September 12, 2016

Estonia’s Information Society Development from a Privacy and Data Protection Perspective

Today Estonia has the most technologically advanced government system the world has seen. Even though the small Baltic state yields a population of only 1.3 million, it is known for its e-government system that has everyone applying to be an e-resident of Estonia, even the Japanese Prime Minister.

Putting Silicon Valley to shame, today almost all of Estonia’s government services are managed online. Citizens have chip-and-pin identity cards and can manage their errands from wherever there are wireless or fixed broadband connections that cover almost all of the country’s territory. Wireless Internet access points are available in many public places.* The e-state doesn’t stop just there; by 2000, cabinet meetings went paperless and by 2005, the government had introduced e-voting; something that states in U.S. have just begun to implement. But what about the rigorous task of completing tax returns every year or the bureaucratic nightmare of creating a business? No problem, Estonia has you covered here too as both can be done in a matter of minutes. Once an e-resident, one can even run their Estonian business from anywhere in the world. So what’s not to love? A visit to the e-Estonia Showroom in Tallinn leaves one in awe with the question of why other countries are stuck in the “stone age” and not getting on board with an e-government system. What’s the problem then?

There are various concerns from two different groups when addressing this question. While both issues deal with data protection and security, governments and citizens may address these priorities differently.

In April of 2007, Estonia underwent a series of cyber attacks consequent to political and societal tension after a Soviet-era memorial in Tallinn was relocated. The attacks lasted for several weeks and caused damage to the online government infrastructure, everyday life to citizens, and prevented media coverage of the attacks from Estonia as online media outlets were among the first to be attacked. Since the infamous cyber attacks from 2007, new measures and security systems have been implemented to prevent this from happening again. There are several checks put into place to deter hackers from gaining access to the online databases of information and the government takes several measures to protect the infrastructure from potential attacks.

Citizens have the power to log in to the State Portal and see which entities have access to what information. If one wishes to examine who has access to their personal data or when that information was accessed, then one only needs to submit a request or application. Some would yet argue that regardless of the measures implemented, technical measures (e.g. firewalls, security tokens, etc.) cannot guarantee 100% protection from a cyber attack. While this is true, it is only because a utopian 100% safe cyber security system does not exist.

While cyber attacks are a concern for a government and its citizens, the protection of data and privacy are also main concerns in analyzing the e-government system. A citizen may be more reluctant to transfer their tax information, medical history, prescriptions, and business information online, knowing that it may simplify access of the information to a third party. However, because Estonians trust the secure two-factor authentication they use through their digital ID, privacy and data is less of a concern for them. In other parts of the EU, concern for privacy and data protection was at its highest after the NSA-scandal of 2013. Furthermore, what may worry citizens does not just concern privacy, but also employment. When banking and tax returns are completed online, then the need to outsource for tax-return help or to take a trip to a local bank becomes obsolete. While Estonia maintains a healthy 5% unemployment rate, it is a small country and therefore the process to transitioning to an e-government system is arguably much smoother than it would be in larger countries. In the U.S. for example, there would be pushback from the healthy and wealthy tax-return service industry as an online government provided tax database would virtually eliminate their industry.

Do these questions and concerns mean that e-Estonia is a cul-de-sac and not really transferrable to other countries? Of course not. These arguments can also be applied to the “stone age” system the rest of the world uses. If a hacker gets access to the online database, it is possible that they may leave a trail and even though discovering the trace of a hacker takes time, if the breach is unveiled, it can be fixed, and the system most likely reviewed to learn how it can be improved. Unfortunately, attribution in cases of a cyber attack doesn’t come without its own flaws; if an attack can be attributed to be from a certain party, discovering the infiltration and the party responsible can take several months or years. On the other hand, if someone walks into a doctor’s office and makes a copy of a patient’s medical history, there is no trace or trail or system to improve besides maybe changing a lock and installing a surveillance system. Ultimately, neither system assures the complete safety from an attack or information leak so it is up to other countries to decide whether a national online government database is a step in the right direction.
* This post originally stated incorrectly that the government-built free Wi-Fi network covers 100% of the Estonia’s territory. Free Wi-Fi is provided in many public places, but it does not cover all of the country’s territory. The post has been updated to reflect this.

Filed under: CommentaryTagged with: