Estonia’s information society development from a privacy and data protection perspective (7)
Today Estonia has the most technologically advanced government system the world has seen. Even though the small Baltic state yields a population of only 1.3 million, it is known for its e-government system that has everyone applying to be an e-resident of Estonia, even the Japanese Prime Minister.
Putting Silicon Valley to shame, today almost all of Estonia’s government services are managed online. Citizens have chip-and-pin identity cards and can manage their errands from wherever there is a Wi-Fi or fixed broadband connection, which is not difficult since the government-built free Wi-Fi network covers 100% of the country’s territory. The e-state doesn’t stop just there; by 2000, cabinet meetings went paperless and by 2005, the government had introduced e-voting; something that states in U.S. have just begun to implement. But what about the rigorous task of completing tax returns every year or the bureaucratic nightmare of creating a business? No problem, Estonia has you covered here too as both can be done in a matter of minutes. Once an e-resident, one can even run their Estonian business from anywhere in the world. So what’s not to love? A visit to the e-Estonia Showroom in Tallinn leaves one in awe with the question of why other countries are stuck in the “stone age” and not getting on board with an e-government system. What’s the problem then?
There are various concerns from two different groups when addressing this question. While both issues deal with data protection and security, governments and citizens may address these priorities differently.
In April of 2007, Estonia underwent a series of cyber attacks consequent to political and societal tension after a Soviet-era memorial in Tallinn was relocated. The attacks lasted for several weeks and caused damage to the online government infrastructure, everyday life to citizens, and prevented media coverage of the attacks from Estonia as online media outlets were among the first to be attacked. Since the infamous cyber attacks from 2007, new measures and security systems have been implemented to prevent this from happening again. There are several checks put into place to deter hackers from gaining access to the online databases of information and the government takes several measures to protect the infrastructure from potential attacks.
Citizens have the power to log in to the State Portal and see which entities have access to what information. If one wishes to examine who has access to their personal data or when that information was accessed, then one only needs to submit a request or application. Some would yet argue that regardless of the measures implemented, technical measures (e.g. firewalls, security tokens, etc.) cannot guarantee 100% protection from a cyber attack. While this is true, it is only because a utopian 100% safe cyber security system does not exist.
While cyber attacks are a concern for a government and its citizens, the protection of data and privacy are also main concerns in analyzing the e-government system. A citizen may be more reluctant to transfer their tax information, medical history, prescriptions, and business information online, knowing that it may simplify access of the information to a third party. However, because Estonians trust the secure two-factor authentication they use through their digital ID, privacy and data is less of a concern for them. In other parts of the EU, concern for privacy and data protection was at its highest after the NSA-scandal of 2013. Furthermore, what may worry citizens does not just concern privacy, but also employment. When banking and tax returns are completed online, then the need to outsource for tax-return help or to take a trip to a local bank becomes obsolete. While Estonia maintains a healthy 5% unemployment rate, it is a small country and therefore the process to transitioning to an e-government system is arguably much smoother than it would be in larger countries. In the U.S. for example, there would be pushback from the healthy and wealthy tax-return service industry as an online government provided tax database would virtually eliminate their industry.
Do these questions and concerns mean that e-Estonia is a cul-de-sac and not really transferrable to other countries? Of course not. These arguments can also be applied to the “stone age” system the rest of the world uses. If a hacker gets access to the online database, it is possible that they may leave a trail and even though discovering the trace of a hacker takes time, if the breach is unveiled, it can be fixed, and the system most likely reviewed to learn how it can be improved. Unfortunately, attribution in cases of a cyber attack doesn’t come without its own flaws; if an attack can be attributed to be from a certain party, discovering the infiltration and the party responsible can take several months or years. On the other hand, if someone walks into a doctor’s office and makes a copy of a patient’s medical history, there is no trace or trail or system to improve besides maybe changing a lock and installing a surveillance system. Ultimately, neither system assures the complete safety from an attack or information leak so it is up to other countries to decide whether a national online government database is a step in the right direction.
Jasmine Hernandez was a guest research fellow at the International Centre for Defence and Security (ICDS) in August of 2016. Her research focuses on transatlantic cyber-security and data-protection policy in reference to the United States and the European Union (EU). During her time at ICDS, Jasmine performed interviews and research in relation to Estonia’s e-government system and its cyber-security policy. Jasmine is based at the German Council on Foreign Relations (DGAP) in Berlin where she is leading an independent research project as a German Chancellor Fellow funded by the Alexander von Humboldt Foundation. She holds a Bachelor’s degree in Political Science with a special focus on pre-law studies and international political affairs.
This article first appeared on the blog of the International Centre for Defence and Security (ICDS). The center aims to advance the transatlantic community’s strategic thinking on the security challenges facing the Baltic-Nordic region, from armed or cyber attacks to threats against social cohesion and energy security.