Recently, during an eID ecosystem demo, a presenter took the Estonian national eID card of her two-year-old toddler and logged into the Estonian State Portal - to demonstrate the endless possibilities of the Estonian eID ecosystem to our honourable guests. These possibilities are endless, indeed.
In Estonia, eID cards are mandatory for citizens and residents. The Government has cleverly combined cryptographic certificates with the physical identification document, so everyone has an eID card on hand. Cryptographically strong certificates are generated during the personalisation of the card, and the PIN codes are handed over in security envelopes. Estonian eID cards are thus true 2FA devices: something you have (the card, with its private keys) and something you know (the PINs).
The Digital Signature Law of Estonia was passed by Parliament on March 8, 2000, recognising digital signatures as on par with handwritten signatures. And there is a myriad of popular services available - ranging from the State portal to banks, telcos and even small businesses. Our judges have pinpointed a little nuisance - as part of their digital workflow, they have to apply their digital signature more than 100 times per day and, for obvious reasons, the signature PIN must never be cached. In this extreme case, it is understandable that digitally signing documents can get boring fast.
However, there is a little catch in the toddler situation described above. The State actually issues eID-enabled documents to underage children. It is also possible to disable the electronic certificates, or simply not to use them. So the parents actually have options other than impersonating their children. Does it sound weird? Is it important at all? Yes, because according to the universal principles of legislation, parents are responsible for their underage offspring in one way or another.
Around ten years ago, while developing Internet safety rules for children, we here in Estonia received an excellent child safety checklist from our UK colleagues. It included a rule that a child, whenever requested, has to disclose their passwords to the parents. And this is where the story turns really interesting - because that rule from the British cultural space was absolutely unsuitable for Estonia.
We are trying to raise our children with the mindset that nothing is more intimate than the PIN codes belonging to your eID card. Should you ask - why? - then the answer is evident - an eID card is a true two-factor (2FA) access token. Therefore, if anybody has both in their possession - the card and the PINs - he/she can remotely complete almost every transaction a person encounters in a lifetime (mortgages and marriage being the notable exceptions). Handing over the PINs turns a 2FA token into a single-factor one, in the hands of somebody else. In this situation, we rewrote the rule to better suit our environment: “whenever your parent asks to supervise your social accounts, you should comply, while still not handing over your login credentials.”
The difference is small but profound. Estonian children are raised with the notion of digital privacy. The whole of society (including grandmothers aged 80+) has experience handling security tokens, and most of us are wise enough not to write the PINs on the back of the eID card. However, to keep our grandmas confident in using their hardware security tokens, we have to start in kindergarten.
The legal catch is whether a two-year-old child has learned numbers well enough to independently call the 1777 helpline to report the security violation. Should the child ask the mother to actually initiate the call? Interesting ethical dilemmas that the digital society provides.
Published by Anto Veldre