Estonia’s digital ambassador: Nele Leosk’s journey and insights

April 17, 2024

by Justin Petrone

Nele Leosk, ambassador-at-large for digital affairs at the Estonian Foreign Ministry since 2020, reflects on Estonia and e-Governance.

Nele Leosk has led extensive digital, economic, and governance reforms in various countries around the world. Whether working in academia, as a consultant, or for the government, she has become a highly sought-after expert in e-governance.

We recently interviewed Leosk about her current role as ambassador-at-large for digital affairs, the state of e-governance, and the global role that Estonia continues to play as a pioneer and instigator.

How did you get into GovTech? Was it a personal choice, or did someone encourage you to become an expert?

I have worked developing our digital space for the past 22 years. I got my first glimpse into the area in the early 2000s when I worked at the Estonian Ministry of Economic Affairs and Communications, which is also responsible for digitalisation in Estonia. When I was looking for new opportunities, my colleagues from the digital branch introduced me to the e-Governance Academy that the Estonian government had just founded, the United Nations Development Program, and the Open Foundation. I looked it up, and it seemed interesting, though I didn’t know much about e-governance back then.

It was the time of digital identity, the time of X-Road®, and the time of laying the legal framework that enabled the development of an open, inclusive and safe digital society. In a way, digitalisation gave the impetus for modernising Estonian culture. Quite a bit was happening even before 2000. Several preparations had started earlier, such as the introduction of the eID. We all know about the Tiger Leap and Look at World – the initiatives that introduced Estonian people to the internet and digital technologies. These also happened before then.

So, I started to work at the e-Governance Academy. Initially, I worked closely with questions about digital democracy; then, I served as a program director for digital education and skills. Later, I was involved in different areas of digitalisation. I led economic and government reforms all over the globe, from Haiti to Mongolia, from Tunisia to Ukraine. It was fascinating. Implementing reforms and achieving results in different economies and political, governmental, and cultural environments was also challenging.

Since then, my career path has always involved digital technologies from different fields and regions in other organisations. I have worked with political leaders and high government officials and have been hands-on in developing services and e-participation tools. I have experience in academia, international organisations, and the private sector. After 11 years abroad, I returned to Estonia and started to work on the foreign policy aspects of digital technologies at the Ministry of Foreign Affairs of Estonia.   

What does your current job as ambassador-at-large for digital affairs entail?

Digital diplomacy has been rooted as an essential domain in foreign politics in recent years. The space and scale of technological development and the impacts of these on the economy, democracy and security are immense. For example, comparing current developments to the 2000s is a very different scale. 

Digital technologies do not recognise borders. They bring along opportunities and globalisation. Estonia has benefitted from these. It is not an understatement that digitalisation put Estonia on the world map, with our digital services and startup scene. Estonia is looked up at around the globe, and rightly so. 

But, increasingly, digital technologies bring along risks. Privacy is being violated, and cyber-attacks and technological interdependencies are increasing. What is also a concern is that technological developments are concentrated in very few countries, and big tech and their platforms have increased influence. There is quite a race for digitalisation. 

So, how can we globally ensure technologies are used for good and not for bad? How do we make sure they are used democratically and not autocratically? How do we ensure that everybody benefits from technology, not just a few? How do we make sure that everyone has the necessary skills and capacity to use these technologies: countries, towns, companies, universities, schools, people, also public officials and diplomats? Finding answers to these questions unites diplomats working on tech issues.

But aside from these global issues, I also have the pleasure of representing Estonia globally, our developments, companies, and interests. We recently adopted our digital diplomacy concept paper, which includes several main work streams. Besides global technology governance, it also covers digital cooperation and economic diplomacy. As part of Estonia’s digital diplomacy, e-Estonia still has a substantial role. This is how Estonia is known to the world, and maintaining and increasing Estonia’s global position is one part of Estonia’s digital diplomacy.

Are there special conferences or forums for digital diplomats and cyber attaché where you talk about these issues?

Increasingly so, both in the EU and globally. There is an active network of EU digital ambassadors. We work closely with the European External Action Service, like the European Ministry of Foreign Affairs, and other EU and international organisations, such as the UN. Increasingly, big tech companies are at the table. We have a very close network that I am very grateful for, as this is where we share our views, discuss different topics, and support each other. 

We also gather globally and often attend events around digital and technology governance.

Is Estonia still seen as a pioneer when it comes to GovTech?

Estonia still has a strong global position and is known as a digital leader. And rightfully so. I have not come across a society where everything comes so holistically together. We can conduct most of our public and private business digitally and conveniently. Digital signatures, for example, have made my life so much easier, especially when living abroad, from selling my car to voting via the internet. Still, we also need to be mindful that though Estonia leads in the public sector in digitalisation, we also have to take our industry and companies to higher levels and complexity of the use of technologies. The other aspect we need to understand is that it is increasingly challenging to keep up with the technological developments and investments in infrastructure, as the need for computing power is increasing. But Estonia has always been an intelligent adopter and a brave implementer of technologies, and further investments are needed to keep this going. 

Of course, global expectations for Estonia are high, too. In my field, there are several areas that we need answers for. Estonians are expected to have many answers to these common issues that technology brings. AI governance, data governance, and cross-border data sharing require a lot of resources to understand the problems and what is at stake. 

Estonia has influenced several EU developments, such as the European Interoperability Act and European eIDAS, as Estonia had prior experience here. 

You have advised governments in Europe, Asia, Central Asia, Africa and the Middle East. What sets them apart or makes them similar?

Now that we are many years into digitalisation, we have come to realise that despite our differences, there are so many similarities, joint problems and solutions to these problems. For example, all countries need digital identity, data-sharing solutions, registries, and payment systems. This has put co-creation, sharing and re-use of digital solutions on the global agenda. Digital public infrastructure, digital public goods, and digital commons – these trends support openness, sharing, and building on existing experiences. 

Estonia’s X-Road is a perfect example of a global public good that has been re-used in many countries. GovStack – an initiative that Estonia co-leads with Germany, the International Telecommunication Union, and DIAl, is another excellent example of global cooperation that builds on similarities. Amidst these trends, we should not forget that digitalisation is much more than technology, and solutions comprise only a tiny part of the whole. 

But, of course, there are also differences. Differences in economic level, income, and size of a country influence our digital paths. We see countries in the Middle East moving fast, using cutting-edge technologies. However, some countries must consider illiteracy issues and require more electricity when designing digitalisation programs. 

Still, cooperation is essential, regardless of where we stand. Several of the emerging topics are common to all of us. There are challenges that Estonia, or any country alone, may need help to solve. We must find ways to fight disinformation, protect our citizens’ privacy, and regulate tech companies. The EU has been a pathfinder here, and I am glad that some of what we have done in Estonia or the EU could benefit others and the other way around. 

Resouce: e-estonia

GovTech for sustainable development goals

April 17, 2024 by Peeter Vihma

Governments worldwide are attempting to do their part to fulfill sustainable development goals. How can GovTech help?

Not just any “public good”

The world faces enormous challenges of unsustainable energy and material use, degradation of biodiversity, and crumbling of democracy and global justice. Governments are tackling this by, for example, setting up missions to solve problems in cooperation with the private sector. However, until recently, little attention has been paid to understanding GovTech solutions about the Sustainable Development Goals. This is a gap that Alena Labanava, PhD student at the Institute of Software Science at Tallinn University of Technology, is aiming to fill.

Educational gaps for public sector administrators

One of the first tasks that Ms Labanava set herself was assessing the role of an e-government education programme of TalTech in achieving SDGs. It is the study program where most current and future public administrators in Estonia come in close contact with the potential of GovTech. Her research was done on a cohort of students consisting of current mid-career public sector professionals.

The most significant finding from this research is the growing interest in the contribution of digital government to affordable and clean energy (SDG 7), reduced inequalities (SDG 10), responsible consumption (SDG 12), and climate action (SDG 13). 

“The results show that it is not just any solutions dubbed as “public good” that the administrators are interested in, but they are actively seeking solutions in specific areas,” says Ms Labanava. These areas of digital government education have the potential to improve. }

Evaluating GovTech by SDG-s

Ms. Labanava’s next step in her research is to create a catalogue of GovTech solutions and place them on the map. 

“Inspiration came from the GovTech Catalogue designed by the GovTech Connect project, but I think this can be improved,” says Ms Labanava. “It currently shows only labs and accelerators, but not individual solutions. We also want to classify them by SDGs so that public administrators can easily track what problem they solve.” 

Having assembled a small team, the work on the catalogue has just begun. The plan is to collect a list of companies and check how and where their solutions have been used (success stories and use cases) so that it would become a handy tool.

“The market for GovTech is global. Public sector employees need to know what solutions are being produced not only in their own country, Europe, and elsewhere,” says Ms Labanava.

A global picture is essential for accelerating the adoption of already well-working solutions across geographies and helping public sector procurers make better-informed purchasing decisions.

Addressing the bottleneck of implementation 

Providing a comprehensive overview is crucial, but implementing any solution requires cooperation. This is why governments in Europe and elsewhere are setting up InnovationLabs, Bootcamps, and Accelerators. Their main aim is to catalyse innovation between the private and public spheres. 

In Estonia, one promising initiative is Grab2Go, which aims to improve the health and well-being of vulnerable areas by developing automated pharmacies. For them, the main challenge is not technological but legislative. This is what their cooperation with Accelerate Estonia is focused on.

Grab2Go solution optimizes resources by enabling a single pharmacist to assist patients from any corner of Estonia through video consultations, breaking geographical barriers. It also grants pharmacists more time for face-to-face consultations, allowing them to apply their expertise effectively.

However, even testing automated pharmacies in rural areas requires amendments to the Medicines Act.  “We set up a test machine in one of the rural areas in Estonia, but due to legislative constraints, we were only able to operate it during the opening hours of the actual pharmacy,” says Olari Püvi, head of Accelerate Estonia. “This did not provide us with the necessary advantage nor the data that we required, and that would not bring out the benefits of an automated system.”

Hence, besides conducting risk analyses with mitigation strategies, the collaboration between Accelerate Estonia and Grab2Go is focused on legal changes. It would bring Estonia’s sustainable goals a step closer.

Resouce: e-estonia

Madis Tapupere: the evolution towards a more personalised, complex, and integrated digital state

April 17, 2024

by Peeter Vihma

Article content

Rare is a glance into the head of the Chief Technology Officer of Estonia. Having been in office for three months, Madis Tapupere agreed to share his ideas on some of the country’s challenges. We discussed the “personal state”, the EU integration and the development of systemic capabilities of a digital state of growing complexity.

The challenges for the state as a whole

How have the first three months in the public sector been?

I am settling in. In some respects, a country is unlike a big company with a complex digital system. What is new compared to the private sector is understanding how many activities are rooted in laws. In a private company, the board can decide instantly and move on. Important changes in the whole country, however, need regulation change. And it takes a lot of energy to change a big system. I am trying to get a feel for the suitable methods for driving change. Finding a balance between autocracy and collaboration is the key. I follow the “narrow waistline” principle: I try to focus on the most important things instead of controlling everything.

What is your vision for your time in office?

Although it is still in formation, I see multiple areas where we need to address the bigger challenges for the state as a whole: first, further development of general state capabilities, such as advancing the “personal state”; second, EU integration and, third, developing systemic capabilities to address business, data and technology management challenges, including cybersecurity.

And then, there is the task of finding a suitable approach to dealing with these topics. For example, the “personal state” aim can be tackled using a startup mindset, but several other challenges are like those of large companies. How can we innovate in the face of growing complexity and backlog? The existing must be preserved and renewed at the same time.

Therefore, in some areas, we need streamlining, but in other areas, we need to simplify the business and the process side, and hopefully, this will free up hands to deal with new capabilities.

Taking the idea of a “personal state” to the next level

What is your attitude towards the idea of a “personal state” – event-based, invisible, personalised, and integrated digital services for the citizen?

As a strategic goal, a “personal state” is valuable. It relies on principles such as citizen-centred and easy-to-use state services and the once-only principle of data clarity and findability prevalent in several countries. However, while some countries focus on goals we have already achieved, such as information exchange between databases, we should take it to the next level by improving the user experience.

I also recognise that the “personal state” idea goes a long way for Estonia. I have already mentioned that good information exchange between state systems is the foundation of our digital state. Event-based and as invisible as possible services have also been in the works for several years. The added values resulting from data usage are more future-looking and, therefore, blurrier. The challenge is providing a cross-country service within a distributed organisation like our country. And this is not a technology challenge, at least initially, but a governance challenge. Each register in Estonia has its own responsibility, as specified in the law. A citizen-centred view requires changing these basic principles.

In short, the “personal state” is the vision and the direction along which we are going, and our immediate task is to understand where the low-hanging fruit is. The criterion for finding them is the value to the citizen.

Giving people more control

What are the main challenges for developing the “personal state”?

The privacy control mechanism is one of the central questions in developing a more person-centred and invisible service. The more personal the state services become, the more means of control must be given to the person. Otherwise, there is a risk of growing resentment, because we already see that the digital state is not universally accepted by everyone. This tendency must not be exacerbated. Rather, we must find ways to ensure citizens are in control when interacting with the digital state. This can be done by developing consent services and data trackers.

Do you feel you understand things when you go to FB privacy settings? Using data in a large system is difficult for developers and users. How do you convey this info to people? How do you empower people to go along with it? These are the pressing challenges we need to address.

We have been taking the first steps in constructing consent management in Estonia. For example, everyone will have an overview of the use of their data at the Eesti.ee level. However, as we develop our personal state further, the consent service must also be developed to make the complex world understandable and manageable for people.

Innovators dilemma in integration with the EU

Where do you see the challenges and opportunities for EU digital integration?

I would phrase our biggest issue here as the “innovators dilemma”: what brought us here may not take us further. The prerequisites for Estonia’s success may not be applicable in the wider world, and vice-versa — the solutions of the wider world may not fit well with our digital society. My task is to maintain the prerequisites for our success, such as tightly integrated registries, and fit in other solutions and work methods that address the needs and situations of other European countries.

The Digital Identity Wallet is a good case in point. We have used eID and direct system-to-system integration in Estonia to handle personal data. The wallet introduces a new one whereas the data is carried along in the wallet as certificates. You ask for data directly from the register or transfer them through the wallet certificate. Adopting the Wallet logic in Estonia poses some challenges that must be addressed.

Estonia is developing a wallet as a nationally approved and functional authentication and identity verification method. The next step is to develop its capacity as a platform. We are developing a strategy along with the use cases for this.  We know, for example, that Estonia already supports using a digital driver’s license in the EU and elsewhere. However, making a comprehensive road map of the additional possibilities is too early.

In the bigger picture, I see an analogy with open banking. After forcing the banks to open their APIs, a whole ecosystem of certified startups and fintechs emerged. I suspect a similar pattern will also emerge in conjunction with the Wallet.

Estonia: an evangelist with a sense of empathy

What is Estonia’s role in these developments in the interoperable EU?

Regarding data interoperability at the EU level, we must distinguish between two options. First, where there are specific needs, such as stemming from regulations, the data exchange is built up specifically based on these needs.

Secondly, we are also building the foundation of a more general data exchange.  We are supporting the emergence of a broader data exchange ecosystem in the form of “data spaces”. It is a structured description of workflows, data exchange, and how data is agreed upon and monetised. Estonia is involved in the experiments at the EU level, and the future version of our X-road will integrate in this direction. It is an interesting time of emerging standards and proofs-of-concept, so we are closely monitoring this.

I see Estonia’s role in adding pressure to increase ambition. We have real-life experience of how a well-designed digital state can function. Sure, we must accept that everyone’s ability is not the same, but we can be the ones who say that things are possible if done well. Sort of evangelists in what we believe, but also with a sense of empathy.

Technology as an asset

How to deal with the common problem of all systems: legacy?

We must ensure we direct enough active interest towards managing the legacy. In Estonia, we constantly deal with legacy systems, and it is an accepted justification for current investments. However, there is little cross-national management information on the situation.

One of the sources of difficulties is that “a legacy system” does not have a clear definition. It is at least partly subjective. For example, a way to define a legacy system is “system that works”.

However, legacy needs to be addressed because this allows a country to be clear about its limitations. Strategic choices can be made when there is an understanding of what can and cannot be done. This allows meaningful portfolio management and directing of resources. Instruments for dealing with legacy are diverse: technological innovation, cutting the system into smaller pieces and changing them, or even completely rewriting the business process. In the end, we may even have to shut a system down. We need to ensure the pile of stones is not allowed to get too big so it can no longer be stacked around.

The principle I would like to establish is that technology is an asset. Technology is not only an investment that does something new. It is an asset with characteristics, risks, and costs; therefore, it must be managed so that the risks do not become too high and the costs do not become too high. In this way, we can get the maximum out of our portfolio.

Has digitalisation gone too far?

What is your attitude towards the “twin transitions” approach of aligning digital and sustainable transitions?

We need to take the turn to sustainability as one of the parameters of technological development. Some aspects we already share with it, such as optimisation and resource efficiency.

If we accept that all technology management has a cost and creates complexity, then we can clearly see that, in some places, digitisation has gone too far. We should start at the business process level and pressure our operations to optimise.

This capacity could be improved on the national level. The beginnings are there as the capabilities of service management and service portfolio management are already in place. Activities in this field will continue in the context of the green transition. Having a clear map of the scene is its prerequisite.

Resouce: e-estonia

A year of advanced threats and global tensions: Estonia’s cybersecurity scene in 2023

April 9, 2024

by Blessing Oyetunde

Last year, Estonia’s cybersecurity scene was heavily tested, with the Estonian State Information Authority(RIA) documenting 3,314 cyber incidents that impacted their annual assessment. The report details the growing complexity of threats Estonia faces, including an uptick in DDoS attacks and sophisticated phishing efforts, while reflecting on the nation’s ongoing efforts to bolster its cyber defences.

A year of unrelenting cyber storms

2023 witnessed an alarming surge in Distributed Denial-of-Service (DDoS) attacks, with Estonia grappling with a staggering 484 incidents – 182 more than the previous year. These attacks aimed to cripple critical digital services by flooding servers with excessive requests. A notable case targeted Ridango, disrupting the state-owned Elron train service’s ticket sales system for nearly a day.

Ransomware attacks also emerged as a grave concern, targeting diverse sectors, from healthcare to manufacturing. The Asper Biogene data breach was a particularly high-profile incident where the medical and personal data of approximately 10,000 individuals was compromised. This breach occurred when attackers, exploiting weaknesses in cyber hygiene, illegally accessed and downloaded sensitive information from the genetic testing company’s systems.

Global tensions ripple through cyberspace.

Exacerbating the cyber threats faced by the nation were the ripple effects of global crises, including Russia’s aggression in Ukraine and the Hamas-Israel military conflict. As Gert Auväärt, RIA’s Director of Cyber Security, stated, “Besides Russia’s continuing aggression in Ukraine, 2023 brought an outbreak and escalation of the military conflict between Hamas and Israel. We saw – and will continue to witness – a growth in ideological ‘hacktivism’ expressed in denial-of-service attacks against the government, financial, transport, and media sectors.”

Among others, one incident points to the far-reaching impact of these global tensions. In November, as Estonia grappled with a cold snap, cyberattacks targeting Israeli-made heating controllers disrupted the Estonian district heating network, demonstrating the vulnerability of local infrastructure to digital threats from distant conflicts.

Furthermore, the cyber threats of 2023 exhibited an advanced level of sophistication. For one, DDoS attackers engaged in dual-phase operations, initially probing defences with short attacks followed by more aggressive and sustained assaults. Many of which were, again, politically motivated, linked to Estonia’s support for Ukraine and the imposition of sanctions against Russia.

8.3M euros lost to fraud

The report also revealed a sharp increase in cyber fraud, inflicting financial damages of at least 8.3 million euros, with telephone fraud alone accounting for 3 million euros. This uptick signalled a strategic shift in cybercriminal tactics targeting individuals and corporate organisations. Prevalent schemes included sophisticated phishing emails, deceptive calls pretending to be from trusted authorities, and complex Business Email Compromise (BEC) attacks.

Meanwhile, cybercrime has transitioned from bare, deceptive acts to highly organised, sophisticated operations. Using cutting-edge technologies like AI and machine learning, criminals fine-tuned traditional fraudulent methods while innovating new strategies to exploit their targets effectively. The rise of BEC schemes further complicated the threat scene, where fraudsters executed carefully orchestrated plans to redirect corporate funds.

Proactive defence: Estonia’s cyber resilience strategy

Taking a proactive stance, Estonia reinforced its cybersecurity defences with several key initiatives. The RIA’s Red Team, established to test and enhance the security of information systems, engaged in sophisticated simulations, including phishing emails and physical penetration testing, to uncover vulnerabilities within governmental and corporate infrastructures. This proactive approach proved critical in preempting potential cyberattacks and ensuring the resilience of vital services.

Likewise, the RIA Red Team’s services were offered to government departments and companies aiming to fortify their cyber defences. Over the past year, the team conducted phishing attempts targeting more than 14,000 individuals across central and local government bodies and the private sector, revealing a 30% susceptibility rate among recipients. This, in turn, reiterated the need for continuous cybersecurity awareness and risk mitigation.

Complementing its security measures, Estonia launched comprehensive prevention campaigns to enhance cybersecurity awareness among businesses and the general populace. Additionally, implementing the Estonian Information Security Standard (E-ITS) across approximately 3,500 organisations highlighted a systematic approach to safeguarding the nation’s digital ecosystem.

The global cyber battlefield

As for the broader view, international cyberspace in 2023 was heavily influenced by geopolitical tensions, particularly Russia’s invasion of Ukraine and the escalating conflict between Israel and Hamas. These tensions manifested in a range of cyber activities, from state-sponsored groups engaging in espionage to widespread ransomware attacks disrupting critical infrastructure and businesses globally.

At the same time, the cybercrime scene continued to evolve, with financial motives driving sophisticated schemes like BEC attacks and ransomware campaigns. Notably, attacks on crypto trading platforms showcased the intersection of cybercrime and state funding, while hacktivism sparked DDoS attacks against various sectors in countries engaged in geopolitical disputes.

Ransomware attacks remained a significant threat, with the Lockbit group’s attack on the UK’s Royal Mail disrupting international mail services. At the same time, data breaches posed a serious concern, with T-Mobile admitting a leak affecting 37 million customers and the UK Electoral Commission’s data breach revealing the vulnerability of personal information.

The year, we also witnessed a collaborative international push to enhance cybersecurity measures, focusing on dismantling cyberespionage tools. Alongside these efforts, there was a unified movement toward strengthening cybersecurity protocols, which included restrictions on applications like TikTok on government devices.

Cyberspace in 2024

According to the report, the cyberspace scene in 2024 will be reshaped by two major forces: the pivotal role of artificial intelligence (AI) in cybersecurity and the enduring impact of geopolitical tensions on cyber activities.

AI is emerging as a double-edged sword, with its capabilities being harnessed by both defenders and adversaries. While security experts race to develop innovative AI-driven solutions to outsmart emerging threats, cybercriminals leverage AI to craft increasingly sophisticated cyber attacks.

Concurrently, the persistent geopolitical tensions between Russia and Ukraine, coupled with the escalating Israel-Hamas conflict, continue to cast a long shadow over the global cybersecurity domain. These crises are poised to influence cyber activities on a broader scale, with potential implications for high-stakes events like the European Parliament elections slated for June 2024.

Resource: e-estonia

Digital wallet and eIDAS 2.0: a boost for Estonian companies

February 14, 2024

by Peeter Vihma

In November 2023, the European Commission agreed upon the new eIDAS regulation that will change Europe’s digital identity and digital wallet landscape and beyond. Estonia has been the leading country in digital identity proliferation and use, and Estonian IT companies have always been part and parcel of its development. Now, these companies are at the forefront of domestic and international engagement with the new direction that eIDAS proposes: the digital identity wallet.

Building on Estonian e-ID track record

Cybernetica is an Estonian cybersecurity company with a special place in the development of e-Estonia, as it provided the baseline cybersecurity knowledge necessary for creating the foundations of digital identity in Estonia in the early 1990s.

Now, Cybernetica, in a strategic collaboration with the Estonian Information System Authority (RIA), has embarked on a pivotal analysis of the technical architecture of the forthcoming Estonian digital identity wallet that has the potential to influence the entire European market.

The new eIDAS regulation makes use of a digital identity wallet — a mobile application designed to serve as an alternative to conventional physical documents such as ID cards and driver’s licenses — mandatory for European countries. However, eIDAS allows member states to direct their citizens to whichever wallet they deem proper. This kind of regulation creates a market for developers such as Cybernetica. Since Estonian digital identity has a long and trusted track record, Cybernetica has a good starting position.

“Together with RIA, Cybernetica aims to craft a wallet solution tailored to Estonia’s needs and aligned with existing information systems. This wallet should seamlessly integrate with national information systems, ensuring compatibility and adherence to EU standards for authentication, citizen data submission, and creating digital signatures,” said Aivo Kalu, Cybernetica’s lead security engineer.

Technology-agnostic security solution for the digital wallet

Cybernetica is actively working on the SplitKey CSP product destined for the future digital wallet in tandem with the wallet development.

“Wallets will contain documents that can be used to access critical information systems such as online banks and public sector portals. Therefore, it is extremely important that these documents remain in the possession of the wallet user and that no one else can present your credentials under their name,” Cybernetica’s software architect Mattias Lass elaborated. “SplitKey CSP offers a solution by linking documents in the wallet to cryptographic keys utilising SplitKey technology. The other part of the key remains in the possession of the owner. In this way, copying becomes impossible. It is special because this approach does not require high-end phone hardware, and the technology behind the solution is transparent and certified.”

Despite these advanced and proven technological solutions, what makes the development of the digital wallet complicated is the ongoing policy development of the European Union. According to Yuliia Kravchenko, Risk and Compliance Expert at Cybernetica, the final technological solutions for the identity wallet depend on many simultaneous implementation acts.

„For example, the European Cyber Security Certification Scheme has just been adopted. Previously, the protection profiles were nation-specific, but to make the wallet interoperable in all European countries, there needs to be a unified cyber security protocol, its definitions and requirements,” says Ms Kravchenko. “However, to create one that is technology agnostic is quite complicated, and if it is unskilfully done, it may lead to poorer implementation of the wallet by technology lock-ins or extreme bureaucracy.”

Making international recognition easier

European Union’s digital policies are known to have a global influence, and the new eIDAS is a good case in point. Proud Engineers, a high-level consultancy that advises countries in digital development, sees the critical value of eIDAS in their work.

“We see how countries that we consult want their digital identity systems built based on eIDAS, or at least want their frameworks to be recognized in the European Union,” says Laura Kask, CEO of Proud Engineers. “The new eIDAS creates a clearer basis for mutual recognition of digital identity frameworks.”

“Hence, the new eIDAS directly influences our work. Ukraine was the first to achieve partial recognition under the old eIDAS, but this will have a strong legal basis.”

In our portfolio, Egypt and Armenia, whom we advise on their trust services framework, aim to base their upcoming digital identity services on eIDAS. Ideally, a document – such as a driver’s license or a university diploma — issued in Armenia, which is stored in its digital identity wallet, will be accepted by European Union’s countries.”

The critical question of Big Tech vs Digital Nations

While member states are now obliged and eager to start implementing eIDAS, the critical question is the relationship between government-issued and Big Tech-issued wallets. According to Laura Kask, since the market for wallets is theoretically open for everyone, it may be that the identity business is slipping from nation-states to technology companies. This may have detrimental consequences.

On the one hand, it is the question of user comfort. While states need to retain certain control over the issue of identity, they still need to value the ease of use. Otherwise, private providers who might not be keen to safeguard transparency but prioritize user comfort will have the upper hand.

On the other hand, it is the question of introducing the state-provided digital wallet into the big tech platforms and social media.

“In the case of eIDAS, what is interesting now is that this wallet should be mandatory for use on large platforms such as Facebook, Google and so on,” says Ms Kask. “In the future, we should be able to enable authentication to log in using this EU identity wallet. However, we have not seen their reaction yet. Hopefully, this won’t change the paradigm to the point where we end up using Apple Wallet instead, which isn’t actually audited or controlled by member states. I hope the basic principle will remain: the state issues the first basic identity, and a chain of trust can be built on it for the private sector to use it, too.”

Hence, the eIDAS is definitely a step in the right direction, but it opens up opportunities for different developments. A supportive but critical attitude is surely advisable.

Laura Kask’s photo: Jaana Süld

Resource: e-estonia

e-Estonia is collecting success stories for our 15th birthday

February 7, 2024

Article content

This year, the e-Estonia Briefing Centre is turning 15, and to celebrate it globally, we are looking for digitalisation stories worldwide.

During these 15 years, the centre has hosted over 6000 delegations and an impressive 87,000 guests from more than 130 countries worldwide.
Many of them have resulted in fruitful international collaborations by offering over 800 custom-made events to cater to their need for innovation. We frequently assist and consult other countries with digitalisation initiatives and match them with credible, leading IT partners to empower their efforts and boost innovation and international cooperation.

Of course, Estonia is not shy in sharing our experience of over 20+ years of building our digital nation with the rest of the world, and there are tens and tens of examples of digital solutions built with the help of Estonian experts around the world.

For example, did you know that the Mexican state of Queretaro uses Estonian-built interoperability software, the X-Road, that Roksnet helped them set up? Or that Nortal conducted the first-ever e-Census in the Sultanate of Oman, with 95% data quality.

Or how do you inspire a nation and scale innovation? Assisting in the digital transformation of Ukraine’s public sector is compelling evidence of Estonia, a relatively small nation, excelling significantly in exporting e-governance expertise. Ukraine’s path to digitalisation owes much to Estonia, which has been at the forefront of digital government and served as a model and early adviser to Ukrainian efforts. Even today, more than 30 Estonian advisers are embedded within the Ministry of Digital Transformation.

For our birthday, we are collecting stories. Share with us a spark of inspiration, a start to collaboration, or a lightbulb moment you had after learning about e-Estonia. Let us know your story in the comments or write to us: press.e-estonia@eas.ee

Resouce: e-estonia

Citizen Initiative portal empowering Estonians in digital age of democracy

January 24, 2024

by Carmen Raal

Article content

Trust in the state and democracy is in decline worldwide. Nobel Peace Prize winner Maria Ressa has warned that online misinformation significantly threatens democracy. In the face of a constantly evolving world and the rapid spread of misinformation online, it is crucial to confront modern challenges with modern solutions. I recently moderated a panel discussion in Estonian focusing on digital democracy, particularly highlighting Estonia’s unique Citizen Initiative portal, Rahvaalgatus.

I delved into the pivotal topic of participatory democracy with two experts – Maarja-Leena Saar, an expert from The Estonian Cooperation Assembly who also manages the Citizen Initiative portal, and Kristina Mänd, a senior expert on e-democracy from e-Governance Academy. Here are the highlights from our conversation with Maarja-Leena and Kristina.

A record-breaking unique platform

Established in 2016, Rahvaalgatus has demonstrated the remarkable engagement of Estonians in actively voicing their opinions alongside decision-makers. Rahvaalgatus allows us to make initiatives both on a national and local level. A proposal to the Parliament has to gather at least 1000 signatures, and for local government, a proposal has to gather signatures from at least 1% of its residents with voting rights.

"If the citizens have a user-friendly and convinient way to have a say in lawmaking, they will. The myth that Estonians do not like to have a say in 
law-making has been completely shattered with Rahvaalgatus," said Maarja-Leena during the panel. 

Rahvaalgatus serves as a potent weapon against the onslaught of populism. Social media tends to amplify extreme posts to garner more attention, often exacerbated by fake accounts. Thanks to Estonia’s secure eID system, Rahvaalgatus ensures a distortion-free representation of public views. This system effectively counters situations where a single individual could artificially inflate petition signatures, maintaining transparency. Notably, signatures are deleted once the petition completes its journey through all stages.

Moreover, Rahvaalgatus provides a comprehensive overview of issues concerning the Estonian public, distinguishing itself from social media algorithms that limit exposure to a fraction of conversations and opinions. This distinction allows for a more accurate reflection of true realities.

Last year Rahvaalgatus broke the record for e-elections in the Estonian Parliament with 313,868 digital signatures. On the platform, various collective appeals have already received more e-votes (313,868 as of December 2023) than the parliamentary elections (312,182) in 2023.

Initiatives undergo several phases after it has been published:

1. Co-Creation Period:

The initiation phase involves a minimum three-day co-creation period. During this time, anyone interested in the initiative can suggest ideas for its improvement, with the author having the discretion to incorporate or disregard these suggestions.

2. Signature collection:

The next phase focuses on collecting signatures, with a maximum duration of 18 months.

3. Submission to local government or Parliament:

Upon surpassing the required signature threshold, a simple click forwards the initiative to the local government or parliament.

4. Review:

Upon reaching decision-makers, the initiative is assigned to a relevant commission mandated to discuss it within three months. During this period, the initiator is invited to participate.

5. Decision declaration:

Within six months, a position on the initiative must be declared. Any decisions made are promptly published online as open-sourced data. Subscribers to the initiative receive immediate notifications of these developments.

After the time-consuming process is over, all the signatures get deleted.

Surprisingly, no initiative has necessitated removal due to hate speech. While some initiatives have teetered on the edge, their lack of widespread support led to the decision not to intervene at any stage of their progression.

Fostering a digital society with a pivotal role in participatory democracy necessitates a leadership attuned to the digital landscape. This involves public sector employees and politicians being well-versed in the platforms where discussions unfold. It’s crucial to note that speedy decision-making doesn’t inherently equate to a well-informed decision. Furthermore, the repercussions of hastily made decisions within a limited circle may take longer to resolve than if a broader discussion had occurred.

Inclusion is not a one-time act but rather a systemic approach, emphasizing the importance of adhering to established processes. This involves ensuring transparency and uniform rules applicable to everyone, irrespective of their political views.

Various initiative types include:

1. Demonstrations:

Primarily, it is a responsive action expressing dissatisfaction with a decision.

1. Reaction to legislative decisions:

A reactive approach towards hastily made legislation that lacks the involvement of essential stakeholders.

1. Long-term advocacy work:

Primarily focused on human rights and environmental issues, often led by organizations.

1. Grassroots initiatives:

It utilises less formal language than the former category but remains significant, involving individuals who may not frequently engage in participatory democracy.

In conclusion, Rahvaalgatus, has emerged as a powerful instrument, showcasing the active engagement of Estonians in shaping their nation’s discourse. In the face of rising populism and the distortions exacerbated by social media, Rahvaalgatus stands out as a countermeasure. Rahvaalgatus distinguishes itself by offering a comprehensive overview of issues, overcoming the limitations imposed by social media algorithms. This distinction results in a more accurate reflection of the diverse realities shaping Estonian public opinion. Rahvaalgatus continues to empower Estonians to actively participate in the democratic processes that shape their nation’s future.

Resouce: e-estonia

Fresh report: Internet Freedom remained protected in Estonia

October 4, 2023

Global internet freedom declined for the 13th consecutive year as conditions deteriorated in 29 countries and improved in 20 others, according to Freedom on the Net 2023: The Repressive Power of Artificial Intelligence. The report by Freedom House found that internet freedom in Estonia remained highly protected.

The report also found that Iran suffered the year’s worst score decline as authorities shut down internet services and blocked social media to stifle anti-government protests. In two record highs, people in at least 55 countries faced legal repercussions for expressing themselves online, and governments in 41 countries blocked websites hosting political, social, and religious speech. Both practices persisted in China, which retained its title as the world’s worst environment for internet freedom for the ninth consecutive year.

Estonia continues to hold the second position worldwide regarding internet freedom after Iceland. Although Estonia remains a front-runner in the index, the report emphasises developments that affect the state of internet freedom.

“Estonia, known for its good level of digital society, ensures the availability of network connection, and the country offers strong protection for users’ rights. The freedom of the digital environment to publish content is not limited, even during crises. Restrictions on online content and channels are related to preventing the spread of hostile propaganda and false information, as well as sanctions against Russian media channels,” is the summary of one of the Estonian reporters, Proud Engineers e-governance expert Hille Hinsberg.

Globally, internet freedom has declined for 13 years in a row. For example, the use of tracking tools and manipulation of online users through false information is constantly increasing. According to Hinsberg, “governments impose various restrictions on what billions of people can access and share online, whether it’s blocking foreign websites, tracking and collecting personal data, or increasing control over their own country’s technical infrastructure.”

The report also found that while advances in artificial intelligence (AI) benefit society, they have been used to increase the scale and efficiency of digital repression. Governments are leveraging automated systems to strengthen their information controls and hone forms of online censorship. Simultaneously, disinformation distributors have turned to AI tools to fabricate images, audio, and text, further blurring the lines between reality and deception.

The report calls on policymakers and their civic and private-sector partners to gain momentum in protecting overall internet freedom, especially as AI technology augments the forces driving the multiyear decline. An effective defence of internet freedom requires not just developing AI governance systems but also addressing long-standing threats to privacy, free expression, and access to information that have corroded the broader digital environment.

 Key findings for Estonia

• Since the beginning of the Russian aggression in Ukraine, the Estonian Consumer Protection and Technical Supervision Agency (TTJA) has ordered communication companies to block media and online channels related to the Russian state to prevent the spread of war propaganda. Together with the applied sanctions, a total of 51 TV channels and nearly 200 websites have been banned in Estonia.
• Facebook restricted access in Estonia to 163 items that violated EU sanctions on Russian state-controlled media sources between January and June 2022.
• Following parliamentary elections in March 2023, the new coalition government drafted a proposal to implement stronger penalties for hate speech.

Key report findings

• Global internet freedom declined for the 13th consecutive year. The environment for human rights online deteriorated in 29 countries, while only 20 countries registered net gains. The largest decline on the report’s 100-point scale occurred in Iran (−5), followed by the Philippines (−4) and then Belarus (−3), Costa Rica (−3), and Nicaragua (−3). For the ninth consecutive year, China was found to have the worst conditions for internet freedom, a title that Myanmar came close to capturing in this year’s report.
• Attacks on free expression grew more common around the world. In a record 55 of the 70 countries covered by Freedom on the Net, people were imprisoned or otherwise persecuted for expressing their political, social, or religious viewpoints, while people were physically assaulted or killed for their online commentary in 41 countries. The most egregious cases occurred in Myanmar and Iran, whose authoritarian regimes carried out death sentences against people convicted of crimes related to online expression.
• Generative AI threatens to supercharge online disinformation campaigns. Governments in at least 47 countries deployed commentators to manipulate online discussions in their favour during the coverage period, double the number from a decade ago. Meanwhile, AI-based tools that can fabricate text, audio, and imagery have quickly grown more sophisticated, accessible, and easy to use, spurring a concerning escalation of the associated disinformation tactics. Over the past year, the new technology was utilised in at least 16 countries to sow doubt, smear opponents, or influence public debate.
• AI has allowed governments to enhance and refine their online censorship. The world’s most technically advanced authoritarian governments have responded to innovations in AI chatbot technology, attempting to ensure that the applications comply with or strengthen their censorship systems. Legal frameworks in at least 22 countries mandate that digital platforms deploy machine learning to remove disfavoured political, social, and religious speech. AI, however, has not completely displaced older methods of information control. Governments in a record 41 countries blocked websites with content that should be protected under free expression standards within international human rights law.
• To protect internet freedom, democracy’s supporters must adapt the lessons learned from past internet policy challenges and apply them to AI. Democracies’ overreliance on self-regulation by private companies has left people’s rights exposed to a variety of threats in the digital age, and a shrinking of resources in the tech sector could exacerbate the deficiency. To protect the free and open internet, democratic policymakers—working side by side with civil society experts worldwide—should establish strong, human rights–based standards for both state and non-state actors that develop or deploy AI tools, including robust transparency and independent oversight.

The report identifies steps that policymakers, regulators, and tech companies can take to foster internet freedom. Click here to read the full report and policy recommendations.

Freedom on the Net is an annual study of human rights in the digital sphere. The project assesses internet freedom in 70 countries, accounting for 88 percent of the world’s internet users. This report, the 13th in its series, covered developments between June 2022 and May 2023. More than 85 analysts and advisers contributed to this year’s edition, using a standard methodology to determine each country’s internet freedom score on a 100-point scale, with 21 separate indicators pertaining to obstacles to access, limits on content, and violations of user rights. The Estonian report can be found here.

Freedom House is a nonprofit, nonpartisan organisation that works to create a world where all are free. We inform the world about threats to freedom, mobilise global action, and support democracy’s defenders.

Resouce: e-estonia

6 lessons in building a digital society

October 2, 2023

by Justin Petrone

Around the world, Estonia is still often seen as something of an innovative newcomer. But when it comes to digitisation, the country is quickly becoming the grandfather or grandmother of digital nations. With over 20 years of experience, Estonia has stories to tell about the lessons it has learned. 

This was also apparent during a panel discussion, “Building Resilient and Effective Digital Societies: Lessons and Opportunities”, at the recent Tallinn Digital Summit. Florian Marcus, a project manager at Proud Engineers, moderated the panel, which also included Proud Engineers CEO Laura Kask; Ave Lauringson, managing director of the e-Estonia Briefing Centre; Ants Sild, chairman of the Baltic Computer System (BCS) Digital Skills Academy; and Toomas Hendrik Ilves, who served as president of the Republic of Estonia from 2006 to 2016.

1. Offer digital skills to everyone

The topics discussed by the panel were varied and wide-ranging. Still, when asked about the lessons Estonia had learned from its early embrace of digitisation, dating back to the dawn of the online era in the 1990s, a consensus emerged that building a digital society required more than investing in equipment or software. Rather, public outreach was needed to educate citizens about using new technologies, improve their digital skills, and change their mindset.

According to Ants Sild, digital skills have been one source of Estonia’s success in creating a digital society. He said that the state began cultivating digital skills long before it began to transfer its services online seriously. “These were not just IT and technology skills, but more societal skills,” he said. Ilves, who was one of the initiators of the Tiger Leap Program in Estonia in the mid-1990s, agreed. Tiger Leap was an effort to modernise the country’s educational system, focusing on making computers accessible to all students, as well as connectivity to the internet, alongside teacher training and providing new courses in Estonian.

“At that time, the idea was just to get the digital skills out,” Ilves said. He said that the focus was on investing in education and infrastructure for the first few years, including understanding digitisation and coding. It wasn’t until 2000 that the X-Road data exchange layer was introduced, creating the backbone for an ever-expanding ecosystem of digital services.

2. Make it mandatory

Here, Ilves underscored that Estonia created a mandatory digital identity for all residents, a step he called “key to developing a digital society.” He said that digitisation efforts had failed to coalesce in countries where such identities were optional, as people weren’t motivated to use an optional identity. Governments were similarly not motivated to create digital services.

“You have to make it mandatory for it to be successful,” Ilves said. 

Estonia has borrowed ideas from other countries, too, though. Proud Engineers’ Laura Kask said that the idea to create a digital identity actually came from Finland, where non-mandatory electronic identity cards were introduced in 1999, three years before Estonia.

“The idea came from Finland, and we incorporated our ideas on top of it, tested it, made it compulsory, and now almost 99 per cent of the [Estonian] population uses it,” Kask said.

3. The need for political will

Other factors enabled Estonia’s digital transition. Ilves said that governments must be committed to undertaking reforms that may outlast current administrations. “You need to have the political will to do it,” Ilves said. “Too many countries think that digitisation is about buying stuff,” he said. It requires, he insisted, “knowledge and commitment on the part of political leadership.” The legal framework also has to be solid.

“Laws are the software of society,” commented Ilves. He said that Estonia would not have been able to achieve what it has had it not adopted the Digital Signature Act, enacted in 2000. “If you want to change society, you have to change some of that software, too,” he said. 

Private sector adoption has also spurred on change. Sild agreed that private investments from the banking and telecommunications sectors had played significant roles in digitisation, with almost no government support or engagement at all.

4. Exchange ideas with other governments

However, the creation of a digital society in Estonia has not only been solely a success story. The panellist said there are opportunities to innovate. Proud Engineers’ Kask said that Estonia should continue interacting with other countries to share ideas and learn about new concepts.

“It’s important to exchange ideas, to talk to each other and with government officials worldwide,” said Kask.

According to Lauringson, who directs the e-Estonia Briefing Centre, about 90,000 people have visited to learn more about Estonia’s digitisation efforts. “e-Estonia is the best-known brand of Estonia,” she said, adding that the impact of digitisation on both the government and private sector in the country has been “huge and difficult to measure.” Visitors are mostly interested in how Estonian e-governance works. “The fancy show about the ID card doesn’t give them much,” said Lauringson. “They want to see how the system is built and how we e-govern.”

5. Don’t expect quick success

Lauringson has told them not to expect quick success and said that within Estonia, more could be done to improve the skills of state employees. “We have done well in engaging Estonian citizens in the digital society but have not focused on our government people,” she said. Last year, Estonia rolled out a Digital Competence Initiative. As part of the initiative, courses in digitisation have been offered to state employees through the country’s e-Governance Academy.

“For 20 years, we have been engaging society but haven’t paid attention to high-level officials,” Lauringson said. “They are still a target group.”

6. Being a digital native requires a revolution in thought

Regarding educational outreach, Ilves has been heavily involved with creating a master’s program in digital administration at the University of Tartu, where he has given lectures. Ilves said that the program is intended for senior civil servants to understand the nature of transitioning to e-governance, and is geared especially toward students from developing countries. Ilves noted that digitisation has also entered an era where it is no longer focused on moving paper documents online but rethinking how to build services without a link to legacy systems. He called this perspective being a digital native and said it will require “a revolution in thought.”

Recorse: e-estonia

Academics in the front line of e-government problem-solving

September 20, 2023

by Peeter Vihma

Next Generation Digital State Research Group at the Department of Software Science at TalTech is a fine example of cooperation. It creates synergies between academia and the public and private sectors. According to Associate Professor Ingrid Pappel, the head of the Research Group, their main aim is to bring cutting-edge technology closer to people. This includes people who use it and implement technological solutions in the public sector. But how do they do it?

Connecting students to real-life problems

NextGen research group started alongside the creation of the e-governance MA program in 2013. This program produces students with a lot of potential and seeks to engage them in solving urgent problems outside academia. Since then, both MA and PhD students have been engaged with cooperative projects with which the leading NextGen group scientists are engaged.

An example of engaging students is the Future of Digital State Hackathon, organised jointly by NextGen Research Group and the Ministry of Economic Affairs and Communications (MKM) in October 2023. During two days, students will be able to tackle challenges and problems posed by the Ministry, present the solutions and win prizes. Topics include using voice or gesture commands, AI and blockchain to improve digital public services. The difference between a similar event in the private sector is that Estonian ministries will actually implement winning solutions.

MKM is only one of the public sector organisations that hurl challenges towards the research group. Similarly, The Innovation Team at the Government Office and RIA have been engaged in collaborative projects. With RIA, for example, the NextGen group studied the management of digital identities when EIDAS was implemented in Estonia.

Both short-term and long-term engagement of students in public sector-oriented research has proven extremely fruitful. Many former students are now employed by the public sector in Estonia and help to improve collaboration further.

Benefitting all sectors of society

The NextGen Research Group’s strength is engaging with the public sector. This creates a threefold connection between academia, the public and the private sector. One of the visible manifestations of such cooperation is the Eurora project. Triggered by the 2019 EU regulation that established the procedure for the transmission of VAT return data, Eurora Solutions OÜ wanted to take action. The company aimed to create a solution that would automatically help e-commerce providers calculate the amount of tax at the time of the purchase.

The goal was ambitious: to create a service platform software with wide-ranging benefits. The intended beneficiaries included e-commerce platforms, the EU and its member states, international couriers, logistic companies, tax administrators, and customs boards. The most difficult part of the project was to create a machine-learning algorithm that could determine the correct commodity code based on the description of the goods.

“It became clear very quickly that these calculations cannot be solved without the help of data scientists,” said Kaie Hansson, Innovation Manager of Eurora Solutions OÜ.

The cooperation with the NextGen group proved fruitful for both partners. During thousands of development hours, the data scientists created the core machinery to detect the commodity codes based on the product description. For Eurora Solutions, this resulted in the end product that numerous clients already use. For students and scientists, the process has produced several scientific articles and master’s theses.

Providing competence domestically and abroad

This three-dimensional cooperation has turned the NextGen group into a hub of knowledge extensively used domestically and internationally.

In Estonia, the group is one of the organisers of the Next Generation Government Symposium (NGGS) that brings together stakeholders from academia, government and the private sector to understand better next-generation government issues from interdisciplinary perspectives in technology, education, government, and law.

In cooperation with eGA, the NextGen group provides educational programs for CIOs abroad. It has also launched e-governance curriculums in Ukraine and Kenya. In Kenya, local academics are about to open a micro-degree program (an intense 1-year program) in digital governance in collaboration with the NextGen group.

“In all of our activities, we aim to benefit from and encourage interdisciplinary thinking,” says Ingrid Koppel. “We see that this kind of integration is increasingly valued and useful, and we as academics need to provide examples of how actually to do it.”

Resouce: e-estonia