The other day, I received a letter from Estonian President Toomas Hendrik Ilves. It came in the form of an unadorned Microsoft Word file called "wittes.docx." It did not bear President Ilves's John Hancock. Nor was it on the letterhead of the office of the Estonian Presidency.
Yet unlike the many emails I have received from deposed African presidents and potentates promising to give me hundreds of millions of dollars if I would only wire them $10,000 to get the ball rolling, I know that this letter actually came from President Ilves himself. I know this to a near certainty because of a fascinating combination of math and sovereignty that has the nation of Estonia and a lot of good encryption standing behind the digital signature Ilves attached to this Word file.
In prior posts in this series, I have described the process of applying for Estonian digital residency and the process of picking up my e-Residency card, and I have noted Ilves's thoughts on the e-Residency card in relation to the "going dark" debate in the United States. In this post, I am going to describe what's in that nifty blue box I picked up at the Estonian embassy, how the card works and what it can do, and why I think non-Estonians have a lot to gain—and even if not, certainly a lot to learn—from this fascinating experiment in cybersecurity.
I left the Estonian embassy with a box containing the card itself, a small USB card reader, a sealed envelope containing two PINs, and some legal materials about which I have already posted. The card looks like an ordinary modern credit card with a chip on one side of it. It is not, however, linked to a financial institution but to a registry of names, national identification numbers, and public encryption keys. Using an open source encryption system, it is designed simply to verify my identity, even remotely, in combination with the two PINs that come with it. The basic idea is that the combination of having my card and knowing the appropriate PINs is pretty good proof that someone is Benjamin Wittes. The PINs can be changed at any time, and the card itself is useless without them. The four-digit PIN is for identity verification (logging into web sites, for example). The five-digit PIN, by contrast, is to authorize actions (signing documents and the like).
So in principle, you could use this card instead of all of the passwords you need to remember—if websites implemented the system as a login option, much the way many now let you log in using Facebook and Google as your identity agent. Assuming adoption by the right institutions, you could also use it for financial transactions, to conduct government business, and to give permission to your health care provider to transfer your medical records to a new doctor. I will have more to say in a subsequent post about possible use cases for the card for non-Estonians.
The card reader plugs into any USB port. It also folds up into something the size of a large pen cap. When the card is plugged into a computer, software interfacing with the reader will recognize who the user is. So the idea is that you carry your card in your wallet, your card reader with your laptop, and your PINs in your head. Between them all, you have an identity-proving system that works as well in person as it does online. You can prove to an interlocutor that you are who you claim to be, whether that interlocutor is standing in front of you or halfway around the world.
If you happen to want to do business in Estonia, getting an e-Residency card is a no brainer. You can use it to log into government web sites, file your taxes, start a business, or open a bank account. Estonians have been using this system for years now and have the most electronically wired government service sector in the world. (I know of no reports that the card or the registry system has been successfully attacked, though that is always a concern.)
For non-Estonians who don't have specific engagement with the country—particularly those who do not want to be first adopters for a technology nobody uses yet so they can write about it—the current uses for the card are limited. That said, there are a few that, particularly in combination with one another, are rather interesting and I think should get more attention than they have. To wit, the card enables you to digitally sign any electronic document in a fashion that the government of Estonia recognizes as a legal signature and formally stands behind as having been made by you. In other words, you can send someone a letter that a sovereign government authenticates as having come from you and nobody else.
I wrote such a letter the other day and sent it to Ilves.
Instead of signing it physically, I downloaded two pieces of software that interface with the card.
With the card reader plugged into my Mac's USB port, the software recognized me and allowed me to sign the document using descriptive information of my choice. After asking me for one of my PINs, the software created a container file, "President Ilves Letter.bdoc," which contained both the underlying letter file and the signature. The technical details of the signature are available for inspection.
The combination of sovereignty and math here is powerful. This signature means that a sovereign state has put its credibility behind the idea that this letter really is from me. And it also means that a publicly reviewable encryption protocol says the same thing.
Yes, someone could be holding a gun to my head and forcing me to use my card and PIN to create this file. And yes, it's also possible that someone could have stolen my card and gotten my PINs and created the file before I had a chance to cancel either. And it's possible too that someone has compromised the system itself. But all of these are far less likely than, say, that your passwords have been compromised or your credit cards stolen, and you rely on those security measures every day. And an Estonian electronic signature is dramatically more reliable than the emails we rely on every day, which contain no authentication mechanism whatsoever.
Consider this: If you got a letter in your email box purporting to be from the President of an Eastern European country, would you have confidence in it?
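To make the moving parts concrete, here is an added Go example (not Estonia's own ID-card software, and not code from this post) that models what the preceding paragraphs describe: a card holding a private signing key that only operates when given the signing PIN, a state-run registry mapping an ID code to the matching public key, a .bdoc-style container carrying the document, its detached signature and the signer's ID code, and a verifier that trusts the registry rather than anything inside the file. The ID codes, PINs, type names and the choice of Ed25519 are assumptions made for the example; the real card's algorithms and container format differ, and the real registry is built on certificates rather than a bare map.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Registry is the state-run lookup from national ID code to signing public key.
// Only public material lives here; the private key stays on the card.
type Registry map[string]ed25519.PublicKey

// Card models the chip: a private key that never leaves it, unlocked by the signing PIN.
type Card struct {
	ID      string
	pin2    string // 5-digit signing PIN (the 4-digit PIN1 is for identity checks, not modelled here)
	signKey ed25519.PrivateKey
}

// IssueCard generates the card's signing key pair and publishes only the public half.
// ID codes and PINs passed in are constructed values for the example.
func IssueCard(reg Registry, id, pin2 string) *Card {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // only a CSPRNG failure gets here
	}
	reg[id] = pub
	return &Card{ID: id, pin2: pin2, signKey: priv}
}

// Signed stands in for the .bdoc container: the document, a detached signature,
// and the signer's ID code so a verifier knows which registry entry to consult.
type Signed struct {
	SignerID  string
	Doc       []byte
	Signature []byte
}

// Sign refuses to operate without the signing PIN; possession of the card alone is not enough.
func (c *Card) Sign(pin string, doc []byte) (Signed, error) {
	if pin != c.pin2 {
		return Signed{}, fmt.Errorf("wrong signing PIN")
	}
	return Signed{SignerID: c.ID, Doc: doc, Signature: ed25519.Sign(c.signKey, doc)}, nil
}

// Verify is the recipient's side. Trust comes from the registry lookup, not from
// anything inside the file: a container naming an unregistered signer, or whose
// document was altered after signing, fails.
func Verify(reg Registry, s Signed) bool {
	pub, ok := reg[s.SignerID]
	return ok && ed25519.Verify(pub, s.Doc, s.Signature)
}

func main() {
	reg := Registry{}
	card := IssueCard(reg, "ID-SENDER-0001", "12345") // constructed ID code and PIN
	letter := []byte("Dear President Ilves, ...")

	if _, err := card.Sign("00000", letter); err != nil {
		fmt.Println("wrong PIN:", err)
	}
	signed, _ := card.Sign("12345", letter)
	fmt.Println("genuine letter verifies:", Verify(reg, signed))

	tampered := signed
	tampered.Doc = []byte("Dear President Ilves, (altered after signing)")
	fmt.Println("altered letter verifies:", Verify(reg, tampered))

	forged := signed
	forged.SignerID = "ID-NOBODY-0000"
	fmt.Println("unregistered signer verifies:", Verify(reg, forged))
}
```

The three negative cases in `main` are the point: the PIN gates the card, the signature binds the exact bytes of the document, and the registry decides whose key is consulted, so a file that merely claims to be from a given ID code proves nothing until the lookup and the signature check both pass.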
As an added measure of security, the software also lets the user encrypt a signed document (or an unsigned one) for the sole eyes of another card holder. This works very much like any other public key encryption system. To send President Ilves this letter, I needed his identity card number. This allowed me to encrypt the .bdoc file such that only he, using his identity card, would be able to decrypt it. The result is a file in the .cdoc format, which I then attached in Gmail to an email I sent to President Ilves's account.
Let's pause to consider that .cdoc file for a moment, for I think it is a unique type of file in the history of computing, law, sovereignty and communications.
It is a file that—assuming for a moment that the card's algorithms and implementation have integrity—was verifiably encoded by a particular person (me), can only be decrypted by the addressee (President Ilves), has the legal status of a signed document (at least in Estonia), and has a national entity (the state of Estonia) acting as the verifier both of the security of the communication and of the legal authenticity of the signature. That's a lot of work for a little card.
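The .cdoc step, as an added Go example in the same spirit (not the post's code and not Estonia's): the sender needs nothing from the addressee but an ID code, looks up that card's public key in the registry, derives a one-time key with X25519 and seals the payload with AES-256-GCM, binding the addressee's ID code into the authenticated data. Only the card holding the matching private key, unlocked by its PIN, can open the result; a wrong PIN, another card, a re-addressed container or a ciphertext altered in transit all produce an error rather than a wrong plaintext. X25519, AES-GCM, the hash-based key derivation, the type names, the ID codes and the PINs are assumptions for the example, not the real format's choices.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Registry is the state-run lookup from national ID code to the card's encryption public key.
type Registry map[string]*ecdh.PublicKey

// Card holds the matching private key; it never leaves the chip and is unlocked by a PIN.
type Card struct {
	ID   string
	pin  string // assumed here to be the 4-digit identity PIN rather than the signing PIN
	priv *ecdh.PrivateKey
}

// IssueCard generates an X25519 key pair and publishes only the public half.
func IssueCard(reg Registry, id, pin string) *Card {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // only a CSPRNG failure gets here
	}
	reg[id] = priv.PublicKey()
	return &Card{ID: id, pin: pin, priv: priv}
}

// Encrypted stands in for the .cdoc container: the addressee, a one-time public key,
// and an AES-256-GCM ciphertext that only the addressee's card key can open.
type Encrypted struct {
	RecipientID  string
	EphemeralPub []byte
	Ciphertext   []byte
}

// gcmFrom hashes the X25519 shared secret into an AES-256-GCM key (a minimal KDF).
func gcmFrom(shared []byte) cipher.AEAD {
	key := sha256.Sum256(shared)
	block, _ := aes.NewCipher(key[:]) // a 32-byte key cannot fail
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// zeroNonce is safe only because each message is sealed under a fresh ephemeral key.
var zeroNonce = make([]byte, 12)

// EncryptFor needs only the addressee's ID code; the public key comes from the registry.
func EncryptFor(reg Registry, recipientID string, payload []byte) (Encrypted, error) {
	pub, ok := reg[recipientID]
	if !ok {
		return Encrypted{}, fmt.Errorf("no registry entry for %s", recipientID)
	}
	eph, err := ecdh.X25519().GenerateKey(rand.Reader) // one-time key per message
	if err != nil {
		return Encrypted{}, err
	}
	shared, err := eph.ECDH(pub)
	if err != nil {
		return Encrypted{}, err
	}
	ct := gcmFrom(shared).Seal(nil, zeroNonce, payload, []byte(recipientID)) // ID bound as AAD
	return Encrypted{RecipientID: recipientID, EphemeralPub: eph.PublicKey().Bytes(), Ciphertext: ct}, nil
}

// Decrypt needs the addressee's card and PIN. Any other card, a wrong PIN, or a
// ciphertext altered in transit yields an error, never a wrong plaintext.
func (c *Card) Decrypt(pin string, e Encrypted) ([]byte, error) {
	if pin != c.pin || e.RecipientID != c.ID {
		return nil, fmt.Errorf("wrong PIN or not addressed to this card")
	}
	ephPub, err := ecdh.X25519().NewPublicKey(e.EphemeralPub)
	if err != nil {
		return nil, err
	}
	shared, err := c.priv.ECDH(ephPub)
	if err != nil {
		return nil, err
	}
	return gcmFrom(shared).Open(nil, zeroNonce, e.Ciphertext, []byte(e.RecipientID))
}

func main() {
	reg := Registry{}
	me := IssueCard(reg, "ID-SENDER-0001", "1234") // constructed ID codes and PINs
	president := IssueCard(reg, "ID-RECIPIENT-0002", "4321")
	sealed, _ := EncryptFor(reg, president.ID, []byte("Dear President Ilves, ..."))
	plain, err := president.Decrypt("4321", sealed)
	fmt.Printf("addressee reads: %q (err=%v)\n", plain, err)
	_, err = me.Decrypt("1234", sealed)
	fmt.Println("sender's own card cannot read it:", err)
}
```

Two design points worth noticing: the sender never sees the addressee's private key and never exchanges anything with them beforehand, exactly the property the post relies on when it says only the holder of the right card can decrypt; and the fixed nonce is acceptable only because the AES key is derived from a fresh ephemeral key for every message, so no key is ever reused. Re-addressing a container to a different ID code fails because that card derives a different shared secret and because the ID code is part of the authenticated data.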
President Ilves wrote back shortly after I sent this letter. His note was not encrypted but it did contain a digital signature, verifying that he was the real author.
How important is this kind of secure, signed communication? Honestly, I'm not sure. In a world that hasn't (yet) adopted this technology, going around signing documents with an Estonian digital stamp of approval would be pretty eccentric, a little like using sealing wax with a ring bearing a signet nobody recognizes. What's more, the technology could use some improvement—better integration with email, for starters, so that users can sign emails themselves, rather than simply documents attached to them.
That said, I think the central Estonian point here—that online interactions require trust, and that trust requires identity verification—is unassailable. And the country's approach to identity verification seems intuitive and sensible. When we travel abroad, our own countries issue us identification; the passport represents a means of verifying who we are using the sovereign authority of our home countries. Estonia is doing something similar, if far more cosmopolitan, here. It is saying that it will use its national authority to verify the identity online of anyone who wishes it to do so. That's an idea, and an offer, worth taking very seriously.