Article content
Estonia introduced digital identity more than 20 years ago. It is the cornerstone of the functioning e-Estonia that connects the physical identity to an electronic identity in cyberspace. In light of the updates to the current eIDAS directive, we discuss how Estonia has influenced the new European regulation. And what Estonia has to offer for its implementation.
Arguing for an interoperable Europe
During the development of the eIDAS 2 regulation, all European countries were duly consulted. With the fast developments in digital identity technologies and use cases, there is no shortage of extremely competent specialists. So, instead of technical discrepancies, the discussions on the European level have mostly been between schools of thought.
“The two general principles — that all member states must issue an eID and that everyone can give an electronic signature that is equal to a handwritten signature were Estonia’s positions that we defended in the negotiations and that were eventually included at a generalised level,” says Mait Heidelberg, counsellor to the ministry in the Ministry of Economic Affairs and Communications on information society issues.
“For one, being so used to using digital identity, Estonia has always wanted secure, sensible electronic identity tools to be available all over Europe. For two, electronic signing is so widespread in Estonia that Estonians often encounter problems in other European countries. Where the ideas about electronic signatures are different or absent. As with the new eIDAS regulation, both of these issues seem to be solved; this is a very good development from our point of view,” says Mr Heidelberg.
One of the key developments proposed in eIDAS is the electronic identity wallet. The wallet is an app that can be used for identification, signing, and storing digital documents safely on a mobile phone. For Estonians, this would be a nice development which would build on existing eID and interoperable systems. In many other countries, the wallet would actually make the eID more popular.
“For Estonians, having an digital identity in itself is important. Everyone uses it daily. If we finally have something like a wallet in our mobile phone, it is reasonable to put various other attestations besides the identity,” says Riho Kurg, architect at the Information System Authority’s (RIA’s) electronic identity department.
“However, in many European countries, it is the reverse. For example, the Austrian wallet lets you put a driver’s license in it. Since people want to have their digital license, they will get a wallet. But to make full use of the wallet’s other possibilities, such as electronic signatures, people apply for an ID card that is otherwise not compulsory.”
Estonia offers a security solution that works
Since the first eIDAS regulation in 2014, new technologies have become available that can alter the way the security concerns of the wallet can be addressed. Since some of these have come from Estonian companies such as Cybernetica, Nortal and SK ID, we can provide new solutions that were not thought about previously.
“In developing the wallet for a mobile phone, people are naturally concerned about how it is kept safe,” says Riho Kurg. “Indeed, security features of mobile phones by Samsung or Apple or others can be very good. And we know that, for example, Singapore uses a mobile security element in its wallet. But relying on mobile phone security features may be an issue.”
“The first question is whether they will ever get certified or the manufacturers are even interested in certification. Europe is a relatively small market. This whole topic of trust services is very “foreign” when viewed in America or Korea,” explains Mr Kurg.
“The other thing is that we will be dependent on the latest models of phones. Quite a few people either don’t have the latest model or never want one.”
Estonia is developing its wallet on technologies independent of mobile hardware. The “split-key” technology it relies upon is actually being used in a “smart-iD” app. A large percentage of Estonians have been using it, and it has been recognised as a QSCD (Qualified Signature Creation Device) since 2018.
“The benefit of our wallet is that we can already share our European experience that such solutions exist, and they work well,” says Mr Kurg. “What we need to make sure is that this is recognised also elsewhere in Europe. If the regulation states that the private key must always be in one place, this technology won’t work. Luckily, we are not alone; the Netherlands are arguing for the same principle.”
Implementing eIDAS 2 for creating a lasting change
eIDAS is still quite fresh, and some of the aforementioned questions still hang in the air. The technical implementation of the identity wallet is yet to come. A legitimate question is whether the dream of interoperability in Europe can be achieved after all. At least everyone interviewed for this article seems to be carefully optimistic.
Laura Kask, Legal expert and CEO of Proud Engineer, a consultancy, suggests that eIDAS is a step in the right direction. It forces countries to issue an electronic identity. With this, for example, entering state portals to get immediate information about state services in other countries should become possible soon.
“However, in the hope that in the tailwind of eIDAS, we will quickly develop more profound interoperability between countries, I am not very optimistic. This would require that we think about identity in a similar way. But identity is very much a cultural issue,” says Ms Kask.
More probable is the quick development of interoperable business register solutions. There are not such big cultural differences in Europe with the identification of companies.
Substantial hope comes from the consortia that are focused on a specific domain. Estonia is engaged in one, named Potential, which aims to develop an interoperable driving license.
“The developments are promising. Besides us, RIA, and the IT companies, the Estonian Transport Administration is on board and very enthusiastic,” explains Mr Kurg. “They are actually looking to add the vehicle’s registration certificate into the wallet, too. The technical standards are ready for the driver’s licence, and we are waiting for the lawyers to do their part.”
With the enthusiasm and working examples developed in Potential and other consortia, Europe is proceeding case by case towards international interoperability. New eIDAS regulation is just the first push. This can lead to a wider and deeper cultural turn regarding how we think about electronic identity in Europe.
Riho Kurg’s photo: Rene Riisalu
Laura Kask’s photo: Jaana Süld