The idea of an Estonian national identity document in the shape of a card came up back in 1997. As a young generation and a new government were keen on using modern technology and IT solutions, from the very start it was decided that the card would have electronic capabilities. In this article, Helar Laasik discusses the development and possibilities of the Estonian ID card, which was first issued in January 2002.
An old proverb says that the lottery sells hope, the bank sells trust. By providing its citizens with a formal identity, the state acts as a banker providing trust. An identity is built up over time. From the viewpoint of national security it is important to manage only persons’ legal identities. An identity document or a certificate is in fact a secure communication channel.
The idea of a national identity document in the shape of a card came up back in 1997. A young generation and a new government were keen on using modern technology and IT solutions. In 1998 a card feasibility analysis was completed that paved the way for the development of the ID card. From the very onset it was decided that the card would have electronic functionality. Two pieces of legislation were introduced:
• The law on personal identification documents, in February 199.
• The Digital Signature Act, in March 2000.
These two acts provided a legal basis for the ID card, and digital signatures obtained the same legal recognition as physical ones. The physical card contract was awarded to the Swiss company Trüb AG and a contract for certification services was signed with Certification Centre Ltd. This company also created the ID card middleware and user applications. After winning the contract, Trüb AG established a subsidiary called AS Trüb Baltic with headquarters in Tallinn. The first card was issued on 28 January 2002 (see figure 1, and models 2007 and 2011 in figures 3 and 4 respectively). In October 2002 the first e‑signature was issued. To date over 1.2 million valid identity and EU residence permit cards have been issued by the Estonian Police and Border Guard Board.
E-capable identity documents
ID card/EU residence card
The ID card/EU residence card is the main and only mandatory identity document in Estonia. After Estonia reclaimed independence in 1992, people continued to consider a passport the ‘right document’ and many still share this view. People will not be tempted to apply for an ID card if they consider a passport or driving license to be sufficient. So to ensure that people would apply for an ID card, restrictions were placed on bank transfers requiring ID card identification for transfers over a certain limit. The ID card was also made a valid EU travel document. There are further benefits, such as the convenience of using digital signatures when dealing with government institutions online, which also has cost savings for governments compared to dealing with citizens face to face. A digital signature cost-profit calculator can be found on the website of SK (AS Sertifitseerimiskeskus), the Estonian Certification Centre which provides certificates for authentication and digital signing of Estonian ID cards.
Digital ID card
The first digital ID cards were issued in October 2010 (see figure 2). These cards can only be used in a digital environment. As many people rely on online services for their daily lives, losing their ordinary ID card could have serious consequences if it took at least five days to obtain a replacement. This was sufficient reason to create a new type of e‑document. The Digital ID can be issued within half an hour so people will not lose access to vital e‑services.
In 2007 the Certification Centre Ltd. and mobile operator EMT launched a means of identity verification and digital signing called Mobile ID (m-ID). In 2011 it became a state‑certified document which now has 30,000 users. A special SIM card with PKI capability is used to create a physically separate authentication channel in addition to the existing internet service used for authenticating persons and issuing legal digital signatures. With the m-ID no card reader is needed and it can even be used on 15-year-old GSM phones, making it both a convenient and popular solution. The digital functionality of the SIM card makes it the only identity document in Estonia that can be issued without human intervention.
Since the very beginning there have been rumours about the functions of the new ID document, the wildest being that it would be possible to put someone’s entire life on it. Yet some of those have become reality albeit in a somewhat different way. However, the Estonian ID card does not have, for example, the following:
• A health card functionality.
• Bank access data – no wallet functionality.
• Social security data.
• Driving licence functionality.
At the same time the ID card is convenient, easy, effective and supported 24/7, 365 days a year.
Inside the card
The card is a standard smart card containing a cryptoprocessor. Two pairs of 2048-bit RSA keys are created on the chip during personalisation. Certificates are issued to the public keys stored on the chip. Of those key pairs one pair is for authentication and the other for creating digital signatures. A personal data file for offline use of the card is also included on the chip as the third component. The personal data file is most extensively used in public transport to prove the validity of a ticket and also as a means of access control, i.e. to open doors. The contact chip allows affordable and reliable card readers to be used. An RFID chip would not have met the standard for e‑government services. An additional benefit is that everyone who applies for the ID card for the first time gets a free national email address (first name.surname[.000-999]@eesti.ee).
From the very beginning the software for the ID card was entirely developed by Certification Centre Ltd. The software, which has always been free for both the end users and developers, was initially distributed via CD-ROMs and later via the internet. Now that virtually all desktops and laptops have broadband access, the download and installation procedure is simple and quick. Libraries and installation packages for developers can also be downloaded for free from the State Information System Authority website. The latest version is usually available about three months ahead of changes in the middleware.
Support from banks has helped to increase the use of ID cards. They also promoted the use of card readers, even giving them away for free during promotional campaigns. An entry-level card reader currently costs about €6.
DigiDoc (DDoc) is a proprietary digital signature format based on ETSI TS 101 903, which corresponds to the ‘XAdES-X-L’ profile. This format is specific to Estonia. It is compliant with 1999/93/EC and COM (2012) 238. A new ASiC compatible version called BDOC is currently in development. Digital signatures can also be given via DigiDoc or Signwise portals.
The ID card currently serves two purposes:
• Personal authentication.
• Creating digital signatures, i.e. approving something.
File encryption increases security during file transfer, but is not recommended for archiving because there is no way to decrypt cryptograms after the validity of a certificate has expired. In other words: an ID card is only a personal key, all wisdom lies outside.
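The archiving caveat above can be enforced before anything is encrypted. The following is an added example, not code from the article or from the ID card software: it refuses to encrypt to a certificate that will expire before the data's retention period ends. It assumes the `openssl` command-line tool, uses generic CMS encryption in place of the ID card software's own container format, and substitutes a throwaway software key for the key held on the card's chip; all function names and sample data are constructed.

```shell
#!/usr/bin/env bash
# Added example, not from the article. A throwaway software key stands in for
# the key pair held on the card's chip; names and sample data are constructed.
WORK=$(mktemp -d)

# Create a constructed recipient key and certificate with $1 days of validity.
make_demo_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days "$1" \
    -subj "/CN=Constructed Demo Recipient" \
    -keyout "$WORK/key.pem" -out "$WORK/cert.pem" 2>/dev/null
}

# Succeed only if certificate $1 is still valid $2 days from now.
cert_outlives_retention() {
  openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Encrypt file $1 to certificate $2 if the data must stay readable for $3 days.
# Returns 2 without writing anything when the certificate expires first.
encrypt_for_retention() {
  if ! cert_outlives_retention "$2" "$3"; then
    echo "refused: certificate expires within the $3-day retention period" >&2
    return 2
  fi
  openssl cms -encrypt -aes256 -binary -in "$1" -outform DER -out "$1.cms" "$2"
}

# Decrypt $1 to stdout; this step needs the recipient's private key.
decrypt_with_demo_key() {
  openssl cms -decrypt -inform DER -in "$1" \
    -recip "$WORK/cert.pem" -inkey "$WORK/key.pem"
}

# Demo: a short transfer window is accepted, a one-year archive is refused.
make_demo_cert 30
printf 'constructed sample document\n' > "$WORK/doc.txt"
encrypt_for_retention "$WORK/doc.txt" "$WORK/cert.pem" 7 \
  && decrypt_with_demo_key "$WORK/doc.txt.cms"
encrypt_for_retention "$WORK/doc.txt" "$WORK/cert.pem" 365 \
  || echo "archive copy not written"
```

Data that must outlive the certificate should be stored under a key whose lifetime is managed separately from the card.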
The data exchange layer X-road represents the main information highway which enables secure internet-based data exchange between the state’s information systems. Most of the participants are from the public sector but the private sector also has access to it. The configuration of the environment allows complex queries to be composed. For example: e‑Police equipped patrol cars receive information about a driver or vehicle from several databases simultaneously. A picture from Citizenship and Migration DB, the car’s technical inspection status and the driving license from Estonian Road Administration DB and car insurance data from the Estonian Traffic Insurance Fund DB can be requested at the same time. All those requests are logged and unlawful data mining is prevented. The X-road is maintained by the State Information Systems Authority (RIA). Among other activities RIA is responsible for the procurement, development and distribution of ID card middleware, development and customer software. Usually, two coordinated upgrade packages are issued each year.
Citizen’s Portal is a meeting place of private persons, business people, officials and the state. Via this portal anyone who has an ID card can get access to all national and local e‑services offered in Estonia. The portal is also used for official announcements. Users can change the forwarding settings of their state email service, view who has shown interest in their personal information and much more. All such requests are logged in real time and visible to the card holder at once.
Advantages of internet access in Estonia
Nowadays, there are a large number of advantages that come with internet access in Estonia:
- 99% of private and corporate banking is done over the internet. For three years now it has been legal to exclusively publish annual reports online.
- Registering a new business is possible in about 18 minutes whereas it took over five days at best some years ago.
- It has been possible to complete income tax returns online for several years and in 2013 95% of tax returns were completed online. Users are able to sign a prefilled declaration with an ID card, digital ID or m-ID. The first tax refunds are issued as early as five days after the government starts the annual tax return process.
- e‑School has eliminated the need for school diaries. All information about for example homework, progress, grades and school activities is now available to children and their parents via e‑School.
- e‑Health and e‑Prescription have made patients’ lives easier. Doctors have access to the full or partial medical history of patients. If a repeat prescription for medication is needed, a doctor can activate a new prescription without the need to see the patient in person. After a phone call the patient can collect the prescription from a pharmacy.
- Thanks to e‑Police there is no need to carry a driving license, a car insurance policy or other car documents if the driver can present their ID card. Police dispatchers also have real-time information of patrol cars’ locations and activities.
- i‑Voting is increasingly popular in Estonia. During the 2013 local elections 133,808 people voted via the internet. Though there have been many accusations of election fraud involving i‑Voting, so far no one has been able to prove such fraud. In addition, the source code of the software was recently made public and during the last local elections, every i‑voter had the opportunity to check the result of their vote.
All this would not have been possible without widespread internet access. Currently, there are very few places in Estonia where internet access either via cable, WiFi, Wimax or 3G/4G mobile networks is not available.
Criteria for success
Both the user and the service provider must have a need and a motivation to use the digital signature. If the government takes the key initiative, many people will feel the state forces the system onto them. A partnership between the public sector and private sector can however ensure the e‑services are useful for both the people and the government.
In the case of Estonia, the initiative came from the private sector, but the public sector was involved from the very start. It was the service owners who implemented the system ensuring the interface standard and the middleware were freely accessible. A premature implementation would eventually have slowed down the project, wasting valuable time.
There are three main threats to success. State procurement processes can easily sink the ship, so clear objectives have to be set and the tendering process must be managed carefully. The second threat comes from the legal system. In many countries legalities make e‑services and certificates needlessly complex as certificates are considered government property, not a social benefit. The third threat comes from some politicians whose main objective is to ensure their re‑election after four years. They are often heavily influenced by the media.
Outsourcing must be considered with caution as third parties can often interpret the requirements in a way that suits their capabilities or interests. Creating an internal knowledge centre can prevent problems and help achieve results quicker and more efficiently. The use of standard solutions can make problems more predictable and by learning from mistakes of others, better decisions can be made.
Foreign success stories
In Azerbaijan a mobile ID system called ‘Asan Imza’ was based on Estonian e‑ID components and built and implemented within six months. The Ministry of Taxes of the Republic of Azerbaijan created the Certificate Service Centre for e‑signatures which was then integrated with the ‘Asan Imza’ centre created by the International Consortium of France, Sweden, Finland, Estonia and Azerbaijan. This formed a basis for a transition from e‑Government to m‑Government (mobile-Government).
On 10 December 2013 the heads of governments of Estonia and Finland signed a memorandum of e‑service cooperation. Reportedly, it was the first digitally signed agreement in the world between two countries. The Estonian Prime Minister Andrus Ansip first signed the document in his office in Tallinn, after which Jyrki Katainen, the Finnish Government leader, signed the document 15 minutes later in his office in Helsinki.
The agreement included Estonia granting Finland permission to use the X-Road concept, enabling the use of digital documents between different registers of both states across the Gulf of Finland. In the past, these services were developed individually and currently have serious compatibility issues as a result. The recent agreement aims to reduce costs for both countries, as well as to simplify government processes for the citizens of both countries, who will not have to repeatedly submit data that have already been provided in the other country. As an example, an Estonian citizen visiting a Finnish governmental office does not need to take along a paper document, as the required identification documentation is already accessible to government officials in digital form.
The first applications for both businesses and citizens are scheduled to be launched during the first half of 2014. One of these involves the tax offices of both countries to allow entrepreneurs to send their declarations electronically to either tax office, for example giving the Finnish Tax Administration direct access to the Estonian tax office to clarify any questions or to check for any tax debts.
In 2011 a new generation of cards was introduced and the new chip and the operating system were certified to EAL 5+ standard. At the same time 2048-bit RSA keys were introduced. To make the environment more secure, either 2048-bit RSA or at least 256-bit elliptic curve cryptography will be introduced in Digital ID and m-ID in 2014. So far, the concept of one key to open all doors has remained intact and has been proven to be strong, so the Keep It Simple and Scalable (KISS) principle works well.
• Asan Imza: http://www.asanimza.az/asan-imza-in-english/
• Citizen’s Portal: http://www.eesti.ee; https://www.eesti.ee/eng/topics
• Digi-Doc portal: https://digidoc.sk.ee
• Digital signature cost-profit calculator: http://eturundus.eu/digital-signature/
• e-Estonia | The Digital Society: http://e-estonia.com/
• Estonian Certification Centre: https://www.sk.ee/en
• Estonian Information System’s Authority: http://www.ria.ee
• Estonian Police and Border Guard Board: http://www.politsei.ee/en/
• ICT Demo Centre: http://e-estonia.com/ict-demo-center
• ID-card installer: https://installer.id.ee
• Signwise: http://www.signwise.me