e-Residency in Estonia, Part IV: Wherein I Imagine How the Estonian Digital ID Card Could be Useful

By Benjamin Wittes
Monday, April 25, 2016, 8:12 AM

I have a confession to make: Since I used my Estonian digital ID card to swap letters with President Toomas Ilves, I have barely touched it. I keep it in my wallet, prepared to prove my identity at a moment’s notice to anyone online who demands proof that I really am Benjamin Wittes. I am ready, desperate even, to digitally sign things. I am eager to swap encrypted, signed documents with anyone who has important business to transact with me. I’m itching to do business with my government online.

But there’s a problem: It’s called network effects. I don’t know a lot of Estonians, and the digital ID card, nifty though it is, isn’t in widespread use outside of the tiny Baltic nation, where I’m not planning to do business. Among people I know, very few have the card; the only exception is the estimable Edward Lucas of the Economist, with whom my communications are not especially sensitive. And if people don’t have the card, companies don’t incorporate it into their systems. So while I can send secure, signed letters, I have nobody to send them to. And I can’t transact government business, because I don’t file Estonian taxes.

As they used to say in the 60s, what if you had a secure digital ID and nobody came?

The gap between the potential and the reality of the digital ID card is pretty stark. In principle, the card could be part of a major cybersecurity breakthrough. Using a combination of math and sovereignty, it allows online identity verification to a far higher degree of reliability than digital life normally offers. That’s potentially key to all sorts of applications, because it gives the recipient of a communication a far higher degree of confidence that the sender really is the person whose name is on the account. But in practice, users will not get the card unless service providers make it worth their while to do so. And without a large user base outside of Estonia, there’s no reason for service providers to incorporate it.

That’s a real shame, because it’s not hard to think of use cases for the card in day-to-day life, uses that would improve both convenience and security for countless people. For these use cases to work, however, a variety of institutions are going to have to take steps—leaps of faith, you might say—to encourage the card’s use and development.

First, there are improvements that the government of Estonia could make to the digital identification system that would make it far more useful for the average user. Currently, the card allows the holder to encrypt and sign a document, which can then be emailed. But it doesn’t allow for the encryption or signing of an email itself. As to encryption, this is not the biggest problem in the world. PGP has been around a long time; and users who want to encrypt communications have lots of ways of doing so.

What the card uniquely allows, however, is a legal signature whose validity a sovereign government will stand behind. There should be a way of affixing a signature to emails and to web-based content. I should be able to sign this post, and a reader should be able to verify that my signature, and thus my byline, is for real. Such a capability would, over time, allow readers to factor a lack of a signature into their trust calculations for unsigned content and communications—just as we look askance at a piece of art said to be by a particular artist but not bearing her distinctive signature or at a letter from a financial institution that doesn’t have evidence of authenticity.

Second and relatedly, it is important that the card be readable by mobile devices. My Mac handles the card just fine. My iPhone has no way to interface with it. That’s a problem in a world that’s increasingly driven by mobile devices. If the card is to attract users, it has to be useful—and trivially easy to use—for the most routine of communications.

Third, even in the absence of widespread user adoption, technology companies should consider—after evaluating the card’s security and satisfying themselves that it is all the Estonians claim it to be—making the card an authentication option for logins. Facebook and Google, to a considerable degree, already play a user-authenticating role for many websites, which allow users to log in using their accounts with the internet giants. By allowing the tech giants to manage our digital identities, users can remember many fewer passwords, and Google’s and Facebook’s security are far better than individual users’ to boot.

The trouble is that both Facebook and Google still allow users to use weak passwords. They allow, but do not require, two-step verification. And they don’t require a physical token for access. The Estonian card, by contrast, has inherent two-step verification, because it requires both the card itself and the PIN associated with the card. It can’t be guessed, because it requires the physical chip on the card. So if companies were to implement login options through the card, they could both increase their own confidence that the logged-in user is who he claims to be and, simultaneously, ease the password management burden on their customers. Widespread adoption of the card as a login option could thus increase security (because most passwords are duplicative and weak) and consumer convenience. If Facebook, Google, and Twitter led the way on this, a lot of other institutions would follow.

Fourth, the United States government should take a formal position on the Estonian card. I recently received an email from a gentleman with a security clearance asking if I knew what the implications of applying for the card are for people who hold security clearances. I don’t. Under the clearance guidelines, is becoming an e-resident of a foreign nation the same as acquiring dual-citizenship? I also don’t know how the U.S. government assesses the card from a security standpoint—they might view the card as reasonably secure, as mediocre, as weak, or as laughable. These questions seem to me very important. The card is a much more viable proposition for widespread adoption if other governments consider its use by their nationals as a constructive step toward greater cybersecurity hygiene than if they consider it an untoward act of affiliation with a foreign sovereign. The Estonian card is a very different animal if the American government encourages Americans to use it than if it discourages it or stays mum on the subject.

So here’s an idea for the newly-transparent NSA: As part of its best practices guidance for personal network security, which includes recommendations on full-disk encryption and sandboxing with reference to specific products, how about some guidance on the Estonian card? Is this something that, in the view of the U.S. government, Americans should use?

Finally, other governments should consider issuing their own digital identity cards, perhaps using the Estonian algorithms if they assess them as secure, perhaps using their own if they think they can do better. Without getting into the thorny question of a national identification card, I think it’s safe to say that a purely voluntary program in which your sovereign government authenticates your digital identity online both to other individuals and to corporations and foreign entities is no more likely to bring on the black helicopters than is the issuance of passports. Right now, the only government willing to authenticate my digital self is a tiny Baltic nation in which I have never set foot. That seems odd. But the oddness only raises the question: Why is our own country not stepping up to do this?

The real answer to the network effects problem is for other countries to follow Estonia’s lead and bring their citizens—or perhaps we should call them users—along.
