 11 Pursuing transparency by making government information more publicly available to citizens has been one of the major drivers of many e-government portals worldwide. In Mexico, for example, the freedom of information legislation approved in 2001 mandates a records management system that supports online access to public information. 12 Legislation such as the one in Mexico has the potential to become a cornerstone for more 9724_009 sophisticated e-governance initiatives, as well as for increased online citizen participation. 13 One of a growing number of examples of this participatory trend is Brazil's House of Representatives e-participation website, called "e-Democracia." 14 The initiative provides various mechanisms to encourage citizen participation (i.e., identifying problems that need to be addressed, discussing possible solutions, and even how to draft bills), and it relies on the direct engagement of members of Brazil's parliament via participatory channels such as opinion polls, public forums, and chat rooms. Collaborative technologies such as Web 2.0 provide attractive cost-effective solutions to facilitate participation, open access, and collaboration, not only in terms of citizen-government interaction but also in terms of how governments do their jobs. 15 In terms of the latter aim, the Internet and related network technologies are conceived as powerful tools to standardize work procedures and smoothen information flows, so that organizational processes become more efficient and accountable, fostering the changes prescribed by the New Public Management wave of reforms. 16 The assumption behind open government initiatives has been that transparency and participation will enhance public management as well as governance more generally. Indeed, recent analyses and attention among researchers has been especially optimistic, focusing mainly on the potential benefits and usefulness of ICTs in delivering a "better and more open government" (see, for example, the special issue on Government Information Quarterly 2010 on the topic).
However, more critical voices need to be heard in these debates. Transparency and open access to government information may also have their perils. In a 2009 essay, Lawrence Lessig suggested that the circulation of poorly understood or misleading information may raise confusion, while the misuse of publicly available information may force the political system into crisis 17 (as some argue is the case with the release of confidential U.S. diplomatic cables by WikiLeaks, the transparency organization). Another concern is the increase in government surveillance and potential privacy invasions that accompany governments' access to social networking data. 18 We must also consider the inherent difficulties and complexities in de-identifying large sets of government data that might include personal information on citizens, civil servants, and others before making them publicly available on government-sponsored portals. 19 Public servants are not immune from these risks either, as they also become more accountable and potentially liable if they fail to protect personal or sensitive organizational data.
Selecting the right technologies and appropriate channels to communicate both externally with the public and internally is not straightforward. The goals of transparency, participation, and collaboration require additional infrastructure and policy development; particularly those related to the handling of personal or identifiable information. Although open government debates are receiving more and more attention, 20 little has been said about the role that digital identity management systems will be required to play as part of these platforms. Given the fact that governments have a unique relationship with citizens, this arguably requires a careful assessment of how information technology impinges upon public values. 21 Moreover, electronic authentication policies and technologies pose several issues, including multifaceted privacy issues, 22 which demand our attention. The next section deals with these issues more deeply.

Citizen Identity Management in a Digital Era
The term identity management covers a wide range of policies and technologies for enabling organizations to identify or authenticate users of a system or service and, conversely, for users to ensure the trustworthiness of the organizations with which they interact. 23 In offline settings, identification technologies include national identity cards, visas, and passports, for example, used most commonly when interacting with a bank or government agency, or crossing international borders. The issue of identity management in the context of open government, however, has taken on newfound importance as it could help to achieve the objectives of transparency and participation by allowing citizens to deal more effectively and assuredly with government online. It also requires systems and processes that potentially alter the interactions and dynamics of trust, information disclosure, and authentication as compared to face-to-face interactions (such as at the border). If leveraged correctly, these identity systems can facilitate many of the platforms that underlie open government in a privacy-sensitive and socially fair manner. If they are poorly conceived and designed, however, such policies and systems will introduce new problems and vulnerabilities. This section provides an overview of the main issues and technologies of digital identity management.
To begin, there are important differences between the concepts of identity, identification, and authentication. David Lyon distinguishes between identity and identification. Acknowledging that we tend to treat the terms as synonyms in practice, he understands the former concept as being deeply personal and relational (i.e., I am always in relation to other people and objects) and the latter as connoting more technological priorities. 24  authentication. 25 Identification is the process by which a person's identity (or identity attribute) is revealed (e.g., "This is Carlos Gardel"), which is a different process from authentication, although in the common vernacular the two concepts are often conflated. Authentication strictly involves the confirmation of a request or granting of access to something and, importantly, does not necessarily require the revelation of an identity (or identity attribute). For example, some typical authentication requests include: • "Is this person a citizen of country X?" (e.g., at a border crossing).
• "Is this young person at least eighteen years old?" (e.g., when proving whether someone is of legal age to consume alcohol).
• "Is the person an inhabitant of the local council or county?" (e.g., when accessing a restricted local service).
Importantly, at no point during these requests does a person's identity (or components thereof-his or her name, ID number, or date of birth) need to be revealed. Authentication is, therefore, fundamentally a yes/no type of request (i.e., it relies on the minimal disclosure of personal information in a transaction). Identification and authentication are thus distinct activitiesmotivated by different policy drivers-and need to be treated differently by systems that collect or process identity information. These concerns are particularly relevant in online settings in which, due to the nature of the medium, it is especially easy to collect information from users that may be irrelevant to the transaction at hand. The over-identification of users, especially in contexts in which only an authentication-type request is required, may over time lead to the creation of extensive and rich data profiles or "data doubles." 26 Data doubles are the outcome of practices that aggregate information on peoples' past behaviors, transactions, associations, preferences, and so forth. These practices may also trigger concerns about unwarranted profiling and surveillance. 27 There may be a tendency to use these data for purposes that were originally not specified to the citizen (a phenomenon known as "function creep"). 28 In societies in which governments have engaged extensively in such profiling activities, critical discourses about the "database state" have emerged. 29 One potential risk resulting from these surveillance practices and attendant discourses is decreased citizen trust in the government institutions pursuing new information strategies.
But appropriate information practices can help to avoid these problems. For example, in many scenarios, what is actually needed to complete a transaction or access a service is an authentication measure rather than the full disclosure of an identity. In these contexts it should be possible for users to use pseudonyms or to remain anonymous in their dealings with organizations, as long as the right information is disclosed for the relevant transaction (e.g., whether the person claiming benefits is entitled to them) and that information may be verified as trustworthy. Currently, however, as organizations pursue new ways of solving the various problems of online identity, many of these considerations about authentication/identification and fair data collection and retention are being overlooked or neglected. Take, for example, a controversy from the world of online gaming from 2010. Without consulting its users, the gaming company Blizzard ® Entertainment (makers of the very popular World of Warcraft ® -a multiplayer, online role-playing game) instituted a new identification policy for participants. Its new policy required players to use their real names when participating in discussions in user forums. The original idea was to improve the quality of exchanges on the forums, on which, as one of the website's managers described it, "flame wars, trolling, and other unpleasantness run wild." 30 This Real ID policy did not go over well with gamers, who are accustomed to remaining pseudonymous in gaming environments, for these are perceived as spaces for entertainment and leisure. Under intense pressure from its community, which accused the company of neglecting users' privacy and security, Blizzard quickly retracted the policy. Other online networks, such as Facebook and Google+, are encountering similar problems with their strict user identification policies.
Governments are also trying to leverage new tools for identity management online, although for different purposes, such as simplifying user authentication procedures across different e-government portals, achieving cost savings related to online authentication, and improving government operations. Among these tools of identification and authentication are a range of different technologies and techniques-some well established, others still emerging. The paper documentation of yesteryear is being enhanced with new methods such as the insertion of computer chips and radio frequency identification (RFID) technologies. Supported by encryption techniques (digital certificates and public key infrastructures), these new "smart cards" are said to be more reliable and secure than traditional paper documents. They also require extensive technical infrastructures and organizational routines to make good on their technological promise. Aware of what is to be gained and lost in the online marketplace, the issue of electronic citizen identities is therefore fast becoming a priority for governments. 31 As governments around the world continue strategizing and making decisions on how best to leverage digital identity systems online, many  32 Others are reappropriating existing Web 2.0 and social networking sites for identity management purposes (see, for example, the United Kingdom's Cabinet Office's proposals to use Facebook as an authentication platform for government services 33 ), sometimes with perverse and unintended effects. Many of these platforms are plagued by ongoing privacy concerns, which put agencies that are using these systems as part of their open governance initiatives in a difficult position. For example, strict rules on the use of real names on popular social networking sites may prevent citizens from discussing or campaigning on sensitive moral, social, and political topics, for fear of being personally targeted by opponents. We further discuss these and related consequences in the next section.

Open Government and Online Identity in Practice: Challenges Ahead
This section illustrates the complex dynamics at play in government initiatives to engage citizens in online environments and the implications for identity, privacy, and surveillance. Empirically, these illustrations build on observations from different contexts where the use of new ICTs to achieve more open government has caused considerable controversy. Although these cases originate in so-called developed countries, the lessons learned from them are also potentially applicable to developing countries, if applied intelligently with sufficient attention to the diversity and differences in the context. The purpose of these illustrations is to look proactively at the benefits and risks associated with the use of these technologies for governance purposes, on which to draw policy principles. The first example relates to the use of social networking websites for political and civil engagement; the second involves the (unintentional) tracking of users on open government websites incorporating new multimedia and Web 2.0 functionality; and the third pertains to the use of mobile phones and open data for new e-government applications (i.e., m-government or mobile government).

Profiling Citizens? Political Engagement in Online Social Networks
Governments are increasingly seeking to connect with citizens online. One way of achieving these connections is by joining existing online social networks on which the public already gather, rather than attempting to create new platforms from scratch. Among these online networks are such popular web sites as Facebook, Google+, Orkut, Myspace, and Twitter. Different authors have observed a range of privacy harms in governments' use of such online social networks to engage citizens: • Government agencies may trawl information from the profiles on these networks and use it for purposes that users did not previously consent to, including for policing, immigration, welfare administration, or tax administration purposes. A case in Israel from 2010 involved the military searching through Facebook to identify female soldiers who had claimed to be Orthodox Jewish (and thus exempt from military service), using a range of data-mining techniques to root out draft dodgers. 34 These issues are especially salient in the contemporary context in which websites such as Facebook continually update their privacy settings and in doing so expose users to unexpected publicity.
• Government could use the information provided on social networks to make unfair judgments and inferences about individuals, including their political associations 35 and sexual preferences 36 ; such uses would also potentially implicate the privacy rights of a user's extended network, as profile information of these friends of friends may also be subject to harvesting and misuse. • On a more general level, Danielle K. Citron locates harm in governments' use of online social networking information in terms of how it violates privacy norms. 37 Building on Helen Nissenbaum's notion of privacy as "contextual integrity," 38 she argues that any government use of data gleaned from social networks is problematic as it is likely that users have shared this information based on context-dependent expectations about how it will be used and with whom it will be shared. These expectations are arguably defied when state actors join online social networks for purposes that are incongruent with users' own aims.
Another privacy-related dimension pertains to the circumstances in which government organizations are permitted to block users in these online environments. An incident from late in the year 2010 speaks to the ongoing uncertainty and sensitivity of these issues. It was revealed that the Transportation Security Administration (TSA), the U.S. government agency responsible for overseeing the country's airport security, had blocked a critical member of the public on Twitter who had expressed his opposition to the agency's latest round of security measures (involving "advanced imaging technology" and "enhanced pat-downs"). While he was eventually unblocked by the TSA, the reasons for the original censor remain unclear. 39 More Recent events reveal that cases such as these do not only occur in the sphere of the developed world. After a controversial presidential election in Iran in 2010, journalists reported how the police followed electronic trails left by activists, which ended with the arrest of thousands of protest participants. 40 As well, in June 2011, the Chilean government announced a plan to monitor comments on social networks as a way to measure public perception about the current administration. The government backtracked two months later following considerable public controversy, with many worried about the potential infringement of freedom of expression and citizens' privacy. 41 These examples are indicative of the ongoing tensions surrounding privacy, freedom of expression, and open government initiatives that exist beyond North America and Europe.

Tracking Citizens and Third-Party Access to Personal Information
The technical design of the underlying platforms and technologies that make open government applications possible may also have important and inadvertent privacy consequences. Another example from the United States illustrates these concerns. Every week the U.S. president delivers a video address to the nation, which is now posted on the Internet using Web 2.0 multimedia technology. To transmit these videos the White House originally relied on Google-owned YouTube technology, which by design stores persistent cookies in users' web browsers. The use of such tracking cookies is a common yet controversial practice, especially in the public sector context. Until recently U.S. government agencies were forbidden from using such cookies on their websites due to privacy and civil liberties considerations. 42 Following an outcry from privacy activists who complained about the government tracking users online, the White House switched to another video platform which does not rely on persistent cookies-although they claimed this switch was not motivated by privacy concerns. 43 Regardless of their motivations, this incident and others (e.g., see the case of "supercookies" being used on the challenge.gov site 44 ) shows how taken-for-granted design features can complicate the values of open government, while also highlighting the role that third parties play in technology development and how these solutions may implicate privacy laws and norms.
A separate case from the United Kingdom further illuminates the risks of third-party access to personal information on Web 2.0-based government platforms. In November 2010 it was revealed that users of a National 9724_009.indd 232 7/26/13 12:52 PM

PROPERTY OF MIT PRESS: FOR PROOFREADING AND INDEXING PURPOSES ONLY
Health Service (NHS) website (known as NHS Choices), which provides general health advice to the public, have had details of their visit unknowingly communicated to Facebook, Google (for analytics purposes), and other advertisers and third parties. The information that was passed on included details of the ailments or conditions that the user was researching. Facebook users who visited the website had information about the date and time of their visit, the Web page browsed, and technical information about their Internet protocol (IP) address, browser, and operating system communicated back to the social network. 45 The only way to opt out of the service was to disable cookies in the Web browser, which is impractical as doing so makes navigating the Web difficult. The NHS has been criticized for these data-sharing practices and a formal investigation is underway.

M-Government, Open Data, and New Frontiers for Surveillance
With the exponential growth of mobile phone usage worldwide, governments have also seen the potential to extend their services and information provision to mobile platforms. M-government allows citizens, businesses, and government employees to access information and services through mobile devices, thereby increasing the range and accessibility of e-government. 46 These mobile technologies also enable the use of location-based services, which utilize mobile networks to access information about the user's current geographical position and deliver tailored information or services based on that location. For example, in Beijing authorities are tracking approximately seventeen million mobile phones to improve traffic flow in the city, which has raised privacy concerns among users. 47 Despite some initial hype around the promise of m-government, to date there has not been extensive uptake of these services, arguably due to the lack of a unified or consistent strategy by government agencies. Certain mobile phone-based notification or payment services have emerged, but otherwise m-government offerings remain underdeveloped: "The only area of constituent-centric service where mobile technology seems to play a critical role is public safety: mass notification and location-based emergency calling clearly yield a great value to people." 48 With the development of new smart phones and their accompanying easy-to-use applications, however, this situation is likely to change in the near future, particularly in developing countries (e.g., Android-enabled phones are being widely adopted in countries like Kenya). 49 While it is still very early in the technology development and adoption cycles to try to predict the range of m-government applications that may emerge for these new smart phones, there are emerging trends that shine some light on the issues. Contemporaneous to the emergence of smart phones is the increased availability of public data sets-another important facet of open government-that has made the creation of mash-ups ever popular. These mashups combine data and functionality from different sources to create new services, many of which can be run on mobile phones. Indeed, one of the drivers of the success of smart phones is the wide availability of apps (applications), which often rely on repurposed data sets. One such service that relates to open government (albeit in an atypical sense) is an application for citizens to survey the whereabouts of registered sex offenders.
The best-selling iPhone app known as Offender Locator is a mash-up of sex offender registry data in the United States (which are publicly available online as the result of "right to know" legislation called Megan's Law) and Google Maps. The app allows users to see the last known address of released sex offenders and displays this information on a map (importantly, at the time of writing this is not real-time tracking but rather a static visualization of an offender's most recently registered home). 50 While this might appear an extreme example of the future of m-government and the use of open data, it illustrates many of the problems that can arise when personal information (such as criminal history and address) are put online by governments without carefully considering the implications of doing so, the range of potential uses to which such information may be put, and how technological innovations might complicate the future use of such data (e.g., its use as part of a mobile phone-based mapping service). These are, of course, matters of policy which need to be democratically deliberated and informed by evidence; however, there is a convincing line of reasoning about the need to provide these and similarly demonized groups an opportunity to restart their lives once they have paid their debt to society. 51 Of course, these points extend beyond the surveillance of sex offenders to other groups and policy areas. 52 The point is that the online publication of government data is not universally desirable and that there might be good reasons to refrain from total transparency, including the protection of civil liberties.
Beyond this example, there are other emergent trends in this space which implicate issues of open government, including crime-mapping applications (see the United Kingdom's Information Commissioner's advice regarding the transparency and privacy aspects of these services 53 ), the proposed use of mobile phones for e-voting, and the use of mobile technologies for the transmission of medical information to patients (as public health is often a government function in poorer parts of the world). 54  must be carefully considered by policymakers before they are adopted and implemented.

Policy Principles for Protecting Identities in Open Government
How can policymakers interested in developing and adopting technologies and platforms for open government purposes build their solutions to engender trust, protect privacy, and limit the potential for harmful citizen surveillance? The answer is neither straightforward nor guaranteed. Moreover, there are several dimensions to explore, ranging from technical and interoperability issues, to ensuring privacy and security, as well as questions of citizen empowerment. 55 While all these dimensions are important, here we focus on two main aspects: privacy and information security. This section builds on three policy principles developed in Scotland for privacy-friendly identity management in the context of public service delivery, 56 tailoring their recommendations to the ongoing discussion on open government.

1: Minimal Disclosure of Identifiable or Personal Information
Citizens should only be asked to prove who they are (i.e., to identify themselves) in order to use government services online when it is absolutely necessary. These systems should instead be designed to authenticate entitlement to information or services using reliable technologies that are appropriate to the medium (e.g., the Internet or mobile network). This involves asking for the minimal amount of information necessary for the transaction. To ensure the reliability and trustworthiness of these transactions, service providers should also offer a provable means for citizens to identify the organizations they are transacting with.

2: Clear, Coherent, and Verifiable Policies for Web 2.0 Platforms
Public sector organizations that aspire to offer their services on Web 2.0 and related platforms must develop clear, coherent, and verifiable privacy and information-security policies specific to these platforms. These policies should encourage Surveillance Impact Assessments or Privacy Impact Assessments (PIAs) prior the project's implementation. user consent for collecting these data whenever necessary. We realize that advanced data analytics and the use of "big data" for open government applications may complicate the data protection principles of notice, consent, and data minimization, but they are nonetheless fundamental to safeguarding privacy. Third parties involved in supporting these services or with access to personal data on these platforms must also abide by these policies. This can be achieved through the creation of contractual obligations specific to these privacy principles. Requiring that technology partners use privacy-enhancing technologies and systems is another way to achieve this policy objective. That way, privacy and accountability can be effectively outsourced to third-party organizations. Making systems transparent so that citizens can see exactly what data about them is being collected and shared will further empower citizens as will providing mechanisms for citizens to restrict third party access.

3: Minimize Personal Information Collected and Stored
Government agencies engaging with citizens online must minimize the personal information they collect and store. Taken to an extreme, this guidance echoes Citron's call for a "one-way-mirror" policy for government's use of data from social media. 58 This policy permits individuals to provide feedback to government on these platforms but prevents governments from using, collecting, or distributing individuals' personal data. It creates a presumption of openness as to policy-related matters and a presumption of privacy as to individuals' personal information. Citron's concept is a legal one, not a technical one. She argues that with strong privacy rules such as these, individuals may be more inclined to participate in open government initiatives. There are, however, limitations to these sorts of proposals, including the ongoing situation in which government bodies use legal means such as data request letters, subpoenas, and search warrants to obtain these data from social media companies. 59 While outside the scope of debates on open government, these developments cannot be ignored by policymakers who aspire to pursue privacy-friendly e-government using social media and related technologies. This problem becomes worse in countries with less robust data protection laws.
Assuming one-way-mirror-type policies are impractical, government agencies should avoid centralizing the personal information they collect, segregating personal and transactional data separately, and securing access to these databases. Agencies should not track citizens on and across different open government sites and platforms. Government  also consider whether the storage of identifying information is even necessary to provide their services (for often it is not).

Conclusions
Open government initiatives are quickly moving to the fore of many government agendas, and will most likely bring many benefits. Our intent is not to diminish these benefits. Rather, we aim to raise awareness of a set of potential concerns, negative effects, and unintended consequences of open government, in particular in the area of citizen identity and privacy. We have argued that government programs that encourage and promote openness must simultaneously consider the identity infrastructures that enable such interactions and transactions. If appropriate infrastructures and policies are not put into place, the shift toward these more open spaces, in particular where personal information is concerned, could result in widespread privacy invasions, information security breaches, harmful surveillance, discrimination, or worse. As this chapter is being written, the U.S. government is pursuing new proposals for a National Strategy for Trusted Identities in Cyberspace, which capture many of the policy guidelines offered in the previous section. This is a positive development. It remains to be seen what will happen with these proposals, and importantly for policymakers in developing countries, how these developments will affect the plans for open government and online identity infrastructures in other countries.
As it has been the case with e-government in the past, governments in developing countries are especially well known for adapting models that have been first designed and implemented in developed countries. 60 Although there is no simple way of designing and implementing new digital identity systems that both respect privacy and civil liberties and guarantee all the potential good of openness, in this chapter we have proposed certain pathways worth exploring. Therefore, the policy principles we suggest serve two main purposes: (1) to advance the debate to begin addressing the complexity of dynamics of open government and its potential negative consequences; and (2) to offer some possible ways to keep risks at a minimum. In doing so, we aimed to establish the terms for further debate and discussion on digital identity within the next generation of platforms for online access, participation, and collaboration.
In light of the wide array of technologies, policies, and social and political contexts, we acknowledge that much more research is needed to understand the gamut of privacy consequences of open government ventures in