In surprise and indeed shock, someone has made smart card identity systems work on a national scale: The Estonians. Last week, I attended Conult Hyperion's rather good Digital Identity forum where I heard the details from one of their techies.
There are 1.35 million Estonians, and they hold an issued 650,000 cards. Each card carries the normal personal data, a nationally established email address, a photo, and two private keys. One key is useful for identification, and the other is used for signing.
Did I say signing? Yes, indeed, there is a separate key there for signing purposes. They sign all sorts of things, right up to wills, which are regularly excluded from other countries' lists of valid uses, and they seem to have achieved this fairy tale result by ensuring that the public sector is obliged to accept documents so signed.
I can now stop bemoaning that there are no other extant signatory uses of digital signatures other than our Ricardian Contracts. Check out OpenXades for their open source signatory architecture.
When asked, presenter Tarvi Martens from operator AS Sertifitseerimiskeskus (SK) claimed that the number of applications was in the thousands. How is this possible? By the further simple exigency of not having any applications on the card, and asking the rest of the country to supply the applications. In other words, Estonia issued a zero-application smart card, and banks can use the basic tools as well as your local public transport system.
Anybody who's worked on these platforms will get what I am saying - all the world spent the last decade talking about multi-application cards. This was a seller's dream, but to those with a little structural and markets knowledge this was never going to fly. But even us multi-blah-blah skeptics didn't make jump to hypersmartspace by realising that the only way to rollout massive numbers of applications is to go for zero-application smart cards.
A few lucky architectural picks written up in the inevitable whitepaper will not however make your rollout succeed, as we've learnt from the last 10 years of financial cryptography. Why else did this work for the Estonians, and why not for anyone else?
Gareth Crossman, presenter from Liberty, identified one huge factor: the Napoleonic Code countries have a legal and institutional basis that protects the privacy of the data. They've had this basis since the days of Napoleon, when that enlightened ruler conquered much of mainland Europe and imposed a new and consistant legal system.
Indeed, Tarvi Martens confirmed this: you can use your card to access your data and to track who else has accessed your data! Can we imagine any Anglo government suggesting that as a requirement?
Further, each of the countries that has had success (Sweden was also presented) in national smart card rollouts has a national registry of citizens. Already. These registries mean that the hard work of "enrollment" is already done, and the user education issues shrink to a change in form factor from paper to plastic and silicon.
Finally,it has to be said that Estonia is small. So small that things can be got done fairly easily.
These factors don't exist across the pond in the USA, nor across the puddle in the UK. Or indeed any of the Anglo world based on English Common Law. The right to call yourself John Smith today and Bill Jones tomorrow is long established in common law, and it derives from regular and pervasive inteference in basic rights by governments and others. Likewise, much as they might advertise to the contrary, there are no national databases in these countries that can guarantee to have one and only one record for every single citizen.
The lesson is clear; don't look across the fence, or the water, and think the grass is greener. In reality, the colour you are seeing is a completely different ecosystem.
Posted by iang at November 15, 2004 09:35 AM | TrackBackLong live Estonia a place worth moving to since they seem progressive enough to adopt a technology on a national scale. Maybe they achieve this because Microsoft is not buying their elected officials or paying others to do the same.
Posted by: Jimbo at November 15, 2004 04:34 PMEstonia does indeed sound like a wonderful place to live -- if only the weather was a tad better.
Posted by: Hasan Diwan at November 15, 2004 05:38 PMCan't say the fairy tale is so perfect. Admiring those, who had the courage to make a digital ID-card mandatory, I see it as overdaring to put valid certificates on the card by default! There are over 650,000 cards out there but how many of their owners know exactly what they are carrying on their wallet? I fear, the number is dangerously low.
Until now, this has not had serious consequences - the electronic signing is not widely-used yet and possibly criminals do not feel themselves quite comfortable in this area also, but my lead to problems if i-voting comes to life, in currently planned form. In that case it may impose even threath to democracy if ignorant citizens get used to gain votes.
Posted by: Joosep-Georg Järvemaa at November 16, 2004 09:03 PMActually the number of active ID-card users was recently cited as 8000, out of 650.000 issued... So Joosep-Georg is right, it is a bit early to call it a success yet.
But it is true we can use digital signatures in courts and in communication with state and local authorities, which is definitely a progess. There is a well-designed and open infrastructure that allows me to use digital signatures and I really like using it -- I actually do feel safer this way, as my non-digital signature (and identity) is probably easier to fake.
At the same time: J-G is also correct in pointing out potential problems with un-used (and un-understood) certificates. But I don't think the amount of ID-cards that can get stolen (together with PIN-codes) and not reported as "lost" by owners is far from being danger to democracy.
(and to everybody intrested in climate here in Estonia -- we are having our first snow this fall in Tallinn this morning :-)
Posted by: Peeter Marvet at November 17, 2004 03:33 AMTo use somebody's digital identity one haven't to steal it ;) I bet, if during card-payment process in shop one gets asked for identification and "enter that longer PIN, to make it sure" most who have remembered the PIN codes or carrying them together with card, will do it.
E-voting gives vote-buyers possibility to make sure their "investments" are useful by "collecting" votes (eg. in rural areas) with their internet-connected laptop. We can make sure nobody can't falsify given votes but we can't prevent giving false votes.
Yes, there is possibility to re-state your vote, but again - most will not do it and mostly because of their ignorance. Lack of internet access, (dis)ability to use computers and (im)possibility to vote by regular way also support vote-buyers in this case.
Posted by: Joosep-Georg Järvemaa at November 17, 2004 05:21 AMHey, guys, thanks for chiming in with local information. 8000 out of 650k sounds much more believable.
At the conference, I asked what experience they had had so far with crimes, thefts, and other perversions of the system. The answer was "None," to which we all agreed at my table really meant "none yet ... that we're saying :-)"
There's no doubt in my mind that the system will be attacked in many and various and elegant ways. The only question is when. If this was Internet cash, I'd say 10k active would be about the point of worry, and you're at that point more or less; that's what we've seen in the DGC world.
But this isn't a cash system, so I'd say it will need more active cards before persistent and popular hacking will take off. Just a guess, really, as you have to spread all those cards across a wide base of targets, which means that any given target doesn't concentrate enough users yet.
Should be very interesting. Keep us posted!
iang
Posted by: Iang at November 17, 2004 01:02 PMWell, I did a radio interview with chief of Estonian crimi-police today -- as they have been asking for rights to make sure new comm technologies remain accessible for their surveillance -- and asked if they want to control comm why issue 650th IDcards with pretty strong crypto, is there a backdoor so you don't consider this technology a problem? He went pretty... "mummm"
Which probably was typical "no-comments-speak", unfortunately that can be understood pretty wrongly in this case (like "we are not very sure if we can keep all these NATO secrets", which in some circles is definitely not considered a joke, specially as we just had a minister of defence who managed to have a burglar break into his home and steal his portfolio with some secret docs).
But just as a matter of journalistic integrity I have now to take Joosep-Georg's sceptical position, that the system is easily hackable by establishment, until they manage to prove otherwise :-D
Posted by: Peeter Marvet at November 17, 2004 05:08 PM