eID and e-Signature in cross-border situations, the Estonian experience (Estonian eID and e-Signature)

Published on: 15/04/2016

Since the first digital signature was given back in 2002, the e-signature service has been an integral part of the Estonian ecosystem. The number of submitted e-signatures has grown steadily since go-live, reaching 130 million uses in 2013 and 270 million by 2016.

Going beyond its national borders, Estonia has launched several initiatives on this track:
  • As from 2008: the development of a Business register with integrated digital signing for persons from partner countries (Finland, Latvia, Lithuania, Belgium and Portugal).
  • As from 2013: bilateral co-operation on signature formats & software with Finland, Latvia and Lithuania.
  • As from 2014: partnership with SignWise, a private sector e-signing and e-ID solution company that works with 17 countries’ identities.
  • As from the end of 2014: the launch of e-residency. As of 13 May 2016, there are 9,878 e-residents from 129 different countries (see https://app.cyfe.com/dashboards/195223/5587fe4e52036102283711615553)
The chronology of the ID-card in Estonia is provided here.

Policy Context

Estonian e-signature is backed by the Digital Signature Act (DSA), passed by the Estonian parliament (Riigikogu) on March 8, 2000. This text entered into force on December 15, 2000. The law regulates issues that are essential for implementing a nationwide public key infrastructure (PKI) and digital signature infrastructure (the online version of the DSA is available at https://www.riigiteataja.ee/en/eli/508072014007/consolide).

According to the DSA, handwritten and digital signatures (qualified e-signatures according to the eIDAS definition) are equivalent in document management in both the public and private sectors.

According to article 2(3) of the DSA, a digital signature shall: i) enable unique identification of the person in whose name the signature is given; ii) enable determination of the time when the signature is given; iii) link the digital signature to data in such a manner as to preclude the possibility of changing the data or the meaning thereof undetectably after the signature is given.

The DSA is based on the European Union Directive on Electronic Signatures (1999/93/EC), which is to be replaced starting from 1 July 2016 by the eIDAS regulation (Regulation 910/2014).

Additionally, in October 2014, the amendment of the Identity Documents Act (IDA) introduced the concept of e-residency, which means that any person, regardless of his or her citizenship or residency, has the possibility to apply for an Estonian digital identity (digiID) (the online version of the IDA is available at https://www.riigiteataja.ee/en/eli/511042016001/consolide). This allows the “virtual resident” to use the services provided by both Estonian state agencies and the private sector connected to the ID card, including the possibility to sign documents digitally (See https://e-estonia.com/e-residents/services-and-benefits/). The law entered into force on December 1, 2014.

Description of target users and groups

Citizens, businesses and public administrations.

Description of the way to implement the initiative

Role and organisation

In Estonia, the state undertakes to assure the existence and functioning of PKI. A large part of the services related to the PKI is purchased from the private sector, e.g. the certification, the infrastructure for making enquiries about the validity of the certificate, the infrastructure for distributing the public key and the key creation environment (e.g. ID card chip).

  • Department of State Information Systems of Ministry of Economic Affairs and Communications – policy-maker in the field of PKI; drafts the legislation in relation to quality and trust requirements of the PKI.
  • Information System Authority – responsible for: i) the functioning, development and management of the ID card base software; ii) the mutual capacity of international electronic identities or the cross-country functioning, development and management of software solutions; iii) assuring the existence of the user service of the ID card base software (www.id.ee); iv) providing support for developers.
  • Police and Border Guard Board – responsible for the issuance and life-cycle management of the means (ID-card, digiID and mobile-ID) for secure electronic authentication and signing.
  • Certification Centre – provides the certification service and time-stamping services to the eID and eSignatures issued by the state; also offers the services of an ID card help centre in order to provide technical support for users in relation with the ID card base software.

The DSA sets out that:

  • The Certification Service Providers (CSPs) are subject to an annual audit to ensure their organization and system reliability (Article 19(2) of the DSA);
  • Time-stamping Service Providers (TSPs) ensure that the timestamped data (proving that certain information existed at a certain moment) can’t be changed without invalidating the timestamp; TSPs are, similarly, subject to annual audit (Article 26(2) of the DSA);
  • Data about all Estonian CSPs and TSPs is registered in the National Registry of Certification Service Providers. The Ministry of Economic Affairs and Communications, which manages this register, verifies the audit results and inspects the service providers’ premises and relevant information (Article 32 of the DSA).

Achievements

As practical implementations of the cross-border e-signature projects, we count:

In the field of eID:

  • Online submission of tax declarations on the Internet
  • mID
  • document encryption

Technology solution

See:

For mSignature and mID, see https://e-estonia.com/component/digital-signature/

Main results, benefits and impacts

Electronic identity, in the form of an ID-card or mobile-ID, is issued by the state. The ID-card is a mandatory identity document for Estonian citizens and citizens of the European Union permanently residing in Estonia. An indicative list of e-services which the holder of an electronic identity can use is provided here.

According to www.id.ee, from 2002 until 3 May 2016, almost 285 million e-signatures have been given by using the ID-card and more than 435 million identification processes have been conducted (See http://www.id.ee/?lang=en&id - 3 May 2016). According to id.ee, there are 1,267,547 active ID-cards (the population of Estonia is 1,311,800; see https://www.stat.ee/ee). However, the number of people who actively use the secure online identity (at least once a year) is, according to statistics from 2015, 47% of the number of active eIDs (See https://infoyhiskonnamoodikud.mkm.ee/home).

mIDs are becoming increasingly widespread. The number of mID users has increased 40% since 2015 and the total number of mID users stands at 6% of the population (See http://www.id.ee/index.php?id=30217&read=37530). mID is a digital identity card in one’s mobile phone: the mobile operators issue the holder of an ID-card or digital identity card (e.g. an e-resident’s digiID) a new SIM card, which is activated from the website of the Police and Border Guard Board, which is responsible for handling the issuance of eIDs and digiIDs. mID enables the user to enter web portals, use e-services, make payments and transactions, provide digital signatures and take part in electronic voting (See http://www.id.ee/index.php?id=36884).

The secure state-based eID and e-signature have enabled Estonia to become one of the most digitally-savvy countries in the world, and their impact has therefore been enormous. DESI indicates that “Estonia has been at the forefront of online public services for a few years and is the best performing country in Europe in 2016. Estonian internet users are well-versed in the variety of online activities available to them. They are at the forefront of Internet use in Europe in areas like online banking (91%) and the consumption of news content (91%)” (See https://ec.europa.eu/digital-single-market/en/scoreboard/estonia).

With the eID and e-signature system of Estonia, the state apparatus has become extremely efficient and paper-based bureaucracy has by now become almost obsolete. It has been suggested that using a digital signature saves an average adult a whole workweek of time per year (See https://vimeo.com/82941252). Citizens have also accepted digital means of communication as the default. For example, 96% of tax declarations in 2015 were filed electronically.

 

Interoperability

The e-signature of Estonia mostly uses the .bdoc format (with an RFC 2560 standard time-mark). However, the e-signature architecture also enables signing digitally in the .asice format (with an RFC 3161 standard time-stamp), which is more internationally accepted and enables cross-border compatibility.
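A receiving system can tell the two profiles apart by inspecting the signature XML inside the container. The following is an added example, not code from the original page or from the Estonian ID software: it assumes the ASiC-E ZIP layout (`META-INF/*signatures*.xml`) and XAdES element names, treats a `SignatureTimeStamp` element as the RFC 3161 time-stamp and an embedded OCSP response without one as the RFC 2560 time-mark, and runs on constructed sample XML. It only classifies the time evidence; it does not validate any signature.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

XADES = "{http://uri.etsi.org/01903/v1.3.2#}"   # XAdES 1.3.2 namespace
MAX_SIG_XML = 1_000_000  # assumed cap; refuse oversized entries (zip-bomb guard)

def time_evidence(container_bytes):
    """Map each signature file in the container to its time-evidence profile."""
    result = {}
    with zipfile.ZipFile(io.BytesIO(container_bytes)) as zf:
        for info in zf.infolist():
            low = info.filename.lower()
            if not (low.startswith("meta-inf/") and "signatures" in low
                    and low.endswith(".xml")):
                continue
            if info.file_size > MAX_SIG_XML:
                raise ValueError(f"{info.filename}: signature file too large")
            # For untrusted containers prefer a hardened parser (e.g. defusedxml).
            root = ET.fromstring(zf.read(info))
            if root.find(f".//{XADES}SignatureTimeStamp") is not None:
                result[info.filename] = "time-stamp (RFC 3161)"
            elif root.find(f".//{XADES}EncapsulatedOCSPValue") is not None:
                result[info.filename] = "time-mark (RFC 2560 OCSP)"
            else:
                result[info.filename] = "no time evidence"
    return result

def build_sample(signature_xml):
    """Constructed container for the demo: mimetype plus one signature file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("mimetype", "application/vnd.etsi.asic-e+zip")
        zf.writestr("META-INF/signatures0.xml", signature_xml)
    return buf.getvalue()

NS = 'xmlns:xades="http://uri.etsi.org/01903/v1.3.2#"'
OCSP = "<xades:EncapsulatedOCSPValue>AA==</xades:EncapsulatedOCSPValue>"
TSTAMP = ("<xades:SignatureTimeStamp><xades:EncapsulatedTimeStamp>AA=="
          "</xades:EncapsulatedTimeStamp></xades:SignatureTimeStamp>")
# Constructed, non-verifiable stand-ins for real XAdES signatures.
TS_XML = f"<sig {NS}>{TSTAMP}{OCSP}</sig>"
TM_XML = f"<sig {NS}>{OCSP}</sig>"
BARE_XML = f"<sig {NS}/>"

if __name__ == "__main__":
    for label, xml in (("asice", TS_XML), ("bdoc", TM_XML), ("bare", BARE_XML)):
        print(label, time_evidence(build_sample(xml)))
```

A signature reported as "no time evidence" cannot satisfy the requirement that the time of signing be determinable, so a verifier should reject it before any further processing.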

Lessons learnt

In 2015, Ernst & Young Estonia Baltic AS, in collaboration with the Ministry of Economic Affairs and Communications, conducted a study on the usage of qualified electronic signatures among 15-64 year-old citizens in the EU and in Norway, Switzerland and Iceland (accessible, only in Estonian, at https://mkm.ee/sites/default/files/digitaalse_allkirja_kasutamise_osakaalu_uuringu_aruanne_printimiseks.pdf). The results of the study are also relevant in this context, as they indicated that it is of crucial importance to raise public awareness of the nature of electronic signing and its advantages over conventional signatures. According to the study, greater emphasis should be put on the fact that qualified electronic signatures provide even greater certainty regarding the connection between the person and the document signed. The study also noted that it is critically important to harmonise, and to develop common interpretations of, the terms related to electronic signing. Different understandings have brought about different approaches.

 

Also, take-up of electronic identities and e-signatures by the private sector in Estonia, especially by the financial sector, has been extremely important. As an output of the study, based on the eIDAS regulation, an option would be for the European Commission to work with the private sector in order to increase the level of qualified e-signature infrastructure.

Scope: Cross-border

Categorisation

Type of document
General case study
