Data for Hire

When a contingent of lawyers, bankers, insurance executives and retailers approached Kansas officials in 1989 with an idea for developing a new way of delivering mission-critical public information to businesses, the state balked. After all, any new way of doing business-no matter what the benefits-cost money, and the state's cash-strapped agencies weren't too thrilled about a plan that might force them into "either/or" budgeting decisions.

As the meeting progressed, though, they quickly realized the idea had an attractive new twist: a built-in funding mechanism.

For the sake of convenience and equal access, users of such a system, the private-sector folks explained, would be willing to pay not only the usual transaction fees to cover agency search and retrieval costs but also an annual subscription to guarantee the cost of setting up and operating the network. There were other promises too, such as fewer people standing in line, less copying, less faxing and fewer testy phone conversations. In short, all upside and no obvious downside.

"There really wasn't anything not to like about it," said Jeff Fraser, the general manager of the resulting Information Network of Kansas (INK). "By the end of the meeting, the agency people were more enthusiastic about the idea than the private-sector people who had proposed it."

And such enthusiasm has only grown as the network has proven to be more successful than anyone had hoped-so much so, in fact, that other states, eager to set up their own self-funded information networks, now look to INK as a model of public/private cooperation and as a low-cost first step into electronic commerce.

"It's given everyone confidence that people are willing to access information electronically and, most importantly, that they're even willing to pay for certain kinds of it," Fraser said.

Eight years after being created by the Kansas legislature, INK takes in more than $6 million a year in revenues and has made a successful transition from a dial-up service to a World Wide Web-enhanced system that allows subscribers to download all types of public information in real time. Trucking companies, for example, can look up an employee's driving record, attorneys can tap the very latest opinions handed down by state appellate judges, and entrepreneurs can set up a new corporation entirely online, from filing articles of incorporation to filling out the requisite tax forms.

Moreover, officials have been able to leverage profits to develop additional applications that offer free information-such as legislative actions, lottery results and tax instructions-to citizens, further reducing agency workloads. And while profiteering by government is usually frowned upon, no one in the private sector has complained about the pricing structure that funds INK.

"The key thing is that businesses see value in having this type of service because overall it improves and streamlines the activities that surround those processes, so the idea of [INK] making money...has no negative connotation," said Rishi Sood, practice leader for public sector and health care at G2R Inc., a market research and management consulting firm in Mountain View, Calif. "So when you couple what is basically a hassle-free source of funding with the Web, which is so inexpensive and easy to implement, this becomes extremely cost-effective and easy to expand into other areas. It's really the way that all states will eventually go."

In fact, many states-including Arkansas, Georgia, Indiana and Nebraska-already have taken INK's example to heart and developed their own self-funded networks. As in Kansas, most programs began at the behest of businesses eager to cut costs and improve access, but each state has developed its own creative approach.

Nonetheless, the states have all followed Kansas' lead in several critical ways. To begin with, each offers a central access point to all state information, a characteristic that helps ensure control over who can see the information as well as a standard format and look, so the learning curve for users is minimal. "Users don't have to surf around looking for a bunch of different Web addresses or learn the idiosyncrasies of several systems," explained Tom Bostick, executive director of the GeorgiaNet Authority. "Our site is a front end to all of that, and so all users have to do is plug in our address and then just point and click."

A visit to Access Indiana, in fact, will yield not just wide-ranging state data but also criminal and civil court records collected by Indianapolis and Marion County agencies. "Our customers don't care which agency has the information, they just want to get that information," said William "Brad" Bradley, president of Indiana Interactive Inc., which runs both Access Indiana and CivicNet, the city and county network. "By creating an enterprisewide service, you're facilitating convenience, and the more convenient the system, the more people will access it."

That doesn't mean that agencies lose control of their data, Bradley emphasized. The network home page represents a firewall, a buffer of sorts, between the customer and the state's database.

"We're the coordinator of information," said Sam Somerhalder, general manager of Nebrask@ Online and president of Nebraska Interactive, a third-party vendor that manages the network. "We determine who wants to see the information, why they need that information and what type of format they want to see it in, and then we consider the agency's policy and technology issues. After that, we build an interface between the two."

To access driver's license records, for example, the Federal Privacy Act requires that users have a legitimate business need for it. Subscribers to Nebrask@ Online and other systems must fill out applications detailing what federal exemptions they fall under and how they plan to use the information, and they must sign what amounts to a contract before they are ever given a user name and password that would allow them to gain access to the information.

Such concerns lead to the second important factor in successfully selling public information: Upfront planning and cooperation among network managers, employees who deal with customers and data, technical personnel and agency officials. Several issues must be dealt with, including agency regulations that govern the disbursement of data, consumer privacy concerns and technology problems, such as how best to interface with legacy mainframe databases. "You don't want to just automate the way things have always been done," Fraser said. "It's an opportunity to really improve and redo the previous paper-based systems and to do that with a focus on the customer."

Cooperation extends well beyond the planning phase. Network personnel offer expertise in Web page design, Internet technologies, security and database access, and they're all willing to help agency personnel with any of their needs. In Georgia, the Department of Natural Resources was prepared to pay $100,000 to an outside contractor to set up a Web site, until employees of GeorgiaNet-a public corporation-stepped in and performed the service for free. And Indiana Interactive, despite being a commercial vendor, is more than willing to dip into its profits to help any agency develop a premium application or informational Web site, deal with database access problems or address security concerns.

"We're in this for the long term," Bradley said. "A customer-oriented, market-driven approach is critical to this type of network, so anything we can do to improve the overall appeal of the network will draw more people to it, increase the revenues and eventually increase our profits."

As premium networks have caught on, the money issue has given rise to some criticism by privacy advocates and other government watchers, who question whether information collected and maintained using taxpayer money should be paid for one more time at what is ultimately a higher price than the agencies charge. Although Kansas and Georgia charge agency-standard statutory fees (and Nebrask@ Online actually charges less for some data) for electronic access to public records, each network collects an upfront subscription fee that ranges from $50 to $75 a year. Conversely, Indiana charges a transaction fee that is $1 more than an in-person retrieval would cost, in addition to its $50 annual subscription price.

Bradley is blunt in countering arguments that the information should be offered free of additional cost. "Sure, taxpayers have paid for the government to gather the information, and they've paid for the government to deliver it to them, but they haven't paid for the government to deliver it to them in their living rooms three hours away from the state capitol at midnight on Friday night instantly," he said. "That's the difference. That's a service that needs to be subsidized because it's an additional cost to the government."

Many critics worry more about the privacy implications involved if government agencies view their databases as a potential cash cow. "I think a temptation exists because when you have government agencies collecting fees, then the whole fee process takes on a life of its own at the expense of personal privacy," said Beth Givens, head of the Privacy Rights Clearing House, a nonprofit consumer advocacy group based in San Diego. "Information is valuable, and easy access to information is even more valuable, so I think government has to have some type of deliberative process in place to ensure that [it doesn't] lose sight of the reasons why it put the information online in the first place."

Somerhalder said an oversight board or committee does indeed safeguard against agencies or third-party vendors taking monetary advantage. "All of the premium services have to be approved, and they watch our margins pretty closely," he explained. "We're not going to get rich off of this thing, but hopefully we can make a living."

In many cases, revenues already are earmarked. In Kansas, the money goes into two pots: The first holds transaction fees, which range from 25 cents for a search of the Kansas Board of Healing Arts to $8 for a search of the Uniform Commercial Code. The fees are funneled back into the general agency budget to be reappropriated by the General Assembly. The second pot holds the gross received from annual subscription fees, which go toward operating, maintaining and expanding the network. Another service, such as Kansas' Lobbyist in a Box, which for $50 a month tracks bills and legislative issues for subscribers and then notifies them by e-mail of any action, contributes money to both pots. Thus, of its $6 million in profits in 1997, Kansas sent more than $5 million back to the agencies. The remainder, less than $700,000, pays for the network, the salaries of 19 employees and the development of new, free and premium applications.

GeorgiaNet splits its revenues in a similar manner, although it also must pay to deliver free information over statewide kiosk machines. Last year it took in more than $17.5 million in money, but Bostick said that all but $20,647 of that was earned from a dedicated system set up for insurance companies that buy bulk driving records. Typical of the commercial model, Indiana and Nebraska take any profits left after all costs are paid. Nebraska Interactive nets around $150,000, but Somerhalder said that in its first year of operation, when it forked out initial capital investment costs, the company earned just $700.

Security remains the most critical element in any network that sells premium information because such information is most likely to contain personal information, such as names, addresses and Social Security numbers. "The public's trust is paramount to making this thing work," Bradley said. "Once you get a bad reputation, you're dead."

As a safeguard, INK and other networks always err on the side of caution. Security begins at the subscriber application phase, when potential users must supply (and prove) all their vital information, state their reasons for accessing the data and sign a statement that details the penalties for any abuse or misuse of the information. Once the subscriber is given a user name, the system can then track exactly what data was accessed and when. "In reality, it's easier to enforce laws like the Kansas Open Records Act and keep tabs on who's using the information because we know exactly who's in our system and what they're doing there," said INK's Fraser, who is so sensitive to security issues that he won't even divulge the architecture of his network. "Anybody who wants to get someone's address, for example, for some illegal reason, has to go to a lot of trouble and risk to obtain it over our system."

Several firewalls also are put in place to keep any user from directly accessing state databases. Secure information is encrypted during transit. And at present, credit card numbers or bank account numbers are taken only during the paper-based application process. Most networks hope to begin taking such information electronically once the Secure Electronic Transaction technology, which is being developed by Visa, MasterCard and several banks, is thoroughly tested and made available.

With information that is particularly sensitive, some networks only query a database rather than pull whole records. Nebraska, for example, is working on an application that would allow rental car companies to check drivers' records, but instead of a receiving a detailed driving record, the computer would answer yes or no to questions such as, "Does this person have three or more moving violations?" or "Has this person received any DUIs?"

Despite some concerns about privacy and security, the well-documented success of premium services is quietly but quickly paving the way for true electronic commerce, proponents say. GeorgiaNet, for example, expects to take in gross revenues of more than $19 million this year, including more than $115,000 from its Web site, a growth of nearly 600 percent.

"Use is just exploding," Somerhalder said, adding that Nebrask@ Online received 2.7 million hits in the first three months of 1998, compared to a total of 4.2 million hits for all of 1997. "People want the information. They're feeling more and more confident in the system. They're willing to pay for it. We're signing agencies all the time. And the success of the premium services is helping to build financial solidarity, so we're able to add more services, and the state is able to do things better and faster. It's a real constructive cycle."l

Heather Hayes is a free-lance writer based in Stuarts Draft, Va.

*****************

Maintaining Trust

Security problems in a government electronic commerce system have been rare, but when they do occur the result can be deadly to public trust. Just ask Arizona, which last year contracted with IBM Corp. to set up an online vehicle registration renewal system. Using a credit card, residents could simply update their vehicle status for $25 plus a $6.95 surcharge from IBM. Unfortunately, a programming error left several files on the wrong side of the system's firewall, which meant that anyone who came to the site armed with a little bit of Internet savvy could access the names, addresses and credit card information of the 300-plus motorists that used the system over a six-week period in March and April of this year.

The breach left state governments and technology executives wide open for renewed attack by privacy advocates. "Quite simply, they didn't have their act together before they went online, and they put a lot of people at risk for identity theft and credit card risk," said Beth Givens, head of the Privacy Rights Clearing House, a nonprofit consumer advocacy group in San Diego. "They should have tested it fully and monitored it more closely. Frankly, they should have known better."

Mark Nelson, a spokesman for IBM Global Government Industry, blamed the incident on "human error" and said the problem was immediately fixed when it was brought to IBM's attention. The system is back up and running, and even drivers who were directly affected claimed that the convenience benefit was worth the risk. "Our studies show that people are increasingly in support of using the Internet for transactions," Nelson said, pointing to successful electronic commerce systems such as Amazon.com and L.L. Bean.

That may be true in the private sector, but anecdotal evidence shows that a large number of people don't have much faith in governments armed with electronic distribution capability. More than 250,000 Maryland residents, spooked by a rumor that the government was selling their Social Security numbers and their driving records, nearly stampeded the Motor Vehicle Administration after the state passed a law that gave them the option of closing their files to public scrutiny.

Kansas had a similar problem, and Georgia had to deal with much-believed scuttlebutt that had government officials collecting and selling the fingerprints of residents to insurance companies.

"With the Internet, things certainly are faster and easier, but there's too much potential for technological or human error on a much larger scale," said Solange Botol, legislative counsel for the American Civil Liberties Union. "Sure, sometimes they're unintentional, but not always. The potential certainly exists for abuse."

Givens and other privacy experts recommend several steps to state and local governments that are truly interested in bolstering public confidence:

* Test the operating system several times before actually opening the service to the public.

* Do plenty of consumer education and consider the potential consequences before activating the system. Givens pointed to San Diego, which before actually putting county tax assessment records online informed local law enforcement and court officials of the plan and suggested they put any property holdings in trust. "The problem there is that there are plenty of people besides law enforcement types who have good reasons to shield their home addresses from the public, such as stalking victims, for example," she said. "That wasn't even taken into consideration."

* Develop a system to ensure that only people with a legitimate need can access the system.

* Install an electronic auditing system to track the users of any information that contains personal data, including information that is given for free.

* Make the penalties for misuse of information or an online system to be severe enough to be a deterrence. "Too often, if someone misuses the information or lies to a certifying authority, the worst they get is maybe loss of access to the system," Givens said. "That's not going to get it done."

Jeff Fraser, general manager of the Information Network of Kansas, said that even if people's fears seem unrealistic, they have to be taken seriously. And though the agencies, which as custodians of public information are ultimately responsible, technology officials also can guard against potential problems by making sure that any state regulations or agency policies dealing with privacy are integrated into the information-sharing network. "When in doubt, always lean toward privacy," Fraser said.

- Heather Hayes