Data tracker – tool that builds trust in institutions

September 2019

by Federico Plantera

Technology and new tools open wide the doors to new possibilities in e-governance, that’s out of doubt. Equally relevant, however, is to subscribe to basic principles guiding the journey of citizens and governments in a digital society. Transparency, and the privacy of people’s personal information in data exchange, are among those principles. They are fundamental to foster trust in the effective functioning of the whole system.

The right to the protection of personal data and the right to public information figure in the Estonian constitution. In the event of violations, the agency to turn to is the national Data Protection Inspectorate. But, in the meantime, the Information System Authority (RIA) has made another ally available to citizens – the data tracker.

We always know who sends the query

Since 2017, the tool gives citizens the possibility to always keep an eye on who is accessing their data, and for what reasons. In this way, anyone with an eID can log in to the state portal eesti.ee and review the full list of queries concerning their personal information.

Today, four major government agencies participate in the project, making possible the automatic tracking of personal data usage by subject. They are:

• The Population Register, under the jurisdiction of the Ministry of the Interior;
• The Health Insurance Fund;
• Eesti Töötukassa, the Estonian Unemployment Insurance Fund;
• The Social Insurance Board.

Sander Randorg is Product Owner of the data tracker at the Information System Authority (RIA). He told us how this level of transparency is necessary to enhance trust in both public and private actors.

“The inner workings of state IT systems can remain quite a mystery to the average citizen. Even more, when it comes to the knowledge of how their personal data is being used. How can the data usage monitor shed some light on this matter? By giving a detailed overview of the events in which their data was either shared to another party or processed internally,” Randorg explains.

Transparency enhances trust in institutions

At the time of launch, several government agencies were already offering a similar service, although in a pretty siloed way. The new data tracker allowed the implementation of a universal solution, adaptable to different databases and agencies. Moreover, the adoption of a ready-made solution lowered the cost of implementation in a wide area of different use cases. From the users’ side, it also made their experience more homogeneous when navigating access logs to their data across different government databases.

“We are now trying to achieve a situation where people can connect real-life events with data exchange logs on the computer screen. Even if there has not been a specific event, the behind-the-scenes should be as transparent as possible. This would prevent any kind of doubt or distrust towards the data processors. We have been blessed by relatively high citizen trust, and it is with this kind of efforts that we have to constantly maintain that bar high,” Randorg states.

People’s right to know who is using their data is also stated in the Estonian Data Protection Law and the European GDPR. As Randorg highlights, “Automating the process of using that right will definitely affect the overall state of personal data related matters in a positive way.” The data tracker is an important tool in increasing awareness about personal data use in the national IT system. “In some cases, law enforcement authorities – such as the Data Protection Inspectorate – can also benefit from the information people acquire from such tools, and can even track down possible offenders,” Randorg continues.

Everything flows on our digital highway

It should not come as a surprise that we are so careful about the way we handle data. 479 institutions and enterprises rely on the national data exchange layer X-Road – and over a million Estonian citizens and residents. Four core databases are currently covered by data access tracking, providing observers with an initial understanding of the volume of information exchange taking place every day on X-Road.

Among the five most popular service providers, as per number of queries received only in the last month, we can find indeed:

• The Employment Register (11 767 330 queries);
• The Health Information System (8 828 045 queries);
• The Population Register (7 298 599 queries);
• The Health Insurance Fund (7 182 244 queries).

X-Road is active since 2001, placing Estonia globally at the forefront of efficient interoperability in the public administration. As of the beginning of this month, over 5 billion queries have been exchanged on the X-Road – and counting. Almost 986 million requests took place in 2018, confirming how much the functioning of our e-state relies on it.

On their part, Estonians would agree that, to efficiently run public services, technological developments are the way to go. They see it in boring tasks becoming quicker, interactions with government offices running smoothly. But they also know that four eyes are better than two. The data usage monitor is a simple tool, but its main strength may lie in something else than access logs. It empowers citizens to participate in the building of a digital society based on a core, necessary ingredient for life in communities – trust. And by enhancing trust, we generate more of it in return.

Resouce: e-estona

Highlights from Tallinn Digital Summit 2019: living with AI

September 2019

This week saw the third annual Tallinn Digital Summit with a special focus on AI for public value. The event brought together more than 200 experts from 23 countries, including top leaders from the government level as well as private sector and scientists.

Prime Minister Jüri Ratas in his opening words compared innovation to the steam engine, except that now we have arrived in a time where every day we invent a new steam engine. “AI is here, and we have to learn to use it to make our lives better,” he said, talking about the Estonian government-initiated AI strategy and how there are already a little over 20 machine learning based solutions live in the Estonian public sector. He also emphasized that in Estonia the citizen is always the owner of their own data and our digital ecosystem, that relies on distributed architecture, does not include big brother.

Utilizing AI in governments and democracy, smart cities, healthcare, as well as legal and ethical aspects were discussed in panels. The day was wrapped up with a special focus on how AI can help in achieving UN Sustainable Development Goals.

How do we co-exist with AI

A lot of the discussions revolved around defining AI and the expectations that we have for it. Ben Cerveny, from the Foundation for Public Code, said that we expect AI to act like a human, a peer or even a godlike entity. “That is a very precarious position to be in. As governments, we should not frame these solutions as something mythical. Intelligence does not mean sentience, it’s much more,” he said speaking at the AI in smart cities panel.

Dr. Ralf-Martin Soe, also speaking at the same panel, said: “AI by default is designed to follow the rules, people are designed to break or rewrite the rules. You either limit human creativity to break the rules as much as possible or keep the robots in closes environments.”

Representatives from countries shared their examples of progress in co-existing with AI so far, most notably the Norwegian Minister of Digitalisation, Nikolai Astrup talked about testing self-driving vehicles and Norway having even allocated a fjord for testing autonomous ships.

Interoperability and inclusivity

Working together as countries and communities is crucial and this was stressed across panels and keynotes. Between Estonia and Finland data exchange is already in a very good position thanks to the X-Road. Need for similar solutions has already been identified by many other countries, but not only – there is need also on municipality level. For example, Stephen Lorimer from the Greater London Authority, spoke of need for interoperability between the 33 London boroughs.

Of course, the biggest question is how we can use AI and data to build a better society for us where nobody is left behind. Stina Billinger, State Secretary to the Swedish Minister for Business, Industry and Innovation said that faster policy innovation is crucial. “Digital exclusivity needs political answers to make sure that the opportunities and benefits of AI are creating a good environment for everyone,” she said. Maria Rautavirta from the Finnish Ministry of Transport and Communications illustrated how in Finland inclusivity begins from understanding – a public online course by the University of Helsinki aims to demystify AI. So far already more than 100 000 Finns have taken the course, according to Rautavirta.

Doing good with AI

The day concluded with how to utilize AI for good and solutions that help achieve the UN SDGs and relieve humanitarian crises around the world. Benjamin Kumpf from the UK Department for International Development, stressed the importance of designing for the actual user, not designing elsewhere and importing the solution to the end users. Julien Cornebise, from ElementAI, illustrated how satellite data and computer vision can help organizations doing humanitarian work channel their efforts better.

The Summit also saw Estonian tech companies coming together in the name of environmental sustainability by announcing the Green Pledge. It’s an initiative to make business operations fully sustainable by 2030.

Resource: e-estonia

Simplified tax reporting takes Estonia one step closer to the citizen

September 2019

by Federico Plantera

It is safe to assume that, globally, only one category of people enjoys the activity of tax reporting – accountants. For the rest of us, this usually represents a task we are not too fond of. That is one of the reasons why the Estonian Tax and Customs Board has implemented a new self-service system of tax reporting in their e-MTA environment. As of September 2019, the improved dashboard design and flexible structure make doing your taxes in Estonia easier and quicker than ever before.

Based on a no-legacy policy, the platform employs the latest technical advancements in information systems, to keep the public sector up to date with the pace of technological developments. It represents another crucial step in the building of a future-proof e-taxation environment. Naturally, this needs to be tailored to the needs of citizens and businesses alike.

The newly developed self-service is the result of a private-public partnership between the Information Technology Centre of the Ministry of Finance, and Estonian companies Cybernetica, Nortal, and Icefire. Once again, innovation and technical expertise in both sectors come together in Estonia with the common goal of making people’s lives easier.

We spoke to Triin Raaper, Deputy Director General of the Estonian Tax and Customs Board (ETCB), to explore the dynamics driving such change.

Triin Raaper, Deputy Director General of the ETCB

What are the main needs you’re aiming to tackle with the self-service system?

The main goal was to develop a more user-friendly and intuitive interface. This will simplify everyday operations both for internal and external users.

This approach is based on the following principles:

• Providing a more technologically advanced platform, that can be used from various devices;
• Simplifying navigation and structure of information;
• Giving the user the possibility to have all important information in one place (overview).

It is also important to note that the new technology allows us to quickly implement changes and updates to the environment, permitting further development based on user feedback

How does this latest development contribute to increasing the ease of doing business in Estonia?

The new self-service system offers improved clarity and is more modern, giving users an easy overview of their tax and customs affairs. This is very important if we consider that businesses use e-MTA every month.

Our main objective was user-friendliness. Customers now have a convenient, direct channel of communication with the agency, and can customise their desktop including links, as well as easily use services on smart devices. We also added multilanguage support, that will allow companies to use the system more conveniently – also in English.

The self-service system is an important milestone in updating Estonian Tax and Customs Board’s services, as we will continue to do in the next years.

The change is based on a no-legacy policy for what regards the technology used. Why such a choice? And can this element provide a starting advantage in designing the e-taxation of the future?

Our goal is to support the economic development of the country. It is necessary, then, to provide right and convenient tools to citizens and businesses. In doing so, we must be flexible and fast to adapt our technology to the new policies and requirements. The no-legacy approach gives us the possibility to be flexible in terms of future changes and, at the same time, keep costs on a reasonable level.

The old e-Tax/e-Customs consisted of more than 200 different services and applications. They were built at different times, and with different technological capabilities. It means that the old IT-structure had uneven capacity and user experience design. The no-legacy policy enabled us to build an IT-architecture from scratch. All IT-processes were reassessed, receiving new meaningful user experience design. In addition, it gave us the possibility to be more agile and react to customer needs timely.

The new e-MTA is also the result of public-private cooperation. What type of resources did you find so valuable in the Estonian private partners with respect to this project?

This project is a good example of innovation in partnership between the public and private sectors. E-MTA was co-developed by ETCB with the Information Technology Centre of the Ministry of Finance, Cybernetica, Nortal and Icefire. All the partners have their own department of valuable knowledge that we used in this project. They contributed to the general goal of further improving communication with the state.

For the users, the most striking change is the new UX design, based on the work of strategic brand agency Velvet. With the visual identity created by Velvet, e-MTA is now a simple, convenient, and efficient portal for every taxpayer. We are happy that all the partners contributed with their financial and technology-related competences to Estonian e-service development.

Will accounting ever become so easy in Estonia that people will start enjoying doing it?

We believe that already today we have achieved this level. Citizens can enjoy using our systems and having the ability to present declarations in minutes.

We are constantly improving our policies, processes and information systems. People have the possibility to focus on their job, while we support them in fulfilling their obligations towards the government. E-MTA is an intuitive and helpful environment that meets a user’s actual needs. Also, it does not require any special training for carrying out day-to-day operations. Each business owner or individual can use the environment by themselves to perform their tax and customs obligations.

Resource: e-estonia

Adventures of a digital man in America

September 2019

by Peeter Vihma

sociologist, filmmaker & authorshare

Adventures of a digital man in America is a  column where Peeter Vihma, an Estonian sociologist, filmmaker and author, currently a Fulbright Fellow at Cornell University, NY, is bringing you his personal monthly reports into the American digital economy, government and society.

Getting the wheels rolling

I am beginning with a personal story that I think beautifully cuts through the digital layers of the modern world for a regular fellow such as I.

This August a longstanding dream of mine came true. I left the familiar setting of Estonia behind and moved together with my wife Claudia and our almost-3-year-old daughter Amanda to USA. I have always wanted to experience living in this country. Sure, I have visited, but one thing is to take the subway for a drink in Manhattan and quite another is to be standing — the three of us and our six suitcases — in pouring rain in downtown Ithaca on a Wednesday morning and trying to figure out how to start a life in this small town.

In situations like this it becomes much clearer what digitalisation actually does for us. Both digital private and public services. What I did was instinctive for me. I called a cab. Why didn’t I remember to open my Uber or Lyft app earlier? Because the cab did indeed arrive. After an hour of waiting. And it had already other people inside.

This is not a joke!

Later I heard that no-one I know knows no-one who relies on taxis in Ithaca. No-one also knows why they still exist there. But that wasn’t until later.

It is not a myth that in America you can’t live without a car. Even in Ithaca, a cozy and small East Coast college town which has arguably one of the best public transport systems in the whole country. Since we are in Ithaca for a year, I had decided to buy a used one. But this takes time and life doesn’t wait.

Jump to a week later. We had just found a daycare for Amanda – but it was on the other side of the town, 10 miles from our house. Yes, we had taken Uber and Lyft for the first two rides to check the daycare out but this option would have been quite steep for my wallet, as you might guess. And pleased as we were in discovering that li.me electric bikes are well woven into the youthful Ithaca infrastructure, neither me nor Amanda is quite in shape for taking them that far.

So I was thankful to the Great Spirit when I discovered that Ithaca has a company that operates a network of pay-by-hour cars scattered around the town. Registering with them is quite simple and intuitive. I was almost through with it when I hit a bump. For insurance purposes I had to prove to them that I had not committed any traffic violations in the last five years. Since I have no previous record in the US, I called their office for instructions.

“Well we need something!” the polite voice on the other side instructed me. “Contact your government office for that.”

Does your government speak the analogue or digital language?

It would be “fun” to imagine how this process would have looked like back in the analogue days. I probably should have called some office in Estonia, sent letters, waited for them to return for weeks and months while Amanda would have not been able to get to daycare. Which would have put a whole lot of pressure on both, my wife’s and my own professional lives. Which would have put a whole lot of stress on our private lives. Which… Ok, enough. Let’s stop here.

Luckily, being a citizen of Estonia, I used my mobile-ID to log on to my digital dossier e-toimik.ee and within 2 minutes I had generated a document that said I was not a road maniac. (Well it didn’t exactly say that, but that is what I explained the line “Peeter Vihma has not
violated any of the following paragraphs” sort of meant.)

I have to be honest, there was a note of pride when I called them back to report on the task accomplished – 3 minutes after finishing my last call.

All they did was say “Wow” and ask me to send them a description of what I did so that the next Estonian in their system would already have guidance online.

Jump another week forward. I am finishing filling my mothers’ maiden name in yet another document for the university bureaucracy. Cornell is huge, 18 000 employees and 14 000 students. No wonder fitting something as irregular as a visiting Fulbrighter into the system is tricky. But I wish I could fill in the paperwork just once and be done with it even if I have to present it yet to another office.

As I wait for the clerk to take info from the form that I have just filled and type it into a computer I browse craigslist.com for used cars.

And I know that once I have found a suitable one the Department for Motor Vehicles awaits with its own forms – the MV82s and DTF-802s.

Just like the olden days.

Changing perspectives on digitalisation

What is a country? It is people and landscapes and buildings and things people do in them. People here are great. I have yet to grow cynical about the how are you’s and smiles that I get here and everyone feels truly polite and considerate. I love it.

Perhaps one of the reasons we Estonians love our digital services so much is that we are not very warm and welcoming person-to-person? I sure hope not. But underneath there is the structure that holds it all together. The system. The filing cabinet.

I hope to bring to you people and stories of how the American back-office is changing, what are the dreams and challenges in this field. The way I experience this as a sociologist studying environmental governance, and as an Estonian so used to digitalisation I have forgotten how it feels to fill in forms.

So that in my personal life I would have more time to pay attention to the people, buildings and landscapes.

Resource: e-estonia

Can you fake a digital signature?

September 2019

What is the digital signature and its accompanying timestamp? Can you fake both of them or verify the signature on paper? Can you print out the timestamp, what is the signature container, and can you use the open source code to create a fake DigiDoc programme to give the impression of a valid digital signature? Tanel Tammet, professor at the School of Information Technologies, Department of Software Sciences at TalTech, explains the inner workings of the digital signature.

What is the digital signature?

Essentially it is an encrypted string of text that originates from the file that’s being signed and the signee’s secret key – the private key is only on the eID of the person giving the signature. Anyone can check if the encrypted piece of text is in coherence with the file and if it complies with the signee’s public key. The digital signature cannot be falsified because if you don’t have the signee’s private key (as it is well hidden on their eID), then you cannot create a matching encrypted text string.

What is the timestamp on the digital signature?

In addition to the encrypted text, Estonian digital signatures also include a timestamp, which is essentially an additional digital signature. It’s an encrypted string of text that is created by the central server and it contains the time of the signature. The idea is that the timestamp is secure and reliable and everyone can use it to check when exactly the signature was given. In the Estonian digital signature system there is always essentially two signatures: one that is given using the secret private eID key, and another by the central server that validates the exact time of the signature.

Can you print out the timestamp?

The Estonian digital signature software DigiDoc does give the option to print out the confirmation sheet that contains information about the signature and its timestamp. Theoretically, you could use this to check if the signature and timestamp are real. In practice, however, it is almost never used for actual validation because you would need to type the text strings up on a computer again, use special validation software, and even then it wouldn’t have all the information you need to run the check.

If a paper document is marked as signed digitally and it is accompanied with the confirmation sheet, does this mean the signature is valid?

Typically it’s not really used since the additional sheet of paper does not enable full control over the validity of the signature. The idea behind the confirmation sheet is that it’s like an additional confirmation that the document appears to be signed, however, the paper itself cannot be used to check the validity of the signature.

Is it technically possible to falsify a digital signature?

Well, not so long ago the ID card software was discovered to have a weakness that, if attacked with a lot of computer power and time and cost expensive calculations, could have been exploited to fake a digital signature. Of course, provided that you actually knew the person’s public key. The software currently in use does not have any such known weaknesses, so technically it is not possible in practice.

Can you fake the timestamp – is it even possible and has it ever been done?

The timestamp is basically also just a digital signature that the central server adds to the signature given by a human by adding the time. To falsify that, you’d need to know the private key of the central server, which, of course, is securely hidden. It’s important to note that both of these “signatures” – one by human and the other by the server – are two different things and even if you could fake one of those, it wouldn’t help you with the other. Again, no digital signature can be 100 % safe from falsifying, but in practice, it would be unreal. Even if such an opportunity would manifest itself, it would be quickly discovered and the software fixed, like it was the case with the Estonian ID-card.

Are other countries using something similar to the Estonian solution?

The Estonian digital signature is in accordance with the cross-European eIDAS standard, but in reality the application and areas of use are different in different countries. Estonia is definitely a European leader in using the digital signature in daily life.

What is the digital signature’s container?

The container is just a compressed file containing the original signed document and the two signatures – the human signature and the timestamp by the server – than can easily be validated with the ID-card software.

If someone shows me a container where the signature is marked as valid, can I be 100 % sure it is really valid? The DigiDoc source code is public, can it be used to create your own fake DigiDoc where signatures are shown as valid?

In principle you could build software similar to the DigiDoc, that won’t actually check anything and just show on the screen that the fake signature is valid. You can be 100 % sure of the digital signature if you’ve downloaded the official DigiDoc software to your computer and used it to validate the signature yourself.

How long is a digital signature valid?

I’m not entirely sure of the legalities, but from my understanding it should be valid unlimited time. Of course, there is always a theoretical possibility that at some point a new way to fake the signature and its timestamp are discovered. This would render all old digital signatures unreliable and they would need to be re-signed with the new future system to show that the signatures were given before the falsification became possible.

If a document is signed digitally, is it automatically modified to show that it is signed and the date?

No, the digital signature won’t change the content of the actual original document in any way. The only confirmation of the signature is the signature file itself, that is created by the software.

Recourse:  digigeenius.