How Estonia is using X.509 for Identity, payments, voting and much more

My life under Estonia's digital government. Analyst Charles Brett is a fan.
2 Jun 2015

There is much government talk about the economic importance of enabling a
digital society. Yet little that is coherent seems to materialise in the UK:
bits here and there, imperfectly integrated and with insufficient commitment.
Just think of the multiple UK initiatives over the years. That such slow
progress is taken as a given calls into question whether a digital society is
even deliverable.

The example of Estonia offers a startling contrast (and one different from
that of the European Commission <http://bit.ly/1EjJ4Fq> as summarised by *The
Reg* earlier this year). Before going into how Estonia delivers, consider
my own experience in Tallinn when obtaining an e-Resident card.

That Estonia introduced the concept of an e-Resident <http://bit.ly/1O7nQoV>
was previously described in *The Register* in October 2014, where it was
also pointed out that anyone wanting to be an e-Resident had to visit
Estonia twice: once to apply and then a second time to return and pick up
the e-Resident card, if granted.

Tallinn-bound

In the autumn of 2014 my wife was posted to Tallinn, Estonia’s capital, for
six months. One of the delights of being a technology analyst is that you can
work anywhere there is good internet access. Estonia has excellent
internet coverage plus 4G available throughout the country (even in rural
areas – a matter of government policy). In addition, being ‘local’ means
you can explore the digital business scene.

So, armed with my identification documents, I went to a designated
e-Resident office, having previously made an appointment online (of
course). Although I brought passport-sized photos I was directed to a
standard-seeming photo-booth which took my picture. Then I met a courteous
Estonian officer who swiftly took my details and bio-identifiers while also
linking to my electronic pictures from the photo-booth. I was told I would
receive an email in two weeks if my application was not refused.

Thirteen days later the promised email arrived. I returned to the same
office to sign for a package that included my e-Resident card and a neat,
and super-small USB e-Resident card reader. Nothing in the process could
have been simpler or more easily delivered (and from 1 April 2015 it has
been possible to achieve the same at selected Estonian embassies.)

With an e-Resident card you can set up a business remotely operating from
Estonia. As an e-Resident you can do everything legally required for a
business by electronic means from afar, including setting up a company,
signing contracts, opening bank accounts, making and receiving payments and
paying all taxes.

Estonia’s e-revolution has already reached far and deep

As *The Register* wrote back in October, holding the card does “not entail
full legal residency or citizenship or right of entry to Estonia” (but) it
does allow “secure access to Estonia’s digital services and an opportunity
to give digital signatures in an electronic environment. ... Such digital
identification and signing is legally fully equal to face-to-face
identification and handwritten signatures in the European Union.”

So, how did Estonia achieve all this? It was not a short process. First,
Estonia’s e-revolution has already reached far and deep, bringing together
citizens, government and business. Second, integration has been combined
with security and appropriate data ownership. Third, Estonia took its time
in establishing what is now a credible e-society - some 15 years after it
originally started back in 2001 (yes, that long ago). Today’s Estonian
citizen can (though he or she does not have to):

   - Identify themselves, via e-ID, an electronic identity system
   - Vote (iVote, available since 2007)
   - Complete tax returns (and make payments or receive refunds)
   - Obtain and fulfil prescriptions (eHealth)
   - Participate in census completion
   - Review accumulated pension contributions and values
   - Perform banking, including making and receiving payments
   - Pay and interact with utilities (like water, gas and electricity)
   - Interact with the education system (e-Education)
   - Set up businesses
   - Sign contracts
   - And more.

The above embrace a broad swathe of economic and personal activities
and apply as much to government and business as to the individual. As
such, the Estonian e-society provides facilities to all stakeholders in the
country, with some interesting side effects.

For example, digitising the police now enables a police officer in a patrol
car to verify a car’s legality and insurance by querying the car
registration system. If this shows the owner is a driver who has been
convicted of a drink-driving offence within the past two years the police
officer can stop and breathalyse that driver. Convicted drunk-drivers know
this; unsurprisingly repeat drink-driving re-offences have fallen.
Conversely, electronic voting is less popular because Estonians value their
new-found freedom to choose, and many dress up in order to go to their
polling station.

A matter of principles

All of the above depend on the acceptance of some fundamentals (an aspect
which successive UK governments have shown little appetite to address).
These were agreed right from the inception of the Estonian e-Society
initiative and specifically included:

*1.* decentralisation combined with interconnectivity: there is no central
database; every stakeholder (government department, business or even
individual) has the freedom to choose its own system in its own time, with
the guiding principle being that all participating systems be able to work
together

*2.* adoption of a secure open platform approach: the intention is that any
institution (or individual) be able to use a publicly provided public key
infrastructure

*3.* a commitment to an open-ended process: capabilities are encouraged to
evolve, grow and improve organically

*4.* investment in a long-term commitment to a suitable infrastructure,
particularly provision of two vital ingredients – a common middleware stack
(‘X-Road’) and a secure e-Identity (or e-ID).

Arguably the first three above are about principles. These are easy to
pronounce on but not necessarily easy to adopt or deliver. What marks out
Estonia so far is the way it has honoured its ongoing commitment to these
principles over more than a decade.

Follow the X-Road

Furthermore, acceptance is accelerating because, with time, the incremental
cost of adding a function or service reduces once a trusted infrastructure
is in place. Adding the online national census capability cost only the
census software, less than €10K, because the infrastructure was already in
place. The creation of the e-Resident initiative was a logical, and
practical extension, of what was already possible for Estonian citizens.

The fourth is about practicality. As the slide below shows, the X-Road is
the mechanism which connects all the decentralised components together.
This is what enables Estonia’s various databases and registers, whether
public or private, to link up and operate irrespective of what individual
platform they use. In this the ‘adapter server’ is the key integration
element which enables different applications to work together.
 [image: Screenshot showing Estonia digital government organisation chart]

Similarly, e-ID is the nationally standardized system for verifying each
individual’s identity to the online environment (the ‘security server’ in
Figure 1). This opens the door to provision of e-services which offer
security and trust (the basis for the e-Resident card), and Estonia has
gone further than most in four additional dimensions:

   - it has introduced differentiation between roles associated with an
   e-ID; a civil servant, for example, can act as an individual or can act as
   his or her job demands, with quite different rights, accesses and
   privileges associated with his or her job
   - digital privacy is enshrined in law (Estonians argue their country has
   the strongest legislative protections, accompanied by stiff penalties for
   digital infractions or abuse)
   - the adoption of specific extending legislation where needed, for
   example for medical records; these are owned by the individual, who
   authorises doctors to use his or her medical records (using the
   e-ID to authenticate and record this authorisation)
   - citizens have rights to access and inspect data held about them;
   transparency breeds trust, over time.

Estonia has not stopped at this. To provide demonstrable accuracy it
exploits blockchain technology (though not Bitcoin’s) to establish
trust and verification. Data and interactions use a blockchain (from
Guardtime, an Estonian company) to guarantee a record of the state of any
component within the network and data stores.

The implications of this are immense. It means that any unauthorised change
in the state, which can be regarded as an attack on accuracy, can be detected.
Whether this ‘attack’ comes from outside or from (say) an employee on the
inside, the alteration of a record is itself recorded, while the original
remains (or is shown to have been tampered with).

Estonia proves that a digital society is practical today. Yet, apart from
Finland, which is adopting the Estonian technology base, other European
countries including the UK lag behind. If it took Estonia 15 years to reach
where it has today, and with a population of less than 1.5M, how long will
it take the UK, France, Germany or Italy? Will e-Societies ever emerge in
these places in a coherent and meaningful way? Does this mean that large
countries are doomed to fall behind?

The sad aspect about such a conclusion is that a proven technology base to
support an e-Society - X-Road and e-ID - exists. Yet what Estonia delivers
is ignored by those, especially fellow partners in the EU, who seem to think
they will provide better - at some unpredictable point in the future.

Estonia shows us that a digital society is practical today. We, as
citizens, should demand the same vision, coordination, commitment,
inclusivity and consideration of the needs and practicalities of all
stakeholders.

Instead we have politicians posing about the importance of digital
societies in order to get re-elected, and global multi-nationals exploiting
our personal data for their benefit.

We need not wait interminably for an e-Society. But, outside Estonia and
Finland, it looks as if we will. And any e-Society must be underpinned by
commonly accepted principles, as well as practical technologies, which
recognise the rights of all participants. ®

http://www.theregister.co.uk/2015/06/02/estonia/

Some more links:

https://e-estonia.com/e-residents/about/
http://en.wikipedia.org/wiki/Estonian_ID_card
http://estonia.eu/news/563--estonias-e-residency-goes-global.html

Received on Thursday, 11 June 2015 20:27:17 UTC