No More Paperwork: Estonia Edges Toward Digital Government

In the Estonian capital of Tallinn, three-day-old Oskar Lunde sleeps soundly in his hospital cot, snuggled into a lime green blanket decorated with red butterflies. Across the room, his father turns on a laptop. "Now we will register our child," Andrejs Lunde says with gravity as he inserts his ID card into the card reader. His wife, Olga, looks on proudly. And just like that, Oskar is Estonia's newest citizen. No paper. No fuss. From a report: This Baltic nation of 1.3 million people is engaged in an ambitious project to make government administration completely digital to reduce bureaucracy, increase transparency and boost economic growth. As more countries shift their services online, Estonia's experiment offers a glimpse of how interacting with the state might be for future generations. Need a prescription? It's online. Need someone at City Hall? No lines there -- or even at the Department of Motor Vehicles! On the school front, parents can see whether their children's homework was done on time.

Estonia has created one platform that supports electronic authentication and digital signatures to enable paperless communications across both the private and public sectors. There are still a few things that you can't do electronically in Estonia: marry, divorce or transfer property -- and that's only because the government has decided it was important to turn up in person for some big life events. This spring, government aims to go even further. If Oskar had been born a few months later, he would have been registered automatically, with his parents receiving an email welcoming him into the nation.

Re:First post from Tallinn, Estonia

[Applehu Akbar]

...and thumbs down on where this country is going.

In a backward and paper-based country, a cyberattack that disables things properly will hurt. Over here, it will cripple.

But at the same time, online access to government offices is a huge time saver. When people get it, they don't want to go back, any more than we would want to go back to having to schedule a library visit to look up any kind of reference information.

We can't avoid having to fix the online security problem.

Re:

[zlives]

move along non-citizen, we have no record of you

Ivan brings frost piss!

[Anonymous Coward]

This is place Russians keep do the hacking, da?

Re:

[Hognoxious]

No, it's that place Dilbert keeps visiting. Their economy is 100% based on mud.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[Hognoxious]

Their neighbours wouldn't be my first choice.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[arglebargle_xiv]

Across the room, his father turns on a laptop. "Now we will register our child,"

"Unt now ve register our child. Ve haff permission from ze government to haff him, provided he doess his compulsory military serviss, vhich guarantees both citizenship unt voting riiights!".

How convenient

[quonset]

When I need information it's now one-stop shopping in Estonia. All the people's information in one convenient place. No muss, no fuss, Hack once and live a lifetime.

BTW, what happens when, not if, Russia decides that uppity former republic needs to be taught a lesson? We've seen what they're trying to do in the Ukraine. Imagine a country with a population less than the city of Philadelphia being taken down when nothing works because somehow, mysteriously, large amounts of data are lost or corrupted.

What's that saying about putting all your eggs in one basket?

Re:

[Freischutz]

When I need information it's now one-stop shopping in Estonia. All the people's information in one convenient place. No muss, no fuss, Hack once and live a lifetime. BTW, what happens when, not if, Russia decides that uppity former republic needs to be taught a lesson? We've seen what they're trying to do in the Ukraine. Imagine a country with a population less than the city of Philadelphia being taken down when nothing works because somehow, mysteriously, large amounts of data are lost or corrupted. What's that saying about putting all your eggs in one basket?

Estonia is a NATO member and an EU member and Britain and Germany have deployed forces in the Baltic nations. They are safe.

Those are token forces. Unless the Estonian, Latvian, and Lithuanian armies are able to deal with massive armour and airborne invasions and delay the Russians for a significant amount of time while NATO forces deploy to the theatre the Russians can overrun those countries in hours and judging from what I've seen in terms of training of Baltic forces by NATO that seems to be the strategy. Once the Ivans are occupying them these countries will become another frozen conflict like the E-Ukraine or those dispute

Re:

[dunkelfalke]

There is simply zero reason to invade since the Baltic states are already in the NATO.
Ukraine and Georgia both wanted to, but cannot anymore since the NATO statutes indirectly prevent countries with unresolved territorial conflicts from joining.

Re:How convenient

[Kjella]

Those are token forces. Unless the Estonian, Latvian, and Lithuanian armies are able to deal with massive armour and airborne invasions and delay the Russians for a significant amount of time while NATO forces deploy to the theatre the Russians can overrun those countries in hours and judging from what I've seen in terms of training of Baltic forces by NATO that seems to be the strategy.

They're token forces in military terms, but not in political terms. Pretty much all the front line troops are there to escalate it to a proper war and invoke Article 5, there's no country in Europe that can defeat Russia alone. And while the US might drag their feet on becoming involved in another overseas war no country in Europe is going to let Russia go on a Hitler-like series of annexations. They can take the Baltics, but then WW3 has begun.

Re:

[dinfinity]

And while the US might drag their feet on becoming involved in another overseas war no country in Europe is going to let Russia go on a Hitler-like series of annexations. They can take the Baltics, but then WW3 has begun.

I dunno, man. Europeans have gotten quite nationalistic and selfish of late. I know many of my fellow countrymen don't give a rat's ass about pretty much the entirety of Southern Europe, let alone the Balkans or the Baltic states. They see them as freeloading countries whose inhabitants only 'steal our jobs'. They refer to the EU as the EUSSR and would all rather retreat onto the island they regard their country to be.

Remember that one of the major reasons why Hitler could get so far as he did was that nobo

Re:

[AHuxley]

Re 'Those are token forces."
Thats all NATO needs as part of its eastward expansion to drag the rest of NATO into action.

Re:

[Anonymous Coward]

Estonia is a NATO member and an EU member and Britain and Germany have deployed forces in the Baltic nations. They are safe.

Ukraine gave up their nuclear weapons based on security guarantees from NATO, the EU, and the US.

They are safe...

Re: How convenient

[Anonymous Coward]

Ukraine had no formal guarantees from either NATO or the EU. Estonia is a NATO member, so any attack on Estonia would mean war with NATO.

Re: How convenient

[Anonymous Coward]

If you are under the impression that France or Britain or anyone else will be willing to put their nations' interests in harm's way to protect the Baltic republics, you're sorely deluded. It would take Russia very little to cripple the EU economy with minimal loss of life and everyone with half a brain in Brussels knows it. France matters. Germany matters. Lithuania... Not so much.

Re:

[rogoshen1]

Judging from the response to his adventures in Georgia and the Ukraine; I think Putin knows he's squaring off with the west which is currently more Chamberlain than Churchill.

Re:How convenient

[Moba Hup]

The data *isn't* kept in one convenient place. On the contrary. Each government agency only keeps data relevant to them. If they need information about, for instance, someone's company's mailing address, then they can request it -- straight from the agency that deals with this information -- over X-Road [e-estonia.com], a sort of secure intranet/SOA hub. Each agency publishes a set of SOAP services (with various access restrictions) to make use of the information they maintain, and other agencies can securely and directly access these services. Access from/by each agency is protected by standardised security servers that take care of encrypting, validating and logging the data. If a hacker gets access to, say, the local DMV, then they would only have access to DMV's information and could make some individual requests that other agencies allow DMV to make -- no more.

Re:How convenient

[Moba Hup]

It's transported over regular (and/or government-only) Internet strictly over TLS with known certificates, but the reference security implementation (software as well as hardware) is provided by the government. Basically, each agency only needs to implement the services and make them available for the security server, which takes care of publishing the service, validation, encryption, logging -- all the tricky and sensitive stuff. The common security solution is of course developed and maintained by competent people. But even if case that gets hacked, then the communication relies on public key cryptography, and the private keys of the security servers themselves are generated and stored in hardware, which is never accessible from server software.

Re:

[110010001000]

Baloney. Anytime you put information on a network it can be accessed.

"The common security solution is of course developed and maintained by competent people"

Right.

Re:

[Moba Hup]

I posted a link above regarding how it works exactly.

The point is that data isn't centralised, but kept at agencies that manage it. Different agencies offer different, secure interfaces (some more or less public, some not) to the data they do have. If one agency is hacked or DDOSed, then it doesn't affect the other agencies, or the traffic between them.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[mardu]

If a wide-scale denial of service occurs, most of your important paperwork can still be done using pen and paper. Although almost everybody uses e-services, there are still paper forms available and regulations for dealing with these. As there are hundreds of different digital government services, some of them have or have had minor issues at some point. In these cases, people just had to do it the old way, go to a government office and fill out their forms. So a DoS would be a huge inconvenience, the count

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[mardu]

Of course things can go wrong. But although the news article makes it seem like it is a new thing, the "digital government" has been around for more than 15 years. Some have tried to break in, some have tried (D)DoS attacks. People working with it already have experience with it. Although this is not a guarantee against idiots in charge, it certainly makes it less likely - experiences professionals are more likely to speak up before that. I don't think anybody has though of absolutely everything but at leas

Re:

[mardu]

Estonia had the luck of having no legacy regulations and basically no huge legacy databases when we regained our independence after the Soviet occupation. Everything had to be built from the ground up so it was easy to use new technology and ambitious ideas.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[Anonymous Coward]

Your lack of understanding of basic cryptography and PKCS#11 aside, the fact that there is absolutely zero evidence of any successful mass theft of Belgian eID data serve as evidence that you are mistaken in your assumptions. Or do you want us to believe that cybercriminals entirely have missed out on this supposedely easy to steal hoard of valuabe data?

Re:

[GNious]

Why bother with Estonia? Just go to Belgium.

As someone from a 3rd country, living in Belgium and very familiar with Estonia: No

Stay the fuck away from Belgium, it's a hostile little shithole of a country, you're better off pretty much everywhere else, and especially better off in Estonia

Re:

[account_deleted]

Comment removed based on user account deletion

Re:How convenient

[Kjella]

When I need information it's now one-stop shopping in Estonia. All the people's information in one convenient place. No muss, no fuss, Hack once and live a lifetime.

Actually the reason identity theft is such a big deal in the US is because having the information is generally sufficient. If I doxed myself here in Norway you could certainly do a lot of annoying things, but you'd find that for anything of real importance you'd either have to use an electronic signature or show up in person. Just having my person number (DOB + sex marker + unique counter), name, address etc. doesn't really get you very far. And while all my data is connected through the same unique identifier they're still kept by many different branches of government, you might say one common login gives access to everything but what happens in other nations? Surely there must be some level of standardization that DOB + SSN + whatever = ID. Unless you're going for the "the only way to win is not to play" solution by physically standing in line at a government office for everything.

Imagine a country with a population less than the city of Philadelphia being taken down when nothing works because somehow, mysteriously, large amounts of data are lost or corrupted.

Nobody's back end system is paper based anymore. Sure you might say that by exposing it over the Internet you're adding additional threats but the real high level hacks are often still an inside job or targeting the employees. We've had online banking here now for a couple decades, I've still not heard of anyone hacking their way to the core bank systems through the client, it's such an obvious way into the system that the protocol is completely locked down. It could make denial-of-service easier, but you still have to consider a power failure or an idiot with a backhoe and work on contingencies anyway. And don't forget how much else depends on the Internet these days, if it stops tons of B2C and B2B solutions won't work. It's not just the government's problem.

Re:

[110010001000]

" I've still not heard of anyone hacking their way to the core bank systems through the client"

This happens all the time. You just don't hear about it.

Re: Conspiracy angle

[del_diablo]

Could you reference anything? Like, i get the white hat angle where you hack the core and add a pop up.
But the way i understood it, as its presented in the media is that your goal as a hacker is to acquire unique information(i.e bank account number+ persona) and then you need a hack to get past the 2 factor authentication. And as the experts know, they are not that secure even if its unique password + offline key generator device
Once that is done, the goal is then to empty bank account as far as possible. W

Re:

[Kjella]

This happens all the time. You just don't hear about it.

No it doesn't. That they compromise individual accounts, sure. That they compromise the bank itself [securitynewspaper.com] via phishing or hacking yes. But those attacks pretty much never go through the front door, like you go to their public web server and run an exploit.

Re:

[wisse]

They have this neat idea of a digital embassy. They have got a copy of digital Estonia running in Luxembourg. When the russians do come the estonians who manage to get out of the country open their laptops somewhere else, and there are still part of digital Estonia.

Foolish

[Anonymous Coward]

You put everything on the Internet, you open it to an attacking nation:
https://www.bbc.com/news/39655415

"Online services of Estonian banks, media outlets and government bodies were taken down by unprecedented levels of internet traffic."

"Massive waves of spam were sent by botnets and huge amounts of automated online requests swamped servers."

"The result for Estonians citizens was that cash machines and online banking services were sporadically out of action; government employees were unable to communicate w

Re:

[mermeid007]

In DC, since they have no local government to speak of, they often have to choose between automating part of a process for some tangible improvement and changing nothing. Of course, they also have such a small population that in the past they simply did away with any paperwork or services that were not needed. I think various agencies would complain when they didn't get the data they needed, and this really is what drove their decisions on automation. A pull not a push.

Registering your child

[110010001000]

"The Mother looked on proudly as the Father inserted the chip under his newborns skin. After enabling the connection to the laptop, the programming of the child started. Within 10 minutes, the child was fully programmed and was now a full Estonian citizen. On his 17th birthday he would be eligible for ration level B and military service."

Truly a glorious accomplishment.

Re:

[cascadingstylesheet]

"The Mother looked on proudly as the Father inserted the chip under his newborns skin. After enabling the connection to the laptop, the programming of the child started. Within 10 minutes, the child was fully programmed and was now a full Estonian citizen. On his 17th birthday he would be eligible for ration level B and military service."

Truly a glorious accomplishment.

Meh.

What they are actually doing - as opposed to your dystopian fantasy - is an electronic version of birth certificates and ID cards that is nothing really new, just a new implementation.

It carries its own risks (and benefits), sure, but is nothing like what you are describing.

Do you object to birth certificates and ID cards in general? (Perhaps you do, some do.)

We're all still in the steam age ...

[Qbertino]

... compared to Estonia. What they're doing in terms of digital government is groundbreaking and has been going on for a few years now. All digital zero-fuss bureaucracy. Very nice and an example I'd wish some German authorities would follow more eagerly.

Re:

[Actually, I do RTFA]

I don't find the current system at all onerous. Hence, I'm happy to avoid the probable issues behind what Estonia is doing. For instance, I don't particularly want the government to have my fingerprints on file.

Re:

[account_deleted]

Comment removed based on user account deletion

Governance is the bottleneck

[wisse]

It sounds really simple: all information in one place, you own your own information (including your health information). And techniscally it *is* simple. But the governance can be made so complicated that no other country has pulled this off yet. Getting all your national institutes to work together on one digital government is no small feat.

Soon on Slashdot...

[grumpy-cowboy]

Estonia government servers have been hacked and ALL citizen's private information is available online.

Re:

[mardu]

No centralized data storage (each government body manages their own databases), so pretty much impossible to read about ALL private information being publicly available. Some, possible, but not ALL. Also, not much to do with this information as in Estonia you cannot steal someone's identity just by knowing some data about them. Identity codes (the closest thing to an SSN here) are public information and basically nobody validates identities without a valid ID card or passport (or another equivalent documen

Estonia's System Is Unique and Interesting

[organgtool]

There are a lot of comments here talking about hacking government servers and getting everyone's data. This is based on a misunderstanding of the Estonian digital record system. I've read several articles about it and if I understand it correctly, the system is more of an authentication system and records interface. Your data isn't stored on a single set of government servers - instead, public and private entities store their information about you on their own servers and are required to use the government's digital authentication system for access. The records are required to have access control layers so that citizens can control which people have access to their records. I believe there is also a required interface for presenting history data so that a citizen can see all attempted access to their records. It's a very interesting and pragmatic approach and it'll be something that people should watch closely and learn from.

Re:

[Danielsen]

His father turns on a laptop. "Now we will register our child,".

Pretty standard.. But why do the parents need to register..
In Denmark the mother is registered during prenatal care, and she also informs the social security number of the expected father.
One of my colleagues girlfriend gave birth to there baby a Sunday night, and they were unmarried.
The midwife registers the childbirth.
One hour later the father got a message from the 'stats amt' where the had to sign for the paternity.

Bio-chip

[p51d007]

Might as well have them implant a bio-chip in your skin. THAT would be the logical next step. No muss, no fuss, NO PRIVACY.