Acceptance Speech at the Bertelsmann Stiftung’s Annual Mohn Prize Ceremony, 29 June 2017
I am deeply honoured to receive the Mohn Prize for 2017.
What Estonia has accomplished in the past quarter-century is the work of many people. I did outline back then what at the time was considered a quirky and impossible vision, but so many smart people took to the idea that soon Estonia and Estonians were racing ahead on their own. It took a spark to light a torch that was then carried by many. Call it the Zeitgeist—one of the few German words English-speakers know.
At times, when good ideas ran up against silly, old-fashioned or ill-informed policy, I did my best to unblock the path for those ideas to move forward and to prod those opposed to give them a chance. When bright ideas needed encouragement, I always recalled how hard it had been in 1995 to talk about digitisation to a sceptical, if not hostile, public—and yes, at times, an unconvinced government. This is hard to imagine today, when, regardless of which parties are in office, e-Estonia has overwhelming public support. So, thank you to all those courageous and creative people who have done so much to make Estonia what it is today.
Security in the Cyber Age Cannot Come at the Cost of Pre-digital Freedoms
I should begin with a cautionary note. After the past year or so, the digital world has become far more frightening than it was. We read daily of hacks, stolen data, invasions of privacy, massive malware attacks. We see our very own democratic systems under attack, in ways thought unconceivable or impossible a decade ago. Servers at the Bundestag, Emmanuel Macron’s campaign and the Democratic National Committee were broken into, and private correspondence stolen. This was posted online, at times in altered form, generating fake news. Robots or bots on social media rebroadcast these fake or falsified stories and hoaxes to millions of accounts, and they were rebroadcast again by people. Social media itself allows big data analytics companies to profile and then target individuals in ways never done in the past. And finally (at least at the time of writing), electoral rolls are hacked and voters’ data stolen by a foreign power. To what end? We don’t yet know.
All of the disruptions to democracy I just mentioned make us worry. Some, the Luddites, want to stop and turn back the clock to a paper age. Others, for different reasons, instead want to increase “security” by restricting our freedoms and privacy. And then there are those who do not wish to take the steps needed to guarantee both our electoral democracy in the digital age and our security, all because of a lack of understanding.
Let me be clear: security in the cyber age does not and cannot come at the cost of fundamental pre-digital freedoms. Estonia, my country, is proof of this. Last week, the International Telegraph Union, better known as the ITU—which is the UN body responsible for internet issues—published its survey of cyber-security around the world. Estonia ranks in first place in Europe, better than any other country on the continent, and the number two is Norway, which is not in the EU.
Internet security in Estonia has not, however, come at the expense of freedom. In its survey, Freedom House ranks and has continually ranked Estonia as number one in the world for internet freedom. Russia, on the other hand, which is number one in the CIS survey on cyber-security, ranks 65th out of 88 countries surveyed. So that gives you some contrast between security and democracy and how different solutions worked.
Of course, cyber-security can be achieved in a number of ways. As I mentioned, Russia is number one in cyber-security among the CIS countries, which is all the more reason to look at other measures, such as internet freedom, in order to assess the relationship between security and freedom, things that unfortunately governments even in Europe too often say are a trade-off—that you have to give up some freedom for security.
What these two studies, taken together, most clearly show is that there is no necessary trade-off or contingent relationship between security and freedom. You can have both. This is especially important to keep in mind amidst the barrage of proposals across the democratic West that, in the internet era, it is necessary to compromise on freedom in order to guarantee security. The UK government, the US Attorney General and EU Justice Commissioner Věra Jourová all want to mandate “backdoors” to get into encryption keys that guarantee the security of communications, backdoors that would allow someone or government to get into your private mails. These backdoors would be held in the hands of governments (or the EU Commission). There are a number of such proposals right now all over the West.
Of course, this recourse to backdoors is a result of a spate of terrorist attacks in Europe and the US, where it is asserted that terrorists used encryption to thwart the authorities’ efforts to listen in on their communications. Never mind the series of embarrassing revelations that the authorities had been given advance warning about concrete, known terrorists (in the Brussels, Berlin and recent London attacks). Backdoors wouldn’t have helped there—it would have been better to listen to allies. But politicians nonetheless continue to demand backdoors.
Rarely are such proposals reasoned. For one, even if backdoors are installed on one or another “app”, nothing prevents one from using a different encryption system. The only ones who would be subject to backdoors would be those who have no terrorist intent but value their privacy—which, as we know, is not guaranteed either in the case of telephony or texts.
Secondly, and I think much more importantly, as soon as a government—or, even more preposterously, the European Commission—adopts a backdoor, it becomes the Holy Grail of all hackers across the world. What could be more enticing, either for prestige or for financial gain, than to steal the Keys to the Kingdom? Would we really entrust the European Commission—or any national government, for that matter—to hold the keys to all encrypted communication? When even the CIA has been hacked with a series of zero-day exploits, and stolen malware—which we now experience, most recently with the WannaCry ransomware that , inter alia, brought down the UK’s National Health Service—means they can hack anything?
Nor do you need fear only hackers. As former NSA employees Edward Snowden and, more recently, Reality Winner have shown, “insider threats”—someone inside driven by personal disgruntlement, ideology or money—can simply steal the keys, simply steal that Holy Grail. The effect, though, is the same as for a hack: someone will obtain the keys to all encrypted communications, except for those who really want to use encryption and will use alternatives anyway.
What to conclude from this? First, there is an appalling lack of thinking about the implications of government-mandated “backdoors”. It strikes me, as a former political leader, that my colleagues don’t really understand what they are proposing, the impossibility and the impracticality of such proposals.
To understand this issue, I have to go back to Estonia and a lesson I’ve learned over and over and shown empirically in the World Bank Development Report, “Digital Dividends”, which I helped to co-produce and which was mentioned in the film here.
The lesson is this: how we tackle this Brave New Digital World is not a digital solution, it is an analogue task. It comes down to three things: policies, laws and regulation. None of these are digital. They are made by human beings, and only human beings can create them.
This is where a third study comes in. Yes, Estonia has the greatest internet freedom in the world, and it has the best cyber security in Europe; but a third study, the European Union’s Digital Economy and Society Index 2017, rates Estonia as first in provision of online public services.
In other words, in this Hobbesian world of the internet, Estonians are more secure and enjoy greater freedom, because we have taken care to offer our citizens security where it matters and let them be free where there is no need to force a fake security.
Technology is Digital, Societies are Analogue
Let me briefly tell you what I think is needed and what we have done in my country over the past 25 years.
1. You need a strong digital identity that is guaranteed by the government—in Germany’s case, either by the Länder or the Federal government. Today, bad actors can enter your life not physically but online. In the physical world, governments demand and also issue passports in order to know who is who, and who crosses their borders.
But in the digital world we don’t generally do this. In Estonia, we do—because in the digital world your borders are crossed by electrons and not by people. As we have seen over and over, and are seeing currently all over the world with the latest malware, they don’t have to cross your border physically to do damage, even physical damage. In a digital world where there are no borders, a digital identity is your passport; and you have to be your own border guard by using it.
Or, to put it a little differently, in the world there are 4.2 billion people using the internet. [US] Vice President Al Gore talked about the information highway; so we have now an information autobahn with 4.2 billion people driving on it, but only the cars owned by Estonians have licence plates.
2. To get the benefits of digitisation or digitalisation, you need to give this digital identity legal status, i.e. to make a digital identity something that can offer a legal signature, equivalent to a physical signature. All transactions requiring a physical signature must be possible with a digital one if we want all of the things that we do today on paper to work in the digital world too.
In Estonia, there are actually only two transactions that must be done physically, requiring a physical signature (and also the presence of witnesses)—when you get married and when you get divorced. Everything else, you can do strictly digitally. But to have a legal digital signature—and here is the hard part—you must tie the digital identity to a national registry, just as your passport is. The German Bürgerkaart, for example, lacks that feature, which is why you don’t have a legal digital signature in Germany. Apart from that, you have all the infrastructure in place. It is an analogue, a political, decision. That’s why I say: it’s not simply a digital issue, you need a political decision to do that.
3. A digital identity must be mandatory and universal. This is much more a by-product of socioeconomic motivation. Why must you make the digital ID mandatory and universal? Practice shows that if a digital ID is optional, optimally 15–20% of the population will take it up. Look at it, though, from the perspective of the private sector or even a government. Imagine only 15% of the population can possibly use a service—say, digital prescriptions, which we have in Estonia. Why would the government or the pharmacies bother spending the time and money to develop the service digitally when 85% of population can’t even use it? From a corporate or government policy perspective, though, our practice shows that if you develop it, they will come. In four months, Estonia went from single users of digital prescriptions to more than 98% being issued digitally. That was simply because the service was created, people discovered it and they started to use it—because they discovered a new use for their digital ID card, an immensely convenient use.
4. Use the power of the ID to transform bureaucracy, dramatically cutting costs, and—more importantly—saving time. Bureaucracy in the world is about 5,000 years old. One thing in bureaucracy has, however, never changed: it has always been a serial process. One step, followed by another, followed by another. A document—be it in hieroglyphics on papyrus 5,000 years ago or today as an attachment to an email—will go to one office, where it is approved, then to the next department, then to the next office, one after the other, and so on. Serially. With a digital ID, all the necessary searches and steps are done in parallel.
This is also why in Estonia we have a “once only” regulation; the government may never ask you for information it already has. This is also why you can register a company in Estonia in 15 minutes—and note that all the checks and controls used by the rest of the EU for establishing business are followed in Estonia. Because we are not serial but do things in parallel, it is done quickly.
5. Interactions with an identity must be highly secure. I shall not go into the details, but let me just say that all our communications are at RSA 2048, which is a level of encryption no one can break at this point. Some day they will be able to do it, but right now no one can, and we will have to do something new before it is cracked. It must also be secure from the government. We know our system can work if, and only if, the citizen knows the government cannot look at his or her data.
This is why I mentioned backdoors—if the EU adopts a backdoor that includes Estonian citizens’ encrypted data, our system will collapse. It is all based on trust: trust that the government is not going into your private data without your permission and that all data remain private.
6. Finally, you need the proper architecture for what people call the back end, the backbone of the system—what goes on when you log on to the system, where all the connections are made. We use something called a distributed data exchange layer, which means every interaction is directly between the user and a server, and it is authenticated each time to prevent anyone getting in who shouldn’t.
This also means that once you get in, you see only what you are authorised to see, and you also can see who has been looking when they are permitted, as in the case of, say, public property records. Which means one person can’t steal another’s data—let alone an entire database, as we have seen happen in the last several years.
All of these solutions are technological and digital, but they all require the analogue: policies, laws and regulation. That is the hard part—the technology is easy. Technology is everywhere and it is, if you think of its power, amazingly cheap. Any government or state can get the technology. Not every government, however, has the courage to adopt a policy or the right kind of laws.
Moreover, the technology Estonia mainly used was available to all 25 years ago. What was innovative, and what Estonia does, is to develop the policies, regulations and laws that enable us to use what actually is, by digital-era standards, old technology.
That is the really the difference. It’s not that what Estonia does is technologically so advanced—although sometimes in Brussels people will go up to an Estonian and say “Oh, you’re Estonian, can you please fix my computer?” It’s not quite like that.
So, what is it, then, that explains the huge difference between countries, even within Europe? It is the willingness of policymakers to make policy, lawmakers to enact laws and regulators, who have the backing of the laws, to regulate.
Technology is digital, societies are analogue. Unfortunately, for far too long they have been considered disparate realms—where the two worlds stand isolated and apart.
The “Two Cultures” in the Digital Era
Let me to go to the philosophical side of this for a bit. I’ll give you two examples.
The first dates to when the iPhone had just come out. I discovered an app that I could download to find out where I had been. I downloaded this app and on my screen appeared a map with a big fat line between my home and my office, and then smaller, grey lines to places in my country I had travelled to less. I looked at it and thought: someone can collect the data of where I have been and no one has asked if they may. Some geek simply thought this was a great idea. It probably is a great idea, but no one ever asked permission. So, the technology side is proceeding without thinking about the fundamental assumptions of a liberal democracy.
The second experience dates from when I gave a talk in the European Parliament in 2014 on the digital single market—Estonia’s big idea for its presidency, which begins this Saturday. I told the audience that Moore’s Law—that a microchip doubles in power every one and a half years—means that when you have your next election in four and a half years, that’ll be three iterations of Moore’s Law. This means that your computer will be two to the third power more powerful than today. And one of the members of the European Parliament just called out: “What is two to the third power?” That is sixth-grade mathematics. If the people in the parliament making our laws do not understand even something as basic as that, then how do we put these two worlds together? How do we do that?
Back in 1959, a British physical chemist at Cambridge, C.P. Snow—who was, incidentally, also a literary novelist, and coined the expression “the corridors of power”—published an essay titled, “The Two Cultures” about these two worlds.
His metaphor to describe these two cultures was the dining club of his college in Cambridge. As a physical chemist, he could sit with the physicists and the chemists and discuss quantum mechanics. And then he could go to have a drink with the poets and novelists at the other table, because he was a novelist. But he was the only person in the entire college who could walk between the two tables and have a discussion. People on the literary side or humanities side had no interest in or idea of what the physicists were doing. And the physicists felt exactly the same towards the people in humanities.
When he wrote this essay, he was describing the university. It didn’t really apply to society at large at the time, because technology in science was something that people did not experience directly. It was passive: you could watch the television but it couldn’t watch you. You could talk on the phone but, if you left your phone and walked outside, it didn’t know where you were. It was a passive relationship. Today all of our technology is intrusive, two-way, and it can come back and look at us. Which means that what we really have to deal with far more seriously in the context of the two cultures is not just to think of it as a problem of a university but as a problem of society today. This is what obligates us to understand technology if we are on the law side and, just as importantly, the technologists must understand what is appropriate in a liberal democracy and what is not.
So, I will end with this: a plea for policymakers to learn what technology is about, and a plea for the geeks—those who devise the programs, algorithms and the apps that we use—to learn to understand what a liberal democracy is, what the fundamental rights and freedoms are, when something intrudes upon the rights and freedoms of the people using the technology that you develop. To understand that liberal democracies stand on three pillars—free and fair elections, the rechtstaat or “rule of law”, and fundamental rights and freedoms guaranteed constitutionally—and that they must be preserved in this new digital age.
This is the real challenge of this brave new digital era: to maintain our democracy in the face of exponential change. That is a matter of policy, not electrons.