Estonia is renowned for its e-government infrastructure. Its electronic ID card for public as well as private organisations and the X-Road infrastructure, which has connected governmental organisations since 2001, are leading examples for other European countries. No wonder that a trip to e-Estonia was a “must-do” for many governmental strategists over the last few years. At the same time, e-Estonia faced a severe challenge last September when a vulnerability was discovered in its ID card, a vulnerability that has been tackled through an update in the cryptographic algorithms used.


This week Mr. Taimar Peterkop, the Director General of the Estonian Information System Authority, visited the Netherlands. InnoValor’s Bob Hulsebosch and Wil Janssen had the opportunity to discuss both Estonian and European developments in the field of electronic identity and services.


Mr. Peterkop, what are key ingredients of the success of e-Estonia in your opinion?

The development of e-Estonia can be seen as a technology success, but in fact, it is not. Important was the fact that we were able to tackle bureaucracy, and legislation was crucial. The technology came from existing solutions. Our ID card, for example, was based on the Finnish card. In the first two years of its existence, the X-Road infrastructure was in fact illegal. We needed to show its importance to be able to adapt legislation to this model.
Also, the Estonian mindset is very open. When visiting other countries I’m often surprised by the sensitivity of the privacy discussion I encounter. In Estonia, the development of the ID card was a joint development of the government, the Estonian banks and a telecom operator. The fact that all of them can use it was of vital importance for adoption and trust. When logging in to governmental services, Estonian citizens can choose between many different card and identification services, both private as well as public. 
 


The ID card is a contact-based card now. How will this develop in the future?

The card is contact-based indeed now. Starting 2019 we will move to a contactless card. Moreover, we also have a mobile ID where the ID card is combined with the SIM card in the phone. In order to increase robustness, we are also considering two chips in the card.


Robustness is important. The incident of September 2017 pointed out that the card infrastructure had become really vital: some services could only be used with the ID card and had no alternatives anymore. Therefore, the electronic services and ID cards need to be extremely safe and robust. Trust is key. The fact that we have been able to mitigate the incident indicates that the eco-system is becoming more resilient. This is something that we need to work on, constantly.

It would be great if the X-Road could be used to share more data between organisations. In principle, the infrastructure allows doing so freely in a transparent way. We had a strong debate on the default authorisations in accessing the data: open by default or closed. In the end, it was decided to have data closed and always let the user decide what to open up to others, of course except for data that is shared based on legal obligations. This hampers the development of pro-active services that could use the large amount of information that is available in our system. I think this is a missed opportunity.

What role do you expect from Europe in the development of this type of service?

I think the eIDAS development is very important. It will stimulate collaboration between different countries and reuse of ideas. We have initiated a Nordic Institute of Interoperability Solutions to foster the development of X-Road together with Finland. This initiative is open to other countries for collaboration.
In general, the starting points of different European countries differ enormously. This implies that our solution cannot be exported so easily. Each country has to develop a strategy that meets the requirements of its context. Top-down European strategies won’t work. As I mentioned earlier, the challenge is in tackling the bureaucracy, not in the technology.
 


How do you make sure the system is trustworthy in the eyes of its users?

Trust can fade away easily. The X-Road system creates transparency. Every citizen can check what organisation used what information concerning himself or herself. Every transaction is logged. This creates trust and acceptance, and reduces misuse of information by the government.

What we see is that we are shifting from trusting the device and the technology, to trust in the eco-system. The trust service provider (TSP) in the system originally was a joint venture of the banks, the telecom operator and the government. Today, the government isn’t a shareholder anymore, but functions as a supervisor: we have delegated services to the TSP under strict performance conditions. The delegation can be revoked if needed. The business model of this TSP is partly covered by a governmental fee (about fifty percent of the total cost) and partly by transaction fees. So it is a commercially viable service the TSP provides.