e-Governance

Keeping the data safe

What if Estonia’s system is hacked? And what if an unsavoury government, domestic or foreign, got hold of Estonia’s information?

“In most countries the state owns data, and the citizens may see it. In Estonia, people own data, and the state may use it.” This pithy summary, by Doris Pöld of the Estonian Association of Information Technology, aptly describes a level of mutual trust not often seen, even in advanced democracies. But trust alone cannot protect a citizen’s data. The country’s e-Governance system relies on two features designed to protect the integrity of all data:

1. Decentralization of information

There is no single repository for the data on Estonian citizens. The police, population office, tax authorities, land registry and other services each have their own servers, protected in turn by a security server, linked within a sort of Estonian intranet called X-road. No department can see another’s data without explicit authorisation. The police, for example, can access the weapons registry but not the tax rolls. Citizens access their data – a traffic violation or medical record – with their ID cards or mobile phones. But neither the ID card nor the mobile phone contains actual data. They are merely encrypted authentication devices that, together with the user’s PIN code, confirm his identity.

data safe security KSI authentification fullwidth - Keeping the data safe

2. KSI (Keyless Signature Infrastructure) Technology

This is Estonia’s killer app. It is not a firewall but a system that protects the integrity of every shred of data by assigning it a unique fingerprint. Anytime anyone so much as looks at information, not to mention changes it, a transparent record is created. So if an official looks up your driver’s license, you can see who it was. If he checks your driver’s license too often, you can ask why. “Whatever you may think of Edward Snowden, he couldn’t have done what he did if the National Security Agency had KSI”, says Matthew Johnson, chief techno­logy officer of GuardTime, the Estonian company that created KSI. GuardTime now has a Washington office that sells KSI to the U.S. government.

Doris Pöld (Estonian Association of Information Technology),