Digital Identities:
Design and Uses

A project of the Centre for Internet and Society, India
supported by Omidyar Network

Mapping Digital Identity Systems:
Estonia

December 13, 2019

Conceptualization by Saumyaa Naidu and Pooja Saxena
Research by Shruti Trikanad and Yesha Tshering Paul
Mapping by Akash Sheshadri, Saumyaa Naidu and Pooja Saxena
Text by Shruti Trikanad, Yesha Tshering Paul, Saumyaa Naidu and Pooja Saxena
With inputs from Amber Sinha and Sunil Abraham

This is the first in a series of research maps, resulting from our global survey of digital identity systems. Read together with our glossary of core concepts and processes, these maps provide a coherent view of digital identity in Estonia. They shine a light on the pervasiveness of digital identity, as well as dissect digital identity systems in a way that brings attention to the actions of key stakeholders, and to kinds of data and how they are shared. Designed as stepping stones to further research, the maps facilitate the identification of points of accountability and intervention.


As a result of a national eID card being mandatory, nearly 1.3 million Estonian citizens have a permanent personal ID code, which forms the basis of the digital identification process. The different forms of identification in the Estonian Digital ID ecosystem are Digi-ID (in the form of a smart card), Mobile ID (via a special SIM to be inserted in a smartphone) and Smart ID (an application for smartphones and tablets that does not require a special SIM). These multiple forms of identification can be used to access various services and to digitally sign documents. These IDs are available to all citizens and residents, as well as e-residents, of Estonia.

Estonia’s e-solution environment empowers residents and citizens to avail of almost every government service online, in addition to many private services. This system entails each service having their own information system. X-Road provides an open-source interoperability platform between these different information systems. Different X-Road ecosystems can also be joined and federated.

The various actors in the Digital ID ecosystem (in addition to ID users) that avail of this ID include both public and private actors. These actors differ according to the form and purpose of ID. Major actors include state authorities such as the Police and Border Guard Board; state services such as the Estonian Health Information System; state databases such as the Estonian Population Register and Identity Documents Database; and private entities such as Telecom Service Providers.

Download as PDF

Download as PDF


Process Maps

The core processes within each digital identity system are being mapped in order to evaluate the existing technological and policy decisions. These process maps bring forward the advantages and barriers in the mechanisms of identification, authentication, and authorisation. These maps follow the Swim Lane Model to capture these processes. The use of this technique helps to read the processes with clarity, and also points out the multiple possibilities at different steps.

The Swim Lane Model represents a process as a sequence of steps, and places the entities in different lanes (or columns) to show who is responsible for taking those steps. Each column shows the action taken by the respective entity. The numbered rows establish the sequence of steps. The arrows connect the end of each step to the beginning of the next one (refer to the key to navigate the process maps). They also indicate multiple routes that can be taken within a step. Additionally, these process maps highlight the data being collected and digital identity artifacts being used in various steps.

1

Identification

1.1

Digi ID

The digital identity card (Digi-ID) is a smart ID card that can be used by citizens and residents of Estonia. The Digi-ID can be used for authentication and digital signatures, but cannot be used as visual identification, as its purpose is to be used in a digital environment. Use of the Digi-ID requires a card reader, and the validity of the Digi-ID is 5 years. This map shows the process of a resident obtaining a Digi-ID from the Police and Border Guard Board.



1.2

Mobile ID

Mobile ID allows users to use their smartphones as a form of secure digital identification in order to access e-services and digitally sign documents. Unlike the Digi-ID, it does not require the use of a card reader. However, it requires a special SIM card obtained from the telecom service provider. This map showcases the process of signing up for Mobile ID through a smartphone.



1.3

Smart ID

Smart ID is a free mobile application that allows a user to prove their identity online in the absence of a SIM card on their smart device. It can be used to access financial e-services, confirm transactions and agreements. In addition, Smart ID has been recognised by the European Union as a Qualified Signature Creation Device (QSCD), which means that digital signatures through it must be recognised by every European State. This map illustrates the process of signing up for a Smart ID through a smartphone or tablet.



2

Authentication

2.1

Digi ID

For authentication and digital signatures a Digi-ID card, a smart card reader, and the PIN1 and PIN 2 contained on the smart card are required. The resident opens the web interface, which asks the resident for their ID card. The ID card is inserted into a smart card reader, following which the resident enters PIN1 into the web interface, which then authenticates the certificate in the ID card. To authenticate digital signatures, the resident opens the web interface which shows the document to be signed. On clicking the option to sign, the web interface requires the resident to insert the ID card into the smart card reader. Once the resident approves the document, the web interface requires them to enter PIN2, following which the resident is able to submit the document.



Digi ID Login



Digi ID Digital Signature



Digi ID Service Authentication



2.2

Mobile ID

In the Mobile ID authentication process, the resident enters their phone number in the e-service, which sends an authentication request to the Digi Doc Service (DDS), which in turn receives a certificate from the Certificate Authority. The Mobile ID application sends the e-service provider’s name as a hash to the Short Message Service Centre through the DDS, following which the resident enters their private key and is granted access.



2.3

Smart ID

Authentication through Smart ID requires the resident to enter their ID number, following which the e-service generates and sends them a four-digit code. They enter the code Smart ID app, which sends an authentication response to the e-service.



Smart ID Login



Smart ID Digital Signature



3

X-Road Interoperability

X-Road is an interoperability service that links each separate public and private sector e-information system and enables them to communicate seamlessly with each other without human intervention. All information is held in a distributed data system which can exchange information instantly upon request and be accessed 24/7. It can write to multiple information systems, transmit large data sets and perform searches across several information systems simultaneously. All incoming data is authenticated and logged, and all outgoing data is digitally signed and encrypted in order to ensure data security. This map illustrates how X-Road enables interoperability between different services and departments.



Systems Maps

As part of the systems thinking approach, sectoral use cases have been mapped to understand how the digital identity system in Estonia has been conceptualised and implemented. Studying these sectors allows a closer look at the various purposes of the digital identity, and how the residents, and state and private actors interact with it. The ERAF technique of systems mapping has been used for these maps to give a holistic view of the system and connections within it. It is an analytical tool rather than a representational tool. The ERAF model helps to place the various constituents involved in the system and divides them into entities, relationships, attributes, and flows. This technique of mapping reveals missing connections and flows in a system, and leads to the identification of specific leverage points where a small shift can produce a big impact on the system.

In the ERAF model, entities are the key components. These could be individuals, institutions, laws, places, etc. Relationships describe the way in which different entities are connected to each other. Attributes are characteristics that describe the entities. These could be duration, dimensions, costs, etc. The Flows show the direction of action between entities. This includes transaction of data and resources. Data and its flow within the system, and digital identity artifacts have been highlighted in these maps (refer to the key to navigate the process maps).

1

Agriculture

The agriculture sector in Estonia allows users to access a range of information, aid, and support through a unified portal of Agricultural Registries using their digital IDs. They can also access real time information about land, its owners, and associated rights, to allow potential buyers consolidated access to information about any land in Estonia.



2

Education

The Estonian education sector introduced the use of digital IDs to improve efficiency in learning and teaching, effectively monitor the education system, and to provide one consolidated point to access digital learning materials. Digital ID holders can easily communicate with students, teachers, and parents; access basic, general, and vocational education learning materials; and access detailed information about education institutions, students, teachers, curricula, etc.



3

Finance

The Financial and Banking sector in Estonia embraced the use of digital ID with the intent of improving the ease of doing business in Estonia — customers can open bank accounts, access services, conduct transactions, and affix their digital signatures using only their digital ID.



4

Healthcare

The Estonian E-Health framework was envisaged as a means to overcome fragmented communication flows between healthcare service providers, to streamline services, and to improve coordination of care. It primarily consists of a system of mandatory uploading of electronic patient health records, with secure access to healthcare providers, and the creation of e-prescriptions for easy and monitored dispensation of medicines.



5

Welfare Schemes

The use of digital ID in the Estonian welfare sector was included with the intent of allowing residents easy access to welfare services and aid — digital ID holders can submit online applications to different welfare schemes through State portals, without ever having to visit physical offices or produce physical documents.



Stakeholders


Estonian E-Health Foundation

The Estonian E-Health Foundation is in charge of implementing e-health activities in Estonia, including the management of E-health registries and the publishing of standards of healthcare. It was established by the Ministry of Social Affairs, and comprises members from major Estonian hospitals, the Ministry of Social Affairs, the Tartu University Hospital Foundation, the Estonian Hospital Association, the Union of Estonian Emergency Medical Services, and the Estonian Society of Family Doctors.


Estonian Health Information System

The Estonian Health Information System is an integrated platform that contains Electronic Health Records uploaded by healthcare service providers, along with booking services, e-prescription services, and statistics and ambulance modules.


Central Prescription Centre

The Prescription Centre is a centralised database linked to the Health Information System, with the necessary services that provides access for doctors and pharmacies. It collects all e-prescriptions issued by physicians, and can be accessed by pharmacists anywhere in Estonia to dispense required medicines.


Population Registry

The Population Registry is a State database that contains basic information about all Estonian residents, including their name, ID code, date of birth, nationality, etc. It is connected by X road to several other databases and services, and allows access to entities performing public duties, or for legitimate purposes.


Unemployment Insurance Fund

The Unemployment Insurance Fund portal allows Estonian ID holders to register as unemployed, and therefore access services such as job opportunities, or receive unemployment insurance or allowance.


Estonian Information System Authority

The Estonian Information System Authority develops and manages the State’s information system, is in charge of information security, and handles the security incidents that have occurred in Estonian computer networks. It also monitors the information systems of providers of public services.


Estonian Social Insurance Board

The Estonian Social Insurance Board manages the social benefits available to Estonian residents, and handles applications and requests for parental benefits, maternity benefits, child allowances, pensions, etc.


Estonian Agricultural Registers and Information Board

The Estonian Agricultural Registers and Information Board maintains agricultural registries and other related databases, and processes the collected data. It is also in charge of awarding various agricultural and rural development grants.


ePRIA Portal

e-PRIA is the client portal of the Agricultural Registers and Information Board, through which ID holders can submit documents to ARIB and check their details in ARIB's registers. It can also be used by ID holders to apply for a range of support.


Estonian Land Board

The Estonian Land Board is a government body functioning under the Ministry of the Environment, that manages all land related information and is tasked particularly with ensuring more efficient management and use of land, organising geodetic and cartographic activities, establishing the land cadastre, organising land assessment and supervising the enforcement of land tax, issuing licences for land readjustment activities, etc.


E-Land Register

The E-land register is a web application that contains information on all ownership relations and rights for properties/land parcels in Estonia. It ensures total transparency by delivering real time geographical data, showing property boundaries and registered owners, displaying all encumbrances/restrictions, and providing all other information that potential buyers need.


National Register of Veterinarians

The National Register of Veterinarians is established by the Veterinary Activities Organisation Act, and contains information about veterinarians holding the required qualifications, the veterinary supervision and veterinary checks of veterinary practice, and the data required for producing statistics enabling the organisation of veterinary activities. It is managed by the Veterinary and Food Board.


Estonian Veterinary and Food Board

The Estonian Veterinary and Food Board, functioning under the Ministry of Agriculture, is a supervisory body that executes legislations governing veterinary, food safety, market regulation, animal welfare, and farm animal breeding. It aims to ensure the production of safe, healthy and quality raw materials for food, protect people and animals from infectious diseases, and to ensure productivity of farm animals and increase their genetic value.


National Register of Food and Feed Business Operators

The National Register of Food and Feed Business Operators, maintained by the Veterinary and Food Board, processes data concerning the food and feed business operators that hold the required activity licence to maintain records and ensure efficient official control.


Estonian Livestock Performance Recording Ltd

The Estonian Livestock Performance Recording Ltd is tasked with improving the efficiency of animal husbandry, primarily by recording the performance of dairy cattle, beef animals, pigs and goats, and performing genetic evaluation of livestock and independent testing of the quality of raw milk.


E-Kool Platform

E-Kool is a school management network (web application) that connects pupils, parents, schools and supervisory authorities, and allows the exchange of information about time tables, grades, homework assignments and other similar features.


E-Schoolbag

E-Schoolbag, developed by the Ministry of Education and Research, is a portal for digital learning materials containing materials for basic, general and vocational education, arranged by keywords on the basis of the curriculum.


Estonian Education Information System

The Estonian Education Information System is a State database that contains details about education institutions, students, teachers and lecturers, graduation documents, study materials and curricula. It is also intended as a tool to monitor the education system to ensure it prepares residents for the labour market of the future.


Police and Border Guard Board

The Police and Border Guard Board functions under the Ministry of Interior, and is responsible for law enforcement and homeland security in Estonia. It is also the issuing and supervisory authority for the Digital ID cards in Estonia.


Citizen Portal

The Estonian citizen portal allows ID holders to access all government information and e-services from one unified gateway, through their digital ID. It also allows access to their own personal information as well as information regarding the entities that have accessed their data.


Smart ID Application

The Smart ID Application is a mobile application that provides digital identification services without the need of a special SIM card. It involves the registration of an account and the creation of PINs to authenticate the users’ identity and to create digital signatures.



Bibliography


Identification

Andre Martin and Ivan Martinovic. “Security and Privacy Impacts of a Unique Personal Identifier.” Working Paper Series – No. 4 (2016). https://www.politics.ox.ac.uk/materials/publications/14987/workingpaperno4martinmartinovic.pdf.

“Home: Estonian Information System Authority”, Information System Authority, last accessed October 30, 2019. https://www.ria.ee/en.html.

“ID -card”, Politsei- ja Piirivalveamet, last accessed October 30, 2019. https://www2.politsei.ee/en/teenused/isikut-toendavad-dokumendid/id-kaart/.

“Digi-ID”, Politsei- ja Piirivalveamet, last accessed October 30, 2019. https://www2.politsei.ee/en/teenused/isikut-toendavad-dokumendid/digi-id/.

“Mobiil-ID”, Politsei- ja Piirivalveamet, last accessed October 30, 2019. https://www2.politsei.ee/en/teenused/isikut-toendavad-dokumendid/mobiil-id/.

“Application for e-resident’s digital identity card”, Politsei- ja Piirivalveamet, last accessed October 30, 2019. https://www2.politsei.ee/en/teenused/isikut-toendavad-dokumendid/e-residendi-digi-id/.

Police and Border Guard Board. “Estonian eID scheme: ID card: Technical specifications and procedures for assurance level high for electronic identification” (2018) https://ec.europa.eu/cefdigital/wiki/download/attachments/62885749/EE%20eID%20LoA%20mapping%20-%20ID%20card.pdf.

Police and Border Guard Board. “Estonian eID scheme: Digi-ID: Technical specifications and procedures for assurance level high for electronic identification.” (2018) https://ec.europa.eu/cefdigital/wiki/download/attachments/62885749/EE%20eID%20LoA%20mapping%20-%20Digi-ID.pdf?version=1&modificationDate=1531759815275&api=v2.

Police and Border Guard Board. “Estonian eID scheme: Mobiil-ID: Technical specifications and procedures for assurance level high for electronic identification.” (2018) https://ec.europa.eu/cefdigital/wiki/download/attachments/62885749/EE%20eID%20LoA%20mapping%20-%20Mobiil-ID.pdf?version=1&modificationDate=1531759816924&api=v2.

“How to apply for Mobiil-ID?”, ID, last accessed October 30, 2019. https://www.id.ee/index.php?id=36913.


Authentication

“ID-card”, E-Identity, last accessed October 30, 2019. https://e-estonia.com/solutions/e-identity/id-card.

“Mobile-ID”, E-Identity, last accessed October 30, 2019. https://e-estonia.com/solutions/e-identity/mobile-id/.

“Smart-ID”, E-Identity, last accessed October 30, 2019. https://e-estonia.com/solutions/e-identity/smart-id.

“E-Residency”, E-Identity, last accessed October 30, 2019. https://e-estonia.com/solutions/e-identity/e-residency/.

Police and Border Guard Board. “Estonian eID scheme: ID card: Technical specifications and procedures for assurance level high for electronic identification” (2018) https://ec.europa.eu/cefdigital/wiki/download/attachments/62885749/EE%20eID%20LoA%20mapping%20-%20ID%20card.pdf.

Police and Border Guard Board. “Estonian eID scheme: Digi-ID: Technical specifications and procedures for assurance level high for electronic identification” (2018) https://ec.europa.eu/cefdigital/wiki/download/attachments/62885749/EE%20eID%20LoA%20mapping%20-%20Digi-ID.pdf?version=1&modificationDate=1531759815275&api=v2.

Police and Border Guard Board. “Estonian eID scheme: Mobiil-ID: Technical specifications and procedures for assurance level high for electronic identification.” (2018) https://ec.europa.eu/cefdigital/wiki/download/attachments/62885749/EE%20eID%20LoA%20mapping%20-%20Mobiil-ID.pdf?version=1&modificationDate=1531759816924&api=v2.


X-Road Interoperability

World Bank Group, “Privacy by Design: Current Practices in Estonia, India, and Austria,” (2016), last accessed December 9, 2019, https://id4d.worldbank.org/sites/id4d.worldbank.org/files/PrivacyByDesign_112918web.pdf.

P. Herlihy, “Government as a data model: what I learned in Estonia,” Government Digital Service blog (UK), last accessed December 9, 2019, https://gds.blog.gov.uk/2013/10/31/government-as-a-data-model-what-i-learned-inestonia/.

Uuno Vallner, “Secure data exchange platform. Principles and implementation. X-Road,” e-Governance Academy, last accessed December 9, 2019, https://scoop4c.eu/sites/default/files/2018-03/Overview-of-Secure%20Data-Exchange-X-Road-6.pdf.


Healthcare

Developing an Integrated e-health system in Estonia: Case Profile https://www.integratedcare4people.org/media/files/CaseProfileEstonia.pdf.

World Bank Group. “The Role of Digital Identification for Healthcare: Emerging Use Cases” (2018) http://documents.worldbank.org/curated/en/595741519657604541/The-Role-of-Digital-Identification-for-Healthcare-The-Emerging-Use-Cases.pdf.

Kristjan Vassil. “Estonian e-Government Ecosystem: Foundation, Applications, Outcomes” World Development Report (2016) http://pubdocs.worldbank.org/en/165711456838073531/WDR16-BP-Estonian-eGov-ecosystem-Vassil.pdf.

“Healthcare”, e-estonia, last accessed October 28, 2019, https://e-estonia.com/solutions/healthcare/e-health-record/.

Jaan Priisalu, Rain Ottis. “Personal Control of Privacy and Data: Estonian Experience Health and Technology” Health and Technology (December 2017) pp 441-451 https://link.springer.com/article/10.1007/s12553-017-0195-1.


Agriculture

Ene Karner. “The Future of Agriculture is Digital: Showcasting -Estonia” Frontiers in Veterinary Science (September 21, 2017) https://www.frontiersin.org/articles/10.3389/fvets.2017.00151/full.

World Bank Group. “The Role of Digital Identification in Agriculture: Emerging Applications.” (2018) http://documents.worldbank.org/curated/en/655951545382527665/pdf/Digital-ID-Agriculture-Web12192018.pdf.

Uuno Valner et al. “State of play report of best practices” Stakeholder Community for Once-Only Principle Version 1, (August 10, 2017) https://scoop4c.eu/sites/default/files/2018-01/SCOOP4C_D1.2_0.pdf.

Establishment of Register of Farm Animals Regulation RT I 2008, 33, 205, 2008, https://www.riigiteataja.ee/akt/13000254.


Education

“Education and Science”, Services, Eesti.ee. last accessed October 28, 2019, https://www.eesti.ee/eng/services/citizen/haridus_ja_teadus/isikukaart_eesti_ee_portaali.

“Education”, e-estonia, last accessed October 28, 2019, https://e-estonia.com/solutions/education/estonian-education-information-system/.

“eKoolikott”, last accessed October 28, 2019 https://e-koolikott.ee/.

Birgit Lao-Peetersoo, “Introduction of Estonian Education Information System (EHIS)” (June 30, 2014) http://www.oecd.org/education/ceri/Birgit%20Lao-Peetersoo_Introduction%20to%20the%20Estonian%20Education%20Information%20System%20EHIS.pdf.


Welfare

European Commission. Your Social Security Rights in Estonia. July 2013. Last accessed October 28, 2019, https://ec.europa.eu/employment_social/empl_portal/SSRinEU/Your%20social%20security%20rights%20in%20Estonia_en.pdf.

“Online Services”, Republic of Estonia Social Insurance Board, last accessed October 28, 2019. https://www.sotsiaalkindlustusamet.ee/en/online-services.

“Social Rehabilitation”, Republic of Estonia Social Insurance Board, last accessed October 28, 2019. https://www.sotsiaalkindlustusamet.ee/et/puue-ja-hoolekanne/sotsiaalne-rehabilitatsioon#Sotsiaalne%20rehabilitatsioon.


Finance

“Business and finance”, e-estonia, last accessed October 28, 2019. https://e-estonia.com/solutions/business-and-finance/e-banking.

“Banking and Financing”, invest in estonia, last accessed October 28, 2019. https://investinestonia.com/business-in-estonia/financing/banks.


This website presents research undertaken by the Centre for Internet and Society, India on appropriate design choices for digital identity frameworks, and their implications for both the sustainable development agenda as well for civil, social and economic rights. This research is supported by a grant from Omidyar Network India.

CIS is a non-profit organisation that undertakes interdisciplinary research on internet and digital technologies from policy and academic perspectives. Through its diverse initiatives, CIS explores, intervenes in, and advances contemporary discourse and regulatory practices around internet, technology, and society in India, and elsewhere.