Diving into a “Digital Country”: e-Estonia

Philippe Thevoz
Sep 6, 2016

I have had the unique opportunity to visit a “Digital Country”: Estonia. It was a “dive” of a few days into a unique eGovernment organization, on the occasion of the conference “Future of Identity” held in Tallinn on September 1–2, 2016. During these days, the main e-Estonia officials shared with us in detail the way eGovernment operates and what it brings to the population, the economy, the administration and the government. In addition, the unique e-Residency program, which allows any citizen of the world to be an “e-Resident” of Estonia, was extensively discussed.

e-Estonia — a “Country as a Service”

In Estonia, the government considers the population and the companies as its CUSTOMERS. In order to better serve these “customers”, Estonia has built, since its independence in 1991, a complete Digital Country. All the interactions between the government and its citizens, its residents and its economy have been moved to the Digital Space called e-Estonia. e-Estonia can now be considered a CaaS: a “Country as a Service”. The aim of this post is to present some of the key aspects of e-Estonia and to illustrate them through a few examples. More details can be found on the e-Estonia website (e-Estonia, the Digital society).

A Digital Identity

The first key of e-Estonia is a unique Digital Identity for everyone. Each citizen and each resident above 15 years old automatically receives a Digital ID. Thus, everyone is identified by a unique 11-digit number which is kept for their whole life. This Digital ID is the gateway to the e-Estonia digital world. It is encoded into the National ID card (for citizens) and into the Resident ID card (for residents). Thus, every time someone would like to access a digital service, she connects her card to a computer and enters one of the two secret PIN codes for secure identification (PIN1 to access the digital services and PIN2 to sign digitally). In order to simplify access to these digital services, it is also possible to connect via a smartphone, using a Mobile-ID, with the same level of security.

A Digital Infrastructure

In any country, the government (through its administration) collects and manages a large amount of information. Usually, this information is stored in government databases or in paper registries (books). Examples of these databases are: Population registry, Land registry, Company registry, Tax, Vehicles, Driver licenses, Health records, etc.

Estonia has a very efficient law called the “Once only policy”. This means that the Government is not allowed to ask for the same information twice (and thus to store the same information twice in different databases). For instance, the birth date or the home address of a person should be stored in a single database only, and this information is retrieved from that database every time it is needed by any other query. One could think that the best way to achieve this goal is to build a single “super-database” with all the information. However, such a centralized single database would be very difficult to manage and it would be much more vulnerable to attacks, being a single point of failure. Thus, e-Estonia decided from the beginning to have a fully decentralized system, where each administration keeps its own databases, with their specificities and structures. A powerful system therefore had to be set up to interconnect them.

A very clever interconnection system, called X-Road, has been designed to link all these databases together through the public Internet and to guarantee the security of all the data transfers. On the one hand, the protocols linking two databases are designed to allow only the required information to be queried and transferred. On the other hand, security servers are placed at each interface between servers and X-Road, opening the communication only when data need to be transferred.

As shown in the above figure, the X-Road infrastructure connects not only State databases, but also some databases of the private sector, like banks, telcos, etc. We will see in the section on Taxes how this provides a unique kind of service to the citizens.

A full traceability for a maximum security and a maximum transparency

Every time a query is launched on the system, the corresponding “transaction” is logged on a dedicated Blockchain to guarantee full traceability of all the transactions. The log of the transaction contains the Digital ID of the person who made the query, as well as the reason for which the query was made. Such a system has no backdoor (the X-Road code is open source) and any action of the system administrator is also logged in the same way (there is no way to go around this traceability system).

This unique logging system (which cannot be tampered with, as it is timestamped in a Blockchain) allows a maximum level of security, as well as full transparency. Unauthorized access to data is prevented by law, with severe penalties in case of breach (e.g. if a doctor looks at the medical records of someone he is not in charge of, with no reason, he can lose his job. If this same doctor illegitimately transfers medical data to someone else, he can be sentenced to jail for up to two years).
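To make the tamper-evidence claim concrete, here is an added example (not code from the original post or from X-Road) of a simplified hash-chained access log whose head hash is anchored externally. The field names, the `ID-...` identifiers and the log format are assumptions made for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # 'previous hash' used for the very first entry


def entry_hash(prev_hash, body):
    """Hash an entry body together with the hash of the entry before it."""
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()


def append(log, digital_id, action, reason, ts):
    """Append one access record and return the new head hash."""
    body = {"digital_id": digital_id, "action": action, "reason": reason, "ts": ts}
    prev = log[-1]["hash"] if log else GENESIS
    log.append({"body": body, "prev": prev, "hash": entry_hash(prev, body)})
    return log[-1]["hash"]


def verify(log, anchored_head):
    """Return None if the log is intact, else a description of the first problem.

    anchored_head is the head hash that was timestamped outside the log
    operator's control; without it, truncation or a full rewrite of the
    chain would go unnoticed.
    """
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["prev"] != prev or entry["hash"] != entry_hash(prev, entry["body"]):
            return f"entry {i} altered or out of sequence"
        prev = entry["hash"]
    if prev != anchored_head:
        return "head mismatch: log does not end at the anchored hash"
    return None


def build_sample():
    """Constructed sample log; IDs, reasons and timestamps are placeholders."""
    log = []
    append(log, "ID-DOCTOR-1", "read", "scheduled consultation", "2016-09-01T09:00:00Z")
    append(log, "ID-ADMIN-1", "modify", "database maintenance", "2016-09-01T09:05:00Z")
    head = append(log, "ID-PHARMACY-1", "read", "prescription pick-up", "2016-09-01T09:10:00Z")
    return log, head


if __name__ == "__main__":
    log, head = build_sample()
    print("intact:   ", verify(log, head))
    log[1]["body"]["reason"] = "edited after the fact"
    print("edited:   ", verify(log, head))
    log, head = build_sample()
    del log[1]  # an administrator removes the trace of their own action
    print("deleted:  ", verify(log, head))
    log, head = build_sample()
    print("truncated:", verify(log[:2], head))
```

The chain alone only catches edits and deletions in the middle of the log; the externally timestamped head is what catches truncation or a complete recomputation of the chain.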

Blockchain to secure data integrity

In Estonia, the texts of the Laws are published on the government web site. The reference documents are the web documents and not the printed version. This means that the web site database which hosts the reference texts of the State Laws must be very secure, to prevent any hacker from “changing the law”. To do so, very sophisticated hashing technologies are used to check the integrity of the database every second. A modified “Merkle Tree” approach is used and the hash of the top of the tree is timestamped in a dedicated Blockchain every second (one should note that such Blockchain technology is slightly different from the one used in cryptocurrencies, such as Bitcoin, as it was put in place before the launch of Bitcoin. One way to guarantee the immutability of the data has been to regularly publish the top hashes in newspapers).

In this way, the integrity of critical databases (like the Law database, the Population registry, the Health records, …) is verified every second against any attack or tampering. An attack would be detected instantaneously and the infected system would be immediately isolated.
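The integrity check described above can be sketched as follows; this is an added example, not the original post's or Estonia's code, and it uses a plain Merkle tree rather than the “modified” variant the post mentions. The record contents and all function names are assumptions; `ANCHORED_ROOT` stands in for the top hash that would be timestamped or printed in a newspaper.

```python
import hashlib


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def leaf_hash(record: bytes) -> bytes:
    return _h(b"\x00" + record)  # prefix separates leaves from inner nodes


def node_hash(left: bytes, right: bytes) -> bytes:
    return _h(b"\x01" + left + right)


def build_levels(records):
    """Return every tree level, leaves first; an unpaired node is promoted as-is."""
    if not records:
        raise ValueError("cannot build a tree over zero records")
    level = [leaf_hash(r) for r in records]
    levels = [level]
    while len(level) > 1:
        nxt = [node_hash(level[i], level[i + 1]) for i in range(0, len(level) - 1, 2)]
        if len(level) % 2:
            nxt.append(level[-1])
        level = nxt
        levels.append(level)
    return levels


def merkle_root(records) -> bytes:
    return build_levels(records)[-1][0]


def inclusion_proof(records, index):
    """Sibling hashes from leaf to root, as (sibling, sibling_is_left) pairs."""
    proof = []
    for level in build_levels(records)[:-1]:
        sibling = index ^ 1
        if sibling < len(level):  # a promoted node has no sibling on this level
            proof.append((level[sibling], sibling < index))
        index //= 2
    return proof


def verify_inclusion(record, proof, root) -> bool:
    """Check one record against the published root without the other records."""
    acc = leaf_hash(record)
    for sibling, is_left in proof:
        acc = node_hash(sibling, acc) if is_left else node_hash(acc, sibling)
    return acc == root


def matches_anchor(records, anchored_root_hex) -> bool:
    """The periodic check: recompute the root and compare with the anchored one."""
    return merkle_root(records).hex() == anchored_root_hex


# Constructed sample 'law database' (five records, so one node gets promoted).
LAW_DB = [b"section 1: text A", b"section 2: text B", b"section 3: text C",
          b"section 4: text D", b"section 5: text E"]
ANCHORED_ROOT = merkle_root(LAW_DB).hex()  # value published outside the database

if __name__ == "__main__":
    print("intact:", matches_anchor(LAW_DB, ANCHORED_ROOT))
    tampered = list(LAW_DB)
    tampered[2] = b"section 3: text changed by an intruder"
    print("tampered:", matches_anchor(tampered, ANCHORED_ROOT))
    proof = inclusion_proof(LAW_DB, 4)
    print("section 5 proven:", verify_inclusion(LAW_DB[4], proof, merkle_root(LAW_DB)))
```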

Examples — Tax declaration, Health records and e-Vote

Now that everyone has a Digital ID and that all the Databases are interconnected, let’s illustrate how it works through three examples: Tax declaration, Health records and e-Vote.

Tax declaration

e-Estonia officials are very proud to say that Tax declarations can be filed in a few seconds and a few clicks only. How is that possible, without having a “Big Brother” State which can access and see all my personal records and in particular my bank account?

When my company pays my salary (via e-Banking), it is possible to click on a check-box to state that this is indeed a salary payment. Of course, the person to whom the salary is paid is identified by her unique Digital ID number. Once this “check-box” is selected, the salary data are PUSHED from the bank to the different authorities (i.e. to the Social charges authorities and to the Tax authorities). The right amounts of social charges and taxes are automatically transferred to the corresponding authorities and all the data are stored in the right place for the tax declaration.

On the other hand, when I pay the interest on my mortgage, I want to be able to deduct it from my revenue. Thus, in the e-banking window, I can click on the “Mortgage” check-box and the bank will automatically transfer (PUSH) to the tax authorities the information about the mortgage amount which could be deductible.

Thus, in February, when the tax “season” comes, all my revenues are automatically known by the tax office, as are all the amounts that should be deducted from my revenue (like my mortgage interest). This information is of course transferred via X-Road in a secure and encrypted way and is digitally signed by the persons who gave the corresponding instructions. Thus, when I connect to my Tax declaration (with my Digital ID and PIN1), I am able to verify whether things are correct or not. I can make some modifications if necessary and then I can sign it (with my Digital ID and PIN2). It is done! In Estonia, 97% of the population file their tax declaration digitally and 95% of the people accept the declaration without any modification.

Finally, it is important to say that the Estonian administration and Government do not have access to my bank account at all, as they have access only to the information that I (or my employer) have PUSHED to the Tax office. Moreover, all these PUSH transactions are logged and I can monitor all these records.

Health records

In Estonia, all the patients living in Estonia (citizens and residents) have Digital Medical Records. This means that all doctors, hospitals and pharmacies are connected and use the e-Health and e-Prescription system.

As an example, I can call my doctor and he can prescribe me a medicine. This prescription will be an e-Prescription, which will be filed in my Digital Medical Records. When I go to the pharmacy, I identify myself with my Digital ID and the prescription is given to me. Each of these steps is automatically digitally signed by the person in charge and is logged. If I am really sick and I cannot go personally to the pharmacy, I can delegate the pick-up to a relative and the log will show that the drug has indeed been delivered, at what time and to whom.

Of course, as all my Medical Records are digital, they can be accessed by any doctor, wherever I am in the country. It is even planned that the medical file could be consulted in an ambulance, in order to anticipate problems with allergies or specific problems (again with the right logging of who has consulted my records, to prevent any unauthorized access).

Here again, one could argue that such a system is very dangerous and that my medical data can be exposed to anybody among the medical personnel. Such unauthorized accesses are prevented by the fact that any access is logged (with the Digital ID login and in a way that cannot be tampered with, due to Blockchain timestamping). Thus, a doctor or a nurse will never consult the medical file of someone whose records they are not allowed to see (or have no good reason to look at), because they will lose their job if they do so. It is important to remember that all “Read”, “Write”, “Modify” or “Delete” actions on any database (including the Medical records database) are recorded in the Log file. Compared to the security of paper files (where it is impossible to know whether someone has read a file, or even photographed it with his smartphone), such a system is much more secure. When encryption and data integrity algorithms (see above) are added on top, the security reaches a very high level.

e-Vote

Each citizen can vote electronically, using his Digital ID. The e-Vote can be cast regardless of the physical location, which allows citizens to vote when travelling abroad. With the Digital ID or the Mobile-ID, there is no need to provide any voting document or any specific ID code to the citizen prior to the vote.

To guarantee the secrecy of the vote, a “Virtual double-envelope” scheme is used, similar to the system used for postal voting. The double-envelope system is secured by a set of public-private cryptographic keys, which guarantees that nobody can vote twice, that nobody can tamper with the virtual ballot box and that no vote can be left aside.

In addition, a voter can change her choice until the closing time of the vote, by voting again later. In that case, the new vote automatically replaces the previous vote in the “inner envelope”, through the appropriate cryptographic mechanism. Thus, it is possible to vote as many times as you want, but only the last vote will count. This prevents someone from being “forced” to vote for a given candidate, under the pressure of some relative for instance.

For those who prefer to vote in a “traditional” way, this is still possible. In the 2015 Parliamentary elections, about 30% of the population voted electronically. 5.7% of the e-Votes were cast from abroad, coming from 116 countries. As voting in Estonia is an exceptional event, happening not more than once a year, people still like to go to the polling station, as a social event.

Digital Signature

As each citizen and resident has a Digital ID, all documents can be signed digitally, either on a computer with the ID card, or directly on a smartphone, using the Mobile-ID. This electronic signature is used not only in the relationship between the Government/Administration and the citizens, but also by the private sector. For instance, a doctor will digitally sign a medical prescription, a company will digitally sign a contract with its customer, you will digitally sign a payment to your bank, etc. As another example, you can receive by email, on your phone, a contract (as a PDF or Word document) that you need to sign and send back. You connect to your Digital ID on your phone via your Mobile-ID, then sign the document with your Digital signature. The document is automatically “embedded” in a cryptographic container, together with your Digital signature. You then send the document and the container by email to the right person. The recipient is able to check that your cryptographic certificate is valid, and your signature is automatically confirmed to be yours, with no possibility of it being tampered with or faked. In addition, the cryptographic means used prevent the original document, which has been signed, from being modified during the operation (i.e. the recipient or anyone else cannot change the Word document once it has been signed, as it would no longer be linked to the signature).

In addition to Digital signatures, the Digital ID can be used as a single secure login system for any public and private digital service (the usage of such a login by the private sector is of course voluntary). Such a system is very secure, as the login certificates are managed by the Government, with a very high level of security. In addition, each company (bank, insurance, retail, e-commerce, …) does not need to “reinvent the wheel” by programming, installing and managing a secure identification system. Everybody can benefit from the Digital ID system.

For a user, the single ID card (or Residency card) replaces all the access and login cards that we have in other countries. Personally, I have the following cards in my wallet: National ID, Driver’s license, Health insurance, Bank cards, Train pass, Bus pass, loyalty program cards (1 per program), etc., not to mention my Credit cards. In addition, most of these cards are secured by a password or a PIN code, which are not always well managed. In Estonia, all these cards are replaced by a single ID card, secured by two PIN codes. As there are only two PIN codes to remember (to access all the services and to sign), they are kept secret and well managed. Finally, if you lose this card, everybody knows where to call to block it and to get a new card. In that case, the corresponding Digital certificates are automatically canceled and nobody can connect to any service using the Digital ID (whereas if I lose my wallet, I have to call several institutions to block them all — with the risk that I will forget one or another).

e-Residency concept

On December 1st, 2014, Estonia launched a disruptive initiative called e-Residency. “e-Residency offers to every world citizen a government-issued digital identity and the opportunity to run a trusted company online, unleashing the world’s entrepreneurial potential”.

In a few minutes, any citizen of the world can apply online to the e-Residency program, by giving her personal details, a photograph of her passport and her picture. The process is completed by paying 100 EURO. After a few weeks, during which the Police & Border control of Estonia performs its due diligence on your application, your e-Residency card is ready. You can then pick it up at an Estonian Embassy (after showing your passport and giving your fingerprints, as a face-to-face identification). Today only a selection of Embassies offer this pick-up possibility.

I have had the privilege of being an Estonian e-Resident for a few weeks. I picked up my card at the Embassy in Paris (see picture below).

My Digital ID number is 36102130142. With this e-Residency card (and the two PIN codes), I have access to the following services in a fully secure way (the following list is not exhaustive — more details on this link):

  • Digitally sign documents and contracts
  • Verify the authenticity of signed documents
  • Encrypt and transmit documents securely
  • Establish an Estonian company online
  • Administer the company from anywhere in the world
  • Open a bank account online
  • Conduct e-banking and remote money transfers
  • Access online payment service providers

How much money is saved?

The transformation of manual services into digital services, the new kinds of services that the digital world opens up, the end of collecting already available data, the absence of duplicated identification services, a simplified healthcare system, etc., save a lot of time and money for the government, the administration, the population and the economy. The Estonian government claims that such a digital system saves both the public and the private sectors the equivalent of about one week of work for each person per year. This corresponds to about 2% of the GDP of the country and is equivalent to its military budget.

One could argue that such savings come at the expense of very high IT costs. In fact, the IT budget of the government (including salaries, infrastructure, investments and R&D) is about 50 million EURO per year (and has been for a number of years). This number is incredibly low compared to most developed countries (Finland’s IT budget is 2 billion EURO/year and the UK’s is 20 billion EURO/year). In addition, a number of high-tech start-ups have been able to emerge from this very fertile ground and some have been very successful (e.g. Skype).

Mindset, Trust & Transparency

e-Estonia was not built in a few days. It is the result of many years of bright ideas and hard work. We can see however that this is a system which works very well. It is certainly not perfect, but it has proven to the world for almost 10 years that it is robust, secure and efficient.

When going digital, full security can never be guaranteed. However, a “standard” Government and Administration, with centralized databases and paper registers, is far from being fully secure. e-Estonia offers the highest possible level of security and resiliency that can be found in today’s “market of eGovernment”.

The trust of the citizens in their government and administration is also mainly due to a rule of “Absolute Transparency”. There is no “back door” in the different components of the e-Estonia digital infrastructure. Even the President of Estonia, Toomas Hendrik Ilves, pledges that in public (see the video). What matters most is not what the President says, but the fact that this can be checked by any specialist, as all the code is open source.

Toomas Hendrik Ilves, President of Estonia

Finally, in my discussions with e-Estonia officials, I found a lot of humility. Estonia is a small country and all forces were needed to reach such a result. This means that nobody at e-Estonia claims to hold the full truth and that very young and talented entrepreneurs have been able to propose very clever solutions. The Government CIO of Estonia, Taavi Kotka, calls himself an “Entrepreneur in Government” (with reference to an “Entrepreneur in Residence”), who is willing to serve his country with the best services and technologies. Such behavior creates a positive and innovative mindset, which propagates through all layers of the population, government, administration and industry.

Conclusions

The picture of e-Estonia presented above seems perfect, and it looks as if Estonia is a heaven. This is certainly not the case and the country also has problems, like any other country. However, with very limited resources, but a totally open and positive mindset and full transparency, the successive governments were able to build a system which is very powerful and efficient, to serve its customers (i.e. its citizens, residents and economy). Even if the system is not perfect, it has been very well thought out, with no single point of failure and with a lot of resiliency.

To conclude, I would be very happy if other countries would adopt similar concepts (with of course some adaptation to the context of the given country), with a similar mindset. I am sure that this would contribute to a better world.

Thanks

Many thanks to @KasparKorjus (e-Residency Managing Director), @TaaviKotka (Government CIO), @SiimSikkut (Digital Policy Adviser at Government Office of Estonia) and all the other e-Estonia officials for their time, their very open mind and their warm welcome.

Philippe Thevoz

Digital Transformation — Blockchain — eGovernment — Smart City — eHealth

twitter : @PhilippeThevoz

Linkedin : linkedin.com/in/philippethevoz
