DOCUMENTOS Y REFERENCIAS RELACIONADOS EN EL ANEXO

Transcription

DOCUMENTOS Y REFERENCIAS RELACIONADOS EN EL ANEXO
DOCUMENTOS Y REFERENCIAS RELACIONADOS EN EL ANEXO EXPERIENCIA DE ESTONIA 1.
2.
3.
4.
5.
6.
7.
8.
Certificates.mht -­‐ http://www.id.ee/index.php?id=31013 Mobil ID.mht -­‐ http://id.ee/index.php?id=36877 Mobil ID Protocol.pdf eID Estonia.pdf eID Estonia Market vs Governance.pdf Electronic Signature.mht -­‐ http://eturundus.eu/digiallkirja-­‐kalkulaator/ egov Estonia.pdf Aplicaciones Sostenibilidad E-­‐Stonia.htm -­‐ https://www.foreignaffairs.com/articles/eastern-­‐europe-­‐caucasus/2015-­‐
01-­‐28/e-­‐stonia-­‐and-­‐future-­‐cyberstate#main-­‐menu 9. Modelo de Negocio.pdf 10. Estrategia Digital Estonia.pdf 11. Marco Regulatorio eID Estonia.pdf 12. Estrategia de uso eID Estonia.pdf 13. An†lisis TÇcnico Arquitectura.pdf 14. Modelo Interoperabilidad.pdf 15. Casos Exito.pdf 16. Explicacion Completa Modelo Estonia.pdf 17. Implementacion Tecnica.pdf 18. Componentes Socioculturales.htm -­‐ https://e-­‐estonia.com/ 19. Modelo Open Goverment.pdf 20. Mejores pr†cticas egov.pdf 21. eID Card and Digital Signature.pdf Formal Analysis of the Estonian Mobile-ID
Protocol
Peeter Laud1,2 and Meelis Roos1,2
1
2
Cybernetica AS
Tartu University, Institute of Computer Science
Abstract. In this paper, we report the results of the formal analysis
performed on the Estonian Mobile-ID protocol (deployed since 2008), allowing citizens and permanent residents of Estonia to authenticate themselves and issue digital signatures with the help of a signature-capable
SIM-card inside their mobile phone. We analyze the resiliency of the
protocol to network attacks under various threat models (compromised
infrastructure, client application, etc., confusing user interface) and give
suggestions for improvement.
1
Introduction
Since 2002, Estonia has issued chipped ID cards to its citizens and permanent
residents. The card has been integrated into a national public-key infrastructure.
Upon the initialization of a new ID card for the user U , two RSA keypairs are
loaded into it. The card is capable of performing modular exponentiations with
the secret exponents of those keypairs. During initialization, certificates binding
the public keys to the user U are also issued and stored on the card (as well
as in a public database). The certificates are issued by a certification authority
(CA) in the list of state-recognized CAs. The intended uses for the secret keys
(as recorded in certificates) are identification (for the first keypair) and signing
(for the second keypair).
The identification functionality of the card can be used when accessing public web-sites. When the user has directed his client application (usually a web
browser) to access a server over a secured connection, the two will perform a TLS
handshake [10] during which both the server and the client are authenticated.
During the protocol, the client has to sign a message, a hash of which is handed
over to the ID card in a smartcard reader connected to client’s computer. The
card will apply the RSA exponentiation to this hash, using the secret exponent in
the first RSA keypair. The result is handed back to the client application which
includes it in a protocol message. To activate the card’s signing functionality, a
PIN (consisting of four or more decimal digits) has to be given to it (different
PINs for different keypairs). The PIN is entered either from the computer keyboard or the PIN-pad integrated with the card reader. In the first case, the PIN
is handled by the client application and given to the card together with the hash
to be signed. The card locks up after a couple consequtive incorrect enterings of
the PIN.
Since 2007, Eesti Mobiiltelefon (the largest Estonian mobile operator) in
cooperation with Sertifitseerimiskeskus AS (the only state-recognized CA in Estonia) have issued mobile SIM cards with the same functionality [15]. Later that
year, they were joined by the Lithuanian mobile operator Omnitel [20]. Similarly,
RSA keypairs are loaded into those cards and the public keys are issued certificates binding them with users. The SIM card can compute signatures on users’
behalf after being given a PIN which is entered from the keypad of the mobile
phone. The mobile ID thus reduces the threats related to handing over one’s PIN
to a possibly trojaned computer. Trojan horse attacks on mobile phones are as
of now only a negligible part of the malware market [13], although should their
number and impact increase, the conclusions made in this paper must be reconsidered. Another claimed advantage of mobile ID is convenience — no smartcard
reader is necessary [16].
At the same time, client authentication in the Mobile-ID protocol uses a
much more complex protocol than the TLS handshake, and involves many more
parties. This raises a number of interesting security questions. The goal of the
research reported in this paper was to formalize the Mobile-ID protocol in the
protocol checker ProVerif [7] and use it to explore what happens if various parts
of the system are acting differently than expected. We also have tested the implementation of central parts of the protocol; this paper shows how to formally
model the possible weaknesses we found. After reporting the results of this exploration, we also suggest modifications for the protocol to make it more secure
under certain attacks.
A general security analysis of Mobile-ID has been performed previously [21].
This analysis was considerably broader in scope than the one reported in this
paper; it considered not just the network attacks, but also legal and human issues
and risks related to the failure of technical components. The conclusion of the
analysis was that generally, the risks associated with Mobile ID are the same
as the risks of using the ID card. There are some additional risks related to the
necessity to trust the extra infrastructure used in the Mobile ID protocols. No
formal analysis of the protocols was presented in [21].
In this paper we first describe the Mobile-ID authentication protocol and base
security assumptions (honesty of certain parties and security of certain channels)
for it. The base security assumptions describe the situation where only parties
that are normally considered to be dishonest can be dishonest. As next we describe how we have formalized the Mobile-ID protocol in ProVerif. In the next
section we describe the results of our analysis. We have analyzed the protocol under base security assumptions, as well as several different, stronger assumptions
where we have allowed certain parties or connections to be under adversarial
control. We finish the paper with suggestions for improving the protocol, as well
as general conclusions.
2
The Mobile-ID Protocol
The Mobile-ID protocol [4] involves the following parties:
2
– The user U that wants to access some service requiring authentication.
– The phone P of that user, as well as the SIM card inside it. Although technically two different units, we model them as a single one. The SIM card
knows the secret signing key skU , the corresponding public key pkU of which
is bound to the identity of U by the certificate certU .
– The client application C of that user, typically a computer running a web
browser. The client application is used to actually access the service.
– The server S that the user wants to connect to. It has a secret key skS which
public counterpart pkS is bound to the name S by the certificate certS . With
the help of skS , the server can participate in a TLS handshake as a server.
– The mobile operator O that has issued the SIM-card of the phone P .
– The DigiDocService D [4]. This is a central party of the protocol meditating
the authentication process and forwarding the messages to right parties.
The DigiDocService has a secret key skD allowing it to participate in a TLS
handshake as a server. The certificate certD binds the corresponding public
key pkD to the identity of D.
The parties above actively take part of a protocol session. Besides them, there is
also the certificate authority CA issuing the certificates. Also, there are means
(OCSP) to verify the status of a certificate [19].
The Mobile-ID protocol [4] is depicted in Fig. 1. A protocol session is initiated by the user U deciding to contact the server S and informing the client
application C about this choice. The client application locates the certificate
certS of the server and initiates a TLS handshake with it. During the handshake, the server is authenticated to the client, but not vice versa. The resulting
TLS tunnel is used to communicate the rest of the messages between C and S.
To authenticate the user, C sends to S the name U (which also determines the
phone number P ). The server S then initiates a TLS handshake with D, again
resulting in the secure identification of D, but not S. Again, the TLS tunnel is
used to encapsulate the messages between S and D. The server S sends to D
the names U and P , identifying the user. Additionally, S generates a 10-byte
challenge r1 (part of the challenge signed with skU ) and sends it to D, too. Optionally, r1 may be empty. Also, S sends to D something that identifies itself:
S̃ = (S, m) where m is an additional message that will be displayed to the user
on the screen of the mobile phone. Both S and D will then locate the certificate
certU of the user.
The DigiDocService will generate a random nonce r2 . The phone of the user
is supposed to sign the concatenation of r1 and r2 with the key skU , where pkU is
included in certU . DigiDocService forwards both S̃ and r1 kr2 to the phone P via
the mobile operator O. The communication between D and O is protected by a
VPN solution. The communication between O and P is through SMS-s, and is
protected by encrypting the messages between O and P with the symmetric key
K̃P known only to themselves. DigiDocService also computes CC1 as the control
code of r1 kr2 . The control code consists of four decimal digits. The control code
CC1 is forwarded to the client application C that displays it to the user U . The
phone P also computes the control code of r1 kr2 and displays it to the user,
3
C
S
S
know certD
get certS
skS
TLS HS
D
O
VPN
U, P
P
U
protected
using K̃P
U
skD
TLS HS
S̃, U, P, r1
get certU
CC1
get certU
S̃, P, r1 kr2
CC1 := cc(r1 kr2 )
CC1
CC1
S̃, r1 kr2
CC2 := cc(r1 kr2 )
S̃, CC2
Compare CC1 and CC2 . Check S̃.
PIN
sigskU (r1 kr2 )
sigskU (r1 kr2 )
OK
Fig. 1. Mobile-ID protocol
along with the name of the server S and the accompanying message m. The
user checks that the control codes displayed by the client application and the
phone are equal. The user also checks that the name of the server displayed by
the phone is equal to the server he wanted to access, and the message m makes
sense. If the checks succeed then the user instructs the phone that it is OK to
sign the challenge, and provides the PIN for identification. The phone, receiving
the PIN, signs the challenge r1 kr2 and forwards it to D via O. DigiDocService
D verifies that signature. If the signature verification is successful, and r1 is
not empty, then the signature is forwarded to S that also checks it, and upon
success deems U to be authenticated. If r1 is empty (i.e., S did not provide a
challenge) then D does not forward the successfully verified signature to S, but
only sends the confirmation that the verification succeeded. Again, S considers
U to be authenticated. The TLS tunnel between C and S is then used for the
regular communication.
2.1
Base security model
There are several entities, with several channels between them. Certain of those
may be controlled by the adversary. In our “base” model we make the following
assumptions about the security of various channels and entities:
4
1. There are several users and servers, some of them may be under adversarial
control.
2. There is a single DigiDocService and mobile operator. They are honest. The
channel between them is secure. In reality, these parties are relatively large
organizations under significant public scrutiny. Still, we will relax this assumption in certain models.
3. The phones and client applications are under the control of their respective
users.
4. The channel between a user and his client application is secure. So is the
channel between a user and his phone. This is a reasonable assumption (for
the base model, where we do not consider trojaned devices) as these channels
are realized by the keyboards and screens of computers and phones.
The basic security property that we are interested in is the secrecy of the TLS
keys agreed by honest clients and servers. We are also interested in correspondence properties: if a server S thinks that it talks to a client controlled by the
user U using the key K and U is honest, then U must also think that it talks to
the server S in a session where his client application C is using the key K (integrity for servers). Similar property must hold if we swap the user and the server
(integrity for clients). Note that integrity for clients is derived directly from the
properties of TLS because the server is authenticated during TLS handshake.
TLS is a thoroughly researched protocol [12] and we know that it provides integrity for clients. Therefore we will subsequently only be concerned with the
integrity for servers.
3
Formalization in ProVerif
ProVerif [7] is a protocol analyzer in the formal (or: Dolev-Yao) model [11].
To apply it to a protocol, it has to be formalized in a language reminiscent
to the applied π-calculus [3]. In this calculus, messages are represented by formal expressions made up of free names and expression constructors, the set of
constructors is fixed for a protocol. The process is expressed in a language containing primitives for sending and receiving messages (the channel has to be
specified, too; it is a name), generating new names (modeling the generation
of new keys, nonces, etc.), constructing and deconstructing messages, branching, sequential and parallel composition, and replication. The input language of
ProVerif also contains means to specify the security properties (both secrecy and
correspondence properties, as well as various process equivalences that we are
not using here). ProVerif is a mature tool, having been used to check the security
of various key-exchange [7, 2], authentication [8], fair exchange [1], secure storage
[9], electronic voting [17, 5], etc. protocols. The tool is capable of modeling different cryptographic primitives, including Diffie-Hellman key exchange [2] and
non-interactive zero-knowledge [6].
Our model of the Mobile-ID protocol, following the base security model consists of the following parts.
5
TLS handshake We follow the modeling by Tankink and Vullers [22]. They
have verified that the TLS handshake provides integrity for clients. The TLS
handshake is used as a subprotocol in two different places of the Mobile-ID
protocol. We use the trick described by Haack [14] to include TLS handshake as
a subprotocol, without duplicating its code.
Certification Instead of including a full-fledged CA process in our model, giving
signatures to certificate requests, we have included a private expression constructor cert, such that cert(X, pkX ) represents that pkX is the public key of X. The
privacy of the constructor means that the adversary cannot use it to construct
new expressions. On the other hand, we have included destructors that the adversary can use and read both components of a cert-message. The honest users,
servers and DigiDocService generate their keys and publish the corresponding
certificates at the beginning of their processes. To give certificates to dishonest
users and servers, we add a (replicated) process that takes a public key pk as
an input, generates a new name n and outputs cert(n, pk ) on a public channel.
It is important that the name is newly generated, otherwise the adversary could
issue new certificates to honest parties.
Phone registration The binding of the key K̃P to the phone P is handled similarly — there is a private binary constructor phonereg representing the binding
of a key to a user’s phone. There are also destructors to read both components
of a phonereg-message, but only the one giving the name of the user is public
(i.e., can be invoked by the adversary). Binding a key to the phone of a dishonest
user is handled similarly to certification. Actually, the process described in the
previous paragraph is extended to also output a phonereg-message.
User, client application and phone We model these parties as a single process (with several replicated subprocesses). The process first generates a new
name and keys for signing and mobile communication and publishes the certificates for them. The process will then split into several parallel subprocesses,
each of them replicated. These subprocesses are described below.
One of the subprocesses models the client application in one protocol session.
It receives the name of the server to connect to (from the user subprocess), runs
the TLS handshake with the server, verifying server’s identity in that process,
receives the control code from the server through the established TLS-tunnel and
sends it to the user subprocess. The channel between the user and client subprocesses is a secure one; its name is generated before the parallel subprocesses
start.
Another subprocess models both the user and the phone during one protocol
session. It tells the client application to start connecting to a server (the name of
the server is received from the adversary), gets back the control code from it, and
also gets the challenge to be signed and information identifying the server from
the network, encrypted with the key for mobile communication. The process
6
verifies whether the control code from the client application matches the control
code of the challenge (also checks the identity of the server). If the check succeeds,
it signs the challenge and sends it back, encrypted.
Third subprocess is used to indicate that this user is honest. It sends the
name of the user on a private channel (a free name that the adversary does not
have access to).
Other parties The processes modeling a server, the DigiDocService, and the
mobile operator are straightforward. The server process first generates the name
and the key of the server, publishes the certificate certS and then runs an unbounded number of processes implementing the server part of the Mobile-ID
protocol. The name of the DigiDocService is globally known, hence the DigiDocService process starts by generating only the key and publishing the certificate
for it. We use a private channel (a free name that the adversary cannot use) to
model the VPN used for communication between the DigiDocService and mobile
operator.
The whole system The analyzed process consists of the parallel composition
of the client process (replicated), server process (replicated), DigiDocService
process, mobile operator process, processes for TLS handshake (replicated) and
the process for issuing certificates for dishonest clients and servers.
Checking the control code The control code consists of four decimal digits,
hence collisions are easy to construct. It would be wrong to model the control
code just by a message constructor with no additional equations as that would
hide the very real possibility of control code collisions. In our model, we still
introduce the constructor cc, such that cc(r) is the control code corresponding
to r, but instead of using equality of terms to check the control code in the user
process, we have introduced a binary predicate TestCCEq (ProVerif supports
such introduction of predicates). The invocation of TestCCEq(r, c) is supposed
to return true if c is the control code corresponding to r (recall that the user
process receives the control code from the client process and the challenge from
the mobile operator). Our model contains the clause TestCCEq(x, cc(x)). Additionally, it contains the clauses for modeling that given c, the adversary can
construct messages of certain shapes whose control code is c. The shapes of these
clauses depend on the attacks that the adversary may want to perform. In the
weakest case (the adversary can find preimages of a given control code, but cannot control the shape of the preimage) the clause is TestCCEq(invcc(x), x), where
invcc is a new message constructor. We consider stronger cases when we study
different security models. Our model does not consider the possibility that two
control codes might be equal by chance. An honest DigiDocService can easily
ensure that challenges with equal control codes are not awaiting signatures of
the same user at the same time.
7
Security properties We are interested in two security properties — the secrecy of the keys of the TLS-tunnel between honest clients and servers, and the
authentication of users to servers. Our model in ProVerif contains queries for
verifying these two properties. For verifying the secrecy of keys, we have introduced a private free name M. The server process encrypts M with the keys of
the TLS tunnel at the end of each protocol round (at the bottom of Fig. 1) and
makes the resulting ciphertext public. The query asks ProVerif whether M is still
secret.
For the correspondence properties we use the events. An event E is a program
statement that is semantically equivalent to a no-operation, but records that the
program point containing event E has been passed (E has happened). ProVerif
can answer queries of the form “if event E2 has happened, then must the event
E1 also have happened?” In our model, we add an event ServerEnd(U, S, k),
where k is the key for the TLS-tunnel between S and C, to the end of the server
process, after it has accepted that user U has been authenticated. We also add
an event UserEnd(U, S, k) at the point where the user has completed all of his
steps to be accepted by the server — at the point where the user must enter his
PIN to the phone. The user process does not normally have the key k. Therefore
the client process will send k to the user process, too. The query asks whether
the event ServerEnd(U, S, k) implies UserEnd(U, S, k).
Both properties are easily invalidated if the user is dishonest. Hence the server
performs the actions for both properties (publishing the encryption of M , and
performing the event ServerEnd) only if the user is honest. The user is honest if
the server can receive his name over the private channel for honest user names
(see the description of user, client application and phone processes above).
4
Verification results
The Mobile-ID protocol, as we have modeled it in Sec. 3, following the security
model of Sec. 2.1 is deemed secure by ProVerif — the correspondence property
holds and the message M cannot be found by the attacker. Still, this only reflects
an in some sense “ideal” situation. Let us now consider the protocol where certain
things go wrong with respect to the base security model.
4.1
Attacker controls DigiDocService
DigiDocService is a mediator of messages, helping the protocol to proceed. It
would be unnatural if the security of the protocol depended on its actions. It is
straightforward to model DigiDocService being under adversarial control — we
make public its secret key skD , as well as the channel between it and the mobile
operator.
Being under adversarial control, the DigiDocService is expected to look for
collisions in control codes for challenges. As it can fix the second half of the
challenge, we expect that DigiDocService desires to solve the problems of the
following form: given c and r1 , find r2 so that cc(r1 kr2 ) = c. This is a reasonably
8
solvable problem, and we add a clause to the definition of TestCCEq stating its
solvability. Namely, we introduce a binary message constructor postc and state
that TestCCEq((r1 kpostc(c, r1 )), c) holds.
ProVerif finds an attack violating both security properties. This attack should
not even be so surprising, because the construction of the signature sigskU (r1 kr2 )
violates certain prudency criteria for the construction of cryptographic protocols
[18, Ch. 11]. If the adversary wants to masquerade as U to a server S then it
waits until U wants to contact some server S ′ , and proceeds as follows:
– A contacts S and performs the TLS handshake with it. At the same time,
U is performing the TLS handshake with S ′ .
– A identifies itself to S as U . S contacts DigiDocService D (under control of
A), performs the TLS handshake with it and forwards it the name U (and
P ) together with its own name S̃ (including the additional message m) and
its half of the challenge r1 . At the same time, U identifies itself to S ′ , which
also performs the TLS handshake with D and forwards to it the names U
and P , its own name S̃ ′ and the half of the challenge r1′ .
– The adversary (as D) constructs r2 and r2′ so, that cc(r1 kr2 ) = cc(r1′ kr2′ ).
Let c be this control code. The adversary (as D) sends c back to S and S ′ .
It also sends S̃ ′ , P , and r1 kr2 to the mobile operator, which forwards them
to P .
– The server S ′ sends c back to U . The phone P shows S̃ ′ to the user U . The
user agrees that it intended to contact S ′ . The phone also shows the control
code of r1 kr2 to the user. This happens to equal c.
– The user enters his PIN to the phone and the phone signs r1 kr2 . This signature is forwarded to S (via the mobile operator and the adversary posing as
DigiDocService), and S accepts the connection with A as coming from U .
Note that here the adversary only controls D, and not any other parties. Therefore this is a very powerful attack.
The attack succeeds even if the collisions for control codes were impossible
to construct. Impossibility of collisions means that the control codes must be
so much longer (at least 40-50 decimal places) that it would seriously degrade
the usability of the system. In this case, the attack is possible if S ′ is under
adversarial control. Compared to the described attack, we now just take r1′ = r1
and r2′ = r2 , and we do not have to look for collisions.
A prudent protocol design guideline says that when constructing a signature,
let the name of the intended verifier be a part of the signed message. This
guideline has not been followed in the design of the Mobile-ID protocol. We
could modify the protocol by letting P include the name S under the signature
it generates, and subsequently verifying that a correct name has been included.
This change still does not fix the protocol, but now the original attack succeeds only if S = S ′ . In other words, the user U initiates one session with the
server S and the attacker initiates a different session at the same time. The adversary (in the role of D) again finds r2 and r2′ so that there is a collision in the
control codes. The modified protocol might be secure if a server does not allow
9
the same alleged user to run two sessions in parallel. Unfortunately, we do not
know of a simple means to model such restriction in ProVerif.
ProVerif deems the protocol secure if both modifications (no control code collisions and server name under signature) are made. To ensure that adversarially
controlled DigiDocService does not generate control code collisions, the server
itself should generate the whole challenge. In terms of Fig. 1, r2 should be the
empty string and r1 should be long enough to be unpredictable. The server must
also make sure to not issue challenges with the same control code for parallel
sessions of allegedly the same user. It goes without saying that the control code
CC1 sent to the user via his client application must be computed by the server,
not the DigiDocService.
4.2
Attacker partially controls the client
One of the goals of the Mobile-ID protocol was to reduce the effect that a compromised client machine might have on the security of authentication. Clearly,
if the adversary has completely taken over the client computer, then it knows
the keys for the TLS-tunnel between the client and the server and can listen
and speak on behalf of the user. Still, even in this case the adversary cannot
contact a server S on behalf of a user U while the user U remains completely
passive: ProVerif claims that even in this case the event ServerEnd(U, S) implies
the event UserEnd(U, S) (note that we do not include the key for the TLS-tunnel
in the arguments of these events) and moreover, the correspondence is injective:
for each action of the user (instructing the phone to sign a challenge), the adversary can start at most one session with the server. To model in ProVerif that
the adversary controls the client machine, we make public the secret that this
process uses: the channel between the client application and the user.
A keylogger does not have to take over the whole machine in order to cause
harm (record the PIN of the ID card). A similarly interesting case for the MobileID protocol is, when the malware has not taken over the whole machine, but can
influence how the control code is shown to the user. This case models malware
that can redraw the screen. This change is simple to model — in Fig. 1, the
value CC1 is received by the user U not from C, but from public network.
ProVerif finds, that if the adversary controls the value of CC1 as presented
to U , then the protocol is insecure. If the adversary A wants to masquerade as
the user U to a server S, then it proceeds as follows.
– Wait until U himself contacts S. As we explained in the first paragraph, it
is impossible to initiate a session (as U ) with S, unless U himself also wants
to contact S.
– Start a session with S, claiming to be U . Let both sessions proceed to the
point where DigiDocService has constructed control codes c (for U ) and c′
(for A) and sent them to S and to P .
– The adversary makes sure that the challenge with the control code c′ reaches
P first. This can be achieved with right timing. The adversary also makes
sure that the second control code is not shown to the user before it has
10
accepted c′ . By our experimentations with DigiDocService3 , this condition
trivially holds — a mobile phone does not hint of the existence of a second
incoming control code before the user has taken action on the first one.
– The adversary receives c′ , the client application receives c. The dishonest
client application now contacts the adversary, learns c′ , and shows it to the
user instead of c. The user confirms that the client application and the phone
show the same control code c′ and instructs the phone to sign the challenge.
This challenge corresponds to the session between A and S.
The attack should be avoidable if the server does not start several sessions with
the same user in parallel. Indeed, if a session has ended and the user has generated the event UserEnd(U, S) then the server has also generated the event
ServerEnd(U, S) and because of injective correspondence, this event UserEnd(U, S)
cannot be used to match a different ServerEnd(U, S) taking place later (presumably because of adversarial activity).
4.3
User confused regarding the server names
An important class of attacks are semantic attacks where the adversary tries to
convince the user that a wrong statement holds. One example of such attacks
are the phishing web-sites masquerading as legitimate ones. They typically have
names similar to the one they are trying to masquerade. Authentication using an
ID card is relatively immune to such attacks — while an attacker can obviously
make the user connect to a fake server (if the user does not notice its fakeness),
this cannot be used to masquerade the user to a legitimate server.
We studied how well the Mobile-ID protocol fared against such attacks. We
assumed that there is an adversarially controlled server S ′ that is hard to distinguish from a legitimate server S. It turned out, that a classical man-in-the-middle
attack is possible, allowing the adversary to masquerade as U to S. In this attack, U connects to S ′ thinking it is S, while the adversary (masquerading as
U ) connects to S. The server S contacts D and the phone of the user receives
the challenge and the information S̃ identifying the server. The control code is
also sent from D back to S, which forwards it to A, which forwards it to U as
S ′ . The phone shows S as the name of the server, the user is connected to S ′ ,
but we assume that he does not notice the difference. The control codes shown
by the phone and the client application are the same. The user hence tells the
phone to sign the challenge and S will accept A as U . The attack works even if
the name of the server is included in the signed message.
4.4
Server chooses the control code
When server S contacts the DigiDocService D, it sends it not only the name S,
but also the up to 40 characters long message m; both S and m will be shown to
the user on his phone. A typical picture of the phone screen is shown in Fig. 2a.
3
http://www.sk.ee/DigiDocService/DigiDocService 2 3.wsdl
11
Here S equals “TheBank” and m equals “Enter?”. The next lines have been
produced by software running inside the phone (actually, inside the SIM-card).
They inform the user that the control code of the challenge is 1234.
TheBank
Enter?
Testing
TheBank
Enter?
Control code:
1234
Ok
Cancel
(a)
TheBank
Enter?
Control code:
2345
Ok
Cancel
Control code:
2345
Ok
(b)
Cancel
(c)
Fig. 2. Typical screen for comparing the control code
The possible values for S have been enumerated by the DigiDocService D and
D also weakly authenticates S by its IP-address. The server named “Testing”
may connect from any IP-address. We have experimented with DigiDocService
and various values of m, using this server identity. We have discovered that if m
contains embedded newlines, then these are shown as line breaks on the phone
screen. E.g., if m equals “TheBank\nEnter?\n\nControl code:\n2345\n” then
the phone screen (for certain models) will look as shown in Fig. 2b. Here the
entire message shown by the phone has not fit on the screen and a scroll bar
has appeared on the right-hand side. If we scroll down, we see the control code
that has been computed by the phone itself and may be different from 2345.
Depending on the model of the phone, this scroll bar may be rather hard to
notice.
We believe that with IP-spoofing, we can cause the picture in Fig. 2c to
appear on the phone screen. Also, if the adversary controls either TheBank or
the DigiDocService (as we have argued before, this case has to be analyzed, too)
then it is straightforward to make this picture appear, as the DigiDocService
can control which S and m are sent to the phone. Hence we conclude that a
malicious server or DigiDocService can (under certain circumstances) control
which four-digit number is shown to the user as the control code.
We have modeled this scenario with ProVerif. The necessary modifications
involve several parts of the model, as the fake control code is inserted at the
server, and then travels to DigiDocService, mobile operator, phone, and the
user. At the same time, the changes are rather straightforward.
We have considered the case where the DigiDocService is honest, but a malicious server is capable of entering a fake control code, eventually shown to the
user by the phone. Somewhat surprisingly, the protocol is still deemed secure.
One may conjecture that the user might not need to perform the equality check
of control codes at all. Of course, this is not so; there exists a straightforward
12
parallel attack: both U and A connect to S, both claim to be U , the challenge
for A’s session is the first to arrive at U ’s phone, U does not check the equality
of control codes and causes this challenge to be signed. Note that U still checks
that the phone shows the name of the server S (the opposite is considered in
Sec. 4.3). The reason why there is no attack if a malicious server can pick a fake
control code, is that to use this capability, the attacker has to set up a malicious
server S ′ whose name will be shown to and rejected by the user.
In Sec. 4.1 we gave some suggestions to handle a dishonest DigiDocService.
We have checked the security of our modifications (server name under signature,
challenge generated entirely by the server, no control code collisions) if a server
or the DigiDocService can also choose the control code that the phone shows.
ProVerif gives us an attack. The attack is similar to the attack presented in
Sec. 4.2. The only difference is that now the attacker changes the control code
shown by the phone, not the control code shown by the client application. Again,
the attack should not work if the server does not start several sessions with the
same user in parallel.
5
Proposed improvements
We suggest the following modifications to the Mobile-ID protocol to increase its
security:
– When the phone signs the challenge r1 kr2 for the server S, the signed message
should not be sigskU (r1 kr2 ), but sigskU (r1 kr2 , S). The presence of S under the
signature must be checked by parties receiving that signature.
– r2 should be a constant, most naturally the empty string. The control code
CC1 should be computed by S, not D. The server S should generate the
challenges r1 in such a way that the sessions of the same alleged user U have
challenges with different control codes.
We also suggest that the user interface of the phone should be modified in a
way that the control code is always in the same place at the phone screen, and
always visible when the message is first shown to the user. This can be achieved
by showing the control code before the message m, or by appropriately filtering
m. Users should also be educated to look for the control code in a certain place.
6
Summary
Above, we have considered attackers of various strength. They all had the ability
to initate protocol sessions; they controlled certain users and servers and had
no access to the phones of the users. Their strength varied along the following
dimensions:
– d1 — control over the DigiDocService or mobile operator (possible values: 0
— no control, 1 — full control);
13
– d2 — control over the client application (0 — no control, 1 — can change
displayed CC, 2 — full control);
– d3 — ability to confuse the user about server names (0 — no, 1 — yes);
– d4 — ability for a compromised server to pick the control code shown on
phone screen (0 — no, 1 — yes).
We see that the abilities of attackers may include the corruption of any party in
Fig. 1, except the phone P , taking the advantage of the user interface issues in
both C and P , and phishing attacks. We have not considered the attacker gaining
significant control over the phone. Indeed, any reasonable attack model would
allow the adversary to learn the PIN entered from the keypad of the phone; the
knowledge of the PIN gives the adversary full capabilities of masquerading as
the user U . We have also not considered the user’s failure to compare the control
codes shown by the client application and the phone, but this is subsumed by
the dimension d2 . To summarize, we believe that we have not left any significant
attack vectors without consideration.
We have proposed two mutually independent protocol modifications. These
propositions introduce dimensions on whether they have been taken into account.
– d5 — is the name of the server included under the signature of the challenge?
(0 — yes, 1 — no)
– d6 — is the half r2 of the challenge empty? (0 — yes, 1 — no)
Another dimension is introduced by an honest server’s behaviour when allegedly
the same user attempts to authenticate himself several times in parallel:
– d7 — does S allow parallel sessions with the same U ? (0 — no, 1 — yes,
but picks challenges with different control codes, 2 — yes) Note that d7 = 0
means that the server lets a session with a user U to time out before agreeing
to participate in a different session with U . This may make denial-of-service
attacks too simple.
Let Lij denote the predicate dj ≤ i. Our analysis shows that the security properties described in the end of Sec. 3 hold if
(L01 ∨ (L05 ∧ L06 ∧ L17 )) ∧ L12 ∧ (L02 ∨ L07 ) ∧ L03 ∧ (L04 ∨ L01 ∨ (L05 ∧ L06 ∧ L07 )) .
Indeed, the justification for each of the conjuncts is the following:
– We showed in Sec. 4.1 that an adversarially controlled DigiDocService is
capable of breaking the protocol unless the modifications stated in Sec. 5
were introduced.
– If the adversary has full control over the client application, then it can take
over the connection between C and S.
– In Sec. 4.2 we showed that if the adversary can change the control code
shown to the user by the client application, then there exist an attack that
requires parallel sessions with the same server.
– In Sec. 4.3 we argued that the mobile-ID protocol does not protect against
phishing attacks, even if we implement the modifications in Sec. 5.
14
– In Sec. 4.4 we showed that the capability for a malicious server to choose the
control code displayed by the phone is not enough for breaking the security
properties, but if the DigiDocService is also under adversarial control then
the modifications of Sec. 5 no longer suffice to preserve the security, but
parallel sessions between the same alleged user and server must be ruled
out. Hence we suggested in Sec. 5 to make sure that L04 holds.
7
Conclusions
We have analyzed the security of the Mobile-ID protocol introduced by an Estonian CA and Estonian and Lithuanian mobile operators. We have discovered
some weaknesses in the protocol which manifest under strong adversarial models.
Despite these weaknesses, we believe that the usage of the protocol can continue
in the immediate future. Indeed, we believe that the attack vectors included in
those adversarial models either will not materialize in the immediate future, or
their materialization would allow attacks of similar success against other authentication methods, sometimes including ID card based methods. Still, the
weaknesses should nevertheless be fixed with high priority.
Our analysis also shows that compared to other methods of authentication
(passwords, one-time passwords, PIN-calculators), Mobile-ID does not offer significant protection against user errors or weaknesses of the client application. We
conclude that it is too premature to state that modulo negligible risks, Mobile-ID
is at least as secure as authentication with ID card [21].
Acknowledgments
This research has been supported by Estonian Science Foundation, grant #6944,
by the European Regional Development Fund through the Estonian Center of
Excellence in Computer Science, EXCS, and by Sampo Pank. We are grateful
to Dan Bogdanov, Ilja Livenson, and Mari Seeba for fruitful discussions.
References
1. M. Abadi, B. Blanchet. Computer-Assisted Verification of a Protocol for Certified
Email. In Static Analysis, 10th International Symposium (SAS’03), LNCS 2694,
pages 316–335, San Diego, California, June 2003.
2. M. Abadi, B. Blanchet, C. Fournet. Just Fast Keying in the Pi Calculus. In Programming Languages and Systems: Proceedings of the 13th European Symposium
on Programming (ESOP’04), LNCS 2986, pages 340-354, Barcelona, Spain, March
2004.
3. M. Abadi, C. Fournet. Mobile values, new names, and secure communication. In
28th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL), pages 104–115, London, UK, January 2001.
4. AS Sertifitseerimiskeskus. DigiDocService specification, v. 2.122, April 24th, 2007.
http://www.sk.ee/files/DigiDocService spec eng.pdf
15
5. M. Backes, C. Hritcu, M. Maffei. Automated Verification of Remote Electronic Voting Protocols in the Applied Pi-Calculus. In 21st IEEE Computer Security Foundations Symposium, CSF 2008, Pittsburgh, Pennsylvania, pages 195–209, June
2008.
6. M. Backes, M. Maffei, D. Unruh. Zero-Knowledge in the Applied Pi-calculus and
Automated Verification of the Direct Anonymous Attestation Protocol. In 2008
IEEE Symposium on Security and Privacy, pages 202–215, May 2008.
7. B. Blanchet. An Efficient Cryptographic Protocol Verifier Based on Prolog Rules.
In 14th IEEE Computer Security Foundations Workshop (CSFW-14), pages 82–96,
Cape Breton, Nova Scotia, Canada, June 2001.
8. B. Blanchet. From Secrecy to Authenticity in Security Protocols. In 9th International Static Analysis Symposium (SAS’02), LNCS 2477, pages 342–359, Madrid,
Spain, September 2002.
9. B. Blanchet, A. Chaudhuri. Automated Formal Analysis of a Protocol for Secure
File Sharing on Untrusted Storage. In IEEE Symposium on Security and Privacy,
pages 417–431, Oakland, CA, May 2008.
10. T. Dierks, E. Rescorla. The Transport Layer Security (TLS) Protocol, Version 1.1.
IETF Network Working Group, RFC 4346, April 2006.
11. D. Dolev, A. C. Yao. On the security of public key protocols. IEEE Transactions
on Information Theory 29(2):198–207, 1983.
12. S. Gajek, M. Manulis, O. Pereira, A.-R. Sadeghi, J. Schwenk. Universally Composable Security Analysis of TLS. In 2nd International Conference on Provable
Security, ProvSec 2008, LNCS 5324, pages 313–327, Shanghai, China, October
2008.
13. S.
Golovanov,
A.
Gostev,
D.
Maslennikov.
Kaspersky
Security
Bulletin
2008:
Malware
Evolution
January
June
2008.
http://www.viruslist.com/en/analysis?pubid=204792034#9
14. C. Haack. Verification of Security Protocols, ProVerif’s Resolution Method, lecture
slides. March 2008. http://www.cs.ru.nl/˜chaack/teaching/2IF02-Spring08/
15. idBlog. EMT Launches the Mobiil-ID Service. http://www.id.ee/blog en/?p=20,
May 2nd, 2007.
16. ID.ee. Mobile-ID main page. http://www.id.ee/10995, November 20th, 2008.
17. S. Kremer, M. Ryan. Analysis of an Electronic Voting Protocol in the Applied Pi
Calculus. In Programming Languages and Systems, 14th European Symposium on
Programming, ESOP 2005, LNCS 3444, pages 186–200, April 2005.
18. W. Mao. Modern Cryptography: Theory and Practice. Prentice Hall, 2003.
19. M. Myers, R. Ankney, A. Malpani, S. Galperin, C. Adams. X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP. IETF Network
Working Group, RFC 2560, June 1999.
20. R. Šablinskas. Summary of Mobile-ID launch in Lithuania. Minutes of the Baltic
WPKI Forum Steering Committee, October 31, 2007. http://wpki.eu/Launch-ofmobile-ES-BalticWPKI.pdf
21. Security Analysis of Mobile ID (Summary, in Estonian). Ordered by Department of State Information Systems, fulfilled by Jaak Tepandi. July 11th, 2008.
http://www.riso.ee/et/files/MOBIIL-ID kokkuvote 11-07-2008.pdf
22. Carst Tankink, Pim Vullers. Verification of the TLS Handshake protocol. May
20th, 2008. http://www.cs.ru.nl/˜chaack/teaching/2IF02-Spring08/tv-report.pdf
16
Prepared for the eGovernment Unit
DG Information Society and Media
European Commission
Good Practice Case
eID in Estonia
Case Study
17 October 2006
Case study prepared by Ralf Cimander
(ifib, Germany) in co-operation with
Andres Aarma and Ain Järv from AS
Sertifitseerimiskeskus, Estonia.
eGovernment Unit
DG Information Society and Media
European Commission
Table of contents
1.
eID in Estonia
2
1.1
Case Summary
2
1.2
1.2.1
1.2.2
1.2.3
Problem addressed
Specific Problem
General Background
Policy context and strategy
3
3
4
6
1.3
1.3.1
1.3.2
1.3.3
Solution
Specific Objectives
Principles of eID card
Implementation
- Workflow description
- Security and Privacy
- Awareness and Marketing
8
8
8
13
14
16
17
1.4
1.4.1
1.4.2
18
18
1.4.3
Features making it a candidate for good practice exchange
Impact
Relevance of the case for other administrations that could learn
from the experience
Transferability
1.5
Results
21
1.6
Learning points and conclusions
23
1.7
References and links
26
19
20
Annex 1: Assessment Questionnaire for the MODINIS Case Descriptions
GP - Case: eID in Estonia
10-2006, vs 1.0
27
1
1.
eID in Estonia
1.1
Case Summary
Estonia has implemented the ID card as the primary document for identifying its citizens and alien
residents living within the country. Before introduction of this card, no national personal
identification document - neither physically nor electronically - did exist in Estonia. The card,
besides being a physical identification document, has advanced electronic functions that facilitate
secure authentication and legally binding digital signature, in connection with nationwide online
services.
There is only one version of the national ID card — no optional features or variations exist. All
cards are equipped with a chip containing electronic data and a pair of unique digital certificates
relating to each individual. In emergency cases (e.g. loss of the card) the certificates can be
suspended if required — disabling the ability to use the card for electronic authentication and
transactions.
The Estonian ID card scheme is the overall responsibility of the Estonian Government's Citizen and
Migration Board (CMB) and is regulated by the government's National Identity Act. The process
itself is managed through a tight public and private partnership with two key private organizations,
the AS Sertifitseerimiskeskus which is a joint venture between banks and telecommunications
organizations in Finland – acting as Certification Centre - and TRÜB Baltic AS which is the
company that personalizes the card itself — both physically and electronically.
The overall aim of the CMB was the introduction of a reliable and trustworthy identification
infrastructure in Estonia, receiving high acceptance by citizens and businesses and hence
becoming a success in terms of effectiveness and efficiency of its use in everyday life. As an (e-)ID
infrastructure is a very sensible area in public administration of a country, which need to be highly
reliable and requires full-time technical support in case of problems, a solution had to found that is
based on already proven technology and that is provided by inner country software and vendors.
Besides, this infrastructure had to be scalable, flexible and standards-based for expansion to other
services as well as forward-looking to enable also cross-border use.
Considering these overall goals, specific objectives and the organisation of service delivery, the
interoperability requirement is that of different public services which have to use the same
auxiliary services, i.e. digital signature, authentication, document encryption. Beside the use for
application of public services or signing of documents, the approach is universal and is also
applicable to private use and services. The interoperability requirement is met by employment of
standardised workflows in form of a common document format applicable to each service
independent of its provider (DigiDoc) and a central common public, service-rendering resource,
connecting national databases (X-Road). In addition, a centralised infrastructure of a national,
unique identification number for each Estonian resident has been employed serving their
authentication (not only) in electronic processes. Each workflow where digitally signed data or
documents are integrated in the legacy systems, IOP in the front-office to back-processes has
been achieved, in the other cases front-office to front-office flows are concerned. Almost 70 per
cent of Estonian residents own an ID card out of which 2.5 per cent use the electronic features of
the card. Several applications are already working with eID, like e.g. e-voting pioneered at the
local government elections in 2005 and with the e-ticketing of public transport tickets as one of
the most massively used application.
GP - Case: eID in Estonia
10-2006, vs 1.0
2
1.2
Problem addressed
1.2.1
Specific Problem
Prior to introduction of the present ID card there was no personal
identification document which could be applied both physically as
well as electronically. The same applied to residence permits.
Specific problems
addressed:
• No personal
identification
document existed;
neither physically nor
electronically
In terms of interoperability in the Estonian eIDentity Management
project, interoperability had to be employed where auxiliary services
(digital signature, authentication, document encryption) are to
support different primary services.
IOP requirement 1:
IOP between eID card
functions (auxiliary
services) and different
services
As the main objectives of the Estonian eID card is to digitally sign,
documents, encrypt documents and to authenticate users, the
natural focus of service delivery is on the front-office to front-office
processes and where documents are directly integrated in the
respective legacy system, front-office to back-office processes are
also concerned.
Service delivery
model:
IOP among front-offices
and where data are also
integrated in the legacy
systems, front-office to
back-office processes
are also concerned
To meet the interoperability requirement, a central database of
unique identification numbers, allocated to each Estonian resident
has been established providing authentication of the card holder (i.e.
the applicant or signing person). To enable identification and
authentication for different services via a corporate infrastructure, a
common public, service rendering resource – X-Road - has been
developed. Based on Internet, X-Road connects public databases
and information systems, tools centrally developed by the state (i.e.
the State Portal Centre) and the X-Road Center (management and
control of the gateway) with the Certification Centre for the (e-)ID
cards. The eID card of citizens is just a secure token for different
purposes where access to these purposes, i.e. public services is
provided by a single point of entry - the E-Citizen Portal. To digitally
sign documents, a communication model using standardised
workflows in form of a common document format (DigiDoc) has been
employed. DigiDoc format is based on the XML Advanced Electronic
Signatures standard (XAdES) and is a profile of that standard.
XAdES defines a format that enables structurally storing signed data,
GP - Case: eID in Estonia
10-2006, vs 1.0
Basic organisational
model employed:
• Centrally provided
unique identification
number for each
Estonian resident
• Common public,
service rendering
resource to connect
national databases (XRoad)
• Central single point of
access to public
services (E-Citizen
Portal)
• Standardised
workflows in form of a
uniform document
format (DigiDoc)
3
signature and security attributes associated with digital signature
and hence caters for a common understanding.
1.2.2
General Background
Issued by the Estonian Government’s Citizen and Migration Board
(CMB), national ID cards represent the primary source of personal
identification for people living within Estonia and are mandatory for
all citizens and resident aliens above the age of fifteen.
The Estonian identification card carries two discreet functions:
−
Physical Identity – can be used as a regular ID in conventional
real-world situations — anywhere one would typically need to
prove identity, age and so on.
−
Electronic Identity – enables citizens to use the same card to
electronically authenticate to Web sites and networks, and/or
digitally sign communications and transactions as required.
There was no national ID card scheme in place in Estonia before the
launch of the new ID card project. Conventional ID card schemes
(e.g., corporate cards) have been in operation for some time within
Estonia; however the dual-purpose physical/electronic ID cards were
not so familiar. To fulfil the scheme's requirements, the Estonian
Government’s Citizen and Migration Board required a single, holistic
system which could process and provision users with a dual-purpose
smart identification card. The process had to be straightforward for
citizens (to register and receive), easy to administer (for technology
controllers) and above all, be secure and reliable. In conjunction
with the ID Card initiative, the CMB were also eager to drive the
adoption of electronic signatures within the region, thus streamlining
key public service and commercial processes for residents and
businesses.
The Estonian ID card scheme is the overall responsibility of the
Estonian Government’s Citizen and Migration Board. It is responsible
for the issuance of identity documents to citizens and alien residents
as required by the government's National Identity Act. The CMB is
the institution that physically receives card application forms from
residents. However, the process itself is managed through a tight
public and private partnership. Two key private organizations work
with the government to support the ID card project:
−
AS Sertifitseerimiskeskus (hereinafter 'SK') – a joint venture
formed in 2001 between two of Estonia’s largest banks
(Hansapank,
Eesti
Ühispank)
and
telecommunications
organizations (Eesti Telefon and EMT). SK functions as the
certificate authority for the Estonian ID card project and
manages a complete range of associated electronic services —
GP - Case: eID in Estonia
10-2006, vs 1.0
Service:
Electronic Identity –
enables citizens to use
the same card to
electronically
authenticate to Web
sites and networks,
and/or digitally sign
communications and
transactions as required
Types and level of
agencies involved:
• Estonian
Government’s Citizen
and Migration Board
• AS
Sertifitseerimiskeskus
as Certification
Authority which is a
joint venture between
two of Estonia’s
largest banks and
telecommunications
organizations
• TRÜB Baltic AS – a
subsidiary of the TRÜB
financial services
organization
• Certification Service
Providers (CSPs)
• Time-stamping Service
Providers (TSPs)
• As Supervising
Authority the Ministry
of Economy and
Communications, in
particular the National
Registry of
Certification Service
Providers
4
including the LDAP (Lightweight Directory Access Protocol)
directory service, OCSP (Online Certificate Status Protocol)
validation service, and other certificate-related services. SK also
manages the end-user distribution channel (through its parents'
retail bank outlets).
−
TRÜB Baltic AS – a subsidiary of the TRÜB financial services
organization — headquartered in Switzerland. TRÜB is the
company that personalizes the card itself — both physically and
electronically. TRÜB receives the card application from CMB and
manufactures the card, printing and engraving the personal data
on the card, generating keys on the chip and embedding the
certificates on the card.
Besides, for the processing and controlling of digital signatures,
following authorities and agencies are relevant:
According to the Estonian Digital Signature Act (DSA), Certification
Service Providers (CSPs) certify real persons identifiable by name
and ID code and must be legal entities fulfilling specific legal
requirements.
DSA also regulates the work of Time-stamping Service Providers
(TSPs). The requirements to such service providers are generally the
same as those to CSPs. According to DSA, a time stamp is simply a
data unit that proves that certain data existed at a certain moment.
The National Registry of Certification Service Providers contains data
about all Estonian CSP-s and TSP-s. Although it confirms the public
keys of CSP-s, it is technically not a root CA in Estonia. Instead, it
functions as a supervisory authority, confirming the results of service
providers’ annual audits among other things. The Ministry of
Economy and Communications, in whose administration area the
registry works, has the right to verify audit results and inspect the
service providers' premises and relevant information.
GP - Case: eID in Estonia
10-2006, vs 1.0
5
1.2.3
Policy context and strategy
The Republic of Estonia is a small, independent Baltic state with a
population of just below 1.4 million people. Estonia is structured into
15 sovereign counties. While Estonia is a relatively small country (in
terms of other European population sizes, land area, GDP levels,
etc.), the nation is an innovator when it comes to introducing and
adopting new technology products and services. According to spring
2006 data (TNS Emor Gallup e-Ratings study), 58 per cent of the
population regularly use the Web — the figure shows that Estonia
has one of the highest Internet-usage rate in Eastern Europe.
Internet connectivity is also very high and well accessible at homes,
offices and schools.
Institutional context:
• Estonia is structured
into 15 sovereign
counties
• Highest Internetusage rate in Eastern
Europe
The legal framework associated with the issuance and government of
ID cards was established through the Identity Documents Act, which
was passed in 1999 and took effect on January 1, 2000. The specific
legislation associated with digital signatures - the national Digital
Signature Act (DSA) - was passed separately by the Estonian
parliament (Riigikogu) on March 8, 2000 and came into force on
December 15, 2000. This law regulates the framework and rules
required to effectively govern a national PKI and digital signature
infrastructure.
Legal framework:
• Identity Documents
Act of 1 January 2001
• National Digital
Signature Act (DSA) of
15 December 2000
• Rules and regulations
for Certificate Service
Providers (CSPs)
• Rules and regulations
for Time Stamp
Providers (TSP)
• Personal Data
Protection Act
The primary aim of the DSA was to give electronic signatures the
same level of trust and assurance as handwritten ones. As a rule,
digital and handwritten signatures should be equivalent in both the
public and private sector. The DSA also states that public service
departments must accept digitally signed documents. The DSA
requires that each digital signature can:
−
Uniquely identify the signatory.
−
Bind the individual to the signed data.
−
Ensure that signed data cannot be tampered with retrospectively
— without invalidating the signature itself.
While there is no direct sanction for not holding an ID card, it is
expected that as the first Estonian passports were issued in 1992
(following independence from the Soviet Union) with a 10-year
validity period, most people will apply for a card when renewing their
passport — if not already done so independently. By 2007, the
government expects over one million cards to be issued (almost the
entire registered and qualified population).
In terms of EU status, all certificates issued in association with the
ID card scheme are qualified certificates as per the European digital
signature directive 1999/93/EC. The Estonian DSA only regulates
advanced electronic signatures with regard to the EU directive.
Naturally, other types of electronic signatures can also be regulated,
but the DSA does not give them legal power or status.
One of the core components of the DSA was the establishment of
rules and regulations with regard to Certificate Service Providers
GP - Case: eID in Estonia
10-2006, vs 1.0
Interoperability
Framework:
All certificates issued in
association with the ID
card scheme are
qualified certificates as
per the European digital
signature directive
1999/93/EC
6
(CSPs) — who issue digital certificates to users and manage related
security services. The Estonian DSA mandated a number of stringent
requirements (financial and procedural) to ensure that CSPs are set
up and managed properly — to perform their function to the highest
possible standard.
The DSA also regulates time stamping services which are provided
by dedicated Time Stamp Providers (TSP). These TSP service
providers have to adhere to similar laws and regulations as CSPs.
The time stamp is simply a piece of data which attests to the
occurrence of an event at a specific time. The DSA does not define
time stamps in great detail, but ensures that time stamped data
cannot be tampered with or amended without invalidating the time
stamp itself.
A national registry of service providers contains all the relevant
information associated with registered CSPs and TSPs.
A broad Personal Data Protection Act regulates the use of personal
data and databases containing personal data by public authorities
and private entities.
GP - Case: eID in Estonia
10-2006, vs 1.0
7
1.3
Solution
1.3.1
Specific Objectives
In order to drive the adoption of digital signatures within the region,
software and technology had to be available for parties looking to
incorporate compatible applications.
When technical experts looked for a generic application or
implementation that would fulfil this requirement, no ideal solution
was found. It was also not optimal to rely on a foreign software or
technology vendor to provide and guarantee support for a critical
piece of national infrastructure. This reliance could have detrimental
impact on the country’s day-today functioning going forward.
Because of these considerations, a bespoke software model was
developed specifically to cater for Estonia and its digital signature
constituents.
In order to issue and manage the PKI-based digital credentials, the
following objectives were set by SK:
−
Selection of a PKI product which is already value proven in a
range of successful deployments in similar environments;
−
Scalability and Flexibility of the product;
−
To have a technology structure that is based on standards since
the PKI has to interoperate with a broad range of
complementary technologies;
−
Consideration of internationalization aspects since the Estonian
language is rich in non-ASCII characters that need to be
correctly processed and embedded in the certificates;
−
Auditable security and the possibility to construct reliable
processes. Technology is just one aspect of security, equally
important are the organizational and physical security measures.
Estonian legislation requires annual external info system audits
from the PKI providers.
1.3.2
Objectives to be
achieved in general:
• Raise the adoption of
digital signatures
• Good availability of
software and
technology for
interested parties
• Not to rely on foreign
software or vendors
for this sensible piece
of infrastructure
Specific objectives:
• Implementation of an
already value proven
technology
• Scalability and
Flexibility
• Standards-based
solution to enable
expansion to other
services
• Processing and
embedding of nonASCII characters that
are common in
Estonian language
• Auditable security and
possibility to construct
reliable processes
Principles of eID card
The front side of the card contains the card holder's signature and
photo, and also the following data:
−
name of card holder
−
personal code (national ID code) of card holder
−
card holder day of birth
−
card holder sex
−
card holder citizenship
−
card number
−
card validity end
GP - Case: eID in Estonia
10-2006, vs 1.0
8
The back side contains the following data:
−
card holder birth place
−
card issuing date
−
residence permit details and other information (if applicable)
−
card and holder data in machine-readable (ICAO) format
Electronic data on card
Each ID card contains all the above data except photo and
handwritten signature in electronic form, in a special publicly
readable data file. In addition, the card contains two certificates and
their associated private keys protected with PIN codes. The
certificate contains only the holder's name and personal code
(national ID code). In addition, the authentication certificate
contains the holder's unique e-mail address.
GP - Case: eID in Estonia
10-2006, vs 1.0
9
- Certificates
Each issued ID card contains two discreet PKI-based digital
certificates – one for authentication and one for digital signing. As
said, the certificates contain only the holder's name and personal
code (national ID code). These certificates are standard X509 v3
certificates and have two associated private keys on the card – each
protected by a unique user PIN code. The certificates contain no
restrictions of use: they are by nature universal and meant to be
used in any form of communications, whether between private
persons, organizations or the card holder and government. They
contain no roles or authorizations: those where required must be
managed using some out-of-band method (see below, "Roles,
authorizations and organizations' validations").
The certificates contain the card holder's name and national ID code.
It is agreed in Estonia that this data is public by nature. The
certificates identify the card holder uniquely because even though
there may be name overlaps, the national ID code is unique. In
addition, the authentication certificate contains the card holder's email address.
In terms of the European Council and Parliament digital signature
directive 1999/93/EC, all the certificates on Estonian ID card are
qualified certificates.
- E-mail address
The authentication certificate on each ID card contains the card
holder's government-assigned e-mail address in the format
[email protected]. Random numbers can be used in
addition to provide unique e-mail addresses even to persons with the
same name. The address does not change with subsequent
certificate or card issuing – it is guaranteed to be a person's
"lifetime" address.
There is no real e-mail service associated with the address. It is
merely a relay address which forwards e-mails to users' "real"
addresses (e-mail accounts). Each user must configure the
forwarding addresses using an online service made available for this
purpose, and may reconfigure the addresses as often as he or she
pleases. Up to five forwarding addresses can be specified.
The address is supposed to be used in communications from
government to the person, but it can also be used in
communications between persons and companies and private
persons themselves. The addresses are available online to anyone
through CSP's certificate directory.
The address can be used as a simple e-mail address, but using the
address and the authentication certificate on the card, users can also
digitally sign and encrypt their e-mail. The digital e-mail signature is
not legally binding and not covered by DSA, but it provides receivers
additional confirmation of sender authenticity. E-mail encryption and
GP - Case: eID in Estonia
10-2006, vs 1.0
10
signing using certificates on smart card is a standard function of
various e-mail applications.
Anti-spam measures are implemented in the forwarding server. In
addition, spamming is illegal in Estonia and spammers will be
prosecuted accordingly.
Roles, authorizations and organizations' validations
In connection with implementing PKI and digital signatures, the
question of roles and authorizations has arisen in various projects. It
is assumed that certificates for digital signing may be issued for
specific purposes only, and that a person's roles can be embedded in
role certificates that are then used for authenticating the certificate
holder into different systems and giving digital signatures in different
roles. Thus, a person needs additional role and signature certificates
for each different role (s)he has, and the number of certificates
grows, creating substantial interoperability and scalability issues.
The Estonian approach states (as also said in the Estonian DSA) that
a digital signature given using a digital signing certificate is no
different than a handwritten one. A person's handwritten signature
does not contain his or her role – the role and authorization are
established using some out-of-band method (out-of-band in the
context of certificates). The same approach also goes for
authorization while authenticating – a person's certificate should not
contain his or her authorization credentials. Instead, everyone has a
similar universal key (authentication certificate), and the person's
role and authorization can be determined using some other method
(e.g. an online database) based on that key.
Case capitalises
mainly on following
layers of IOP:
• Technical and
syntactic IOP is
provided by the use of
the Internet-gateway
X-Road connecting the
national databases
and by DigiDoc which
is based on
OpenXAdES and hence
on ETSI standard.
DigiDoc provides a
common document
format and is a key
feature of the
semantic
standardisation. A key
feature enabling
semantic IOP is the
use of the national ID
number for
authentication
throughout any public
service
A practical example illustrating the above concept is signing
documents in organization using power of attorney. In traditional PKI
environments, this has been done using some form of attribute
certificates where issues described above arise. In Estonian and PKI
context, we could ask how power of attorney given in real life is, and
use the same principles in electronic document management.
Traditionally, power of attorney is granted in the form of a document
signed by the person giving the authorization. The document is then
given to the person who receives the authorization and who can then
present the document to relevant parties if necessary. The same can
be done electronically: the person giving the power of attorney can
sign the document using his/her own universal personal certificate,
and forward the document to the person who is given authorization.
The person can then enclose the digital power of attorney with any
further documents (s)he signs. The person receiving the document
can then verify both the original signed document and the enclosed
power of attorney that confirms that the person indeed had the right
to sign such a document.
Attribute certificates can of course be used in connection with the
universal certificates and documents outlined above, but the
Estonian concept is geared more towards universal certificates.
GP - Case: eID in Estonia
10-2006, vs 1.0
11
An exception to the above is organization's validation. Digital
documents sometimes need to be validated by organizations, so that
other organizations can be sure of the identity of the organization
where the document originated. This is useful for e.g. signing pieces
of databases (e.g. bank statements) online, to be presented to other
organizations. For this, SK issues certificates to organizations that
can be used to sign documents digitally. Technically, they are
equivalent to personal signing certificates on everyone's ID card, but
legally, they are not viewed as signatures and need not be covered
by law, because according to the Estonian law, only real persons can
give signatures. The "organizations' signatures" must therefore be
viewed simply as additional tools for proving information authenticity
(that it really originated from a specific organization) which may or
may not be accompanied by a digital signature of a real person
working in that organization. Still, the PKI complexity stops here,
and besides personal and organizational signature certificates, there
is no need for personal role certificates or anything else more
complex.
GP - Case: eID in Estonia
10-2006, vs 1.0
12
1.3.3
Implementation
In order to bring digital signatures into everyday life, common
understanding and signature handling practices are required. In
addition, software and technology must be available for anyone
interested, in order to create compatible applications. After all, the
key to unleashing potential digital signature benefits lies in
communication between organizations, not within one organization.
Therefore, it is vital that all organizations in a given community
interpret and understand digital signatures the same way. In case of
Estonia, the community is the whole country.
SK, together with its partners, delivered a comprehensive digital
signature architecture called DigiDoc. DigiDoc is a universal system
for giving, processing and verifying digital signatures created by AS
Sertifitseerimiskeskus. It can be connected to any new or existing
piece of software, but its components are a stand-alone client
program and a Web portal.
The core components of DigiDoc are:
− Client Program – DigiDoc Client is available to anybody to
download for free. Anyone can use it to verify digital signatures
or, if you have an Estonian ID card and smartcard reader,
generate digital signatures.
−
Web Portal – The portal is located at http://digidoc.sk.ee and is
available to all ID cardholders free of charge. Its functions are
similar to the client program — you can use it to generate and
verify digital signatures. In addition, you can use it to have a
document signed by a number of people. With a few clicks of the
mouse, you designate the people whose signatures you need on
the document, and they can all sign it in the same portal. Every
user has a directory of his or her documents which no one else
sees but where anyone can send documents to be signed by
you.
−
File Format – DigiDoc specifies the file format for storing a digital
signature and other technical data in a container file, together
with the original file that was signed. All DigiDoc-enabled
programs must support this format, and it must be possible to
export files from all the programs into stand-alone files, to be
verified with the stand-alone DigiDoc Client.
−
Software Library – The DigiDoc library is available to all
developers as a program library in C and as a Windows COM
component. It can be connected to any existing or new software.
For example, you could add DigiDoc support to accounting
software, document management system, Web and intranet
applications, and so on.
Supporting
infrastructure
employed:
• Web Portal to
generate and verify
digital signatures
• Software Library
(DigiDoc library
program in C
• DigiDoc document
format
• SK's OCSP validation
service
• X-Road, the Internetgateway connecting
the national databases
(public authorities),
Banks and the
Certification Authority
On the server side, DigiDoc provides an RFC2560-compliant OCSP
server, operating directly off the CA master certificate database and
providing validity confirmations to certificates and signatures. On the
GP - Case: eID in Estonia
10-2006, vs 1.0
13
client side, it provides a number of components — the most
important being the digital document format, which is key to
common digital signature implementation and practice.
SK based the DigiDoc document format on XML-DSIG standard. In
February 2002, ETSI published its extensions to XML-DSIG as ETSI
TS
101
903,
also
known
as
XAdES
(see
also
http://www.openxades.org). DigiDoc document format is a profile of
XAdES, containing a subset of its proposed extensions.
Based on the document format, a library was developed in C
language that binds together the following:
−
DigiDoc document format
−
SK's OCSP validation service
−
Interfacing with the user's ID card using Windows' native CSP
interface or cross platform PKCS#11.
Workflow description
The eID card is used for identification at the E-Citizen Portal. This
portal serves as a gateway to the services of approximately 20
different databases. Here, a person can check his or her data in
these various national databases and fill out application forms, sign
and send documents, and receive information about planned
electrical supply interruptions in the specific area. The DigiDoc
system described above is needed by citizens to start giving and
receiving digital signatures.
After identification at the E-Citizen Portal, services mainly of the
central public authorities like Benefits and Social Assistance,
Citizenship, Health Care or many others may be applied for (see
www.eesti.ee). The validity of the citizens' certificates will be
confirmed (OCSP) and a time-stamp given to the applications. Via a
common public, service rendering resource which connects the
national databases - the Internet X-Road - the application messages
are securely exchanged. More than 350 organisations already joined
this Internet-gateway.
GP - Case: eID in Estonia
10-2006, vs 1.0
14
Architecture of service delivery via eID in Finland
GP - Case: eID in Estonia
10-2006, vs 1.0
15
In 2004, The Parental Benefit Service was awarded for the best
government agencies cooperation solution.
Five information systems interact the data (real time).
−
Citizens' Portal
−
Register of Social Insurance Board
−
Population Register
−
Information system of Health Insurance Fund
−
Information system of Tax and Customs Office
Security and Privacy
The data protection question is not seen to be very relevant in the
context of Estonian ID card because there is very little private data
involved in the card issuing and further utilization process. There is a
broad Personal Data Protection Act in effect in Estonia which
regulates the use of personal data and databases containing
personal data by public authorities and private entities, and Estonian
Data Protection Inspection is the government body overseeing that
the requirements of the act are met and enforcing compliance if
necessary.
The certificates on the card are available publicly in a directory
service and contain only the card holder's name and personal ID
code, which are considered public data by law in Estonia. In addition,
e-mail addresses in authentication certificates are also available in
the directory. The directory contains only valid (active) certificates:
if a person suspends or revokes his/her certificate, it is also removed
from the directory and the data are no longer available.
GP - Case: eID in Estonia
10-2006, vs 1.0
Warranty of security
and privacy:
• Only little data is
saved on the ID card
• Estonian Data
Protection Inspection
controls that
requirements of the
Personal Data
Protection Act are met
• Personal ID code is
held publicly together
with card holder's
name and are
considered public data
by law in Estonia
16
The public data file is not published anywhere online. The personal
data on the card in visual and electronic format are accessible only
to those persons to whom the card holder physically presents the
card.
The general stance to ID card and data protection in Estonia is that
the card should contain as little private data as possible. Instead, the
data should be kept in databases at relevant authorities, and a
person can use the card as key (authorization method) to access his
or her data in the database.
Requests by third parties (e.g. representatives of authorities) for
private data are logged and logs are available online for the
individual upon request (via the citizen's portal). Thus such approach
presumes justified interest on behalf of authorities. An individual can
submit additional queries regarding the requests.
Warranty of security
and privacy:
• Card holder can
suspend or revoke
their electronic
certificate form the
card (for only "offline"
use of the card)
• Public data file is not
published anywhere
online
• Card is used as key to
access his/her data in
databases in public
authorities instead of
containing these data
Awareness and Marketing
Till now, the electronic usage of eID cards has been mostly the
realm of professionals and enthusiasts. This mainly due to:
-
the time required to change the mindset;
-
lack of inevitable applications (e.g. compared to free Internet
telephony);
-
initial technical glitches which discouraged some first-movers
and resulted in lack of hype for the ID card;
-
relative expensiveness of ID card readers (currently readers are
offered at more than three times cheaper price than some years
ago).
However, currently the card is used very actively as the token for
verification of a valid e-ticket in city public transport. One of the key
drivers behind a rapid and successful adoption of e-tickets is the
price difference between e-tickets and paper tickets.
The eID function of the bank card is currently much more often used
as that of the ID card. However, in order to strengthen the use of
the eID card instead of the bank card citizens as well as banks shall
be convinced by economic logic: As Internet use is affected by
viruses and other similar things updated security features and other
applications are permanently required in order to provide secure
services. This costs lots of money for the banks for services which
are not directly related to their own business. Also citizens need to
update their systems for these purposes which would not be the
case if they use the eID functionalities.
Currently, the Computer Security 2009 initiative has been launched
with the aim to ensure a more secure use of internet by application
of PKI products and services. E.g. internet banking transaction limits
which presume usage of higher security means (e.g. PKI tokens)
shall be decreased significantly. Also, new PKI products and services
are in production.
GP - Case: eID in Estonia
10-2006, vs 1.0
Awareness and
Marketing:
• Currently, the use of
the e-function for
identification is mostly
the realm of
enthusiasts
• However, card is
widely used as token
for verification of valid
e-tickets in public
transport
• e-tickets are cheaper
than paper ones and
force their use
• Increase of Internet
security envisaged by
development and use
of PKI products and
services
• As the use of the eID
card saves costs for
banks and also for
citizens in terms of
Internet security,
economic logic will
support the change
from using banking
cards to eID cards for
public service
applications
17
1.4
Features making it a candidate for good practice exchange
1.4.1
Impact
The Estonian eID roll-out is known to be one of the most successful
in Europe. It has been organised in a valuable public-private
partnership and there are already many applications working with it.
E.g. Estonian citizens can use it to buy e-tickets for public transport
and it allows drivers permit verification. Citizens can browse through
their information in the population register; they can digitally sign
documents or check their telephone bill. The card is also be used for
health insurance and banking purposes.
Outreach:
• > 950,000 residents
own an ID card, i.e.
almost full national
roll-out
• e-functions are active
by default and 2.5%
are using it
The first Estonian ID cards were issued in January 2002. In the first
year, more than 130,000 cards were issued, and the total figure up
to now (mid 2006) is more than 950,000; i.e. almost everybody has
one, considering that citizens under the age of 15 do not need one.
2.5% are users of the e-function of the ID-card in terms auf
identification and authorisation in public services.
Estonia has a PKI penetration of more than 67%. The reason for its
major success is that Estonia is a relative small country with almost
1.4 million residents.
The card is meant to be universal and its functions are to be used in
any form of business, governmental or private communications. It is
already helping people to make everyday communications more
convenient.
Although the ID card project is a success it took five years instead of
the originally expected 14 months to implement the infrastructure
and raise awareness and high uptake due to legislative and political
issues. Another challenge was to promote the use of the card and to
make people getting used to it.
Like in many cases the take-up of eGovernment service applications
based on the eID card was very slow due to the reasons mentioned
in the Awareness and Marketing chapter above.
With the DigiDoc library easy-to-use interfaces to the signature
relevant features are provided and there is no need for application
developers to know OCSP protocol specifics or DigiDoc (XAdES, XMLDSIG) format internals. It can be embedded in any application or on
top of it. A COM interface has been implemented, making it easy to
add DigiDoc support to any Windows based application supporting
COM technology. A Java implementation is also provided.
Despite these strengths, providing the libraries and formats was not
enough — because these do not add value to end users without real
applications. Although it is expected that DigiDoc support will
eventually be present in most Estonian document management
systems and Web sites dealing with documents, a number of sample
or reference applications were also provided. The parental benefit
service, the health care services or taxation services are good
GP - Case: eID in Estonia
10-2006, vs 1.0
Performance:
• DigiDoc support will
eventually be present
in most Estonian
document
management systems
and Web sites
• Easy to use function
as DigiDoc client is a
Windows application
• No need to install
stand-alone software
on user side as
functions are provided
via a web portal
• Libraries,
specifications, and
applications are
provided free of
charge to Estonian
public
18
examples in this regard. DigiDoc Client is a Windows® application
that lets users simply sign and verify documents, and DigiDoc portal
is an application that lets users do the same online — without the
need to install any stand-alone software. Both are based on the
same DigiDoc library and thus fully compatible e-signatures given in
Client can be verified in portal and vice versa. The libraries,
specifications and applications are provided to the Estonian public
free of charge, and it is expected that digital signature usage in
common life and everyday business and government practices will
grow significantly through 2003–2008. The first official digital
signatures in Estonia were given using DigiDoc Client on October 7,
2002.
1.4.2
Relevance of the case for other administrations that could learn from the experience
With the national eID card the Estonian government follows a
pragmatic and simplicity approach avoiding some of the contentious
aspects of ID cards in general:
−
ID cards do not contain any digital biometrics;
−
ID cards do not contain any roles or authorizations. Where such
is required these must be managed using some out-of-band
method;
−
The certificates are simple and only contain the holder's name
and personal code (national ID code);
−
There is not central aggregation of loads of user data as the card
is only the 'key' to user data stored in public authorities;
−
The certificates contain no restrictions of use: they are by nature
universal and meant to be used in any form of communications;
−
The use of the eID card is easy to understand for users as it only
contains two functions to be used with two different PIN codes,
one for digital signing and one for authentication;
−
Users may disable the electronic functions of the card in case
they have lost it or they have doubts or fears about using these
functions;
−
Users do only need card and card reader for using the system.
Innovativeness:
• Simplicity of the card
(no digital biometrics)
• Simplicity of the
certificates (only
contain name and ID
code)
• Simplicity of its use
(only two functions:
digital signature and
authentication)
• No restrictions in use
since certificates are
universal
• No central aggregation
of loads of user data
• Possibility to disable
the electronic
functions of the card
However, the use of a unique national ID code for identification still
bears some risks for abuse and privacy concerns are present. The
success of such applications is highly dependent on the trust users
have in the system including the legal regulations encompassing also
the control of its use. In addition, as an objective and a possible
killer application of the card is its multifunctional use, in particular in
the private sector, one has to consider whether it is appropriate that
these private sector organisations know the identity of their clients.
GP - Case: eID in Estonia
10-2006, vs 1.0
19
1.4.3
Transferability
Foreign Certificates
DSA regulates the recognition of foreign certificates, stating that in
order for them to be recognized equivalent to those issued by
Estonian CSP-s, they must be either confirmed by a registered CSP,
be explicitly compliant with DSA requirements or covered by an
international agreement.
DigiDoc and OpenXAdES
Estonia launced the OpenXAdES initiative which is, as the name
indicates, an open initiative where anyone is welcome to join.
OpenXAdES is a free software development project aiming at
profiling XAdES (XML Advanced Electronic Signatures), technical
standard
(TS
101
903)
published
by
ETSI
(European
Telecommunication Standards Institute). With digital signatures,
common understanding of the document format is critical as digital
signatures can't be converted. Open XAdES' mission is to
concentrate efforts on developing a common document format and
share implementations supporting this. With DigiDoc, a uniform
platform based on XAdES has been developed which has the
following important features:
−
Can be verified offline without any additional information;
−
Signature can be given to several original documents at the
same time;
−
Protection against format attacks – type of signed document is
also signed;
−
Original document can be in the container or stored separately;
−
Original document can be XML or any binary file (Word, Excel,
PDF, RTF etc);
−
Zero, one or more signatures per container;
−
One validity confirmation per signature.
Transferability:
• Foreign certificates
can be dealt with
when they are
confirmed by a CSP or
are compliant with
DSA requirements
covered by
international
agreement
• Launch of the Open
XAdES Initiative
aiming at commonly
(with other countries)
profiling XAdES which
is a standard
published by ETSI
• Agreement on IOP
between Estonia and
Finland
In
June
2003,
AS
Sertifitseerimiskeskus
and
Finnish
Väestörekisterikeskus (Population Register Centre, PRC) signed an
agreement for improving digital signature interoperability between
the countries, with the goal of making digital documents a reality
within and between Finland and Estonia. Estonia and Finland invite
other parties from other communities to join the project and thus
expand the network of "digital countries".
GP - Case: eID in Estonia
10-2006, vs 1.0
20
1.5
Results
The Government's objective is to reach one million ID cards issued
by 2007. Besides the use of the national ID card, Estonian residents
can also use their Internet banking identification data to access
online public services (more than 70% of Estonian residents use
Internet banking, the highest proportion in Europe).
The most important application for public services, - the e-Citizen
portal – can be used by both cards for authentication purposes. As
internet banking already started in 1995, citizens are more used to it
and tend to login to their bank and then go to the portal. E.g. many
people (65%) declared their tax online with bank codes but not
through the eID card. Hence authentication is currently not the killer
application for eIDs in Estonia though the main purpose of the eID
card is to authenticate its owner.
Benefits:
• Unique identification
throughout public and
private services
• Provision of secure email account and
unique e-mail address
• Possible encryption of
documents
• e-tickets for public
transportation is a big
success as it is used
110,000 times per day
Beside authentication, the card can also be used for secure e-mail.
The idea was to give a lifetime e-mail address to the citizens so the
authentication certificate contains an e-mail address. The e-mail
address provided by the government looks like the perfect
communication channel. Since it works voluntarily, and the citizen
has to login to the citizen portal and register the address, not
everyone does this.
The card can be also used for encryption of documents so that only
the person intended to view the document can decrypt it. This is a
very efficient means for secure transfer of documents using public
networks.
One of the most successful applications is the electronic ID-ticket
which can be used for travel in the public transport of Tallinn, Tartu
and Viimsi as well as in the county of Harjumaa. During year 2005,
passengers using this e-ticket service purchased a total of 975,263
electronic ID-tickets. Today, more than 110,000 persons use the ID
ticket system every day.
Another application is Internet voting piloted in 2005. As the
infrastructure was in place, it was desired to use it via the eID card.
I-voting was based on an envelope scheme. The citizen makes a
choice and the choice is then encrypted with the public key of the
whole system. Many international observers were present at its first
run. However, there were and still are some privacy concerns about
the I-voting and the buying of public transport ticket with the eID
card mentioned above. E.g. even if the personalisation of tickets
actually eliminates the risk of forgery (which is an issue with nonpersonalised paper tickets) the transport company knows the
identity of the person who bought the ticket. The success of these
applications is highly dependant on the trust users have in the
system. Of course one can always travel anonymously by buying a
paper ticket.
GP - Case: eID in Estonia
10-2006, vs 1.0
21
In May 2006, the largest banks and telecoms (SEB Eesti Ühispank,
Hansapank, Elion, EMT) as well as the Ministry of Economic Affairs
and Communications of Estonia signed a co-operation agreement to
launch a nationwide "Computer Protection 2009" initiative, pledging
to invest up to EEK 60 million to increase end-user PC protection and
awareness in Estonia.
The initiative aims at making Estonia a country with the most secure
information society in the world by year 2009. To this end, a number
of sub-projects have been launched, one of the priority fields being
the promotion of ID card-based authentication in the use of eservices. Thus PKI should become the main method of authentication
as well as transaction verification within the three years with a total
of ca 600,000 active users. Parallel to the existing ID card, mobile ID
will be launched by the beginning of 2007 enabling secure
authentication and digital signing using a mobile phone.
GP - Case: eID in Estonia
10-2006, vs 1.0
Future developments:
• Launch of the
nationwide "Computer
Protection 2009"
initiative in order to
making Estonia leader
in secure information
management
22
1.6
Learning points and conclusions
Critical success
factors for IOP:
Many lessons were learned while organising, developing,
implementing, and running eIDs in Estonia and are presented below.
As Estonia is a main driver in the OpenXAdES initiative and eID
adheres to this standard, many lessons can also be stated on a
rather general level which stem from the OpenXAdES group.
Digital signature is universal
Think of your handwritten signature. Whether you sign a paper as a
citizen, the CEO of your company, the head of some non-profit
hobby association or as a bank customer - the scribbling that you
draw on paper and that is called a signature always looks the same,
regardless of your role. Whether you were indeed authorized to sign
the document or did agree to its content or other such questions are
totally different matters, just as in the traditional world. Aim merely
at providing users a way of working with legally binding digital
signatures.
Document must be self-contained
No additional validation services should be needed for verification
after the signature has been created and saved. Documents should
contain the digital signature, original signed data and all other data
necessary for document verification. Using the data in the document
file, it is possible to firmly establish whether the digital signatures
are valid (whether the certificates were valid at the time of signing
etc).
Legislation is important
Since we are talking about legally binding signature, legal framework
for digital signatures is critical. Different countries have different
digital signature regulations and you should provide solutions which
are as flexible and universal as possible. OpenXAdES is such a
solution which fully complies with the Estonian digital signature
regulation, as well as the EU directive 1999/93/EC, regulating the
general use of digital signatures within the EU. There is also a
chance that OpenXAdES is already compliant also with the regulation
in your country.
• Aim merely at
providing users a way
of working with legally
binding digital
signatures
• Document must be
self-contained - no
additional validation
services should be
needed after the
signature has been
created
• The use of legally
binding signatures
requires a valuable
legal framework
• As different countries
have different legal
frameworks, provide
flexible and universal
solutions to be
connective with these
countries
Additionally, when talking about legislation, we cannot only
concentrate on strictly digital signature and PKI-related acts:
whether you can use digital signatures or not depends also on the
legislation of other generic areas of life, e.g. administrative
procedure, civil relations, court proceedings etc. A number of
European countries are at a disadvantage in this respect: although
digital signature law is in place, other laws foresee that documents
can only be used on paper. Estonia is in a good position because
many of the country's laws have recently been passed or updated to
GP - Case: eID in Estonia
10-2006, vs 1.0
23
reflect the vision described above: digital documents and paper
documents should be used interchangeably in everyday life in private
and business relations and should be considered equivalent in all
respects.
PKI hype is over, business value is important
It is no more the year 2000 where technology opened all the doors
(and buzzwords guaranteed immediate funding). Set the focus on
added business value to organizations and end users. This may
sound painful to some PKI enthusiasts: many PKI projects carried
out so far do not justify the costs made and do not add significant
value to anybody. Avoid this pitfall by trying to be as simple as barebones as possible, while adding considerable value to any business
process which uses legal documents. This ensures hat the business
requirements would take precedence and that the most appropriate
technology would be used to implement them.
Open standards and trust are critical for user confidence and
interoperability
Digital signatures and the whole PKI is based on trust and confidence
- implementers and end users need to be aware of what actions
cause what outcomes in the system, and that the system is really
doing what it claims to be doing. Open source and free software,
based on public standards enable that anyone can examine the
project and document internals if necessary. E.g. do not use any
heavyweight and cutting-edge time-stamping protocol for signature
timing and validation - instead, use lightweight and proven
standards such as OCSP.
Our main competitor is pen and paper
Remember that we are talking about giving signatures to
documents. This has been done the same way for many hundreds
and thousands of years. Telling people that it can also be done
differently is a very complex task and you are facing fierce
competition from traditional signing tools, pen and paper. If you
cannot explain the benefits of the new method to people and
organizations and do not credibly demonstrate that it is more cost
effective to them, you will fail and people will continue using paper
documents.
PKI business model must be based on certificates and
corporate services, not end-user services and transactions
This is a direct consequence of the above point: Understanding and
accepting the new system is already hard enough for people. If you
want to charge them lots for using the digital signature, they won't
ever use it. A place where persons can be charged is issuing a
certificate for them, but after that, it should be free, both the
services and the software.
GP - Case: eID in Estonia
10-2006, vs 1.0
Critical success
factors for IOP:
• Business requirements
should be the driver
not the most
sophisticated PKI
solution
• Base your project on
open standards to
enable trust in the
system
• Use open standards to
be prepared for
interoperability
• Demonstrate the
additional benefit by
using the new solution
in contrast to the
traditional way
• Base your business
model on certificates
and corporate services
in stead of end-user
services and
transactions
24
Critical success
factors for IOP:
Capitalize on already existing IT investment
Much of the infrastructure that is necessary for using digital
signatures is most often already in place. Most people and
businesses have access to PC-s and the Internet. Countries and
communities are starting to distribute universal national or regional
ID cards. Having an ID card and access to smartcard-reader
equipped PC should be the only thing a person needs for using the
digital signature.
The costs to businesses and end users should be limited
We do not need to construct complex expensive PKIs for each
different service: single PKIs, perhaps even on a national scale such
as in Estonia, are suitable for all purposes.
People should be able to understand digital signatures
Complexity has been the key inhibitor in successfully providing PKI
services to end users, and much of that complexity is due to the fact
that current services and products have been specific to one service
or organization only. People have to learn new approaches and new
interfaces for each communication pattern, and it is very frustrating.
Having a single certificate and PIN code for all digital signature
purposes is all that a person needs, and people can also understand
this, exactly as they can understand using ATM cards and mobile
phones.
Single tokens are more secure
When people have only a single token to look after, they know they
have to be very careful with it. If a single card carries the
authentication and digital signature functions such as in Estonia,
security-critical functions can be easily established and maintained,
such as a round-the-clock helpdesk for suspending card and
certificate validity in case of loss or theft. Problems associated with
outdated or insecure passwords are eliminated, as smartcard- and
certificate-based authentication gains momentum.
GP - Case: eID in Estonia
10-2006, vs 1.0
• Capitalize on already
existing IT
investments in to
protect investments
also on user side
• One unique PKI
system for all public
services would be
more beneficial than
having one for each
service
• Provide easy to
understand services in
order to drive their
dissemination
• Provide single tokens
as they are more
secure than having
different solutions
25
1.7
References and links
All URL's worked out on the last visit on 04.09.2006:
The Estonian ID card project information, including the newest version of their Whitepaper, is
available online at http://www.id.ee. Contact at [email protected].
Important papers which also build the basis of this case study are:
Cybertrust 2005: Managing Digital Identities and Signatures through Public/Private Partnership
(http://www.cybertrust.com/media/case_studies/cybertrust_cs_easton.pdf)
The Estonian ID Card and Digital Signature Concept. Principles and Solutions. Whitepaper.
Version: June 5, 2003 (http://www.id.ee/file.php?id=122)
Acts:
Digital Signature Act: http://www.esis.ee/ist2004/101.html or PDF:
(http://www.esis.ee/legislation/digital_signatures_act.pdf#search=%22digital%20signature%20ac
t%20estonia%22)
Personal Data Protection Act: http://www.esis.ee/ist2004/103.html
Further useful references and websites:
−
AS Sertifitseerimiskeskus: http://www.sk.ee
−
DigiDoc
Format
Specification.
Version
1.3.0,
12.05.2004
(http://www.id.ee/file.php?id=342#search=%22digiDoc%20format%20specification%22)
−
Modinis IDM 2006: National profile for eGovernment IDM initiatives in Estonia. In: D 3.5: IDM
Initiatives
Report.
(Estonian
example:
https://www.cosic.esat.kuleuven.be/modinisidm/twiki/bin/view.cgi/Main/EstonianProfile)
−
OpenXAdES group: http://www.openxades.org
−
Web Portal to generate and verify digital signatures: http://digidoc.sk.ee
−
E-Citizen Portal: http://www.eesti.ee
GP - Case: eID in Estonia
10-2006, vs 1.0
26
Annex 1: Assessment Questionnaire for the MODINIS Case
Descriptions
In order to ensure the case descriptions meet the information needs of stakeholders in
interoperability at the local and regional level, we ask you to complete this short assessment
questionnaire. Your feedback will be used to improve the next version of the present case and will
also be taken into consideration when writing up more cases to be described in the course of the
project.
Case being reviewed:……………………………………………………………………………………………………………………….…
1.) Information content
a) Completeness of description
1
5
|-----------|-----------|-----------|-----------|
only few
all
relevant
relevant
aspects
aspects
b) Detail of description
1
3
5
3
1
|-----------|-----------|-----------|-----------|
too
right
too many
general
level
details
2.) Length of description
1
3
5
3
1
|-----------|-----------|-----------|-----------|
too
right
too
short
length
long
3.) Structure / headings
1
5
|-----------|-----------|-----------|-----------|
unclear
clear
GP - Case: eID in Estonia
10-2006, vs 1.0
27
4.) Margins
1
3
5
|----------------------|-------------------- --|
misleading
not necessary
good
orientation
5.) Learning potential
1
5
|-----------|-----------|-----------|-----------|
none at all
many new insights
6.) Usefulness for your own work
1
5
|-----------|-----------|-----------|-----------|
not at all
very much
7.) Transferability of case to your country
1
5
|-----------|-----------|-----------|-----------|
not at all
very high
8.) Will you get into contact with the contact person?
1
5
|-----------|-----------|-----------|-----------|
certainly
for sure
not
Comments
______________________________________________________________________________
______________________________________________________________________________
Your affiliation
local/regional
government
GP - Case: eID in Estonia
national
government
IT
business
10-2006, vs 1.0
academia
28
Prepared by:
Ralf Cimander and Herbert Kubicek
Institut für Informationsmanagement Bremen GmbH (ifib)
Am Fallturm 1, D-28359 Bremen, Germany
www.ifib.de
Tel.: (+49 421) 218 26 74, Fax: (+49 421) 218 48 94, email: [email protected]
http://www.ifib.de/egov-interoperability
European Institute of Public Administration (EIPA)
Center for Research and Technology Hellas / Institute of Informatics and Telematics
(CERTH/ITI)
Prepared for:
European Commission
Information Society and Media Directorate-General
eGovernment Unit
Tel
Fax
(32-2) 299 02 45
(32-2) 299 41 14
E-mail
[email protected]
Website europa.eu.int/egovernment_research
IDIS (2010) 3:213–233
DOI 10.1007/s12394-010-0044-0
Electronic identity management in Estonia
between market and state governance
Tarvi Martens
Received: 22 October 2009 / Accepted: 4 February 2010 / Published online: 9 March 2010
# The Author(s) 2010. This article is published with open access at Springerlink.com
Abstract The present paper summarizes the development of the national electronic
Identity Management System (eIDMS) in Estonia according to a conceptual
framework developed in an European comparative research project outlined in the
first chapter of this special issue. Its main function is to amend the picture of the
European eIDMS landscape by presenting a case with high involvement of the private
sector and thereby checking the generalizations from the comparisons of Austria,
Belgium, Germany and Spain, presented by Kubicek and Noack in the previous
chapter of this special issue. Starting with a short introduction into the historical
background of identity documents in Estonia the national population register, the
passport as well as the bank ID are described as the main pillars of the Estonian
eIDMS, on which the national ID card builds on, which has been introduced in 2002.
The technical features of the eID and the ID card are described in Section two as well
as the areas of application and the processes for production and distribution. Section
three presents the actors constellation, Section four the time line of the development
process, starting from 1997. Section five deals with the diffusion and promotion of the
ID card and the eID authentication function. After a very low and slow take up during
the first 5 years due to a cooperation agreement between major banks, telecom
operators and the government usage has increased. But still the authentication by
Internet banks, which provides authentication services to third parties, including
government, is the biggest competitor for the eID function on the national eID card.
Only recently the major banks have announced to slowly fade out the password cards
and PIN calculators as alternative modes of bank authentication.
Keywords Estonia . Digital signature . Electronic identity
This report is based on official documents and the personal experience of the author. It has been compiled
under contract with the Institute for information management Bremen, funded by Volkswagen Foundation,
Germany
T. Martens (*)
Certification Centre, Pärnu Ave. 141, 11314 Tallinn, Estonia
e-mail: [email protected]
214
T. Martens
Historical background of identity documents in Estonia
The present structure of the national identity management in Estonia has been
established in 1992 after the full independence from the Soviet Union. Under the
Soviet regime, Estonian SSR had the same identity document system as the rest of
USSR had i.e. paper passports and other paper identity documents.
In the new system the central agency is the Citizenship and Migration Board
(CMB1), a state authority under the Ministry of the Interior. It runs the national
population register, administers the national Personal Identification Code and issues
identity documents, since 1992 a passport and since 2002 an ID card, including an
eID-function. However, the most popular method for online authentication for ecommerce and e-government was and still is via the Bank ID, which has been
introduced in Estonia 1996 for Internet banking.
The national population register and the personal identification code
The national Population Register is a central database for the performance of
functions of the state and local governments established by the Population Register
Act regulating the registration of the population, the maintenance of the records and
the rights and obligations of citizens and public authorities.2 It contains the personal
data of the citizens, data of all identity documents and vital events certificates. The
registry includes the following personal data: names, sex, date of birth, place of
birth, citizenship, residence permit, place of residence and marital status and the
Personal Identification Code (PIC).
PIC is the core element of the identity system in Estonia. It is a unique number
assigned to every Estonian citizen and resident. The legal basis for assigning and
using the PIC was established in 1992. The 11-digit PIN consists of:
&
&
&
&
gender/century of the birth digit (one digit for two attributes)
date of birth digits (YY+MM+DD)
three random digits
one checksum digit
All certificates of widely accepted eID-s in Estonia (ID-card and Mobile-ID)
contain the PIC. It is used as a primary key in the majority of databases containing
personal information both in the public and private sector. Therefore service
providers can easily link eID-authenticated users with their personal data. Moreover,
digitally signed files contain a certificate of the signatory including the PIC and
thereby allowing for a definite identification of the signatory.
The data entered in the Population Register is the basis for other databases
of the state and local government authorities. The population registry is also
issuing the PIC to other state authorities who have to document a person for
1
2
As of 01.01.2010 CMB is a part of Police- and Border Guard Board, see http://www.politsei.ee/en/.
Population Register Act (2005), in English: http://www.legaltext.ee/et/andmebaas/ava.asp?m=022.
Electronic identity management in Estonia
215
the first time (usually by birth or issuance of the residence permit or the right
of the residence).3 The data is collected and entered by different state and local
government authorities, natural and legal persons. Persons and authorities can
submit data to the population register online or by forwarding data through a data
communication network.
The passport
First passports in Estonia were issued in 1992 by the Citizenship and Migration
Board (CMB). The CMB issues passports for Estonian citizens and aliens, temporary
travel documents, seafarers’ discharge books, certificates of record of service on
ships and refugees’ travel documents. For 10 years the passport was the only
national ID document.
Bank ID
In 1996 Estonian banks started Internet banking and introduced two methods for
online authentication, which are still offered today:
–
–
Password cards containing 24 one time passwords are issued personally to the
customer in his bank,
PIN calculators are off-line card readers with a keypad. At log in the customer
receives a code number on his screen, enters his bank card and this number and
the calculator generates a new one time PIN which the customer enters online.
PIN calculators were introduced in the beginning of 90’s.
Until 2002 the only and today still the most popular method for online authentication
is to use the Bank ID authentication modes. In contrast to many other European
countries Internet bank authentication is not only used for online banking but is a
service, which the five major banks are providing to third parties. It started back in 1996
and today covers almost 100% of the people between 16 and 74. It is simple to use, as
no special hardware or software is needed: the user logs into the Internet bank, using the
appropriate method, selects “external e-service”, user’s PIC is securely communicated
to the e-service and the user continues work with selected e-service.
Since 2002 the ID card based eID is offered as a third option. Considering the
number of cards issued the password cards and ID cards are almost equal:
&
&
&
around one million password cards (with 24 codes) have been issued,
estimated 50,000 PIN-calculators are in use,
since 2002 over one million ID-cards have been issued.
But looking at the use for online authentication, the password-based authentication with estimated 80% still is the mostly used method today. It is considered
relatively secure as these password cards are issued personally in the bank office.
Trustworthiness of banks is generally considered as good. Therefore it is not
3
The use of the registry is regulated in the Personal Data Protection Act (English: http://www.legaltext.ee/
text/en/X70030.htm.
216
T. Martens
surprising that several eGovernment services like eTaxation and Citizen Portal make
use of the bank authentication.
The eID and the ID-card
Considering that the first generation of passports had to be renewed in 2002, the
Government had an historical chance to introduce a new type of identity document.
It was obvious that lot of people will come for a new passport starting from 2002 as
in 1992 people tried to get an Estonian passport as soon as possible.
The idea for a second ID-document emerged in 1997 in the form of a national ID
card, which could carry an eID and certificates for electronic signatures. It has been
launched in 2002 and roll out has been finished in 2006. It is obligatory. Every
citizen older than 15 years has to hold such an ID card. Estonia has about 1.3 million
inhabitants, and there are about 1 to 1.1 million cards active. The legal basis is the
Identity Documents Act of 2004.4 In addition to the eID on the national ID card in
2007 a mobile eID has been introduced.
The national ID card
Compared to the systems in Austria, Belgium, Germany and Spain as described by
Kubicek and Noack in this special issue the Estonian ID card and eID is quite similar
to the Belgian one (see Table 1).
The ID card contains the holder’s surname, given names, sex, citizenship, date of
birth, place of birth, personal identification code (PIC), a photo, a signature, the date
of issue and date of expiry, and a document number. For resident aliens with valid
papers, the ID card also contains residence and work permit or right of residence
data. In addition to many security features, the card has a machine-readable code
(Figs. 1 and 2).
The Estonian ID-card contains a data file, which is unprotected and includes the
same personal data that is visibly printed on the card—most notably name and PIC
of the cardholder. This allows for quick retrieval of personal data when the card is
inserted into a terminal/smartcard reader, e.g. when using the ID card as a loyalty
card, as an entrance card to libraries, sport clubs etc. or for quick registration to an
event or for entering premises.
The ID1-shaped card is based on PKI technology and contains two certificates:
one for authentication, and one for electronic signatures, both of them considered as
qualified. Each private key is dependent on the use of a different PIN-code. The
certificates contain name(s), surname(s), PIC (containing gender and date of birth)
and a government-assigned e-mail address in the authentication certificate. There is
no electronically usable biometric information on the card. The use of the certificates
is regulated in the Digital Signature Act.5
Initially ID-cards were issued for a lifetime of 10 years with certificate validity of
3 years. Renewal of certificates is without charge for end users and the process can
4
5
http://www.legaltext.ee/text/en/X30039K10.htm.
http://www.legaltext.ee/text/en/X30081K4.htm.
Electronic identity management in Estonia
217
Table 1 The Estonian eID and eID card in comparison with other European systems
AT
BE
GE
ES
EE
carrier card
identical with national ID-card
–
X
X
X
X
card character
obligatory / age
–
> 12
>16
>14
>15
card function
Authentication (online)
X
X*
X**
X
X*
Authentication (visual)
X***
X
X
X
X
e-signature
X
X*
X**
X
X*
Data on card
and chip
contact/contactless chip
Contact
Contact
RFID
Contact
Contact
* opt out,
** opt in,
*** depending
of used Card
visual data:
• address
X***
–
X
X
–
• owners photograph
X***
X
X
X
X
national register number
–
X
–
X
X
PIN-protected identity data
–
–
X
–
–
PIN-protected authentication data
X
X
X
X
X
Biometrics face fingerprints
–
–
X
X
–
–
–
X**
X
–
be performed over the Internet. From January 2006 both certificates and the card
have a lifetime of 5 years.
Mobile-ID
In addition to th eID on the national ID card in May 2007 a Mobile-ID was
introduced to Estonian market by the largest mobile operator EMT in co-operation
with SK, the Estonian Certification Authority. In order to get a Mobile-ID, the user
needs to replace his SIM-card by a PKI-capable one. As the registration process is
performed by the mobile operator, it is not considered trustworthy enough. Therefore
the user needs to “activate” his/her Mobile-ID with his ID-card. Thereby issuance of
the Mobile-ID is bound to the security and quality of the ID-card. Mobile-ID
certificates contain the same personal information on the subject.
Mobile-ID provides certain advantages for the end user compared to the ID-card:
the user does not need a smartcard reader nor any specific software. Currently the
Mobile-ID is available from one mobile operator only and the number of active users
is below 100, 00. Two other main mobile operators (Elisa, Tele2) launched their
Mobile-ID service in December 2009.
Applications of the ID card
Besides many online services there are two remarkable applications to be mentioned
separately:
&
ID-ticketing: Over 120,000 users are carrying the ID-card every day to prove
their entitlement to travel in public transportation in Tartu, Tallinn and
218
T. Martens
Fig. 1 Estonian ID card—front cover
&
surroundings (Harjumaa county). Tickets for one to two hours, or for one, three,
ten, thirty or ninety days can be obtained using the internet, mobile or landline
phone, or paying cash in more than 80 sales points. Checking officers are
carrying GPRS-enabled handheld terminals for quick and automatic entitlement
checking.
Partial replacement of driver’s documents: Almost all traffic police cars are
equipped with devices for querying information from the drivers license database,
car insurance and car registry. When a car driver has his ID-card with him, it would
allow checking the identity and retrieving all other relevant information.
All main web-based applications requiring strong user authentication make use of
the ID-card both in public and private sector. Most sites supporting ID-card login
also support Mobile-ID. Authentication is using standard TLS/SSL protocol. This
implies that the service provider receives the complete certificate of the user
including the PIC.
In public sector the most notable service is the Citizen Portal,6 which links the
majority of public services via a single point of entrance. Another important service
is provided by the Estonian Tax and Customs Board7 allowing tax declarations
online for natural persons as well as for companies. While most government
applications offer Bank ID authentication option as well, this is not the case in the
6
7
http://www.eesti.ee/.
http://www.emta.ee/.
Electronic identity management in Estonia
219
Fig. 2 Estonian ID card—back cover
eHealth field. The Health Information System8 does not accept Bank ID
authentication because of the higher security level demands, instead authentication
is only possible by the national eID.
The ID-card is also an enabler of Internet voting (I-voting), which in Estonia is an
official method of voting and produces binding results.9 It was introduced in 2005
for elections of local governments and repeated in 2007 for elections of the national
Parliament. I-voting is a major application for engaging new ID-card users: up to
40% of I-voters in 2007 were first-time users of the eID function. In 2009, I-voting
was enabled in two elections (European Parliament and Local Elections) and the
number of I-voters finally broke barrier of 100,000 which makes I-voting share more
than 15% of all voters. For full statistics please refer to National Electoral
Committee.10
One of the most popular e-services accessible with the eID is e-school,11 an easyto-use student information system, connecting parents, students, teachers and school
administrators over the Internet, making school information accessible from home
and decreasing the work routine of teachers and school management.
8
http://www.digilugu.ee.
http://www.valimised.ee/.
10
http://www.vvk.ee/index.php?id=11178.
11
http://www.ekool.ee/.
9
220
T. Martens
Internet banking12 is the most popular e-service in the private sector, although
logging in with an ID-card is not the most popular option. In the financial sector, the
Estonian Central Securities Register13 and Pension Register14 also make use of IDcard authentication. Telecom companies (for example: Elion, EMT, Tele2) and utility
companies (water, gas and electricity) make use of the ID-card authentication in their
self-service environments. A list of sites accepting ID-card authentication can be
found on http://id.ee/?id=10953.
Digital signatures with eID
One of the main reasons for introducing the ID-card was to implement the Digital
Signature Act and provide means for digital signing for Estonian residents. Free
tools for end-users and system integrators were released back in 2002 and are still
evolving. As a result, Estonians are sharing a common understanding of digitally
signed documents in file form, fully standardized and widely accepted by
everyone, including courts. A piece of software called “DigiDoc Client”, allowing
for digital signature creation and verification, comes with a package of the IDcard software and therefore can be installed on every computer with a smartcard
reader attached.
This development has resulted in massive use of digital signing as digital
signatures created with those tools are legally equivalent to a hand-written signature.
There are cases in the law where digital signatures are considered even to be stronger
than handwritten ones—e.g. in the establishment of companies.15 Digital signatures
are massively pushed by Internet banks as all transactions are required to be signed
digitally (in case the user logged in with his ID-card or Mobile-ID).
Authority to access the eID
The personal data on the ID card—data file and certificates—are available to every
card terminal as they are not PIN-protected. The authentication certificate is
available to Service Providers after successful ID-card login. The digital signature
certificate is available in the digitally signed document to everyone who sees the
document. As a result, the citizens’ PIC in the data file or in certificates is made
available with every electronic use of the ID-card. Furthermore, the PIC is used as a
key in almost every database—both in the private and public sector. The question of
cross-use of different registries and databases is a legal matter covered by the
Personal Data Protection Act16 and controlled by Data Protection Agency.17 Crossuse of databases is generally allowed only if granted on application.
12
http://www.hansa.ee, http://www.seb.ee, http://www.sampo.ee, http://www.krediidipank.ee, http://www.
sbmbank.ee, http://www.rahanet.ee.
13
https://www.e-register.ee/.
14
https://register.pensionikeskus.ee/public/authorization.jsp.
15
https://ettevotjaportaal.rik.ee/index.py?chlang=eng.
16
http://www.legaltext.ee/text/en/X70030.htm.
17
http://www.aki.ee/eng/.
Electronic identity management in Estonia
221
Production and distribution of the ID card and the eID
The eID card is issued by the Citizenship and Migration Bureau (CMB). The
Database of the CMB is communicating heavily with the Population Register (see
above) so that the integrity of identity management is ensured. All changes in the
Population Register (i.e. death of a person, change of name etc.) are communicated to CMB through the Population Register. In those cases CMB
invalidates the ID-card and issues a request for certificate revocation which is
carried out automatically.
CMB cooperates with private sector suppliers in the issuance process of the
ID-card. CMB receives an application from the resident (by post or in person)
and decides upon issuance and data on the card. Personalization and certification
services are outsourced to private companies as illustrated in the following
Fig. 3.
Personalization of the ID card is carried out by TRÜB Baltic AS, which requests
certificates from AS Sertifitseerimiskeskus (Certification Centre, SK). The latter also
provides after-service (PIN renewal, certificate renewal etc) though the bank offices
(Swedbank and SEB) operating as Registration Authorities. There is currently just
one CA in Estonia (SK).
Fig. 3 Production and distribution of the Estonian eID
222
T. Martens
Actor constellation
Main actors
On the political level there are two major ministries in Estonia involved in the eID
development:
–
–
The Ministry of the Interior (MoI) is supervising the Citizenship and Migration
Bureau18 (CMB), directly responsible for issuance and maintenance of identification documents and for maintaining (electronic) identities of residents at large.
The Ministry of Economic Affairs and Communications (MEAC) includes the
Department of State Information Systems (RISO) which is responsible for the
general ICT coordination in the public sector. The tasks of the department
include the coordination of state IT-policy actions and development plans in the
field of state administrative information systems. Furthermore the Estonian
Informatics Centre (EIC), a subdivision of the MEAC, is responsible for
implementation of the policies set by RISO.
State register of certificates functioning under MEAC is a supervision body for
certification and time-stamping service providers. As the number of this kind of
service providers is very low (one CSP and 2 TSP-s) the Register has been quite
inactive functioning as a mere registrar just receiving compulsory yearly audit
reports from service providers and filing them.
An eIdentity Working Group had been established under the auspices of MEAC
consisting of different stakeholders from the public and private sector. The group
held meetings on-demand basis addressing actual issues around the eID topics. The
group is supposed to advice the Minister but in reality functions as a roundtable for
exchanging information and ideas.
Private sector is playing a significant role in the Estonian eIDMS. ID-card
manufacturing and personalization is outsourced to TRÜB Baltic AG and certification
and validation services are provided by privately held AS Sertifitseerimiskeskus (SK).
The latter functions also as an excellence centre for electronic usage of the ID-card
providing software, including a digital signature software framework, end-user
support as well as support and services to Service Providers making use of the ID-card.
SK is owned by the “big four” of Estonian economy—two of the biggest banks
(Swedbank and SEB bank) and the two big telecom operators (Elion and EMT). This
set-up allows SK to act as a unique roundtable bringing together public sector,
telecom and banking sector. This is definitely one reason for having established the
ID-card as a preferred eID token across all sectors and a reason for the absence of
alternative strong eID tokens (besides Mobile-ID which is seen more like a tool
complementary to the ID-card). This set-up has also facilitated the broad-bottomed
introduction of digital signatures.
By definition the Department of State Information Systems and its executive branch
EIC are responsible for the implementation of the Digital Signature Act, including
software for digital signing. Lack of activities from these parties forced SK and its
18
http://www.mig.ee/index.php/mg/eng.
Electronic identity management in Estonia
223
owners to take over this role. As a result, SK has been filling the gap for 7 years now in
this area. With money from the European structural funds EIC finally announced a
tender for ID-card software in 2008, which shall be available late in beginning of 2010.
Actors and relations around eID in Estonia are illustrated in Fig. 4:
Importance of policy fields
Although the main reason for introducing the ID card with an eID was the provision
of electronic signatures, the design of the system included authentication
functionality. CMB under the authority of the Ministry of the Interior played the
main role through out the introduction phase of the ID-card and made most of the
decisions regarding the ID-card functionality (sometimes with help of the established
working groups). The card is and will always be “CMB-issued” i.e. coming from
Ministry of Interior. Although the card contains a certificate for a digital signature,
CMB is not supporting this field by any software or any other initiative.
With regard to the importance and the influence of different policy field according
to the categories applied by Kubicek and Noack in their comparison of Austria,
Belgium, Germany and Spain we may conclude that the Estonian picture is quite
similar to the German and Spanish one, although the outcome is quite different and
more like the Belgian system (Table 2).
Timeline of the development process
As mentioned above, preparations for a “new generation identity document” started
at CMB in 1997. Several working groups were formed with representatives from the
Fig. 4 Actors in the Estonian eID development
224
T. Martens
Table 2 Actors and their importance and influence in the eID development process
Actors and their importance and influence in the process (1=low, 3=high)
Actors / Policy Fields
GER
AUT
ESP
BEL
EE
Interior/Police
3
1
3
1
3
Public Admistration
2
3
2
3
2
Industry/Commmerce
1
1
2
1
2
Finance
1
1
1
1
1
Social/Health
1
2
1
2
1
Chancellery/Cabinet
1
3
2
1
1..2a
a
the one-time remarkable role of the Cabinet was the very first decision to introduce ID-card with full eID
functionality to everyone
public sector and private sector. Preliminary studies concluded that eID technologies
had developed far enough to allow application on a nationwide scale and that there is
a demand in society for electronic ID-cards, particularly in connection with digital
signatures.The following process can be divided in four additional phases: legal
provisions, organizational and technical preparations, roll-out and up-take (see
bottom line, Fig. 5).
The “legal phase” took longer than anticipated as topics of electronic identity and
digital signatures were uncommon at the time: The working group preparing a draft
of the Digital Signature Act started working in 1997 and took almost 3 years to
finish the job.
The “preparation phase” saw the formation of two new companies in 2001,
primarily for the sake of participating in the ID-card project: the establishment of AS
Sertifitseerimiskeskus (by the two largest banks and two large telecom companies) and
the creation of a Baltic subsidiary of Swiss-based company TRÜB AG. The decision
for delivering chip- and certificate-equipped ID-card to everyone, however, was made
in the last minute by the falling government under Prime Minister Mart Laar in
October 2001. That decision, initated by Mr. Linnar Viik, advisory to Prime Minister
on ICT matters played a crucial role in the success story of Estonian ID-card.
The first card was issued January 28th, 2002 to the President of Republic of
Estonia. The milestone of 1 million cards was surpassed in October 2006 and from
this time on the number of active cards has remained between 1.0 and 1.1 million.
During the roll-out phase several software releases have been issued in order to make
usage of the ID-card easy and comprehensive, including wide distribution of digital
signing software. Relatively low uptake of electronic usage of the ID-card became an
issue in 2006, resulting in a new program “Computer Security 2009” (CS 2009)
addressed in the next section.
Compared to Austria, Belgium, Germany and Spain the development process
took 5 years until the first card was issued and thus is rather short as in Austria and
Belgium, without the delays that occurred in Germany and Spain (see Kubicek and
Noack in this issue. Considering the generalizations derived from the four other
countries, we may confirm for Estonia that the rather straight development process
was due to a smooth cooperation of the two ministries via the working groups and
Electronic identity management in Estonia
225
Fig. 5 Time line and most important events in the development process
that with regard to important decisions the Prime Minister and his advisor formed a
successful couple of a power and an expert promoter.
Although these decision had been taken by a fallen government, change in
governments did not hinder steady introduction of the ID-card in the way it was
agreed at first. Thus the generalisation also applies also to Estonia: Changes in
government offices due to elections during the development process did not
influence the design and dissemination of the eID function.
With regard to the influence of industry we have to consider that there is no
Estonian chip industry that might have tried to be involved. However the telecom
and banking branches successfully have offered their services and influenced the
eIDMS. This is quite different from the four countries compared by Kubicek and
Noack in this issue, and much more like the Swedish case described by Aklund in
the following paper. Banks were involved from the beginning and became part of the
eIDMS via their shareholder role with SK. On one side the eID is in competition
with their previous authentication by password cards. But on the other hand they
have an interest in an additional system with qualified certificates and stronger
authentication as well. Thus it was better for them to join and gain some control over
the competitor.
Diffusion and promotion
Although the public perception was not positive after the launch of ID-card, it has
been rapidly changing into more positive direction. The lack of applications,
226
T. Martens
unawareness and news about outrageous investment of 20 million EURO into the
project raised a lot of criticism in the public. No one seemed to take care of ID-cardenabled applications and usage in 2002. Although the MEAC was in charge of that
by the book, they did not take this role at the time.
Significant breakthrough came with a decision of SK to enter the ID-card usage
business. SK developed and launched the digital signing system DigiDoc at the end
of 2002 and started systematical work in areas of public promotion and support for
application developers and service providers. The reason for entering this business
was quite straightforward: SK was in charge of selling certificates; in case no one
would use them SK would have to go out of business. In addition SK was backed by
powerful industry players, including banks which are No.1 e-service providers
making use of ID-card authentication and digital signing. This unique setup of
private and public cooperation with strong players enabled to build a uniform
platform. But it was extremely hard to achieve this status as there were attempts
challenge it. In 2002 AS Cybernetica (www.cyber.ee) launched an alternative digital
signing tool/system and tried to compete with DigiDoc via local Estonian
standardization. This attempt was not successful and named standards were replaced
by a DigiDoc-style standard in 2008.
Strong commitment from the private sector has definitely been the key for the
successful uptake of the ID-card. E-services by private sector (e.g. Internet banking)
are massively more heavily used than public sector e-services. It is obvious that
without private sector involvement there will be no incentive to make ID-card
holders overcome the barrier of smartcard reader acquirement and usage learning
curve. Lately, MEAC and EIC have woken up and are making significant
contributions to the ID-card uptake by procurement of a new generation software
for the ID-card and supporting the Computer Security 2009 initiative by a number of
promotional and educational programs.
Computer Security 2009 is an initiative by major banks, telecom companies and the
Government, who signed a co-operation agreement on May 2006.19 This initiative
addresses general IT-security topics for end-users (firewalls, anti-virus etc.) but with
high emphasis on a transition to PKI-based authentication methods, including
&
&
&
&
promotion and widened support of the ID-card and Mobile-ID,
increasing availability and affordability of smartcard readers,
introduction of alternative PKI-based authentication systems like Mobile-ID and
alternative eID cards,
significant increase of the user base of PKI-based authentication systems in
3 years (from 27,000 to 300,000 by the end of 2009 (Fig. 6).
The Computer Security 2009 initiative has notably accelerated growth of ID-card
users. An “ID-card user” in these figures is defined as a cardholder making use of
certificates, for e-authentication or digital signatures. As every electronic usage of
the ID-card involves a certificate validation from SK’s OCSP responder, the numbers
are draws from the statistics of the OCSP responder usage. Number of ID-card eID
functionality users reached almost 300,000 by the end of 2009.
19
http://www.sk.ee/pages.php/02030201,1107.
Electronic identity management in Estonia
227
350000
300000
250000
200000
150000
100000
50000
20
02
VII
I
20
02
XII
20
03
IV
20
03
VII
I
20
03
XII
20
04
IV
20
04
VII
I
20
04
XII
20
05
IV
20
05
VII
I
20
05
XII
20
06
IV
20
06
VII
I
20
06
XII
20
07
IV
20
07
VII
I
20
07
XII
20
08
IV
20
08
VII
I
20
08
XII
20
09
IV
20
09
VII
I
20
09
XII
0
Fig. 6 Development of eID card users
The authentication by Internet banks is another significant factor to be considered
when assessing usage of the ID-card as banks providing authentication services to
third parties. The following graphs illustrate the growth of ID-card usage during
1 year with the two largest Internet banks (Figs. 7 and 8):
The most popular e-government service is tax declaration. In addition to ID-card
and Mobile-ID authentication, the e-tax board allows login via Internet banks and
100%
13.74%
13.21%
77.40%
68.90%
8.37%
13.63%
90%
80%
70%
60%
50%
40%
30%
20%
10%
0%
May 2008
ID-card Mobile-ID
Fig. 7 Online authentication at SEB Bank
June 2009
Password card PIN-calculator
228
T. Martens
100%
14.15%
15.51%
79.48%
73.58%
5.95%
10.24%
90%
80%
70%
60%
50%
40%
30%
20%
10%
0%
May 2008
ID-card
Mobile-ID
June 2009
Password card
PIN-calculator
Fig. 8 Online authentication at Swedbank
also delivers its own password cards. Usage of PKI-based authentication methods,
however, has been increased almost five-fold over past 2 years:
The most popular e-government service is tax declaration. In addition to ID-card
and Mobile-ID authentication, the e-tax board allows login via Internet banks and
also delivers it’s own password cards. Usage of PKI-based authentication methods,
however, has been increased almost five-fold over past 2 years (Fig. 9).
Until today we find a similar pattern as reported by Kubicek and Noack in this
issue for Belgium, Austria, and Spain: As long as other modes of authentication are
accepted by the tax office, the share of the eID is rather low (Table 3). But as in
Belgium it is growing.
20%
18%
16%
14%
12%
10%
8%
6%
4%
2%
0%
2007-02
2007-06
2007-10
2008-02
2008-06
Fig. 9 Usage of ID-Card and Mobile-ID in the E-tax Board
2008-10
2009-02
2009-06
Electronic identity management in Estonia
229
Table 3 The share of eID authentication in online tax services
BE
ES
AT
EE
State of rollout
early in 2009
9.3 million, 90%
of the Belgians
entitled to an
ID card
3 million, 10% of
the Spaniards
entitled to ID
card
8.4 million
e-Cards, 100%
of all citizens
1.1 million
active cards,
roll-out
complete
eID function
activated
7.5 million
(80%)
not necessary
approx. 74000,
0,9% thereof
approx. 20000
office ID cards
Around 50%,
the rest have
expired
certificates.
Use rate for
electronic
income tax
2008: 24%
2009: 56%
21%
25.7%
87%
eID use rate for
income tax
(% of the
electronic
applications)
2008: 3.6% 2009:
14,2% (half of
them with the
help of civil
servants in the
tax office)
2008: 0.1%
2008: 0.7%
6% (yearly
average)
The authentication by banks was and still is the biggest enemy of the eID based
authentication. But in Estonia, several measures are employed to make users
favouring the eID-based authentication:
&
&
&
All banks have continuously lowered the maximum money transfer sum when
authenticating with password cards. This sum is currently € 200/day.
A number of e-services advertise ID-card and Mobile-ID based authentication
over “bank authentication” by displaying informational banners and requiring
users to make an extra step for bank authentication.20
Few services like e-health, Internet voting and digital signing can be used
exclusively with the ID-card or Mobile-ID only.
Promotion and stimulation of applications
SK has been the center of eID support, promotion and excellence from the very
launch of the ID-card. SK operates a 24/4 phone support (short number: 1777)
initially designated for certificate suspension only but providing full end-user
support nowadays. A website www.id.ee contains comprehensive information for
end-users and developers on a wide range of eID topics. This includes self-training
application, problem solver, massive amount of well-structure information etc.
The ID-card software is available as of 2003 from https://installer.id.ee. The
Installer is an intelligent application which analyses configuration of the computer
(including attached smart-card reader if any) and installs all essential software with
one-click button. The user can enjoy animation on topics of ID-card usage whilst the
software is being installed. Essential software covers smart-card reader drivers for
20
See for example e-tax board http://www.emta.ee/?Id=12223.
230
T. Martens
more than twenty readers, middleware for the ID-card, web plug-ins for web-based
signing, service certificates, card management utility and DigiDoc Client for digital
signing and digital signature verification in the desktop environment. The latter has a
self-update functionality in order to drive people to update the software when
important updates are available.
Smartcard reader distribution problems were first tackled in 2003 after launching
the Installer mentioned before. At that time a €20 package was made available in
Elion stores (a fixed-line telecom giant) containing smartcard reader, manual and CD
with installation software which contained the same software as was available from
the website, This package was not entirely successful as the software in the printed
CD tended to outdate rapidly and the price margin was above expectations of the
average consumer (Figs. 10 and 11).
The second wave of smartcard reader distribution was started in 2007 after a bulk
deal with smartcard reader vendor Omnikey. This allowed bringing USB smartcard
readers at a price around €6 in the retail market. According to the deal, selected
alternative models like one with PIN-pad and one PCMCIA reader are also available
with above-the-average price mark. These readers are available from a number of
competing retail channels. This low price has inspired a number of campaigns such
as banks giving out free readers for selected customers, political party distributing
readers for free in order to promote Internet voting etc.
Most of the measures for helping the uptake have been carried out under the
“Computer Security 2009” program described above. Currently a number of
educational programs are running in order to bring more (especially elderly) people
to Internet and use of ID-card such as a moving ID-bus, stands in shopping malls,
courses for beginners, advanced courses and courses for “mentors” in local
Fig. 10 €20 ID-card Starter Kit from 2003
Electronic identity management in Estonia
231
Fig. 11 €6 Omnikey smart card reader
communities. The program is expecting to bring some 100,000 more Internet and
ID-card users during 1 year by summer 2010.
The Estonian case in comparison
Path dependency
Comparing the Estonian case with the developments in Austria, Belgium, Germany
and Spain and considering the main hypothesis related to the threefold path
dependency formulated by Kubicek and Noack in this issue, for the Estonian eID we
may state a only a medium degree of path dependency and some significant path
creations.
With regard to the definition of the eID there was no change. The eID has been
defined according to the ID registered in the national Population Register. But new
organizational paths have been created for production, issuing and personalization as
well as running the infrastructure. While in the other countries existing organizations
have taken over additional eID related functions in Estonia the founding of CMB is a
unique approach.
With regard to technical features there is a high degree of path dependency similar
to the other countries: The decisions taken for most of the technical components of
the Estonian eIDMS follow established paths of smart card and authentication
technologies. However the introduction of an additional mobile eID solution is a
case path creation which offers an alternative to the necessity for smartcard readers.
The regulatory pattern was kept quite stable. Existing legislation only was
adopted to legalize the technical and organizational changes.
Privacy issues
Kubicek and Noack report that in Austria, Belgium and Germany there was no doubt
that, because the eIDMS concerns basic privacy rights, precise legal regulation is
required. In Spain the Ministry of the Interior took the view that no additional data
232
T. Martens
will be collected compared to the previous ID card and the filing of fingerprints in a
central database and therefore no parliamentary consent is required.
In Estonia, although the certificate reveals personal data such as the date of birth
and as these personal data on the card are not PIN-protected, there was no privacy
debate in the process of legislation or in the media. There is only one remarkable
exception. Initially all active certificates were published in the freely accessible
LDAP21 directory. This made it possible to find out the birthday and gender of any
cardholder. After several years and couple of scandals in the media the set-up was
changed so that certificates can be queried from the LDAP directory by PIC only.
As the PIC is used as a key in most databases, both in the public and the private
sector, technically different personal information can be correlated. However, the
Data Protection Agency is taking care of personal privacy. Cross-relating personal
data between different databases is possible only with official permit from the Data
Protection Agency. The citizen can find out via Citizen Portal22 what data is
recorded about him/her in different databases of public administration and in some
cases also who has accessed the data.
Estonia seems to be culturally close to Scandinavian countries where safety of
personal data handed over to the government is considered “safe enough” and
privacy concerns are not that acute.
Staatsverständnis
A remarkable difference to the development in Austria and Spain as described in
previous papers in this issue, but somehow in line with the Belgium development is the
recent intense promotion. Compared to these countries Estonia since 2006 is offering
much more support. However, it has to be noted that this support does not come from
government and therefore is not caused by an corresponding Staatsverständnis
according to the Welfare State model. Rather Estonian politics is called sometimes
“ultra-liberal” meaning that government tries to outsource what they can and therefore
building so-called “thin state”. This happened to the eID development as well.
ID-card is issued by the government and was subsidized (around 50%) during
2002–2007. Now the fee for the ID-card is raised to almost covering the costs of the
issuance. But government did nothing during this period about client software or
smartcard readers. Rather the privately owned company SK did this so far. But this is
expected to change from this year as government is in the middle of contracting for
developing new wave of ID-card software.
Both these changes have very little to do with political changes. In case of
subsidizing the ID-card it was just a matter of calculation and judgment of “people
have now enough money to pay the full prize”. Software procurement was a result of
5 year long lobbying and opening of EU structural funds. Therefore we can not fully
confirm the generalisation by Kubicek and Noack that differences with regard to the
“Staatsverständnis” did influence the opening for e-commerce, the provision for
electronic signatures and the supporting provisions for components, hotlines etc.
21
22
Light Weight Directory Access Protocoll.
http://www.eesti.ee.
Electronic identity management in Estonia
233
Future perspectives
There will be no major changes in the eID arena in Estonia, except for a possible
upgrade of the ID-card chip. A next-generation ID-card is envisaged to be launched
during 2011, which will contain an RFID chip with biometric information such as in
the electronic passports. This, however, will not change anything with regard to the
definition of the eID and the electronic functionalities and applications for the IDcard. Two other major mobile operators launched Mobile-IDs in December 2009.
This could result in more attention and usage in Mobile-ID field in the future. Thus,
in contrast to Belgium and Spain, we can not confirm, that once a technical choice
has been made and a new path has been created, this establishes path dependency for
the future.
Open Access This article is distributed under the terms of the Creative Commons Attribution
Noncommercial License which permits any noncommercial use, distribution, and reproduction in any
medium, provided the original author(s) and source are credited.
Background reading
Cimander R. eID in Estonia. Good Practice Case. MODINIS Stud¥ on Interoperability at Local and
Regional Level. Prepared in Cooperation with Andreas Aarma and Ain Jary, AS Sertifitseerimiskeskus, Estonia. Download from http://www.ifib.de/projekte-detail.html?detail=Study%20on%20
Interoperability%20at%20Local%20and%20Regional%20Level&id_projekt=194 (last visited December
28th 2009.
European Commission, eGovernment in Estonia. eGovernment Factsheets, Edition 11.0, May 2009.
Download from http://www.eptactice.eu/en/factsheets. Last visited December 28 2009.
IDABC (Ed.), National Profile Estonia. eID Interoperability for PEGS. Brussels, November 2007.
Kubicek H, Noack T. The path dependency of national electronic identities. A comparison of innovation
processes in four European countries. Identity In The Information Society, Special Issue, 2010.
Tepandi J. A population wide ID Card (Estonia). Case description on http://www.eptactice.eu/cases/
eIDEstonia, last updated 10 December 2009. last vistied December 28 2009.
Smith A, Pickles J. Theorising transition: the political economy of post-communist transformation:
political economy of post-communist transformations London. Routledge Chapman & Hall; 1998.
Subrena J-J (Ed). Estonia: identity and Independence: Amsterdam–New York; 2004.
eGovernment in
Estonia
ISA
WHAT’S INSIDE
Country Profile
History
Strategy
Legal Framework
Actors
Who’s Who
Infrastructure
Services for Citizens
Services for Businesses
Visit the e-Government factsheets online on Joinup.eu
Joinup is a collaborative platform created by the European Commission under the Interoperability
Solutions for Public Administrations (ISA) in Europe Programme. Joinup provides numerous services
around 3 main functionalities:
1. An observatory on interoperability, e-government, e-inclusion and e-health
2. A collaborative platform of open communities
3. A repository of interoperability solutions
This document is meant to present an overview of the eGoverment status in this country and not to be exhaustive in its
references and analysis. Even though every possible care has been taken by the authors to refer to and use valid data
from authentic sources, the European Commission does not guarantee the accuracy of the included information, nor does
it accept any responsibility for any use thereof.
Cover picture © Fotolia
Content © European Commission
© European Union, 2015
eGovernment in Estonia, January 2015, Edition 17
Country Profile ......................................................................................... 1
eGovernment History ............................................................................... 7
eGovernment Strategy ........................................................................... 18
eGovernment Legal Framework ............................................................. 24
eGovernment Actors .............................................................................. 28
eGovernment Who’s Who ....................................................................... 32
eGovernment Infrastructure .................................................................. 35
eGovernment Services for Citizens ......................................................... 39
eGovernment Services for Businesses .................................................... 43
eGovernment in Estonia
January 2015
Country Profile
Basic data and indicators
Basic Data
Population (1 000): 1,315,819 inhabitants (2014)
GDP at market prices: 18,739 million Euros (2013)
GDP per inhabitant in PPS (purchasing Power Standards EU 28=100): 72.8 (2013)
GDP growth rate: 1.6 % (2013)
Inflation rate: 0.5 % (2014)
Unemployment rate: 8.6% (2013)
General government gross debt (Percentage of GDP): 10.1% (2013)
General government deficit/surplus (Percentage of GDP): -0.5% (2013)
Area: 45,227 km2
Capital city: Tallinn
Official EU language: Estonian
Currency: EUR
Source: Eurostat
Political Structure
Estonia is a parliamentary republic.
Legislative power lies within the unicameral Parliament, called the State Assembly
(Riigikogu in Estonian). The Assembly has 101 members, elected by popular vote, to serve
four-year terms. Members are elected on the basis of a proportional system, and a 5 %
splinter party threshold applies for those wishing to take part in parliamentary activities.
Estonia’s Head of State is the President, elected for a five-year term by the Riigikogu. The
Government, exercising executive power, is formed by the Prime Minister, nominated by
the president and a total of 14 ministers. The Government is appointed by the President
with the approval of the Parliament.
Estonia is divided into 15 counties and 227 urban and rural municipalities (towns and
parishes), whose powers and responsibilities are established by the Local Government
Organisation Act of June 1993. The Government of each county is led by a County
Governor, who represents the national Government at regional level and is appointed by
the Central Government for a term of five years. Local self-government is exercised solely
at the municipal level.
The Constitution of the Republic of Estonia was adopted on 28 June 1992.
Estonia became a member of the European Union on 1 May 2004.
Head of State: President Toomas Hendrik Ilves (since 9 October 2006).
Head of Government: Prime Minister Taavi Rõivas (since 26 March 2014).
[1]
eGovernment in Estonia
January 2015
Information Society Indicators
Generic Indicators
The following graphs present data for the latest Generic Information Society Indicators for
Estonia compared to the EU average. Statistical indicators in this section reflect those of
Eurostat at the time the Edition is being prepared.
Percentage of households with
Internet access in Estonia
90%
80%
70%
67
69
83
79
74
Percentage of enterprises with
Internet access in Estonia
100%
96
96
97
96
2011
2012
2013
2014
90%
80%
60%
70%
50%
60%
50%
40%
40%
30%
30%
20%
20%
10%
10%
0%
2010
96
0%
2011
2012
2013
2014
2010
Source :
http://appsso.eurostat.ec.europa.eu/nui/show.do?dataset=iso
c_bde15b_h&lang=en
Source:
http://appsso.eurostat.ec.europa.eu/nui/show.do?dataset=iso
c_ci_in_en2&lang=en
Percentage of individuals using the internet at least once a week in Estonia
90%
80%
71
73
75
77
2011
2012
2013
82
70%
60%
50%
40%
30%
20%
10%
0%
2010
2014
Estonia
EU
Source : http://appsso.eurostat.ec.europa.eu/nui/show.do?dataset=isoc_bdek_di&lang=en
[2]
eGovernment in Estonia
January 2015
Percentage of households with a
broadband connection in Estonia
90%
80%
70%
73
64
78
81
Percentage of enterprises with a
broadband connection in Estonia
100%
90%
65
88
92
96
96
96
2012
2013
2014
80%
60%
70%
50%
60%
40%
50%
40%
30%
30%
20%
20%
10%
10%
0%
0%
2010
2011
2012
2013
2014
2010
2011
Source :
http://appsso.eurostat.ec.europa.eu/nui/show.do?dataset=iso
c_r_broad_h&lang=en
Source:
http://appsso.eurostat.ec.europa.eu/nui/show.do?dataset=iso
c_bde15b_e&lang=en
Percentage of individuals having
purchased/ordered online in the last
three months in Estonia
Percentage of enterprises having
received orders online within the
previous year in Estonia
45%
16%
40%
37
35%
12
12%
30%
10%
25%
10
11
11
2011
2012
10
8%
20%
15%
14%
16
17
16
6%
13
10%
4%
5%
2%
0%
0%
2010
2011
2012
2013
2014
Source:
http://epp.eurostat.ec.europa.eu/tgm/table.do?tab=table&init
=1&language=en&pcode=tin00067&plugin=1
2010
2013
2014
Source :
http://epp.eurostat.ec.europa.eu/tgm/table.do?tab=table&init
=1&language=en&pcode=tin00111&plugin=1
Estonia
EU
[3]
eGovernment in Estonia
January 2015
eGovernment Indicators
The following graphs present data for the latest eGovernment Indicators for Estonia
compared to the EU average. Statistical indicators in this section reflect those of Eurostat at
the time the Edition is being prepared.
Percentage of individuals using the
internet for interacting with public
authorities in Estonia
55%
50%
45%
40%
35%
30%
25%
20%
15%
10%
5%
0%
50
2010
53
55
48
2011
2012
2013
51
2014
Source :
http://appsso.eurostat.ec.europa.eu/nui/show.do?dataset=iso
c_bde15ei&lang=en
Percentage of individuals using the
internet for obtaining information from
public authorities in Estonia
55%
50%
45%
40%
35%
30%
25%
20%
15%
10%
5%
0%
49
2010
48
2011
51
45
2012
2013
48
2014
Source:
http://appsso.eurostat.ec.europa.eu/nui/show.do?dataset=iso
c_bde15ei&lang=en
Estonia
EU
[4]
eGovernment in Estonia
January 2015
Percentage of individuals using the
internet for downloading official forms
from public authorities in Estonia
40%
38
35%
Percentage of individuals using the
internet for sending filled forms to
public authorities in Estonia
40%
31
31
30%
30
20%
15%
15%
10%
10%
5%
5%
0%
0%
2013
30
2014
Source:
http://appsso.eurostat.ec.europa.eu/nui/show.do?dataset=iso
c_bde15ei&lang=en
32
25%
20%
2012
33
30%
25
2011
36
35%
25%
2010
38
2010
2011
2012
2013
2014
Source:
http://appsso.eurostat.ec.europa.eu/nui/show.do?dataset=iso
c_bde15ei&lang=en
Estonia
EU
[5]
eGovernment in Estonia
January 2015
eGovernment State of Play
The graph below is the result of the latest eGovernment Benchmark1 study, which monitors
the development of eGovernment in Europe, based on specific indicators. These indicators
are clustered within four main top-level benchmarks:




User Centricity – indicates to what extent (information about) a service is provided online and
how this is perceived.
Transparent Government – indicates to what extent governments is transparent regarding: i)
their own responsibilities and performance, ii) the process of service delivery and iii) personal
data involved.
Cross Border Mobility – indicates to what extent EU citizens can use online services in another
country.
Key Enablers – indicates the extent to which 5 technical pre-conditions are available online.
There are: Electronic Identification (eID), Electronic documents (eDocuments), Authentic
Sources, Electronic Safe (eSafe), and Single Sign On (SSO).
These top-level benchmarks are measured using a life-events (e.g. mystery shopping)
approach. The following life-events were used for measuring the eGovernment Benchmark
top-level indicators: Business start-up and early trading operations, Losing and Finding a
Job, Studying, Regular business operations, Moving, Owning and driving a car, and Starting
a small claims procedure. The figure below presents the development of eGovernment in
Estonia compared to the EU average score.
Source: http://ec.europa.eu/information_society/newsroom/cf/dae/document.cfm?doc_id=5550
1
http://ec.europa.eu/information_society/newsroom/cf/dae/document.cfm?doc_id=5812
[6]
eGovernment in Estonia
January 2015
eGovernment History
Main developments and key milestones (in reverse
chronological order)
For the latest developments, see: Joinup news.
Recent News
February 2015
General elections are held in Estonia. At the time of updating this document, the
percentage of internet voters (i-voters) in the total number of voters is not yet clear, but a
new i-voting record has again clearly been set with 176491 voters having cast their vote
electronically.
The Minister of Economic Affairs and Communications and the Minister of Education and
Research sign the Science and Technology Pact. The pact is a cooperation agreement
between the government, local authorities, educational institutions, the private sector and
non-governmental organisations to support the technology and engineering fields. The aim
of the Science and Technology Pact is the sustainable development of education and
entrepreneurship in the field, as well as the supply of an adequate workforce.
January 2015
The Minister of Economic Affairs and Communications signs an ambitious plan to increase
digital literacy in Estonia, funded by the EU Social Fund. The plan foresees a myriad of reand upper-skilling projects with dual aims of increasing both basic computer literacy skills
and fostering the development of ICT-skills for specialists within other sectors.
The Ministry of Economic Affairs and Communications starts cooperation with the University
of Oxford (UK) to study the implications of information society and cyberspace and to pass
that knowledge on to Estonian students outside ICT-subjects. This is a cutting-edge project
being the first systematic research and teaching initiative dedicated to cyber issues within
political science at any of the world's major universities.
December 2014
Estonia becomes a founding member of the D5 alliance of leading e-governance countries.
The purpose of the alliance, established in 2014 in London, is to exchange experience about
information society and the e-state.
In 2015, D5 will focus on the following topics: best practices of IT procurement,
programming studies for children, and connectivity (Internet availability and quality). The
2015 summit of D5 will be held in Estonia.
In addition to Estonia, the network includes the United Kingdom, South Korea, Israel, and
New Zealand.
The Government of the Republic approves a Green Paper on Open Data elaborated at the
leadership of the Ministry of Economic Affairs and Communications. In addition, a new
improved version of open data gateway at https://opendata.riik.ee/ goes live.
[7]
eGovernment in Estonia
January 2015
November 2014
Estonia becomes the first country in the world to issue e-residency. People from all over the
world now have an opportunity to get digital identity provided by the Estonian government
in order to get secure access to world-class digital services from wherever you might be.
E-residency is a state-issued secure digital identity for non-residents that allows digital
authentication and the digital signing of documents.
An e-resident will be a physical person who has received the e-resident’s digital identity
(smart ID-card) from the Republic of Estonia. This will not entail full legal residency or
citizenship or right of entry to Estonia.
Instead, e-residency gives secure access to Estonia’s digital services and an opportunity to
give digital signatures in an electronic environment. Such digital identification and signing is
legally fully equal to face-to-face identification and handwritten signatures in the European
Union.
October 2014
The e-Governance Academy of Estonia enters into an agreement with the government of
Namibia for the implementation of a data exchange layer similar to X-Road in Namibia over
the next two years.
The X-Road will enable Namibian public sector institutions to make secure, Internet-based
crossover use of data from different institutions and to develop e-services for the country’s
residents and companies. Estonia has assisted in the development of an information system
similar to the X-Road in Azerbaijan and is currently helping Palestine on this issue.
September 2014
The Government approves the Cyber Security Strategy for 2014–2017 with the objective of
increasing the capacity of the state in the area of cyber security and raising the awareness
of the population of cyber risks.
The strategy focuses on ensuring the provision of vital services, raising the efficiency of
combating cyber-crimes and development of the national defence capacity. The additional
supporting activities are the development of the legal framework, improvement of
international cooperation, raising the awareness and ensuring the availability of experts and
solutions for cyber security.
July 2014
An eHealth Task Force is set up at the leadership of the Government Office with a goal to
develop a strategic development plan for Estonian eHealth until 2020.
The role of the Task Force is to develop an Estonian eHealth Strategic Development Plan
until 2020 along with development activities, a financing plan and a detailed
implementation plan for 2015 - 2017.
[8]
eGovernment in Estonia
January 2015
June 2014
From June 2014, all ministries have similarly designed and structured webpages to allow
the visitor to access information faster and more easily than before as well as have a clear
overview of the goals and activities of the government and governmental authorities.
The similarly structured and designed webpages of the Government, Government Office
and 11 ministries now form a common online environment – the Government Portal.
April 2014
On April 23-30, the first ever Tallinn ICT Week is held in Tallinn. A number of different
seminars, conferences and workshops aimed at different target groups, e.g. ICT sector,
other sectors of economy, start-up community, policy-makers from all over the world etc is
held throughout the week. One of the central events of the ICT Week is the Nordic Digital
Agendas Day, organized at the initiative of the Ministry of Economic Affairs and
Communications. During the conference, ICT policy-makers from all Nordic countries share
their experience in developing information society and discuss regional co-operation in the
field. The week ends with a high-level freedom online conference "Free and secure internet
for all", organized in co-operation with the Ministry of Foreign Affairs of Estonia and the
Freedom Online Coalition.
March 2014
A new Tallinn-Helsinki cross-border fibre connection is launched between EEnet and Funet,
the Estonian and Finnish national research and education networks. The new high capacity
optical fibre connection between the two capitals provides major improvement of the
available network transmission capacity between the Estonian and Finnish research and
education networks. For more information, please see here
The world's most popular programming tool Codecademy.com is now available also in
Estonian. The project was carried out at the initiative of the Information Technology
Foundation for Education to facilitate teaching and learning of code-writing both in
educational institutions and on a wider scale in society. Estonian is one of the first working
languages of Codecademy after English language. For more information see here.
January 2014
The Estonian education minister Jaak Aaviksoo and Finnish education minister Krista Kiuru
sign a co-operation memorandum on the creation of a joint Estonian-Finnish Education
Cloud. The cloud provides a digital environment for stud materials and good practices,
which supports better learning and is open for all students and teachers.
December 2013
The prime ministers of Estonia and Finland conclude the first digitally signed
intergovernmental agreement (Memorandum of Understanding) focusing on joint
development of e-services between the two countries. One of the central elements of the
memorandum foresees that the state data exchange layer, known in Estonia as the X-Road,
will be developed jointly with Finland in the future.
[9]
eGovernment in Estonia
January 2015
November 2013
Digital Agenda 2020 for Estonia together with implementation plan for 2014-2015 is
approved by the Government of the Republic. The general objective of the Estonian new
ICT policy is to ensure a well-functioning environment for the widespread use and
development of ICT-solutions, contributing thereby to the economic growth, better public
administration and greater well-being of people. The document sets out actions in four
target areas: ICT infrastructure, better ICT skills, smarter governance and public
administration, and greater awareness of e-Estonia in the world. The strategy that was
elaborated in close co-operation with representatives of the private and the nongovernmental sector also sets out a vision for information society 2020.
An ambitious project entitled Nutikaitse 20017 is initiated in co-operation between the
public and the private sector. The aim of the project is to promote safer use of smart
devices and development of secure mobile services. For more information see here.
October 2013
On October 7, 2013, a specific programme is approved for carrying out different projects
aimed at increasing the efficiency and effectiveness of public services via ICT tools. The
programme is initiated and implemented at the leadership of the Ministry of Economic
Affairs and Communications.
September 2013
Neelie Kroes, the Vice-President of the European Commission, visits Estonia in order to
discuss the development of the digital single market as well as issues related to increasing
competitiveness, simplifying doing business and reducing bureaucracy through the use of esolutions.
When presenting the development of e-services in Estonia to Kroes, the Prime Minister of
Estonia, Andrus Ansip, gave her a personalised test-ID card as a gift and the Commissioner
could try giving a digital signature, while seeing its simplicity and performance. The goal of
Estonia is to reach the recognition and use of digital signatures across Europe.
May 2013
On May 16, 2013 the Government of the Republic approves the Green Paper on the
Organisation of Public Services in Estonia. The document:
 establishes the definition of "public service";
 identifies problems faced by citizens and enterprises in the usage of central and local
government services;
 proposes solutions.
On the same month, the Director General of the Estonian Information System's Authority
(RIA), Jaan Priisalu, and the Head of the State Portal (eesti.ee), Mihkel Tikk, meet the
President of the Portuguese Agency for the Modernisation of the Public Administration
(AMA), Paulo Neves, and its representatives. The purpose of the meeting is to exchange
best practices on the modernisation of the two states’ public administration.
AMA representatives are particularly interested in RIA’s Document Exchange Centre
(Dokumendivahetuskeskus - DVK, in Estonian). This is an information system that provides
[10]
eGovernment in Estonia
January 2015
a common central document exchange service for various document management systems
as well as other information systems that handle documents. In addition, both RIA and AMA
representatives agree to deepen collaboration and make a formal proposal to sign a
memorandum of cooperation.
April 2013
Annual information society conference is held at the initiative of the Ministry of Economic
Affairs and Communications. This year's event is designed to contribute to the elaboration
of the new ICT strategy and focuses, thus, on the priorities and objectives of information
society development in the next seven years.
In the framework of the conference, the winners of a competition "Best e-services in
Estonia" were announced. The overall winner of the contest, a company offering money
transfer service - Transferwise - was also nominated for the World Summit Award, where it
was chosen as one of the 40 best e-services in the world.
March 2013
The Estonian State Portal eesti.ee celebrates its 10th anniversary.
February 2013
Estonia and the UK sign a memorandum of understanding for the two countries to
exchange experience in creating user-friendly public e-services.
During the same month, a study by the Ministry of Economic Affairs and Communications
reveals that the use of electronic solutions has changed the way public services work by
being 12 times faster and of higher quality than the conventional services.
Margus Püüa, Ministry’s State Information Systems department mentions that despite the
limited research conducted so far, a substantive impact analysis pertaining to the use of
and satisfaction with eServices has yet to be conducted. He adds that the purpose of the
study is to develop a method and use it to assess how much time and money eServices can
save.
News 2012-2001
2012
On 27 September 2012, the Government approves a proposal, drafted by the Estonian
Information Society Strategy 2014-2020, which will constitute the basis for the Ministry of
Economic Affairs and Communications (Majandus- ja Kommunikatsiooniministeerium MKM, in Estonian) to prepare a new Information Society Strategy 2020. The greatest
benefits of this development include: good Internet accessibility, the use of services to
support the development of state information and security for citizens and businesses, as
well as the development of electronic services.
 In February 2012, since the launch of the national eID card ten years ago (28 January
2002), around 1.6 million cards have been issued, and citizens have well integrated
their use into their daily lives. Ms Tatjana Portnova, Estonian Police and Border Guard
[11]
eGovernment in Estonia
January 2015
Board's service centre director says that people have been showing a multiplied interest
in the use of the eID card, on a daily basis.
2011
 A new version of the State Portal 'eesti.ee' goes live in November 2011. The
development of the portal, led by the State Information System's Authority is based on
user involvement and their feedback. One of the major benefits of the new version is
that search for information is much faster, as articles, services and contacts are better
interconnected.
 During the same month, Tallinn, the capital of Estonia, is awarded with the European
Public Sector Award 2011 for citizen eServices.
 On 9 September 2011, a Memorandum on Mutual Assistance is signed between Estonia
and Greece. The objective of the co-operation was the reduction of corruption and
bureaucracy through ICT.
 Between 26-28 September 2011, an international eGovernment conference ICEGOV
(International Conference on Theory and Practice of Electronic Governance) is organised
under the auspices of the UN and held in Tallinn, Estonia.
 On 27 September 2011, the annual information society conference was held in Tallinn,
focusing on copyright in the information society, aiming to analyse the topic from a
balanced viewpoint, taking into account the interests and rights of creators, users and
the industry.
 In August 2011, the Information Society Yearbook 2010 is compiled by the Department
of State Information Systems, Ministry of Economic Affairs and Communications. The
Information Society yearbook of 2011-2012 is also available.
 Estonia's eAnnual reporting environment, which enables entrepreneurs to file annual
reports electronically is voted and announces a winner in the category of 'eGovernment
& Institutions' at the global eContent contest World Summit Award (WSA) 2011 on 16
June 2011. The eReporting environment enables entrepreneurs to submit their
compulsory annual reports via the eBusiness Registry Company Registration Portal.
 Following a reorganisation on 1 June 2011, the public authority in charge of Estonia's
information systems' security, is renamed from Estonian Informatics Centre to Estonian
Information System's Authority (EISA). It will help with and monitor the security of the
information systems of private and public sector organisations. It has 11 main
functions, but the reorganisation primarily affected the two departments dealing with
information security. These are:
 The Department of Critical Information Infrastructure Protection (CIIP) evaluates
the security of information systems in Estonia and carries out risk assessments.
 The Computer Emergency Response Team Estonia (CERT-EE) handles security
issues involving the '.ee' domain.
 In April 2011, a new information system for the management of draft laws is launched.
The Draft Information System (Eelnõude Infosüsteem - EIS) provides access to all draft
laws and other documents that have been submitted by government bodies for
consultation and approval or sent to the Government.
 On 6 March 2011, Parliamentary Elections are held in Estonia. For the fifth time in a
row, Estonians are able to cast their votes over the Internet during the advanced polling
days from 28 February to 2 March 2011.
 The Estonian Government launched the Rural Municipality Portal in February 2011. The
Portal aims to increase the transparency of local governments and expand citizen
[12]
eGovernment in Estonia
January 2015
participation. The service portal is based on an open source content management tool
which allows for easy and uniform site administration.
 On 1 February 2011, the Estonian Police and Border Guard (Politsei- ja Piirivalveamet)
made available a new type of digital identity, the mobile-ID, which enables users to
provide electronic identification and a digital signature using a mobile phone.
 On 31 January 2011, the Estonian Unemployment Insurance Fund opens its self-service
employment portal for public testing. Anyone interested could find and view in the
portal public-sector job vacancies. Users can log in by using their ID-card or mobile-ID
and then create their own CV, apply for jobs, manage their own work requests, review
the statements made to the Unemployment Insurance Fund about the outcomes and
decisions, and inform them of any changes to their data or situation.
 In 2011 good progress is made towards the goals of the Estonian broadband strategy,
EStWin, aiming to build a country-wide broadband network capable of delivering
100 Mbps connections to the majority of Estonian households and businesses by
the end of 2015. The Estonian Broadband Development Foundation (ELA) will be
responsible for the EstWin, a project with the aim of bringing the new generation
broadband networks into every home, business and institution and so eliminating the
digital divide between the Estonian countryside and the biggest cities.
2010
 Since August 2010, the section of the 'Eesti.ee', aimed at companies is updated and
translated into English to promote cross-border business and public services to the
benefit of European companies. The section for companies of 'Eesti.ee' works as a Point
of Single Contact that enables service providers operating all over Europe to solve the
formalities needed for starting or continuing their business activities in the European
Union (EU).
 'Diara' is an open source application that allows public administrations to use the
Internet in order to organise polls, referenda, petitions, public inquiries as well as to
record electronic votes using electronic identity (eID) cards; its first version went online
at the end of August 2010.
 On 1 July 2010, Estonia switches to digital-TV.
 On 5 July 2010, new domain rules come into force in Estonia, making the '.ee' country
code top-level domain (ccTLD) significantly more accessible. While according to the
previous rules, only companies could obtain '.ee' domains, private individuals and
foreigners will now be able to obtain them too. In addition, a person will be able to
register several domains. The new regime introduces a dual-level registration, the
interaction with registrants being delegated to registrars by the Estonian Internet
Foundation.
 According to the findings of a research study executed in June 2010, 75 % of the
Estonians who used the public electronic services are very satisfied. 1 020 Estonian
residents were interviewed for this study, in the framework of the 'Information society
awareness' campaign, which is funded by the European Union Structural Funds in
Estonia.
 The Estonian Government approved on 1 April 2010 an amendment bill to the Electronic
Communications Act and the Information Society Services Act regulating the use of
individuals' electronic contact data for sending out commercial emails.
 In February 2010, the Government of Estonia approves the Implementation Plan for
2010-2011 of the Estonian Information Society Strategy 2013.
[13]
eGovernment in Estonia
January 2015
 In January 2010, a digital prescriptions system is launched in Estonia, freeing the
patients from the fear of losing or forgetting their paper prescriptions and considerably
reducing the time doctors and pharmacies spend on them.
 A month-long campaign entitled 'Gateway to eEstonia' is launched in January 2010 to
promote State Portal eesti.ee both to the general public and to service providers. The
campaign's objective is to increase users’ awareness of the portal and invite them to
provide feedback on how to improve the website and increase its user-friendliness.
2009
 On 1 October 2009, the Estonian Informatics Centre - EIC (Riigi Infosüsteemide
Arenduskeskus - RIA) opened its Department for Critical Information Infrastructure
Protection (CIIP). CIIP aims to create and run the defence system for Estonia's critical
information infrastructure.
 In August 2009, Estonia’s largest ICT companies establish the Estonian Broadband
Development Foundation with the objective that the basic infrastructure of the new
generation network in Estonian rural areas is developed by the end of 2015.
 In July 2009, the Government of the Republic approved the amended version of the
'Estonian Information Society Strategy 2007-2013'. The update concerns measure
4.1.1, 'Broadening technological access to digital information' to which a chapter was
added on the development of broadband internet. In addition, the Estonian 'Rural
Development Plan 2007-2013' is amended in the summer of 2009 to allow for the use of
resources of the EU recovery package.
 During the second week of May 2009, the first company in Estonian business history is
created in the Company Registration Portal with a Finnish ID card, without the founders
of the company having had to leave their desks to have the company officially
registered in Estonia. The Estonian Company Registration portal which opened to the
users of Finnish ID-cards at the end of last year also accepts digital signatures from
Portugal, Belgium and Lithuania.
2008
 In August 2008, entrepreneurs are invited to activate their email address on the
eGovernment Portal to avoid company identity theft and detect it when it occurs.
Businesses which subscribe to the service will receive an automatic notification when
the Commercial Register receives an application for altering an entry.
 In May 2008, the Estonian Government adopts a Cyber Security Strategy. Cyber
security in Estonia is primarily based on reducing the vulnerability of the cyberspace in
the nation as a whole. This is accomplished through the implementation of domestic
action plans, but also through an active international cooperation which supports the
enhancement of cyber security.
 Since April 2008, residents of the Estonian capital city, Tallinn, can apply for and renew
parking permits electronically on https://www.parkimine.ee/en using their eID card,
Mobile-ID or Internet banking authorisation codes. The payment of the granted permits
is performed online.
 As of 15 February 2008, Estonians have made use of the improved Tax and Customs
Board's online service to submit their tax returns electronically can benefit from
refunds well before those who have chosen to complete theirs on paper.
[14]
eGovernment in Estonia
January 2015
2007
 During the last quarter of 2007, a new version of the Estonian State portal results from
the merge of the former State Information portal and the Citizen portal, created a single
integrated service. Access to information and eServices on the new portal depends on
whether the user is a citizen, entrepreneur or State official.
 During December 2007, a new, user-friendly tax and customs web service is
launched. Following a consultation period with Internet users, the website’s sections
have been designed to match the needs of different user groups, whether they are
private persons or representatives of legal entities.
 In November 2007, the Ministry for Economic Affairs and Communications approves the
programme 'Raising Awareness about the information society' whose objective is to
inform citizens on the possibilities of the information society. The programme is
implemented over the period 2007 - 2013 by the Estonian Informatics Centre with a
total budget of 50 million Estonian kroons (approx. € 3.2 million), funded from the EU
Structural Funds.
 In September 2007, the Informatics Council - an advisory committee for the
Government of Estonia – approved thehttp://www.riso.ee/en/files/Implementation Plan
2007-2008 of the Estonian Information Society Strategy_0.pdf Estonian information
society Strategy 2013, promoting the development of a citizen-centred and inclusive
information society, as well as the advancement of the knowledge-based economy.
 In August 2007, the Estonian Tax and Customs Board begins offering a new eService
to local authorities which enables them to make inquiries on the income of the
taxpayers living in their area.
 Due to the cyber-attacks against Estonia’s governmental and private web pages, the
Government approves an Action Plan to fight cyber-attacks in July 2007. The plan,
implemented by the Ministries in charge of Economic Affairs and Communications,
Defence, Internal Affairs and Justice, aims to create a strong legal basis for fighting
cyber-crime and seeks to improve the processes for preparing for such emergencies.
 Furthermore, the Osalusveeb website is launched; it allows everyone (Estonian citizens,
associations, civil society stakeholders) who has registered as a user to express
opinions on drafts published by the Government.
 Since June 2007, Estonian businesses can submit their annual accounting reports
electronically through the Company Registration Portal.
 Launch of the Mobile-ID service in May 2007. Mobile-ID enables the identification of a
person and the signature of digital documents via mobile phone, giving greater freedom
for performing transactions that require personal identification.
 In April 2007, Estonia’s governmental and private web pages suffer coordinated cyberattacks.
 On 4 March 2007, Estonia holds the world's first national general elections with an
Internet voting option. A total of 30 275 citizens uses this option to register their
preferences for the Estonian Parliament (Riigikogu).
 In February 2007, the newly launched Company registration portal makes it possible for
start-up companies to set up a new company electronically, in just a couple of hours,
using an eID card.
 Regulations for X-Road, the middle-tier data exchange layer enabling Government
databases to communicate with each other, are also published that month.
 The ‘Estonian Information Society Strategy 2013’ enters into force on 1 January 2007.
It is conceived as a sectoral development plan, setting out the general framework,
[15]
eGovernment in Estonia
January 2015
objectives and respective action fields for the broad use of ICT in the development of
the knowledge-based society and economy in Estonia for the period 2007-2013. The
plan focuses on the use of IT to improve quality of life and increase citizen involvement
in public life.
 Moreover, citizens can request an electronic voter card through the eGovernment portal
for citizens by 31 January 2007. Once registered for the eVoter card, citizens will no
longer receive paper voter cards through normal mail.
2006
 In December 2006, the Estonian Informatics Centre (RIA) conducts a legal analysis
to assess the legitimacy of electronic communications between the State and citizens.
The study coincides with the introduction of a new service called the ‘Notification
Calendar’ on the eGovernment portal.
 In July 2006, for the third year in a row, Estonian students taking national examinations
can register on the Estonian Citizen’s Portal to receive their results either by email or on
their mobile phones via SMS. Results reach examinees as soon as the marks are
entered into the central database.
 Moreover, the Estonian Government launches a new service enabling Estonian high
school graduates to apply to universities online. This new service is available on the
Citizen’s portal, or on the new Common Admissions Information Portal (SAIS).
 In May 2006, Estonia’s Computer Emergency Response Team (CERT) is officially
presented. This new unit of the Estonian Informatics Centre deals with security incidents
that occur on Estonian networks, carries out preventive actions and contributes to
awareness-raising on Internet security.
 During that same month, leaders of the largest banks and telecommunication
companies as well as the Ministry of Economic Affairs and Communications sign a cooperation agreement to launch a nationwide 'Computer Protection 2009' initiative so as
to increase end-user PC protection in Estonia while making the country the most secure
information society in the world by 2009.
 Publication of the Estonian IT Interoperability Framework, (version 2.0) in April 2006.
 In March 2006, the new initiative Küla Tee 3 (VillageWay 3) is launched. Its objective is
to improve access to permanent Internet connection in sparsely populated rural areas
by guaranteeing quality Internet coverage of 90 % of Estonia’s territory.
 Moreover, the Estonian Ministry of Economic Affairs and Communications releases the
annual report ‘IT in Public Administration of Estonia - Yearbook 2005’. It presents the
main achievements in the eGovernment field in 2005, the latest figures relating to the
information society progress in Estonia and a brief description of the Government’s
‘Information Policy Action Plan 2004-2006.
2005
 In November 2005, Estonia launches a nation-wide Information Security policy
which specifies and coordinates the upcoming eSecurity related initiatives, aiming to
create a secure ‘eEnvironment’ for business and consumers.
 In October 2005, Estonia becomes the first country in the world to enable its citizens to
vote over the Internet for political elections. To vote online, users must insert their eID
cards into readers connected to their computers and log on to the Internet voting
website.
[16]
eGovernment in Estonia
January 2015
 In June 2005, the Government adopts the Information Policy Action Plan for 20042006.
 In April 2005, the Estonian Parliament approves the Estonian Broadband Strategy
setting out the principles for the development of fast Internet connections until 2007.
2004
In May 2004, the Estonian Government adopts a new information society policy called
Principles of the Estonian Information Policy 2004-2006. An Information Policy Action Plan
for 2004-2006 is also adopted.
2003
 In May 2003, Finland and Estonia sign an agreement to harmonise the concepts and
practices between the two countries regarding digital signature, document format and
exchange. The project, codenamed 'OpenXAdES', is an open initiative which promotes
the 'universal digital signature'.
 In March 2003, the Estonian Government launches its eGovernment portal eesti.ee.
The site is intended to provide a single, one-stop umbrella for the many Government
services already online, as well as for all new services being developed.
2002
 In the summer of 2002, together with the United Nations Development Programme
(UNDP) and the Open Society Institute (OSI), the Estonian Government establishes an
eGovernance Academy (EGA) to enable Estonia’s neighbours to benefit from its
eGovernment experience and expertise.
 In January 2002, Estonia starts the introduction on national electronic ID cards. The
card functions are to be used in any form of business, governmental or private
communications.
2001
 In December 2001, the 'X-Road' system (‘X-tee’ in Estonian) is launched. 'X-Road' is a
middle-tier data exchange layer enabling governmental databases to communicate.
 In the summer of 2001, the Estonian Government launches an innovative
eDemocracy portal, TOM (Täna Otsustan Mina – 'Today I Make Decisions') whose aim
is to enhance citizens’ participation in the public decision-making process. This portal
has since then been renamed to ‘Osalusveeb’.
 In February 2001, the Government approves an updated Information Policy Action Plan.
[17]
eGovernment in Estonia
January 2015
eGovernment Strategy
Main strategic objectives and principles
Estonian Information Society Strategy 2014 - 2020
The Information Society Strategy 2020 does not
deal with the introduction of ICT in various
residential and policy areas, such as the use of
ICT in health care or business. Rather it focuses
on the use of ICT and smart solutions for the
creation of an enabling environment assurance.
The higher goal is thus to support the
competitiveness of the economy through ICT,
human well-being and an increase in the efficiency of state government.
The Information Society Strategy includes a number of steps necessary for development
activities. Indicatively these steps include the following:
 Construct a base ready for the ultra-fast Internet network, enabling that at least 60 %
of all Estonians use the Internet on a daily basis.
 Enhance the cross-border capability of eServices in joint cooperation with the Nordic
Institute of eGovernment Innovation aiming at developing X-roads, eIdentities, digital
signatures, etc.
 Enable that by 2020, 20 % of the population uses the digital signature.
 Provide people with the technological and organisational infrastructure to take control
over the use of their data and know at any time who, why, when and how these data
are being used by their government.
 Modernise Estonian public eServices and implement uniform quality standards and
support reform of old IT solutions.
 Improve related policies for better decision-making and service provision.
 Launch a virtual or eResidency by issuing a digital identity to non-residents and
providing its eServices in a similar way to Switzerland's banking industry.
Cyber Security Strategy 2014-2017
The Cyber Security Strategy 2014-2017 is the basic document for planning Estonia’s cyber
security and a part of Estonia’s broader security strategy. The strategy highlights important
recent developments, assesses threats to Estonia’s cyber security and presents measures
to manage threats. The strategy continues the implementation of many of the goals found
in the Cyber Security Strategy 2008-2013.
The new Cyber Security Strategy sets out four objectives:
1) A comprehensive system of security measures, consisting of different levels, will be
implemented in Estonia to ensure cyber security at national level.
2) Estonia will be a country that is characterised by a very high level of information security
competence and awareness.
[18]
eGovernment in Estonia
January 2015
3) Proportionate legal regulations serve to support the secure and extensive use of
information systems.
4) Estonia will be one of the leading countries in international co-operation to enhance
cyber security.
Implementation of the strategy will be coordinated by the Ministry of Economic Affairs and
Communications. All ministries and government agencies will participate in its
implementation, above all the Ministry of Defence, the Information System Authority,
Ministry of Justice, The Police and Border Guard Board, the Government Office, Ministry of
Foreign Affairs, Ministry of the Interior and the Ministry of Education and Research. The
strategy will be implemented in cooperation with non-governmental organisations, business
associations, local governments and educational institutions.
The total cost of implementation of the activities provided in the strategy is approximately
EUR 16 million.
Previous eGovernment Strategies
Estonian Information Society Strategy 2013 (2008-2013)
The ‘Estonian Information Society Strategy 2013’ was approved on 30 November 2006 by
the Estonian Government and entered into force on 1 January 2007. This strategy has been
designed as a sectoral development plan, setting out the general framework, the objectives
and the respective action fields for the broad use of ICT in the development of a
knowledge-based society and economy in Estonia for the period 2008-2013. This latest
strategy takes into account the objectives and priorities of the EU-level policy framework,
namely: the initiative ‘i2010: A European Information society for growth and employment’
and the related ‘i2010 eGovernment Action Plan’.
The strategy is dedicated to an ICT vision for Estonia, based on the beliefs that the country
is a constantly developing, inclusive society, raising the living standard of everyone and
that the wide take-up of ICT will improve citizens’ quality of life as well as actively involve
them in public life. Thus the strategy aims to place more emphasis on: the development of
a citizen-centric and inclusive society, a knowledge-based economy as well as a
transparent and efficient Public Administration.
Actions and measures
For each component of this 'Vision', actions and measures are being taken in three fields
of action, as follows:
Action field I: Development of a citizen-centric and inclusive society
In the information society, most of the information is stored in a universal digital form. To
ensure citizen welfare, citizens must possess the skills and have the willingness to use the
opportunities created by the information society, while benefiting from a multi-access
channel to digital information that suits their needs. In line with the strategy, by 2013,
75 % of Estonian residents should be using the Internet, while household Internet
penetration should amount to 70 %. Moreover, by 2010, all public sector websites complied
with the Web Accessibility Initiative (WAI) criteria. To such an end, the following actions are
foreseen:
 broadening technological access to digital information;
 improving skills and widening possibilities for participation.
Action Field II: Development of a knowledge-based economy
[19]
eGovernment in Estonia
January 2015
The strategy foresees that by 2013, the productivity per employee in Estonian enterprises
will account for 75 % of the EU average and that the share of ICT enterprises in the
national GDP will amount to 15 %. To reach this objective, the following measures will be
taken:
 promoting ICT uptake by enterprises;
 increasing the competitiveness of the Estonian ICT sector.
Action field III: Development of a citizen-centric, transparent and efficient Public
Administration
In line with this objective, the Administration should function efficiently while collecting,
using and managing data necessary for the provision of public goods in a common and
systematic manner. Public sector processes must be transparent and easy to understand.
In addition, public services for citizens and businesses must be fully available electronically,
widely used and structured around users’ needs. By 2013, the strategy sets the objective of
80 % of citizen satisfaction and 95 % of business satisfaction with regard to the use of
public sector eServices. In this light, the following measures will be taken:
 improving the efficiency of the public sector;
 providing user-friendly public eServices
Estonian Cyber Security Strategy 2012
Estonia belongs to the group of highly cyber dependent countries that considers ensuring
cyber security a matter of national security and societal welfare. Estonia has actively
addressed the question of cyber security on a national level since at least 2007, with the
aim of ensuring the security and availability of national institutions and essential services at
all times. The National Cyber Security Strategy developed in 2008 laid out a national action
programme up to 2013.
In 2011, the Estonian Information System’s Authority (RIA) was established as Estonia’s
central cyber security competence and coordination centre with related priorities such as
assembling the necessary competence to ensure security, creating and developing
cooperation networks, developing specific capabilities (e.g. SCADA/ICS security) and
supporting providers of essential services and critical infrastructure administrators in
ensuring cyber security. The responsibility for cyber security policy coordination was
handed over from the Ministry of Defence to the Ministry of Economic Affairs and
Communications in the same year.
On 21 March 2013, the Government approved a proposal according to which the Estonian
cyber security strategy for 2014 -2017 will be drawn up.
Estonian Broadband Strategy 2011
A report was issued in 2011 regarding Estonia's Broadband Strategy, related regulations
and developments. The Estonian Broadband Development Foundation (ELA) is responsible
for the EstWin, a project with the aim of bringing the new generation broadband networks
into every home, business and institution and so eliminating the digital divide between the
Estonian countryside and the biggest cities.
The ELA began building the network in rural areas where the private sector was not
investing due to its unprofitability. It is expected that the building of the base network will
ensure that 98 % of homes, businesses and institutions will be within 1.5 km of fibre optic
networks. The ELA does not build connections to end users.
[20]
eGovernment in Estonia
January 2015
Estonian Information Society 2004-2006
In 1998 the Estonian Parliament approved the Estonian principles of the initial ICT policy.
These principles serve as a basis for making public policy decisions to support the rise of
the information society on the basis of an action plan. The Information Policy Action Plan in
its turn is the basis for all government agencies to make specific proposals to the
Government, including that of schedules, sources of finances, and responsibilities for the
implementation of information policy programmes every year. The Action Plan was
approved by the Government in April 1998, May 1999 and February 2001.
According to the Government decision of 14 May 2002 the information policy priorities for
2002/2003 are as follows:
 develop services for citizens, business sector and public administration, especially the
elaboration of ID-card applications, proceeding also from the list of eGovernment
services defined in the eEurope+ Action Plan;
 improve skills and access of social groups in unequal position for using electronically
provided services;
 elaborate and introduce of systems for digital document management and archival
processing;
 develop of the system and infrastructure of state registers, including the development
of systems that ensure the maintenance of databases and the introduction of the data
exchange layer (project “X-road”) of information systems;
 provide schools with computers to achieve the ultimate goal - one computer per 20
students;
 launch of Tiger University program to support the development of information and
communication technology (ICT) infrastructure and academic ICT staff, and the
infrastructure for post-graduate training.
Further details are available through the related document on the principles of the Estonian
Information Policy 2004 - 2006.
Implementation Plan (2009-2011)
eGovernment in Estonia is part of the broader Information Society Policy under the
responsibility of the Ministry of Economic Affairs and Communications. Therefore
eGovernment strategy is embodied in strategic documents related/focused on information
society and IT. The most relevant recent document is the Implementation Plan for 20092011 of the Estonian Information Society Strategy 2013, giving an overview of the
activities on the Information Technology and Telecommunications front. The main areas of
focus of the implementation plan include to:
 develop the ICT’s export abilities, including international relations, sales and marketing;
 educate labour force on the ICT sector, by popularising the IT field, the quality of
professional education, etc.;
 promote intra-association cooperation;
 facilitate of cooperation with other professional associations on the uses of information
and communication technology;
 cultivate electronic communications;
 increase ICT companies' social responsibility.
[21]
eGovernment in Estonia
January 2015
The Plan seeks to ensure that the development of Estonia is understood, reckoned with and
appreciated as an information society based on the category of information. Thus it aims at
securing the existence of initiatives fostering the development of the information society in
the election platforms of Estonian political parties and boosting ICT management capacities
in the governing system of Estonia. In this view, the Estonian Association of Information
Technology and Telecommunications foresees the creation of a work group focusing on
developing the area of information society, participate in defining the parties’ expectations
on this field, setting the goals and priorities of the activity plan and launching a
development process of the ICT sector’s development programme.
Information Security Policy (2009-2011)
In November 2009, Estonia launched a nationwide Information Security Policy that specifies
and coordinates the upcoming eSecurity-related initiatives. The policy notably aims to
create a secure ‘eEnvironment’ for business and consumers.
The main goal of the Estonian Information Security Policy is to found a secure, securityaware, internationally cooperating and enabling Estonian information society. Specific goals
include the elimination of non-acceptable risks, the defence of basic human rights,
information security awareness and training, participation in international eSecurity-related
initiatives, as well as competitiveness of economy.
Secure eGovernment must be based on appropriate legislation, standards and
procedures, such as security requirements for databases, services, and State
procurement. Regulations in this field are coordinated by the Ministry of Economic Affairs
and Communications, together with the Ministry of Internal Affairs.
Information society Strategy for Local Governments (2008-2011)
In 2008, the Ministry of Internal Affairs elaborated a development plan called 'Information
society strategy for local governments 2008-2011'.
The main aims of the Strategy in question are the following:
 introduce electronic public administration to all local governments;
 develop Internet-based tools for citizens' involvement in the organisation of local life;
 ensure that all local government officials are aware of ICT possibilities;
 develop the preconditions for the use of eServices in all local governments;
 establish organisations for the coordination of information society development in
counties.
Programme for increasing awareness of the information society
(2007- 2013)
The aim of the programme funded by the Structural Funds of the European Union is to
widen the uptake of existing eSolutions; promote the development of new eServices; and
ensure, by raising awareness of information security, the sustainable development of the
information society.
The target groups of the programme include consumers of both existing and future
eServices; parties related to the development of eServices; and entrepreneurs, whose
increased awareness of the information society will increase their motivation to apply IT
[22]
eGovernment in Estonia
January 2015
solutions. In addition, the programme contains activities aimed at increasing the awareness
of opinion leaders and representatives of media, contributing thus to increased interest and
positive attitudes towards new eSolutions.
The programme’s implementation plan for 2007-2008 focused on three action lines:
 inform the general public of electronic functions of the ID card (i.e. electronic
authentication and digital signing);
 introduce the possibilities of the state information system;
 increase awareness about information security.
As part of this programme, a number of campaigns were held to increase the use of the
electronic functions of the ID card; to increase public awareness about threats related to
the use of computers and possibilities to protect oneself against these and to increase
awareness about information security both within the public sector and among the general
public of Estonia
Principles of the Estonian Information Policy (2004-2006)
This strategy set three year long-term objectives for the Estonian information policy:
 introduce eServices to all state agencies together with respective training and
awareness-raising activities for the whole society;
 keep the level of ICT use in Estonia at no less than the average level of the EU, ensuring
thus the efficiency of the Estonian economy and society in general;
 increase the export capacity of the IT sector.
The strategic document underlines that for the short-term, concerning the years 20042006, Estonia would proceed with the following goals:






develop eServices for citizens, entrepreneurs and public sector institutions;
promote eDemocracy, eLearning and eInclusion;
increase the efficiency in the public sector;
facilitate the interaction between the ICT industry and eBusiness;
establish IT security;
cultivate a strong position at the international arena.
Principles of the Estonian Information Policy (1998-2003)
‘Principles of the Estonian Information Policy’ was the first strategic document to present
ICT principles serving as a basis for an action plan for establishing an information society.
The action plan, in turn, is the basis for all Government agencies to present specific
proposals to the Cabinet, on an annual basis, together with schedules, sources of finances
and responsibilities for the implementation of information policy programmes. The
Government foresees the development of an information policy that will:
 promote and ensures democracy in the Republic of Estonia;
 support the development of an information infrastructure;
 create of a competitive economy, especially through demonopolisation, speeding up the
restitution of property, the development of electronic commerce and electronic banking;
 sustain the development of Estonian culture and language, considering also values
deriving from cultural diversity;
 modernise and improve State defence as a result of developments in information
technology.
[23]
eGovernment in Estonia
January 2015
eGovernment Legal Framework
Main legal texts
eGovernment
impacting
on
the
development
of
eGovernment Legislation
Current status
There is currently
legislation in Estonia.
no
overall
eGovernment
Freedom of Information Legislation
Public Information Act (2001)
The first version of the Public Information Act (PIA) took effect in January 2001. A newly
revised, updated Public Information Act entered into force on 1 January 2015, which has
started the transposition of the provisions of the revised Directive (2013/37/EU) into
national law. The Act covers State and Local Agencies, legal entities in public law and
private entities that are conducting public duties including educational, health care, social
or other public services. Any person may make a request for information, which is
registered; the holder of information must respond within five working days. Fees may be
waived, if the information is requested for research purposes. Departments and other
holders of public information have the duty to maintain websites and post an extensive list
of information on the Web. These entities are also required to ensure that the information is
not 'outdated, inaccurate or misleading'. In addition, email requests must be treated as
official requests for information. The Act is enforced by the Data Protection Inspectorate.
Since 1 January 2008, the Act has also been regulating the field of the former Databases
Act (in force from 1997 to 2007).
Digital Signatures Act (2000)
Approved on 8 March 2000, the Digital Signatures Act (DSA) entered into force on 15
December 2000. A newly revised, updated Digital Signatures Act entered info force on 1
July 2014. The Act gives the digital and handwritten signatures equal legal value and sets
an obligation for all public institutions to accept digitally signed documents and a chapter
regulating state supervision and administrative supervision over certification service
providers and time-stamping service providers was included. See a more detailed overview
at Public Key Infrastructure.
Archives Act (1998)
The Archives Act entered into force on 1 May 1998. The Act sets the principles for
collecting, evaluating, archiving, preserving, accessing archival documents and for archiving
activities. It furthermore sets the guidelines for private records entered in the archives'
register and the transfer of ownership of private records also entered in the archives'
register.
Data Protection/Privacy Legislation
System of Security Measures for Information Systems (2008)
[24]
eGovernment in Estonia
January 2015
This Regulation entered into force on 1 January 2008 and establishes the system of security
measures for information systems used for processing the data contained in state and local
government databases and for information assets related therewith. The system consists of
the procedure for the specification of security measures and the description of
organisational, physical and IT security measures to protect data. However, it is underlined
that this Regulation does not apply to security of information systems processing state
secrets.
Consumer Protection Act (2004)
This Act entered into force on 15 April 2004 and it regulates the offering and sale, or
marketing in any other manner, of goods and services to consumers by traders.
Furthermore, it determines the rights of consumers as the purchasers or users of goods or
services, and provides for the organisation and supervision of consumer protection and
liability for violations of this Act. Some minor amendments were included and entered into
force on 1 January 2015 (proceedings and punishments for legal persons).
Personal Data Protection Act (1996)
The Personal Data Protection Act (PDPA) entered into force on 19 July 1996. The Act was
amended in 2003, to be made fully compliant with the EU Data Protection Directive
95/46/EC, and once again amended in January 2008. The Act protects the fundamental
rights and freedoms of persons with respect to the processing of their personal data, in
accordance with the right of individuals to obtain freely any information that is
disseminated for public use.
The 2008 version of the Act introduced several changes. Firstly, the previous classification
of personal data into three groups (non-sensitive personal data, private personal data and
sensitive personal data) has been replaced by two data categories: (1) 'personal data' and
(2) 'sensitive personal data', the latter being the sub-class under special protection.
Secondly, all processed personal data are protected and registered by Chief processors (i.e.
controllers) with the Data Protection Inspectorate, the data protection supervision
authority. Moreover, the new PDPA Act extends all general principles applying to the
processing of personal data and to the processing of the personal identification code
(the unique number assigned to every Estonian citizen and resident). From 1 January 2015
the Data Protection Inspectorate may submit reports concerning significant matters which
have an extensive effect or need prompt settlement which become known in the course of
supervision over compliance with the Act to the Constitutional Committee of the Riigikogu
and the Legal Chancellor.
System of Security Measures for Information Systems (2008)
This Regulation entered into force on 1 January 2008 and establishes the system of security
measures for information systems used for processing the data contained in state and local
government databases and for information assets related therewith. The system consists of
the procedure for the specification of security measures and the description of
organisational, physical and IT security measures to protect data. However, it is underlined
that this Regulation does not apply to security of information systems processing state
secrets.
eSignatures Legislation
Digital Signatures Act (2000)
Approved on 8 March 2000, the Digital Signatures Act (DSA) entered into force on 15
December 2000. The Act provides for the use of digital signatures and digital ink, and the
conditions of certification and oversight procedures for time-stamping services. It, basically,
grants similar legal value to digital and handwritten signatures while setting an obligation
for all public institutions to accept digitally signed documents. The Act introduces the use of
[25]
eGovernment in Estonia
January 2015
digital stamps, namely, the technical and organisational means to set up data collection
system, which uses digital ink-holder of the certificate to prove the integrity of the digital
document and a document of their relationship. The Act was amended on 31 December
2007, and its last amendment took place on 31 December 2010.
eCommerce Legislation
Information Society Services Act (2004)
The information society services act was passed on 14 April 2004 and entered into force on
1 May 2004. It implements EU Directive 2000/31/EC on certain legal aspects of information
society services, in particular electronic commerce, in the Internal Market. It establishes
the requirements pertaining to information society service providers, as well as the
organisation of supervision and liability in the case of violation of these requirements. The
Act was lastly amended on 21 January 2010.
eCommunications Legislation
National Broadcasting Act (2007)
The National Broadcasting Act entered into force on 1 June 2007, providing the legal status,
objective, functions, financing, and organisation of management and activities of the
Estonian National Broadcasting. The objective of National Broadcasting is to assist in the
performance of the functions of the Estonian state provided by the Constitution of the
Republic of Estonia.
Electronic Communications Act (2004)
The Electronic Communications Act was passed on 8 December 2004 and entered into force
on 1 January 2005 in order to implement the EU Regulatory Framework for Electronic
Communications.
The purpose of this Act is to create the necessary conditions to promote the development of
electronic communications networks and communications services while ensuring the
protection of the interests of users of such services. The Act provides requirements for:
publicly available electronic communications networks and communications services; radiocommunication; management of radio frequencies and numbering; apparatus and State
supervision over the compliance with the requirements. The Act was lastly amended on 16
January 2011 and entered into force on 1 January 2015. It is already known that there will
be new amendments which will enter into force 1 January 2016.
eProcurement Legislation
Public Procurement Act (2007)
A new Public Procurement Act came into force in May 2007, thus transposing the EU
Directives on public procurement (2004/17/EC and 2004/18/EC). It includes legal
provisions enabling the further development of eProcurement (eAuctions, Dynamic
Purchasing System, eCatalogues etc.) so as to give better opportunities for taking forward
a fully electronic Procurement tendering process.
It is worth mentioning that the previous version of the Public Procurement Act (October
2000) had already established rules for the eNotification of public tenders through the
country’s Public Procurement State Register.
[26]
eGovernment in Estonia
January 2015
In order to implement EU directives 2014/24/EC, 2014/25/EC and 2014/23/EC the
legislative process is currently under way and the new Public Procurement Act should come
into force 1 April 2016.
Re-use of Public Sector Information (PSI)
Public Information Act (2001)
The Public Information Act covers the provisions of the EU Directive 2003/98/EC on the reuse of public sector information (PSI). Estonia thus notified full transposition of the PSIdirective in July 2009.
Transposition of the EU Directive 2013/37/EU into Estonian legislation is currently under
way.
[27]
eGovernment in Estonia
January 2015
eGovernment Actors
Main roles and responsibilities
National eGovernment
Policy/Strategy
Ministry of Economic Affairs and Communications
The Ministry of Economic Affairs and Communications holds political responsibility for the
development of the State information policy. It elaborates the state's economic policy and
economic development plans, while also drafts the respective legislation bills, in a variety of
fields, among which, informatics, development of state information systems, research, and
development and innovation.
Department of State Information Systems (RISO)
The Department of State Information Systems (RISO) of the Ministry of Economic Affairs
and Communications plays a major role in the elaboration of the Estonian information
society Policy. It embarks on developing information society-related activities in the field of
information technology and on the preparation of draft legislation in the relevant fields.
RIO's strategic tasks include the coordination of state IT-policy actions and development
plans in the field of state administrative information systems (IS), such as state IT budgets,
IT legislation, coordination of IT projects, IT audits, standardisation, IT procurement
procedures and international cooperation in the field of state IS.
Estonian Association of Information Technology and Telecommunications (ITL)
The ITL is a non-profit organisation, aiming to unite the Estonian information technology
and telecommunications companies; to promote their co-operation in Estonia's
development towards information society; to represent and protect the interests of its
member companies and to express their common positions.
The main activities of the association include the popularisation of information and
communication technology (ICT), promotion of vocational education and amendment of
legislation.
e-Estonia Council
The e-Estonia Council created in 2014 (formerly Estonian Informatics Council) is a
government committee that directs the development of digital society and e-governance in
Estonia.
Five experts and ICT sector representatives and three ministers are members of the
Council. It is chaired by Prime Minister. Other government institutions and experts are
involved in the work upon need.
Coordination
Department of State Information Systems (RISO)
The Department of State Information Systems (RISO), as part of the Ministry of Economic
Affairs and Communications, is the main actor in coordinating governmental ICT policy and
information society policy. In more detail, RISO coordinates: the state information policy
and the consequent development of sustainable energy development projects in the
initiation and implementation of information society; the development of national
[28]
eGovernment in Estonia
January 2015
information systems regarding international cooperation within its jurisdiction and the
initiated national information systems related to IT standardisation.
Department of Information Society Services (ITAO)
ITAO, also a department of the Ministry of Economic Affairs and Communications, coordinates the development of public sector services. It elaborates and disseminates
different guidelines and manuals regarding common quality criteria for public services, lifecycle approach to public service development, choice of service channels etc.
Estonian Information System's Authority (EISA)
Since 1 June 2011, the Estonian Informatics Centre has been re-organised to the Estonian
Information System's Authority (EISA). The Authority's mission is to "coordinate the
development and management information system so that Esthonian citizens are served in
the best possible way." It coordinates all Public Key Infrastructures related to the operation
of ICT and Information Technology, like the State portal www.eesti.ee, the middleware
system X-Road, the Government backbone network EEBone, the administration system of
the State information system (RIHA) and the electronic document exchange centre (DVK).
It is also liable to coordinate the state information system development projects and the
preparation and participation in international projects. Finally, EISA also monitors the
legislation process concerning the management information system requirements.
Estonian Association of Information Technology and Telecommunications (ITL)
The ITL is a non-profit organisation whose primary objectives are to: coordinate the cooperation of the Estonian information technology and telecommunications companies,
educational institutions and promote their co-operation towards the development of
information society in Estonia. Main activities of the association include the popularisation
of ICT and the amendment of legislation. The central coordination provided by ITL, deals
with strategic planning, setting priorities, ensuring financing and creating cooperation
networks while ensuring their functionality.
e-Estonia Council
The e-Estonia Council created in 2014 (formerly Estonian Informatics Council) is a
government committee that directs the development of digital society and e-governance in
Estonia.
Five experts and ICT sector representatives and three ministers are members of the
Council. It is chaired by Prime Minister. Other government institutions and experts are
involved in the work upon need.
Implementation
Department of State Information Systems (RISO)
The Department of State Information Systems, part of the Ministry of Economic Affairs and
Communications, is responsible for the development and the implementation of State IT
strategies at central level.
Estonian Information System's Authority (EISA)
EISA implements Estonia’s national eGovernment strategy, through the State portal
www.eesti.ee, the EEBone network, the State information system (RIHA) and the electronic
document exchange centre.
Government Departments and Agencies
Government Departments and Agencies are responsible for the implementation of the
departmental eGovernment projects falling within their respective fields of competence.
Since Estonia is a highly decentralised country when it comes to the information society
[29]
eGovernment in Estonia
January 2015
organisation, they play a very important role in the implementation of action plans and
projects.
Support
Estonian Informatics Council
Besides its role in coordination and policy formulation, the Estonian Informatics Council is
an expert committee advising the Government on ICT matters in a horizontal manner.
CERT Estonia
The Computer Emergency Response Team of Estonia (CERT Estonia), established in 2006,
is an organisation responsible for the management of security incidents in '.ee' computer
networks. Its duty is to assist Estonian Internet users in the implementation of preventive
measures in order to reduce possible damage from security incidents and to help them in
responding to potential security threats. CERT Estonia deals with security incidents that
occur in Estonian networks or incidents that have been notified of by citizens, or institutions
either in Estonia or abroad.
Estonian Information Technology Foundation (EITF)
EITF is a non-profit organisation aiming to assist in the preparation of the highly qualified
IT specialists and to support information and communication technology-related
developments in Estonia. For these purposes, the Foundation has established and manages
the Estonian IT College and administers ’Tiger University’, the National Support Programme
for ICT in Higher Education.
eGovernance Academy
The eGovernance Academy is a non-governmental, non-profit organisation, which aims to
promote the use of ICT in the work of Government and in democratic practices. Its mission
is to train and advise leaders and stakeholders in using information and communication
technology (ICT) to increase government efficiency and to improve democratic processes
with the aim of building open information societies. The Academy is a regional learning
centre set up by the Republic of Estonia, the United Nations Development Programme
(UNDP) and the Information Programme of the Open Society Institute.
Audit/Assurance
National Audit Office
The role of the National Audit Office (Riigikontroll) is to promote reforms while supporting
public bodies in their efforts to create, through their activities and services, best value for
the taxpayers. In this context, the National Audit Office assesses the performance
(economy, efficiency and effectiveness) and regularity of the activities of Public
Administration, and furthermore provides recommendations to assist the Parliament and
the Government in improving the operation of the State.
Data Protection
Personal Data Protection Inspectorate (DPI)
The Personal Data Protection Inspectorate is an independent agency placed under the
authority of the Ministry of Justice. The DPI supervises the legality of the processing of
personal data and databases, as well as the organisation of data protection activities. To
accomplish that, it acts as: a commissioner (ombudsman) and preliminary court; an auditor
and a licensor; an educator and consultant; a designer of legal practices; a political
consultant and an enforcer and a punisher.
AS Sertifitseerimiskeskus
[30]
eGovernment in Estonia
January 2015
AS Sertifitseerimiskeskus (SK) is the Certification Authority (CA) providing certificates for
the Estonian electronic ID card and related services pertaining to the use of these
certificates while giving legally-binding digital signatures. The authority's mission is to
ensure the reliability and integrity of the electronic infrastructure underpinning the Estonian
'eID card' project, and to offer reliable certification and time-stamping services. It also
functions as a competence centre for the eID card and spreads the knowledge necessary
for creating electronic applications for the card. To this end, AS Sertifitseerimiskeskus has
created 'DigiDoc', a universal system for giving, processing and verifying digital signatures.
'DigiDoc' can be connected to any existing or new software, but its components are also a
stand-alone client programme and web portal.
Regional & Local eGovernment
Policy/Strategy
Estonian Ministry of the Interior
The Estonian Ministry of the Interior has prepared a ‘Municipalities Information Society
Programme’ for the period 2008-2011 and an Action Plan for the years 2008-2011.
Other
Association of Estonian Cities
The Association of Estonian Cities is a voluntary union established for representing the
common interests and arranging co-operation among cities and rural municipalities. The
Association’s main goal is to ensure the development of Local Governments through joint
activities. The Association is also in charge of the Local Government Portal (KOP) created
2003, providing information, news and any development related to local government.
Association of Municipalities of Estonia
This Association gathers the majority of Estonian rural municipalities within the 15 Estonian
counties, communicating between them through a dedicated Intranet system, bringing
together local government units, and contributing to the development and strengthening of
self-government administration and decentralisation of power under the principles of
democracy.
[31]
eGovernment in Estonia
January 2015
eGovernment Who’s Who
Main eGovernment decision-makers and executives
Minister responsible for eGovernment
Urve Palo
Minister for Economic Affairs and Communications
Contact details:
Ministry for Economic Affairs and Communications
Harju 11
15072 Tallinn
Tel.: +372 62 56 304
Fax: +372 63 13 660
E-mail: [email protected]
Source: http://mkm.ee
Government CIO
Taavi Kotka
Deputy Secretary
Information System
General
for
Communications
and
State
Contact details:
Ministry of Economic Affairs and Communications
Address: 11 Harju St, 15072 Tallinn, Estonia
Tel.: +372 63 97 680
Fax: +372 63 13 660
E-mail: [email protected]
Source: http://mkm.ee
Head of eGovernment
Aet Rahe
Head of State Information Systems Department (RISO)
Contact details:
Harju 11, 15072 Tallinn, Estonia
Tel.: +372 63 97 640
Fax: N/A
E-mail: [email protected]
Source: http://riso.ee/en/department-state-information-systems
[32]
eGovernment in Estonia
January 2015
National ICT Policy Advisor
Siim Sikkut
Head of State Information
Government Office of Estonia
Systems
Department
(RISO),
Contact details:
Stenbocki maja, Rahukohtu 3, 15161 Tallinn
Tel.: +372 69 35 626
Fax: N/A
E-mail: [email protected]
Source: http://valitsus.ee/et/
Information Society Services
Janek Rõzov
Director, Department of Information Society Services
Contact details:
Ministry of Economic Affairs and Communications
Address: 11 Harju St, 15072 Tallinn, Estonia
Tel.: +372 62 56 364
Fax: +372 63 13 660
E-mail: [email protected]
Source: http://mkm.ee/2581/
Head of Information Society Division
Karin Rits
Head of Information Society Division Information Systems
Department (RISO)
Contact details:
Ministry for Economic Affairs and Communications
Harju 11, 15072 Tallinn, Estonia
Tel.: +372 63 97 640
Fax: +372 63 13 660
E-mail: [email protected]
Source: http://www.riso.ee/en
[33]
eGovernment in Estonia
January 2015
National ICT Coordinator
Ave Lauringson
State Information Systems Department (RISO)
Contact details:
Harju 11, 15072 Tallinn, Estonia
Tel.: +372 63 96 40
Fax: N/A
E-mail:[email protected]
Source: http://riso.ee/en/
e-Government executive
Taimar Peterkop
Director General of the Estonian Information System's Authority
(EISA)
Contact details:
Estonian Information System's Authority (EISA)
Pärnu mnt 139a
15169 Tallinn
Tel.: +372 66 30 200
Fax: +372 66 30 201
E-mail: [email protected]
Source: http://www.ria.ee/
[34]
eGovernment in Estonia
January 2015
eGovernment Infrastructure
Main eGovernment infrastructure components
Portals
'eesti.ee': eGovernment portal
Estonia’s eGovernment portal was first launched in March 2003 on the basis of the 'eCitizen'
project which was initiated in 2002. Since then, the portal has been constantly renewed. In
the last quarter of 2007, a new version of the portal merged the former ‘State Information
portal’ and the ‘Citizen portal’, creating a single integrated service. This portal coordinates
the information provided and the services offered by various State institutions. It features a
safe Internet environment for communication with the State and offers reliable information
and eSolutions for citizens, entrepreneurs and officials respectively. The access to relevant
information and eServices on the portal indeed depends on whether the user is a citizen,
entrepreneur or State official.
The State portal’s environment allows users authenticated with their national eID card to:
access and check their personal details; perform transactions with municipal and
Government bodies; complete and convey online forms and applications; sign documents
digitally; create email addresses with the suffix @eesti.ee; and receive email or SMS
notifications. In addition, it gives access to other registry services (e.g. the Forest Registry)
on more than 20 national databases. Based on the data held in the State Commercial
Register, entrepreneurs using the portal can access transactional services for businesses.
'DigiDoc' portal
'DigiDoc' portal is available for Estonian ID-card and Estonian and Lithuanian Mobile-ID
users and allows for digital signing, verification of validity of digital signatures, forwarding
of documents to other users of the portal and receiving documents from other users of the
portal. The DigiDocService provides a quick and easy way to raise the security of any web
service to meet the highest demands. It makes it possible to carry out authentication based
on strong authentication devices from different vendors and provides service providers with
the opportunity to enter legal signatures on any created data within their service, which
provides long-term validity and proof of action in courts across the EU.
Rural Municipality Portal
The portal was launched in February 2011 by the Estonian Government, with the view to
increase the transparency of local governments and expand citizen participation. The
concept of the portal is innovative as it is based on an open source content management
tool, which allows for easy and uniform site administration. The developed solution includes
a standard website structure for local governments, tools for site administration and built-in
interfacing with public registers.
Network
ASOnet's 'EEBone'
'EEBone' (PeaTee) is the broadband network of data communication among Government
institutions. It is a Government-wide backbone network, connecting more than 20 000
computers from all Government offices across the country, providing secure access to the
Internet and the Government's Intranet. The network was launched in October 1998, and
[35]
eGovernment in Estonia
January 2015
its development was based on the backbone network 'ASONet' elaborated by the Border
Guard Administration, the Customs Board and the Police Board in 1993. The network
currently provides approximately 50 % of all administrative services to the various
associations.
The Estonian Information System's Authority (EISA) is highly involved in running the
network, either as a mediator of customised value-added data services, or as a provider of
customer service. The use of the backbone network is financed centrally from the State
budget and is free-of-charge for subscribed clients. Clients only have to pay to access the
backbone network and to determine the access connection service themselves.
X-Road Middleware
Launched in December 2001, the 'X-Road' (X-Tee) is a middle-tier data exchange layer
enabling Government databases to communicate with each other. It was initially developed
as an environment facilitating the formulation of queries to different databases in a
standardised way. The system allows officials, as well as legal and natural entities to search
data from national databases over the Internet within the limits of their authority, using a
unified user interface.
In addition, the system has been further developed to enable the creation of eServices
capable of simultaneously using data held in different databases. Several extensions have
thus been developed for the 'X-Road' system. These include: writing operations to
databases, transmitting huge data sets between information systems, performing
successive search operations of data in different data sheets, providing services via web
portals.
The 'X-Road', as one of the cornerstones of the Estonian State Information system, offers
the following services: authentication; authorisation; MISP (mini-portal system); register of
simple queries; queries to various databases and registers; opportunities to write registers;
sending large amounts of data over the Internet; secure data interchange, recording logs
and search tracking option; running of citizen portal and operator's portal; central and local
monitoring and collection service description in a special database (WSDL mode).
eIdentification/eAuthentication
Electronic ID card
Estonia started issuing national ID cards in January 2002. The card, which fulfils the
requirements of Estonia’s Digital Signatures Act, is mandatory for all Estonian citizens and
residing foreigners over 15 years of age; applications can be made online. It is meant to be
the primary document for identifying citizens and residents and is used in any form of
business – governmental or private communications. It is furthermore a valid travel
document within the EU. Since 1 January 2007, the card issued by the Citizenship and
Migration Board, has become valid for 5 years (instead of 10 years in the past). The IDcard can be used to vote electronically (since 2005), create a business, verify banking
transactions, be used as a virtual ticket, and view medical history (since 2010). As of
January 2012, more than 1.1 million people in Estonia (almost 90 % of inhabitants) have
ID cards.
In addition to being a physical identification document, the card has advanced electronic
functions facilitating secure authentication and providing a legally binding digital signature
for public and private online services. An electronic processor chip contains a personal data
file, a certificate for authentication (along with a permanent email address
[email protected] for eCommunications with the public sector), a certificate for
digital signature, and their associated private keys, protected with PIN codes. The
certificates contain only the holder's name and personal code (national ID code). The data
[36]
eGovernment in Estonia
January 2015
file is valid as long as the identity card is, and so are the certificates, which thus have to be
renewed every five years.
Mobile-ID
'Mobile-ID' is the ID-card based identity verification and digital signature solution for users
of mobile phones in Estonia. This means that the mobile phone, based on a standardised
SIM application, will act as a secure signing device. Thus, similarly to the eID card, the
mobile-ID enables authentication and digital signing of documents, bearing the same
legal value. The user’s certificates are maintained on the telecom operator’s SIM card; to
use them, the user has to enter a PIN code.
The new mobile-ID service (wireless PKI) was launched in May 2007 by the mobile operator
EMT, in co-operation with several banks and the Certification Centre, AS
Sertifitseerimiskeskus. This service allows accessing Internet banking services without
entering eBanking codes. To authenticate oneself securely with the mobile-ID, the user will
click on a dedicated button in the web environment. Upon completion of this action, s/he
will be requested to enter his/her authentication PIN number. Once this operation has been
completed, authentication is performed. The same process applies to the signing of digital
documents. In addition, mobile phones can be used to pay for car parking (m-parking) by
phoning a certain number or sending an SMS. To inform the parking controller that the
payment is being effected by phone, an m-parking sticker is stuck on the windshield or the
right-side window of the vehicle. The m-ticket service allows the user to purchase a ticket
on public transport without cash. It is also possible to buy theatre tickets and pay at the
grocery store using a mobile phone.
The main advantages of the mobile-ID include user-friendliness and convenience; the
computer no longer needs to be equipped with a card reader, or have a special additional
software installed.
ePassport
To comply with EU regulation 2252/2004/EC on standards for security features and
biometrics in passports and travel documents issued by Member States, the systems of the
Estonian Citizenship and Migration Board (CMB) have undergone considerable changes that
have been implemented step-by-step. The first biometric passports were delivered as of
22 May 2007, containing the holder's biometrical data. Changes in the organisation of work
and supporting systems of the CMB are planned to occur at both customer service and
document issuance systems’ levels.
eProcurement
eProcurement Estonia
The Estonian eProcurement environment enables Contracting Authorities to carry out a
procurement procedure from start to end in the same web environment - prepare and
publish notices, upload tender documents, receive eTenders, award contracts and carry out
dynamic purchasing systems and eAuctions. Authorities are also able to communicate with
interested persons and tenderers and carry out inquiries into other state registers, for
example to check payment of taxes or registration in the Commercial Register. The
environment is divided into the Information Portal and the Public Procurement Register.
Instructions and guides are available in the portal while procurements are published in the
Public Procurement Register.
Public Procurement State Register
Established in 2001 and maintained by the Public Procurement Office, the Public
Procurement State Register is a register where all public procurement notices are published
[37]
eGovernment in Estonia
January 2015
electronically. The register uses CPV standards in the catalogue, and all the information in
the register is publicly accessible over the Internet, free-of-charge.
Knowledge Management
Document Exchange Centre (DVK)
The document exchange centre is an information system providing a common central
document exchange service for various enterprise content management (ECM) systems, as
well as other information systems dealing with documents. The Centre is responsible for
interfacing dispersed information systems (via the X-Road Middleware); preserving
documents in the short-term; processing documents in the near future; and support
services in the proceeding of documents.
The DVK is an infrastructure for the transmission of documents (i.e. a mediation layer for
document exchange services of information systems) relying on the X-Road as a transportlevel infrastructure. These can be letters, draft legislation, financial documents (including
eInvoices and payment orders), electronic forms and documents related to public
procurement procedures).
'eKool' web application
'eKool' is a simple web application that connects all education stakeholders in an easy way
over the Internet, helping them to collaborate and organise their teaching/learning related
information. 'eKool' is available as either a direct web service for end users, or as a hosted
white label service for distributing/promoting partners.
Other Infrastructure
Administration System of the State information system (RIHA)
The objective of RIHA is to ensure the interoperability of public sector information
systems and the re-use of technical, organisational and semantic resources, so as to give a
clear view of the State registers and the services provided by them. The creation and
maintenance of Government databases is governed by the Public Information Act of 2007
which establishes an Administration System for State information systems (RIHA), where
all the databases and information systems must be registered.
RIHA includes metadata about existing public sector databases – ranging from the
information on the administrators of the databases to the eServices offered and the
technical data concerning the environment/platform. Registration in RIHA is web-based;
the user is authenticated and permissions are given by using the national electronic ID
card.
In the same web-based environment, requests to other information systems can be made
in order to launch a new X-road-based service. RIHA additionally administers two
supporting systems of State registers: the system of classificators and the address data
system. The system of integrated registers allows applying new principles of administrative
arrangements: citizen-orientation, flexibility, swiftness, as well as cost and time
effectiveness for both the citizens and the State.
[38]
eGovernment in Estonia
January 2015
eGovernment Services for Citizens
Availability and sophistication of eServices for Citizens
The information in this section presents an overview of the 20 basic public services, which
were identified by the European Commission and Member States, in the eEurope initiative
of 2000, to measure the take-up by businesses and citizens of electronically-available
public services.
The 12 services for citizens are as follows:
1.
Income taxes: declaration, notification of assessment
2.
Job search services by labour offices
3.
Social security benefits
4.
Personal documents: passport and driver’s licence
5.
Car registration (new, used, imported cars)
6.
Application for building permission
7.
Declaration to the police (e.g. in case of theft)
8.
Public libraries (availability of catalogues, search tools)
9.
Certificates (birth and marriage): request and delivery
10. Enrolment in higher education/university
11. Announcement of moving (change of address)
12. Health related services (interactive advice on the availability of services in different
hospitals; appointments for hospitals)
1. Income taxes: declaration, notification of assessment
Responsibility:
Central Government, Tax and Customs Board
Website:
http://www.emta.ee/?lang=en
Description:
The eTaxBoard (eMaksuamet) enables taxpayers to file, view and correct
their income tax returns online and to check their tax account balances.
Citizens can use their electronic ID card as the identification method for
accessing eTaxBoard. Those having submitted their tax returns online can
benefit from accelerated tax refunds.
2. Job search services by labour offices
Responsibility:
Central Government, Unemployment Insurance Fund
Website:
http://www.tootukassa.ee/?lang=en
Description:
The website provides an updated list of all job offers at national and
regional labour offices in Estonia, with a short description of each job,
deadlines for application and contacts for applying.
[39]
eGovernment in Estonia
January 2015
3. Social security benefits
a. Unemployment benefits
Responsibility:
Central Government, Estonian Unemployment Insurance Fund
Website:
http://www.tootukassa.ee/?lang=en
Description:
Information and forms to download.
b. Child allowances
Responsibility:
Central Government, Social Insurance Board
Website:
http://www.eesti.ee/eng/teemad/perekond/riigi_rahaline_abi_lastega_pere
dele/pere_ja_lastetoetused/
Description:
Pursuant to the Parental Benefit Act, the online Parental Benefit service was
launched at the beginning of 2004. The service is 100 % electronic:
persons without Internet access can go to the Social Insurance Board to
submit their application, but even there the application is filed electronically
with the assistance of Insurance Board employees. The whole process is
paperless. Based on the X-road middleware system connecting different
State databases, this service does not require citizens to submit data
already known by the State.
c. Medical costs (reimbursement or direct settlement)
Responsibility:
Central Government, Estonian Health Insurance Fund
Website:
http://www.eesti.ee/eng/teemad/health_care/health_insurance/
Description:
The Health Insurance Fund covers the cost of health services required in
case of illness regardless of the amount of social tax paid by each citizen.
Since there is no refund system in Estonia, if the health service provider
has a contract with the Estonian Health Insurance Fund, then all costs are
directly paid to him/her by the Fund. The patient pays only a reduced
personal, non-refundable contribution. If the health service provider does
not have a contract, the patient must pay for the health service
himself/herself. Internet banking clients or holders of the Estonian eID card
can use eServices available through the national portal to check the validity
of their health insurance, their address and the payment of sickness
benefits.
d. Student grants
Responsibility:
Central Government, Ministry of Education and Research, Higher Education
institutions
Website:
http://www.hm.ee/?1
Description:
With the Study Allowances and Study Loans Act (2003), Estonia has
established a system of study allowances and created the possibilities to
obtain study loans. The main objective of the system of study allowances,
only accessible at a certain level of income and for students who
successfully progress in their studies, is to motivate students to study full
time and successfully complete the study programme within the nominal
period. Study loans secured by the State intend to give full-time students
who are not entitled to receive study allowances the possibility to finance
their studies. Applications, attributions and payments of study grants are
managed directly by Higher Education institutions.
[40]
eGovernment in Estonia
January 2015
4. Personal documents: passport and driver’s licence
a. Passport
Responsibility:
Central Government, Police and Border Guard Board
Website:
http://www.politsei.ee/en/teenused/isikut-toendavad-dokumendid/eestikodaniku-pass/
Description:
Information and application forms to download. The website allows for
online application for ID documents. This service requires the use of an
electronic signature.
b. Driver’s licence
Responsibility:
Central Government, Estonian Road Administration Department
Website:
http://www.mnt.ee/index.php?id=12659
Description:
Information only. Applications must be submitted in person at the Estonian
Road Administration Department.
5. Car registration (new, used, imported cars)
Responsibility:
Central Government, Estonian Road Administration Department
Website:
http://www.mnt.ee/index.php?id=10663
Description:
Information and forms to download. Car registration applications must be
submitted in person at the Estonian Road Administration Department
(ARK).
6. Application for building permission
Responsibility:
Local Government
Website:
http://www.eesti.ee/eng/teemad/eluase/eluaseme_soetamine/ehitus_ja_re
mont/
Description:
Information only. Planning permission applications are handled by local
authorities.
7. Declaration to the police (e.g. in case of theft)
Responsibility:
Central Government, Estonian Police
Website:
http://www.politsei.ee/en/
Description:
An online crime reporting service is available on the website of the Estonian
Police.
8. Public libraries (availability of catalogues, search tools)
Responsibility:
Central Government, National Library of Estonia
Website:
http://www.libdex.com/country/estonia/tallinn/library_22677.html
Description:
Online catalogue and reservation facility.
[41]
eGovernment in Estonia
January 2015
9. Certificates (birth, marriage): request and delivery
Responsibility:
Local Government
Website:
http://www.eesti.ee/eng/teemad/perekond/
Description:
Information only. Requests for certificates are handled by the local
authorities.
10. Enrolment in higher education/university
Responsibility:
Central Government, Higher Education institutions
Website:
https://www.sais.ee/index_en.html
Description:
Enrolment in higher education is managed by Higher Education institutions.
An enrolment information system called SAIS (SissAstumise InfoSüsteem)
has been developed to enable the entire enrolment, processing, decisionmaking and information in a single environment on the Internet for
participating universities. The system uses the eID card as an
authentication tool. It can however be entered through one of the Estonian
Internet Banks. Since the results of high school examinations are already in
the online database, students can see immediately if they have been
accepted to a participating university.
11. Announcement of moving (change of address)
Responsibility:
Central Government (Estonian Population Register)/Local Government
Website:
http://w3.andmevara.ee/?lang=en
Description:
On the Estonian Population Register’s website, it is possible for citizens to
make the announcement of moving by sending a digitally signed document.
In that case, a person is automatically identified. Consequently, there is no
need for any other identifying document.
12. Health related services (interactive advice on the availability of services in different
hospitals; appointments for hospitals)
Responsibility:
Ministry of Social Affairs
Website:
http://www.digilugu.ee/portal/page/portal/Digilugu/ETerviseProjektid
Description:
The East Tallinn Central Hospital became the first in Estonia to introduce an
ePatient portal in April 2008. Patients can access the portal from the
hospital’s website. Through the portal, patients can view their medical
records, book doctors’ appointments and pay consultation fees. It is also
possible to order an appointment reminder via SMS or email. The project
consists of four sub-projects: Electronic Health Record (EHR); Digital
Imaging; Digital Prescription; and Digital Registration.
[42]
eGovernment in Estonia
January 2015
eGovernment Services for Businesses
Availability and sophistication of eServices for Businesses
The information in this section presents an overview of the 20 basic public services, which
were identified by the European Commission and Member States, in the eEurope initiative
of 2000, to measure the take-up by businesses and citizens of electronically-available
public services.
The 8 services for businesses are as follows:
1.
Social contributions for employees
2.
Corporate tax: declaration, notification
3.
VAT: declaration, notification
4.
Registration of a new company
5.
Submission of data to statistical offices
6.
Customs declarations
7.
Environment-related permits (incl. reporting)
8.
Public procurement
1. Social contributions for employees
Responsibility:
Central Government, Tax and Customs Board
Website:
http://www.emta.ee/
Description:
Estonian employers are required by law to pay ‘social tax’ for all persons
employed. The tax rate is 33 % of the taxable salary. 20 % is allocated to
pension insurance and 13 % to health insurance. The social tax can be
calculated, filed and paid online using the eTaxBoard (eMaksuamet).
2. Corporate tax: declaration, notification
Responsibility:
Central Government, Tax and Customs Board
Website:
http://www.emta.ee/
Description:
The eTaxBoard (eMaksuamet) enables corporate taxpayers to file, view and
correct their corporate tax returns online, and view their tax account
balances.
3. VAT: declaration, notification
Responsibility:
Central Government, Tax and Customs Board
Website:
http://www.emta.ee/
Description:
The eTaxBoard (eMaksuamet) enables corporate taxpayers to view their
VAT returns, submit VAT refund applications and view their tax account
balances.
[43]
eGovernment in Estonia
January 2015
4. Registration of a new company
Responsibility:
Central Government, Centre of Registers and Information Systems
Website:
https://ariregister.rik.ee/
Description:
The Centre of Registers and Information Systems is a State Agency
working under the Ministry of Justice. Its main function is the
administration of a number of central databases and registers, e.g. the
Estonian enterprises register. Since February 2007, entrepreneurs have
been enabled to submit data to the Commercial Register through the new
Company registration portal. They can submit registry documents
processed within the next working day, at the earliest. Persons are
identified and procedures are performed using the Estonian eID card and
digital signature. Information only. Company registration services are
handled by local courts.
5. Submission of data to statistical offices
Responsibility:
Central Government, Statistical Office of Estonia
Website:
https://estat.stat.ee/
Description:
Data can be submitted electronically to the Statistical Office. The eSTAT is
a web-based channel which has been available since February 2006 for
filing official statistical reports. It offers an operational overview of the
reports filed through different channels in the Statistical Office, as well as
contacts with the providers of these reports.
6. Customs declarations
Responsibility:
Central Government, Tax and Customs Board
Website:
http://www.emta.ee/
Description:
The Estonian Tax and Customs Board developed an eCustoms application
(eToll) that enables online filing of customs declarations. A web-based
system called COMPLEX was launched in May 2006 for processing customs
declarations. This system can be used from every computer with Internet
access. The Tax and Customs Board updates and maintains the system on
a day-to-day basis: users do not have to do it themselves; that allows
greater savings for enterprises. Customs declarations can also be drawn up
and submitted in XML-format. To use COMPLEX, a client can enter the
eTaxBoard, via the Tax and Customs Board's web-page, or an Internet
bank.
7. Environment-related permits (incl. reporting)
Responsibility:
Central Government, Ministry of the Environment, Estonian Environment
Information Centre
Website:
http://klis.envir.ee/
Description:
Fully transactional service.
[44]
eGovernment in Estonia
January 2015
8. Public procurement
Responsibility:
Central Government, Public Procurement Office
Website:
https://riigihanked.riik.ee/
Description:
Established in 2001, the Public Procurement State Register is an 'eTenders'
portal where all public procurement notices are published electronically.
[45]
eGovernment in Estonia
January 2015
European Commission
The factsheets present an overview of the state and progress of eGovernment in European
countries.
Jounup is a joint initiative by the Directorate General for Informatics (DIGIT) and the Directorate
General for Communications Networks, Content & Technology (DG CONNECT).
Contributor: Karin Rits, Head of Information Society Unit, Estonia
Production/Publishing: ISA Editorial Team, Kurt Salmon S.A.
[46]
An action supported by ISA
This action is supported by ISA, the European
Commission’s programme for interoperability solutions
for European public administrations.
Why ISA?
Administrative procedures have the reputation of being
lengthy, time-consuming and costly.
Electronic collaboration between public administrations
can make these procedures quicker, simpler and cheaper
for all parties concerned, in particular when transactions
need to be carried out cross-border and/or cross-sector.
ISA supports this type of electronic collaboration.
With more than 40 actions it provides tools, services
and frameworks for the modernisation of public
administrations in Europe, across e-borders and sectors.
More on the programme:
http://ec.europa.eu/isa/
Contact ISA:
[email protected]
E-identity as a business
Case studies and lessons learned in networked identity
Peter Valkenburg, Wouter Meijers (Everett)
Douwe Lycklama, Vincent Jansen (Innopay)
Sponsored by
1
Table of Contents
1
Management summary .................................................................................................... 3
2
Understanding networked e-identity .............................................................................. 4
3
4
2.1
Why e-identity? ...................................................................................................... 4
2.2
What is the problem? ............................................................................................. 5
2.3
How is e-identity provided? ................................................................................... 5
Introducing e-identity solutions ..................................................................................... 7
3.1
A world of two-party networks .............................................................................. 7
3.2
Towards an open model: three-corner networks ................................................... 8
3.3
The generic e-identity model explained further ..................................................... 9
3.4
Key characteristics of an e-identity service .......................................................... 10
Case studies ................................................................................................................. 11
4.1
OpenID ................................................................................................................ 12
4.2
CardSpace ............................................................................................................ 18
4.3
Google Apps ........................................................................................................ 23
4.4
DigiD ................................................................................................................... 27
4.5
Estonian e-ID card ............................................................................................... 30
4.6
BankID ................................................................................................................. 33
4.7
SURFfederatie ....................................................................................................... 35
5
Conclusions .................................................................................................................. 39
6
About Innopay .............................................................................................................. 42
7
About Everett ................................................................................................................ 43
© Everett, Innopay (2010)
Reviewed by Kick Willemse (Evidos)
2
1 Management summary
After many trials, pilots, successes and failures the identity market is still finding its shape
and size. Its crucial role in the development of e-business is not disputed and more and
more the subject is coming out of the „technology geek scene‟. Business people become
interested, since networked e-identity, which we define as “identity across organisational
boundaries”, can be regarded as „the mother of all transactions‟. In the generic end-to-end
trade process, identity is at the heart of each step: contract, order, shipment, invoice,
payment and tax settlement. Service providers in all forms and shapes see opportunities,
also „in the cloud‟, enabling previously unheard scalability.
The upshot of this is that e-identity should develop out of the positioning of a pure „cost‟,
„control‟ and „compliance‟ subject into a growth-enabling topic. E-identity develops from an
enterprise identity to networked identity, were it becomes a two-sided market with two
distinct user groups: end users and service providers (aka „relying parties‟) who can grow
revenues en lower costs by offering better e-services to their clients.
This paper aims to discuss some of today‟s main e-identity business propositions, including
their business models. The main observations are:
a. Success is for providers and solutions who clearly serve the distinct needs of end-users,
and service providers. If one of them is underserved, the solution will not scale well.
b. Governments are still a major driver for e-identity, but long term success comes when
the private sector is included, simply because users then have more need for usage.
c. Different solution approaches exists, all with their own right of existence. Mass adoption
and success will only come when interoperability is secured, enabling more rapid
growth.
The document starts with an explanation of the business of e-identity (chapter 2) and a
generic framework with which networked e-identity solutions can be analysed (chapter 3).
Based on various cases in the public and private sector including cloud services (chapter 4),
the most critical issues are addressed for those having to take business decisions in the
field of e-identity (chapter 5).
3
2 Understanding networked e-identity
2.1
Why e-identity?
Business transactions involve people. Irrespective of whether the activity is about a
contract, order, shipment, invoice, payment or tax settlement, it involves individuals who
initiate, perform tasks and sign them off. Most business activities are nowadays supported
in some sense by IT, and increasingly transactions are available as end-to-end services over
the Internet separating time and distance. Figure 1 shows the generic description of the
end-to-end trade process.
Figure 1: Trust in each step of the end-to-end trade process
For these electronic transactions trust is required on an increasingly large scale. This trust
makes it possible to order, pay, deliver and provide reliable communications and
trustworthy information. Trust in the digital world hinges on electronic identity (e-identity),
where two interacting parties achieve enhanced trust through e-identity.
In generic terms: the end user is able to prove (relevant parts of) his identity to the „service
provider‟ and the service provider is able to demonstrate he is the authentic source of its
services. In the natural world, a person has an identity which can be defined according to a
series of attributes, or specific properties such as sex, age, hair and eye colour, profession,
location etc. A person‟s online e-identity is an often-similar set of attributes that are kept in
IT systems and can be related to a person‟s natural, physical identity.
4
Identity information of end users is kept in many places in today‟s world and is often made
available to various organisations and individuals
through the Internet, providing the trust to do e.g. online
Organisational digital identity versus
banking. This kind of networked e-identity is a crucial
enabler for large-scale transactions, both in the public
and private sectors. Increasingly, e-identity is being
offered as a service and in that respect it can be said to
be the „mother of all transactions‟.
networked e-Identity
The digital identity of a person has, up to a
few years ago, mostly been restricted to the
use for services within a single organisation.
Nowadays, an employee or client of an
organisation often has an electronic identity
within each organisation the person is involved
2.2
in. The need to use a single identity for
What is the problem?
seamless and cost effective access to
increasing amounts of services on the Internet
The problem is on two sides:
has led to the growing use of cross-
1. End user: the scattering of identity information of
individuals over numerous organisations does lead to
privacy issues and user burden to remember and
organisational electronic identities, which in
this paper is addressed as 'networked eidentity', often abbreviated to just 'eidentity'. The major difference between an
intra-organisational identity and networked e-
maintain identities.
2. Service provider: for organisations the scattering of
identities does not add to the required trust. Every
organisation provides its own identity mechanism
online, varying from passwords to advanced
certificate infrastructure, leading to cost and
management burden.
identity lies in the fact that the latter needs to
be provided by a network of organisations
that must be aligned to create the business
and trust needed. The various parties involved
make setting up networked e-identity a
different endeavour than the nowadays wellunderstood and often straightforward
hierarchical setup of intra-organisational
digital identity.
E-identity is a (so far) under-recognised two-sided
market, where two distinct users groups (end users and
providers) interact with each other. There is a business opportunity for parties in the
facilitation of these two users groups. Dealing with the aforementioned two basic problems
will prove essential.
Networked e-identity is identity, which is re-usable over multiple organisations, thereby
reducing the two-sided problem.
2.3
How is e-identity provided?
With more and more services being offered online, ranging from e-commerce to egovernment and banking, service providers need to know whom they are dealing with and
consumers must be assured they deal with an authentic partner and that access to their
personal information is assured. But how do you know whom you
are dealing with?
When dealing with people in the offline world, identity is easier to
asses because of the physical interaction between these individuals.
A person‟s face coupled with a picture ID is usually sufficient. A
signature, matched to that on the ID, can add security. In addition, assessments of a
person‟s trustworthiness can be made based on appearance or intuition.
5
A specific example to illustrate this is age verification. In many countries there is a legal age
limit for purchasing alcohol. Here the attribute „age‟ is verified. In this situation, age
verification can be based on a visual assessment of the person‟s age. A general assessment
that the person is over the legal age limit may be sufficient and the person‟s exacted date of
birth may not be required. Alternatively, age can be determined on the basis of an identity
document bearing a date of birth and a picture such as a passport or a driver‟s license. The
identity document is a tangible document with certain standard characteristics that prove its
authenticity. The picture on the document is compared to the visual appearance of the
person offering the document to match the two. In both cases there is an immediate visual
assessment by one individual of the other individual.
This relatively simple situation is complicated when it is carried out online. In an online
transaction, the two parties, the end user and the service provider, are separated by time
and space, rendering visual means of authentication
unusable.
In the past two decades many technologies have been
developed to make identities usable in the digital
domain. Think of e.g. user names/ passwords, tokens,
certificates and biometrics, all tools for making e-identity happen. Many initiatives are
available now with all distinct characteristics. In the next chapter e-identity will be
introduced and a generic framework will be presented.
6
3 Introducing e-identity solutions
In this chapter we discuss e-identity solutions in a systematic way to allow the next chapter
to discuss different examples in a structured manner. First we introduce the evolution of eidentity solutions from a closed model to an open service provider model. From this
introduction we derive a description of a generic model for e-identity solutions.
3.1
A world of two-party networks
As an example to demonstrate the evolution of e-identity, let us consider Amazon.com.
Amazon.com was founded in 1994 as an online bookstore. It later diversified its product
range and grew into a leading global online retailer.
At Amazon.com, like at many other web shops, end users create an account with a
username and password. The account contains payment and shipping details (identity
attributes) and can be used to give product reviews. Amazon.com only accepts orders from
account holders that are properly authenticated, e.g.
through a successful credit-card payment.
In this solution there are only two parties involved: the
end user and Amazon.com. We call this a two-party
solution (or closed model). Amazon.com has all the
information and provides all functionality necessary to authenticate the end user.
Identity solutions have started as purely technical solutions, where the end user has a
relation with the service provider. The service provider stores the (relevant) identity
(attributes) of the end user and gives out authentication means to end-users. Only two
parties are involved.
Having (many) two party solutions is far from ideal for three main reasons:
1. End users have to create accounts for each service provider they visit ending up with a
great amount of identities (often usernames and passwords).
2. End users have to maintain their profiles (identities) at every service provider they visit.
Apart from the burden of having to maintain this information, a potential privacy risk is
introduced by having personal data scattered over all service providers.
3. Service providers have to implement and maintain their own identity solution. This is a
cost and time-consuming operation that keeps service providers away from their core
business.
In two party solutions the identity solution is often positioned as a cost to the service
provider.
7
3.2
Towards an open model: three-corner networks
The solution to the described drawbacks of the two-party solutions is actually quite simple:
introduce a third corner. Often this is referred to as „three party model‟, but the same party
can fill in the two corners. An identity provider (the third corner) can focus on implementing
and maintaining an identity solution that it offers to both the end user and the service
providers. This results in less credentials to remember and profiles to maintain for end
users and focus on core business for service providers while increasing profile accuracy. The
figure below shows a generic model for e-identity:
Figure 2: A generic three-corner model for e-Identity
It should be noted the needs of the two distinct user groups (end user and provider) are
catered for by only one provider. Therefore the service provider has two propositions: one
for the end user and one for the service provider.
Three party models come in two ways:
1. Government sponsored. Government gives out authentication means, mainly for use
with their own services
2. Service providers re-use. Service providers with large customer bases (e.g. Amazon.com,
PayPal, Google, Face book) re-use their credentials over each other‟s services. A specific
scheme has been created, which is called OpenID.
The business model of three corner models is still unclear. Either they do not have a
business model (e.g. OpenID or government issued ID cards) or they provide authentication
as part of a payment service (e.g. Amazon, Google and PayPal).
Three corner models overcome some of the drawbacks of two party models, because it
increases the re-usability of the credentials for the end user and reduces the integration
efforts for the service providers. The main problem however is that there is a multitude of
8
three corner models. Every initiative strives for „world domination‟ and becoming the „de
facto‟ solution. As a result, service providers do not reside all with the same three-corner
identity provider and therefore the end user is left with the management of multiple
identities.
This can only be overcome when all service providers and all end users concentrate at a few
identity providers. For competition and privacy reasons this could not be a preferable
situation.
3.3
The generic e-identity model explained further
In the previous paragraphs we saw a closed model evolve into a more open model. Within
this model we clearly can distinguish four core roles:
1. End users
End users request identity services from the e-identity provider. With such a service the
end user can transact on-line real-time. End users can be individuals acting on their
own behalf or on behalf of organisation.
2. Service providers
A service provider can be a private or public party who offers on-line services. Think of
e.g. tax filing, permit request, bookshop, airline ticket and banking. When using these
services the end user has to identify himself during the process. Also certain relevant
attributes might be checked, such as e.g. age or gender.
3. e-identity provider and broker
These two roles are often combined in one corner or party.
An e-identity provider role is the proposition towards the end user, whose identity
elements are managed by the e-identity provider. Therefore there must be a trust
relationship of some form. The level of trust is depending on the purpose. The identity
provider also facilitates the actual checking of the identity by service providers through
their e-identity broker. This is always triggered by the use of credentials issued to the
end user. Credential can be e.g. passwords, tokens, phones and certificates. One of the
core processes of the e-identity provider is the registration or issuing of identities. The
trust level towards the service providers is often determined by the registration process
(e.g. physical appearance is regarded as more reliable) in combination with the security
level of the tokens.
The e-identity broker role is the proposition to the service provider. Through the eidentity broker one or more e-identity providers can become part of the service towards
the service provider.
In order to assure that the interaction between the four roles (end user, service providers, eIdentity Providers) proceeds smoothly, securely and according to a prearranged set of
policies and regulations, one or more scheme owner organisations can be established.
Typically in a three corner set up, the party offering the central platform can be regarded as
the scheme entity.
9
In situations where the two proposition roles (e-identity provider and broker) can be offered
by different parties (four corner model), the scheme entity lays down the ground rules upon
which the various transactions take place. Also compliance with these rules is governed by
the scheme organisation. Scheme owners typically consist of a number of cooperating
parties that have a common interest in the creation and exploitation of a particular identity
management scheme.
3.4
Key characteristics of an e-identity service
With the generic e-identity model in mind, we will discuss in the following chapters various
e-identity initiatives. The analysis will be done according to certain characteristics. These
characteristics are chosen for the purpose of this white paper. Many more characteristics
exist, but they are not considered relevant for this paper.
Any e-identity service has two distinct aspects:
1. First is the registration phase where individuals register and are issued the e-identity by
the identity provider. The registration procedure, the process by which the e-identity is
issued and the integrity of the e-identity provider are fundamental for the integrity of
the e-identity service as a whole. If the registration phase is susceptible to fraud, the
integrity of the entire service is compromised.
2. Following registration is usage phase where the claimed identity of an individual is
authenticated, authorised, etc. Important aspects in this phase are the process by which
information regarding the identity is transacted between parties, the purpose of this
transaction process and who has control over the credentials.
Additionally, the working of the business model as well as issues regarding privacy and
trust are important elements in the authentication phase.
Different e-identity services can be described according to a number of key characteristics.
These include:

Registration – The registration process describes the procedure of initial registration and
the issuing of the e-identity.

Transaction – The authentication transaction process and the model of the service are
described.

Business model – The fees and revenues are described.

Privacy and trust – Any issues relating to privacy and trust such as the exchange of
attributes and the integrity of parties in the network.
In the next chapter a selection of current e-identity initiatives are discussed, along the lines
of the four characteristics.
10
4 Case studies
This chapter will present a number of case studies of e-identity services and standards in
use today. We have selected a wide range of services from e-commerce to online banking
and e-government and from different countries. We can learn a great deal from the way
these services are set up and how they operate.
The first two cases, OpenID and CardSpace, are technology driven but vendor-neutral
approaches1and have been selected because of their potential impact on the e-identity
marketplace. The remainder of the cases are business oriented and have been chosen to
depict how commercial, governmental or educational organisations have implemented
various technologies to solve specific business issues. Some of these solutions (e.g. Google
Apps, SURFfederatie) utilize open standards such as OpenID; some are based on proprietary
technology (e.g. DigiD).
1 We can argue whether CardSpace is in fact vendor-neutral, given the dominant role of Microsoft in the
development of the standard. However, Microsoft has stated to be committed turning the associated InfoCard
standard into a true open standard and has released all specifications and actively cooperates with third-parties to
make the standard a success.
11
4.1
OpenID
The power of OpenID is based on the explicit lack of a pre-existing relationship between the
service provider and the identity provider (in this particular case called the OpenID Provider).
Instead, the scheme relies on the user providing a claim of ownership of a URL to the service
provider. The service provider verifies this claim by establishing a shared secret in
cooperation with the server hosting the claimed URL (identity provider). The user must be
able to represent this shared secret when obtaining access to a resource owned by the
service provider. Because the scheme is entirely based on self-issued claims, OpenID is only
suitable for low-risk transactions. In practice, the scheme is mainly used to provide access
to social networking sites2.
Figure 3: the OpenID authentication scheme
4.1.1
Registration
A user can simply create an OpenID account by registering a URL on a server that can act as
an OpenID provider. This can be any one of the public OpenID servers but it can also be a
server owned and operated by the user. Example of an OpenID:
http://usermike.myopenid.com
Currently, many of the popular social networking sites have implemented the OpenID
protocol, allowing people with an account on one of these sites to login to any site
supporting OpenID. A non-comprehensive list of participating sites is: Google, Yahoo,
LiveJournal, Facebook, Hyves, Blogger, Flickr, Orange, MySpace, WordPress.com and AOL.
Apart from these, the user can also register a free account with any of the public OpenID
Providers such as Chi.mp, ClaimID, myID.net, myOpenID, VeriSign or yiid.
The following screenshots show a number of popular sites that offer OpenID as an
authentication method:
2
However, this situation might change in the future as more and more providers are adding extensions in-and-
around OpenID. One example is Google, who combined OpenID with the OAuth authorisation protocol (see chapter
4.3). Another example is the Japanese telecom giant NTT Docomo (over 55 million subscribers), who facilitate an
interface that providers can use to obtain additional identity information in the context of an OpenID authentication
and which can be used (among other things) to perform on-line payments.
12
Figure 4: MapQuest provides either an AOL or an OpenID login box
13
Figure 5: Plaxo provides a number of external authentication mechanisms, including OpenID
14
Figure 6: SourceForge offers an extensive range of external authentication methods, including OpenID
4.1.2
Transaction
OpenID entirely depends on existing and well-established Internet protocols and standards
such as HTTP and XML. The figure below depicts what happens when a user attempts to
access a site that supports the OpenID protocol:
Figure 7: The OpenID authentication sequence
The user enters his/her OpenID URL in the “OpenID login” box at the service provider (step
1). The service provider uses a discovery protocol (such as Yadis3) to find the location of the
Identity provider, based on the contents of the provided URL (step 2). The protocol might
3
The Yadis protocol (located at http://yadis.org) is closely related to OpenID, but can also be used by other
authentication schemes. Yadis translates the user-specified URL (the Yadis-ID) into an eXtensible Resource
Descriptor (XRD) document that provides a list of service identifiers applicable to this user-specified URL.
15
use a separate discovery service, depending on the format of the OpenID URL provided by
the user. Once discovered, the service provider and identity provider establish a “shared
secret” (step 3).
The discovery service can be considered the “e-identity broker” from our generic model. The
discovery service selects an identity provider based on the structure and content of the URL
provided by the user and thus allows the service provider to utilise a potentially large
number of different identity providers.
The user is now redirected to the identity provider (step 4) and is requested to authenticate
using any method supported by this provider. The authentication mechanism can be
anything from simple username/password to certificates, tokens or Info Cards (see: chapter
4.2, CardSpace). The identity provider asks the user whether he/she trusts the service
provider to receive the user‟s credentials and identity details (step 5). This is an important
step since it provides the user with a mechanism to control which information is disclosed
to the service provider.
If the user is satisfied with the requested information, he/she is redirected back to the
service provider, which verifies the received user credentials against the “shared secret”
established earlier. If all is satisfactory, the user is granted access to the requested
information.
Note that the exact set of credentials that can be exchanged varies between service
providers. When registering ones OpenID, the identity provider typically facilitates the
creation of user profiles and negotiates with a service provider regarding the attributes to
be returned as part of the credential request. In a typical case, the user is shown the list of
attributes that the relying party requests and the user can accept or refuse any of these
attributes before being redirected back to the service provider.
4.1.3
Business Model
The roots of OpenID are in the social networking domain where users expressed a desire to
obtain access to Blogs, Wiki‟s and other social networking sites without the need to register
and authenticate separately for each and every site. Instead, OpenID provides one, easy to
remember, URL-based user identity and associated profile that can be used to obtain access
to a large number of different sites.
Since users can run their own OpenID provider, they have maximum control over the identity
attributes that are used for authentication. Even when using a public provider (such as
MyOpenID), the user still has to maintain only a single shared profile that can be used to
obtain access to a large number of different sites. This central profile provides a good
incentive to users to keep the information up-to-date, which in turn is a benefit to the
service providers, which are more likely to receive accurate information.
The second advantage for the service providers is the delegation of user registration
information and authentication to the identity provider. Instead of having separate
registration forms, local authentication schemes and associated data stores, user properties
are maintained at the identity providers and are obtained during authentication by a usercontrolled process. Note that there exists no explicit trust relationship between service
16
providers and identity providers. This facilitates a federated authentication network that can
scale almost infinitely.
On the downside, this lack of trust relationship combined with the use of self-issued claims
means that services provided by service providers to the users are limited to relatively lowrisk service types, such as the aforementioned access to Blogs or other social networking
sites.
4.1.4
Privacy & Trust
The OpenID scheme is based on self-issued claims. Users maintain their own OpenID profile
(either at one of the many public OpenID identity providers, or at a provider managed and
operated by the user). During authentication, users can manage the properties that are
passed from the identity provider to the service provider. While this scheme provides a high
level of privacy protection from the user‟s point of view, the lack of explicit trust
relationships between the service provider and the identity providers, combined with the
fact that the service provider has no control over the strength and quality of the
authentication scheme implemented by the identity provider, also implies that the service
providers cannot depend on the quality and accuracy of the received user credentials.
The OpenID protocol relies heavily on redirection, in which the user is sent from service
provider to identity provider and back. This particular behaviour makes the OpenID protocol
vulnerable to “phishing” attacks (e.g. the introduction of rogue providers that insert
themselves into the authentication chain, thereby facilitating digital identity theft).
17
4.2
CardSpace
CardSpace, (otherwise known as “Info Cards”) is an identity management scheme originally
devised by Microsoft as a means to provide more control to the end user compared to the
more traditional schemes. CardSpace basically routes all traffic through the end user‟s
device and thereby provides maximum control of the identifying properties that are
exchanged between service provider and identity provider (in this particular case called the
Security Token Provider).
Figure 8: the CardSpace identity management scheme
Apart from being integrated in Windows Vista and Windows 7, CardSpace is currently
supported by a number of Identity Management software suppliers. Examples are the Bandit
project, IBM, FuGen solutions, the Higgins project, Ping Identity, the Shibboleth project,
Siemens, Sun, Oracle, VeriSign, WSO2 and the XMLDAP project. Since CardSpace is build
upon a set of open standards4, any application that supports these standards can integrate
with CardSpace. Microsoft actively promotes the standard and works together with the
open-source community to ensure that coexisting and interoperable implementations are
created.
4.2.1
Registration
The end user maintains a “wallet” of Info Cards that is maintained on the user‟s device
(desktop PC, laptop or mobile device). This wallet can be compared directly with a physical
wallet, containing any number of credit cards, debit cards or identity cards. Info Cards
basically come in two flavours:
1) Personal Cards, or “self-issued” cards, are created by the user and can contain any
information that the user desires to disclose about him/her. Since these are self-issued
claims, they have value only for low-security scenarios such as providing user-profile
information to web sites or an OpenID transaction (see chapter 4.1).
4
In particular, CardSpace uses the Web Services protocol stack, which consists of a number of open standards (WS-
Security, WS-Trust, WS-MetadataExchange and WS-SecurityPolicy).
18
2) Managed Cards are created and maintained by an external identity provider and have to
be verified by a third-party. These can be considered “digital credit cards” or “digital
identity cards”. Managed Cards can be used as a secure authentication or electronicsignature mechanism.
4.2.2
Transaction
The Info Card “wallet” is otherwise known as a “card selector” and plays an important role in
any CardSpace authentication transaction. The figure below depicts such a transaction:
Figure 9: The CardSpace authentication sequence
The CardSpace authentication sequence starts when the user attempts to access a protected
resource at the service provider‟s web site (step 1). In order to allow access, the service
provider requests a number of claims from the end user. The relying party informs the card
selector of these claims (step 2).
Based on the requested claims, the card selector determines which Info Cards, present in
the wallet, are suitable to fulfil these claims and presents a list of these cards to the user.
The user subsequently picks a card to be used in the transaction (step 3).
The selected card determines which identity provider must be consulted to validate the
claims present on the card. The card selector requests an encrypted and signed message
containing these validated claims. This message is called a “security token”. The token,
holding the claims, is returned to the service provider for verification and subsequently
allows the user access to the requested resource.
CardSpace does not recognize a separate “e-identity broker”, since all traffic is routed
through the user device. One could thus state that the user himself acts as a broker, since it
is the user who selects the appropriate identity provider by selecting a specific card.
Microsoft has attempted to act as “the mother of all brokers” in the Microsoft Passport
project (now „renamed‟ Windows Live ID). However, this initiative has failed completely since
the market did not want to trust Microsoft in such an important role. Microsoft has learned
19
from this experience and designed CardSpace around the user instead of attempting yet
another broker function.
The card selector is available in Windows as an integrated feature (see figure below). The
open-source community provides some card selectors for the Firefox browser, Apple OS/X
and Linux.
Figure 10: Windows CardSpace card selector.
Figure 11: Card selector for Firefox
20
Figure 12: And a card selector for Apple OS/X
4.2.3
The seven laws of Identity
Business Model
Following the failure of Microsoft Passport as an
The CardSpace scheme places the user in the
infrastructure for Internet-wide authentication and
driver seat. Instead of requiring the user to
keep track of multiple authentication profiles at
identity management, Kim Cameron, a security architect
working for Microsoft, has devised a set of rules
various sites (each with possibly conflicting
applicable to an Internet-wide identity ecosystem.
requirements), the user can select the most
Following is a summary of these rules, which are
otherwise known as “the seven laws of identity”:
suitable Info Card for each authentication
1 User control and consent: the user must be able to self-
request. Although the need to remember
manage the use of his or her identity information.
usernames and passwords does not go away,
2 Minimal disclosure for a constrained use: the user does
the entire authentication process becomes
more transparent from the user‟s point of view.
Even better, the user has the option to mix and
match the best fit for each authentication
not have to provide any more information than required
for successful execution of the service requested by that
user.
3 Justifiable parties: identity information must only be
request, thereby remaining in full control at all
provided to relevant and trusted parties.
times.
4 Directed identity: an identity system must support
identities for large-scale, general use as well as specific,
Even though the user might be requested to
directed use.
authenticate when contacting an identity
5 Pluralism of operators and technologies: the identity
provider, the number of different
system can be implemented and supported by different
authentication mechanisms to manage is now
directly related to the set of Info Cards that the
user holds and is no longer a function of the
parties.
6 Human integration: the presentation and use of identity
related information must be unambiguous and user-
service providers that the user attempts to
friendly.
access. This scheme can be compared directly
7 Consistent experience across contexts: the identity
with the use of “physical” Credit Cards or Bank
system must provide a consistent user experience,
independent of technologies and services.
Cards: even though each card requires a
separate PIN code, the user relies on a limited
number of cards to conduct transactions at a large number of different facilities.
The CardSpace scheme facilitates loose coupling between users, service providers and
identity providers by means of the broker function of the card selector. Service providers
simply have to issue a set of required claims and do not depend on a particular mechanism
21
in order to fulfil these claims. The card selector, in combination with the identity providers,
perform the role of translating claims into security tokens and provide an open standards
based, secure token verification facility which is independent of any particular combination
of service provider and identity provider. Authentication is effectively “externalized” from
the service providers.
CardSpace seems to be designed with the user strongly in mind. It is unclear how the service
provider fits in: does he have an attractive enough proposition? Does he have to contract
with Info Card provider, similar to credit cards or banks? That aspect gives Info Card limited
network scalability since the service provider is never sure he can address every end user
who uses CardSpace. As of this moment, there are no major Card Space implementations
present on the Internet. Even Microsoft does
The STORK project
not offer it as an option on their community
sites. Although some implementations were
The aim of the STORK project is to establish a European
attempted back in 2007 (e.g. the German
eID Interoperability Platform that will allow citizens to do
transactions and communication across borders, by
retailing giant OTTO used to have a CardSpace
presenting national eIDs.
implementation), most of these initiatives are
Cross-border user authentication for such e-relations
no longer active today.
4.2.4
takes place in the project by means of five pilot projects
using existing government services in EU Member States.
Privacy & Trust
In time however, additional service providers should
The advantage of the CardSpace model is that it
almost perfectly fulfils all of the seven laws of
become connected to the platform thereby increasing the
number of cross-border services available to European
users.
Identity (see frame “The seven laws of Identity”
Thus in the future, a citizen should be able to start a
on the previous page). By putting the user in
company, get a tax refund, or obtain university papers
the middle of the transaction, he/she has
without physical presence. To access these services one
optimal control over privacy and can determine
enters personal data using the national eID, and the
exactly which information to disclose to service
providers.
STORK platform obtains the required guarantee
(authentication) from the respective government.
The role of the STORK platform is to identify a user who is
CardSpace offers two levels of trust:
in a session with a service provider, at a defined (and
cross-national) trust level, and to send the identification
1. Personal Cards provide a low-level of trust
to this service. Whilst the service provider may request
in return for user convenience and can be
various data items, the user should be in control of the
used to provide e.g. profile information in
data to be sent. The explicit consent of the owner of the
data, the user, is always required before data can be sent
low-security contexts, such as the
to the service provider, which fits various EU privacy
provisioning of customisation information
regulation. In this respect STORK can be said to be user
to social networking sites.
centric, since the user acts as the broker of identity data.
2. The concept of Managed Cards provides the
More information: www.eid-stork.eu
required level of trust to conduct business
transactions between service providers, the user and identity providers.
It is striking to notice that to date there are few e-Identity services that actually use
CardSpace although cases in which privacy is considered paramount would seem logical
applications. A case in point here may be the EU STORK project which addresses crossnational eID subject to privacy regulation; see the text box on STORK.
22
4.3
Google Apps
Back in 2006, Google introduced their cloud-computer offering, Google Apps, as an
evolution of the popular Gmail webmail application. Google Apps offers a growing number
of business productivity tools (mail, calendar, documents, groups and more). Google Apps
are “true” cloud applications, meaning that the applications are hosted by Google, including
all associated data and are offered as a set of services, accessible by means of only a web
browser. Users need a subscription from Google and in return receive the rights to use the
services. Thus, Google Apps can be considered a service provider in a two-party network.
Since Google has made the underlying Google Apps engine available to software developers,
the number of available applications that run on the Google Apps framework is growing
rapidly. Starting from March, 2010, Google provides an on-line marketplace of available
applications at http://www.google.com/enterprise/marketplace. At the time of opening this
marketplace, approximately 50 vendors had application offerings available, targeted at the 2
million organisations using Google Apps (with a total of over 25 million users).
What makes the Google solution interesting in the scope of this document is an associated
service, Google Accounts, which utilises the Google account database to act as an identity
provider as well as a service provider. Google Accounts utilises the OpenID protocol (see
chapter 4.1) for this purpose and can thus be considered a “regular” identity provider in an
OpenID network. Furthermore, Google combines OpenID with the OAuth protocol, which
allows a user (with a Google account) to authorise a third-party service provider to use
Google services on behalf of that user. The key feature of OAuth is that this authorisation
process does not disclose any account information to the third-party service provider.
Figure 13: the Google Apps combined authentication and authorisation model
The solution depicted above positions Google as an identity provider, in which case access
to Google Apps (or services provided by third-party service providers) is governed by the
Google Accounts database. Google offers a second solution, based on the SAML open
standard, in which case the roles are reversed: Google acts as the service provider and a
third-party has the identity provider role. Users trying to access a Google Apps application
23
are now authenticated against an external identity store, managed by a third-party identity
provider. In the scope of this paper, we only consider the case in which Google acts as an
identity provider.
4.3.1
Registration
Google differentiates between Google Apps “Standard Edition” and “Premier Edition” (as well
as some special editions for the educational, governmental and non-profit markets).
Standard Edition is free and is targeted towards individuals or home users and offers basic
messaging, collaboration and document processing. The Premier Edition requires an annual
subscription fee and provides access to the full suite of applications, provides large
amounts of storage space and is targeted to commercial users. All Google Apps
subscriptions are acquired on a per Internet domain basis (e.g. “mycompany.com”). Google
facilitates self-service of domain accounts and prevents domains from accessing each
other‟s information.
Any user with a Google account (either Standard or Premier Edition) can utilize Google
Accounts as an OpenID identity provider, e.g. they can authenticate to any web site that
utilizes the OpenID protocol by providing their Google account identifier as an Open ID.
Also, any user with a Google account can request service access from third-party service
providers by means of combined OpenID authentication and OAuth authorization. For the
OAuth authorization to work, the third-party service provider has to be registered at
Google. Registration implies that certificates and shared secrets have been exchanged
beforehand since these are required by the OAuth protocol to establish the necessary trust
between identity provider and third-party service provider.
4.3.2
Transaction
Assuming the user wants to access services provided by a third-party service provider and
these services in turn require Google Apps services then the transaction might look as
depicted below:
Figure 14: The Google authentication + authorisation transaction
24
The authentication sequence starts when the user attempts to access a resource at the
third-party service provider‟s web site that requires additional services from Google Apps
(step 1).
The user selects the OpenID protocol to authenticate, using his Google account. The service
provider redirects the user to Google for authentication (step 2). This process utilises the
standard OpenID protocol as described in chapter 4.1.2. However, as part of the “shared
secret” information exchange (step 3 in the OpenID transaction), the third-party service
provider requests an OAuth “Request Token”. The OAuth protocol uses these tokens to
validate the credentials of the third-party service provider, based on pre-registered
certificates. Assuming that validation proves to be successful, the request token is returned
to the third-party service provider together with the user identity (the result of the OpenID
authentication).
Request tokens do not provide access to resources, they are only used to authenticate the
third-party service provider in the context of the user session and typically have a limited
validity time (e.g. 1 hour). Within this time period, the third-party service provider has to
ask the identity provider to swap the request token for an “Access Token” (step 3). Access
tokens have (at least with Google) an unlimited validity time and can only be revoked
through the Google Apps management interface for the domain that initially requested the
token. Token revocation implies that the third-party service provider has to go through the
complete sequence again (authenticating the user, obtaining a request token and exchange
this token for an access token). This process assures that no tokens are exchanged without
the proper user consent.
Once the third-party service provider has obtained the access token, the token can be used
to request Google Apps services, in which case the token acts as a “valet key”, e.g. it
provides limited access to a specific set of services defined by the contents of the token
(step 4).
4.3.3
Business Model
Today‟s Google business model relies heavily on advertising services. E-identity services are
currently just „a cost of doing business‟. However, in the long term this could change, when
cloud-computing takes off and Google start selling to large amounts of organisations and
end users. Currently, the income from Google‟s cloud computing ventures is minimal
compared to the other sources of income. However, Google expects a massive growth of
revenue in the coming 5 to 10 years, since the potential savings for end users is very high.
By investing heavily in the underlying technologies, pushing standards, giving away the
“Standard Edition” for free and opening the underlying Apps engine to the software
developers community, Google expects to become a major player in the cloud computing
arena within a couple of years.
Since the Google Accounts database is tightly integrated with the Apps engine and contains
tens of millions of accounts, it makes sense for Google to use the contents of this database
for additional purposes besides simple authentication for their own applications. Opening
the accounts database to the Internet as an identity provider places Google in a favourable
position compared to many other identity providers, given the sheer number of accounts (as
25
an example, by mid 2009 there were over 140 million GMail users, all of whom are in the
Google Accounts database).
Each and every transaction that involves Google services (e.g. accessing Google search,
Google Apps, GMail, YouTube, OpenID authentication, etc.) is logged and processed by
Google to produce valuable marketing information, telling Google exactly what their users
do and what their areas of interest are). As of 2006, the Google logging databases, not
counting all applications, contained over 1 Petabytes (1.048.576 GByte) of information. By
opening the accounts database to the Internet for third-party authentication and
authorisation, even more valuable marketing information will be collected.
For the end user, the advantages of using only a single account for accessing cloud
applications as well as logging in to hundreds (or even thousands) of web sites supporting
the OpenID and/or the OAuth protocol are evident.
For third-party service providers, utilizing the massive Google Accounts database offers a
unique authentication resource with a number of available accounts that would be very
difficult, or even impossible, to establish by themselves.
4.3.4
Privacy & Trust
Google utilises the OpenID protocol for authentication. As stated in chapter 4.1, there is a
limitation to the level of trust related to this protocol. Given that the majority of accounts
that are present in the Google Accounts database are free accounts, established by the users
and used to obtain access to free services such as GMail or Apps “Standard Edition”, the
trust level offered by Google is currently limited to low-trust types of services.
The OAuth protocol offers a reasonable level of trust, given that all messages exchanged
between service provider and identity provider are encrypted and signed by pre-registered
certificates and shared secrets. The integration of OAuth with the OpenID protocol creates a
higher level of trust compared to “plain-vanilla” OpenID. Also, OAuth requires service
providers to be pre-registered at the identity provider, which implies that the service
providers know in advance the quality and the strength of the authentication facilities
offered by Google, which is an improvement over the standard OpenID protocol.
Regarding privacy: users perform “self-registration” with Google in order to obtain a Google
account. With the exception of paid accounts (which are still a minority), there is hardly any
guarantee that provided information is correct. Also, given that Google logs all information
that flows through their systems for purpose of analysis (and potential marketing), there is a
high potential for privacy violations. In their privacy statement, Google explicitly states that
it claims the right to combine user information with data collected from other services with
the purpose to improve products and services provided by Google to the end users. The
privacy statement also states that no personal information will ever be disclosed or used,
either within Google or to third parties, without the proper user consent5. However, it is still
5 “Google considers the privacy of its customers important and is serious regarding data protection. Google
adheres to the US Safe Harbor Privacy Principles of Notice, Choice, Onward Transfer, Security, Data Integrity, Access
and Enforcement and is registered with the U.S. Department of Commerce‟s Safe Harbor Program. The processes
and systems related to data security and privacy protection have been successfully audited for SAS 70 Type II
compliance.”
26
difficult (if impossible) for end users to verify that all information flowing through the
Google systems is indeed protected properly against privacy violations, identity misuse or
theft. This is a serious issue for organisations that consider the use of cloud applications,
since they have to trust the service provider to treat the, potentially sensitive, corporate
information properly according to pre-defined service level agreements (in which Google
explicitly denies any responsibility beforehand and explicitly states that the services are not
meant to be used for “high-risk” activities).
The OAuth protocol that is used to grant third-party service providers access to Google
services offers a fair amount of privacy protection, since no account information is ever
disclosed to these third-party providers. Also, OAuth assures that any user-related
information that needs to be exchanged between Google and the third-party provider has to
be approved by the end-user in order for the transaction to succeed.
4.4
DigiD
DigiD is a single sign-on and authentication service launched in 2003 by the Dutch
government that enables legal residents of the Netherlands to use e-government services. It
is mostly used to file income tax statements online with most users using it only 1.2 times a
year on average. From an end user perspective it is not a great success, because the
relevance in a person‟s life is limited. From the identity provider point of view it is more of a
success since at least 8 million people have enrolled for DigiD, because of the obligation to
use DigiD for tax filing. The figure below depicts the scheme:
Figure 15: The DigiD authentication scheme
The DigiD Scheme operator is “Logius”, a Dutch Government Agency that is also responsible
for hosting and exploitation of the DigiD application itself.
27
4.4.1
Registration: leveraging citizenship
Users request a DigiD through the DigiD website. The DigiD is based on the Citizens Service
Number (BSN) that is issued to each legal resident of the Netherlands by the municipality in
which they live and on the Municipal Basic Administration (GBA) to which the BSN refers. The
GBA is regulated by Dutch law, which stipulates how the information can be acquired,
altered and used. An independent body, the Dutch Data Protection Authority (CPB), oversees
the GBA and its compliancy to national and international law.
The picture below depicts the registration procedure:
Figure 16: DigiD Registration
1) A DigiD can be requested from the DigiD website. End-users fill in their BSN, postal
address and email address and can then select a username and temporary password.
The account can be used from here on, but with severely limited functionality (security
level “temporary”).
2) DigiD verifies the provided information against the Municipal Basic Administration (GBA)
and if proved to be correct, creates the account.
3) On correct registration, an activation code is sent to the End-user‟s home address by
mail. This activation code has to be used at the DigiD website to activate the account. At
this time, the user also has to select a permanent password. The account is now ready to
be used for authentication transactions.
A key point is that the DigiD identifier is the Citizens Service Number (BSN). Only legal
residents of the Netherlands are issued a BSN and only government organization are allowed
to use the BSN for authentication purposes. Because DigiD is based on the BSN, any
restriction applying to issuing or the use of BSN applies to DigiD as well.
Only government organizations can be service providers. This means that DigiD cannot be
used for non-governmental e-services such as financial services, e-commerce or social
networks. However, Dutch law is able to designate exemption and it has done so for medical
28
insurance companies providing the mandatory basic health care insurance. Thanks to this
exemption, DigiD can be used to apply for this service online or login at insurance
companies.
4.4.2
Transaction
DigiD can only be used as an authentication facility. These authentication transactions are
stateless, which implies that DigiD does not “remember” whether a specific user has
authenticated earlier within the same browser session. The net-result is that the user will
have to re-authenticate for each and every government site that the user is visiting in the
same session.
Figure 17: DigiD authentication sequence
The DigiD authentication sequence is invoked when the user visits a government web site
and selects the “DigiD login” button (step 1). Selecting “DigiD login” will redirect the user to
the DigiD web site for authentication using username/password (step 2). If required, the
user can select a “stronger” authentication level, in which case a one-time code is sent as an
SMS to the mobile number provided during registration. The user has to enter this number
as part of the authentication transaction.
Assuming that authentication has been successful, the user is now redirected to the
requested web resource at the service provider. In case of unsuccessful authentication, the
user is left at the DigiD site to try again.
The service provider invokes a DigiD service in order to verify the authentication transaction
data that has been received from DigiD and finally grants access (step 3).
Since the DigiD scheme only contains a single identity provider, there is no use for a
separate e-identity broker in this case.
4.4.3
Business model: not-for-profit
DigiD is free for end users as well as service providers to use. As a government service it is a
not-for-profit initiative, which is subsidized by the Dutch Ministry of Internal Affairs.
29
The main purpose of DigiD is to replace the many different username/password
combinations that citizens required to obtain access to government web sites. Since DigiD
only provides a user identifier (authentication only), these web sites still have to maintain
local profiles to store all additional information they require. DigiD thus only solves part of
the problem (authentication) and leaves the issues of maintaining identity assets to the local
government sites.
Also, although penetration of DigiD is high, use of DigiD is limited for most users to a few
occasions per year for government transactions only.
Against this background the Dutch government has started developing a new network called
eRecognition6 that allows private sector employees to access government services based on
an open market for identity services. eRecognition is a based on a 4 corner model, of which
the government supports the scheme, and is expected to also support B2B services.
4.4.4
Privacy and trust
DigiD differentiates between three security levels that are to be used for different types of
services:

The first level requires only a username and password (one factor authentication), and is
suitable for services that require a limited level of security, privacy and trust.

The second level requires the username and password in addition to a One Time
Password (OTP) sent by SMS to the End-user‟s mobile phone (two-factor authentication).
This level is intended to be used for services that require a high level of security, privacy
and trust.

A third level was planned and would involve a physical electronic identity card that is yet
to be introduced and a face-to-face registration process. However, this program has
been put on hold indefinitely.
DigiD provides limited trust, since each authentication session is only based on a
transaction between the DigiD identity provider and a single service provider. Users still
have to authenticate repeatedly when visiting other identity providers, even if these are also
supporting DigiD. A new initiative called “mijnoverheid.nl” (my-government.nl) will improve
on this situation by establishing a federation of cooperating, trusted, parties. In this case, a
user who authenticated (using DigiD) with “any” service provider within this federation is
allowed to travel between all service providers that are member of the federation, without
the need to re-authenticate.
4.5
Estonian e-ID card
The Estonian e-ID card is a national identification card that can also be used for a whole
range of online authentication services including e-government services, online banking,
online financial services and e-commerce. A single ID card can be used for offline as well as
6
See http://www.eoverheidvoorbedrijven.nl/afsprakenstelseleherkenning/english/english.html; a whitepaper on
the eRecognition network approach can be downloaded at http://innopay.com/publications
30
online authentication. Online, the card can also be used for digital signatures while offline
the card can also be used at a ticket in public transportation. The digital version of the
Estonian ID card is provided by Sertifitseerimiskeskus (SK, www.sk.ee) as a certificate issuing
and validation service.
Around 80% of Estonians have an e-ID card and they each use it for online authentication 25
times a year on average. Compared to other Estonian authentication methods, such as those
offered by banks, this figure is relatively low. The power of the Estonian e-ID service is that
it leverages the identity card already mandatory for all legal residents over 15 years old. For
those already owning a card, using it for online authentication is a small step.
Figure 18: E-identity provider SK using the Estonian ID card
4.5.1
Registration: leveraging the ID card
Registration for the Estonian e-ID card has two parts: the issuing of the card and the issuing
of the information needed for online authentication. Most often both parts will be carried
out simultaneously but they can also be carried out independently.
1. Issuing the card. In the first part of registration the physical identity card is issued to the
End user through the Citizenship and Migration Board (CMB) after a request made by the
End user. The card is picked up and activated at a bank branch. The card is a standard
polycarbonate card containing the end user‟s name, date of birth and other information
in addition to a photograph of the end user. Every Estonian citizen and legal resident of
the country over the age of 15 is required to have such an identity card. The card is
linked to the 11-digit Personal Identification Code (PIC) that uniquely identifies each
Estonian legal resident and is provided to the CMB by the Population Register of Estonia.
The card also contains a microchip that can be used for electronic authentication online
as well as at terminals. The creation of the card is outsourced to TRÜB Baltic, a company
that personalizes cards.
31
2. Issuing the digital content. In the second phase of registration, the information on the
chip in addition to other information needed for online authentication is issued. The
information issued is: the digital content of the chip, PIN and PUK codes, and a national
e-mail address. There are three pieces of digital content stored on the chip: basic
personal data equivalent to that printed on the card, a digital certificate for online
authentication, and a digital certificate for digital signatures. Both certificates contain
only the End user‟s name and their PIC, with the certificate for online authentication also
including the End user‟s national e-mail address. The card thus carries little
authentication data and function primarily as a key to access the databases where the
information is stored. Each certificate is protected by a different PIN.
The digital content of the card is added by TRÜB Baltic. TRÜB forwards the end user‟s
personal information to SK in order to create a database entry. Once the content is
loaded onto the card, and the PIN and PUK codes have been generated, everything is
sent to a bank branch for pickup.
Figure 19: The registration of e-identity for SK
4.5.2
Transaction
SK serves as a certificate provider, a validation authority, maintains the technical
infrastructure and develops the necessary services and software. All authentication
transactions carried out by End users are routed through SK and the central directory
containing all authentication data. SK is a private organization owned by banks Swedbank
and SEB and telecommunication companies Elion and EMT.
All service providers connect directly to SK. To facilitate this connection, SK provides
downloadable applications and requires little further technical integration.
32
For end users to use the Estonian e-ID card for online identification, several things are
required:

the physical e-ID card

a PIN code (self chosen)

a username (self-chosen, can vary across services)

a card reader connected to the computer

software installed on the computer.
An end user can initiate a transaction on any website connected to the service.
4.5.3
Business model
For End users, acquiring the physical e-ID card costs approximately EUR 10. Updating or
changing authentication related information such as PIN codes or certificates is free of
charge at the Citizenship and Migration Board while SEB and Swedbank bank branches
charge a small fee of approximately EUR 2-4. Card readers can be purchased at SEB and
Swedbank branches for approximately EUR 6. Aside from these small set-up fees, the
service is free for End users.
Service providers pay a monthly fee for the service. This fee ranges from EUR 25 for 400
transactions per month to EUR 6,000 for 750,000 transactions per month. The price is
therefore between 0.008 and 0.06 EUR per transaction, which is substantially lower than
other electronic transaction services such as online payments. A six-month 8.000
transaction starter‟s package is free of charge.
4.5.4
Privacy and trust
With the exception of the CMB, all parties involved in the issuing of the card and digital
content are private entities. This may raise concerns over security and trust. In Estonia, all
public and private organizations are subject to the Personal Data Protection Act that
regulates the use of personal data and databases containing personal data. Adherence to
the Act is overseen and enforced by the Estonian Data Protection Inspection.
The Estonian e-ID card uses two factor authentications: the combination of the PIN and the
card. As the personal information contained on the card is considered public information in
Estonia, the card does not contain any private data. It functions only as a key to access the
central database. Thanks to the two factor authentication, a stolen card does not give access
to online services. The PIN code is self-chosen but cannot be easily altered.
4.6
BankID
BankID is a Swedish e-identity solution developed by Swedish banks that was subsequently
expanded to become an authentication mechanism for a variety of e-services. These eservices range from online banking to e-commerce and e-government. BankID is issued by
33
banks to their internet customers. Today 10 banks are issuing BankID and 2 million
BankID‟s have been issued of a potential market of 5 million online bank users.
BankID‟s main usage is for financial transactions (around 50% of the transactions) and egovernment transactions (40% of the transactions). The remainder is for transactions with
private companies and this percentage is growing. Today BankID has 10 million transactions
monthly. BankID has two usage modes: authentication and digital signing.
The power of BankID is that it is an open and scalable network allowing any consumer and
any type of e-service provider to easily get access to the service and the entire network.
Also, it leverages existing and trusted credentials.
Figure 20: The four corner network of BankID
Figure 20 shows clearly that the roles are similar to the ones depicted in the generic eidentity three-corner model, but that one corner is split in two. Since there can be multiple
e-identity providers and e-identity brokers, interoperability and scalability needs to be
ensured by the independent scheme organisation.
4.6.1
Registration: leveraging an existing relationship
One of the most important aspects of BankID is the way the identities are provided; by
banks to their account holders. This enables secure authentication, the leveraging of an
existing infrastructure and enabled the achievement of critical mass.
Banks generally have long lasting relationships with their account holders and know a great
deal about them. Users can only open a bank account after making a physical appearance at
a bank and offering some form of identification. Banks are also required to comply with
„Know Your Customer‟ (KYC) and anti-money laundering regulations that requires banks to
know who they are dealing with. These regulations were put in place to prevent financial
crime and to prevent financing of terrorism.
Since most Swedish banks participate, critical mass has been reached for further growth.
34
4.6.2
Transaction: scalable 4-corner model
In BankID, the role of identity provider has been decentralized to create a quickly scalable
four-corner model. The transactions are routed from the end user to the service provider,
via the e-identity broker and the e-identity provider.
The role of the single identity provider has been split into three roles. The reason for this is
scalability. In a three-corner model, all end users and relying parties must maintain a
technical connection and legal relationship with the same party. In small markets this may
not pose a problem, but it can stifle growth.
In a four-corner model, the role of the identity provider is split allowing end users to receive
their credential from their identity provider of choice. The service providers forwards the
credentials received from the end user to the e-identity broker for authentication. The
service provider only has a relationship with the e-identity broker and not with the eidentity provider.
The advantage of the four-corner model is that each actor in the network only needs to
connect to one other actor, even if the service grows very rapidly. The network is therefore
highly scalable.
The BankID network runs on a single infrastructure owned by the major banks. The Swedish
Payments Clearing Housing BGC handles the operations of BankID.
4.6.3
Business model
For banks the services strengthen their position as trusted party for end users and service
providers. Banks do not need to maintain their owned identity infrastructure, once they
issue BankID's. The end user does not pay for the basic service separately; it is part of the
online banking service. However, additional services are charged to the user. The service
provider pays- and the e-identity provider receives a fee for each transaction. It is a 4-party
model with bilaterally agreed interchange fees.
4.6.4
Privacy and trust
BankID is based on electronic signatures. Transactions with BankID are legally binding
throughout the EU, since BankID issuers serve as certificate authorities who are bound to
strong legal requirements regarding security, privacy and trust.
BankID certificates come on USB devices, smart cards and just recently on mobile phones.
4.7
SURFfederatie
SURFfederatie is an initiative of the Dutch organisation SURFnet. SURFnet is a subsidiary of
the SURF foundation, in which Dutch universities, universities for applied sciences and
research centres collaborate nationally and internationally on innovative ICT facilities.
35
The SURFfederatie is a federative, multi-protocol7, authentication facility, which has been
established to facilitate students and staff to access services provided by various
educational institutions as well as a selection of third-party service providers.
In the past, students who wanted to use services from different institutions were required to
have multiple accounts, one at each institution they wanted to access. Since students are
increasingly using facilities of different educational institutions, this situation needed to
improve. The SURFfederatie facilitates access to various service providers (including thirdparty commercial organisations, educational organisations and research centres), using only
one single account. The role of identity provider is assigned to the “native” institution of the
student, e.g. the institution at which the student is registered.
Figure 21: The four corner network of the SURFfederatie
Similar to BankID, the SURFfederatie is implemented as a four-corner model, in which
SURFnet acts as a broker and protocol translator. The SURFfederatie allows different
federation protocols to be used by both the service providers and identity providers.
4.7.1
Registration: leveraging an existing relationship
The federation utilizes the existing relationships between the student and the educational
institution at which the student is registered. The advantage of this approach is the
availability of critical mass, utilization of existing trust relationships between student and
educational institution and reuse of existing infrastructure (especially important given the
large amounts of changes occurring each year as students graduate and new students
arrive).
In order to connect to the federation, all providers are required to establish a contract
between the provider and SURFdiensten (a subsidiary of SURF and responsible for all
products and services provided by the SURF organisation). When the contract is in place, the
7
Since different service providers and identity providers might utilize different protocols, a unique feature of the
SURFfederatie is its capability to act as a broker and protocol translator. Currently, the federation supports the
SAML 2.0, WS-Federation, A-Select and Shibboleth federated authentication protocols.
36
provider can utilize one of the supported protocols to establish the technical connection. By
supporting multiple protocols, the barrier for providers to connect to the federation is kept
low.
4.7.2
Transaction: scalable 4-corner model
The SURFfederatie utilizes an award winning 8, decentralised, distributed model for identity
providers and service providers. This approach facilitates a scalable four-corner model (see
also chapter 4.6.2 for a description of the advantages of this model). The transactions are
routed from the end user to the service provider, via the e-identity broker and the e-identity
provider. The e-identity broker also performs protocol translation, thereby facilitating
providers to connect using different protocols.
4.7.3
Business model
Educational institutions leverage their existing infrastructure and position as trusted party
for end users and service providers. Without extensive changes in account management,
students can access services from multiple service providers. The federation thus provides a
compelling business proposition to both the educational institutions (who can offer a large
set of services to students) as well as third-party service providers (who get access to a
large potential customer base without the need to invest in an expensive identity
management infrastructure).
By supporting multiple protocols, the extra cost for providers to establish a connection to
the federation is kept low, thereby providing an extra stimulus for providers to connect and
thus pushing both the number of potential customers as well as the services offered to
those customers9.
Connected parties (service providers and identity providers) pay a fee to SURFdiensten for
services obtained. These services include the use of the federation and development of new
and/or updated features.
4.7.4
Privacy and trust
The federation builds on the existing trust relationship between students and educational
institutions. In many cases, identity information does not need to leave the institution (e.g.
the fact that a student is registered at an institution might be sufficient proof to obtain
access to a service).
An additional level of trust is provided by the contracts between providers and the SURF
foundation, which assures that all communication between providers and the federation
adheres to the strict policies implemented by SURF. A high level of trust exists between the
institutions and the SURF foundation, given that the joint universities founded this
8
In 2008, SURFnet and Everett have received the eema Award for Excellence for the SURFfederatie solution.
9
To illustrate the success of this approach, in February 2010, Google has signed a 3-year agreement with
SURFdiensten to connect to the federation and make available the Educational Edition of Google Apps, as well as all
third-party applications offered through the Google Applications Marketplace, to all connected educational
institutions. Google uses their SAML-based single sign-on facility (see chapter 4.3) to establish the role of service
provider with external identity providers.
37
foundation in 1987. Today, the foundation represents over sixty institutions (academic
universities, universities of applied sciences, research centres and centres for documentary
information services).
38
5 Conclusions
The e-Identity business is still in its infancy and it has often been a case of trial and error
when starting a service in this area. For achieving success, it is clear that scale, in terms of
the number of transactions and number of participants, is a major factor. In that sense most
initiatives discussed can be said to be successful, although the usage of dedicated
government initiatives and of the pure user centric approach of Cardspace is, to date,
limited.
Based on the analysis of e-identity as a two sided market, serving end users on one side and
service providers on the other, various aspects appear crucial in setting up a successful eidentity network. We have listed the cases of this report in the table below to provide an
overview of key aspects.
39
Domain
OpenID
CardSpace
DigiD
Estonian e-ID
Google
BankID
SURFfederatie
Technology, web
Technology, user
Government, easy
Government,
Cloud computing,
Re-use what‟s
Re-use what‟s
2.0 / social
centric
to use, only for
trusted transactions
SaaS
already there,
already there.
private and
Educational sector
citizens
government sector
Network
4 corner, Internet
3 corner, user acts
model
DNS acts as broker
as broker
Registration
Mostly self
Depending on
registration
InfoCard scheme
3 corner
3 corner
3 corner
4 corner
4 corner
Local government
Local government,
Self registration
Bank issued
Issued by
certificates
educational
institutions
Transaction
Authentication,
Card dependent
Authentication
profiling
Authentication,
Authentication,
Authentication,
signing
authorisation
signing
Authentication
Business
Low-cost trust,
Currently only
Subsidised,
Wide range of
Advertisement,
Wide range of
Wide range of
Model
more traffic
technology
government only
transactions
generating more
transactions
transactions
traffic
Privacy &
Minimal trust
User centric, privacy
Government
Government
Google policy
Government and
Educational sector
control
controlled
controlled
regulated privacy
bank regulated
regulated
Fits well for large-
User centric,
High penetration,
Re-use
World domination
Re-use bank-ID for
Restricted to
scale, limited trust
technology driven,
limited usage for
government-ID for
through attractive
private and public
education, high
networks.
still to be proven
citizens
private transactions
applications
transactions
usage.
Trust
Take away
Figure 22: Overview of e-Identity initiatives
40
Conclusions that can be drawn from the various cases investigated are
1. In terms of solutions, there is no one size fits all. E-identity is used for many situations
with different risks, trust and user profiles. From a privacy point of view it makes sense
to have multiple identities, per usage context. Hard privacy guarantees cannot be given
from a technology point of view only. This is why the scheme holder must be a trusted
party. What lacks in terms of convincing end users about their security and privacy may
be solved by technology only if the transactional stake is limited. This is exemplified by
the loose coupling between service providers and identity providers in common OpenID
and CardSpace scenarios where little trust exists between the parties in the network and
consequently the transactions served are perceived to be of limited risk.
2. The cost of the identity administration process and the handing out of means of
authentication, needed to establish trust for individual transactions, is a major factor in
the business model. Successful sharing or transferral of that cost is key in any eidentity network. This is illustrated in some of the cases that reuse existing
administration processes and authentication means, e.g. by government (DigiD, Estonian
e-ID Card), banks (BankID) or the educational sector (SURFfederatie).
3. E-identity seems to be underestimated as a two sided market serving end users on oneend and service providers on the other. An important aspect of a two-sided market is
that the propositions should be attractive to stakeholders at both ends. Successful larger
scale solutions do address this aspect and these can be, in the context of the framework
proposed, 3 or 4 corner models. In contrast, an initiative such as CardSpace seems to
focus on the end user only, providing a less clear business case to service providers.
4. Interoperability of e-identity solutions is the way forward for mass adoption. End-users
and service providers do not want to be bothered with the selection problem of which
technology or solution is the best. They just want a service delivered. The EU STORK
initiative (see text box in paragraph 4.3) clearly has this in mind from a cross border
perspective. A private solution such as Google‟s mitigates this by providing multiple
standards, including OpenID and SAML2.0, to bridge the gap between services and
communities. Another good example is the SURFfederatie, which offers multiple
protocols for providers to utilize, thereby significantly reducing the cost and effort to
connect.
Finally, we want to propose a thesis:
In successful e-identity networks, the business case and the gain for each party
(identity providers, service providers, users) is transparent to all parties.
If there is widespread doubt on what gain (money or otherwise) some party in the network
takes from it, trust in the network will erode and it cannot scale towards higher value
transactions. This may be the reason why some of the more successful initiatives have a
government supported scheme, which, at least in Europe, appears to provide the required
trust. However, the amount of interaction of citizens and companies with governments is
limited and involvement of the private sector is crucial for widespread adoption and growth
of e-Identity.
41
6 About Innopay
Innopay is an independent full service consultancy firm specialised in payments and related
transaction services. Our key practices include online payment, e-invoicing, e-identity,
mobile payment, cards and related regulation.
Given our independent position, we work for all players in the industry. We devote research
time and investments to help peer professionals ‘structure & understand’ these topics and
actively facilitate industry knowledge transfer, which we consider crucial for the further
development of global e-business. Our leading industry reports can be downloaded from
www.innopay.com.
With our in-depth knowledge and experience gained on both the demand side and the
supply side, we are ideally positioned to help our clients determine the direction of their
growth. This often results in new products and/or markets that we successively help to
‘develop & manage’ and bring to market in a controlled and effective way. We do this for
single clients but also for groups of clients. Consequently, we have extensive experience in
developing multi-party transaction schemes and accompanying messaging standards in
diverse industries such as financial services, insurance and document exchange.
On the other side, we help corporate users to ‘choose & use’ the transaction services that fit
their specific business needs from the wide array of often industry tailored transaction
services on offer. We use a multi-disciplinary approach covering commercial, operational
and technical aspects.
Innopay is a member of the European Payments Consulting Association (EPCA) and the
Payment Systems Market Expert Group (PSMEG) of the European Commission and an
associate member of the Euro Banking Association (EBA).
For more information visit www.innopay.com or mail to [email protected]
42
7 About Everett
Everett (www.everett.nl) is a systems integrator and consultancy firm specialized in
interaction, identity and integration. Everett has offices in Nieuwegein (Netherlands, head
offices), London (UK), Milan, Rome (Italy) and Bangalore (India). Everett also provides 24x7
solution support services via its ESSC support centre. Since its inception in 1999, Everett has
proven itself as a leading specialist on identity enabled services and middleware in general,
and portal, secure remote access, identity & access management, IT compliance and service
oriented integration technology in particular.
Our aspiration is the „identity enabled‟ enterprise, with its strategic objective of facilitating
secure, personalized and integrated ICT services with a minimal time-to-service.
Implementing these identity enabled services poses a challenge for the modern day ICT
organisation since it has to find a cost effective balance between user demand,
organisational goals and rules and regulations. Everett‟s core activity is assisting
organisations in this area with consultancy, implementation skills, knowhow and solution
support.
In the past ten years, Everett has realised a large number of projects. We are active in a
number of different business domains such as Education, Research & Development, Telecom
& Media, Finance, Transport & Logistics, Government, Energy, Manufacturing and
Healthcare.
Customer projects include the whole range of identity & access management infrastructure,
and the realisation of personalized web portals and composite applications, using Service
Oriented Architecture and most of the of Web 2.0 technologies. At the core of all of these
projects is an agile project approach aimed at producing immediate business value in the
context of a long-term vision and target architecture.
For more information visit www.everett.nl, or mail [email protected].
43
ESTONIAN
INFORMATION SOCIETY
STRATEGY 2013
2006
FOREWORD
Dear reader,
The document you are holding in your hands is called the „Estonian Information Society Strategy
2013”. The development plan serves as a good example of the systematic character of information
society development in Estonia – its elaboration was not initiated due to an unexpected need to
change course, but because the time frame of the previous information policy had come to an end.
The strategy is special for several reasons. Never before have activities related to the development of
the information society in Estonia been planned for such a long period. We have reached a level,
where these are not single projects, services and technologies that need to be focused on, but more
general and long-term goals rather. When reading the strategy, one might note the less frequent than
expected use of the prefix “e”. This is because the strategy seeks to contribute to the improvement of
the living standard, economy, and public services, not just to some individual phenomena beginning
with “e” that have been developed for a chosen few.
It is only natural and reasonable to use information technology for a more rationalized organization of
living. Preconditions and possibilities for this have, to a large extent, already been developed. The
more citizens, enterprise and the public administration get established in the information society, the
more important it becomes, how to employ the new possibilities in a manner that would benefit us all.
Information technology can help us in our daily lives, in entrepreneurship as well as in the public
administration. It allows us to continuously develop and achieve success – isn’t this the kind of future
we all wish for the years to come?
I hope that the following pages give you an overview of shaping a better future in Estonia from the
standpoint of the information society.
Enjoy reading!
Edgar Savisaar
Minister of Economic Affairs and Communications
2
Table of contents
FOREWORD .............................................................................................................. 2
INTRODUCTION ........................................................................................................ 4
1.
PRINCIPLES FOR THE DEVELOPMENT OF INFORMATION SOCIETY ....... 5
2.
CURRENT STATE OF AFFAIRS AND FUTURE CHALLENGES .................... 6
2.1.
State of affairs ......................................................................................................................................... 6
2.2.
Future challenges................................................................................................................................... 7
2.2.1.
Computer and internet access. Information society infrastructure............................................ 7
2.2.2.
ICT and internet use......................................................................................................................... 8
2.2.3.
Competitiveness of the Estonian ICT sector .............................................................................. 10
2.2.4.
ICT and public administration ....................................................................................................... 11
3.
VISION ............................................................................................................ 13
4.
ACTION FIELDS AND MEASURES ............................................................... 14
Action field I: Development of citizen-centred and inclusive society ................................................ 14
Action field II: Development of knowledge-based economy ................................................................ 16
1. Promotion of ICT uptake by enterprises:................................................................................................ 16
2. Increasing the competitiveness of the Estonian ICT sector................................................................. 17
Action field III: Development of citizen-centred, transparent and efficient public administration
17
1. Improving the efficiency of the public sector .......................................................................................... 18
2. Providing user-friendly public sector e-services .................................................................................... 20
5.
IMPLEMENTATION OF THE STRATEGY...................................................... 21
3
INTRODUCTION
In the modern globalizing world, economic success and high quality of living are achieved only in
countries attaching great importance to the efficient handling of knowledge and information and using
them for the benefit of the society. There is no doubt that information and communication technology
(ICT) has a significant impact on economic growth, employment and human behaviour. Thus, for a
small country with limited resources like Estonia, the development of knowledge-based economy,
compact yet efficient functioning of public administration and inclusion of all citizens in the organization
of public life are of particular importance.
According to the European Union’s information society strategy i20101, ICT accounts for 25% of GDP
and 40% of productivity growth in the EU. In Estonia, too, modern ICT solutions developed and used
both by the public and private sector give reason to regard the development of the information society
as a strategic choice.
The term “information society” usually denotes a society, where the majority of values created by
mankind are contained in information. Most of the information stored by the society is maintained,
transformed and transmitted in a universal digital form. By using a data exchange network, all
members of society have access to information. Furthermore, in the information society, all the routine
mental work is entrusted to machines2.
In Estonia, the development of the information society is based on the Principles of Estonian
Information Policy, adopted by the Estonian Parliament in 1998. A follow-up to the document, the
Principles of Estonian Information Policy 2004-2006, was elaborated and approved by the
Government of the Republic in 2004. The strategy you are holding in your hands right now – the
Estonian Information Society Strategy 2013 – entered into force in January 2007.
The Estonian Information Society Strategy 2013 is a sectoral development plan, setting out the
general framework, objectives and respective action fields for the broad employment of ICT in the
development of knowledge-based economy and society in Estonia in 2007-2013. Several international
and EU-level policy documents, notably the EU i2010 and eGovernment action plans, were taken into
consideration when elaborating the strategy.
Activities to be carried out in the framework of the strategy are in line with the priorities set out in the
Estonian Action Plan for Growth and Jobs 2005-2007 and the Estonian National Development Plan for
the Implementation of the EU Structural Funds 2007-2013. In addition, the strategy is mutually
complementary with several other sectoral development plans, such as the Estonian Enterprise Policy
2007-2013, the Estonian R&D strategy “Knowledge-Based Estonia 2007-2013”, the Strategy for the
Preservation of Estonian Digital Heritage 2007-2010 etc.
The development of the information society as well as the application of ICT for an increased
efficiency in economic and societal processes requires co-coordinated efforts from all government
agencies. Thus, the Ministry of Economic Affairs and Communications as the main co-ordinator of
information society related developments in Estonia involved all ministries, the State Chancellery, as
well as organizations representing the third sector and scientific circles in the elaboration of the
strategy.
1
2
”i2010 – A European Information Strategy for growth and employment”
An article entitled ”Information society and its signposts” by Valdo Praust in “IT in Public Administration of Estonia 1998”
4
1. PRINCIPLES FOR THE DEVELOPMENT OF INFORMATION SOCIETY
Principles for the development of the information society in Estonia were first set out in 1998. Though
most of them have maintained their topicality, the fast development of technology has necessitated
certain shifts of emphasis.
The principles to be followed in the development of the information society in Estonia are the following:
•
the development of the information society in Estonia is a strategic choice
with public sector leading the way in pursuing its principles;
•
the information society is developed in a co-ordinated manner in co-operation
between the public, private and third sector;
•
the public sector is a smart customer, ensuring that in public procurements as
much freedom as possible is left for innovative solutions;
•
the information society is created for all Estonian residents, whereas
particular attention is paid to the integration of social groups with special
needs, to regional development and to the strengthening of local self-initiative;
•
the consistency of the Estonian language and culture is ensured;
•
the interests of both the creators and the users of intellectual property are
taken into account;
•
the development of the information society must not undermine people’s
sense of security. The protection of basic rights, personal data and identity
must be ensured, and mitigation of non-acceptable risks in information
systems must be guaranteed;
•
activities aimed at the development of the information society are linked to the
R&D efforts in Estonia;
•
the information society and the opportunities it brings are taken into account
in the elaboration of all sectoral policies;
•
trends occurring in the EU and elsewhere in the world are taken into
consideration. Furthermore, as an active partner, Estonia shares its
experience and learns from others;
•
the public sector employs the already existing technological solutions (i.e. the
ID card, the data exchange layer X-Road) and avoids duplication of IT
solutions;
•
the public sector re-organizes its business processes so as to ensure a oneoff collection of data from citizens, entrepreneurs and public bodies;
•
the public sector gives equal treatment to different hardware and software
platforms and ensures interoperability of information systems by using open
standards;
•
the collection of data and the development of ICT-solutions proceed from the
principles of re-usability.
5
2.
CURRENT STATE OF AFFAIRS AND FUTURE CHALLENGES
2.1. State of affairs
Estonia has, on its way to the information society, made considerable progress. The following includes
some examples of that:
•
advanced communications network and good internet availability;
•
innovative mindset in the public sector and its high-quality IT solutions:
o
service-oriented approach to the development of state information systems and a
secure data exchange layer called the X-Road, which constitute the cornerstones of
the so-called common service space;
o
single-point-entry to the state at www.riik.ee;
o
Citizen portal at www.eesti.ee reflecting the state as an integral whole, where
authorized users have three possible roles: that of the citizen, the entrepreneur and
the official;
•
high-quality IT solutions in the private sector, in particular internet banking and mobile
applications;
•
success stories in the Estonian ICT sector (i.e. internet communications company Skype,
provider of various GIS and mobile positioning solutions – Regio, provider of different mapplications and m-solutions – Mobi Solutions etc);
•
wide use of ICT in education as a result of the Tiger Leap programme aimed at the internetization
of general education schools and improvement of IT skills among teachers;
•
the largest functioning public key infrastructure in Europe, based on the use of electronic
certificates maintained on the national ID card and allowing to considerably improve the security
and functionality of IT solutions. More than 80% of the population possess the ID card that
enables both electronic authentication and digital signing. Relevant legislation is in place, giving
the digital signature equal power with the handwritten one, and imposing a responsibility on public
authorities to accept digitally signed documents;
•
eagerness of the Estonians to use innovative solutions (wide take-up of IT solutions provided by
the Tax and Customs Board, internet banking, m-parking etc).
Estonia’s achievements in developing the information society have been recognized in various EU and
international surveys, such as the European Commission’s Information Society Benchmarking Report
2005, Global Information Technology Report 2004-2005 (published by the World Economic Forum),
Top 10 Who are Changing the World of Internet and Politics (compiled by the global eDemocracy
Forum in 2005) to name a few.
This success has been based on the implementation of priorities set out in the Principles of Estonian
Information Policy. So far, information policy related activities in Estonia have mainly been focused on
the development of ICT infrastructure and the creation of systems necessary for implementing sectoral
policies. However, in order to increase the competitiveness of the society, more emphasis needs to be
placed on the development of citizen-centred and inclusive society, knowledge-based economy as
well as transparent and efficiently functioning public administration.
6
2.2. Future challenges
2.2.1.
Computer and internet access. Information society infrastructure
Participation in the knowledge-based society presumes access to the internet and ICT-based services.
As a result of the early liberalisation of the telecommunications market and intense competition,
Estonia has a well-developed communications network: all central and local government agencies,
public libraries as well as educational and health institutions have an internet connection, as do 90%
of Estonian enterprises. Approximately 90% of the Estonian population lives in areas with immediate
availability of broadband internet. Technology convergence, development and increased supply of
triple play (digital TV, internet connection and telephone) solutions and mobile data communications
will facilitate access to the internet further. At the same time, it should be kept in mind that the use of
information society services will raise the bar for the speed and quality of data communications.
Though regionally the spread of the internet is rather even, significant discrepancies still exist locally.
The launch of new and advanced services tends to be focused in bigger centres, while in dispersed
areas high-quality broadband still remains a challenge. However, the internetization of rural areas
largely contributes to rural development, ensuring the availability of operational information and
services as well as helping to increase the quality of life in rural areas.
For a certain part of the population, in particular for the economically underprivileged and the elderly,
access to the internet is often restricted by lack of home PCs. Survey results reveal that for half of
non-users, lack of home PCs due to high computer prices is the main reason for not using the internet.
At the same time, a third of today’s non-users would start using the internet if their economic situation
improved. Thus, continuous efforts are needed to ensure internet access in public places. In addition,
awareness needs to be raised about intellectual property rights. Half of the respondents to a survey
carried out by the Estonian Software Association in spring 2006 claimed that their home PC contains
legal software, whereas a third of them did not consider the legality of software in their home PC
important at all.
Wireless Estonia
In Estonia, wireless internet is a rule rather than an exception – for its 45,000 square kilometres
surface area there are nearly 900 wi-fi hotspots in Estonia, most of them free.
In Tallinn, wi-fi is offered in numerous cafes and petrol stations; in addition, in summer 2005 wireless
internet was made available for free in all the capital’s beaches and many parks. Wireless internet can
also be used on commuter trains, allowing thus to stay in touch with your friends/colleagues and keep
working while travelling around Estonia.
Village Road 3 (KülaTee 3)
Village Road 3 is a target programme aimed at the internetization of rural areas. It serves as a followup to similar programmes Village Road 1 (aimed at the internetization of local government agencies)
and Village Road 2 (targeted at the internetization of public libraries).
The objective of Village Road 3 is to improve the availability of broadband internet in scarcely
populated areas, where the private sector has no economic interest to invest. By the time of the
completion of the programme, the availability of broadband internet in remote areas will be as high as
that in densely populated regions. The target group of the programme includes local government
agencies as well as people residing in areas of market failure.
7
2.2.2.
ICT and internet use
Internet use in households
Despite good and affordable internet availability, computer and internet use in Estonian households
still lags behind that in the public and private sector. In spring 2006, 58% of the population aged 15 to
74 used the internet and 39% had an internet connection at home. As mentioned earlier, one of the
challenges lies in raising the quality and availability of the internet in different regions, especially in
areas of market failure, where it is not profitable for the private sector to invest. However, internet use
does not solely depend on the availability of infrastructure, or the price of service, but, to a
considerable extent, also on motivation – the existence of useful and necessary content as well as
awareness of opportunities the information society offers. Though Estonia has been successful in
bringing public sector services online, further efforts are necessary to increase people’s awareness of
the population about new convenient services still needs to be strengthened.
Furthermore, for some non-users the use of the internet is restricted due to insufficient consideration
of their specific (i.e. regional, cultural and social) needs and expectations. A significant part of nonusers, in particular the skilled labour and the elderly, lack motivation to use ICT due to the shortage of
interesting and necessary content. As a result, they do not regard the internet as part of their life.
Survey results indicate that eHealth and other social services have a strong potential of boosting
motivation to use the internet and e-services. In addition, more can and should be done in the field of
eAccessibility. In the elaboration of centrally developed portals, such as www.eesti.ee, www.riik.ee,
etc, WAI (Web Accessibility Initiative) guidelines have been followed. However, compliance to WAI
standards still needs to be raised in individual public agencies.
The development of an inclusive society requires the creation of trust towards electronic channels.
The growth of internet-based attacks, limited awareness of IT security issues, and possibilities to
quickly copy and integrate voluminous data might pose a threat to people’s privacy, lower their sense
of security and, thus, their interest to use the opportunities of the information society. Trust in the
internet and motivation to use it depend on people’s skills to use the computer and e-services. Public
sector e-services are considered difficult to use by slightly more than a quarter of internet users in
Estonia, in particular by the over-60 age group. Thus, computer and internet training for the entire
population must be continued. It is also important to realize that ICT does not only create opportunities
for fixing bottlenecks, but also offers additional options for participating in public life (eDemoracy), for
continuous, flexible and personalized self-perfection (eLearning), entertainment, etc. Similarly, it has to
be kept in mind that more than half of today’s internet non-users have no intention of starting to use it.
In order to avoid the deepening of the digital divide between those with access to the internet and eservices and those without it, public service provision must be ensured via multi-channel systems.
eVoting
At local government elections of 2005, the Estonians could, for the first time, cast their votes
electronically, using the secure ID card as an authentication mechanism. eVoting does not aim to
replace the traditional voting methods, but provides, with the help of new technology, additional
options for enhanced inclusion. Thus, people could vote electronically on advance polling days with a
possibility to change their vote on the election day at the polling station, making the previously given
eVote void.
Estonia is the only country intending to make use of eVoting also at its general elections (to be held in
March 2007). This time, an additional feature will be added to the process: voters can request their
elector cards to be sent to them electronically, eliminating thus the need for the paper card and doing
one’s bit for the environment.
Computer Protection 2009
The objective of the joint project of the private and public sector is to increase public awareness about
IT security and teach people, how to use the internet safely. To this end, a number of sub-projects will
be launched, one of the priority fields being the promotion of ID card based authentication in the use of
e-services.
8
One of the first steps taken within the project was the launch of an IT security portal
www.arvutikaitse.ee, which provides information on how to protect one’s computer from cyber
criminals and gives advice on how to be safe and avoid falling victim to fraud when shopping online.
The project is carried out by the Look@World Foundation, which was established in 2001 by ten
leading companies in Estonia with the aim to considerably increase the number of internet users, and
raise, thereby, the living standard. The projects implemented so far include basic computer and
internet training for 100,000 people, development and implementation of the eSchool environment,
and opening nearly 500 public internet access points in Estonia. The state is represented in the
partnership by the Ministry of Economic Affairs and Communications.
ICT and internet use in enterprises
Though most Estonian enterprises have an internet connection, the use of ICT and the internet for
eCommerce and eBusiness is still limited. In 2005, 24% of Estonian companies received orders from
customers and business partners via the internet (e-mail excluded) and 69% of companies placed
orders to other companies online. The limited spread of eCommerce can be explained by Estonia’s
geographical size and unsuitability of the internet for the purchase and sale of certain service and
product groups. Without sufficient consumer demand investments in the development of internetbased purchasing and selling might not pay off. However, the competitiveness of enterprises is clearly
jeopardized by the limited use of eBusiness, i.e. use of ICT-ies in their basic business processes. The
development of ICT has reached a stage where, from the viewpoint of economic competitiveness, it is
not only the strength and export capacity of the ICT sector itself that plays a significant role, but also
the take-up of ICT in all sectors of economy. Despite the continuously fast economic growth the
productivity growth in Estonia still remains to be desired – in 2004, it only accounted for 50.6% of the
EU average. The use of ICT-ies allows enterprises to significantly increase their productivity and
launch more innovative products and services, in particular if organizational change and upgrading of
skills are accompanied with the implementation of new technology. While the public administration as
well as the banking sector and telecom companies have changed their business processes through
the use of ICT, the awareness of eBusiness among SMEs just as well as their capability to apply ICTies in their basic processes are more limited.
Furthermore, increased efforts are needed to improve companies’ understanding of the impact of ICT
on their economic activities. According to a survey on eBusiness carried out in 2006, only 16-18% of
Estonian enterprises found that ICT-ies play a significant role in cost reduction, increase of turnover
and profit, and launch of new products or services. The survey results reveal that the main reason
enterprises do not use eBusiness solutions lies in the need to make huge investments the profitability
of which is uncertain.
Understanding the impact of ICT on entrepreneurship and economy in general is, in fact, a challenge
not only for businesses, but for the public administration as well. Therefore, research efforts aimed at
analyzing the influence of ICT on economic growth and society at large will be increased.
Set up a business in two hours!
Beginning from January 2007, a business can be set up in Estonia by way of expedited procedure
over the web at: http://ekanded.eer.ee/.
One of the main differences between the traditional and expedited procedure lies in the fact that in
case of the latter, one does not have to go to the notary: persons are identified with the national ID
card and documents are concluded by digital signature.
In case of the expedited procedure, petitions for entry are reviewed within the next working day after
the receipt of the petition. The objective is to achieve a situation, where a business could be set up in
2 hours.
Initially, expedited procedure will only be applied to the first entries of limited liability companies, selfemployed entrepreneurs, general and private limited partnerships. In addition, businesses will be able
to change the data they have submitted in the Commercial Register – this possibility is open also for
public limited companies, commercial associations and branch offices.
9
2.2.3.
Competitiveness of the Estonian ICT sector
In 2004, the Estonian ICT sector contributed 9.2% of the country’s GDP. However, more should be
done to improve the competitiveness and added value generated by the sector. Many large ICT
companies mainly operate in a market segment determined by their international parent company or
perform subcontracting. In addition, the sector can be characterized by a rather high level of
fragmentation, which may pose problems for actively launching innovative products and services as
well as for entering new markets. Furthermore, lack of qualified IT professionals is a growing
challenge for the sector, both in terms of vocational and post-graduate skills. To ensure the
development of innovative products and services, co-operation between research institutions and
entrepreneurs needs to be intensified.
In the light of the above, the sector would benefit from re-orientation from low value-added activities to
those generating higher added value. This, in its turn, presumes sufficiency of qualified IT
professionals. In order to facilitate the internationalization of the Estonian ICT cluster, it is necessary,
among other things, to provide business support measures aimed at marketing and sales promotion,
to facilitate the migration of foreign labour with post-graduate degree, and to attract large corporations
to Estonia.
The convergence of IT, voice telephony and media will give rise to entirely new business models and
forms of partnership. In this context, issues related to the protection of intellectual property represent a
significant challenge in terms of avoiding a situation, where the desire to create intellectual property or
use it legitimately might be suppressed from the outset. The creation of intellectual property as well as
its legitimate use can be promoted by ensuring efficient legal protection and raising public awareness.
State orders constitute a considerable part of the ICT sector’s turnover. However, in public
procurements the determining factor usually tends to be the price, which is why the private sector
often lacks motivation to offer the best solutions. By becoming a smart customer, the public sector
can, in addition to meeting its own needs better than so far, contribute to the development of
competitive products and services that could be marketed abroad.
Information security has become crucial both in Estonia and in the rest of the world. Compared to the
situation several years ago, the volume of information assets has grown, threats and attacks have
become more massive, security measures have become more costly, and risks are higher. Information
security can no longer be guaranteed by one agency, enterprise, working group or a state – it requires
the co-operation of all stakeholders in Estonia and elsewhere.
Competence Centre Programme
The Competence Centre Programme was launched with the objective to increase the competitiveness
of Estonian enterprises through long-term strategic co-operation between research institutions and
companies. One of the recipients of the support is ELIKO – a competence centre for electronics,
information- and communications technologies – which brings together eight technology companies
and the Tallinn University of Technology.
The main objective of the competence centre is to develop innovative technologies and products
based on intelligent embedded systems. The main areas of its activities are embedded networks, selforganizing ad hoc RFID reader networks and non-classical signal processing.
Thanks to its shared competence, ELIKO has been able to launch a Europe-wide project on robotics
th
called ROBOSWARM. The project, funded by the 6 Framework Programme, aims to develop an
open knowledge environment for self-configurable, low-cost and robust robot swarms usable in
everyday applications.
10
Tiger University+
The objective of the programme is to support ICT academic staff and degree courses’ infrastructure as
well as to contribute to the development and modernization of ICT infrastructure at higher education
establishments.
Support is given, for example, for the participation of ICT professors in international conferences,
seminars and workshops, to promote the mobility of post-graduate ICT students etc.
2.2.4.
ICT and public administration
Wide use of ICT in the public administration allows to improve the efficiency of the state machinery,
influencing, thus, also the availability and quality of public services and increasing opportunities to
participate in decision-making processes.
Estonian central and local government agencies have developed and taken into use a number of
modern and well-functioning information systems. The development of the state IT architecture is
service-oriented, a data exchange layer X-Road has been developed and is fully operational, and a
number of e-services have been created both at central and local level. However, increased efforts are
needed in order to improve the functioning of different information systems as an integral whole. In
addition, more needs to be done in terms of semantic interoperability and re-use of geographical
information.
The shift of emphasis from the development of technological solutions to that of information society as
a whole poses new challenges also to the national ICT co-ordination model. Today, agencies primarily
proceed from an institution-based or local view. Modern ICT solutions, however, allow to develop
horizontal (cross-institutional) solutions based on an integral view and corresponding better to citizens’
needs.
Increasing the efficiency and transparency of the public sector through the wide take-up of ICT will
change the way the public administration functions and pose challenges in terms of skills of civil
servants. Organizational changes necessary for the efficient functioning of the public administration in
the information society need to be analyzed in depth and implemented. Besides, the fast development
of technology and paradigm changes it brings along necessitates an increase in socio-economic
research so as to ensure that policy formulation would respond to the needs of the information society.
As mentioned before, smart use of ICT allows to increase the efficiency of public service provision
both for citizens and enterprises. A number of convenient complex services have already been
developed (e.g. the parental benefit service, the service of informing about state graduation
examination results via e-mail, applying for the European health insurance card etc.) and gained
popularity in Estonia. Nevertheless, more efforts are needed in order to make service development in
the public sector more systematic and responsive to the needs of potential customers.
The use of ICT allows the state to communicate with its citizens in their different roles in a more
personalized manner. The Citizen portal at www.eesti.ee provides additional options for that and
needs, thus, to be developed further. In the light of the above, principles for the design and
development of public e-services are to be agreed upon. The development of e-services should give
more consideration to customer expectations and needs. While to date, the main focus has been on
the development of services for citizens, in the future more attention needs to be paid to the
identification and development of e-services for enterprises.
ICT-ies represent an efficient tool for increased inclusion of citizens in public debates and decisionmaking processes. Today, public sector websites are mainly used for giving information and, to a
certain extent, for the provision of e-services. Their role, however, in increasing citizen participation
should still be enhanced.
Public information is generally widely available, yet it is frequently scattered. The importance of an
integral systematic approach is increasing, as this would largely facilitate information search and use
of e-services. Citizens’ trust in the state can be boosted through proper handling of personal data,
allowing people to conveniently monitor, who and why uses their data.
11
Paperless document management
To increase the efficiency of document exchange in the public sector and to facilitate the transition to
entirely paperless management of business, a nationwide document repository has been developed in
Estonia. Figuratively, the information system functions as an intermediate storehouse where the
document sender sends the document to and from where the document receiver can download it.
The document repository is connected to the data exchange layer X-Road. As documents are
submitted to the system in a universal digital form, they can be automatically registered in document
management
systems.
Traceability of the use of one’s data
The wide take-up of ICT as well as the constant availability of information and data may raise
concerns over loss of privacy and, thus, undermine people’s trust in e-services and ICT solutions. In
order to ensure transparency when dealing with personal data collected by the sate, the Citizen and
Migration Board has made it possible on the Citizen portal (www.eesti.ee) to trace, who and when
has been checking the citizen’s data from their databases. In case any doubts arise regarding the
justifiability of such checking, the citizen can contact the respective agency and demand an
explanation.
12
3. VISION
Estonia is a constantly developing, inclusive society, raising the living standard of everybody. The
wide take-up of ICT in all fields of life (i.e. culture, education, health care, employment, and internal
security) allows to improve citizens’ quality of life as well as to actively involve them, risk groups
included, in public life. Estonian enterprises use ICT and reorganize their business processes and
management models, increasing, thus, their productivity and competitiveness. There are sufficiently
qualified IT professionals in the Estonian ICT sector, our ICT solutions are known worldwide, and the
ICT sector is successful in exporting its products and services. Rational use of ICT enables the public
administration to function efficiently and be inclusive for all. Public sector services for citizens and
enterprises are secure, optimized and accessible via one service space. In the governance of the
state, needs and expectations of citizens in their different roles are considered. To this end, ICT-ies
are made use of so as to ensure the development of individualized and citizen-centred solutions.
13
4. ACTION FIELDS AND MEASURES
In order to realize the vision, measures have to be elaborated and implemented in three dimensions
on which the functioning of the society is based – social, economic and institutional. Therefore, the
objectives of the Information Society Strategy are the following:
•
each member of the society leads a full life, using the opportunities of
the information society in every possible way and actively participating
in public life (“nobody will stay or will be left behind”);
•
Estonia’s economic growth is based on the wide use of ICT solutions;
•
public sector is citizen-centred, transparent and efficient.
Action field I: Development of citizen-centred and inclusive society
In the information society, most of the information is stored in a universal digital form. The availability
of information and skills to use it create preconditions for increasing the welfare and quality of life of
citizens. Citizens’ welfare also depends on how much their needs are taken into account when
organizing public life. Participation in the information society requires, on one hand, multi-channel
access to digital information and, on the other hand, skills and willingness to use the opportunities
created as well as motivation to actively participate in decision-making processes.
•
By 2013, 75% of Estonian residents will be using the
internet, while household internet penetration will
amount to 70%
•
By 2010, all public sector websites will comply with
WAI quality criteria
To achieve the objective, two measures will be focused on:
1. Broadening technological access to digital information;
2. Improving skills and widening opportunities for participation.
Within the two measures, the following activities are planned:
1. Broadening technological access to digital information
•
Development of data communications networks in areas of market failure and ensuring their
commercialization. The objective is to ensure the availability of high-quality internet service
throughout Estonia. Thus, the development of internet connections will be facilitated in
regions, where the private sector lacks economic interest to invest, and in areas, where the
quality of internet does not correspond to the needs and requirements of the information
society.
Responsible authorities: Ministry of Economic Affairs and Communications, Ministry of Internal
Affairs
•
Ensuring favourable environment for the development of new telecommunications
technologies and technological convergence, including the take-up of digital TV. The objective
of the activity is to ensure a smooth launch of new telecommunications-based services and
guarantee the possibility to use services of similar quality irrespective of technological
solutions used for their transmission.
14
Responsible authority: Ministry of Economic Affairs and Communications
•
Bringing public sector websites into compliance with WAI quality criteria so as to ensure their
accessibility for all, including people with special needs.
Responsible authorities: central and local government agencies, with Ministry of Economic
Affairs and Communications taking responsibility for the awareness raising and monitoring of
the process
•
Further development of the Citizen portal at www.eesti.ee. For citizens, the portal serves as a
secure personalized “virtual office” through which they can, in their different roles, manage
their affairs (use public services etc.) and communicate both with the state, enterprises and
other citizens. All public sector services will be made available via the Citizen portal.
Responsible authority: Ministry of Economic Affairs and Communications
2. Improving skills and widening possibilities for participation
•
Continuous upgrading of knowledge and skills of all members of society in order to ensure
their ability to cope in the information society. Provision of basic computer and internet training
for the elderly and people with special needs will be continued. It will be ensured that curricula
of all levels of education would facilitate the acquisition of computer and internet skills. In
addition, the development of public sector e-services will include relevant instructions and
guidebooks.
Responsible authorities: Ministry of Education and Research, Ministry of Economic Affairs and
Communications
•
Development and promotion of internet-based learning environments (eLearning). The
objective of the activity is twofold:
o
to facilitate the improvement of existing and the acquisition of new skills in continuing
education and retraining;
o
to make traditional learning processes more flexible and individualized.
Responsible authorities: Ministry of Education and Research, Ministry of Social Affairs
•
Raising public awareness about the information society. The objective is to increase the
awareness of the Estonian population about internet-based services as well as the
opportunities and threats related to the information society.
Responsible authorities: Ministry of Economic Affairs and Communications, Ministry of Internal
Affairs and other agencies
•
Digitization and digital preservation of cultural heritage, making it available via the internet for
citizens, and integrating it with eLearning environments. Information about objects of historic,
scientific, artistic, technological, social etc. value will be digitized and made available for the
public. Planned activities include the development of a digital library and a virtual museum,
establishment of a digital archive and a portal on cultural heritage.
Responsible authority: Ministry of Culture
•
Widening opportunities for participation in decision-making processes (eDemocracy).
Ministries and local governments will develop internet-based environments for the inclusion of
citizens and interest groups in decision-making processes. In addition, eVoting will continually
be used.
Responsible authorities: State Chancellery, Ministry of Justice
•
Implementation of flexible work arrangements. Barriers to teleworking will be identified and
solutions will be developed to overcome these.
Responsible authorities: Ministry of Social Affairs, Ministry of Internal Affairsr, Ministry of
Finance
15
Action field II: Development of knowledge-based economy
In its economic dimension, the strategy aims to increase the ICT uptake in all economic sectors. It will
contribute to the increase of productivity in enterprises, as well as their capability to develop innovative
products and services, and improve thereby the competitiveness of the Estonian economy. On the
other hand, the strategy seeks to create necessary pre-conditions for greater competitiveness and
internationalization of the Estonian ICT sector.
•
By 2013, the productivity per employee in Estonian
enterprises will account for 75% of the EU average
•
By 2013, the share of ICT enterprises in the national GDP
will amount to 15%
To achieve this, the following measures will be pursued:
1. Promotion of ICT uptake by enterprises;
2. Increasing the competitiveness of the Estonian ICT sector.
1. Promotion of ICT uptake by enterprises
•
Supporting the ICT uptake and use of eBusiness through business and innovation support
measures. The planned activities are the following:
o
elaboration and implementation of a specific ICT programme;
o
raising awareness about the opportunities of eBusiness in the framework of the
Innovation Awareness Programme;
o
supporting feasibility studies related to technology transfer;
o
giving investment support to manufacturing enterprises for the modernization of
technology;
o
provision of training and consulting for enterprises, including IT companies;
o
giving support for enterprise diagnostics to identify the development barriers and
opportunities of enterprises. A part of the diagnostics focuses on the level of ICT
uptake in a company and related possibilities.
Responsible authority: Ministry of Economic Affairs and Communications, implementing
agency: Enterprise Estonia
•
Re-organization of general, vocational and higher education so as to ensure conformity of
labour skills to the requirements of knowledge-based economy. The objective is to provide
workers of all professions with ICT skills and competence in order to cope in the knowledgebased economy. To this end, national curricula will be modernized and electronic study
materials, learning environments and e-courses will be developed and taken into use at all
educational levels.
Responsible authority: Ministry of Education and Research
•
Development of a common service space for the public, private and third sector to facilitate
communication between the three sectors.
Responsible authority: Ministry of Economic Affairs and Communications
•
Widening the opportunities of re-using public sector information by the private and third sector.
The objective is to ensure barrier-free use, both in terms of financial and administrative
obstacles, of public sector information, including for commercial use. To this end, the usability
of digital information created by the public sector will be increased through the modernization
of legal environment and development of relevant IT solutions.
Responsible authorities: Ministry of Justice, Ministry of the Environment, Ministry of Economic
Affairs and Communications
16
•
Ensuring a favourable environment for the development of eBusiness. Relevant legislation,
including privacy, consumer protection and information security related aspects, will be
reviewed.
Responsible authorities: Ministry of Justice, Ministry of Economic Affairs and Communications
and other ministries
2. Increasing the competitiveness of the Estonian ICT sector
•
Bringing IT education in accordance with the requirements of the ICT sector. To this end,
training opportunities will be widened for IT lecturers both at vocational and higher education
level; the apprenticeship system will be improved, and mechanisms will be developed for
increasing motivation among post-graduate students.
Responsible authority: Ministry of Education and Research
•
Supporting the internationalization of the Estonian ICT sector. Planned activities include,
among others, the following:
o
making the software procured by the public sector available in order to avoid
duplication of similar solutions and to facilitate the exports of Estonian ICT solutions;
o
facilitating the participation of Estonian ICT enterprises in EU and international
programmes and networks by supporting the preparation of project applications and
ensuring the availability of required national self-financing;
o
facilitating the migration of highly qualified foreign labour;
o
distribution, creation, and publishing of relevant standards.
Responsible authority: Ministry of Economic Affairs and Communications; implementing
agency: Enterprise Estonia
•
Facilitating the development of high-quality and innovative information society and media
services as well as settling intellectual property related issues. Favourable environment will be
ensured for the development of multimedia services provided via the internet, digital TV and
mobile communications. Legal questions related to the principles of service provision will be
solved.
Responsible authorities: Ministry of Culture, Ministry of Economic Affairs and Communications
•
Elaboration and implementation of principles concerning the outsourcing of services
necessary for the functioning of the state information system. The objective is to standardize
the requirements, guidelines and practices related to services outsourced in order to ensure
the functioning of the state information system (i.e. data communications, server hosting,
application hosting, support services etc) in a way that would, on one hand, improve the
service quality of different components of the state information system, and, on the other
hand, favour the development of the market offering those services.
Responsible authority: Ministry of Economic Affairs and Communications
•
Increasing the role of the Estonian ICT sector in the development of the country’s defensive
capacity. To this end, more use will be made of the potential of the Estonian ICT sector in
organizing military offset and in promoting civil applications related to development works in
the field of defence.
Responsible authorities:
Communications
Ministry
of
Defence,
Ministry
of
Economic
Affairs
and
Action field III: Development of citizen-centred, transparent and efficient public
administration
The strategy aims to achieve a situation, where the public sector functions efficiently while collecting,
using and maintaining data necessary for ensuring the provision of public goods in a common and
systematic manner. Public sector business processes are transparent and easy to understand; public
services for citizens and entrepreneurs are accessible via electronic channels, they are widely used
and take into account user needs.
17
•
By 2013, citizen satisfaction with public sector eservices will reach 80%
•
By 2013, satisfaction of businesses with public sector
e-services will be 95%
To achieve this, two measures will be focused on:
1. Improving the efficiency of the public sector;
2. Provision of user-friendly public sector e-services.
1. Improving the efficiency of the public sector
•
Transforming public sector business processes so as to make better use of advantages and
possibilities enabled by the application of ICT. The objective is to simplify and speed up
administrative procedures and ensure their efficiency.
To this end, the following activities are planned:
o
all management of business in the public sector, including proceeding and archiving of
documents, will be made electronic;
o
an analysis will be carried out about changes that have to be made in the legal
environment and organizational management in order to ensure paperless
management of business and automation of business processes. Necessary changes
will be implemented;
o
the availability of public sector information will be ensured in a unique digital form;
o
the capability of civil servants to cope with changes brought along by the development
of the information society will be ensured, leading to increased efficiency in their daily
work processes;
o
those responsible for the development of the public administration will have sufficient
ICT competence.
Responsible authorities: Ministry of Finance, State Chancellery, Ministry of Economic Affairs and
Communications, Ministry of Justice, and other ministries.
•
Increasing the efficiency of policy formulation through better use of data and increased research
about the impact and challenges of the information society. Research into different aspects of
the information society both from the economic, societal and individual perspective will be
increased. In addition, the definition of the ICT sector will be reviewed, and a system of ICT
statistics and economic analysis will be developed, allowing thus improved evaluation of the
impact of the ICT sector on the economy.
Responsible authorities: Ministry of Economic Affairs together with other ministries
•
Modernisation of state information systems so as to ensure their integration into a single
interoperable whole functioning on the basis of user needs, not institutional structures.
To this end, the following activities are planned:
o
ensuring that the data used in different parts of the state information system would
have a single meaning. To achieve this, the following actions will be undertaken:
development of mechanisms for the re-use of semantic assets; elaboration of XMLbased descriptions for main types of public sector documents; development of an
XML competence centre; development of a common thesaurus for the indexing of
services and websites; standardization of the structure of public sector websites and
development of mechanisms for their re-use;
o
transition of state databases and registers to a service-oriented architecture;
o
ensuring full traceability of all public sector services by stages;
18
o
development of the administration system for state information systems (RIHA), which
contains service descriptions and ensures the re-use of services and their fragments;
o
ensuring the re-use of geo-information generated by different public sector bodies;
o
establishment of a competence centre and a repository for open source software for
the re-use of developed solutions and knowledge.
Responsible authorities: Ministry of Economic Affairs and Communications with other ministries
•
Development of electronic authentication and authorization mechanisms, including participation
in cross-border eID (electronic identity) projects. The objective is to ensure the organizational
interoperability of public and private sector organizations providing and using the public key
infrastructure. Work planned under this activity seek to achieve a situation, where:
o
the ID card is the main personal identification tool in the electronic environment both
for the public and private sector;
o
digital stamp or the “Business ID” procedures have been taken into wide use;
o
the ID card and the respective software always correspond to new technological
possibilities and international standards;
o
legislation concerning the personal identification code and the ID card is reviewed so
as to ensure its conformity to the requirements of the information society.
Responsible authorities: Ministry of Economic Affairs and Communications, Ministry of Internal
Affairs and other ministries
•
Ensuring the functioning and development of support systems for the maintenance of the state
information system.
Responsible authorities: Ministry of Economic Affairs and Communications together with other
ministries
•
Development of systems necessary for increasing the efficiency of state and local government
agencies. The objective is to improve the provision of e-services at local level and avoid multiple
development of similar solutions by different local governments.
19
2. Provision of user-friendly public sector e-services
•
Integration of the public, private and third sector into one service space to improve the quality of
service provision in the public sector. Citizens will be able, in their different roles, to make use of
a common secure service space (based on the “single window” principle), allowing them to use
public services and communicate in one environment with the state, businesses as well as other
citizens.
Responsible authorities: Ministry of Economic Affairs and Communications together with other
ministries
•
Identification, development, launch and active implementation of high impact services
(eProcurement, eInvoicing etc).
Responsible authorities: central and local government agencies
•
Development of public sector e-services in different fields of life for citizens, businesses and
public sector agencies. Relevant information systems will be developed and implemented in
order to increase the efficiency of service provision through ICT, including making health and
social services available irrespective of one’s location.
Responsible authorities: central and local government agencies
•
Opening up of Estonian e-services for the citizens of other countries, especially those from the
EU member states.
Responsible authorities: central and local government agencies
20
5. IMPLEMENTATION OF THE STRATEGY
The Estonian Information Society Strategy 2013 sets out the basic principles of the Government of the
Republic for the development of the information society in Estonia. These principles are taken into
account and translated into relevant activities in the process of updating and elaborating of
organizational, sectoral and regional development plans by government agencies.
The strategy is implemented on the basis of annual Information Society Implementation Plans. At the
beginning of each year, agencies whose fields of activity and competence are encompassed by the
strategy submit to the Ministry of Economic Affairs information about the ICT development works they
intend to carry out during the following year. The Ministry of Economic Affairs and Communications as
well as other related ministries take this information into account when elaborating their organizational
strategies, which serve as an input for the State Budget Strategy. The Ministry of Economic Affairs
and Communications submits the draft of the Information Strategy Implementation Plan that has been
amended according to the State Budget Strategy to the Government for approval.
The implementation plan is realized in the form of project-based development works in accordance
with the principles set out in the Estonian IT Architecture and Interoperability Framework. Projects are
financed both from the state budget and the EU structural funds. Expenses related to the activities to
be funded from the state budget are planned by the respective implementing agencies, while central
and cross-institutional activities are financed via the Structural Funds.
In order to achieve the objectives of the strategy, sectoral expert groups will be established for all
three action fields. The expert groups will bring together representatives from respective ministries, the
third sector as well as from academic circles. Their task will be to continuously analyze the current
situation and evaluate the topicality and significance of objectives set out in the Information Society
Strategy. Based on their analysis, expert groups will make reasoned proposals to be considered in the
drafting of the priorities and activities of the Information Society Implementation Plan. In addition, the
results of their analyses will contribute to the updating of the Information Society strategy itself.
21
The Estonian ID Card and
Digital Signature Concept
Principles and Solutions
Ver 20030307
Contents
Contents .........................................................................................................................2
Status of the document...............................................................................................3
Introduction................................................................................................................3
Intended audience ......................................................................................................3
Current project status .................................................................................................3
Principles........................................................................................................................4
Digital signature regulation........................................................................................4
Digital signature concept .......................................................................................4
Certification Service Providers (CSP-s) ................................................................4
Time-stamping Service Providers (TSP-s) ............................................................4
Supervision – Registry and Ministry .....................................................................5
Foreign Certificates................................................................................................5
Identity Document Regulation...................................................................................5
Mandatory document .............................................................................................5
Card appearance and layout ...................................................................................5
Electronic data on card...........................................................................................6
Certificates .............................................................................................................7
E-mail address........................................................................................................7
Data protection.......................................................................................................7
Organizational structure, card issuing and operation.............................................8
Solutions ......................................................................................................................10
Certificate profiles and e-mail addresses .................................................................10
Certificate validity verification methods .................................................................10
OCSP, time-stamping and evidentiary value of digital signatures ..........................10
Document format and DigiDoc................................................................................11
Roles, authorizations and organizations' validations ...............................................12
New ideas: replacement and alternative cards .........................................................13
2
Status of the document
This document is prepared by AS Sertifitseerimiskeskus (www.sk.ee). You may
freely distribute it in original verbatim form (without making any changes). The
Estonian ID card project information, including the newest version of this whitepaper,
is available online at http://www.id.ee. You may contact us at [email protected].
Introduction
Estonia has implemented ID card as the primary document for identifying its citizens
and alien residents living within the country. The card, besides being a physical
identification document, has advanced electronic functions that facilitate secure
authentication and legally binding digital signature, in connection with nationwide
online services.
This whitepaper gives an overview of the principles behind the project and explains
the choices and decisions made while carrying out the card project. It also presents an
overview of how the associated services and applications are implemented.
Intended audience
The first part of the whitepaper, "Principles", is written for decision-makers and
potential common users from a legal and economic perspective. The second part,
"Solutions", is for implementers and assumes knowledge about basic PKI concepts.
Current project status
The first Estonian ID cards were issued in January 2002. In one year, more than 130
000 cards have been issued, and the total figure is expected to grow to more than 350
000 by the end of 2003 (about 25% of the whole population).
The card is meant to be universal and its functions are to be used in any form of
business, governmental or private communications. It is already helping people to
make everyday communications more convenient. You can find more details about
the implementation and applications below.
3
Principles
Digital signature regulation
Estonian parliament (Riigikogu) passed the Digital Signature Act (hereinafter DSA)
on March 8, 2000, and it entered into force on December 15, 2000. The law regulates
issues that are essential for implementing a nationwide PKI and digital signature
infrastructure. The law is available online at
http://www.legaltext.ee/text/en/X30081K3.htm.
Digital signature concept
According to the Estonian DSA, digital signatures are equivalent to handwritten ones,
provided that they are compliant with the requirements set forth in DSA and if other
laws do not regulate otherwise. Thus as a rule, digital and handwritten signatures
should be equivalent in document management in both public and private sectors.
DSA also states that public sector organizations must accept digitally signed
documents.
The requirements set forth in DSA to digital signatures state that digital signature
must uniquely identify the signatory, be bound to the signed data in such a way that
makes changing the data after signing impossible without invalidating the signature,
and identify the time of signing (assuming the use of time-stamping or equivalent
time establishment technology).
In the terms of EC directive 1999/93/EC, DSA only regulates advanced electronic
signatures. Other types of electronic signatures can of course be used, but DSA does
not give them legal power.
Certification Service Providers (CSP-s)
DSA regulates the work of CSP-s in Estonia, setting forth requirements to them and
regulating their operation and supervision. CSP-s may only be legal entities with a
regulated minimum share capital, they must be entered in the National Certificate
Service Provider Registry (see below) and must carry out an annual audit to ensure
organization and system reliability. CSP-s must also have liability insurance to
safeguard against compensating faults made while providing the service.
It is important to note that according to DSA, CSP-s certify only real persons
identifiable by name and ID code – issuing certificates to pseudonyms is not currently
covered by DSA. It was discussed in the parliament during the law adoption process,
but was considered to be an additional unnecessary risk and so far, no need for this
has been seen.
Time-stamping Service Providers (TSP-s)
DSA also regulates the work of TSP-s and the comparison of time stamps between
TSP-s. The requirements to service providers are generally the same as those to CSP4
s. According to DSA, a time stamp is simply a data unit that proves that certain data
existed at a certain moment. DSA does not define time stamps in more detail, but
states that they must be bound to the timestamped data and issued in such a way that it
would be impossible to change the timestamped data without invalidating the
timestamp.
Supervision – Registry and Ministry
The National Registry of Certification Service Providers contains data about all
Estonian CSP-s and TSP-s. Although it confirms the public keys of CSP-s, it is
technically not a root CA in Estonia. Instead, it functions as a supervisory authority,
confirming the results of service providers’ annual audits among other things. The
Ministry of Economy and Communications, in whose administration area the registry
works, has the right to verify audit results and inspect the service providers’ premises
and relevant information.
Foreign Certificates
DSA regulates the recognition of foreign certificates, stating that in order for them to
be recognized equivalent to those issued by Estonian CSP-s, they must be either
confirmed by a registered CSP, be explicitly compliant with DSA requirements or
covered by an international agreement.
Identity Document Regulation
Identity documents in Estonia are regulated by the Identity Documents Act. The law
is available online at http://www.legaltext.ee/text/en/X30039K7.htm.
Mandatory document
According to the Act, possessing an ID card is mandatory for all Estonian residents
and also for all aliens who reside permanently in Estonia on the basis of a valid
residence permit with a period of validity of at least one year. There are no sanctions
for not having a card, but it is expected that as the first Estonian passports were issued
in 1992 with validity period of 10 years and they are expiring, most people will apply
for either only ID card, or ID card together with passport when renewing their
documents in the period 2002-2006. By the end of 2006, one million cards will have
been issued.
There is only one version of the document: there are no different optional features that
users can opt out of or choose to (not) have. All documents are equipped with a chip
containing electronic data and certificates (see below). It is understood that some
users may have doubts or fears about electronic use of the card, but remedies are
provided for that: if users do not wish to use the electronic functions of their cards,
they can suspend the validity of their certificates, thus making it impossible to use the
card electronically. Certificate suspending or revoking also removes user's data from
public certificate directory.
Card appearance and layout
The card looks as follows.
5
Front side of the Estonian ID card.
Back side of the Estonian ID card.
The front side of the card contains the card holder's signature and photo, and also the
following data:
• name of card holder
• personal code (national ID code) of card holder
• card holder birth time
• card holder sex
• card holder citizenship
• residence permit details and other information (if applicable)
• card number
• card validity end
The back side contains the following data:
• card holder birth place
• card issuing date
• card and holder data in machine-readable (ICAO) format
Electronic data on card
Each ID card contains various pieces of data. All the above data except photo and
handwritten signature are also present on the card in electronic form, in a special
publicly readable data file. In addition, the card contains two certificates and their
associated private keys protected with PIN codes. The certificates contain only the
holder's name and personal code (national ID code). In addition, the authentication
6
certificate contains the holder's unique e-mail address. Read more about certificates
and e-mail address below.
Certificates
Each issued ID card contains two certificates: one for authentication and one for
digital signing. There are also two associated private keys, protected by two separate
PIN codes, on the card. The certificates contain no restrictions of use: they are by
nature universal and meant to be used in any form of communications, whether
between private persons, organizations or the card holder and government. They
contain no roles or authorizations: those most come using some out-of-band method
(also see below, "Roles, authorizations and organizations' validations").
The certificates contain the card holder's name and national ID code. It is agreed in
Estonia that this data is public by nature. The certificates identify the card holder
uniquely because even though there may be name overlaps, the national ID code is
unique. In addition, the authentication certificate contains the card holder's e-mail
address.
E-mail address
The authentication certificate on each ID card contains the card holder's governmentassigned e-mail address in the format [email protected], where
NNNN are four random numbers. The random numbers are necessary to provide
unique e-mail addresses even to persons with the same name. The address does not
change with subsequent certificate or card issuing – it is guaranteed to be a person's
"lifetime" address.
There is no real e-mail service associated with the address. It is a merely a relay
address which forwards e-mails to users' "real" addresses (e-mail accounts). Each user
must configure the forwarding addresses using an online service made available for
this purpose, and may reconfigure the addresses as often as he or she pleases. Up to
five forwarding addresses can be specified.
The address is supposed to be used in communications from government to the
person, but it can also be used in communications between persons and companies
and private persons themselves. The addresses are available online to anyone through
CSP-s certificate directory.
The address can be used as a simple e-mail address, but using the address and the
authentication certificate on the card, users can also digitally sign and encrypt their email. The digital e-mail signature is not legally binding and not covered by DSA, but
it provides receivers additional confirmation of sender authenticity. E-mail encryption
and signing using certificates on smart card is a standard function of various e-mail
applications.
Anti-spam measures are implemented in the forwarding server. In addition, spamming
is illegal in Estonia and spammers will be prosecuted accordingly.
Data protection
The data protection question is not very relevant in the context of Estonian ID card
because there is very little private data involved in the card issuing and further
7
utilization process. There is a broad Personal Data Protection Act in effect in Estonia
which regulates the use of personal data and databases containing personal data by
public authorities and private entities, and Estonian Data Protection Inspection is the
government body overseeing that the requirements of the act are met and enforcing
compliance if necessary.
The certificates on the card are available publicly in a directory service and contain
only the card holder's name and personal ID code, which are considered public data
by nature in Estonia. In addition, e-mail addresses in authentication certificates are
also available in the directory. The directory contains only valid (active) certificates:
if a person suspends or revokes his certificate, it is also removed from the directory
and the data are no longer available.
The public data file is not published anywhere online. The personal data on the card in
visual and electronic format are accessible only to those persons to who the card
holder physically presents the card.
The general stance to ID card and data protection in Estonia is that the card should
contain as little private data as possible. Instead, the data should be kept in databases
at relevant authorities, and a person can use the card as key (authorization method) to
access his or her data in the database.
Organizational structure, card issuing and operation
The card issuing as well as its further operation is done in close public private
partnership. There are three main organizations who are associated with issuing and
operating the ID card and the associated infrastructure.
Estonian Citizenship and Migration Board (hereinafter CMB) is the government
organization responsible for issuing identification documents to Estonian citizens and
alien residents, as required in the Identity Documents Act. CMB is in the supervision
area of Estonian Ministry of the Interior. CMB receives the card application from
citizens.
AS Sertifitseerimiskeskus ("certificate centre", hereinafter SK), founded by two
major Estonian banks Hansapank and Eesti Ühispank and two telecom companies
Eesti Telefon and EMT, functions as CA, maintains the electronic infrastructure
necessary for issuing and using the card, and develops the associated services and
software. SK also takes care of delivering the card to its holder through Hansapank
and Eesti Ühispank bank offices.
TRÜB Baltic AS, subsidiary of Swiss TRÜB AG, is the company that personalizes
the card.
The card issuing process consists of the following steps.
1.
person fills in application for the card, indicating the bank branch office where
he or she would like to receive the card
2.
CMB receives application from person
3.
CMB stores the application and forwards its data to TRÜB
4.
TRÜB personalizes the card
8
5.
6.
7.
8.
9.
10.
11.
12.
13.
14.
TRÜB gives the card the order of generating private keys (internal function of
the card, the keys will never leave the card) and prepares the secure PIN
envelopes
TRÜB formulates certificate requests (2 per card) and forwards them to SK
SK issues the certificates, stores them in its directory and returns the
certificates to TRÜB
TRÜB stores the certificates and personal data file on the card chip
TRÜB prepares the final delivery envelope, enclosing the card, secure PIN
envelope and an introductory brochure
TRÜB hands the final delivery envelope over to CMB
CMB hands the final delivery envelope over to SK (CMB has outsourced the
card delivery to SK)
SK sends delivery envelope to the bank branch specified in the original
application (done using security couriers)
person receives the delivery (containing card and PIN codes in separate
envelopes) from the bank branch office
upon receipt of the card, certificates are activated and published in directory
For further operation of the card, SK maintains the associated electronic services
including an LDAP directory service, OCSP validation service and other necessary
services for online validity and digital signature confirmations. SK also provides the
software to anyone interested in creating applications to the card and digital signature,
and provides a readymade client and web portal for giving and verifying digital
signatures (see below, "Document format and DigiDoc"). In addition, SK maintains a
24-hour telephone hotline which can be used for immediately suspending the validity
of certificates in case of card loss or theft.
9
Solutions
Following are a number of issues and questions that have been solved when
implementing the Estonian ID card and digital signature infrastructure.
Certificate profiles and e-mail addresses
The certificates on Estonian ID cards are standard X509v3 certificates. The
authentication certificate contains the card holder's e-mail address. The certificate
profile is available in a separate document.
Certificate validity verification methods
According to Estonian DSA, CSP-s must provide "a method of verifying certificate
validity online". SK as the issuer of certificates to ID cards provides users three ways
of checking certificate validity.
CRL-s are provided, containing the list of suspended and revoked certificates. CRL-s
are standard but outdated method, because as of January 2003, CRL size has grown to
over 1 MB in one year and it is not very convenient to use. CRL-s are mainly
provided for backwards compatibility and standards compliance. SK updates its CRL
twice a day. Delta CRL-s are not provided.
The second method is an LDAP directory, containing all valid certificates. The
directory is updated in real time – if a certificate is activated, it is uploaded to the
directory, and if it is suspended or revoked, it is removed from there. Among other
things, this provides everyone a chance of finding the e-mail address of any ID card
holder. Restrictions are in effect as to the maximum number of responses returned to
one LDAP query to protect against server overload.
The most convenient method of verifying certificate validity is SK-s OCSP service. It
can be used for simple certificate validity confirmations, but also for validity
confirmations ("notary confirmations") to digital signatures. SK provides a standard
OCSP service compliant with RFC 2560. An important detail is that according to the
RFC, OCSP responses are supposed to be based on CRL-s and therefore may not
necessarily reflect the actual certificate status. In contrast, SK has implemented its
OCSP service in such a way that it operates directly off its master CA certificate
database and does not use CRL-s. Thus, SK-s OCSP responses reflect actual (realtime) certificate status. In terms of the RFC, the response's thisUpdate and
producedAt fields are equivalent.
OCSP, time-stamping and evidentiary value of digital
signatures
For legally binding digital signatures, time is an extremely important factor.
According to the Estonian DSA as well as common sense, only signatures given using
a valid certificate are to be considered valid. On the other hand, to provide remedy to
the risk that the signing device (ID card) may be stolen together with PIN-s and
digital signatures could be given on behalf of the user by someone else, users have the
chance of suspending their certificate validity using a 24-hour telephone hotline
operated by SK. With these two concepts combined, users must be able to clearly
10
differentiate the signatures given using a valid certificate from those given using a
suspended or revoked certificate. Thus, there is a need for a time-stamping and
validity confirmation service which binds the signature, time and certificate validity.
Another important concept concerning signature validity is that the signature must be
valid also when the certificate has already expired or been revoked. If a certificate is
suspended by the card holder or anyone else, the card holder can reactivate it at a
bank office.
A number of experimental time-stamping protocols and technologies have been
proposed, but no common understanding or agreements of time-stamping is present,
the experimental technologies are under constant development and not in mass use.
Thus, an innovative approach was needed. SK chose to base its time-stamping
implementation on standard OCSP. The protocol contains a Nonce field, which
protects against replay attacks. Instead of cryptographically random data, the Nonce
field is set to contain the hash of the data to be signed, because it can also be
interpreted as just a random number. According to the RFC, the OCSP responder
signs its response which in SK-s case, contains the original nonce (document hash),
response providing/signing time and ID of the certificate used to give the signature,
binding the three pieces of data together and providing the validity confirmation for
the digital signature. SK stores the signed response in its log as evidence material.
SK has implemented all of the above, including both client and server parts, in its
DigiDoc digital signature architecture.
Document format and DigiDoc
In order to bring digital signatures into everyday life, common understanding and
signature handling practices are required. In addition, software and technology must
be available for anyone interested, in order to create compatible applications. After
all, the key to unleashing potential digital signature benefits lies in communication
between organizations, not within one organization. Therefore, it is vital that all
organizations in a given community interpret and understand digital signatures the
same way. In case of Estonia, the community is the whole country.
A number of digital signature implementations and applications are available on the
market, all claiming to be suitable for specific purposes. However, no known
application or implementation of the latest standards was found which would suit the
needs of the Estonian project, and reliance on foreign software providers guaranteeing
the functioning of a country's everyday life relying on digital signatures can also be
seen as a strategic risk. Therefore, a whole new approach – and a whole new software
architecture – was needed.
In 2002, SK together with its partners created an all-around digital signature
architecture dubbed DigiDoc. As the name suggests, DigiDoc aims to meet all the
needs users might have about digital signature creation, handling and verification.
On the server side, DigiDoc provides an RFC2560-compliant OCSP server, operating
directly off the CA master certificate database and providing validity confirmations to
certificates and signatures. On the client side, it provides a number of components.
11
The most important component is digital document format, which is key to common
digital signature implementation and practice. As of 2002, a number of standards have
been adopted or are in preparation. SK based the DigiDoc document format on XMLDSIG standard. However, it has several shortcomings such as allowing only one
signature per document, and in February 2002, ETSI published its extensions to
XML-DSIG as ETSI TS 101 903, also known as XAdES. DigiDoc document format
is a profile of XAdES, containing a subset of its proposed extensions. The DigiDoc
format is described in a specification document.
Based on the document format, a library was developed in C language which binds
together the following:
• DigiDoc document format
• SK-s OCSP validation service
• Interfacing with the user's ID card using Windows' native CSP interface or
cross-platform PKCS#11
The DigiDoc library provides easy-to-use interfaces to all of the above and there is no
need for application developers to know OCSP protocol specifics or DigiDoc
(XAdES, XML-DSIG) format internals. It can be embedded in any application and on
top of it, a COM interface has been implemented, making it easy to add DigiDoc
support to any Windows application supporting COM technology. A Java
implementation is also provided.
However, providing the libraries and formats was not enough because these do not
add value to end users without real applications. Although it is expected that DigiDoc
support will eventually be present in most Estonian document management systems,
web sites dealing with documents etc, a number of example or "reference"
applications are also provided. DigiDoc Client is a Windows application that lets
users simply sign and verify documents, and DigiDoc portal is an application that lets
users do the same online without the need to install any stand-alone software.
Naturally, both are based on the same DigiDoc library and thus fully compatible –
signatures given in Client can be verified in portal and vice versa.
The libraries, specifications and applications are provided to Estonian public free of
charge, and it is expected that digital signature usage in common life and everyday
business and government practices will grow significantly already in 2003. The first
official digital signatures in Estonia were given using DigiDoc Client only on October
7, 2002, and implementing the digital signature on a national scale naturally takes
some time.
Roles, authorizations and organizations' validations
In connection with implementing PKI and digital signatures, the question of roles and
authorizations has arisen in various projects. It is assumed that certificates for digital
signing may be issued for specific purposes only, and that a person's roles can be
embedded in role certificates that are then used for authenticating the certificate
holder into different systems and giving digital signatures in different roles. Thus, a
person needs additional role and signature certificates for each different role he or she
has, and the number of certificates grows, creating substantial interoperability and
scalability issues.
12
The Estonian approach states (as also said in the Estonian DSA) that a digital
signature given using a digital signing certificate is no different than a handwritten
one. A person's handwritten signature does not contain his or her role – the role and
authorization are established using some out-of-band method (out-of-band in the
context of certificates). The same approach also goes for authorization while
authenticating – a person's certificate should not contain his or her authorization
credentials. Instead, everyone has a similar universal key (authentication certificate),
and the person's role and authorization can be determined using some other method
(e.g. an online database) based on that key.
An exception to the above is organization's validation. Digital documents sometimes
need to be validated by organizations, so that other organizations can be sure of the
identity of the organization where the document originated. This is useful for e.g.
signing pieces of databases (e.g. bank statements) online, to be presented to other
organizations. For this, SK issues certificates to organizations that can be used to sign
documents digitally. Technically, they are equivalent to personal signing certificates
on everyone's ID card, but legally, they are not viewed as signatures and need not be
covered by law, because according to the Estonian law, only real persons can give
signatures. The "organizations' signatures" must therefore be viewed simply as
additional tools for proving information authenticity (that it really originated from a
specific organization) which may or may not be accompanied by a digital signature of
a real person working in that organization. Still, the PKI complexity stops here, and
besides personal and organizational signature certificates, there is no need for
personal role certificates or anything else more complex.
New ideas: replacement and alternative cards
As of the beginning of 2003, a number of ideas are being discussed for improving the
availability and usability of digital signatures in Estonia. One of them is the
"replacement ID card", or backup card. The main concern here is that the card issuing
process described above is quite complex and according to current regulations, it may
take up to 30 days for a person from the moment of presenting the application to
receiving the card. If a card is lost or damaged and a person needs to get a new one,
this may mean that he or she may not be able to give digital signatures for 30 days
which may not be acceptable in some high-stake business environments. Therefore, a
possibility could be established that current ID card holders might get a "backup card"
to minimize the extent of the above problem. However, this is currently not
implemented, and another remedy for the problem is that the above organizations will
just implement an "express service" which would be more expensive but quicker
method of getting an ID card in the "normal" way.
Another idea is that of "alternative card". National ID card need not be the only
carrier of digital signing certificates. Some large companies are already using smart
cards for their internal services, and would like to have digital signing certificates
issued by SK to be added to their internal cards. The company itself would then act as
Registration Authority, and SK would be responsible for issuing certificates in
response to certificate requests, as is also the case with regular ID cards. Still, this
"alternative card" will remain a niche solution and for the general public, the Estonian
national ID card is the universal signing tool for whatever role a person may be acting
in.
13
Towards cross-border use of digital signatures between the Baltic States:
Work programme for 2014 Estonia’s chairmanship of the Baltic Council of
Ministers (BCM) in the area of ICT cooperation
The Baltic States are frontrunners in the adoption of secure electronic identity (eID) and
digital signatures domestically. Furthermore, the eID solutions of Estonia, Latvia and
Lithuania are built on similar principles. This provides a good starting point for joint use of
digital signatures in daily business and life between the three countries.
Cross-border digital signatures would be a key step for enabling cross-border use of digital
services, both public and private. This would make the conduct of business and movement of
people between Estonia, Latvia and Lithuania much easier. It would also allow the Baltic
States to lead the way in developing the Digital Single Market in Europe, especially in the
crucial area of trust services.
In order to realize these benefits, we aim to reach the following targets by the end of 2014:
 Estonian, Latvian and Lithuanian eIDs can be used together for digital signing;
 Estonian, Latvian and Lithuanian eIDs can all be used for cross-border authentication
in at least one pilot electronic service in each of the three countries;
 a longer-term roadmap for further cooperation and developments in the area of eID
and digital signatures – the intention should be to make legally valid digital signing
possible and simple for Estonian, Latvian and Lithuanian citizens and enterprises in all
of their everyday devices and solutions by 2016.
In order to reach the targets, the following discussions and steps are planned:
1) Mutual recognition and joint use of each other’s eIDs
There exist 2 main ways forward in this regard:
a) supporting each other’s eID certificates in each country’s authentication solutions, i.e.
building support for other countries’ eID into services (e.g. Latvian shared
authentication service or all main Estonian and Lithuanian e-service portals);
b) adopting in full the solution created in EU STORK project, for which three countries
need to make technical-level agreements. Estonia and Lithuania as STORK members
can assist Latvia in implementation with technical know-how.
As first step, each country will conduct a feasibility analysis of these two approaches from
their national perspective. The results will be discussed and the way forward determined
together with next steps at a technical experts’ meeting in March 2014.
1
Once the technical approach has been decided, the experts will discuss and agree on the
electronic services that each country will pilot the joint use of others’ eID with.
2) Mutual use of digital signatures
A short term and quick-win solution would be to build support of all three countries’ eIDs
into each country’s digital signing solutions. This requires technical level agreements, e.g. on
contents and exchange of Trusted-Service Status Lists, and then work and investment by each
country themselves. Another option to consider would be building the support for each other’s
main digital signature file formats into each country’s digital signing middleware and provide
easy-to-find information online on validation possibilities. Consideration should also be given
to how to support development of cross-border private services in the area.
A meeting of technical experts in March 2014 will map out all relevant details, discuss the
options and agree on the next concrete steps forward.
For the longer term, discussion needs to focus on digital signature file formats. We should
seriously consider the option of moving to the same or at least compatible digital signature
file formats in all three Baltic States. The aim should be to make cross-border digital signing
as easy as possible for users. At the same time, we have to avoid investing into solutions that
are due to become outdated, e.g. when the new EU regulation on electronic identification and
trust services (eIDAS) comes into effect. A meeting of technical experts in March 2014 will
launch in-depth comparative discussion of possible models, file formats and specifications
together with the required next steps.
3) Joint procurement and development of eID related solutions
Joint procurement and development of eID tokens, software solutions (e.g. signing clients),
etc. could be launched in longer-term future. The idea would be to join forces for better
solutions and savings through cost sharing, while making interoperability and mutual
recognition matters easier. These options will be discussed in policy level meeting in autumn
2014, as the substance will depend on outcome of discussions under other points.
In summary, the work programme for 2014 will be as follows:
 March 2014 – meeting of three countries’ technical experts to discuss and agree on:
o technical details for mutual eID support in digital signing solutions;
o the way forward with digital signature file formats;
o the way forward with mutual recognition and joint use of eIDs.
 Continuation meetings, agreements and domestic work in three countries as required.
 September/October 2014 – policy level meeting between three countries to take stock
of the results of previous activities and prepare the longer-term cooperation roadmap,
incl. way forward in joint procurement and development.
 November/December 2014 – reporting on the results of work programme to Prime
Ministers in BCM meeting and agreement on further cooperation roadmap.
2
This work programme was prepared based on the meeting of Estonian, Latvian and
Lithuanian policy officials and technical experts in Tallinn on 27 January 2014.
The work programme was discussed and endorsed by the informal meeting of the Prime
Ministers’ Council of the BCM in Tallinn on 3 February 2014.
3
UNIVERSITY OF TARTU
FACULTY OF MATHEMATICS AND COMPUTER SCIENCE
Institute of Computer Science
Computer Science
Aleksei Gorny
Analysis of Chip-card Based Authentication
Bachelor’s thesis (6 EAP)
Supervisor: Sven Laur, PhD
Author: .................................................................... ”........” June 2009
Supervisor: ............................................................... ”........” June 2009
Admitted to thesis defense
Professor ................................................................... ”........” June 2009
Tartu 2009
Contents
Introduction
3
1 Background and technical details
1.1 ID-card hardware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.2 The Transport Layer Security protocol . . . . . . . . . . . . . . . . . .
1.3 Software architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . .
4
5
6
8
2 Attacking the authentication process
2.1 Logging authentication codes . . . . . . . . . . . . . .
2.2 Logging authentication codes: implementation . . . . .
2.3 Phishing and substituting certificates . . . . . . . . . .
2.4 Phishing and substituting certificates: implementation
2.5 Session hijacking . . . . . . . . . . . . . . . . . . . . .
2.6 Session hijacking: implementation . . . . . . . . . . . .
.
.
.
.
.
.
11
11
11
12
15
16
17
3 Building a better driver
3.1 Security model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
3.2 Suggested solutions . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
19
19
20
References
21
Kiipkaardipõhise Autentimise Analüüs
23
2
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
Introduction
Most chip card solutions for personal computers assume they are used in a secure environment and that the communication between the card and applications cannot be
modified. This assumption is largely unjustified, since most users lack technical knowledge to have sufficient control over their machines. Indeed, as yet another attestation
of the fact, earlier this year, a botnet comprising of approximately 1.9 million infected
devices, of which many belonged to government and business institutions, was discovered [15]. The scope of this work is the use of chip cards in untrusted environments.
The research has been conducted in accordance with the agreement between the author
and AS Cybernetica and some findings may have been left out from this paper version
due to contractual obligations.
For simplicity, we explain the basic concepts of chip card use by the example of the
Estonian ID-card. ID-card is the Estonian primary personal identification document,
issued by the national Citizenship and Migration board. As it is the case with national
chip cards of most countries, the card enables its holder to create digital signatures
and to authenticate to both state and private enterprise services. This functionality
can also be used online from a personal computer equipped with a smart card reader,
some third-party software and an internet connection. Important web-based services
accessible this way include electronic banks, e-voting polls, health and education related information systems etc.
In this work, we review the situation where a cardholder authenticates to a remote
server over a network. We show that due to implementation issues there currently
exists a way for a malevolent party with temporary user-privileged access to the cardholder’s computer to effectively tamper with the process. This may potentially result
in the honest user unintentionally authenticating to some other entity instead or the
server believing that the client resides at a different IP address. The consequences of
this may in turn include loss of privacy and personal data, financial losses and incorrect
depiction of the cardholder’s opinions and preferences to other entities.
In the following chapters we present a detailed overview of the authentication process
with the currently employed chip card software, describe possible attacks, evaluate
their feasibility and conclude by introducing obvious security-enhancing modifications
to the affected components. We also comment on the exploits as we implemented them
on the Ubuntu Linux operating system for demonstration purposes. The code itself
does not accompany this work, but is available on request from AS Cybernetica.
3
1
Background and technical details
Though the basic design principles of different chip cards are similar, specific cards
often have technical peculiarities and are subject to different standards and legislation.
In this section, we review the concepts by an example national chip card, the Estonian
ID-card. The development process of the card has been mostly open for public inspection and information found here can also be gathered from online sources.
Since the introduction of the ID-card to the public in 2002, the number of cardholders
and applications for the card has been steadily increasing. The Citizenship and Migration board reported that by the first of April 2009, there were 854 675 registered
ID-card owners, a large number, considering the population of Estonia. It is expected
that more than half of the cardholders use the card to access online services.
The reason ID-cards exist and are increasingly popular is the joint efforts of government institutions, security researchers and businesses. At the same time when the
Citizenship and Migration board became interested in replacing the passport with
a simpler modern identification document in 1997, researchers from AS Cybernetica
and Hansapank were working towards developing a solution for digital authentication
and signing. Eventually, the goals of both interest groups were united in the ID-card
and legislation was modified to accommodate electronic authentication mechanisms [5]
and acceptance of digital signatures [6]. Businesses and institutions were encouraged
to adopt ID-card based authentication methods and use digital signatures to reduce
paperwork and allow simple and secure digital access to various services, making it
favorable for citizens to switch to the new technology. The full timeline and the development story can be found at the ID-card support site [1].
As now, the card can be physically used for authentication in place of the passport
for travel in the European Union, customer cards of several Estonian shops and store
chains, library cards of most of the Estonian libraries, etc. A large list of web service providers allowing ID-card based authentication is maintained online [1]. The list
includes but is not limited to the following:
• Financial institutions: Swedbank, The SEB Group, Eesti Krediidipank, Sampo
Pank, Nordea Bank, BIG Bank, Parex Bank, Nasdaq OMX Estonian securities
market,
• Government services: the National Electoral Commitee, Estonian Motor Vehicle
Registration Centre, the Commercial Register, Estonian Tax and Customs Board,
• Education services: study information systems of the Tartu University and Mainor
Business school, the eKool system,
• Medical services: patient information systems of the East Tallinn Central Hospital and the Medicum health center.
For a cardholder, accessing these services from a personal computer is as easy as purchasing a smart card reader and installing software from the ID-card support page. The
necessary software consists of drivers for the card and the reader and extensions for the
browser that allow it to query the drivers to access the card functionality when needed.
4
What would happen if a vulnerability in the authentication process was found? Some
services like e-banks and e-voting polls would remain relatively secure from the functional standpoint, as they require digital signatures for finalizing critical transactions
like money transfer or vote casting. However, an attacker able to exploit such a vulnerability could still perform many potentially damaging, but non-critical operations
without the cardholder’s knowledge. Additionally, one could gain unauthorized access
to personally identifiable sensitive information contained in above-mentioned information systems, like financial status, health conditions, study grades, electoral preferences
etc. A possibility of large scale exploitation, for example, if the vulnerability was common to national chip cards of multiple countries, would serve as motivation for cyber
criminals and bear drastic consequences to card users.
In this chapter, we review the prerequisites for understanding the current state of
ID-card based online authentication. We look at the functionality the chip of the card
provides, the specification of the authentication protocol that is used and at how this
protocol is implemented in software.
1.1
ID-card hardware
From the hardware perspective, the Estonian ID-card is a chip card conforming to the
ISO-7816 standard [9] and based on the Orga Micardo Public 2.1 chip [7]. It hosts some
minor technical modifications that allow it to be used with a larger variety of smart
card readers and changes to the instruction set that forbid formatting and EEPROM
memory initialization. This way the card is better suited for wide-scale public use and
prevents users from deleting or improperly modifying important data it contains.
The data stored on the card and available operations are subject to a strict immutable
access policy. Significant objects accessible to a common user constitute of the cardholder’s personal information file, signing certificate and authentication certificate.
Figure 1: Objects on the ID-card. Translated from [3].
5
In addition to the operations for reading these objects, the card provides cryptographic
operations with internal secret keys – in the case of authentication, computing a response to a SSL/TLS challenge [13] using RSA or SHA1 with RSA. Cryptographic
operations require the cardholder to set different security environments on the card
by supplying appropriate PIN codes. Optionally, additional codes may be entered to
enforce the interaction between the card and host applications to be encrypted using
3DES.
PIN codes are protected from brute force attacks by counters of consecutive incorrect
entries. After three unsuccessful entries, a PIN is blocked and has to be revalidated
or replaced using the PUK code, that is itself subject to an analogous counter. The
PUK code can, however, be unblocked only at accredited Token Management Centers bank offices and the service offices of the Citizenship and Migration board. Other card
management operations, like updating user data and certificates, are also performed
under official supervision - either on-site and the centers or remotely over the network,
secured via cryptographic means. This again is beneficial for protection against unauthorized or accidental data modification and deletion.
For a full list of objects and operations supplied by the card, one may refer to its
reference manual [3].
1.2
The Transport Layer Security protocol
Transport Layer Security (TLS) [13], the successor of Secure Socket Layer (SSL) [14],
is a popular protocol for providing communication confidentiality and integrity by establishing a reliable private channel between two peers. TLS achieves its security goals
by using symmetric cryptography with unique keys generated for each connection and
message authentication codes. The TLS handshake sub-protocol provides a secure and
reliable way to negotiate the parameters of a connection and allows peers to authenticate to each other using asymmetric or public key cryptography. In a typical setting,
TLS dwells on an available public key infrastructure and is unilateral, meaning that
the server gets authenticated to the client, while the latter may remain anonymous.
Figure 2: Negotiation of anonymous or unilaterally authenticated TLS
In the first part of the TLS handshake, the negotiation phase (Fig. 2), the client and
the server agree on the strongest cipher suite and hash functions they both support,
exchange random values and agree on a common secret. During this phase, the server
6
usually shares its certificate with the user, who is expected to verify the server’s identity. If necessary, the server sends an additional message containing cryptographic data
allowing the client to communicate the premaster secret. Both parties then compute a
master secret key based on the premaster secret and random values. This key is used
for symmetric encryption of the final handshake messages and communication later on.
The handshake finishes with the peers validating its correctness. First, the client
informs the server that all of its following communication shall be sent encrypted using
the freshly computed symmetric key. Next, it sends an encrypted message containing
a MAC over the protocol transcript (Fig. 3). The server decrypts the message, verifies
the hash and responds with two analogous messages. Now, if either party fails to decrypt the received final message or verify the MAC inside, the connection is terminated
and has to be renegotiated. This ensures both peers agree on the generated security
parameters and keys and that the handshake has not been tampered with.
Figure 3: TLS handshake final messages
TLS also supports a bilateral mode, known as mutual authentication. In this case, the
client also sends out a certificate and afterwards proves that one indeed owns it by
showing one has access to the corresponding private key (Fig. 4). For this, the client
sends a certificate verification message, containing the concatenation of all previous
handshake interaction signed with the key. If the protocol is successful, then unlike
the unilateral case, both parties are assured of each other’s identity.
Figure 4: Negotiation of mutually authenticated TLS
After the handshake is finished, relevant data messages can be transferred in a way
similar to the final handshake message - encrypted with the negotiated symmetric key
7
and verified with a message authentication code.
TLS is one of the most common protocols for securing application layer data when
communicating over customized networks or the Internet. It can run on top of a reliable transport protocol such as TCP and beneath application layer protocols such as
HTTP, FTP, SMTP etc. TLS can also be used for creating virtual private networks
by tunneling the entire network stack. For our purposes, we are mostly interested in
the scenario where mutually authenticated TLS is used in combination with HTTP for
accessing various web services.
1.3
Software architecture
In practice, communication between a web service and a chip card passes through
multiple modularly composed software layers. The layers are similar for all operating
systems, so for conciseness we describe the detailed architecture as it is common for
Ubuntu Linux. Low-level operations, like communicating bits to and from the card, are
handled by a low-level driver for smart card readers, typically OpenCT [11] or PC/SC
Lite [12]. On top of the driver resides OpenSC [10], an open-source framework for
high-level operations with smart card tokens. It implements methods for recognizing
different card hardware and vendor-specific hexcode instructions.
For integration into existing applications, OpenSC compiles a dynamic library based
on the PKCS#11 standard [8]. PKCS#11, also known as Cryptoki, is a widely-used
standard for cryptographic token libraries that specifies common names for objects
and operations. This dynamic library interface is, for example, used by most of the
popular browsers, so that when the token is initialized, they are able to request data
and perform card-assisted cryptographic operations by communicating with the driver.
As an illustration, let us see how these components interact when a user attempts
to authenticate to a server using a capable chip card and TLS mutual authentication
(Fig. 5). In this case, the user’s browser takes care of the TLS protocol messages and
makes two requests to the driver. The purpose of the first request is to retrieve the
authentication certificate and the purpose of the second is to compute the response to
the protocol challenge using the secret key stored on the card and corresponding to
the certificate. As computing the response requires toggling the security environment
on the card, the driver expects the browser to obtain the PIN code from the user.
This architecture is secure under the assumption the user actually has full control over
the client machine. Indeed, an adversary is then unable to eavesdrop or modify the
communication between both the software and hardware components - effectively between the browser and the smart card. Also, properly executed mutually authenticated
TLS, as reviewed earlier, eliminates the possibility of client- and server-side identity
switching on the network.
The authentication process becomes insecure once we assume the adversary has temporary user-rights level logical access to the machine. Note, that on modern operating
systems, this type of access is sufficient for local installation of software packages and
browser extensions, but does not allow to change preferences of the system itself or
files of drivers and properly installed applications.
8
Figure 5: Authentication with a chip card
The main problem lays in the fact that the relation between the TLS session the
user is attempting to establish and the challenge message send to the driver is never
verified. This implies that in customized software, the PIN code of the user may actually be used for computing the a challenge response for another session. This problem
is not unique to any particular chip card, but common to all chip cards used with this
software framework.
An example exploit for this would be a custom browser extension that hijacks chip
card based authentication sessions by sending the driver challenges that are different
from the intended ones (Fig. 6).
Figure 6: A malicious browser extension
For a second example exploit, temporary access can be used for local installation of a
malicious Cryptoki-based library. Here the attacker can rely on the fact that pointing
out the location of OpenSC to the browser needs user rights only. The substitute
library could then act as a mediator between the browser and the chip card and perform
operations like publishing PIN codes, modifying user queries or establishing unwanted
TLS sessions (Fig. 7).
9
Figure 7: OpenCT is substituted for a malicious library in the browser
For the cardholder, the consequences of these exploits may be as severe as mentioned
in the beginning of this chapter. Note that active presence of the adversary that introduces software modifications is not necessary in either case. After the software is
changed, session hijacking and other activities, for example using the hijacked session
for gathering personal data, can happen in an automated fashion.
10
2
Attacking the authentication process
In this chapter, we review some attacks associated with authentication and evaluate
their successfulness and feasibility against chip-card based authentication. These attacks can be conducted by cyber criminals or otherwise malevolent individuals against
honest users using chip cards or other methods to authenticate to some entity over a
network. For each attack, we first give its general description and explain its background and then reflect on our experiments with it in practice.
2.1
Logging authentication codes
Keystroke logging in general refers to a practice of noting the keys pressed on the
keyboard, often without the computer user’s knowledge. It is a common method for
obtaining sensitive data from a user when the adversary has physical access to the machine or is able to either install or convince the user to install custom software. There
are various mechanisms for logging keystrokes, ranging from software based solutions,
for example hook based loggers that utilize the operating system functionality to subscribe to keyboard events, to acoustic and electromagnetic loggers that log the pressed
keys based on the physical behavior of the keyboard.
Countermeasures against this attack include drivers with signed code, anti-spyware
applications able to detect loggers either by their activity or resident files and alternative data input methods like speech-to-text applications or on-screen keyboards.
Key logging is effective against standard username and password combination authentication, but does not, for example, work against one-time-password methods, where
a password is rendered obsolete once it is used. Against two-factor authentication
methods, like the chip card based approach, key logging does succeed in collecting
PIN codes. However, the codes on their own are useless without the ownership of the
physical token.
One can circumvent the additional protection added by two-factor authentication, if
one knows the PIN code and is able to partially control the machine at the time the
chip card is inserted. Large scale attacks of this type, where the adversary has collected
several PINs and has control over the user machines, are, however, rather unlikely due
to the need for synchronization and in any case much more difficult then simple password logging. Session hijacking, an approach discussed later on, is a variation of an
automated attack against chip-card authentication, which does not rely on logging the
PINs, but instead utilizing them for chosen operations in real-time when the user is
trying to access some of the card’s functionality.
2.2
Logging authentication codes: implementation
For implementing a PIN logger, we wrote a simple patch to the OpenSC library. The
patch modified the function for forwarding the codes to Micardo cards. When the
function was accessed, it wrote down the PIN to a file on the hard drive (Fig. 8).
11
Figure 8: The PIN logging setup
Summary. This modification was trivial to write, once the correct place in the driver
code was located and the custom C structures used understood. Both tasks require
minimal knowledge of the C language. For setting up the logger up on the client computer, it is necessary to have temporary user- privileged access to either locally compile
or transfer a pre-compiled modified version of OpenSC to some chosen location on the
machine and point the Firefox browser to use it. This can be done via adding the
library directly to the secmod.db file stored in the browser user profile folder, adding it
via the browser graphical interface or adding it from a webpage using Javascript hooks
for handling PKCS#11 libraries.
The exploit enables an attacker to gather chip card PIN codes entered by the users of
the infected machines. To guard against this, the browser should secure the secmod.db
file storing the locations of token libraries by requiring administrative rights or alternative authorization for its modification. However, this might be hard to implement
and maintain in practice, as in multi-user machines it often makes sense for users to
have different token libraries installed.
2.3
Phishing and substituting certificates
The term phishing describes the process of a malicious entity masquerading as a trustworthy one in electronic communication, in attempt to acquire sensitive information
or involve an unsuspecting user in unsafe transactions.
For example, a user may receive an email or an instant message claiming to be from a
bank and requesting for some reason to reply with the password to the e-banking service
or follow a link to a webpage hosting a fraudulent password entry form. Alternatively,
a user browsing the web may, due to network anomalies or webpage vulnerabilities, be
redirected to a fake website that visually resembles some legitimate site, but employs
different functionality. The general mechanisms of phishing are well explained in [19].
Due to its relative technical simplicity and high success rates, phishing is a popular
form of electronic crime. PhishTank [17], one of the major phishing-report collators,
reported a monthly average of 6000-8000 websites positively identified as phishing sites
in the first months of 2009. Preventive measures to combat phishing include user education, spam filters that filter out phishing emails by general characteristics and publicly
12
maintained blacklists of servers that often host fraudulent websites. The prevalent reactive approach is issuing site take-down notices based on verified used reports.
One of the solutions browsers provide to remedy the problem is employing public
key infrastructure (PKI) to verify the server’s identity. PKI refers to a binding between the public key of a host and the host’s identity, established by the means of
a trusted authority. The authority verifies the authenticity of the binding claim and
issues a certificate to confirm it. In practice, an individual or a company interested
in obtaining a verified certificate for one’s webpage typically generates an appropriate
certificate request and forwards it to a commercial authority. The authority then takes
the necessary steps to verify that the webpage really belongs to the claimant, charges
for the service, and signs the request with its private key. For other parties to be sure of
the authenticity of the signature, the authority provides a self-signed certificate issued
to its own name. It is obvious, that these self-signed certificates have to be distributed
to the users in a secure manner, since if a malicious authority gets to be trusted, all
webpages certified by it will be seen as trusted as well. Modern browsers ship with a
built-in list of audited popular certificate authorities, so webpages certified by these
authorities are trusted by default. Trusted pages are typically identified by a padlock
displayed in a dedicated area of the browser’s graphical user interface (Fig. 9).
Figure 9: A padlock displayed in the lower right corner of the Firefox browser when
connected to a webpage with a trusted certificate
Firefox makes a clear distinction between authority certificates, private keys corresponding to which can be used for signing other certificates, and simple server certificates and has default assumptions about their trustworthiness. If a webpage aiming
to establish a secure connection presents a certificate signed by an authority unknown
to the browser, the user is shown an option to mark the domain name as a security
exception. An exception like this does not, however, grant trust to the certificate authority that had signed the freshly accepted certificate. This means exceptions set this
way are valid on per-domain basis only and cannot be used for gaining implicit trust
for websites not visited by the user.
Certificates still leave several problems open. First of all, due to organizational hurdles, browsers often contain certificates crafted using encryption or hashes that have
been rendered insecure by recent cryptographic research. For example, at the time of
13
writing, the latest version of Firefox for Mac OSX, Firefox 3.0.10, still had ca. 15%
of its about 150 built-in certificates using the MD5 hash function. MD5 was proved
not to be collision resistant by 2004 by the latest [20] and the fact was exploited to
fake certificate validity in practice in 2008 [21]. Firefox also holds several MD2-based
certificates, although MD2 is considered broken as well [25]. Second, as the number
of certificate authorities has grown, it has become increasingly easy and cheap to get
a domain name certified. There have been reported cases of well-known authorities
issuing certificates for arbitrary domain names without proper ownership verification.
As a result, a certificate alone cannot serve as an adequate indication of the website’s
identity.
Extended validation certificates, a concept developed by the certificate authority and
browser forum [16], add additional visual cues (Fig. 10) for convincing browser users
that the viewed page can be trusted. Before issuing such a certificate, the authority
has to take extra steps to verify the trustworthiness of the requesting party. The steps
include establishing the legal identity and the operational and physical presence of the
website owner, verifying ownership and control status for the domain name in question
and confirming the identity and authority of the individual representing the website
owner. The list of EV certificate authorities in the browsers cannot be modified using
trivial means.
Figure 10: A green address bar and additional information on a webpage with an EV
certificate
Studies of the effectiveness of visual notifiers of both common and EV certificates seem
to indicate, however, that uneducated users still find it hard to distinguish between
legitimate and untrustworthy sites and tend to ignore security warnings. For example,
see [18].
In our model, where we assume the adversary to have user-priveleged access to the
machine, all browser-related anti-phishing protection can be effectively circumvented.
The adversary can, for example, add self-generated certificates for arbitrary domains or
untrusted certificate authorities to the browser’s safe list, so chosen webpages would appear secure to the user. Alternatively, the adversary can just install a browser extension
that changes the graphical user interface of the browser so visual cues corresponding
to certified or EV-certified webpages would appear without actual grounds.
In regard to phishing, two-factor authentication methods like chip-card based authentication seem to have an obvious advantage over simple knowledge factor methods like
14
username and password combinations. By this we mean that since authenticating with
a chip-card requires both ownership of the physical chip card and the knowledge of the
PIN codes, then even if an adversary learns the PINs, one will not be able to establish
an authentication session to a third entity. The best one can achieve is to present a
user with fake functionality, which either simply deters the user from accessing some
real system or prompts the user to disclose further sensitive data and perform unsafe
transactions, for example issuing digital signatures for documents created by the adversary.
Some security experts have argued that two-factor authentication methods are inherently insecure against man-in-the-middle phishing attacks, where the malicious server
simply forwards the changing part of the authentication credentials is to the legitimate
server in real-time [22]. This may be true for one-time-passwords, but does not hold
for chip cards. Indeed, here the changing credential, namely the response to the TLS
challenge, depends on the identities of the peers participating in the protocol, as it is a
signature over all protocol messages, including the certificate messages of both peers.
Now, the adversary does not know the secret keys of the legitimate server and the chip
card, so if it forwards the certificate of the legitimate server to the client, one will not
be able to decrypt later communication. On the other hand, if the client is presented
with a different certificate, one will not be able to respond to the TLS challenge of the
legitimate server based on the user’s response. This again shows that in the case of
chip cards, phishing itself does not allow the adversary to authenticate to a third party
using the client’s credentials.
2.4
Phishing and substituting certificates: implementation
As a target website, we chose a site of a widely used information system. The particular choice was motivated by several reasons. First of all, the site has acquired its
certificate from AS Sertifitseerimiskeskus, an Estonian certificate authority not trusted
by default in Firefox. This implies, that for a first-time user, the webpage displays an
appropriate warning anyway, prompting to add a security exception for its certificate.
Sertifitseerimiskeskus does not issue EV certificates, so there is no visual indication of
the connection being secure, except for the standard padlock. Second, the information system offers optional chip-card based log-in, so we were able to play through the
phishing scenario with card based authentication.
Note, that as described in an earlier section, phishing alone is not sufficient to mount
a man-in-the-middle attack against the chip-card based authentication. Still, it can be
successfully used to provide fake functionality, deter the user from accessing the actual
system and obtain sensitive data via web-forms. In the case of our information system,
the attacker could use the fake website to request the user to update personal details
or preferences and prevent the user from accessing the time-critical functionality of the
legitimate system.
For the set-up, we generated a certificate chain consisting of three certificates having the same human-readable parameters as in the original chain using the OpenSSL
console utility. We then set up a wireless router with a fixed DNS entry for the domain
of the information system, pointing to a dedicated server computer, a Ubuntu desk15
top with the Apache 2.2.8 web server extended by mod ssl 2.28 and OpenSSL 0.9.8g
modules (Fig. 11). The server was configured to require a secure connection with
optional client authentication accepting chip cards, display a page visually similar to
the original and present the fake certificate chain.
Figure 11: The phishing setup
This situation corresponds to a scenario where the adversary gets hold of the configuration of a public WiFi access point or sets up a rogue access point. In most local
switched networks, the situation can also be achieved by successful ARP or DNS attacks that grant a man-in-the-middle status to the attacker. Based on the resulting
user view, we believe an incorrectly installed certificate makes it fairly easy to fool even
a technically competent user into thinking a connection to be legitimate.
As a side-note, during the course of our work we discovered that the server of the
information system was vulnerable to the automated HTTPS cookie hijacking attack
[24] and notified its adminstrators.
Summary. The attack requires the experience of generating and manipulating OpenSSL
certificates with various parameters, configuring a web server and creating simple webpages. It also requires the ability to lure the user to the set-up page, either by effectively
gaining man-in-the-middle status on the local network, poisoning entries of DNS servers
or using standard phishing practices like spam and social engineering. For creating an
illusion of a secure interaction, the attacker needs user-privileged access for adding
certificates to the victim’s browser.
Typical methods to combat phishing are described in the previous section. However,
even with good user training, it can be difficult to recognize that a fake webpage is
being served instead of the original one, when the look-and-feel are almost identical and
the browser displays visual security cues. In addition to using standard methods, one
can install additional extensions to the Firefox browser, that try to correctly identify
websites based on secondary parameters like behavioral differences in different sessions
etc.
2.5
Session hijacking
Session hijacking refers to the scenario, where a party attempts to establish a communication session with a certain entity, but an adversary-controlled session under the
name of this party is established with some other entity instead, possibly without the
victim party’s knowledge.
16
Session hijacking scenarios vary depending on the underlying technologies, in this section we will concentrate specifically on chip-card based authentication.
2.6
Session hijacking: implementation
The general idea of our exploit was to modify the OpenSC driver or specifically the
part of it that handles the functionality of Micardo cards to turn to an external script
when the challenge response computing operation was called. The script would then
initiate a TLS connection to some chosen remote server and switch the challenge bytes
sent to the card (Fig. 12).
Figure 12: Hijacking the TLS challenge request
The implementation process worked out as follows. We wrote a simple python script
that created a HTTP connection over TLS. For handling the TLS protocol, we used
a public domain python library tlslite [23], which we had to modify in order to
accommodate token-based client authentication. It was worth the effort though, as in
addition to taking care of the protocol, the library provided our sample script a convenient interface for later requests to the server. We then introduced changes to the
part of OpenSC concerned with the challenge response computation of Micardo cards.
The changes consisted of bindings using python/C API, so that our script was called
once the operation was accessed. The script initialized a connection to a chosen server
and returned the bytes needed to be signed to the driver, which took advantage of the
user’s authorized status to obtain a valid response from the chip card. The script then
used this response to complete the authentication to the server.
For testing the implementation, we used the same server software setup as in the
previous section. This time, the server was assigned a self-signed certificate and configured to require client-authenticated SSL/TLS on the index page and log all visits.
After the setup, we opened Firefox, linked it to the modified OpenSC and tried to
access the information system introduced in the phishing section. Indeed, our server
17
logged a successfully established secure connection and a HTTP-GET request to the
index page.
Summary. In theory, the attack requires only superficial understanding of the structure of the OpenSC driver suite and sufficient programming skill to write a script
interacting with a webpage via HTTP queries and to bind this script with an appropriate TLS library. In our case, some time was spent on linking the script and OpenSC
and on extending tlslite. As this was a proof-of-concept implementation, we also
made some simplifications: the script would only react to the signing event of Micardo
cards and a specific subset of possible cipher suites and fixed TLS protocol behavior was
chosen, so that the script would work with our server. These technical restrictions can
be overcome by spending more time on testing the TLS library with different servers
and testing OpenSC with different chip cards. For deploying the modified library, the
same methods can be used as in the case of the logging application. For users to guard
against the attack, we again recommend the current situation with the database file
storing locations of dynamic token libraries to be reviewed.
All in all, we believe it is moderately easy for an experienced programmer to develop
a session- hijacking module for all OpenSC-supported chip cards that can be extended
to communicate with chosen servers. This module could work in a covert manner and
activate with a certain probability, so that the only indication of its presence would
be the once in a while increased latency and connection failures when authenticating
online. The latency obviously results from the need to establish a new connection after the browser has contacted the driver. For additional stealth, the script could act
depending on the speed of the internet connection and seize its operations after a fixed
timeout. In our test case, the internet connection was fast enough for the script to go
unnoticed to a typical user.
The shortfalls of our current approach are the need for local compilation and the resulting dependence on the environment. Implementing the session hijacker as a browser
extension, as described in the first chapter, would solve these problems, as Firefox aims
to be a cross-platform browser. We started developing such an extension, but the task
grew rather complex. This came from the fact that Firefox provides many options for
extending browser functionality, but not always for modifying the existing one. For
example, graphical user interface components and their behavior can be easily replaced
or overloaded, but determining whether the next connection shall be mutually authenticated TLS is non-trivial. Nevertheless, such an extension can surely be engineered,
for example if it is to target authentication attempts to specific websites based on the
URL address. With the current policies for developing browser extensions, there would
be no way to guard against the attack but to monitor the list of the activated extensions in the browser. This list is implicitly stored in the user’s browser profile folder,
so an example solution would be an automated administrative process monitoring this
folder.
18
3
Building a better driver
By now we have shown, that the solution for smart card based authentication employed
as now may be vulnerable to certain types of misuse, most notably, session hijacking.
In this section, we investigate whether it is possible to change the current software and
hardware architecture so the implementation improves with respect to security against
the above-mentioned attacks. For this, we first formalize the strongest security we can
achieve assuming the operating system core and drivers cannot be compromised. We
then discuss the feasibility of changes that bring the architecture closer to the defined
security goal.
3.1
Security model
One can view a computer network as consisting of physical entities - network nodes
and computers - and logical entities, the users of physical devices (Fig. 13). We assume
that each physical entity is used by a single logical entity at a time. If necessary, servers
and other multi-user devices can be seen as groups of multiple network nodes. In our
model, the adversary is mobile, meaning it is able to dynamically corrupt any number
physical entities for arbitrary periods of time. The adversary is also assumed to have
full control of the network traffic.
Figure 13: A computer network abstraction
The goal of entity authentication protocols is to establish an association between physical and logical entities. In practice, if a protocol is successful, it is followed by a
communication session, as seen in the example of TLS. It is obvious, that if the adversary has compromised a network node, one can modify the contents of this session.
However, it is unclear, whether the adversary can still modify the session once one
has lost control over the node. Also, it is unclear, whether the adversary can force
the user to authenticate to some entity other than the user intended even if one has
control of the user’s node. This motivates us to say, that the architecture of a device achieves maximal security with respect to a entity authentication protocol if the
following conditions are met.
19
• The adversary cannot under any circumstances force a user to authenticate to
some other entity unintentionally.
• When the adversary does not actively control either of the physical endpoint
nodes, it cannot modify the content of the communication session.
One can see, that due to the possibility of hijacking attacks described in the previous
section, the current architecture of the chip card related software stack does not provide
maximal achievable security with respect to TLS.
3.2
Suggested solutions
There do indeed exist authentication schemes that provide the security level defined
above. Consider a network, where the device hardware is secure and all network cards
contain internal secret keys. When establishing an end-to-end connection, the operating systems of these devices specify only the physical address of the communication
partner and negotiate a TLS channel using the available infrastructure. The distribution of public keys does not have to be authentic, that is, the adversary can generate
key pairs, that claim to belong to some other address. Additionally, every client device
has a chip card reader with a pin pad and a display. For client authentication and
application data transfer, another TLS channel is created between the chip card and
the server. The display shows the user of the client machine excerpts from the TLS
protocol, notably the identity of the server and its certificate authority. It is easy to
verify that this configuration achieves the maximal achievable security. Indeed, the
display makes sure the user does not authenticate to any other party unintentionally.
Due to the end-to-end physical communication channel, the adversary looses the ability
to modify or listen to the communication session messages on withdrawal. However,
such a configuration is surely infeasible because of the organizational costs.
Let us see how we can achieve the security goals by improving on the technologies
used today. First, we need to eliminate the possibility of the attacks with a substitute
chip card library. This can be achieved by protecting the link between the browser
and the library by administrative rights. The second step is to transfer the client-side
mutual TLS protocol handling functionality to the driver level. This means giving up
the modularity of the software stack and engaging in browser- level protocol based
software proxying, but this way the TLS challenge is guaranteed to belong to the correct session, as it is computed by the driver based on its own communication. As the
graphical user interface of the operating system can be manipulated by locally installed
malicious applications, its authenticity generally cannot be verified, so an appropriate
security measure for securing PIN input and assurance of the peer’s identity in the TLS
protocol could be a physical pin pad reader with a display from the previous example.
The display would again show the user the appropriate parts of TLS messages, notably
the domain name of the peer and the certificate authority by whom its certificate was
signed.
Such changes can be implemented with reasonable means: some developing work on
the current software solutions and engineering of a custom pin pad reader. Purchasing
the latter would translate into additional costs to a single user, but surely make up in
the gained security.
20
References
[1] The ID-card support site. http://id.ee
[2] ID Süsteemide AS. EstEID Turvakiibi rakenduse kasutusjuhend, 2007.
http://id.ee/public/EstEID_kaardi_kasutusjuhend.pdf
[3] ID Süsteemide AS. EstEID Turvakiibi rakendus ja liides, V2.01.
http://id.ee/public/EstEID_Spetsifikatsioon_v2.01.pdf
[4] AS Sertifitseerimiskeskus. Sertifikaadid Eesti Vabariigi isikutunnistusel, 2004.
http://www.sk.ee/file.php?id=364
[5] Isikut tõendavate dokumentide seadus, RT I 1999, 25, 365. Up-to-date version
available at http://www.riigiteataja.ee/ert/act.jsp?id=742623.
[6] Digitaal-allkirja seadus, RT I 2000, 26, 150. Up-to-date-version available at
http://www.riigiteataja.ee/ert/act.jsp?id=694375
[7] Sagem Orga GmbH. Micardo 2.1 Chip Card Operating System Manual.
[8] RSA Laboratories. PKCS#11 Cryptographic Token Interface Standard.
[9] ISO/IEC 7816 standard for electronic identification cards with contacts.
[10] The OpenSC smart card driver framework, version 0.11.8, with libopensc 2.0.0.
http://www.opensc-project.org/opensc/
[11] The OpenCT smart card reader driver framework, version 0.6.14.
http://www.opensc-project.org/openct/
[12] PC/SC Lite
http://pcsclite.alioth.debian.org/
[13] RFC 5246. The Transport Layer Security (TLS) Protocol Version 1.2, 2008.
http://tools.ietf.org/html/rfc5246
[14] A. O. Freier, P. Karlton, P. C. Kocher. The SSL Protocol Version 3.0, 1996.
http://www.mozilla.org/projects/security/pki/nss/ssl/draft302.txt
[15] Finjan security. How a cybergang operates a network of 1.9 million infected computers. http://www.finjan.com/mcrcblog.aspx?entryid=2237
[16] CA / Browser forum. http://www.cabforum.org
[17] The PhishTank phishing report collator. http://www.phishtank.com
[18] C. Jackson, D.R. Simon, D.S. Tan, A.Barth. An Evaluation of Extended Validation
and Picture-in-Picture Phishing Attacks. In proceedings of the Workshop on Usable
Security, 2007.
[19] T. Moore, R. Clayton. An empirical analysis of the current state of phishing
attack and defense, In Proceedings of the 2007 Workshop on the Economics of
Information Security, 2007.
21
[20] Xiaoyun Wang, Dengguo Feng, Xuejia Lai, Hongbo Yu. Collisions for Hash Functions MD4, MD5, HAVAL-128 and RIPEMD, 2004.
[21] A. Sotirov; M. Stevens, J. Appelbaum, A. Lenstra, D. Molnar, D. A. Osvik, B. de
Weger. MD5 considered harmful today, 2008. Available online at
http://www.win.tue.nl/hashclash/rogue-ca/
[22] B. Schneier. The failure of two-factor authentication.
http://www.schneier.com/blog/archives/2005/03/the_failure_of.html
[23] The tlslite python TLS library. http://trevp.net/tlslite/
[24] M. Perry. Automated HTTPS cookie hijacking.
http://fscked.org/blog/fully-automated-active-https-cookie-hijacking
[25] L. R. Knudsen, J. E. Mathiassen. Preimage and collision attacks on MD2, Lecture
notes in computer science, Volume 3557, 2005.
22
Kiipkaardipõhise Autentimise Analüüs
Aleksei Gornõi
Bakalaureusetöö (6 EAP)
Kokkuvõte
Enamik kiipkaardiga töötavatest rakendusest eeldab vaikimisi, et liidestus kaardi ajuriga
ei ole pealtkuulatav ning et sellele saadetavad andmed pole muudetavad. Selline eeldus
pole üldjuhul mõistlik, sest tavakasutajal puuduvad vastava turvataseme tagamiseks
vajalikud tehnilised teadmised. Antud lõputöö käsitleb kiipkaartide autentimisfunktsionaalsuse turvalist kasutamist olukorras, kus pahatahtlikul kolmandal osapoolel on
olemas ajutine kasutajaõigustega ligipääs kaardi omaniku masinale.
Selleks uurime kõigepealt võimalikke ründeid teoreetiliselt, lähtudes standardsetest
lahendustest rakenduste ja operatsioonisüsteemide arhitektuuris. Seejuures loeme igasuguse kiipkaardi-vastase ründe edukaks, kui see ei nõua ründajalt jätkuvat aktiivset
osalust ning kui ründe käigus kasutatakse kaarti selle omaniku tahte vastaselt.
Teiseks, implementeerime vastavad ründed konkreetsel platvormil, mis koosneb Ubuntu
Linux operatsioonisüsteemist, OpenSC kiipkaardi-ajurist ning veebilehitsejast Mozilla
Firefox.
Kolmandaks, määrame, millised muutused mainitud platvormi komponentides tagavad
maksimaalse turvalisuse kasutaja-privileegidega ründaja vastu.
23
STORK / STORK 2.0: QAA-model and eID
eHealth Governance Initiative eID Workshop
11th February 2013, Brussels
Robert Scharinger
STORK2.0 WPL 5.4 eHealth
Austrian Ministry of Health
Stork 2.0 is an EU co-funded project INFSO-ICT-PSP-297263
BACKGROUND STORK 1
Quality of Authentication Assurance (QAA) and eID
Stork 2.0 is an EU co-funded project INFSO-ICT-PSP-297263
2
Government eID projects …
• Early birds started late 1990’s early 2000
 Finish eID card:
December 1999
 Estonian eID card:
from January 2002
 Austrian citizen card: from 2003, mass-rollouts 2005
 Italian CIE / CNS:
test phase 2003 (CIE)
 Belgian eID card:
from 2nd half 2003
National eIDs landscape
• Heterogeneous in various dimensions
 Technology
o Smartcards:
AT, BE,EE, ES, FI, GE, IT, PT, SE,
…..
o Mobile eID: AT, EE, FI, LU, NL, NO, UK, …
o Soft certif.: ES, SE, SI, …
o usern./pass.:
NL, UK, …
 Operational
o Issued by public sector, private sector, combined
o Issued at federal, local, regional level
o Use of identifiers
 Legal
o (limited) use of identifiers; flat, sectoral, combined
One problem tackled: Trust levels
Different technologies
and security levels:
•
•
•
•
Smart cards
Software certificates
Mobile Phones
Username-password
STORK QAA levels
(Source: STORK D2.3 – Quality authenticator scheme)
Stork 2.0 is an EU co-funded project INFSO-ICT-PSP-297263
6
STORK: eID profile of STORK countries (phase 1)
Technical factors influencing STORK QAA levels
Country & credentials
Token Types
Relation to 1999/93/EC
# of
cred.
Smart
card
mobile
eID
soft.certif.
qualified cert
Austria
3
yes
yes
-
Belgium
1
yes
-
Estonia
2
yes
Germany
1
Finland
Token Issuer
is a SSCD
public sector
private sector
all
all
yes
yes (all. qual.c.)
-
all
all
yes
-
yes
-
all
all
yes
-
yes
-
-
optional
all
yes
(opt. qual.certs.)
1
yes
-
-
qualified
all
yes
-
Iceland
2
yes
-
-
all
all
-
yes
Italy
2
yes
-
-
all
all
yes
yes (sig.-card)
Lithuania
1
yes
-
-
all
all
yes
-
Luxembourg
3
yes
yes
-
all
all
-
yes
Portugal
1
yes
-
-
all
all
yes
-
Slovenia
3
yes
-
yes
all
yes (QAA 4)
yes
yes
Spain
1+80
yes
-
yes
all
yes (QAA 4)
yes (QAA 3-4)
yes (QAA 3-4)
Sweden
12+
yes
yes
yes
-
tbc
yes
yes
(signature-cert)
Organisational factors
influencing STORK QAA levels
(Source: STORK D2.3 – Quality authenticator scheme)
Stork 2.0 is an EU co-funded project INFSO-ICT-PSP-297263
8
Technical & organisational
assessment of STORK QAA levels
(Source: STORK D2.3 – Quality authenticator scheme)
Stork 2.0 is an EU co-funded project INFSO-ICT-PSP-297263
9
Approach: Mapping to QAA levels
STORK I success story
• Six pilots live as “pioneering applications”
– Online authentication
– Safer Chat
– Student Mobility
– eDelivery
Affili
– Change of Address
ate
– ECAS
Example Austria: STORK Service
Signature “mobile phone signature”
• Developed during STORK
– Zero-footprint full-fledged eID
– Qualified electronic signature
– No changes on phone or SIM
• Key success
– Started piloting Q3 2009
– Full production in major
Austrian applications
(tax) in May 2010
– Promotion July 2012
– Outperforms smartcard eID
activation since Jan. 2011
Stork 2.0 is an EU co-funded project INFSO-ICT-PSP-297263
12
DEMO
– European Commission Authentication Service
» Authentication portal for EC staff and external
» Implemented an PEPS to link to STORK
• SEE IT RUNNING AT https://circabc.europa.eu
Stork 2.0 is an EU co-funded project INFSO-ICT-PSP-297263
13
STORK 2.0
Stork 2.0 is an EU co-funded project INFSO-ICT-PSP-297263
22
Introduction to STORK project
Main achievements
Implemented from 2008 to 2011, STORK Pilot A achieved to establish a
European eID Interoperability Platform that allows citizens to establish
new e-relations across borders, just by presenting their national eID.
• Common specifications
• Common code
• Framework for sustainable
deployment at a pan-European level
23
STORK 2.0 project
STORK 2.0
Secure idenTity acrOss
boRders linKed 2.0
3 year duration:
from 2012 to 2015
19 participating
countries
58 partners
24
Political framework
The Digital Agenda & its eGovernment Action Plan
2011-2015, ISA Work Programme (2009/922/EC),
the European Directive on Electronic Services
 address the importance of pan–European interoperability & of eIDs
as key enablers for eGovernment Services and for strengthening the
Digital Single Market
 stress the development and use of a pan-European infrastructure
for eID for citizens and businesses.
25
The Vision
STORK 2.0 will contribute to the realization of a single European
electronic identification and authentication area by:
– building on the results of STORK
– establishing interoperability of different approaches at national
and EU level, eID for persons, eID for legal entities and the
facility to mandate
26
Objectives
Accelerate the
deployment of
eID for public
services
Maximize the
take-up of its
scalable solutions
throughout the
EU
Seek & showcase
uses of eID for the
authentication of
both legal and
natural persons
throughout the
EU
Test in real life
environments
secure and
easy-to-use eID
and attribute
solutions in 4
relevant crossborder pilots
27
Work packages in STORK 2.0
Work packages
WP1
WP2
WP3
WP4
WP5
5.0
5.1
5.2
5.3
5.4
WP6
WP7
WP8
Description
Project Management
Existing Infrastructures & Resources
Legal & Trust Analysis
Common specs & Building Blocks
Pilots
Pilots Coordination
eLearning & Academic Qualifications
eBanking
Public Services for Businesses
eHealth
Pilots Evaluation
eID as a Service Offering
Marketing, Communication & Dissemination
WP Leader
Atos
IST
TIME.LEX
MINHAP
Atos
ES UJI
BUAS
IC
TUG
VKA/HEC
BUAS/UK CO
SU
28
STORK 2.0 Pilot
WP 5.4 eHealth
eHealth - Objectives
• The pilot is fully in line with Key Action 13 “Undertake pilot actions to
equip Europeans with secure online access to their medical health
data by 2015” of the Digital Agenda as well as with the patients’ right
of getting access to their personal medical data in crossborder
healthcare as a topic in the EU Directive 2011/24/EU.
• The pilot leverages the existing STORK infrastructure to processing
medical data, i.e. an area with the highest data protection
requirements due to special categories of data that receive particular
protection under the Data Protection Directive 95/46/EC.
29
STORK 2.0 Pilot
WP 5.4 eHealth
eHealth - Partners
Austria
Belgium
Italy
Slovenia
Sweden
Switzerland
Turkey
United Kingdom
(TUG)
(FEDICT, HEALTHCONNECT)
(LISPA)
(MoHRS)
(SU)
(BUAS)
(TUR)
(UK CO, YAP)
30
STORK 2.0 Pilot
WP 5.4 eHealth
(Source: STORK2.0 M5.4.1 – Draft eHealth Pilot Requirement Definition)
31
LSP Collaboration
• Interaction with the other LSPs building on gained
experience and lessons learned
• Close liaisons foreseen with epSOS for integrating
STORK 2.0 solutions for eID-based authentication with
eHealth infrastructure
• New: eSENSE
32
• Visit STORK 2.0 website www.eid-stork2.eu !
• Subscribe to STORK 2.0 Newsletter!
HOW TO GET
INVOLVED…
• Participate & “like” Stork eID Facebook page!
• “Follow” us on Twitter @StorkEid !
• Connect to Stork 2.0 EID LinkedIn page!
• Register in STORK 2.0 online groups!
• Contact us at [email protected] !
33
Thank you for your attention!
[email protected]
Stork 2.0 is an EU co-funded project INFSO-ICT-PSP-297263
eServices in Estonia: a success
story
A Secure Identity Alliance Visit Report
June 2014
Table of Contents
Table of Contents
1. Executive Summary ...................................................................3
2. The history of eServices in Estonia ............................................5
3. Key Success Factors ...................................................................6
4. Estonian eServices in action ......................................................9
5. Case Studies ............................................................................13
5.1. Case study #1 Income tax returns ..................................................... 14
5.2. Case study #2 e-Police ....................................................................... 14
5.3. Case study #3 Elections ..................................................................... 14
5.4. Case study #4 National census .......................................................... 14
5.5. Case study #5 ePrescriptions ............................................................. 14
5.6. Case study #6 eHealth services .......................................................... 15
5.7. Case study #7 Energy smart grids ...................................................... 15
6. Looking to the Future...............................................................16
7. Concluding observations ..........................................................16
June 2014 • eServices in Estonia: a success story
2
1.
Executive Summary
At the end of April 2014, the Secure Identity Alliance undertook a three day visit to Estonia to meet with
key players in the eGovernment and eServices ecosystem. The aim was to identify how eID, authentication
and the interoperability framework that underpins eGovernment in Estonia has enabled the creation of
state-of-the-art eServices and built the all important trust between citizens and government that has
powered the take-up of these services.
Universally recognized as one of the advanced electronic administrations in the world, Estonia’s
comprehensive e-Services platform has fundamentally changed how citizens access basic, daily services
from both the public and private sectors.
e-Government in action
The Estonian e-Government centralized system has two key aspects.
First, its data architecture allows agencies and private-sector entities
to retain their own records rather than combining all data on
centralized servers. Second, access is provided through a secure
nationwide electronic ID system. Users simply swipe their physical ID
cards through a reader and then enter their personal ID number.
Recently Estonia has added secure mobile access via smartphones.
This digital infrastructure has enabled a digital society to blossom,
transforming interactions among government agencies and between
the government and its citizens. As a result e-Services have become
a routine aspect of everyday life, with almost 100 percent of public
services for both businesses and citizens now available online: eelections, e-policing, e-healthcare, e-banking, e-tax filing and eschools are all standard practice.
Estonia: Fact File
Population: 1.3 million
Mobile Penetration:
128%
Internet Penetration:
78%
ID Card: Compulsory
Other eDocuments:
DigiID, Mobile ID,
Passport, eStamp,
Driving License, Resident
Permit
eID providers: Police and
Today, Estonia’s e-Government platform allows access to more than
Border Guards
550 e- and m-services. Citizens can register for unemployment
benefit, file for parental leave, undertake property registration, utilize
notary services, access digital medical records, and order prescription-drug renewals online – and more.
The implementation of e-Government has revolutionized citizen/government interactions in Estonia; in
2011, 94 percent of all personal income tax returns were submitted online and 25 percent of votes in the
last parliamentary elections were cast over the Internet.
“The only thing you can’t do online is get married or buy a house! However, contracts for these
activities can be generated online, ready for download and signature when you visit the public
notary’s office.”
Annela Kiirats, eGovernance Academy, Estonia
June 2014 • eServices in Estonia: a success story
3
Powered by eID
The Estonian e-Services ecosystem is underpinned by eID. In 2002 the first nationwide eID card was
launched to all Estonian citizens and aliens residing within the country. A multifunctional card containing
both visual and electronically accessible information, the eID acts as a regular identity document, can be
used to generate digital signatures, and also operates as an access key to eServices.
In 2010 two new derivations of the eID card were launched: a digi-ID (the first ‘pure’ identity document
that establishes a person’s identity in an electronic environment and can be used for digitally signing
documents) and a Mobile-ID (the second ‘pure’ identity document which allows citizens to use a mobile
phone as a form of secure electronic ID to access secure e-Services and digitally sign documents).
All transactions that take place over the X-Road (the Government’s interoperable ICT data distribution
architecture) are made possible using e-ID/digi-ID/Mobile-ID identification, giving people the confidence
that the person on the other side is the person they say they are, and that the digital signature is real and
will stand up in a court of law when necessary.
X-Road is the backbone of ‘e-Estonia’, allowing the nation’s various e-Services databases - both in the
public and private sector - to link up and operate in harmony. Launched in 2001, the X-Road data exchange
layer is a technical and organizational environment which enables secure Internet-based data exchange.
Both public and private sector organizations can connect their information systems with X-Road, giving
both institutions and citizens the ability to securely exchange data, and access data maintained and
processed in state databases.
Sharing expertise and learning
The SIA found a striking level of transparency in the Estonian eGoverment system. Indeed, Estonia has
already moved beyond eGovernment to the beginnings of true e-Democracy.
All the key agencies we met in Estonia strongly welcomed the new eIDAS Directive for European
interoperability and security, stating their belief that security levels should not be lowered.
“American Cloud players request you sign the ‘conditions of use’, just like a marriage contract.
When you marry, you sign up too, but you don’t know what for!”
Jaan Priisalu, Director General, Estonian Information System Authority (EISA)
Eager to collaborate, cooperate and share the practices that underpin its implementation of government
eServices, Estonia is only too happy to cooperate with other countries looking to initiate e-Government.
The SIA recommends that any country on the brink of making the move to e-Government should spend
some time visiting Estonia to see for themselves how the country’s eGovernment infrastructure and
eServices operate.
A number of countries have already taken advantage of Estonia’s development cooperation outreach
project, which is coordinated by the country’s e-Governance Academy, to discover how they could go about
delivering better, more transparent public services. In 2013 Estonia welcomed 250 international delegations
and is currently exporting its X-Road data exchange layer to several countries.
June 2014 • eServices in Estonia: a success story
4
2.
The history of eServices in Estonia
When Estonia first became independent in 1991, its leaders faced a
grim reality. As small country, with limited resources, the government
took the conscious decision to build an open e-society – a cooperative
project involving government, business and citizens that create a
brighter future for all. Estonia wanted to make bureaucracy a thing of
the past, ensuring that all levels of government ran more efficiently
than before. It also wanted to create a better community for citizens
and enable a prosperous environment for business and
entrepreneurship. To achieve this vision, they decided to use local IT
companies and make use of the standard Internet to digitize services.
In this decade, legislation was passed that would pave the way for
the creation of the national ID card and the X-Road platform; both
would be critical to developing the digital society systems that were
to come.
Estonia passed the Digital Signatures Act in 2000 and standardized
the national Public Key Infrastructure (PKI). Meanwhile the X-Road
data exchange layer became the basis for the creation of a new estate and the in 2002 the first electronic IDs were implemented.
Today every person over 15 years of age is required to have an IDcard; in addition to establishing an individual’s identity in an
electronic environment, the ID-card can also be used by Estonian
citizens as a travel document.
In general, all decisions taken in the development of the national
eServices program were based on pure pragmatics – the population
and the country’s resources where not overly abundant. It was
therefore critical to come up with something clever and future
proofed.
Estonia based its e-Services digital infrastructure on the Internet and
avoided the creation of separate and specific data networks to ensure
its people have constant access to the services built for them. It also
launched the innovative ’Tiger Leap’ project to seed technology savvy
skills among Estonia’s citizens to prepare them to use the developing
digital society systems that were to come. Today, Estonia ranks
among the most wired and technologically advanced countries in the
world, with free WiFi connections nationwide delivering direct access
to public and private eServices.
Key Milestones
1992: Personal Identity
Code (PIC)
1992
Population
register (holds PIC)
1996: Internet bank
authentication (1st elD )
2000:
Digital
Signatures Act
2002:
ID
card
introduced,
certificates,
PKI (2nd elD)
2007: Mobile ID system
comes online (3rd eID)
2009: Concept of digital
documents
2009: DIM becomes the
responsibility
of
the
Ministry of the Interior
2010: DigiID (1st “pure”
digital identity document)
2011: Mobile ID (2nd
“pure”
digital
identity
document)
2014: 4,000 e-Services
provided by the public and
private sector
2017 (?): Use of biometric
credentials: state issued
max
5
years
valid
compulsory ID document
from 15 years age. Usable
for visual and electronic
authentication.
The other crucial step taken was raising the awareness of the
population and promoting the use of the ID card. Introducing people
to the idea of using technology and e-services was done in stages –
for example, 10 percent of the adult population tried their first e-skills
out registering for national events, such as the Estonian Song
Festival, which became their gateway ’first experience’ of eServices.
June 2014 • eServices in Estonia: a success story
5
Public Internet access points were built at 500 locations in Estonia, such as libraries and post offices, to
cater for citizens with no access to the Internet at home or who do not own a computer. In addition, the
government-backed technology investment body - the Tiger Leap Foundation -ensured that all Estonian
schools were online by the late 1990s. Children and young people encounter electronic communications as
soon as they enter school. In a sense, e-school acts as a technological and educational partner for
Estonians.
Today the e-school system allows parents, students, teachers and school administrators to connect. Exam
marks, assignments and attendance in class are all available to parents at the click of a mouse.
Since the first eID cards were inaugurated in 2002, a total of 152 million documents have been signed by
means of digital signatures (as of March 2013) and 246 million authentications have been undertaken.
3.
Key Success Factors
All too often the success of e-Government in Estonia is attributed to the ‘green field’ situation or the small
scale of this tiny country. But what makes this country interesting is not just that people can elect their
parliament online, or get tax overpayments back within two days of filing their returns. It’s that is that the
level of service citizens today enjoy did not result by the government simply building a few websites.
Instead, Estonia took the decision to redesign its entire information infrastructure from the ground up with
openness, privacy, security and ‘future proofing’ in mind. Its vision was to combine all day-to-day
transactions and processes into one e-government infrastructure that’s easy to use and productive.
To maximize the successful evolution of digital-democracy, Estonia established an e-Governance Academy
– a non-governmental, non-profit organization established by the Government of Estonia, the Open Society
Institute and the UN Development Program – to increase the awareness and capability of Estonian local
governments in the implementation of open, transparent and engaging governance and the sharing of best
practices.
‘A can do, will do’ mindset
A strong political will to develop a convenient and transparent society, based on ICT, was the starting point.
Political leaders worked closely with the ICT community to implement initiatives that would support the
creation of a minimal, highly efficient state.
Viewed as a force of progress, the promotion of e-Government was widely supported by officials and the
private sector. This positive viewpoint led to the launch of initiatives such as the Tiger Leap program, which
provided information technology to schools in the 1990s.
The first building block was the introduction of a unique ID methodology across all systems – from paper
passports to bank records to government offices and hospitals - that identifies every citizen. To enable
citizens to transact with one another, Estonia passed the Digital Signatures Act in 2000 and introduced a
standardized national Public Key Infrastructure (PKI) which binds citizens’ identities to their cryptographic
keys – making a signature, a signature in the eyes of the law.
June 2014 • eServices in Estonia: a success story
6
Private public partnership
To accelerate innovation, the state tendered the building and securing
of its digital signature-certificate systems to private parties – a
consortium led by local banks and telecoms. Public and private players
can also access the same data exchange system (X-Road), enabling
truly integrated e-Services.
In 2002 the government introduced eID-cards to support online
transactions. At that time 57 percent of Estonian Internet users were
using Internet banking. This trust in e-banking helped to seed the
take-up of eID verification system which would enable government
services to work online.
Banks cooperated with the government to reap the benefits of
convenient and secure eID. Smartcard ID readers were distributed to
customers free of charge by banks, enabling them to authenticate and
transact online, and banks became hubs in the government network.
For banks, the advantages were clear: utilizing the highly secure
National ID was free and minimized the need for them to maintain or
manage an ID database – it’s the reason why increasing numbers of
retail and loyalty companies today utilize the government’s eID.
“‘People may not trust their government, but they trust their
bank. The early popularity of online banking was a gateway
for gaining acceptance of eGovernment services within the
population.”
Mary Pedak, Estonia’s eGovernance Academy
Estonia: creating
an information
society
100% of schools
government
organizations are
equipped
and
ICT
97% of businesses use
computers
76% of families have a
computer at home
75% of homes
broadband
have
78.6% use the Internet
(15-74 years)
93% of tax declarations
in 2013 were submitted
online
99.6%
of
banking
transactions
are
performed online
63% of people use
electronic versions of
Acts and laws
Keep it simple – but logical
1140 free WiFi areas
The foundational 2002 law forced all decentralized government
systems to become digital ‘by demand’ – no part of the government
can turn down a citizen’s digitally signed document and demand a
paper copy instead. Yet a social worker, in a small village, can still
provide the same service by handling the small number of digitally
signed email attachments the office receives.
In other words, Estonia did not try to change the way things are done
on paper overnight – instead, implementation has evolved, with
citizens and businesses receiving incentives to utilize eServices where
they exist.
“Instant access to the
Internet has become a
social right.”
Anna Piperal, ICT
Center
“Everything takes ten years.”
Mary Pedak, Estonia eGovernance Academy
June 2014 • eServices in Estonia: a success story
7
Everything hinges on the provision of a compulsory national ID card to citizens at a reasonable cost, and
full process automation: for example, when a child is born the birth certificate is automatically generated
by the hospital; by the time the mother returns home, the benefits she is entitled to are already in her
bank account.
More recently, a Mobile-ID service has been launched, giving Estonians the option of using their mobile
phone as a secure electronic ID. The system is based on a specialized Mobile-ID SIM card which users must
request from their mobile phone operator. Without installing additional hardware or software users can
access secure systems and affix their signatures by simply typing a mobile ID PIN code into the phone.
Transparent, open and accountable
The movement of data between systems relies on a fundamental principle to protect people’s privacy. In
Estonia, the citizen owns his or her data and retains the right to control access to that data. For example,
in the case of fully digital health records and prescriptions, people can assign access rights to the general
or specialized doctors of their choosing.
In scenarios where citizens can’t block the state from seeing their information – such as a policeman using
a real-time terminal – they’re able to get a record of who accessed their data and when. If, having visited
the online portal, a citizen sees a government official has accessed their personal data without good reason
they are able to file a complaint online and initiate an inquiry. The unauthorized access of citizen data is
punishable by law; individuals may lose their job or go to jail.
Incentivizing citizens
Alongside educating citizens on the benefits of secure ID in relation to the convenience and ease of access
to government and private sector eServices such as banking, the government has also introduced a number
of ‘soft handcuff’ style incentives to promote the acceptance and use of secure eID.
For example:
secure eID is required for any monetary transfer of 200 Euros or more
in 2007 all businesses were required to use the e-tax system exclusively and paper filing was abolished
citizens utilizing the e-Tax board to file their returns online are guaranteed to obtain any tax refund
within 3-5 days.
The introduction of the ID bus ticket proved – after e-banking – to be the second major trigger that
incentivized people to apply for ID cards: for example, the Municipality of Tallinn offers a 30 percent ticket
price discount for ID holders and today 90 percent of Estonians hold an ID-card.
Creating an open, decentralized system
The Estonian e-digital society has been made possible by the creation of an open, decentralized system
that links together various services and databases. The flexibility provided by this approach has enabled
new components to be developed and added.
June 2014 • eServices in Estonia: a success story
8
The interoperable ICT distributed architecture means that each Government agency has its own database.
Utilizing a “only-once” principle, no government agency is allowed to ask a person for information that
another government institution already has asked for.
“IT is about saving time and this is what we do: automate processes. Governments should use
budget crisis to move to eGovernment. X-Road was created because of the lack of Money in
Estonia. You also need to solve the ID issue; without ID, nothing works. Transparency is key
and you need to define interfaces between agencies.”
Jaan Priisalu, Director General, Estonian Information System Authority (EISA)
International collaboration
Estonia is now starting to provide citizens of other countries access to its own secure and convenient eServices. A virtual, or e-residency, service is being launched that will provide electronic identity in the form
of a digital ID to non-residents, including:
expatriates
foreign clients of banks
members of companies’ governing bodies
scientists and consultants
students
e-enthusiasts
Friends of Estonia.
4.
Estonian eServices in
action
Technical Overview:
Estonian eServices
Model: Centralized
eServices in Estonia are divided into three categories,
dependant on the status/role of the user:
•
citizen
•
entrepreneur
•
official.
Each citizen has a unique ID and may have several roles.
As a result, their access rights are determined by their
roles.
eID providers: Police and Border
Guard
PKI: Yes
Population Registry: Yes
Biometrics: No
Program access: Card reader, mobile
Certification Authority: SK (joint
venture between banks and telecom
operators)
June 2014 • eServices in Estonia: a success story
9
The Estonian ecosystem
In Estonia the Ministry of Economic Affairs and Communications holds political responsibility for the
development of the state information policy. It elaborates the state's economic policy and development
plans, and drafts legislation bills in a variety of fields - including informatics and the development of state
information systems.
The Estonian Information System Authority (EISA) is under the authority of the Ministry of Economic Affairs
and Communication. The Authority's mission is to "coordinate the development and management
information system so that Estonian citizens are served in the best possible way". It oversees the
coordination of all Public Key Infrastructures related to the operation of ICT and Information Technology,
such as the state portal www.eesti.ee, the middleware system X-Road, the Government backbone network
EEBone, the administration system of the State information system (RIHA) and the electronic document
exchange centre (DVK). It is also responsible for state information system development projects and the
preparation and participation in international projects. Finally, EISA monitors the legislation process
concerning the management information system requirements.
The Police and Border Guard Board, issuer of the ID-Card, is under the authority of the Ministry of Interior.
In March 2013, the Police and Border Guard Board had issued over 1.2 million active ID cards.
A total of 246 million authentications and 152 million digital signatures have been made (March 2013).
Source: Mark Erlich, Estonian Information System Authority
June 2014 • eServices in Estonia: a success story
10
ID-Card
In January 2002, Estonia started issuing national ID cards. The card, which fulfils the requirements of
Estonia’s Digital Signatures Act, is mandatory for all Estonian citizens and residing foreigners over 15 years
of age.
Applications can be made on line, and the card acts as the primary document for identifying citizens and
residents. It can also be used in any form of business – governmental or private and is a valid travel
document for domestic travel and movement within the European Union. In January 2007 the card, which
is issued by the Citizenship and Migration Board, became valid for five years (previously it was valid for 10
years).
The card contains advanced electronic functions that facilitate secure authentication and provide a legally
binding digital signature for public and private online services. An electronic processor chip contains a
personal data file, a certificate for authentication (along with a permanent email address: Name/Surname
@ eeesti.ee for eCommunications with the public sector), a certificate for digital signature and their
associated private keys, protected by PIN codes.
In other words, the chip carries two certificates: one for legal signatures and the other for authentication
when using a website or service that recognizes the government’s ID system (online banking, for example).
The certificate contains only the holder’s name and personal code (national ID code). The data file and
certificates are valid only for the duration of the identity card and thus have to be renewed every five years.
“There has been no fraud in 12 years. Estonia is the only country in the world where all IDs have
the same legal value. This is a powerful incentive for use.”
Helar Laasik, Chief Expert, Estonian Police and Border Guard Board
eID, digi-ID and mobile-ID – what’s the difference?
Technically they’re all the same; the only thing that differs is the issuance and identity management
process. State issued certificates (the mandatory national card) are issued by Police and Border Guard
Board and there are a number of services that require this state issued identity document for access; for
example, you can't vote or access some services with a mobile-ID that is not issued by the state.
Digi-ID is an additional token for electronic use only (it can’t be used as a physical document for travelling
like an ID-card) and is founded on the same concept: a pair of keys, certificate, same identity management,
etc. The level of eID penetration in Estonia has reached a point where people are required to use their eID
to do their daily work; issuing of digi-ID takes less than an hour as pre-produced cards are used (only the
physical identification and certificate issuing process takes time). Examples of how digi-ID is being utilized
by citizens include:
doctors working in hazardous laboratories can bring things into the workspace, but can’t take them out:
they need an additional token they can leave at work
if someone loses their ID-Card they can’t wait for weeks for a new one and can use an additional token
at work
June 2014 • eServices in Estonia: a success story
11
people who don’t want to use their personal identity document (the ID-card is a physical mandatory
document that can also be used as a travel document) as a working tool have the option of using a digiID instead.
The Estonian PKI mobile-ID has been developed as a convenient solution on a SIM card for authenticating
and digital signing. The mobile ID solution is used for both public and private eServices.
Certificates are issued by Police and Border Guard Board (http://www.politsei.ee/en/) to the user (a
certification authority acts on behalf of Police). First the user has to apply for a mobile-ID from his mobile
operator, to get special SIM card and apply for the appropriate certificates from the police (we call this a
following process for the activation of mobile-ID). The police system checks if the user is allowed to apply
for a mobile-ID and sends information to the certification authority (CA) which then checks if the application
data is correct (that given phone number is connected to the individual, for example) and the public key is
sent to the CA. When the certificate is issued, it is stored on a public repository and not on a SIM; the CA
is using an SMS service, which has a limitation on amount of data, as a communication channel. All
processes are automated and applications prefilled and can be done over the Internet (the user needs an
ID-Card to apply and sign digitally).
Charging for the state ID system has been kept low to encourage maximum citizen uptake and usage. The
ID-card price is 24.28 Euros, which includes 10 e-transactions; and mobile-ID costs 60 cents, with limited
transactions. Businesses are charged for all their e-transactions.
Currently uptake on mobile-ID remains low; it is mostly being utilized by mobile users keen to overcome
the no-reader obstacle. But mobile operators, in conjunction with the SK certification authority, are about
to launch a number of initiatives to further its adoption.
SK – Estonia’s primary certification authority
SK is Estonia’s primary, and currently only, certification authority (CA) providing certificates for the
authentication and digital signing of Estonian ID Cards.
Established in 2001 by two leading Estonian banks (Hansapank – a member of the Swedbank group, and
SEB) and two telecom companies (EMT and Elion) following the adoption of the digital signature law a year
earlier, this private company provides certification services for the state (the Estonian Ministry of the
Interior). Its services include:
certification and time stamp services for the ID-Card
technology for digital signature (the DigiDoc system is widely used in Estonia for storing, sharing and
digitally signing documents); checking certificate validation/file encryption
validation services
consultation services.
SK is paid by the Estonian government to issue certificates, and receives payment from private sector
eServices providers for transaction signing/verification services.
Aware that eID is a long term business, SK is also in charge of incentivizing the population to take up the
use of e-signature and eServices.
“We’re in the business of changing people’s behaviors!”
Tarvi Martens, Development Director, SK Certification Center
June 2014 • eServices in Estonia: a success story
12
X-Road provides a distributed, secure, unified web-services based inter-organizational data exchange
framework. Built to satisfy the highest security requirements, X-Road does not centralize the data and does
not change the ownership of the data.
Designed with no single point of failure, all components of the system can be doubled for resiliency against
failures and attacks. Components available over shared or public network employ protective measures
against denial of service (DoS) attacks.
All web-service requests and responses are digitally signed, time stamped, encrypted and archived by
security servers. Adapter servers - a custom component that implements the web-services that will be
shared via X-Road – contain the business logic of the particular X-Road service. The adapter server will
query the registry or information system using a suitable protocol (SQL, EJB, SOAP, etc.) and transform
the results back into a web-services response.
The platform for an adapter server can be freely chosen by the organization to suit its existing platform
and IT policies; adapter servers have been successfully implemented on .NET, JEE, Python, various ESB
and other platforms. The adapter server also includes a developer toolkit which consists of source codes,
manuals, and templates for developing a needed adapter.
X-Road is an open source software. This means that its owner knows the code it contains and no one from
the outside has the power to set its own limits or regulations, or change something in its structure.
In effect the eID is just the key to the data, which is stored at the service side. Each database is separate,
making fraud more difficult. The data itself is secured by a solution developed by Guardtime. To review
more about the technical structure of X-Road, visit www.ria.ee/x-road/
5.
Case Studies
Today around 3,000 eServices are available in Estonia: 600 government-to-citizen and 2,400 governmentto-business services.
From the top down, Estonia has embraced an open yet secure e-Society approach. In August 2000, the
Government changed its cabinet meetings to paperless sessions, using a web-based document system. By
2004, five information systems from five different government institutions were made interoperable so that
parental benefits could be delivered as an eGovernment service. Today, new parents can log onto the state
portal, register their child, select a link to the relevant state benefits and simply add their digital signatures
to complete the process.
The penetration of eServices has been enormous; today nearly 99 percent of all banking transactions are
done online in Estonia. Here we take a look at how eServices have changed the way people live their lives
and do business in Estonia.
June 2014 • eServices in Estonia: a success story
13
5.1.
Case study #1
Income tax returns
First launched in 2000, today 95 percent of all income tax returns are completed via the e-Tax board.
Citizens can log into the system and review the data which appears in a pre-filled form, implementing any
necessary changes before submitting their declaration. In countries where tax returns are still submitted
on paper it can take up to two days to collect the data and complete the form. The Estonian e-Tax system
enables citizens to complete their return in less than 10 minutes. The motivation for people to complete
their income-tax declarations online is that it is convenient, free-of-charge, provides pre-completed
information which is extracted from employers monthly tax reports – plus the government guarantees to
pay back overpaid tax in just five days.
5.2.
Case study #2
e-Police
Every police car is equipped with a mobile workstation that allows police to submit queries to police related
databases – including the Traffic Insurance Fund, the Motor Vehicle Registration Center, the Weapons
Register and the Population Register. Queries can also be submitted to Europol, Interpol and Schengen
Zone’s information system. All of which ensures that if a driver is pulled over there is a good reason. The
e-Police system also plays a role in wider-scale prevention work: for example, reminding owners if their
car is due a check-up. All of which adds up to faster response times, decreased road fatalities, and increased
security on the roads.
5.3.
Case study #3
Elections
In Estonia, voters can cast their ballots from any Internet-connected computing. The i-Voting system is
proving a powerful way to attract more people to participate in elections, especially the younger generation,
those that travel, soldiers and citizens not permanently domiciled in Estonia. The system eliminates the
need to visit a polling station or search out an embassy when travelling or living abroad. In 2013, 25
percent of all votes were cast over the Internet.
The online voting service adopts all the principles of paper voting, offering a convenient alternative to the
paper ballot. Digital voter registration is based on the national population register, with voters’ identification
being confirmed using eID.
5.4.
Case study #4
National census
Estonia holds the world record for census participation via the Internet. In January 2012, Statistics Estonia
held the first e-census in the country and 66 percent of the population completed their census form online.
The e-census questionnaire, which consisted of over 100 questions, was completed by 1.29 million
permanent residents.
You can find out more about the e-census program and its success factors at http://eestonia.com/estonian-e-census-winning-trust-and-breaking-world-records/
5.5.
Case study #5
ePrescriptions
More than 90 percent of medicines prescribed in 2011 were e-prescriptions. Today, citizens can get a
prescription renewal over the phone, e-mail or Skype; if a patient calls their doctor on the way to the
pharmacy, by the time they reach the counter their prescription is waiting for them. Patients can select
their specific brand of a prescribed medicine, as GPs simply fix the active medicine substance. For
pharmacies it has meant the end of having to decipher handwritten prescriptions, while licensed doctors
June 2014 • eServices in Estonia: a success story
14
are instantly able to access the patient’s medical history and medicine purchases – helping to avoid drug
misuse. For the state, the introduction of ePrescriptions has reduced paperwork in hospitals and pharmacies
and provided a clear overview of activities in the field of pharmaceuticals.
5.6.
Case study #6 eHealth services
The Estonian e-Health Foundation was established in 2005. Created by the Ministry of Social Affairs and
six medical institutions, the Foundation is responsible for developing e-solutions in health-related services,
assisting in the provision of high quality accessible health care services, and the development and
management of the nationwide electronic health record system (EHR). In 2008, health care providers were
obligated to forward medical data to the Estonian National Health Information System (ENHIS) and in 2009
the EHR system and the patient portal (Digilugu) were launched.
Today the EHR system integrates data from Estonia’s healthcare providers to create a common record for
each patient, providing doctors with access to a patient’s records from a single electronic file. Medical staff
can view test results as soon as these are entered, together with image files such as X-rays. In an
emergency, a doctor can use a patient’s ID card to view time-critical information such as blood group,
allergies, recent treatments, ongoing medication and so forth. Citizens can log into the patient portal with
an eID card to view their medical data and related information (such as recent appointments, prescriptions)
– and the records of their children. They are also able to control which doctors have access to their files.
The system also automates the compilation of national statistics data so government ministries can
measure health trends, track epidemics and ensure health resources are being spent wisely.
5.7.
Case study #7 Energy smart grids
Estonian entrepreneurs and software developers have created smart metering and billing management
software for use by utilities providers. The systems allow end users to monitor consumption in real time,
compare packages to find the best deal and select how much of their energy comes from renewable sources.
The same system can predict when a local electricity supply is likely to be under pressure, automatically
offering consumers an instant bonus for cutting their consumption at these times. The approach has
generated up to 25 percent savings on their electricity bill for residents in the village of Kelvingi.
June 2014 • eServices in Estonia: a success story
15
6.
Looking to the Future
Estonia has a number of bold plans for the future. For example, its e-Receipt program could see the paper
receipts you receive after every purchase become a thing of the past. Instead, you’ll be able to view every
item you’ve ever bought, together with the warranties associated with the goods you’ve bought. For
consumers, there’s no worry about losing receipts if you need to return an item and the environment will
be ‘greener’.
And, because every person in Estonia has been provided with an e-mail address that’s only accessible with
an ID-Card, the moment you move physical address, you’re always assured your mail gets delivered –
electronically. No more missing envelopes or post going astray.
Similarly, goods and services are imported – and exported, for that matter – on a daily basis. So, why
shouldn’t state provided e-Services move across borders too? The e-Business Register already allows
entrepreneurs to establish a business in Estonia using just their ID-cards from Belgium, Portugal, Lithuania
and Finland. And the list is growing longer every day.
But the ambitions don’t end there. Plans are afoot to introduce an e-Resident service for anyone living
outside the country. This will enable people to use Estonian online services, open bank accounts and start
companies without ever having to physically visit the country. The plan, which will require e-resident
applicants to pass a background check similar to the visa application process and sign up to identify
themselves with biometrics such as fingerprints or iris scans, could see the Estonian Ministry of the Interior
being ready to hand out the first ID cards for e-residents at the end of the year.
By 2025, the Ministry projects that potentially 10 million people could have gained Estonian e-identity,
boosting the potential influx of business and investment in the country and stimulating the digital economy
significantly.
7.
Concluding observations
From the very start, the mindset in Estonia was to utilize the Internet to maximize participation in a digitized
eSociety in which eGovernment would support the delivery of services to citizens and businesses alike.
Determined to get the key infrastructure right – creating a platform that was flexible enough to develop
and evolve – the Estonian government worked in collaboration with ICT companies and private companies
to develop the key components it needed to ensure eServices could function optimally: e-signatures, legal
frameworks, trust, eID.
The information platform Estonia has developed today enables citizens, businesses and government
agencies to transact with one another with openness, privacy and security.
June 2014 • eServices in Estonia: a success story
16
Prepared for the eGovernment Unit
DG Information Society and Media
European Commission
Good Practice Case
eID in Estonia
Case Study
17 October 2006
Case study prepared by Ralf Cimander
(ifib, Germany) in co-operation with
Andres Aarma and Ain Järv from AS
Sertifitseerimiskeskus, Estonia.
eGovernment Unit
DG Information Society and Media
European Commission
Table of contents
1.
eID in Estonia
2
1.1
Case Summary
2
1.2
1.2.1
1.2.2
1.2.3
Problem addressed
Specific Problem
General Background
Policy context and strategy
3
3
4
6
1.3
1.3.1
1.3.2
1.3.3
Solution
Specific Objectives
Principles of eID card
Implementation
- Workflow description
- Security and Privacy
- Awareness and Marketing
8
8
8
13
14
16
17
1.4
1.4.1
1.4.2
18
18
1.4.3
Features making it a candidate for good practice exchange
Impact
Relevance of the case for other administrations that could learn
from the experience
Transferability
1.5
Results
21
1.6
Learning points and conclusions
23
1.7
References and links
26
19
20
Annex 1: Assessment Questionnaire for the MODINIS Case Descriptions
GP - Case: eID in Estonia
10-2006, vs 1.0
27
1
1.
eID in Estonia
1.1
Case Summary
Estonia has implemented the ID card as the primary document for identifying its citizens and alien
residents living within the country. Before introduction of this card, no national personal
identification document - neither physically nor electronically - did exist in Estonia. The card,
besides being a physical identification document, has advanced electronic functions that facilitate
secure authentication and legally binding digital signature, in connection with nationwide online
services.
There is only one version of the national ID card — no optional features or variations exist. All
cards are equipped with a chip containing electronic data and a pair of unique digital certificates
relating to each individual. In emergency cases (e.g. loss of the card) the certificates can be
suspended if required — disabling the ability to use the card for electronic authentication and
transactions.
The Estonian ID card scheme is the overall responsibility of the Estonian Government's Citizen and
Migration Board (CMB) and is regulated by the government's National Identity Act. The process
itself is managed through a tight public and private partnership with two key private organizations,
the AS Sertifitseerimiskeskus which is a joint venture between banks and telecommunications
organizations in Finland – acting as Certification Centre - and TRÜB Baltic AS which is the
company that personalizes the card itself — both physically and electronically.
The overall aim of the CMB was the introduction of a reliable and trustworthy identification
infrastructure in Estonia, receiving high acceptance by citizens and businesses and hence
becoming a success in terms of effectiveness and efficiency of its use in everyday life. As an (e-)ID
infrastructure is a very sensible area in public administration of a country, which need to be highly
reliable and requires full-time technical support in case of problems, a solution had to found that is
based on already proven technology and that is provided by inner country software and vendors.
Besides, this infrastructure had to be scalable, flexible and standards-based for expansion to other
services as well as forward-looking to enable also cross-border use.
Considering these overall goals, specific objectives and the organisation of service delivery, the
interoperability requirement is that of different public services which have to use the same
auxiliary services, i.e. digital signature, authentication, document encryption. Beside the use for
application of public services or signing of documents, the approach is universal and is also
applicable to private use and services. The interoperability requirement is met by employment of
standardised workflows in form of a common document format applicable to each service
independent of its provider (DigiDoc) and a central common public, service-rendering resource,
connecting national databases (X-Road). In addition, a centralised infrastructure of a national,
unique identification number for each Estonian resident has been employed serving their
authentication (not only) in electronic processes. Each workflow where digitally signed data or
documents are integrated in the legacy systems, IOP in the front-office to back-processes has
been achieved, in the other cases front-office to front-office flows are concerned. Almost 70 per
cent of Estonian residents own an ID card out of which 2.5 per cent use the electronic features of
the card. Several applications are already working with eID, like e.g. e-voting pioneered at the
local government elections in 2005 and with the e-ticketing of public transport tickets as one of
the most massively used application.
GP - Case: eID in Estonia
10-2006, vs 1.0
2
1.2
Problem addressed
1.2.1
Specific Problem
Prior to introduction of the present ID card there was no personal
identification document which could be applied both physically as
well as electronically. The same applied to residence permits.
Specific problems
addressed:
• No personal
identification
document existed;
neither physically nor
electronically
In terms of interoperability in the Estonian eIDentity Management
project, interoperability had to be employed where auxiliary services
(digital signature, authentication, document encryption) are to
support different primary services.
IOP requirement 1:
IOP between eID card
functions (auxiliary
services) and different
services
As the main objectives of the Estonian eID card is to digitally sign,
documents, encrypt documents and to authenticate users, the
natural focus of service delivery is on the front-office to front-office
processes and where documents are directly integrated in the
respective legacy system, front-office to back-office processes are
also concerned.
Service delivery
model:
IOP among front-offices
and where data are also
integrated in the legacy
systems, front-office to
back-office processes
are also concerned
To meet the interoperability requirement, a central database of
unique identification numbers, allocated to each Estonian resident
has been established providing authentication of the card holder (i.e.
the applicant or signing person). To enable identification and
authentication for different services via a corporate infrastructure, a
common public, service rendering resource – X-Road - has been
developed. Based on Internet, X-Road connects public databases
and information systems, tools centrally developed by the state (i.e.
the State Portal Centre) and the X-Road Center (management and
control of the gateway) with the Certification Centre for the (e-)ID
cards. The eID card of citizens is just a secure token for different
purposes where access to these purposes, i.e. public services is
provided by a single point of entry - the E-Citizen Portal. To digitally
sign documents, a communication model using standardised
workflows in form of a common document format (DigiDoc) has been
employed. DigiDoc format is based on the XML Advanced Electronic
Signatures standard (XAdES) and is a profile of that standard.
XAdES defines a format that enables structurally storing signed data,
GP - Case: eID in Estonia
10-2006, vs 1.0
Basic organisational
model employed:
• Centrally provided
unique identification
number for each
Estonian resident
• Common public,
service rendering
resource to connect
national databases (XRoad)
• Central single point of
access to public
services (E-Citizen
Portal)
• Standardised
workflows in form of a
uniform document
format (DigiDoc)
3
signature and security attributes associated with digital signature
and hence caters for a common understanding.
1.2.2
General Background
Issued by the Estonian Government’s Citizen and Migration Board
(CMB), national ID cards represent the primary source of personal
identification for people living within Estonia and are mandatory for
all citizens and resident aliens above the age of fifteen.
The Estonian identification card carries two discreet functions:
−
Physical Identity – can be used as a regular ID in conventional
real-world situations — anywhere one would typically need to
prove identity, age and so on.
−
Electronic Identity – enables citizens to use the same card to
electronically authenticate to Web sites and networks, and/or
digitally sign communications and transactions as required.
There was no national ID card scheme in place in Estonia before the
launch of the new ID card project. Conventional ID card schemes
(e.g., corporate cards) have been in operation for some time within
Estonia; however the dual-purpose physical/electronic ID cards were
not so familiar. To fulfil the scheme's requirements, the Estonian
Government’s Citizen and Migration Board required a single, holistic
system which could process and provision users with a dual-purpose
smart identification card. The process had to be straightforward for
citizens (to register and receive), easy to administer (for technology
controllers) and above all, be secure and reliable. In conjunction
with the ID Card initiative, the CMB were also eager to drive the
adoption of electronic signatures within the region, thus streamlining
key public service and commercial processes for residents and
businesses.
The Estonian ID card scheme is the overall responsibility of the
Estonian Government’s Citizen and Migration Board. It is responsible
for the issuance of identity documents to citizens and alien residents
as required by the government's National Identity Act. The CMB is
the institution that physically receives card application forms from
residents. However, the process itself is managed through a tight
public and private partnership. Two key private organizations work
with the government to support the ID card project:
−
AS Sertifitseerimiskeskus (hereinafter 'SK') – a joint venture
formed in 2001 between two of Estonia’s largest banks
(Hansapank,
Eesti
Ühispank)
and
telecommunications
organizations (Eesti Telefon and EMT). SK functions as the
certificate authority for the Estonian ID card project and
manages a complete range of associated electronic services —
GP - Case: eID in Estonia
10-2006, vs 1.0
Service:
Electronic Identity –
enables citizens to use
the same card to
electronically
authenticate to Web
sites and networks,
and/or digitally sign
communications and
transactions as required
Types and level of
agencies involved:
• Estonian
Government’s Citizen
and Migration Board
• AS
Sertifitseerimiskeskus
as Certification
Authority which is a
joint venture between
two of Estonia’s
largest banks and
telecommunications
organizations
• TRÜB Baltic AS – a
subsidiary of the TRÜB
financial services
organization
• Certification Service
Providers (CSPs)
• Time-stamping Service
Providers (TSPs)
• As Supervising
Authority the Ministry
of Economy and
Communications, in
particular the National
Registry of
Certification Service
Providers
4
including the LDAP (Lightweight Directory Access Protocol)
directory service, OCSP (Online Certificate Status Protocol)
validation service, and other certificate-related services. SK also
manages the end-user distribution channel (through its parents'
retail bank outlets).
−
TRÜB Baltic AS – a subsidiary of the TRÜB financial services
organization — headquartered in Switzerland. TRÜB is the
company that personalizes the card itself — both physically and
electronically. TRÜB receives the card application from CMB and
manufactures the card, printing and engraving the personal data
on the card, generating keys on the chip and embedding the
certificates on the card.
Besides, for the processing and controlling of digital signatures,
following authorities and agencies are relevant:
According to the Estonian Digital Signature Act (DSA), Certification
Service Providers (CSPs) certify real persons identifiable by name
and ID code and must be legal entities fulfilling specific legal
requirements.
DSA also regulates the work of Time-stamping Service Providers
(TSPs). The requirements to such service providers are generally the
same as those to CSPs. According to DSA, a time stamp is simply a
data unit that proves that certain data existed at a certain moment.
The National Registry of Certification Service Providers contains data
about all Estonian CSP-s and TSP-s. Although it confirms the public
keys of CSP-s, it is technically not a root CA in Estonia. Instead, it
functions as a supervisory authority, confirming the results of service
providers’ annual audits among other things. The Ministry of
Economy and Communications, in whose administration area the
registry works, has the right to verify audit results and inspect the
service providers' premises and relevant information.
GP - Case: eID in Estonia
10-2006, vs 1.0
5
1.2.3
Policy context and strategy
The Republic of Estonia is a small, independent Baltic state with a
population of just below 1.4 million people. Estonia is structured into
15 sovereign counties. While Estonia is a relatively small country (in
terms of other European population sizes, land area, GDP levels,
etc.), the nation is an innovator when it comes to introducing and
adopting new technology products and services. According to spring
2006 data (TNS Emor Gallup e-Ratings study), 58 per cent of the
population regularly use the Web — the figure shows that Estonia
has one of the highest Internet-usage rate in Eastern Europe.
Internet connectivity is also very high and well accessible at homes,
offices and schools.
Institutional context:
• Estonia is structured
into 15 sovereign
counties
• Highest Internetusage rate in Eastern
Europe
The legal framework associated with the issuance and government of
ID cards was established through the Identity Documents Act, which
was passed in 1999 and took effect on January 1, 2000. The specific
legislation associated with digital signatures - the national Digital
Signature Act (DSA) - was passed separately by the Estonian
parliament (Riigikogu) on March 8, 2000 and came into force on
December 15, 2000. This law regulates the framework and rules
required to effectively govern a national PKI and digital signature
infrastructure.
Legal framework:
• Identity Documents
Act of 1 January 2001
• National Digital
Signature Act (DSA) of
15 December 2000
• Rules and regulations
for Certificate Service
Providers (CSPs)
• Rules and regulations
for Time Stamp
Providers (TSP)
• Personal Data
Protection Act
The primary aim of the DSA was to give electronic signatures the
same level of trust and assurance as handwritten ones. As a rule,
digital and handwritten signatures should be equivalent in both the
public and private sector. The DSA also states that public service
departments must accept digitally signed documents. The DSA
requires that each digital signature can:
−
Uniquely identify the signatory.
−
Bind the individual to the signed data.
−
Ensure that signed data cannot be tampered with retrospectively
— without invalidating the signature itself.
While there is no direct sanction for not holding an ID card, it is
expected that as the first Estonian passports were issued in 1992
(following independence from the Soviet Union) with a 10-year
validity period, most people will apply for a card when renewing their
passport — if not already done so independently. By 2007, the
government expects over one million cards to be issued (almost the
entire registered and qualified population).
In terms of EU status, all certificates issued in association with the
ID card scheme are qualified certificates as per the European digital
signature directive 1999/93/EC. The Estonian DSA only regulates
advanced electronic signatures with regard to the EU directive.
Naturally, other types of electronic signatures can also be regulated,
but the DSA does not give them legal power or status.
One of the core components of the DSA was the establishment of
rules and regulations with regard to Certificate Service Providers
GP - Case: eID in Estonia
10-2006, vs 1.0
Interoperability
Framework:
All certificates issued in
association with the ID
card scheme are
qualified certificates as
per the European digital
signature directive
1999/93/EC
6
(CSPs) — who issue digital certificates to users and manage related
security services. The Estonian DSA mandated a number of stringent
requirements (financial and procedural) to ensure that CSPs are set
up and managed properly — to perform their function to the highest
possible standard.
The DSA also regulates time stamping services which are provided
by dedicated Time Stamp Providers (TSP). These TSP service
providers have to adhere to similar laws and regulations as CSPs.
The time stamp is simply a piece of data which attests to the
occurrence of an event at a specific time. The DSA does not define
time stamps in great detail, but ensures that time stamped data
cannot be tampered with or amended without invalidating the time
stamp itself.
A national registry of service providers contains all the relevant
information associated with registered CSPs and TSPs.
A broad Personal Data Protection Act regulates the use of personal
data and databases containing personal data by public authorities
and private entities.
GP - Case: eID in Estonia
10-2006, vs 1.0
7
1.3
Solution
1.3.1
Specific Objectives
In order to drive the adoption of digital signatures within the region,
software and technology had to be available for parties looking to
incorporate compatible applications.
When technical experts looked for a generic application or
implementation that would fulfil this requirement, no ideal solution
was found. It was also not optimal to rely on a foreign software or
technology vendor to provide and guarantee support for a critical
piece of national infrastructure. This reliance could have detrimental
impact on the country’s day-today functioning going forward.
Because of these considerations, a bespoke software model was
developed specifically to cater for Estonia and its digital signature
constituents.
In order to issue and manage the PKI-based digital credentials, the
following objectives were set by SK:
−
Selection of a PKI product which is already value proven in a
range of successful deployments in similar environments;
−
Scalability and Flexibility of the product;
−
To have a technology structure that is based on standards since
the PKI has to interoperate with a broad range of
complementary technologies;
−
Consideration of internationalization aspects since the Estonian
language is rich in non-ASCII characters that need to be
correctly processed and embedded in the certificates;
−
Auditable security and the possibility to construct reliable
processes. Technology is just one aspect of security, equally
important are the organizational and physical security measures.
Estonian legislation requires annual external info system audits
from the PKI providers.
1.3.2
Objectives to be
achieved in general:
• Raise the adoption of
digital signatures
• Good availability of
software and
technology for
interested parties
• Not to rely on foreign
software or vendors
for this sensible piece
of infrastructure
Specific objectives:
• Implementation of an
already value proven
technology
• Scalability and
Flexibility
• Standards-based
solution to enable
expansion to other
services
• Processing and
embedding of nonASCII characters that
are common in
Estonian language
• Auditable security and
possibility to construct
reliable processes
Principles of eID card
The front side of the card contains the card holder's signature and
photo, and also the following data:
−
name of card holder
−
personal code (national ID code) of card holder
−
card holder day of birth
−
card holder sex
−
card holder citizenship
−
card number
−
card validity end
GP - Case: eID in Estonia
10-2006, vs 1.0
8
The back side contains the following data:
−
card holder birth place
−
card issuing date
−
residence permit details and other information (if applicable)
−
card and holder data in machine-readable (ICAO) format
Electronic data on card
Each ID card contains all the above data except photo and
handwritten signature in electronic form, in a special publicly
readable data file. In addition, the card contains two certificates and
their associated private keys protected with PIN codes. The
certificate contains only the holder's name and personal code
(national ID code). In addition, the authentication certificate
contains the holder's unique e-mail address.
GP - Case: eID in Estonia
10-2006, vs 1.0
9
- Certificates
Each issued ID card contains two discreet PKI-based digital
certificates – one for authentication and one for digital signing. As
said, the certificates contain only the holder's name and personal
code (national ID code). These certificates are standard X509 v3
certificates and have two associated private keys on the card – each
protected by a unique user PIN code. The certificates contain no
restrictions of use: they are by nature universal and meant to be
used in any form of communications, whether between private
persons, organizations or the card holder and government. They
contain no roles or authorizations: those where required must be
managed using some out-of-band method (see below, "Roles,
authorizations and organizations' validations").
The certificates contain the card holder's name and national ID code.
It is agreed in Estonia that this data is public by nature. The
certificates identify the card holder uniquely because even though
there may be name overlaps, the national ID code is unique. In
addition, the authentication certificate contains the card holder's email address.
In terms of the European Council and Parliament digital signature
directive 1999/93/EC, all the certificates on Estonian ID card are
qualified certificates.
- E-mail address
The authentication certificate on each ID card contains the card
holder's government-assigned e-mail address in the format
[email protected]. Random numbers can be used in
addition to provide unique e-mail addresses even to persons with the
same name. The address does not change with subsequent
certificate or card issuing – it is guaranteed to be a person's
"lifetime" address.
There is no real e-mail service associated with the address. It is
merely a relay address which forwards e-mails to users' "real"
addresses (e-mail accounts). Each user must configure the
forwarding addresses using an online service made available for this
purpose, and may reconfigure the addresses as often as he or she
pleases. Up to five forwarding addresses can be specified.
The address is supposed to be used in communications from
government to the person, but it can also be used in
communications between persons and companies and private
persons themselves. The addresses are available online to anyone
through CSP's certificate directory.
The address can be used as a simple e-mail address, but using the
address and the authentication certificate on the card, users can also
digitally sign and encrypt their e-mail. The digital e-mail signature is
not legally binding and not covered by DSA, but it provides receivers
additional confirmation of sender authenticity. E-mail encryption and
GP - Case: eID in Estonia
10-2006, vs 1.0
10
signing using certificates on smart card is a standard function of
various e-mail applications.
Anti-spam measures are implemented in the forwarding server. In
addition, spamming is illegal in Estonia and spammers will be
prosecuted accordingly.
Roles, authorizations and organizations' validations
In connection with implementing PKI and digital signatures, the
question of roles and authorizations has arisen in various projects. It
is assumed that certificates for digital signing may be issued for
specific purposes only, and that a person's roles can be embedded in
role certificates that are then used for authenticating the certificate
holder into different systems and giving digital signatures in different
roles. Thus, a person needs additional role and signature certificates
for each different role (s)he has, and the number of certificates
grows, creating substantial interoperability and scalability issues.
The Estonian approach states (as also said in the Estonian DSA) that
a digital signature given using a digital signing certificate is no
different than a handwritten one. A person's handwritten signature
does not contain his or her role – the role and authorization are
established using some out-of-band method (out-of-band in the
context of certificates). The same approach also goes for
authorization while authenticating – a person's certificate should not
contain his or her authorization credentials. Instead, everyone has a
similar universal key (authentication certificate), and the person's
role and authorization can be determined using some other method
(e.g. an online database) based on that key.
Case capitalises
mainly on following
layers of IOP:
• Technical and
syntactic IOP is
provided by the use of
the Internet-gateway
X-Road connecting the
national databases
and by DigiDoc which
is based on
OpenXAdES and hence
on ETSI standard.
DigiDoc provides a
common document
format and is a key
feature of the
semantic
standardisation. A key
feature enabling
semantic IOP is the
use of the national ID
number for
authentication
throughout any public
service
A practical example illustrating the above concept is signing
documents in organization using power of attorney. In traditional PKI
environments, this has been done using some form of attribute
certificates where issues described above arise. In Estonian and PKI
context, we could ask how power of attorney given in real life is, and
use the same principles in electronic document management.
Traditionally, power of attorney is granted in the form of a document
signed by the person giving the authorization. The document is then
given to the person who receives the authorization and who can then
present the document to relevant parties if necessary. The same can
be done electronically: the person giving the power of attorney can
sign the document using his/her own universal personal certificate,
and forward the document to the person who is given authorization.
The person can then enclose the digital power of attorney with any
further documents (s)he signs. The person receiving the document
can then verify both the original signed document and the enclosed
power of attorney that confirms that the person indeed had the right
to sign such a document.
Attribute certificates can of course be used in connection with the
universal certificates and documents outlined above, but the
Estonian concept is geared more towards universal certificates.
GP - Case: eID in Estonia
10-2006, vs 1.0
11
An exception to the above is organization's validation. Digital
documents sometimes need to be validated by organizations, so that
other organizations can be sure of the identity of the organization
where the document originated. This is useful for e.g. signing pieces
of databases (e.g. bank statements) online, to be presented to other
organizations. For this, SK issues certificates to organizations that
can be used to sign documents digitally. Technically, they are
equivalent to personal signing certificates on everyone's ID card, but
legally, they are not viewed as signatures and need not be covered
by law, because according to the Estonian law, only real persons can
give signatures. The "organizations' signatures" must therefore be
viewed simply as additional tools for proving information authenticity
(that it really originated from a specific organization) which may or
may not be accompanied by a digital signature of a real person
working in that organization. Still, the PKI complexity stops here,
and besides personal and organizational signature certificates, there
is no need for personal role certificates or anything else more
complex.
GP - Case: eID in Estonia
10-2006, vs 1.0
12
1.3.3
Implementation
In order to bring digital signatures into everyday life, common
understanding and signature handling practices are required. In
addition, software and technology must be available for anyone
interested, in order to create compatible applications. After all, the
key to unleashing potential digital signature benefits lies in
communication between organizations, not within one organization.
Therefore, it is vital that all organizations in a given community
interpret and understand digital signatures the same way. In case of
Estonia, the community is the whole country.
SK, together with its partners, delivered a comprehensive digital
signature architecture called DigiDoc. DigiDoc is a universal system
for giving, processing and verifying digital signatures created by AS
Sertifitseerimiskeskus. It can be connected to any new or existing
piece of software, but its components are a stand-alone client
program and a Web portal.
The core components of DigiDoc are:
− Client Program – DigiDoc Client is available to anybody to
download for free. Anyone can use it to verify digital signatures
or, if you have an Estonian ID card and smartcard reader,
generate digital signatures.
−
Web Portal – The portal is located at http://digidoc.sk.ee and is
available to all ID cardholders free of charge. Its functions are
similar to the client program — you can use it to generate and
verify digital signatures. In addition, you can use it to have a
document signed by a number of people. With a few clicks of the
mouse, you designate the people whose signatures you need on
the document, and they can all sign it in the same portal. Every
user has a directory of his or her documents which no one else
sees but where anyone can send documents to be signed by
you.
−
File Format – DigiDoc specifies the file format for storing a digital
signature and other technical data in a container file, together
with the original file that was signed. All DigiDoc-enabled
programs must support this format, and it must be possible to
export files from all the programs into stand-alone files, to be
verified with the stand-alone DigiDoc Client.
−
Software Library – The DigiDoc library is available to all
developers as a program library in C and as a Windows COM
component. It can be connected to any existing or new software.
For example, you could add DigiDoc support to accounting
software, document management system, Web and intranet
applications, and so on.
Supporting
infrastructure
employed:
• Web Portal to
generate and verify
digital signatures
• Software Library
(DigiDoc library
program in C
• DigiDoc document
format
• SK's OCSP validation
service
• X-Road, the Internetgateway connecting
the national databases
(public authorities),
Banks and the
Certification Authority
On the server side, DigiDoc provides an RFC2560-compliant OCSP
server, operating directly off the CA master certificate database and
providing validity confirmations to certificates and signatures. On the
GP - Case: eID in Estonia
10-2006, vs 1.0
13
client side, it provides a number of components — the most
important being the digital document format, which is key to
common digital signature implementation and practice.
SK based the DigiDoc document format on XML-DSIG standard. In
February 2002, ETSI published its extensions to XML-DSIG as ETSI
TS
101
903,
also
known
as
XAdES
(see
also
http://www.openxades.org). DigiDoc document format is a profile of
XAdES, containing a subset of its proposed extensions.
Based on the document format, a library was developed in C
language that binds together the following:
−
DigiDoc document format
−
SK's OCSP validation service
−
Interfacing with the user's ID card using Windows' native CSP
interface or cross platform PKCS#11.
Workflow description
The eID card is used for identification at the E-Citizen Portal. This
portal serves as a gateway to the services of approximately 20
different databases. Here, a person can check his or her data in
these various national databases and fill out application forms, sign
and send documents, and receive information about planned
electrical supply interruptions in the specific area. The DigiDoc
system described above is needed by citizens to start giving and
receiving digital signatures.
After identification at the E-Citizen Portal, services mainly of the
central public authorities like Benefits and Social Assistance,
Citizenship, Health Care or many others may be applied for (see
www.eesti.ee). The validity of the citizens' certificates will be
confirmed (OCSP) and a time-stamp given to the applications. Via a
common public, service rendering resource which connects the
national databases - the Internet X-Road - the application messages
are securely exchanged. More than 350 organisations already joined
this Internet-gateway.
GP - Case: eID in Estonia
10-2006, vs 1.0
14
Architecture of service delivery via eID in Finland
GP - Case: eID in Estonia
10-2006, vs 1.0
15
In 2004, The Parental Benefit Service was awarded for the best
government agencies cooperation solution.
Five information systems interact the data (real time).
−
Citizens' Portal
−
Register of Social Insurance Board
−
Population Register
−
Information system of Health Insurance Fund
−
Information system of Tax and Customs Office
Security and Privacy
The data protection question is not seen to be very relevant in the
context of Estonian ID card because there is very little private data
involved in the card issuing and further utilization process. There is a
broad Personal Data Protection Act in effect in Estonia which
regulates the use of personal data and databases containing
personal data by public authorities and private entities, and Estonian
Data Protection Inspection is the government body overseeing that
the requirements of the act are met and enforcing compliance if
necessary.
The certificates on the card are available publicly in a directory
service and contain only the card holder's name and personal ID
code, which are considered public data by law in Estonia. In addition,
e-mail addresses in authentication certificates are also available in
the directory. The directory contains only valid (active) certificates:
if a person suspends or revokes his/her certificate, it is also removed
from the directory and the data are no longer available.
GP - Case: eID in Estonia
10-2006, vs 1.0
Warranty of security
and privacy:
• Only little data is
saved on the ID card
• Estonian Data
Protection Inspection
controls that
requirements of the
Personal Data
Protection Act are met
• Personal ID code is
held publicly together
with card holder's
name and are
considered public data
by law in Estonia
16
The public data file is not published anywhere online. The personal
data on the card in visual and electronic format are accessible only
to those persons to whom the card holder physically presents the
card.
The general stance to ID card and data protection in Estonia is that
the card should contain as little private data as possible. Instead, the
data should be kept in databases at relevant authorities, and a
person can use the card as key (authorization method) to access his
or her data in the database.
Requests by third parties (e.g. representatives of authorities) for
private data are logged and logs are available online for the
individual upon request (via the citizen's portal). Thus such approach
presumes justified interest on behalf of authorities. An individual can
submit additional queries regarding the requests.
Warranty of security
and privacy:
• Card holder can
suspend or revoke
their electronic
certificate form the
card (for only "offline"
use of the card)
• Public data file is not
published anywhere
online
• Card is used as key to
access his/her data in
databases in public
authorities instead of
containing these data
Awareness and Marketing
Till now, the electronic usage of eID cards has been mostly the
realm of professionals and enthusiasts. This mainly due to:
-
the time required to change the mindset;
-
lack of inevitable applications (e.g. compared to free Internet
telephony);
-
initial technical glitches which discouraged some first-movers
and resulted in lack of hype for the ID card;
-
relative expensiveness of ID card readers (currently readers are
offered at more than three times cheaper price than some years
ago).
However, currently the card is used very actively as the token for
verification of a valid e-ticket in city public transport. One of the key
drivers behind a rapid and successful adoption of e-tickets is the
price difference between e-tickets and paper tickets.
The eID function of the bank card is currently much more often used
as that of the ID card. However, in order to strengthen the use of
the eID card instead of the bank card citizens as well as banks shall
be convinced by economic logic: As Internet use is affected by
viruses and other similar things updated security features and other
applications are permanently required in order to provide secure
services. This costs lots of money for the banks for services which
are not directly related to their own business. Also citizens need to
update their systems for these purposes which would not be the
case if they use the eID functionalities.
Currently, the Computer Security 2009 initiative has been launched
with the aim to ensure a more secure use of internet by application
of PKI products and services. E.g. internet banking transaction limits
which presume usage of higher security means (e.g. PKI tokens)
shall be decreased significantly. Also, new PKI products and services
are in production.
GP - Case: eID in Estonia
10-2006, vs 1.0
Awareness and
Marketing:
• Currently, the use of
the e-function for
identification is mostly
the realm of
enthusiasts
• However, card is
widely used as token
for verification of valid
e-tickets in public
transport
• e-tickets are cheaper
than paper ones and
force their use
• Increase of Internet
security envisaged by
development and use
of PKI products and
services
• As the use of the eID
card saves costs for
banks and also for
citizens in terms of
Internet security,
economic logic will
support the change
from using banking
cards to eID cards for
public service
applications
17
1.4
Features making it a candidate for good practice exchange
1.4.1
Impact
The Estonian eID roll-out is known to be one of the most successful
in Europe. It has been organised in a valuable public-private
partnership and there are already many applications working with it.
E.g. Estonian citizens can use it to buy e-tickets for public transport
and it allows drivers permit verification. Citizens can browse through
their information in the population register; they can digitally sign
documents or check their telephone bill. The card is also be used for
health insurance and banking purposes.
Outreach:
• > 950,000 residents
own an ID card, i.e.
almost full national
roll-out
• e-functions are active
by default and 2.5%
are using it
The first Estonian ID cards were issued in January 2002. In the first
year, more than 130,000 cards were issued, and the total figure up
to now (mid 2006) is more than 950,000; i.e. almost everybody has
one, considering that citizens under the age of 15 do not need one.
2.5% are users of the e-function of the ID-card in terms auf
identification and authorisation in public services.
Estonia has a PKI penetration of more than 67%. The reason for its
major success is that Estonia is a relative small country with almost
1.4 million residents.
The card is meant to be universal and its functions are to be used in
any form of business, governmental or private communications. It is
already helping people to make everyday communications more
convenient.
Although the ID card project is a success it took five years instead of
the originally expected 14 months to implement the infrastructure
and raise awareness and high uptake due to legislative and political
issues. Another challenge was to promote the use of the card and to
make people getting used to it.
Like in many cases the take-up of eGovernment service applications
based on the eID card was very slow due to the reasons mentioned
in the Awareness and Marketing chapter above.
With the DigiDoc library easy-to-use interfaces to the signature
relevant features are provided and there is no need for application
developers to know OCSP protocol specifics or DigiDoc (XAdES, XMLDSIG) format internals. It can be embedded in any application or on
top of it. A COM interface has been implemented, making it easy to
add DigiDoc support to any Windows based application supporting
COM technology. A Java implementation is also provided.
Despite these strengths, providing the libraries and formats was not
enough — because these do not add value to end users without real
applications. Although it is expected that DigiDoc support will
eventually be present in most Estonian document management
systems and Web sites dealing with documents, a number of sample
or reference applications were also provided. The parental benefit
service, the health care services or taxation services are good
GP - Case: eID in Estonia
10-2006, vs 1.0
Performance:
• DigiDoc support will
eventually be present
in most Estonian
document
management systems
and Web sites
• Easy to use function
as DigiDoc client is a
Windows application
• No need to install
stand-alone software
on user side as
functions are provided
via a web portal
• Libraries,
specifications, and
applications are
provided free of
charge to Estonian
public
18
examples in this regard. DigiDoc Client is a Windows® application
that lets users simply sign and verify documents, and DigiDoc portal
is an application that lets users do the same online — without the
need to install any stand-alone software. Both are based on the
same DigiDoc library and thus fully compatible e-signatures given in
Client can be verified in portal and vice versa. The libraries,
specifications and applications are provided to the Estonian public
free of charge, and it is expected that digital signature usage in
common life and everyday business and government practices will
grow significantly through 2003–2008. The first official digital
signatures in Estonia were given using DigiDoc Client on October 7,
2002.
1.4.2
Relevance of the case for other administrations that could learn from the experience
With the national eID card the Estonian government follows a
pragmatic and simplicity approach avoiding some of the contentious
aspects of ID cards in general:
−
ID cards do not contain any digital biometrics;
−
ID cards do not contain any roles or authorizations. Where such
is required these must be managed using some out-of-band
method;
−
The certificates are simple and only contain the holder's name
and personal code (national ID code);
−
There is not central aggregation of loads of user data as the card
is only the 'key' to user data stored in public authorities;
−
The certificates contain no restrictions of use: they are by nature
universal and meant to be used in any form of communications;
−
The use of the eID card is easy to understand for users as it only
contains two functions to be used with two different PIN codes,
one for digital signing and one for authentication;
−
Users may disable the electronic functions of the card in case
they have lost it or they have doubts or fears about using these
functions;
−
Users do only need card and card reader for using the system.
Innovativeness:
• Simplicity of the card
(no digital biometrics)
• Simplicity of the
certificates (only
contain name and ID
code)
• Simplicity of its use
(only two functions:
digital signature and
authentication)
• No restrictions in use
since certificates are
universal
• No central aggregation
of loads of user data
• Possibility to disable
the electronic
functions of the card
However, the use of a unique national ID code for identification still
bears some risks for abuse and privacy concerns are present. The
success of such applications is highly dependent on the trust users
have in the system including the legal regulations encompassing also
the control of its use. In addition, as an objective and a possible
killer application of the card is its multifunctional use, in particular in
the private sector, one has to consider whether it is appropriate that
these private sector organisations know the identity of their clients.
GP - Case: eID in Estonia
10-2006, vs 1.0
19
1.4.3
Transferability
Foreign Certificates
DSA regulates the recognition of foreign certificates, stating that in
order for them to be recognized equivalent to those issued by
Estonian CSP-s, they must be either confirmed by a registered CSP,
be explicitly compliant with DSA requirements or covered by an
international agreement.
DigiDoc and OpenXAdES
Estonia launced the OpenXAdES initiative which is, as the name
indicates, an open initiative where anyone is welcome to join.
OpenXAdES is a free software development project aiming at
profiling XAdES (XML Advanced Electronic Signatures), technical
standard
(TS
101
903)
published
by
ETSI
(European
Telecommunication Standards Institute). With digital signatures,
common understanding of the document format is critical as digital
signatures can't be converted. Open XAdES' mission is to
concentrate efforts on developing a common document format and
share implementations supporting this. With DigiDoc, a uniform
platform based on XAdES has been developed which has the
following important features:
−
Can be verified offline without any additional information;
−
Signature can be given to several original documents at the
same time;
−
Protection against format attacks – type of signed document is
also signed;
−
Original document can be in the container or stored separately;
−
Original document can be XML or any binary file (Word, Excel,
PDF, RTF etc);
−
Zero, one or more signatures per container;
−
One validity confirmation per signature.
Transferability:
• Foreign certificates
can be dealt with
when they are
confirmed by a CSP or
are compliant with
DSA requirements
covered by
international
agreement
• Launch of the Open
XAdES Initiative
aiming at commonly
(with other countries)
profiling XAdES which
is a standard
published by ETSI
• Agreement on IOP
between Estonia and
Finland
In
June
2003,
AS
Sertifitseerimiskeskus
and
Finnish
Väestörekisterikeskus (Population Register Centre, PRC) signed an
agreement for improving digital signature interoperability between
the countries, with the goal of making digital documents a reality
within and between Finland and Estonia. Estonia and Finland invite
other parties from other communities to join the project and thus
expand the network of "digital countries".
GP - Case: eID in Estonia
10-2006, vs 1.0
20
1.5
Results
The Government's objective is to reach one million ID cards issued
by 2007. Besides the use of the national ID card, Estonian residents
can also use their Internet banking identification data to access
online public services (more than 70% of Estonian residents use
Internet banking, the highest proportion in Europe).
The most important application for public services, - the e-Citizen
portal – can be used by both cards for authentication purposes. As
internet banking already started in 1995, citizens are more used to it
and tend to login to their bank and then go to the portal. E.g. many
people (65%) declared their tax online with bank codes but not
through the eID card. Hence authentication is currently not the killer
application for eIDs in Estonia though the main purpose of the eID
card is to authenticate its owner.
Benefits:
• Unique identification
throughout public and
private services
• Provision of secure email account and
unique e-mail address
• Possible encryption of
documents
• e-tickets for public
transportation is a big
success as it is used
110,000 times per day
Beside authentication, the card can also be used for secure e-mail.
The idea was to give a lifetime e-mail address to the citizens so the
authentication certificate contains an e-mail address. The e-mail
address provided by the government looks like the perfect
communication channel. Since it works voluntarily, and the citizen
has to login to the citizen portal and register the address, not
everyone does this.
The card can be also used for encryption of documents so that only
the person intended to view the document can decrypt it. This is a
very efficient means for secure transfer of documents using public
networks.
One of the most successful applications is the electronic ID-ticket
which can be used for travel in the public transport of Tallinn, Tartu
and Viimsi as well as in the county of Harjumaa. During year 2005,
passengers using this e-ticket service purchased a total of 975,263
electronic ID-tickets. Today, more than 110,000 persons use the ID
ticket system every day.
Another application is Internet voting piloted in 2005. As the
infrastructure was in place, it was desired to use it via the eID card.
I-voting was based on an envelope scheme. The citizen makes a
choice and the choice is then encrypted with the public key of the
whole system. Many international observers were present at its first
run. However, there were and still are some privacy concerns about
the I-voting and the buying of public transport ticket with the eID
card mentioned above. E.g. even if the personalisation of tickets
actually eliminates the risk of forgery (which is an issue with nonpersonalised paper tickets) the transport company knows the
identity of the person who bought the ticket. The success of these
applications is highly dependant on the trust users have in the
system. Of course one can always travel anonymously by buying a
paper ticket.
GP - Case: eID in Estonia
10-2006, vs 1.0
21
In May 2006, the largest banks and telecoms (SEB Eesti Ühispank,
Hansapank, Elion, EMT) as well as the Ministry of Economic Affairs
and Communications of Estonia signed a co-operation agreement to
launch a nationwide "Computer Protection 2009" initiative, pledging
to invest up to EEK 60 million to increase end-user PC protection and
awareness in Estonia.
The initiative aims at making Estonia a country with the most secure
information society in the world by year 2009. To this end, a number
of sub-projects have been launched, one of the priority fields being
the promotion of ID card-based authentication in the use of eservices. Thus PKI should become the main method of authentication
as well as transaction verification within the three years with a total
of ca 600,000 active users. Parallel to the existing ID card, mobile ID
will be launched by the beginning of 2007 enabling secure
authentication and digital signing using a mobile phone.
GP - Case: eID in Estonia
10-2006, vs 1.0
Future developments:
• Launch of the
nationwide "Computer
Protection 2009"
initiative in order to
making Estonia leader
in secure information
management
22
1.6
Learning points and conclusions
Critical success
factors for IOP:
Many lessons were learned while organising, developing,
implementing, and running eIDs in Estonia and are presented below.
As Estonia is a main driver in the OpenXAdES initiative and eID
adheres to this standard, many lessons can also be stated on a
rather general level which stem from the OpenXAdES group.
Digital signature is universal
Think of your handwritten signature. Whether you sign a paper as a
citizen, the CEO of your company, the head of some non-profit
hobby association or as a bank customer - the scribbling that you
draw on paper and that is called a signature always looks the same,
regardless of your role. Whether you were indeed authorized to sign
the document or did agree to its content or other such questions are
totally different matters, just as in the traditional world. Aim merely
at providing users a way of working with legally binding digital
signatures.
Document must be self-contained
No additional validation services should be needed for verification
after the signature has been created and saved. Documents should
contain the digital signature, original signed data and all other data
necessary for document verification. Using the data in the document
file, it is possible to firmly establish whether the digital signatures
are valid (whether the certificates were valid at the time of signing
etc).
Legislation is important
Since we are talking about legally binding signature, legal framework
for digital signatures is critical. Different countries have different
digital signature regulations and you should provide solutions which
are as flexible and universal as possible. OpenXAdES is such a
solution which fully complies with the Estonian digital signature
regulation, as well as the EU directive 1999/93/EC, regulating the
general use of digital signatures within the EU. There is also a
chance that OpenXAdES is already compliant also with the regulation
in your country.
• Aim merely at
providing users a way
of working with legally
binding digital
signatures
• Document must be
self-contained - no
additional validation
services should be
needed after the
signature has been
created
• The use of legally
binding signatures
requires a valuable
legal framework
• As different countries
have different legal
frameworks, provide
flexible and universal
solutions to be
connective with these
countries
Additionally, when talking about legislation, we cannot only
concentrate on strictly digital signature and PKI-related acts:
whether you can use digital signatures or not depends also on the
legislation of other generic areas of life, e.g. administrative
procedure, civil relations, court proceedings etc. A number of
European countries are at a disadvantage in this respect: although
digital signature law is in place, other laws foresee that documents
can only be used on paper. Estonia is in a good position because
many of the country's laws have recently been passed or updated to
GP - Case: eID in Estonia
10-2006, vs 1.0
23
reflect the vision described above: digital documents and paper
documents should be used interchangeably in everyday life in private
and business relations and should be considered equivalent in all
respects.
PKI hype is over, business value is important
It is no more the year 2000 where technology opened all the doors
(and buzzwords guaranteed immediate funding). Set the focus on
added business value to organizations and end users. This may
sound painful to some PKI enthusiasts: many PKI projects carried
out so far do not justify the costs made and do not add significant
value to anybody. Avoid this pitfall by trying to be as simple as barebones as possible, while adding considerable value to any business
process which uses legal documents. This ensures hat the business
requirements would take precedence and that the most appropriate
technology would be used to implement them.
Open standards and trust are critical for user confidence and
interoperability
Digital signatures and the whole PKI is based on trust and confidence
- implementers and end users need to be aware of what actions
cause what outcomes in the system, and that the system is really
doing what it claims to be doing. Open source and free software,
based on public standards enable that anyone can examine the
project and document internals if necessary. E.g. do not use any
heavyweight and cutting-edge time-stamping protocol for signature
timing and validation - instead, use lightweight and proven
standards such as OCSP.
Our main competitor is pen and paper
Remember that we are talking about giving signatures to
documents. This has been done the same way for many hundreds
and thousands of years. Telling people that it can also be done
differently is a very complex task and you are facing fierce
competition from traditional signing tools, pen and paper. If you
cannot explain the benefits of the new method to people and
organizations and do not credibly demonstrate that it is more cost
effective to them, you will fail and people will continue using paper
documents.
PKI business model must be based on certificates and
corporate services, not end-user services and transactions
This is a direct consequence of the above point: Understanding and
accepting the new system is already hard enough for people. If you
want to charge them lots for using the digital signature, they won't
ever use it. A place where persons can be charged is issuing a
certificate for them, but after that, it should be free, both the
services and the software.
GP - Case: eID in Estonia
10-2006, vs 1.0
Critical success
factors for IOP:
• Business requirements
should be the driver
not the most
sophisticated PKI
solution
• Base your project on
open standards to
enable trust in the
system
• Use open standards to
be prepared for
interoperability
• Demonstrate the
additional benefit by
using the new solution
in contrast to the
traditional way
• Base your business
model on certificates
and corporate services
in stead of end-user
services and
transactions
24
Critical success
factors for IOP:
Capitalize on already existing IT investment
Much of the infrastructure that is necessary for using digital
signatures is most often already in place. Most people and
businesses have access to PC-s and the Internet. Countries and
communities are starting to distribute universal national or regional
ID cards. Having an ID card and access to smartcard-reader
equipped PC should be the only thing a person needs for using the
digital signature.
The costs to businesses and end users should be limited
We do not need to construct complex expensive PKIs for each
different service: single PKIs, perhaps even on a national scale such
as in Estonia, are suitable for all purposes.
People should be able to understand digital signatures
Complexity has been the key inhibitor in successfully providing PKI
services to end users, and much of that complexity is due to the fact
that current services and products have been specific to one service
or organization only. People have to learn new approaches and new
interfaces for each communication pattern, and it is very frustrating.
Having a single certificate and PIN code for all digital signature
purposes is all that a person needs, and people can also understand
this, exactly as they can understand using ATM cards and mobile
phones.
Single tokens are more secure
When people have only a single token to look after, they know they
have to be very careful with it. If a single card carries the
authentication and digital signature functions such as in Estonia,
security-critical functions can be easily established and maintained,
such as a round-the-clock helpdesk for suspending card and
certificate validity in case of loss or theft. Problems associated with
outdated or insecure passwords are eliminated, as smartcard- and
certificate-based authentication gains momentum.
GP - Case: eID in Estonia
10-2006, vs 1.0
• Capitalize on already
existing IT
investments in to
protect investments
also on user side
• One unique PKI
system for all public
services would be
more beneficial than
having one for each
service
• Provide easy to
understand services in
order to drive their
dissemination
• Provide single tokens
as they are more
secure than having
different solutions
25
1.7
References and links
All URL's worked out on the last visit on 04.09.2006:
The Estonian ID card project information, including the newest version of their Whitepaper, is
available online at http://www.id.ee. Contact at [email protected].
Important papers which also build the basis of this case study are:
Cybertrust 2005: Managing Digital Identities and Signatures through Public/Private Partnership
(http://www.cybertrust.com/media/case_studies/cybertrust_cs_easton.pdf)
The Estonian ID Card and Digital Signature Concept. Principles and Solutions. Whitepaper.
Version: June 5, 2003 (http://www.id.ee/file.php?id=122)
Acts:
Digital Signature Act: http://www.esis.ee/ist2004/101.html or PDF:
(http://www.esis.ee/legislation/digital_signatures_act.pdf#search=%22digital%20signature%20ac
t%20estonia%22)
Personal Data Protection Act: http://www.esis.ee/ist2004/103.html
Further useful references and websites:
−
AS Sertifitseerimiskeskus: http://www.sk.ee
−
DigiDoc
Format
Specification.
Version
1.3.0,
12.05.2004
(http://www.id.ee/file.php?id=342#search=%22digiDoc%20format%20specification%22)
−
Modinis IDM 2006: National profile for eGovernment IDM initiatives in Estonia. In: D 3.5: IDM
Initiatives
Report.
(Estonian
example:
https://www.cosic.esat.kuleuven.be/modinisidm/twiki/bin/view.cgi/Main/EstonianProfile)
−
OpenXAdES group: http://www.openxades.org
−
Web Portal to generate and verify digital signatures: http://digidoc.sk.ee
−
E-Citizen Portal: http://www.eesti.ee
GP - Case: eID in Estonia
10-2006, vs 1.0
26
Annex 1: Assessment Questionnaire for the MODINIS Case
Descriptions
In order to ensure the case descriptions meet the information needs of stakeholders in
interoperability at the local and regional level, we ask you to complete this short assessment
questionnaire. Your feedback will be used to improve the next version of the present case and will
also be taken into consideration when writing up more cases to be described in the course of the
project.
Case being reviewed:……………………………………………………………………………………………………………………….…
1.) Information content
a) Completeness of description
1
5
|-----------|-----------|-----------|-----------|
only few
all
relevant
relevant
aspects
aspects
b) Detail of description
1
3
5
3
1
|-----------|-----------|-----------|-----------|
too
right
too many
general
level
details
2.) Length of description
1
3
5
3
1
|-----------|-----------|-----------|-----------|
too
right
too
short
length
long
3.) Structure / headings
1
5
|-----------|-----------|-----------|-----------|
unclear
clear
GP - Case: eID in Estonia
10-2006, vs 1.0
27
4.) Margins
1
3
5
|----------------------|-------------------- --|
misleading
not necessary
good
orientation
5.) Learning potential
1
5
|-----------|-----------|-----------|-----------|
none at all
many new insights
6.) Usefulness for your own work
1
5
|-----------|-----------|-----------|-----------|
not at all
very much
7.) Transferability of case to your country
1
5
|-----------|-----------|-----------|-----------|
not at all
very high
8.) Will you get into contact with the contact person?
1
5
|-----------|-----------|-----------|-----------|
certainly
for sure
not
Comments
______________________________________________________________________________
______________________________________________________________________________
Your affiliation
local/regional
government
GP - Case: eID in Estonia
national
government
IT
business
10-2006, vs 1.0
academia
28
Prepared by:
Ralf Cimander and Herbert Kubicek
Institut für Informationsmanagement Bremen GmbH (ifib)
Am Fallturm 1, D-28359 Bremen, Germany
www.ifib.de
Tel.: (+49 421) 218 26 74, Fax: (+49 421) 218 48 94, email: [email protected]
http://www.ifib.de/egov-interoperability
European Institute of Public Administration (EIPA)
Center for Research and Technology Hellas / Institute of Informatics and Telematics
(CERTH/ITI)
Prepared for:
European Commission
Information Society and Media Directorate-General
eGovernment Unit
Tel
Fax
(32-2) 299 02 45
(32-2) 299 41 14
E-mail
[email protected]
Website europa.eu.int/egovernment_research
GOVERNMENT OFFICE Estonia’s Open Government Partnership Action Plan: Self-­‐Assessment Report Tallinn 2013 TABLE OF CONTENTS
1. Introduction ......................................................................................................................... 3
2. The preparation process of Estonia’s action plan ............................................................... 4
3. Implementing the action plan.............................................................................................. 6
4. Summary ........................................................................................................................... 24
Appendix 1. Open government round table: People’s Assembly in Estonia – crowd-sourcing
solutions for complex problems ............................................................................................... 26
Appendix 2. An open governance partnership case study from Estonia – the development of
the government portal eesti.ee .................................................................................................. 27
2 1. INTRODUCTION
The Estonian experience proves it: a modern successful state means freedom of speech and
press, the supremacy of law, eliminating corruption, the involvement of citizens - everything
without which democracy and the rule of law would be unthinkable.
Toomas Hendrik Ilves, the President of Estonia
Estonia has been an official participant in the Open Government Partnership1 since April
2012, joining the initiative in its first group of expansion after the first eight founding
countries. Becoming a member of the Open Government Partnership was initiated and
coordinated by the Ministry of Foreign Affairs.
For Estonia, the main goal when joining the Open Government Partnership was to draw
the attention of the government and the entire society to the quality of state governance,
learn from the experience of other countries and share Estonia's experience with other
countries in the Partnership.
Each country in the Partnership follows an action plan that has been prepared in accordance
with the goals and principles of the Open Government Partnership. In Estonia’s action plan
for participation in the Open Government Partnership the activities of the government
were focused on two of the key areas of the Partnership – the development of public
services and addressing public official ethics2. The goals and activities in the Action
Programme of the Government of the Republic 2011-2015 were taken into account as well as
those in national development strategies. The implementation of the action plan will be
evaluated annually and the plan will be amended as deemed necessary.
Estonia's action plan was prepared by the Government Office, which is the institution in
charge of coordinating the implementation of the Action Programme of the government. The
goals and activities in the action plan were consulted and coordinated with the civil society
organisations in the Open Government Round Table3 network who represent the third sector,
as well as with the ministries contributing to the implementation of the action plan. The draft
action plan also went through a round of public consultation via Estonia’s public engagement
website osale.ee.
The key areas of the action plan were identified on the basis of the realisation that the
principles of open government can be implemented in Estonia in the most effective way
if these two – the development of public services and addressing public official ethics –
will be focused on. This does not imply that the principles of open government in other key
1
See the overview of the Open Government Partnership at http://www.opengovpartnership.org/.
Descriptions of all key areas can be found at http://www.opengovpartnership.org/.
3
http://www.avatudvalitsemine.ee (in Estonian),
http://translate.google.com/translate?sl=et&tl=en&js=n&prev=_t&hl=en&ie=UTF8&u=www.avatudvalitsemine.ee (in English via Google Translate)
2
3 areas are less important – it is the aim of the government to implement them all throughout
the government sector.
The development of public services is one of the central goals of the government in the
coming years. Three main fields of activity have been identified, one of them being the
development of public e-services with the aim of improving their user-friendliness and
accessibility, and increasing their security level. The second field of activity is granting free
use of public sector data with the aim of developing new applications, increasing the
transparency of governance and creating new business opportunities for companies. The third
important field of activity is a more open and predictable policy-making process, the aim
being to increase the role of civil society organisations in the government policy formation
and enhancing the dialogue between the government and citizens.
Upon addressing public official ethics, the government will focus on preventing corruption
and conflicts of interest among politicians and officials. In 2012, Estonia ranked 32nd in the
Corruption Perceptions Index of Transparency International. The fact that Estonia's rank has
not improved significantly in the last few years is a motivator for efforts in this key area. The
government’s goal is to achieve a situation whereby citizens actually find that corruption has
decreased in Estonia.
The present self-assessment report has been prepared by the Government Office about the
first implementation year of the action plan. The guidelines from the Open Government
Partnership and the Good Engagement Code of Practice4 have been followed in the process.
The report will be supplemented by an independent evaluation from experts.
The implementation of the Open Government Partnership principles is a journey. We have
much to be proud of, but we also have enough things to be critical about and to improve in the
future. Last year has enabled us to take some significant steps in this journey. In addition to
progress in the planned activities, this period is characterised by a strong increase in the
activity of citizens and in the expectations for a more open government. The People's
Assembly5 is a landmark event of 2012, presented also to the Bright Spot competition of the
Open Government Partnership by the Estonian Open Government Round Table, and gaining a
chance to share the experience at the Open Government Partnership Annual Summit in
London on 31 October 2013.
2. THE PREPARATION PROCESS OF ESTONIA'S ACTION PLAN
The preparation of Estonia's action plan for participating in the Open Government
Partnership started in January 2012. Coordinated by the Ministry of Foreign Affairs,
preliminary consultations concerning the activities and conditions of Estonia’s joining the
Partnership had been held beforehand with the representatives of civil society organisations
and the Steering Committee of the Open Government Partnership. Also, Estonian
4
5
http://valitsus.ee/en/government/engagement-practices
An overview of the People's Assembly can be found in Appendix 1.
4 representatives from the Government Office and the Ministry of Foreign Affairs had
participated in the international Open Government Partnership conference in Brazil on 7-8
December 2011, giving the overview of Estonia's plans in preparing the Action Plan related to
the goals of Open Government Partnership.
By mid-January 2012, a draft action plan had been prepared by the Government Office
and it was introduced to the Open Government Round Table, which comprises the
representatives of Estonia's civil society organisations. The representatives of the round table
presented their comments and proposals to the draft action plan by 31 January 2012. The
same time frame applied for collecting input from the ministries.
After incorporating the feedback from the Open Government Round Table and the ministries,
a new draft of the action plan was again presented to the Open Government Round Table for
input on 15 February 2012. Improved by the new proposals made by the Round Table, the
updated draft was then presented to the Round Table for another round of consultation on 28
February. Taking into account the proposals that had been submitted by 5 March, the
Government Office prepared an amended action plan draft that was presented for public
consultation for a two-week period.
Public consultation was held on 13-28 March 2012 on the public engagement website
osale.ee. The general public was informed of this process and its schedule through the media.
The opinions obtained in the course of public consultation together with the feedback from
the Government Office were published on the engagement website6.
In parallel with the public consultation, the activities in the action plan were coordinated with
the appropriate ministries. The action plan was completed by late March 2012 and it was
made publicly available in both Estonian and English7.
During the whole process of the action plan preparation, interested civil society
organisations were actively engaged through the Open Government Round Table, which
is a network open for everyone who would like to have a say in implementing the
principles of open government. The Round Table was established in autumn 2011 so that
the third sector could be a strong partner for the government in the Open Government
Partnership activities. The Round Table served as a contact point, collecting the proposals of
the citizens and acted as a dialogue partner. A representative of the government was present at
the meetings of the Round Table.
6
The documents are available at https://www.osale.ee/konsultatsioonid/index.php?page=consults&id=210 (in
Estonian).
7
https://valitsus.ee/UserFiles/valitsus/et/uudised/istungid/istungitepaevakorrad/AVP%20Eesti%20tegevuskava.pdf (in Estonian),
http://www.opengovpartnership.org/country/estonia/action-plan (in English).
5 3. IMPLEMENTING THE ACTION PLAN
In the first implementation period, the main focus was on two key areas of the Open
Government Partnership: the development of public services and addressing public
official ethics. A total of 15 activities were planned, which were divided into four fields of
activity: the development of public e-services; granting public use of the state’s information
assets; greater openness and predictability of policymaking; and, avoiding corruption and
conflicts of interest. The first three fields of activity contribute to the development of public
services, while the fourth is for addressing public official ethics. The activities are coordinated
by the Ministry of Justice, the Ministry of Economic Affairs and Communications, the
Ministry of Finance, the Ministry of the Interior and the Government Office.
During the report period, 9 activities were fully implemented, i.e. 75% of all activities
initially planned for this period, and 60% of all activities of the action plan. At present, 6
activities are being implemented; of those, 3 are being implemented according to the initial
schedule, while in the case of the other 3 the schedule has been updated. All planned activities
continue to be topical and meaningful, including the fully implemented activities – further
activities have been initiated.
Starting from next page, more detailed information is presented about each activity across key
areas and fields of activity, following the structure of the action plan. An overview of the
activities’ implementation statuses has been added to the structure.
6 The Structure of Estonia's Action Plan in Participating in the Open Government
Partnership
Key Area 1: Development of public services
Field of Activity A: Development of public e-services
Activity 1: Drawing up a green paper on organisation
of public services
Activity 2: Implementation of the eesti.ee action plan
Field of Activity B: Granting the public use of state
information assets
Activity 1: Drawing up a green paper on making
public data available in a machinereadable form
Activity 2: Creating a repository of public data
Activity 3: Launching pilot projects of public data
services based on the cloud technology
Field of Activity C: Greater openness and predictability of
policymaking
Activity 1: Interactive guidelines and training for
implementing the Good Practice of Public
Engagement
Activity 2: Launch of the impact assessment system
Activity 3: Overview of ministries’ work processes
Activity 4: Integration of impact assessment into the
process of public engagement
Fully implemented
In process, updated
schedule
In process, updated
schedule
Fully implemented
Fully implemented
In process, updated
schedule
Fully implemented
In process according to
the schedule
In process according to
the schedule
Key Area 2: Addressing public official ethics
Field of Activity: Prevention of corruption and conflicts
of interest
Activity 1: Creation of a database of declarations of
economic interests
Activity 2: Adjustment of the system of funding nonprofit organisations and establishment of a
disclosure system
Activity 3: Preparing the proposal for drawing up anticorruption strategy
Activity 4: Draft Anti-corruption Act
Activity 5: Establishment of the Public Ethics Council
Activity 6: Organisation of ethics training for
employees of various public sector
organisations (incl. public servants)
7 In process according to
the schedule
Fully implemented
Fully implemented
Fully implemented
Fully implemented
Fully implemented
Key Area 1: Development of public e-services
Field of Activity A: Development of public e-services
Activity 1: Drawing up a green paper on organisation of public services
Status: Fully implemented.
Purpose: Analysis of problems relating to the organisation of public services,
suggestion of possible solutions, setting the focus of development of
services and drawing up and discussing the further action plans for
resolution of main issues relating to the organisation of public services.
In charge: Ministry of Economic Affairs and Communications
Deadline: 2012
Expected result: The green paper on the organisation of public services has been drawn up
and prerequisites for drawing up the Action Plan for the resolution of
problems relating to the organisation of public services have been created.
Contents and By drawing up the green paper on the organisation of public services
schedule: (henceforth: GPOPS), the following was achieved:
• the concept of public services was verbalised,
• the problems of citizens and entrepreneurs utilising public services
and those of the state and local governments providing them were
gathered in a generalised form,
• possible solutions to the problems were presented,
• the measures for solutions were identified,
• the basic principles for developing the services in the future were set.
The first draft of the GPOPS was presented to almost 80 institutions and
interest groups for discussion in May 2012, and it was also discussed at
various round tables. After incorporating the input from the discussions, a
new version of the document was made public in the Draft Information
System and the public engagement website osale.ee in September 2012.
This version was also separately introduced to the Open Government
Round Table. The draft was improved based on the feedback received
from the consultation and various meetings.
At the same time, officials in charge of preparing the green paper were
also starting pilot projects developing the basic services in a new way
(e.g. the project of business processes analysis within the governing area
of the Ministry of Social Affairs) in order to test future development
directions and, based on that experience, to improve the content of the
GPOPS with good practices.
The government approved the GPOPS on 16 May 2013 and the GPOPS is
publicly available8.
Results and The goals were achieved: a common approach to the present situation was
impact: agreed upon together with the possible solutions and the preparation of a
further action plan. The focus for developing the services in the future was
set.
Additional Further pilot projects have grown out of the GPOPS preparation process,
8
http://www.mkm.ee/avalike-teenuste-roheline-raamat (in Estonian)
8 expected results
and plans for
their
implementation:
Risks:
Challenges:
Lessons
learned:
e.g. services’ redesign in the Estonian Road Administration. The solutions
identified in the GPOPS will be implemented in 2014-2015 in the
framework of the programme “Improvement of the Quality of Public
Services”, which is financed by EU structural means.
GPOPS is also direct input to the Estonian Information Society
Development Plan 2014-2020, which will form the basis for the
development of public e-services and e-state in general in the coming
years.
Implementation of the planned solutions: administrative capability and the
availability of sufficient resources.
Because of the complexity and the scope of the topic and the whole
subject area, there were many of the stakeholders with whom numerous
agreements had to be reached in substantial matters. This took longer than
expected as there was a need for more discussion and consultation on the
drafts.
• It is a good idea to start practical pilot projects in tandem with the
theoretical planning of policy: this is a source of valuable experience
that can be extended and passed on as a part of policy
recommendations.
• When dealing with complex topics, time should be allowed for
discussing and agreeing on basic principles even if this means not
meeting the activity deadline – the end result will be more solid.
• If the subject is too large initially (e.g. the development of public
services), it should be focused and narrowed down as necessary (e.g.
to a part of public services – in the case of GPOPS, the focus was set
on transactional services), so that the work could start from
somewhere instead of endless discussions with no action and no real
results.
Back to Action Plan structure
Activity 2: Implementation of the eesti.ee action plan9
Status: In process according to an updated schedule.
Purpose: The purpose is to improve the functionality and user friendliness of the
eesti.ee portal.
In charge: Ministry of Economic Affairs and Communications
Deadline: 2012
Expected result: a) By the end of 2012 Estonia’s information gateway eesti.ee will be a
secure, fast, high-quality and user view-oriented public sector service
and information portal that offers the citizen updated and relevant
public sector information and public services.
b) Eesti.ee is the common point of contact for Estonian and European
entrepreneurs / citizens in Estonia where one can get information
about services available to them and use services involving simpler
information obligations.
c) Eesti.ee is ready to render authenticated electronic services to
entrepreneurs / citizens of 11 EU Member States and allow
9
The story of development of the eesti.ee portal has been submitted as an inspiring example of Open
Government Partnership. See Appendix 3.
9 entrepreneurs / citizens of 9 EU Member States also to sign
documents in addition to authentication.
d) Eesti.ee is the main channel through which the citizen can subscribe to
notifications to be sent to their e-mail and mobile phone.
Contents and The main projects completed so far:
schedule: • In August 2013, a new "My Things" view was opened at eesti.ee that
lets the user see information and services relevant to her/him
specifically when entering the portal, i.e. eesti.ee has become more
personal;
• The notification module has been developed further and notification
services have been added (e.g. notification about the expiry of a driver's
license);
• Citizens / entrepreneurs of 11 EU member states can log in to eesti.ee
with their eID – the required interfaces have been developed.
Results and
impact:
Additional
expected results
and plans for
their
implementation:
Risks:
Challenges:
Lessons
learned:
Additionally, a widespread eesti.ee campaign was carried out in 2012 to
increase the number of people using the portal and to better acquaint the
present users of eesti.ee with its features.
The number of users of eesti.ee has grown. A more significant orientation
of eesti.ee on the user view has been achieved which is expected to make
the portal much easier to use. The entrepreneurs / citizens of 11 foreign
countries can be authenticated and use Estonian e-services.
The goal for the first half of 2014 is to finish the major developments that
have been planned so far. The following developments are under way:
• The development of the mobile version of eesti.ee (work in process, the
aim is to come up with at least a beta version by the end of 2013 – for
increasing the usage, which will be a result of increased ease of access
due to the possibility of using the portal on mobile devices);
• Adding notification services in cooperation with various institutions,
and informing users of this service;
• Expanding entrepreneur-orientated functionality.
With these developments and marketing activities carried out in 2014 and
beyond, additional results are expected to be achieved, including
becoming the common contact point for entrepreneurs and achieving an
increase in the number of users of notification services.
Delays and growing expenses of IT development. Low user awareness of
the features offered by eesti.ee.
• Determining the owners of services: eesti.ee is only a channel where
the owners of various services from various institutions can offer their
services. Today, the owners of services in institutions (responsible
officials) have often not been determined, which causes deficiencies in
the development and the quality of the services (e.g. not all individual
services within eesti.ee are easy to use).
• Finding the resources required for development – this, together with
procurement procedures, is the reason for not meeting activity
deadlines; the solution was found in redirecting the means within IT
investment measures.
In order to achieve the expected results, not only the development should
be concentrated upon, but also the “recruitment” of new users and
10 informing the existing users of the new services. It is very important to
ask users for feedback as this helps the development of better solutions
and services, e.g. the personal view of eesti.ee "My Things" was
significantly improved as a result of direct feedback received from test
users.
Back to Action Plan structure
Field of Activity B. Granting the public use of state information assets
Activity 1: Drawing up a green paper on making public data available in machinereadable form
Status: In process according to an updated schedule.
Purpose: The goal is to map the starting position and possibilities of making
Estonia’s public data available in machine-readable form and to develop
and discuss with stakeholders the conceptual solution of proceeding with
making public data available in Estonia.
In charge: Ministry of Economic Affairs and Communications
Deadline: 2012
Expected result: The green paper on making public data available in machine-readable
form has been drawn up and specific activities for making public data
accessible have been developed.
Contents and In December 2012 a partial draft of the green paper was prepared on the
schedule: basis of existing research and initial discussions; the draft mostly
contained guidelines for state institutions on starting the process of
making data publicly available.
Additional
expected results
and plans for
their
implementation:
After that, the scope was widened from being just the green paper: in
2012 a draft for changing the Public Information Act was started. The
main aim of it was to adopt the provisions of the EU Directive about the
re-use of public sector information, as there was a threat of infringement
proceedings being started against Estonia. With the same draft, the
government also proposed making data publicly available in machinereadable form. The law was passed in the Parliament on 5 December
2012, setting the deadline for data making the data publicly available by 1
January 2015.
The work on the preparation of the green paper will continue in 2013 so
that its contents will be in accordance with the law: the paper should
support the implementation of Public Information Act with the relevant
workflow organisation and recommended actions. The aim is to present
the green paper to the government in early 2014.
The green paper should offer the conceptual solution for moving forward
with making public data available in Estonia, including the fulfilment of
the obligation to make all databases freely available by 1 January 2015 –
the solution that was initially sought after.
Risks: Continued lack of administrative capability, i.e. delays in recruiting new
specialists.
Challenges: • Reaching agreements on the best policy steps – the idea that open data
is necessary and valuable is not shared within all state institutions:
there is a need to increase awareness and allow time for discussions.
11 • The completion of the activity has been somewhat delayed by the
departure of specialists who were leading this topic in the Ministry of
Economic Affairs and Communications.
Lessons The movement towards open data is not accepted by default: economic
learned: approach or some priority-grounded approach is needed, as various
administrators of databases have opposed interests on the basis of
practices deployed so far (e.g. requiring a fee for making data available).
Back to Action Plan structure
Activity 2: Creating a repository of public data
Status: Fully implemented.
Purpose: To create a single window for citizens and entrepreneurs to access public
machine-readable data.
In charge: Ministry of Economic Affairs and Communications
Deadline: 2012
Expected result: A single window for accessing public data in machine-readable form has
been created and it also works as a channel for exchanging information
and allowing citizens and entrepreneurs to make proposals for opening
new data or developing new services.
Contents and As a first step in encouraging access to public data in machine-readable
schedule: form, a common window, the web-based repository opendata.riik.ee was
opened in January 2012 in cooperation between the Ministry of Economic
Affairs and Communications and the researchers of Tallinn University of
Technology. This is a beta version that has all the basic functionalities for
making the data available.
Results and To date, five data collections have been referenced and shared through the
impact: repository, including data that was shared in pilot projects. In addition to
the repository, the website also includes guidelines for making databases
available in machine-readable form, entrepreneurs and citizens can make
proposals, the initial applications that have been created on the basis of
open data are referenced and a forum is open for users. This has created
the basic functionality for easy access via a common web window to open
data and also to the applications that have been developed based on it.
Additional Growth in the number of users of the repository and securing the addition
expected results of available databases. For 2014, a renewal of the repository is also
and plans for considered – for making it more user-friendly (including the design of a
their new user interface).
implementation:
Risks: • The solution is not user-friendly enough, i.e. it is not easy to use and it
is not visually attractive.
• The sharers of data and potential users will not reach the repository, i.e.
the solution will not become a comprehensive repository.
Challenges: Creating a solution that is as simple as possible, so that adding and finding
datasets would be as convenient as possible. Researchers’ help was used
for this, following best practices and examples from other countries.
Lessons Putting up beta versions of technical solutions is a good idea; this will
learned: allow their gradual development, and not remaining waiting for major
(political) steps which may take time.
Back to Action Plan structure
12 Activity 3: Launching pilot projects of public data services based on the cloud
technology
Status: Fully implemented.
Purpose: To lower the barriers of access to public data as much as possible using
new technologies and launch specific pilot projects.
In charge: Ministry of Economic Affairs and Communications
Deadline: 2012
Expected result: Specific services based on public data have been launched as pilot projects
– the monitoring of navigation marks, planning public transport routes
and an innovative query system of the construction works register being
first in line.
Contents and Four pilot projects were started in 2011 to try out different solutions for
schedule: opening the data and making it publicly available, and for trying out
different technical solutions for developing the services on their basis (e.g.
data formats, cloud solutions, etc.).
The pilot projects included the following data:
• Public transport routes,
• Database of the construction works register,
• Financial data of local governments,
• Markings of water routes and ports.
Results and
impact:
Risks:
Challenges:
Lessons
learned:
All four pilot projects were completed in 2012, reaching the stage of
publication of data and starting services. Most attention was attracted by
the publication of local governments' financial data in September 2012 in
cooperation with the telecom company Elion. In the course of the project,
the website www.riigipilv.ee was launched as well as the application LEO
(Läbipaistev Eesti Omavalitsus - Transparent Estonian Local
Government) based on it, which offers substantial visual overview of the
financial status of various local governments, including their expenses.
All four pilot projects were launched. They have been the expected source
of knowledge and experience regarding barriers (incl. legal and technical)
that hinder the process of making public data accessible, as well as
solutions (incl. formats, organisational structure, etc.). This knowledge
will be used in the future when preparing the green paper of making
public data accessible in a machine-readable form, notably when
developing guidelines and policy actions.
Unsustainability of services born as pilot projects, i.e. not finding
resources for maintaining them.
Certain experiments had to be made in the case of each pilot project, and a
learning curve was gone through, as these were innovative initiatives in
Estonia. It took somewhat longer than expected.
• It may be necessary to change legal acts regulating data collections to
facilitate the process of making public data accessible in required
volumes and ways.
• The awareness of data collection administrators needs to be increased
as well as the capability to move towards open data.
• As demonstrated by the publication of the financial data of local
governments, which was met with significant public interest, there may
still not be a sustainable business model behind the publication of data
13 of interest. Therefore, the state will have to finance the publication of
important data, at least in the initial stage of the project.
Back to Action Plan structure
Field of Activity C. Greater openness and predictability of policymaking
Activity 1: Interactive guidelines and training for implementing the Good Practice of
Public Engagement
Status: In process according to an updated schedule.
Purpose: Smooth implementation of the Good Practice of Public Engagement
approved by the Government of the Republic in 2011.
In charge: Government Office
Deadline: 2012
Expected result: Online guidelines on the use of the document of Good Practice of Public
Engagement have been drawn up and relevant training has been carried
out.
Contents and The purpose of the trainings is to give officials practical experience for
schedule: increasing participation in their institution.
Results and
impact:
The trainings started in March 2013. There is a plan to train 300 officials.
By May 2013, the number of people who had passed the training was 115.
It is too early to assess the impact of this measure, but the trainings on
public engagement have been met with enthusiasm. The number of
targeted participants for the training is approximately 15% of the whole
workforce of the ministries.
The engagement handbook is being updated and will be ready by early
October 2013. The preparation of interactive guidelines has been delayed
because of the delays in preparing the handbook.
Additional
expected results
and plans for
their
implementation: A new website of the government will be launched in November 2013,
which entails the unification of the content of the webpages of ministries.
In the course of that, engagement will become one of the 5 main menu
topics, so that information about engagement possibilities will be more
accessible.
Risks:
Challenges:
Lessons
learned:
For the evaluation of the state of public engagement, a survey is planned
for 2014 and a thorough overview of engagement will be based on that
survey.
The number of officials going through the trainings is not sufficient for
the critical effect; the time frame for them to obtain the necessary skills
and get acquainted with the system is too short.
Lack of suitable trainers hinders organising training courses in the
required volumes.
The need for training is greater and sometimes more specific than planned
initially. The readiness to react quickly and flexibly to arisen needs is
required. Therefore, trainings have also been carried out by officials of the
Government Office instead of relying on outsourced trainings only.
Back to Action Plan structure
14 Activity 2: Launch of the impact assessment system
Status: Fully implemented.
Purpose: To initiate the impact assessment co-financing programme which supports
the application of the impact assessment methodology (as part of the
Smart Decisions Fund) – through which the assessment of the impact of
strategies, legislation and Estonia's positions in the European Union.
In charge: Government Office
Deadline: 2012
Expected result: Impact assessment of the major effect of strategies, EU positions and
legislation is carried out.
Contents and Starting from 2013, an initial impact analysis is required for all EU
schedule: matters, for subject area development programmes as well as for 50% of
legislation drafts and drafts of secondary legislation based on them.
Results and To date, the system has kicked off more actively with EU-related matters,
impact: less with the strategy documents and legislation drafts. Initial impact
assessments are carried out in all EU-related matters every week, which is
also where the initial (best) practice is being developed.
The understanding of the necessity of impact assessment has increased
among officials and initial skills to implement it are developing.
Assessment of the functioning of the impact assessment system is planned
for 2015.
In recent years, the government has approved the need to perform a more
thorough impact analysis in most important policy matters; the analyses
are partially funded from central funds. Financing decisions have been
made in four cases so far, and there is the experience with all three kinds
of impact analysis (EU-related matters, strategy documents, draft
legislation).
Additional In 2014, the system will be implemented in full, which means that no
expected results important legislation draft can be passed to the government for discussion
and plans for unless impact analysis has been performed.
their
implementation: Government regulations will also be added to the list of things for which
impact assessment is required, and the impact assessment requirements
will apply 100% to the preparation of legislation and drafts of secondary
legislation.
Risks: The main risk is the chance that impact assessment will devalue, i.e. that
too little added value is seen in impact assessment compared to the
relatively large volume of work it requires.
Challenges: • The need for training is remarkable and it is difficult to supply it
quickly. There are still many officials who are not acquainted with the
requirement of impact assessment.
• Change in the organisation of work in ministries so that the capability
of analysis would increase considerably (e.g. collaboration between
policy departments and analysis units, increase in analytic skills etc.).
• Change of culture in the public sector towards more open public
discussion and analysis of impact.
Lessons The need for training and dissemination of information is significant in
15 learned: the starting phase of the system; satisfying this need should have begun
earlier and the readiness to provide support should have been bigger
(including initial feedback, e.g. in the form of good practices, guidelines
and examples for working with templates etc.).
Back to Action Plan structure
Activity 3: Overview of ministries’ work processes
Status: In process according to the schedule.
Purpose: Smooth implementation of the Good Practice of Public Engagement
approved by the government in 2011.
In charge: Government Office
Deadline: 2014
Expected result: The legislative drafting process of the ministries can be monitored at an
earlier stage and at a larger scale.
Contents and The minimum requirement: making sure public e-consultation of the
schedule: drafts is always carried out in cases where it is required.
Through the public engagement contact persons inside ministries and
through trainings10, the message that the requirements of The Good
Practice of Public Engagement must be fulfilled has been constantly
promoted. This will continue to be the case in the coming period.
Results and In 2013 in the ministries’ public engagement related self-assessment it
impact: became clear that in general the ministries have become used to planning
public engagement consciously in case of the drafts that presume or
require it – it is considered, who, why and when should be involved. This
proves that participation has become more systematic. As a rule, clear
objectives are set in the course of public engagement planning, but it is
rather rare that the required public engagement plan is prepared.
The Government Office is ready to start stopping drafts and not passing
them on to the Government of the Republic if the public engagement
requirement has not been fulfilled.
There is a plan to discuss with the ministries’ public engagement contact
persons about how the effective practices of public engagement could be
transferred to other ministries as well. It is also a question how to have
more homogeneous public engagement practices within ministries.
Additional
expected results
and plans for
their
implementation:
Risks: Top-level administration will not see the need to reorganise work and to
change the work planning processes towards being more open.
Challenges: Raising the awareness among stakeholders outside the public sector about
the benefits of a more open planning process.
Lessons More time should be planned for carrying out major changes and change
learned: agents found from inside as well as outside of the public sector.
Back to Action Plan structure
Activity 4: Integration of impact assessment into the process of public engagement
Status: In process according to the schedule.
10
More information can be found on public engagement trainings at Key Area 1, Field of Activity C, Activity 1:
Interactive guidelines and training for implementing the Good Practice of Public Engagement.
16 Purpose: To integrate public engagement and the impact assessment methodology
that was approved by the government in 2012.
In charge: Government Office
Deadline: 2014
Expected result: Through impact assessment, the society and the stakeholders have better
opportunities to assess whether the decisions of the government are
reasoned.
Contents and Impact analysis reports have become a part of public consultation
schedule: materials. At the same time as there are practically no reports to this date,
there is also no immediate experience as to how they should be presented
in the course of a public consultation and what role do they play in the
explanation of a draft act.
Results and The Good Practice of Public Engagement refers to the Impact Assessment
impact: Methodology and vice versa, creating the basis for integrating these
processes. Whenever there is a chance to convey messages (e.g. trainings,
presentations), the Government Office always refers to them together.
As there are generally different officials in a ministry who are in charge of
the two different processes, the processes do not yet work together
smoothly.
The awareness of ministries about each of the processes separately has
improved. In practice, this means that when drafts are prepared, the need
to plan time for both impact analysis and public engagement is
recognised, but there are not enough skills yet to combine the two.
Additional There are no additional expected results.
expected results
and plans for
their
implementation:
Risks: If the awareness of the necessity of impact assessment and public
engagement (as well as the development of relevant skills) does not reach
each and every official in departments overseeing policies, there is a
danger of having these processes being completed with either insufficient
quality or in a hurry. The risks and challenges related to these topics have
been highlighted earlier.11
Challenges: Continuous need to raise awareness on all levels.
Lessons It is too early to point out.
learned:
Back to Action Plan structure
Key Area 2: Addressing public official ethics
Field of Activity: Prevention of corruption and conflicts of interest
11
More information can be found on public engagement risks and challenges at Key Area 1, Field of Activity C,
Activity 1: Interactive guidelines and training for implementing the Good Practice of Public Engagement; more
information can be found on impact assessment risks and challenges at Key Area 1, Field of Activity C, Activity
2: Launch of the impact assessment system.
17 Activity 1: Creation of a database of declarations of economic interests
Status: In process according to the schedule.
Purpose: Prevention of conflicts of interests and strengthening the anti-corruption
attitude of public sector employees; further cultivation of ethical behaviour.
In charge: Ministry of Justice
Deadline: 2014
Expected result: The created database contributes to the prevention of conflicts of interest
and corruption in the public sector.
Contents and The Anti-Corruption Strategy was passed on 6 June 2012 and it became
schedule: effective on 1 April 2013. Section 13, subsection 4 of the law, which will be
the basis for establishing a registry of economic interests by the
Government of the Republic, will become effective on 1 January 2014.
On 12 December 2013, a lead group of the development of the registry of
interests was established on the basis of a directive of the Minister of
Justice, with participating officials from the Ministry of Justice, the
Ministry of Finance, the Tax and Customs Board, the Centre of Registers
and Information Systems and the Information Technology Centre of the
Ministry of Finance.
Results and
impact:
To date, the vision and functionality of the electronic declaration of
economic interests have been developed as well as a substantial description
of the form of declaration of interests. There was a public tender for the
organisation of the electronic declarations. The deadline of the tender was
30 September 2013.
Declaring interests will become significantly easier and quicker for officials
with the creation of the new registry of interests; at the same time, it allows
for much quicker and more efficient monitoring.
By the end of October 2013, the statutes and the form of the registry will be
developed. Until the opening of the registry of economic interests in April
2014, technical development works will be taking place. The first round of
declaring economic interests will be completed by 31 May 2014.
Additional
expected results
and plans for
their
implementation:
Risks: Not adhering to the schedule because of a heightened need for coordination
between the two ministries and various agencies.
Challenges: The effective and fruitful organisation of work.
Lessons It is too early to point out.
learned:
Back to Action Plan structure
Activity 2: Adjustment of the system of funding non-profit organisations and
establishment of a disclosure system
Status: Fully implemented.
Purpose: Prevention of corruption in the private sector and non-profit sector.
In charge: Ministry of the Interior
Deadline: 2013
Expected result: A system of disclosure of non-profit organisations’ funding from the state
budget and from the budgets of local authorities has been created inside the
concept of the development of a common system for funding non-profit
18 organisations from the state budget (the public has an overview of allocated
support).
Contents and The aim of the activity is to create a consistent system of state financing for
schedule: non-profit organisations on state as well as local government level,
strengthening the civil society and contributing to the sustainability and the
growth of the institutional capabilities of the non-profit organisations.
For the creation of a consistent financing system, common financing
principles were established by spring 2012, and by 31 March 2013,
financing guidelines were prepared along with sample documents. In
between, the guidelines were tested in late 2012 in the Ministry of the
Interior and three local government units and the guidelines were improved
based on the feedback from the test participants. The guidelines are publicly
available12.
To apply the guidelines, a total of 18 trainings were organised in the period
from 8 November 2012 to 27 March 2013 in towns of various counties, with
the total of 379 people participating from ministries, local governments and
non-profit organisations. Also, a consulting service was offered regarding
the guidelines in December 2012 and January 2013. Also, a financingrelated public debate was held with the representatives of public sector and
civil society organisations in January 2013 and Frequently Asked Questions
was drawn up along with the answers.
Results and
impact:
Additional
expected results
and plans for
their
implementation:
The development and the implementation of the guidelines was supported
by marketing activities that had been planned so that they would attract as
much attention as possible in the local and national media.
Guidelines’ implementation monitoring will be carried out in 2014 to
evaluate the impact. To date, some ministries and institutions have already
redesigned or adjusted their financing systems for non-profit organisations
in accordance with the guidelines.
In order to ensure that all parties will start following the principles in the
guidelines which are not required, but “recommended”, and that the
practices of financing non-profit organisations would become
homogeneous, follow-up activities are planned in the Civil Society
Development Programme 2011-2014 implementation plan for 2013-2014.
The monitoring, mentioned in the previous subsection, will be carried out in
order to get an overview of the present state and the potential barriers in the
implementation process of the guidelines. The everyday work of the
cooperation network of financers will also continue as well as the fostering
of cooperation of the units who provide state budget financing for nonprofit organisations – in order to improve the financing procedures of the
projects. There is a plan to organise experience-sharing round tables for the
representatives of local governments.
In 2014, additional trainings will take place. The trainings are designed for
the officials of ministries and local governments who work with non-profit
12
https://www.siseministeerium.ee/public/juhendmaterjal13032013.pdf (in Estonian)
19 organisatsions and allocate funds to them.
Risks: Application of the recommended guidelines is a long-term process that may
show real results in a couple of years' time only. The nature of the
guidelines, being “recommended” may impede their implementation.
Challenges: Hosting the processes of engagement and giving and collecting feedback:
the guidelines have been worked out through the cooperation of
approximately 300 people.
The guidelines need implementation. The closer the financing of non-profit
organisations is to the processes and examples described in the guidelines,
the more certain the financer can be that the financing is following the
principles of good financing practice.
Lessons • No period of time was planned for practical application of the guidelines
learned:
in the programme framework, but it would have been valuable.
• The implementation of the guidelines must be strongly lead by the
Ministry of the Interior and more public debate is needed.
Back to Action Plan structure
Activity 3: Preparing the proposal for drawing up anti-corruption strategy
Status: Fully implemented.
Purpose: To analyse the performance of the effective anti-corruption strategy and lay
down the objectives and courses of action of the new strategy that would
best contribute to a decrease the corruption to a maximum extent possible in
both the private and public sector.
In charge: Ministry of Justice
Deadline: 2012
Expected result: The objectives and courses of action of the new strategy have been widely
debated and approved by the government; the drafting process of the new
strategy has started.
Contents and Although the current activity foresaw the preparation of the proposal for the
schedule: Anti-Corruption Strategy 2013-2020, by the time of the current reporting it
is also possible to give an overview of the preparation of the strategy that
followed the proposal. The proposal was completed as of 3 January 2013.
More than 100 people from approximately 60 organisations (including the
Chamber of Commerce and Industry, the Association of Estonian Cities, the
Association of Municipalities of Estonia, Network of Estonian Non-profit
Organisations, Estonian Qualifications Authority, Estonian Service Industry
Association, NGO Transparency Estonia etc.) participated in the preparation
of the new strategy.
Both the proposal for the preparation of the new strategy as well as the
strategy itself went through public consultations, the consultation
documents are available13. The Anti-Corruption Strategy 2013-2020 was
sent out for approval to the relevant authorities in May 2013 and was
submitted to the government in September 2013. While preparing the
strategy, the implemented and not implemented actions of the previous anticorruption strategy were analysed and, alongside the new activities,
13
http://www.korruptsioon.ee/58421 (in Estonian)
20 attention was given to the issues in the previous strategy.
The Anti-Corruption Strategy 2013-2020 focuses on three main objectives:
• Promoting awareness of corruption,
• Increasing the transparency of decisions and actions,
• Developing the investigating capabilities of investigation institutions and
to prevent corruption that would threaten security.
To achieve the objectives, approximately 70 actions have been agreed upon.
Results and The impact of the anti-corruption strategy can be assessed over a longer
impact: period of time, primarily based on studies and international evaluations as
well as recommendations given to Estonia. Criminal statistics are also
analysed.
Additional Actions in the anti-corruption strategy are aimed at the following measures:
expected results • Raising people’s awareness of corruption and shaping their attitudes,
and plans for • Shaping attitudes towards corruption and raising awareness in the public
their
sector,
implementation: • Raising awareness in the private sector and drawing attention to
corruption prevention related issues,
• Increasing the transparency of the legislative process and political
decision making,
• Increasing the transparency of municipal financial transactions and
procedures,
• Increasing the transparency of public authorities and endorsing the
culture of corruption prevention,
• Corruption prevention and increasing the transparency of public
procurements,
• Increasing the transparency of financial allocation decisions,
• Preventing corruption and biased decisions in law enforcement
authorities and courts,
• Increasing the transparency in healthcare,
• Enhancing the analytical capacity for investigating corruption related
crime.
Risks: Potential risks may arise from the failure by the responsible authorities to
carry out activities. To avoid that, the new anti-corruption strategy
implementation foresees designating a person responsible for the
coordination of corruption prevention in every ministry.
Challenges: • As the strategy combines the authorities of different ministries, ensuring
smooth cooperation between the ministries.
• In ministries anti-corruption activities are considered the responsibility of
the police and public prosecutor’s office and therefore they fail to realise
the importance of their own actions in corruption prevention.
• As the strategy is a government level development plan, the anticorruption strategy cannot impose obligations or activities on the
parliament.
Lessons It is too early to point out.
learned:
Back to the structure of the action plane
Activity 4: Draft Anti-corruption Act
21 Status: Fully implemented.
Purpose: For the purpose of improving prevention of corruption, the restrictions and
duties of officials are clarified, the system of declaration of interests is made
more efficient and liability arising from violation of law is stipulated. The
draft Act decreases the administrative burden, increases transparency in the
public sector and raises Anti-corruption awareness in society.
In charge: Ministry of Justice
Deadline: 2012
Expected result: The system of the restrictions and duties of officials has been clarified and
the system of declaration of interests has been made more efficient for
the prevention of corruption.
Contents and The Draft Anti-Corruption Act was sent for consultation on 16 May 2011.
schedule: On 7 November, the bill was sent for a second round of consultation.
Results and
impact:
Additional
expected results
and plans for
their
implementation:
The bill was sent to the government on 8 February 2012, and the Parliament
started hearing the matter on 8 March; the Act was adopted on 6 June 2012
and took effect on 1 April 2013.
The new Anti-Corruption Act allows for using arrangements corresponding
to the nature of the functions and the corruption risk in a public entity, and
does not aim to impose uniform restrictions. In practice, this may lead to a
certain rise in administrative burden because corruption risks have to be
analysed and appropriate legal tools must be identified to mitigate these
risks. The public entity also has to ensure that public officials are aware of
corruption threats and legal obligations.
The Ministry of Justice leads the implementation and drafting of anticorruption policy, and will make amendments the Act when necessary.
Risks: • Problems may arise from implementing the Act due to lack of
implementing practice.
• As the new Act imposes the absolute obligation to declare one’s interests
in a register on a certain number of people, it will be a challenge to
implement the system in such a way that other officials would be subject
to declaring their interests only if there are no other efficient tools for
preventing the corruption risk. The implementation of such a system
requires careful analysis and implementation anti-corruption measures.
Challenges: It is too early to point out.
Lessons It is too early to point out.
learned:
Back to the structure of the action plane
Activity 5: Establishment of the Public Ethics Council
Status: Fully implemented.
Purpose: To create an independent Ethics Council with the aim of strengthening the
core values and ethics of public official’s tenure.
In charge: Ministry of Finance
Deadline: 2013
22 Expected result: The Ethics Council has been founded and it operates on a regular basis. The
Ethics Council gives advice to authorities and public officials in public
service ethics matters and delivers opinions on the compatibility of
behaviour with applicable public official’s ethics requirements.
Content and The founding of the Ethics Council was prescribed in the Public Service Act
time frame: that took effect on 1 April 2013. The Public Service Ethics Council was
established by the Government regulation no 294 on 27 June 2013. The
Ethics Council has nine members with the majority comprised of active
public officials. The first meeting of the Ethics Council where the time
frame for future actions of the Ethics Council will be set is to take place in
autumn 2013.
Results and The founding of the Public Service Ethics Council enables the preparation
impact: of the new code of ethics of public servants, which the Ethics Council will
approve and support its uniform application.
Expected It is important to ensure regular operation of the Ethics Council, the
supplementary engagement of public authorities in the activities of the Ethics Council and
results and the communication of the opinions of the Ethics Council to public
plans for authorities and to the society.
implementation:
Risks: • Considering the limited availability of time of the members of the Ethics
Council, ensuring the regular operation of the Ethics Council is critical.
• It is impossible to predict the number of requests that the Ethics Council
will receive.
Challenges: The negations over the composition of the Ethics Council took longer than
expected.
Lessons It is too early to point out.
learned:
Back to the structure of the action plane
Activity 6: Organisation of ethics training for employees of various public sector
organisations (incl. public servants)
Status: Fully implemented.
Purpose: Increasing the awareness of the public sector target groups of the main
values of the public sector and the development of skills of ethical
resolution of problematic situations.
In charge: Ministry of Finance
Deadline: 2012
Expected result: The target group of public ethics training has been extended to cover all
public sector employees. Regular trainings are carried out under the Central
training programme.
Content and 18 trainings were planned for public servants and 10 to more wide ranging
time frame: target groups from the public sector under the Central trainings 2012-2013
programme. The trainings received €33,909.18 of financing with 85% of the
sum covered by the European Social Fund. The trainings are organised by
the Estonian Academy of Security Sciences Public Service Development
and Training Centre.
Results and The trainings took place as planned. In addition to public service target
impact: groups, the programme covers the members of municipal governments and
councils and the employees of partially government or municipally owned
enterprises, foundations, non-profit organisations and bodies under their
23 administration.
In relation to the new Public Service Act and Anti-Corruption Strategy
taking effect, the training programmes were updated in 2013 to increase the
emphasis on explaining the operational and procedural restrictions that
come along with the new legislation.
Expected The need for continuation of ethics trainings is foreseen for 2014. Since no
supplementary resources have yet been allocated, actions are planned for raising the
results and necessary resources.
plans for
implementation:
Risks: As of 2014, there is a risk of not finding resources for financing the
activities since the current programme ends and the financing principles of
the new programme may change.
Challenges: To ensure the continuation of public service and public sector ethics
trainings in 2014.
Lessons With the new Public Service Act taking effect, changes had to be made to
learned: the content and target groups of the training programmes. As the employees
of public authorities do not fall under the code of ethics of public servants,
they were redirected to the public sector ethics training programme. This
change needed further clarification in the months after the Public Service
Act took effect.
Back to the structure of the action plane
4. SUMMARY
Estonia is committed to implementing the principles of Open Government Partnership and
continues to pursue the originally set objective of drawing the attention of the government and
the society to the quality of governance, learning from other countries’ experience and sharing
Estonia’s experience with other partnering countries.
The biggest challenge lies in establishing a more open culture of governance, which presumes
high expectations on the part of the society towards the political elite and civil servants. The
shaping of civil servants’ attitudes and skills as well as designing new technological solutions
to support a more engaging policy-making will takes place in that context. The support of the
political elite is an additional resource for more effective fulfilment of the set commitments.
One of the most important lessons learned from the reporting period is that besides the usual
ways of engagement (including voting, making proposals to the government and expressing
one’s opinions about bills) people can constructively convene to express their dissatisfaction
and to make suggestions regarding better governance as proven by the example of the
People’s Assembly. In such cases the sensible reaction of the government is to support the
citizens’ initiative and to create conditions for taking the feedback on board. The strength of
the People’s Assembly process was achieved through cooperation between the leaders of civil
society and public institutions (the President, the Parliament). All parties contributed to
creating an appropriate environment for channelling dissatisfaction into constructive value
24 adding proposals to the Parliament as the highest representative body, offering everyone the
possibility to participate in the process. It is too early to assess the long-term impact of the
People’s Assembly, but the suggestion of creating a legal basis for such a process shows the
high level of confidence in the setup among the participants.
From the very beginning, we have believed here in Estonia that in order to successfully
participate in Open Government Partnership we need to integrate domestic endeavours with
international objectives and principles. Through that, we are able to ensure that the set
objectives are relevant and realistic and the progress towards their achievement is monitored
and reported. The cooperation between the Ministry of Foreign Affairs and the Government
Office, with the Government Office coordinating the work of ministries contributing to the
Open Government Partnership action plan, and the Ministry of Foreign Affairs representing
the Open Government Partnership initiative as a whole, can be considered rather productive,
but the lack of a clear and visible leader has had a somewhat holding back effect in terms of
the perception of the importance of the Open Government Partnership among both the closer
circle of participants and the broader society.
For the Open Government round table and the representatives of the public sector, the first
year of participation in the Open Government Partnership has been a time to get to know each
other. The round table has the task of generating new ideas and monitoring government
actions, which has occasionally also meant expressing dissatisfaction with the relative
slowness or low ambition of the developments. Constraints and opportunities related to the
planning and implementation of government actions are closely linked to the provisions of the
Action Programme of the government.
The above-mentioned aspects should be taken into account when preparing the next action
plan for Open Government Partnership participation. The levels of ambition, the willingness
among parties to take responsibility and available resources should be aligned. It is time to
suggest new activities; the selection of the most viable and feasible will follow in the
upcoming months when the action plan will be revised. None of the actions in Estonia’s first
Open Government Partnership Action Plan has lost its relevance and will continue to be
implemented over the new period. We are also eager to learn from international practice and
are willing to share our experience in order to globally promote open governance values.
25 Appendix 1. Open government round table: People’s Assembly in Estonia – crowdsourcing solutions for complex problems
A former Estonian MP, member of the ruling Reform Party, announced in 2012 that the
party’s officials gave him 7600 euros of unknown origin that he then had to donate to the
party. He claimed that dozens of members had donated funds to the party this way, including
MPs.
Although the party rejected the accusations and the subsequent investigation was ended due to
a lack of hard evidence, the public did not find party’s denials convincing. Widespread protest
yielded to the street demonstrations and petitions in autumn, demanding more transparency in
party funding as well as more dialogue and openness in the political system.
How to turn this wave of activism into something constructive? Civil society activists
proposed crowdsourcing as a method for finding solutions to these complex problems.
A working group of CSO and political parties’ representatives gathered in November, 2012.
Five weeks later a website was opened where everyone could propose ideas for improving the
situation in the areas such as elections, public participation, political parties and their funding.
Within three weeks, it gained 60’000 visitors; 1’800 registered users posted nearly 6’000
ideas and comments. All these were grouped and provided with impact analysis by scholars
and practitioners. These were sent to the Deliberation Day on 6th of April, where a
representative sample of 314 people discussed the pros and cons of ideas and casted then their
preferences. The outcomes were presented to the Parliament who has then set a timetable
when these legislative changes will be discussed in the formal procedures.
The impact of this process, called People’s Assembly, is yet too early to summarize. None of
the legislative changes has been done so far, but they are in the agenda. The process clearly
proved that if good conditions are created, people are willing and capable to participate in the
policy making. Crowd-sourcing mechanisms can provide a valuable tool for implementing the
principles of open government and bridging the gap between government and the public. 26 Appendix 2. Open Government Partnership case study from
Estonia – the development of the government portal eesti.ee
A strong focus of the Estonian Open Government Partnership Action Plan is to develop public
e-services. This means various structural changes in the administrative processes that will
result in the improvement of the availability and user-centeredness of public services. A key
commitment in this area is to improve the state portal eesti.ee in terms of functionality and
user-friendliness. The aim is to build it into the primary e-service and government information
gateway for Estonian residents and entrepreneurs – thereby making access to government
easy and accessible for everybody.
There are several developments ongoing with eesti.ee in this aim, but one truly key step was
the creation of personal data and service view. It was launched in August 2013, although
some beta versions had been out already since the beginning of the year.
The idea of personal view is that after the user logs in securely with Estonian national eID
(either ID-card or mobile ID)14, he/she will be able to view all of his/her core data and service
statuses on one web-page. Each line of information also comes with links to related e-services
in order to easily take the user to further data viewing or applications or other transactions
within the portal.
For example, up-to-date information bits will be listed about the person’s family, real estate or
business matters; notifications about his/her documents’ validity and various due deadlines
(e.g. taxes or applications); basic health insurance related information; etc. In this way there is
no need for him/her to waste time on searching and navigating the portal any longer for core
services, allowing desired services to be reached faster and more conveniently.
After the launch of personal view, the feedback from users has been very positive as they
have longed for such easy access to core data and services – most users have very basic
service needs only, so they want to get things done fast.
People are especially appreciating the newly added notifications service. Only very few of
us regularly check and remember whether our driver’s license is about to expire or when our
pet should get the next annual vaccine or when the next tax declaration is due. In all these
cases, the duty to perform some steps lies with the individual. At the same time, the
government does know via various e-services which deadlines are coming up and when. Thus,
the government might as well take a step towards the users and provide this information as a
notification service. Then it will be easier for people to avoid getting into trouble with
deadlines, while legal compliance also rises and this benefits the government.
The motivation behind the initiative was that a) people expect a rising level of userfriendliness from government e-services, b) private sector online services have offered similar
possibilities for some time already (e.g. banks). Thus, user expectations and needs were the
driving force. The initiative arose bottom-up from the state portal development team like is
the case with most Estonian e-governance innovations.
14
See http://e-estonia.com/components/electronic-id-card and http://e-estonia.com/components/mobile-id for
more info on Estonian nation-wide eID system.
27 Building of the personal view page that combines data from a big variety of governmental
databases and services was possible because of X-road: the data exchange system that
Estonia has been using since 200115. X-road is the interoperability solution that carries highly
secure Internet-based data exchange between all governmental as well as some private
information systems. It enables connecting of any independent datasets and systems into
comprehensive e-services like the personal view page – and to do all this in a simple, uniform
and cost-efficient manner. At the same time there are very high levels of accountability.
Anyone accessing the system leaves a record, something that is viewable by the citizen.
There is still much to do to make this personal view of state portal services even more
personalized. For example, we can offer customized page views based on smart analytics on a
person’s activities in the portal and other data known to service provider. Also, we are
currently preparing to take the state portal to a mobile platform. This will make the personal
data and service view even more conveniently accessible for all users.
It’s things like these that often make a difference. They might not seem too big-of-a-deal at
first glance. Yet, in the end they contribute much to the e-service user experience and thereby
help to bring government closer to people.
More information: Siim Sikkut, Government Office of Estonia, [email protected]
15
See for more information: https://ria.ee/x-road/
28 Estonian Informatics Centre
eGovernment in Estonia: Best
Practices
Ahto Kalja1, Aleksander Reitsakas2, Niilo Saard2
1Inst. of Cybernetics at Tallinn Univ. of Technology,
Akadeemia 21, 12618 Tallinn, Estonia
2Cell Network Ltd., Toompuiestee 5, 10142 Tallinn, Estonia
[email protected], [email protected],
[email protected]
PICMET´05
1
Estonian Informatics Centre
Content
I Introduction
II The general architecture of eGovernment
environment in Estonia
III Results of Estonian eGovernment projects
IV Special citizens web portal with db-services
V Estonian ID card and PKI infrastructure
VI eServices
VII A new generation eService “Parental benefit” in
Internet
VIII Statistics
IX Conclusions
PICMET´05
2
Estonian Informatics Centre
I Introduction
eGovernment in Estonia got started by developing a functional
architecture that includes:
-  secure data transport backbone X-Road,
-  distributed information systems functionality and
-  different hardware and software components like portals,
elements of public key infrastructure (PKI), governmental
databases and information systems.
This is the very basis of hundreds of services that have been
created today. The recent success with eGoverment services
and the common architecture of eGovernment will be given in our
presentation.
PICMET´05
3
Estonian Informatics Centre
II The general architecture of eGovernment
environment in Estonia
The architecture of eGovernment was developed in the framework of the
X-Road project.
X-Road project was preliminarily initiated for interconnecting Estonian
governmental databases to the common data resource accessible over
the Internet.
After the successful start of sending database queries and answers over
the Internet, the X-Road environment was expanded to send all kinds of
XML-format electronic documents securely over the Internet.
At the same time the X-Road started to become a skeleton of all the
eGovernment services.
PICMET´05
4
Information systems
IS of
Estonian
Tax and
Customs
Board
Population
Register
CA of X-road
Estonian
Motor
Vechicle
Registration
Centre
x5
…
other IS
for ex.
MISP II
Services
Services
Estonian
Informatics Centre
X-road
centre
Banks
Hansa bank
Union bank.
Kreditb.
Sampo bank.
Nordea bank
HELPDESK
Monitoring
a) authent.
b) payment
c) services
Centr.server II
Services
(Elion)
AS
AS
AS
AS
AS
SS
SS
SS
SS
SS
Centr.server I
X-road
Information portal
http://www.eesti.ee
SS
Internet
Information portal
for enterpreneurs
SS
Central
register
of DBs
Riik.ee
(for civil servants)
SS
SS
ID-card
KIT
EIT
AIT
(Citizens’ portal)
(Enterpreneurs’ portal)
(Civil servants’ portal)
PICMET´05
Environments developed by government
CA
5
Certification agency
Estonian Informatics Centre
3-layers architecture I
Services
Data transport
X-road
Databases
PICMET´05
6
3-layers architecture II
Technology
Estonian Informatics Centre
Components
III layer
WSDL
UDDI
II layer
SOAP
XML RPC
LDAP
…
I layer
Oracle
Progres
MySQL
…
Services
Data traffic
X-road
Databases
PICMET´05
Parential benefit
My vehicles
My penalties
…
Security server
Central server
MISP
Citizen portal
…
Traffic register
Population register
Passports register
…
7
Estonian Informatics Centre
III Results of Estonian eGovernment projects
ring the last 3-4 years we have finished different IT projects for implementing
overnment architecture in the public sector of Estonia. As the result of the
ntioned projects, the following service portals, environments and frameworks
now available in Estonia:
• 
Special citizens web portal with db-services. Portal has won an award
Finalist with Honourable Mentions of the eEurope awards for
eGovernment 2003. The portals eServices will step-by-step be added
to the citizen portal (KIT) in the nearest future;
• 
Framework of the facilities for using Estonian ID-card (over 50% of
Estonian population has already an electronic ID-card) with PKI technology
for identification, authorization and digital signature operations;
• 
Citizens, civil servants and entrepreneurs web portals with almost 500
different eServices from different Estonian central and local governments.
er we will describe some of these environments projects more precisely.
PICMET´05
8
Estonian Informatics Centre
IV Special citizens web portal with db-services
All services available through the citizen's portal have a common user
interface, which is not dependent on a database management system for
back office.
A standard authentication system for all citizens has been developed as well.
The set of standard services available include typical queries, such as:
"give me my data" from the population register;
"give me my data" from the motor vehicles register.
PICMET´05
9
Estonian Informatics Centre
Authentication
Users
CA of
servers
CA of
citizens
Portal
Citizen
Central
Central
server
server
Adapterserver
Database
Security
Security
server
server
Internet
SSL channels,
Security
Security
digitaly signed
server
server
encrypted messages
Civil
servant
Central
monitoring
Local
monitoring
MISP
Local
monitoring
IS of an
organizat.
Database
processors
Functional scheme
PICMET´05
10
Estonian Informatics Centre
V Estonian ID card and PKI infrastructure
The purpose of Estonian ID-card project was to use nation-wide electronic
identity and develop a new personal identification card that would be
a generally acceptable identification document and contain both visually and
electronically accessible information.
On December 18, 2001 the parliament established ID-card as a compulsory
identity document and the Estonian passport is thus only a travel document to
travel abroad. On January 28, 2002 the first ID-cards were issued to Estonian
citizens. Today (25.7.2005) over 50% (803 000 people) of the Estonian
population (1.4 million) has an ID-card.
There exists a lot of similar projects in other countries (Belgium, Finland,
Italy etc.), but using of ID-card services at large you can find in Estonia as
in pilot country.
PICMET´05
11
Estonian Informatics Centre
Estonian ID card and PKI infrastructure II
The Estonian ID-card project is focused on the digital signature, which is
equivalent to the ordinary signature on paper. To achieve this aim the
Identity Documents Act as well as the Digital Signatures Act were adjusted,
which resulted in the following:
•  The certificate inserted in the ID-card includes the personal identification
code, which enables to identify the individual at once.
•  A certificate, which enables to sign documents according to the Digital
Signatures Act, is inserted in the ID-card chip.
•  Certificates inserted in the ID-card lack field of use restrictions and
therefore it can be applied in the public as well as private sector,
and also in any kind of mutual relations between individuals.
PICMET´05
12
Estonian Informatics Centre
Estonian ID card
PICMET´05
13
Estonian Informatics Centre
Estonian ID card
PICMET´05
14
Estonian Informatics Centre
VI eServices
The set of facilities for the IS, which are joined to the X-Road environment:
• Authentication (ID-card + 5 Internet bank services);
• Authorization;
• MISP (Mini Info System Portal) portal services;
• Simple queries to Estonian national databases;
• The facilities for developing complex business model
queries (queries to different databases and registers);
• The writing operation into databases;
• The facility to send large amount of data (over 10Mb) from database
to database over the Internet;
• Secure data exchange, logs storing;
• Queries surveillance possibility;
• The integration with citizen portal for adding new services;
• The integration with entrepreneurs portal for adding new services;
• Central and local monitoring;
• The special database for storing services WSDL descriptions.
PICMET´05
15
Estonian Informatics Centre
VII Best practice
•  Parential benefit in Internet
• 
5 information systems interact the data
–  Citizens’ portal
–  Register of Social Insurance Board (+MISP)
–  Population register
–  IS of Health Insurance Fund
–  IS of Tax and Customs Office
PICMET´05
16
Estonian Informatics Centre
DBs
Users
Register of Social
Insurance Board
Citizens’
portal
Citizen
Population register
X-road
MISP
IS of Health
Insurance Fund
Civil servant
IS of Tax and
Customs Office
Parential benefit in Internet
PICMET´05
17
Estonian Informatics Centre
Best practice for citizen
•  Citizen can give applications over the Internet
•  Citizen does not give data, which the IS knows anyway about the
citizen
•  Citizen does not fill long application documents and run from door to
door
•  A good example how the state has simplified the payment system
PICMET´05
18
Estonian Informatics Centre
Best practice for civil servant
• 
• 
• 
• 
Civil servant is free from revising mountains of paper documents (7)
Civil servant is free from inputting the data from paper documents
Civil servant is free from checking data in different databases
Civil servant can start the process by inputting only the personal
code of client
•  There does not exist any paper applications at all
PICMET´05
19
Estonian Informatics Centre
VIII Statistics
At the moment we have following clients:
•  Organizations: Number of agreements – ~350
Databases/Service providers:
•  All service providers: 34
Security servers:
•  Number of agreements for SS: 76
MISP servers:
•  Number of agreements for MISPs: 41
PICMET´05
20
Estonian Informatics Centre
Statistics
Services:
•  The number services from all the X-road service providers ~500
The statistics of usage:
•  During the year 2003, the total number of X-road queries was:
590 000.
•  Number of queries made via thr X-road in 2004: over 7.75 million
•  Daily record of queries in 2004: 118 000 queries per day
PICMET´05
21
Estonian Informatics Centre
IX Conclusions
We are sure that our projects for eGovernment framework development
and portals are making significant contributions to the process of moving
towards the information society. Our environment represents Estonian
and European best practice in the application and usage of new
technologies in order to provide eServices to citizens, to civil servants
and to entrepreneurs.
PICMET´05
22
Estonian Informatics Centre
PICMET´05
23
Estonian Informatics Centre
PICMET´05
24
Estonian Informatics Centre
PICMET´05
25
Estonian Informatics Centre
PICMET´05
26
Estonian Informatics Centre
PICMET´05
27
Estonian Informatics Centre
Thank you!
PICMET´05
28
The Estonian ID Card and
Digital Signature Concept
Principles and Solutions
Ver 20030307
Contents
Contents .........................................................................................................................2
Status of the document...............................................................................................3
Introduction................................................................................................................3
Intended audience ......................................................................................................3
Current project status .................................................................................................3
Principles........................................................................................................................4
Digital signature regulation........................................................................................4
Digital signature concept .......................................................................................4
Certification Service Providers (CSP-s) ................................................................4
Time-stamping Service Providers (TSP-s) ............................................................4
Supervision – Registry and Ministry .....................................................................5
Foreign Certificates................................................................................................5
Identity Document Regulation...................................................................................5
Mandatory document .............................................................................................5
Card appearance and layout ...................................................................................5
Electronic data on card...........................................................................................6
Certificates .............................................................................................................7
E-mail address........................................................................................................7
Data protection.......................................................................................................7
Organizational structure, card issuing and operation.............................................8
Solutions ......................................................................................................................10
Certificate profiles and e-mail addresses .................................................................10
Certificate validity verification methods .................................................................10
OCSP, time-stamping and evidentiary value of digital signatures ..........................10
Document format and DigiDoc................................................................................11
Roles, authorizations and organizations' validations ...............................................12
New ideas: replacement and alternative cards .........................................................13
2
Status of the document
This document is prepared by AS Sertifitseerimiskeskus (www.sk.ee). You may
freely distribute it in original verbatim form (without making any changes). The
Estonian ID card project information, including the newest version of this whitepaper,
is available online at http://www.id.ee. You may contact us at [email protected].
Introduction
Estonia has implemented ID card as the primary document for identifying its citizens
and alien residents living within the country. The card, besides being a physical
identification document, has advanced electronic functions that facilitate secure
authentication and legally binding digital signature, in connection with nationwide
online services.
This whitepaper gives an overview of the principles behind the project and explains
the choices and decisions made while carrying out the card project. It also presents an
overview of how the associated services and applications are implemented.
Intended audience
The first part of the whitepaper, "Principles", is written for decision-makers and
potential common users from a legal and economic perspective. The second part,
"Solutions", is for implementers and assumes knowledge about basic PKI concepts.
Current project status
The first Estonian ID cards were issued in January 2002. In one year, more than 130
000 cards have been issued, and the total figure is expected to grow to more than 350
000 by the end of 2003 (about 25% of the whole population).
The card is meant to be universal and its functions are to be used in any form of
business, governmental or private communications. It is already helping people to
make everyday communications more convenient. You can find more details about
the implementation and applications below.
3
Principles
Digital signature regulation
Estonian parliament (Riigikogu) passed the Digital Signature Act (hereinafter DSA)
on March 8, 2000, and it entered into force on December 15, 2000. The law regulates
issues that are essential for implementing a nationwide PKI and digital signature
infrastructure. The law is available online at
http://www.legaltext.ee/text/en/X30081K3.htm.
Digital signature concept
According to the Estonian DSA, digital signatures are equivalent to handwritten ones,
provided that they are compliant with the requirements set forth in DSA and if other
laws do not regulate otherwise. Thus as a rule, digital and handwritten signatures
should be equivalent in document management in both public and private sectors.
DSA also states that public sector organizations must accept digitally signed
documents.
The requirements set forth in DSA to digital signatures state that digital signature
must uniquely identify the signatory, be bound to the signed data in such a way that
makes changing the data after signing impossible without invalidating the signature,
and identify the time of signing (assuming the use of time-stamping or equivalent
time establishment technology).
In the terms of EC directive 1999/93/EC, DSA only regulates advanced electronic
signatures. Other types of electronic signatures can of course be used, but DSA does
not give them legal power.
Certification Service Providers (CSP-s)
DSA regulates the work of CSP-s in Estonia, setting forth requirements to them and
regulating their operation and supervision. CSP-s may only be legal entities with a
regulated minimum share capital, they must be entered in the National Certificate
Service Provider Registry (see below) and must carry out an annual audit to ensure
organization and system reliability. CSP-s must also have liability insurance to
safeguard against compensating faults made while providing the service.
It is important to note that according to DSA, CSP-s certify only real persons
identifiable by name and ID code – issuing certificates to pseudonyms is not currently
covered by DSA. It was discussed in the parliament during the law adoption process,
but was considered to be an additional unnecessary risk and so far, no need for this
has been seen.
Time-stamping Service Providers (TSP-s)
DSA also regulates the work of TSP-s and the comparison of time stamps between
TSP-s. The requirements to service providers are generally the same as those to CSP4
s. According to DSA, a time stamp is simply a data unit that proves that certain data
existed at a certain moment. DSA does not define time stamps in more detail, but
states that they must be bound to the timestamped data and issued in such a way that it
would be impossible to change the timestamped data without invalidating the
timestamp.
Supervision – Registry and Ministry
The National Registry of Certification Service Providers contains data about all
Estonian CSP-s and TSP-s. Although it confirms the public keys of CSP-s, it is
technically not a root CA in Estonia. Instead, it functions as a supervisory authority,
confirming the results of service providers’ annual audits among other things. The
Ministry of Economy and Communications, in whose administration area the registry
works, has the right to verify audit results and inspect the service providers’ premises
and relevant information.
Foreign Certificates
DSA regulates the recognition of foreign certificates, stating that in order for them to
be recognized equivalent to those issued by Estonian CSP-s, they must be either
confirmed by a registered CSP, be explicitly compliant with DSA requirements or
covered by an international agreement.
Identity Document Regulation
Identity documents in Estonia are regulated by the Identity Documents Act. The law
is available online at http://www.legaltext.ee/text/en/X30039K7.htm.
Mandatory document
According to the Act, possessing an ID card is mandatory for all Estonian residents
and also for all aliens who reside permanently in Estonia on the basis of a valid
residence permit with a period of validity of at least one year. There are no sanctions
for not having a card, but it is expected that as the first Estonian passports were issued
in 1992 with validity period of 10 years and they are expiring, most people will apply
for either only ID card, or ID card together with passport when renewing their
documents in the period 2002-2006. By the end of 2006, one million cards will have
been issued.
There is only one version of the document: there are no different optional features that
users can opt out of or choose to (not) have. All documents are equipped with a chip
containing electronic data and certificates (see below). It is understood that some
users may have doubts or fears about electronic use of the card, but remedies are
provided for that: if users do not wish to use the electronic functions of their cards,
they can suspend the validity of their certificates, thus making it impossible to use the
card electronically. Certificate suspending or revoking also removes user's data from
public certificate directory.
Card appearance and layout
The card looks as follows.
5
Front side of the Estonian ID card.
Back side of the Estonian ID card.
The front side of the card contains the card holder's signature and photo, and also the
following data:
• name of card holder
• personal code (national ID code) of card holder
• card holder birth time
• card holder sex
• card holder citizenship
• residence permit details and other information (if applicable)
• card number
• card validity end
The back side contains the following data:
• card holder birth place
• card issuing date
• card and holder data in machine-readable (ICAO) format
Electronic data on card
Each ID card contains various pieces of data. All the above data except photo and
handwritten signature are also present on the card in electronic form, in a special
publicly readable data file. In addition, the card contains two certificates and their
associated private keys protected with PIN codes. The certificates contain only the
holder's name and personal code (national ID code). In addition, the authentication
6
certificate contains the holder's unique e-mail address. Read more about certificates
and e-mail address below.
Certificates
Each issued ID card contains two certificates: one for authentication and one for
digital signing. There are also two associated private keys, protected by two separate
PIN codes, on the card. The certificates contain no restrictions of use: they are by
nature universal and meant to be used in any form of communications, whether
between private persons, organizations or the card holder and government. They
contain no roles or authorizations: those most come using some out-of-band method
(also see below, "Roles, authorizations and organizations' validations").
The certificates contain the card holder's name and national ID code. It is agreed in
Estonia that this data is public by nature. The certificates identify the card holder
uniquely because even though there may be name overlaps, the national ID code is
unique. In addition, the authentication certificate contains the card holder's e-mail
address.
E-mail address
The authentication certificate on each ID card contains the card holder's governmentassigned e-mail address in the format [email protected], where
NNNN are four random numbers. The random numbers are necessary to provide
unique e-mail addresses even to persons with the same name. The address does not
change with subsequent certificate or card issuing – it is guaranteed to be a person's
"lifetime" address.
There is no real e-mail service associated with the address. It is a merely a relay
address which forwards e-mails to users' "real" addresses (e-mail accounts). Each user
must configure the forwarding addresses using an online service made available for
this purpose, and may reconfigure the addresses as often as he or she pleases. Up to
five forwarding addresses can be specified.
The address is supposed to be used in communications from government to the
person, but it can also be used in communications between persons and companies
and private persons themselves. The addresses are available online to anyone through
CSP-s certificate directory.
The address can be used as a simple e-mail address, but using the address and the
authentication certificate on the card, users can also digitally sign and encrypt their email. The digital e-mail signature is not legally binding and not covered by DSA, but
it provides receivers additional confirmation of sender authenticity. E-mail encryption
and signing using certificates on smart card is a standard function of various e-mail
applications.
Anti-spam measures are implemented in the forwarding server. In addition, spamming
is illegal in Estonia and spammers will be prosecuted accordingly.
Data protection
The data protection question is not very relevant in the context of Estonian ID card
because there is very little private data involved in the card issuing and further
7
utilization process. There is a broad Personal Data Protection Act in effect in Estonia
which regulates the use of personal data and databases containing personal data by
public authorities and private entities, and Estonian Data Protection Inspection is the
government body overseeing that the requirements of the act are met and enforcing
compliance if necessary.
The certificates on the card are available publicly in a directory service and contain
only the card holder's name and personal ID code, which are considered public data
by nature in Estonia. In addition, e-mail addresses in authentication certificates are
also available in the directory. The directory contains only valid (active) certificates:
if a person suspends or revokes his certificate, it is also removed from the directory
and the data are no longer available.
The public data file is not published anywhere online. The personal data on the card in
visual and electronic format are accessible only to those persons to who the card
holder physically presents the card.
The general stance to ID card and data protection in Estonia is that the card should
contain as little private data as possible. Instead, the data should be kept in databases
at relevant authorities, and a person can use the card as key (authorization method) to
access his or her data in the database.
Organizational structure, card issuing and operation
The card issuing as well as its further operation is done in close public private
partnership. There are three main organizations who are associated with issuing and
operating the ID card and the associated infrastructure.
Estonian Citizenship and Migration Board (hereinafter CMB) is the government
organization responsible for issuing identification documents to Estonian citizens and
alien residents, as required in the Identity Documents Act. CMB is in the supervision
area of Estonian Ministry of the Interior. CMB receives the card application from
citizens.
AS Sertifitseerimiskeskus ("certificate centre", hereinafter SK), founded by two
major Estonian banks Hansapank and Eesti Ühispank and two telecom companies
Eesti Telefon and EMT, functions as CA, maintains the electronic infrastructure
necessary for issuing and using the card, and develops the associated services and
software. SK also takes care of delivering the card to its holder through Hansapank
and Eesti Ühispank bank offices.
TRÜB Baltic AS, subsidiary of Swiss TRÜB AG, is the company that personalizes
the card.
The card issuing process consists of the following steps.
1.
person fills in application for the card, indicating the bank branch office where
he or she would like to receive the card
2.
CMB receives application from person
3.
CMB stores the application and forwards its data to TRÜB
4.
TRÜB personalizes the card
8
5.
6.
7.
8.
9.
10.
11.
12.
13.
14.
TRÜB gives the card the order of generating private keys (internal function of
the card, the keys will never leave the card) and prepares the secure PIN
envelopes
TRÜB formulates certificate requests (2 per card) and forwards them to SK
SK issues the certificates, stores them in its directory and returns the
certificates to TRÜB
TRÜB stores the certificates and personal data file on the card chip
TRÜB prepares the final delivery envelope, enclosing the card, secure PIN
envelope and an introductory brochure
TRÜB hands the final delivery envelope over to CMB
CMB hands the final delivery envelope over to SK (CMB has outsourced the
card delivery to SK)
SK sends delivery envelope to the bank branch specified in the original
application (done using security couriers)
person receives the delivery (containing card and PIN codes in separate
envelopes) from the bank branch office
upon receipt of the card, certificates are activated and published in directory
For further operation of the card, SK maintains the associated electronic services
including an LDAP directory service, OCSP validation service and other necessary
services for online validity and digital signature confirmations. SK also provides the
software to anyone interested in creating applications to the card and digital signature,
and provides a readymade client and web portal for giving and verifying digital
signatures (see below, "Document format and DigiDoc"). In addition, SK maintains a
24-hour telephone hotline which can be used for immediately suspending the validity
of certificates in case of card loss or theft.
9
Solutions
Following are a number of issues and questions that have been solved when
implementing the Estonian ID card and digital signature infrastructure.
Certificate profiles and e-mail addresses
The certificates on Estonian ID cards are standard X509v3 certificates. The
authentication certificate contains the card holder's e-mail address. The certificate
profile is available in a separate document.
Certificate validity verification methods
According to Estonian DSA, CSP-s must provide "a method of verifying certificate
validity online". SK as the issuer of certificates to ID cards provides users three ways
of checking certificate validity.
CRL-s are provided, containing the list of suspended and revoked certificates. CRL-s
are standard but outdated method, because as of January 2003, CRL size has grown to
over 1 MB in one year and it is not very convenient to use. CRL-s are mainly
provided for backwards compatibility and standards compliance. SK updates its CRL
twice a day. Delta CRL-s are not provided.
The second method is an LDAP directory, containing all valid certificates. The
directory is updated in real time – if a certificate is activated, it is uploaded to the
directory, and if it is suspended or revoked, it is removed from there. Among other
things, this provides everyone a chance of finding the e-mail address of any ID card
holder. Restrictions are in effect as to the maximum number of responses returned to
one LDAP query to protect against server overload.
The most convenient method of verifying certificate validity is SK-s OCSP service. It
can be used for simple certificate validity confirmations, but also for validity
confirmations ("notary confirmations") to digital signatures. SK provides a standard
OCSP service compliant with RFC 2560. An important detail is that according to the
RFC, OCSP responses are supposed to be based on CRL-s and therefore may not
necessarily reflect the actual certificate status. In contrast, SK has implemented its
OCSP service in such a way that it operates directly off its master CA certificate
database and does not use CRL-s. Thus, SK-s OCSP responses reflect actual (realtime) certificate status. In terms of the RFC, the response's thisUpdate and
producedAt fields are equivalent.
OCSP, time-stamping and evidentiary value of digital
signatures
For legally binding digital signatures, time is an extremely important factor.
According to the Estonian DSA as well as common sense, only signatures given using
a valid certificate are to be considered valid. On the other hand, to provide remedy to
the risk that the signing device (ID card) may be stolen together with PIN-s and
digital signatures could be given on behalf of the user by someone else, users have the
chance of suspending their certificate validity using a 24-hour telephone hotline
operated by SK. With these two concepts combined, users must be able to clearly
10
differentiate the signatures given using a valid certificate from those given using a
suspended or revoked certificate. Thus, there is a need for a time-stamping and
validity confirmation service which binds the signature, time and certificate validity.
Another important concept concerning signature validity is that the signature must be
valid also when the certificate has already expired or been revoked. If a certificate is
suspended by the card holder or anyone else, the card holder can reactivate it at a
bank office.
A number of experimental time-stamping protocols and technologies have been
proposed, but no common understanding or agreements of time-stamping is present,
the experimental technologies are under constant development and not in mass use.
Thus, an innovative approach was needed. SK chose to base its time-stamping
implementation on standard OCSP. The protocol contains a Nonce field, which
protects against replay attacks. Instead of cryptographically random data, the Nonce
field is set to contain the hash of the data to be signed, because it can also be
interpreted as just a random number. According to the RFC, the OCSP responder
signs its response which in SK-s case, contains the original nonce (document hash),
response providing/signing time and ID of the certificate used to give the signature,
binding the three pieces of data together and providing the validity confirmation for
the digital signature. SK stores the signed response in its log as evidence material.
SK has implemented all of the above, including both client and server parts, in its
DigiDoc digital signature architecture.
Document format and DigiDoc
In order to bring digital signatures into everyday life, common understanding and
signature handling practices are required. In addition, software and technology must
be available for anyone interested, in order to create compatible applications. After
all, the key to unleashing potential digital signature benefits lies in communication
between organizations, not within one organization. Therefore, it is vital that all
organizations in a given community interpret and understand digital signatures the
same way. In case of Estonia, the community is the whole country.
A number of digital signature implementations and applications are available on the
market, all claiming to be suitable for specific purposes. However, no known
application or implementation of the latest standards was found which would suit the
needs of the Estonian project, and reliance on foreign software providers guaranteeing
the functioning of a country's everyday life relying on digital signatures can also be
seen as a strategic risk. Therefore, a whole new approach – and a whole new software
architecture – was needed.
In 2002, SK together with its partners created an all-around digital signature
architecture dubbed DigiDoc. As the name suggests, DigiDoc aims to meet all the
needs users might have about digital signature creation, handling and verification.
On the server side, DigiDoc provides an RFC2560-compliant OCSP server, operating
directly off the CA master certificate database and providing validity confirmations to
certificates and signatures. On the client side, it provides a number of components.
11
The most important component is digital document format, which is key to common
digital signature implementation and practice. As of 2002, a number of standards have
been adopted or are in preparation. SK based the DigiDoc document format on XMLDSIG standard. However, it has several shortcomings such as allowing only one
signature per document, and in February 2002, ETSI published its extensions to
XML-DSIG as ETSI TS 101 903, also known as XAdES. DigiDoc document format
is a profile of XAdES, containing a subset of its proposed extensions. The DigiDoc
format is described in a specification document.
Based on the document format, a library was developed in C language which binds
together the following:
• DigiDoc document format
• SK-s OCSP validation service
• Interfacing with the user's ID card using Windows' native CSP interface or
cross-platform PKCS#11
The DigiDoc library provides easy-to-use interfaces to all of the above and there is no
need for application developers to know OCSP protocol specifics or DigiDoc
(XAdES, XML-DSIG) format internals. It can be embedded in any application and on
top of it, a COM interface has been implemented, making it easy to add DigiDoc
support to any Windows application supporting COM technology. A Java
implementation is also provided.
However, providing the libraries and formats was not enough because these do not
add value to end users without real applications. Although it is expected that DigiDoc
support will eventually be present in most Estonian document management systems,
web sites dealing with documents etc, a number of example or "reference"
applications are also provided. DigiDoc Client is a Windows application that lets
users simply sign and verify documents, and DigiDoc portal is an application that lets
users do the same online without the need to install any stand-alone software.
Naturally, both are based on the same DigiDoc library and thus fully compatible –
signatures given in Client can be verified in portal and vice versa.
The libraries, specifications and applications are provided to Estonian public free of
charge, and it is expected that digital signature usage in common life and everyday
business and government practices will grow significantly already in 2003. The first
official digital signatures in Estonia were given using DigiDoc Client only on October
7, 2002, and implementing the digital signature on a national scale naturally takes
some time.
Roles, authorizations and organizations' validations
In connection with implementing PKI and digital signatures, the question of roles and
authorizations has arisen in various projects. It is assumed that certificates for digital
signing may be issued for specific purposes only, and that a person's roles can be
embedded in role certificates that are then used for authenticating the certificate
holder into different systems and giving digital signatures in different roles. Thus, a
person needs additional role and signature certificates for each different role he or she
has, and the number of certificates grows, creating substantial interoperability and
scalability issues.
12
The Estonian approach states (as also said in the Estonian DSA) that a digital
signature given using a digital signing certificate is no different than a handwritten
one. A person's handwritten signature does not contain his or her role – the role and
authorization are established using some out-of-band method (out-of-band in the
context of certificates). The same approach also goes for authorization while
authenticating – a person's certificate should not contain his or her authorization
credentials. Instead, everyone has a similar universal key (authentication certificate),
and the person's role and authorization can be determined using some other method
(e.g. an online database) based on that key.
An exception to the above is organization's validation. Digital documents sometimes
need to be validated by organizations, so that other organizations can be sure of the
identity of the organization where the document originated. This is useful for e.g.
signing pieces of databases (e.g. bank statements) online, to be presented to other
organizations. For this, SK issues certificates to organizations that can be used to sign
documents digitally. Technically, they are equivalent to personal signing certificates
on everyone's ID card, but legally, they are not viewed as signatures and need not be
covered by law, because according to the Estonian law, only real persons can give
signatures. The "organizations' signatures" must therefore be viewed simply as
additional tools for proving information authenticity (that it really originated from a
specific organization) which may or may not be accompanied by a digital signature of
a real person working in that organization. Still, the PKI complexity stops here, and
besides personal and organizational signature certificates, there is no need for
personal role certificates or anything else more complex.
New ideas: replacement and alternative cards
As of the beginning of 2003, a number of ideas are being discussed for improving the
availability and usability of digital signatures in Estonia. One of them is the
"replacement ID card", or backup card. The main concern here is that the card issuing
process described above is quite complex and according to current regulations, it may
take up to 30 days for a person from the moment of presenting the application to
receiving the card. If a card is lost or damaged and a person needs to get a new one,
this may mean that he or she may not be able to give digital signatures for 30 days
which may not be acceptable in some high-stake business environments. Therefore, a
possibility could be established that current ID card holders might get a "backup card"
to minimize the extent of the above problem. However, this is currently not
implemented, and another remedy for the problem is that the above organizations will
just implement an "express service" which would be more expensive but quicker
method of getting an ID card in the "normal" way.
Another idea is that of "alternative card". National ID card need not be the only
carrier of digital signing certificates. Some large companies are already using smart
cards for their internal services, and would like to have digital signing certificates
issued by SK to be added to their internal cards. The company itself would then act as
Registration Authority, and SK would be responsible for issuing certificates in
response to certificate requests, as is also the case with regular ID cards. Still, this
"alternative card" will remain a niche solution and for the general public, the Estonian
national ID card is the universal signing tool for whatever role a person may be acting
in.
13