The History of Digital Identity in Estonia

Estonia is widely recognised as having one of the world’s most advanced digital governments, with much written on the subject by the World Bank, Forbes, the Financial Times, and more. Two steps were taken that facilitated and led to the rise of digital identity in Estonia: first, a personal identification number known as the “Isikukood” was assigned to every citizen and resident of Estonia, and second, 10-year passports were issued.

It’s often good to start with some definitions before diving deeper, so “Identity” is a set of attributes related to an entity that allows one to distinguish it from other entities. This is true for both real world communications and in IT systems. People can be identified, for example, using their name – but this attribute is not necessarily unique and will cause problems in larger systems. Passport numbers, or other personal codes or registration numbers issued by some governmental bodies are also available and more likely to be guaranteed unique.

“Digital identity” is identity used exclusively in a digital domain, by IT systems. In Estonia, each individual has their unique identifier, their “isikukood” that is used in all transactions – both in the real world and digital one, and so in Estonia, the “digital identity” coincides well with the real world “identity”.

We should also address another way “digital identity” is referenced: the authentication tool or token that is in widespread use across different organizations. People often refer to their national electronic ID-card or Mobile-ID as their “digital identity”. This double meaning can create some confusion, especially when multiple “digital identities” correspond to the same “digital identity”; i.e. you have several authentication tokens that you can use to return the same set of attributes that identify you, which is exactly the situation that we have in Estonia.

With the definitions out of the way, we can get back to the history, and a good place to pick it back up is in 1996, when internet banking was introduced, and with it, what could be seen as the first form of digital identity in Estonia. Banks created a digital identification service that individuals could use to interact with the bank online, which was subsequently made available to the tax authority for filing and submitting income tax returns. By ’98, every school had an internet connection, and in 2002, the mandatory digital identity smart card was released. It was actually the 10-year passports coming to an end that sparked the decision to look into a new kind of identity document, with Cybernetica carrying out the pilot studies for the smart cards in the late ’90s. This, along with PKI (public key infrastructure) being implemented and the X-Road (a peer-to-peer, secure data exchange platform developed by Cybernetica) being established, meant Estonia began taking the lead on the global stage.

Estonia’s digital government has been broken down into two vital components: the X-Road and digital identity, which work together to enable automation of business processes for e-government. The X-Road and Estonia’s smart card service were released around the same time and have worked together in harmony ever since, with almost one billion queries being put to the X-Road each year, 95% of which are automated.

Figure: X-Road uptake

So, it began with banks, whose first authentication offerings were code cards and subsequently PIN calculators. Estonia recognised over 20 years ago that simple username and password methods were not sufficient to carry out high assurance interactions online, certainly not when it came to banking and taxes. But Estonians wanted more. In order to implement the Digital Signature Act (which Cybernetica researchers helped to develop), Estonia had to issue smartcards to all citizens and to create a nationwide PKI. A positive side effect of this was that now there was a very secure authentication tool available that offered assurance levels that were not achievable with code cards or PIN calculators. This high assurance authentication and signing method meant people could now sign legally binding contracts and interact securely with their government remotely, with no need to visit public offices to give a hand-written signature.

Government office staff numbers stayed low; the workforce could be a fraction of what might otherwise be necessary, and time spent physically interacting with citizens and processing their requests was minimised. In order to scale government services and ensure all citizens, including those in rural areas, received the best the government could offer, there really wasn’t any other option at the time, and it was in everyone’s interest to offer more and more services online, to the point where now the only things you can’t do are purchase land and property, or get married and divorced (probably a good thing).

One of the more interesting services to be offered online in Estonia is voting. In 2005, Estonia was the first country to offer internet voting for local elections, and just a couple of years later, the world’s first general election to offer online voting to all voters took place. In the beginning, online voting numbers were small, but in 2019, the EU parliamentary elections saw 44% of votes cast online. Even in 2020, 15 years on, Estonia remains quite unique in this space.

Not long after internet voting began, and with the list of online services growing, the age of mobile phones began to dawn, and the need for laptops and card readers started to appear cumbersome. In 2007, the very convenient Mobile-ID was released. This achieved the same level of security as a smart card by storing private keys on SIM cards. This meant when people signed or authenticated, they no longer needed their smart card, but could simply respond to a notification on their mobile phone. Estonians had long joked about how they only used their smart cards during winter, when scraping ice off their windshield, but with Mobile-ID, it didn’t feel so much like a joke anymore.

Digital identity didn’t stop there for Estonia; it didn’t even stop within its borders. In 2014, the e-Residency program began, enabling individuals from other nations to apply for digital residency, effectively giving them the ability to open bank accounts and start businesses in Estonia from anywhere in the world, with any nationality. As of its 5th anniversary, e-Residency hasn’t drawn in the hundreds of thousands it originally planned to, with around 62,000 e-Residents to date, but what’s worth noting is that those 62,000 people have started over 10,000 businesses and created €31M in tax revenue for Estonia. This number has been doubling each year, and though it could still be looked at as in its infant state, it has created a door to Europe for entrepreneurs around the world and has the potential to show us what a borderless digital identity solution might look like.

Of course, innovation hasn’t stopped, with the big names in the smartphone industry threatening to remove the SIM card from upcoming devices and disrupting Estonia’s (among others) SIM-based Mobile-ID. This created a need for a new technology that achieved the same level of security and convenience the existing solutions offered. So, in 2017, Smart-ID was launched. Smart-ID is a mobile authentication solution, powered by Cybernetica’s SplitKey technology (you see a pattern here?). After release in Estonia, Latvia, and Lithuania, it went through pen-testing by the major Nordic banks and other third parties before being offered as a method of authentication and digital signing for online banks and other service providers.

Figure: Timeline of authentication tools

It took almost two years to complete EAL4+ evaluation and achieve Qualified Signature Creation Device status (QSCD), but during that time, Smart-ID became the single most used authentication and digital signing solution across the three countries, reaching over 2.5M users by 2019, handling as many as 2.3M transactions per day. It’s worth noting that the five services most used by Smart-ID are all banks. This is not a surprise and, in fact, appears almost a necessity when it comes to achieving high penetration with a digital identity solution, but that’s for another blog.

Smart-ID has a growing list of services, with over 100 available across Estonia, Latvia, and Lithuania. Its success and high penetration are due to it achieving the right balance of security and convenience, making it an easy sell to banks and their customers. Digital identity is a two-sided market and there needs to be buy-in from both customers and the service providers that offer it for access and signing. Requiring nothing more than a smart device and simply inputting four digits when prompted, people can access their bank accounts in around four seconds, but not only that, they could also pay their taxes and sign legally binding documents, all with the same, simple app. This is only possible when the security and assurance of the solution have been evaluated to a sufficient level, in this case EAL4+ and eIDAS High.

Following on from the above point, it’s well worth noting that it’s this openness to the private sector that has been one of the key success factors of Estonia’s identity solutions. The smart card, Mobile-ID, and Smart-ID have been offered to the private sector, as well as the public sector, from very early on, and have never really been just tools to access government systems, but tools that brought convenience and security to hundreds of online services. It’s hard to say where digital identity technology will go next for Estonia: high assurance remote enrolment, a mobile option available Europe-wide under eIDAS, maybe even worldwide acceptance through e-Residency. Whatever the next innovation is, Estonia’s history has shown it’s worth keeping an eye on.

Written by Maximiliaan van de Poll