A project of the Centre for Internet and Society, India
Supported by Omidyar Network India
This short essay accompanies our first set of research maps on digital identity systems. The maps are a detailed account of Estonia’s e-ID system. Below we summarize key insights derived from the research process, mapping exercise and the maps themselves.
Post-Soviet Estonia had to quickly find a solution to provide government services with relatively scarce resources to a largely scattered population. It came up with the solution of digitising these services. The Estonian Digital ID system enables citizens and residents to conduct almost all their affairs online and with great ease, being able to cast their vote from anywhere in the world, or start a company or file their taxes in a matter of minutes, without leaving their homes. The mandatory digital identity serves as the primary means by which Estonians can access almost all public and many private services. This has been posited as the most effective solution to the problem of establishing identity without the usual barriers and costs of bureaucracy and its associated paperwork. Estonia claims that by completely automating the disbursal of government services via this digital identity it has saved the equivalent of 2% of its economic output, and the workload of more than 1400 people annually.
The basis of this system of e-governance consists of three parts: a unique ID number (Personal Identification Code, or PIC), which serves as a single authoritative source of identity; a means by which the citizen can interact with these services with the required level of confidence and privacy (through smart cards or Mobile ID); and a system that ensures that data collected is minimal and utilised meaningfully (via X-Road).
The different forms of digital identity available in Estonia are Digi-ID, which is a smart card; Mobile ID, which is a special SIM card inserted in the user’s phone; and Smart ID, which is an application for both smartphones and tablets. All three require additional hardware: the Digi-ID smart card requires a smart card reader, which each user receives along with their card; Mobile ID requires a special SIM card to be inserted into the user’s smartphone; and one needs a smartphone or tablet to use the Smart ID application. As illustrated in our diagram describing the process of enrolment for Mobile ID, even a single process can require a smart card, smart card reader, smartphone, special SIM, and internet connectivity, even if the resident seeks the assistance of a Telecom Service Provider official in activating the Mobile ID SIM.
Estonia is heavily dependent on technological solutions to provide identification to its citizens and residents. The only physical artifact is in the form of smart cards, and every other form of ID is completely digital. While this is a practical solution for Estonia’s small and technologically-forward population, such modes of identification may not be practical in countries that do not have the financial resources to issue smart cards to large populations, or develop and maintain the necessary digital infrastructure to support them. In India, for instance, residents are provided with a physical copy of their Aadhaar card in the form of a paper copy with no smart capabilities. This is to account for significant sections of the population who may not have the means to access a digital copy (which is also available as an alternative), while keeping the cost of providing ID to millions of people as low as possible. In addition, in many developing countries, biometrics is increasingly being seen as a less expensive form of authentication, as against the comparatively high costs of smart cards, mobile phones or tablets required in Estonia.
The mandatory digital ID system serves as the primary means by which Estonians can access almost all public and many private services. The only government interactions that cannot be executed online are marriage, divorce, and transfer of property. The X-Road interoperability platform has brought many private service providers into the ambit of this system as well. Almost all engagement between citizens and the government and private sector therefore happens online, facilitated by each citizen’s unique PIC.
As an example of the vast range of activities encompassed within this digital ID ecosystem, a citizen can vote in local elections from anywhere in the world, start a company, receive advice about what crops to plant in their land holdings, apply for and receive benefits and subsidies, or monitor their children’s academic progress, without leaving their home. A newborn can be immediately registered on this system completely online. Due to the information exchange enabled by the X-Road framework, most of these actions can be completed in a few minutes.
If one looks at the healthcare map closely, one can see the use of the digital ID and its accompanying digital infrastructure in registering with healthcare providers, accessing medicines and pharmacy services, getting access to patient summaries and reports, and getting health insurance. The same digital infrastructure is also used by the state for planning and research activities by accessing anonymized datasets, and using aggregate data for quarterly and annual reports.
Despite the obvious conveniences of such a system, the recording of every single action online creates a continual digital trail, and gives rise to concerns about the possibility of detailed citizen profiles, and the consequent harms that could arise from them. As more and more services and benefits are accessed digitally, a continual and granular digital trail of individuals’ activities and behavior is created. These concerns are addressed, to a limited extent, by ensuring that all databases are completely decentralised and encrypted.
The key distinctive feature of Estonia’s digital ID system is X-Road Interoperability, which forms its IT backbone. As illustrated in the diagram below, there is no central database in this system. Different organizations and public sector institutions, represented by Department A and B in the map, are linked to one another and communicate directly to share data. The resident authenticates themselves to the department from which they want to avail a service, and then the X-Road layer is used for data sharing. The use of such a data sharing system has significant repercussions:
Since different departments are interlinked and communicate with each other directly, data is not routed through a central point and this avoids creating a single point of failure.
The collection of data is minimised in such a system. If every resident is uniquely identifiable and different organizations and institutions are seamlessly interconnected, residents’ information can be pulled from existing records and pre-filled into other forms in order to avoid data and task duplication.
Note that departments not only have to share a “data query” with each other, but also the “purpose” of the query. This “purpose” is checked against the Rules of Information Sharing established by the Estonia Information Authority. In a system where the resident has little control over how their data is shared after they authenticate themselves once, this helps to provide a small measure of control to them. The digital ID system allows residents to check who has accessed their data and for what purpose. Residents are also empowered to approach the courts if they suspect that these reasons are not justified. However, a notable exception to this is law enforcement, which is not obliged to log its access during an investigation, but is required to inform citizens when an investigation concludes.
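The purpose check and resident-visible access log described above, sketched as an added example; it is not code from X-Road or from the maps. The rule table, body names and the `Gateway` class are constructed for illustration, and holding law-enforcement queries in a pending list until the case closes is a modelling assumption.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed rule table: (requesting body, registry) -> permitted purposes.
# The real rules are set by the information authority; these are placeholders.
RULES = {
    ("health_insurance_fund", "population_register"): {"verify_insurance_cover"},
    ("tax_board", "business_register"): {"prefill_tax_return"},
}
LAW_ENFORCEMENT = {"police"}  # assumption: bodies covered by the exception

@dataclass
class Gateway:
    access_log: list = field(default_factory=list)      # resident-visible
    pending_notice: list = field(default_factory=list)  # disclosed at case close

    def query(self, requester, registry, pic, purpose, case_id=None):
        """Return True if the query may proceed; record who asked and why."""
        entry = {"when": datetime.now(timezone.utc).isoformat(),
                 "requester": requester, "registry": registry,
                 "pic": pic, "purpose": purpose}
        if requester in LAW_ENFORCEMENT:
            if case_id is None:
                return False  # exception applies only to a named investigation
            self.pending_notice.append({**entry, "case_id": case_id})
            return True
        allowed = purpose in RULES.get((requester, registry), set())
        self.access_log.append({**entry, "allowed": allowed})  # denials logged too
        return allowed

    def who_accessed(self, pic):
        """What a resident sees: requester, purpose and outcome per access."""
        return [(e["requester"], e["purpose"], e["allowed"])
                for e in self.access_log if e["pic"] == pic]

    def close_investigation(self, case_id):
        """Move a concluded case's accesses into the resident-visible log."""
        done = [e for e in self.pending_notice if e["case_id"] == case_id]
        self.pending_notice = [e for e in self.pending_notice
                               if e["case_id"] != case_id]
        for e in done:
            self.access_log.append({**e, "allowed": True})
        return len(done)
```

Logging denied queries alongside permitted ones gives the resident, and any later court review, a record of attempts made with an unapproved purpose.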
As described in the map, all incoming data is authenticated and logged, and outgoing data is digitally signed and encrypted. Despite these steps, X-Road raises concerns over granting access to personal data of residents to both public and private actors. The threat of cyber attacks is constant. A security flaw discovered in 2017 resulted in the revocation of security access of almost 800,000 identity cards. Although there was no recorded data theft, the flaw could potentially expose a person’s entire digital identity and allow their identity to be hijacked.
An ID system that is built around X-Road presupposes a high level of trust between the government and its citizens. For instance, while some registries contain information that is updated automatically (such as health records), other registries require the citizen to keep this information updated (such as official contact information). The citizen trusts that their information will not be misused by the government and the many institutions that access it, and the government trusts that the information provided by the citizen is up to date. This allows the government to take informed decisions based on government data.