Slashdot Mirror

← Back to Stories (view on slashdot.org)

No More Paperwork: Estonia Edges Toward Digital Government (apnews.com)

Posted by msmash on from the marching-forward dept.

In the Estonian capital of Tallinn, three-day-old Oskar Lunde sleeps soundly in his hospital cot, snuggled into a lime green blanket decorated with red butterflies. Across the room, his father turns on a laptop. "Now we will register our child," Andrejs Lunde says with gravity as he inserts his ID card into the card reader. His wife, Olga, looks on proudly. And just like that, Oskar is Estonia's newest citizen. No paper. No fuss. From a report: This Baltic nation of 1.3 million people is engaged in an ambitious project to make government administration completely digital to reduce bureaucracy, increase transparency and boost economic growth. As more countries shift their services online, Estonia's experiment offers a glimpse of how interacting with the state might be for future generations. Need a prescription? It's online. Need someone at City Hall? No lines there -- or even at the Department of Motor Vehicles! On the school front, parents can see whether their children's homework was done on time.

Estonia has created one platform that supports electronic authentication and digital signatures to enable paperless communications across both the private and public sectors. There are still a few things that you can't do electronically in Estonia: marry, divorce or transfer property -- and that's only because the government has decided it was important to turn up in person for some big life events. This spring, government aims to go even further. If Oskar had been born a few months later, he would have been registered automatically, with his parents receiving an email welcoming him into the nation.

48 of 93 comments (clear)

  1. Ivan brings frost piss! by Anonymous Coward · · Score: 1

    This is place Russians keep do the hacking, da?

    1. Re:Ivan brings frost piss! by Hognoxious · · Score: 2

      No, it's that place Dilbert keeps visiting. Their economy is 100% based on mud.

      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."
    2. Re:Ivan brings frost piss! by szabo.m.peter · · Score: 2

      That is Elbonia.

      Other than its climate, Estonia is a pretty nice place...

    3. Re:Ivan brings frost piss! by Hognoxious · · Score: 1

      Their neighbours wouldn't be my first choice.

      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."
    4. Re:Ivan brings frost piss! by szabo.m.peter · · Score: 1

      Their neighbours wouldn't be my first choice.

      Except for one, I think they are okey.

    5. Re:Ivan brings frost piss! by arglebargle_xiv · · Score: 1

      Across the room, his father turns on a laptop. "Now we will register our child,"

      "Unt now ve register our child. Ve haff permission from ze government to haff him, provided he doess his compulsory military serviss, vhich guarantees both citizenship unt voting riiights!".

  2. How convenient by quonset · · Score: 4, Insightful

    When I need information it's now one-stop shopping in Estonia. All the people's information in one convenient place. No muss, no fuss, Hack once and live a lifetime.

    BTW, what happens when, not if, Russia decides that uppity former republic needs to be taught a lesson? We've seen what they're trying to do in the Ukraine. Imagine a country with a population less than the city of Philadelphia being taken down when nothing works because somehow, mysteriously, large amounts of data are lost or corrupted.

    What's that saying about putting all your eggs in one basket?

    1. Re:How convenient by MobaHup · · Score: 5, Informative

      The data *isn't* kept in one convenient place. On the contrary. Each government agency only keeps data relevant to them. If they need information about, for instance, someone's company's mailing address, then they can request it -- straight from the agency that deals with this information -- over X-Road, a sort of secure intranet/SOA hub. Each agency publishes a set of SOAP services (with various access restrictions) to make use of the information they maintain, and other agencies can securely and directly access these services. Access from/by each agency is protected by standardised security servers that take care of encrypting, validating and logging the data. If a hacker gets access to, say, the local DMV, then they would only have access to DMV's information and could make some individual requests that other agencies allow DMV to make -- no more.

    2. Re:How convenient by houghi · · Score: 1

      Why bother with Estonia? Just go to Belgium. At least the code of the ID reader and the whole security is out in the open. Somebody even put it on Github and anybody can see if an ID is valid.

      So much easier to hack if you know the source, No need to try to figure it out.

      --
      Don't fight for your country, if your country does not fight for you.
    3. Re:How convenient by Freischutz · · Score: 2

      When I need information it's now one-stop shopping in Estonia. All the people's information in one convenient place. No muss, no fuss, Hack once and live a lifetime. BTW, what happens when, not if, Russia decides that uppity former republic needs to be taught a lesson? We've seen what they're trying to do in the Ukraine. Imagine a country with a population less than the city of Philadelphia being taken down when nothing works because somehow, mysteriously, large amounts of data are lost or corrupted. What's that saying about putting all your eggs in one basket?

      Estonia is a NATO member and an EU member and Britain and Germany have deployed forces in the Baltic nations. They are safe.

      Those are token forces. Unless the Estonian, Latvian, and Lithuanian armies are able to deal with massive armour and airborne invasions and delay the Russians for a significant amount of time while NATO forces deploy to the theatre the Russians can overrun those countries in hours and judging from what I've seen in terms of training of Baltic forces by NATO that seems to be the strategy. Once the Ivans are occupying them these countries will become another frozen conflict like the E-Ukraine or those disputed territories in Georgia ... unless the Russians decides to annex Estonia, Latvia, and Lithuania to 'protect' the inhabitants. After that it becomes a question of whether NATO is willing to put up rather large armoured invasion force to liberate these countries. To that purpose they must first deal with a massive Russian SAM and fighter umbrella and judging from what Trump has been saying I'd be sceptical the US would ever agree to it and they'd be the ones who'd have to provide a large part of the air defence suppression assets in particular (read: cruise missiles and stealth bombers). As for the internet, I suppose the Russians would cause some damage in the event of an war, probably quite a lot, but I don't think it would be win-the-war-in-six-hours type damage and I'd also be surprised if there aren't plans to isolate Russia from the ROW internet by a button press in the event of a war.

    4. Re:How convenient by MobaHup · · Score: 5, Informative

      It's transported over regular (and/or government-only) Internet strictly over TLS with known certificates, but the reference security implementation (software as well as hardware) is provided by the government. Basically, each agency only needs to implement the services and make them available for the security server, which takes care of publishing the service, validation, encryption, logging -- all the tricky and sensitive stuff. The common security solution is of course developed and maintained by competent people. But even if case that gets hacked, then the communication relies on public key cryptography, and the private keys of the security servers themselves are generated and stored in hardware, which is never accessible from server software.

    5. Re:How convenient by Anonymous Coward · · Score: 1

      Estonia is a NATO member and an EU member and Britain and Germany have deployed forces in the Baltic nations. They are safe.

      Ukraine gave up their nuclear weapons based on security guarantees from NATO, the EU, and the US.

      They are safe...

    6. Re:How convenient by 110010001000 · · Score: 2

      Baloney. Anytime you put information on a network it can be accessed.

      "The common security solution is of course developed and maintained by competent people"

      Right.

    7. Re:How convenient by Kjella · · Score: 3, Interesting

      When I need information it's now one-stop shopping in Estonia. All the people's information in one convenient place. No muss, no fuss, Hack once and live a lifetime.

      Actually the reason identity theft is such a big deal in the US is because having the information is generally sufficient. If I doxed myself here in Norway you could certainly do a lot of annoying things, but you'd find that for anything of real importance you'd either have to use an electronic signature or show up in person. Just having my person number (DOB + sex marker + unique counter), name, address etc. doesn't really get you very far. And while all my data is connected through the same unique identifier they're still kept by many different branches of government, you might say one common login gives access to everything but what happens in other nations? Surely there must be some level of standardization that DOB + SSN + whatever = ID. Unless you're going for the "the only way to win is not to play" solution by physically standing in line at a government office for everything.

      Imagine a country with a population less than the city of Philadelphia being taken down when nothing works because somehow, mysteriously, large amounts of data are lost or corrupted.

      Nobody's back end system is paper based anymore. Sure you might say that by exposing it over the Internet you're adding additional threats but the real high level hacks are often still an inside job or targeting the employees. We've had online banking here now for a couple decades, I've still not heard of anyone hacking their way to the core bank systems through the client, it's such an obvious way into the system that the protocol is completely locked down. It could make denial-of-service easier, but you still have to consider a power failure or an idiot with a backhoe and work on contingencies anyway. And don't forget how much else depends on the Internet these days, if it stops tons of B2C and B2B solutions won't work. It's not just the government's problem.

      --
      Live today, because you never know what tomorrow brings
    8. Re: How convenient by Anonymous Coward · · Score: 1

      If you are under the impression that France or Britain or anyone else will be willing to put their nations' interests in harm's way to protect the Baltic republics, you're sorely deluded. It would take Russia very little to cripple the EU economy with minimal loss of life and everyone with half a brain in Brussels knows it. France matters. Germany matters. Lithuania... Not so much.

    9. Re:How convenient by 110010001000 · · Score: 1

      " I've still not heard of anyone hacking their way to the core bank systems through the client"

      This happens all the time. You just don't hear about it.

    10. Re:How convenient by dunkelfalke · · Score: 2

      There is simply zero reason to invade since the Baltic states are already in the NATO.
      Ukraine and Georgia both wanted to, but cannot anymore since the NATO statutes indirectly prevent countries with unresolved territorial conflicts from joining.

      --
      "It's such a fine line between stupid and clever" -- David St. Hubbins, Spinal Tap
    11. Re:How convenient by MobaHup · · Score: 1
      I posted a link above regarding how it works exactly.

      The point is that data isn't centralised, but kept at agencies that manage it. Different agencies offer different, secure interfaces (some more or less public, some not) to the data they do have. If one agency is hacked or DDOSed, then it doesn't affect the other agencies, or the traffic between them.

    12. Re:How convenient by wisse · · Score: 1

      They have this neat idea of a digital embassy. They have got a copy of digital Estonia running in Luxembourg. When the russians do come the estonians who manage to get out of the country open their laptops somewhere else, and there are still part of digital Estonia.

    13. Re: How convenient by Anonymous Coward · · Score: 1

      Ukraine had no formal guarantees from either NATO or the EU. Estonia is a NATO member, so any attack on Estonia would mean war with NATO.

    14. Re:How convenient by szabo.m.peter · · Score: 2

      I don't know...

      Putting data on a private network, with TLS, with known certificates (i.e. no easy man-in-the-middle), and then putting further encrypted data on it with private/public encryption sounds pretty solid to me... Certainly more dependable than some corporations I've seen.

      Also, AFAIK Estonia has a longer track-record of doing this, gradually adding more-and-more functionality to an existing system.

      What happens in case of a wide scale denial of service is an interesting question. Probably they have thought about this. As we depend on network infrastructure more-and-mode with our economies, I think generally all countries should be prepared for such an event.

    15. Re: How convenient by rogoshen1 · · Score: 1

      Judging from the response to his adventures in Georgia and the Ukraine; I think Putin knows he's squaring off with the west which is currently more Chamberlain than Churchill.

    16. Re:How convenient by Anonymous Coward · · Score: 1

      Your lack of understanding of basic cryptography and PKCS#11 aside, the fact that there is absolutely zero evidence of any successful mass theft of Belgian eID data serve as evidence that you are mistaken in your assumptions. Or do you want us to believe that cybercriminals entirely have missed out on this supposedely easy to steal hoard of valuabe data?

    17. Re:How convenient by mardu · · Score: 1

      If a wide-scale denial of service occurs, most of your important paperwork can still be done using pen and paper. Although almost everybody uses e-services, there are still paper forms available and regulations for dealing with these. As there are hundreds of different digital government services, some of them have or have had minor issues at some point. In these cases, people just had to do it the old way, go to a government office and fill out their forms. So a DoS would be a huge inconvenience, the country would be slower than usual but would not shut down.

    18. Re: How convenient by mardu · · Score: 2

      Estonia had the luck of having no legacy regulations and basically no huge legacy databases when we regained our independence after the Soviet occupation. Everything had to be built from the ground up so it was easy to use new technology and ambitious ideas.

    19. Re:How convenient by mardu · · Score: 1

      Of course things can go wrong. But although the news article makes it seem like it is a new thing, the "digital government" has been around for more than 15 years. Some have tried to break in, some have tried (D)DoS attacks. People working with it already have experience with it. Although this is not a guarantee against idiots in charge, it certainly makes it less likely - experiences professionals are more likely to speak up before that. I don't think anybody has though of absolutely everything but at least so far it seems that they have thought of everything necessary. If something fundamental breaks or if found to be flawed, access to the systems can just be shut off. Paper and related procedures still exist and work, people just choose to use online services. It would make it more difficult and slow the country down but you don't have to report to the government every day anyway.

    20. Re:How convenient by szabo.m.peter · · Score: 1

      I think you are right in that having paper based processes is harder to disrupt. My point, is that there are hardly any "pure" paper based processes left (1), and that the economy (outside of government) depends on information processing systems anyway (2).

      Short unavailability of government services is acceptable (as the benchmark paper processes rarely give real-time results anyway.) A sustained DoS on the other hand will harm the operation of the government also in the current case, as most of the time the information I provide on forms ends up in a government database already... The paperwork is mostly just an "input/output queue". As the queues fill up, the machine will halt.

    21. Re:How convenient by Kjella · · Score: 1

      This happens all the time. You just don't hear about it.

      No it doesn't. That they compromise individual accounts, sure. That they compromise the bank itself via phishing or hacking yes. But those attacks pretty much never go through the front door, like you go to their public web server and run an exploit.

      --
      Live today, because you never know what tomorrow brings
    22. Re:How convenient by Kjella · · Score: 3, Interesting

      Those are token forces. Unless the Estonian, Latvian, and Lithuanian armies are able to deal with massive armour and airborne invasions and delay the Russians for a significant amount of time while NATO forces deploy to the theatre the Russians can overrun those countries in hours and judging from what I've seen in terms of training of Baltic forces by NATO that seems to be the strategy.

      They're token forces in military terms, but not in political terms. Pretty much all the front line troops are there to escalate it to a proper war and invoke Article 5, there's no country in Europe that can defeat Russia alone. And while the US might drag their feet on becoming involved in another overseas war no country in Europe is going to let Russia go on a Hitler-like series of annexations. They can take the Baltics, but then WW3 has begun.

      --
      Live today, because you never know what tomorrow brings
    23. Re:How convenient by AHuxley · · Score: 1

      Re 'Those are token forces."
      Thats all NATO needs as part of its eastward expansion to drag the rest of NATO into action.

      --
      Domestic spying is now "Benign Information Gathering"
    24. Re:How convenient by houghi · · Score: 1

      If you are a hacker and need to go to the country itself, you are doing it wrong. Just stay wherever you are and hack the planet. HACK TEH PLANAT!!11!11

      --
      Don't fight for your country, if your country does not fight for you.
    25. Re:How convenient by dinfinity · · Score: 1

      And while the US might drag their feet on becoming involved in another overseas war no country in Europe is going to let Russia go on a Hitler-like series of annexations. They can take the Baltics, but then WW3 has begun.

      I dunno, man. Europeans have gotten quite nationalistic and selfish of late. I know many of my fellow countrymen don't give a rat's ass about pretty much the entirety of Southern Europe, let alone the Balkans or the Baltic states. They see them as freeloading countries whose inhabitants only 'steal our jobs'. They refer to the EU as the EUSSR and would all rather retreat onto the island they regard their country to be.

      Remember that one of the major reasons why Hitler could get so far as he did was that nobody wanted to get involved (with WWI fresh in the minds of their citizens). I have family in Estonia, so I dearly hope that Europe and NATO will stand strong as they should. I wish I could be as sure of that as I want to be, though.

  3. Foolish by Anonymous Coward · · Score: 1

    You put everything on the Internet, you open it to an attacking nation:
    https://www.bbc.com/news/39655415

    "Online services of Estonian banks, media outlets and government bodies were taken down by unprecedented levels of internet traffic."

    "Massive waves of spam were sent by botnets and huge amounts of automated online requests swamped servers."

    "The result for Estonians citizens was that cash machines and online banking services were sporadically out of action; government employees were unable to communicate with each other on email; and newspapers and broadcasters suddenly found they couldn't deliver the news. "

    "The 2007 attacks came from Russian IP addresses, online instructions were in the Russian language and Estonian appeals to Moscow for help were ignored. "

    Russia is a rogue nation at this point, and people like Rand Paul, and Devin Nunes should not put their political careers above their country.

  4. Re:Lies, damn lies, government propaganda by mermeid007 · · Score: 1

    In DC, since they have no local government to speak of, they often have to choose between automating part of a process for some tangible improvement and changing nothing. Of course, they also have such a small population that in the past they simply did away with any paperwork or services that were not needed. I think various agencies would complain when they didn't get the data they needed, and this really is what drove their decisions on automation. A pull not a push.

  5. Registering your child by 110010001000 · · Score: 1

    "The Mother looked on proudly as the Father inserted the chip under his newborns skin. After enabling the connection to the laptop, the programming of the child started. Within 10 minutes, the child was fully programmed and was now a full Estonian citizen. On his 17th birthday he would be eligible for ration level B and military service."

    Truly a glorious accomplishment.

    1. Re:Registering your child by cascadingstylesheet · · Score: 1

      "The Mother looked on proudly as the Father inserted the chip under his newborns skin. After enabling the connection to the laptop, the programming of the child started. Within 10 minutes, the child was fully programmed and was now a full Estonian citizen. On his 17th birthday he would be eligible for ration level B and military service."

      Truly a glorious accomplishment.

      Meh.

      What they are actually doing - as opposed to your dystopian fantasy - is an electronic version of birth certificates and ID cards that is nothing really new, just a new implementation.

      It carries its own risks (and benefits), sure, but is nothing like what you are describing.

      Do you object to birth certificates and ID cards in general? (Perhaps you do, some do.)

  6. We're all still in the steam age ... by Qbertino · · Score: 1

    ... compared to Estonia. What they're doing in terms of digital government is groundbreaking and has been going on for a few years now. All digital zero-fuss bureaucracy. Very nice and an example I'd wish some German authorities would follow more eagerly.

    --
    We suffer more in our imagination than in reality. - Seneca
    1. Re:We're all still in the steam age ... by Actually,+I+do+RTFA · · Score: 1

      I don't find the current system at all onerous. Hence, I'm happy to avoid the probable issues behind what Estonia is doing. For instance, I don't particularly want the government to have my fingerprints on file.

      --
      Your ad here. Ask me how!
    2. Re:We're all still in the steam age ... by szabo.m.peter · · Score: 1

      Well, when I get a passport my fingerprint is taken (-->my government has it). I am pretty sure other countries also have "biometric" passports already as it seems to be the norm nowdays.

      Then, I travel to the US, where my fingerprint AND my retina-scan is taken (--> the US has it)

      Then, I use a smartphone (--> who knows who has my fingerprint & retina data).

      Then, I log in to my laptop with a finger swipe (--> only god knows who has that data)

      I think we are all way past the point where our biometric data is not shared with governments, businesses, or the neighbor's cat. When you try to avoid the "possible issues", you are already having all the possible bad consequences while missing out on the good ones.

  7. Governance is the bottleneck by wisse · · Score: 2

    It sounds really simple: all information in one place, you own your own information (including your health information). And techniscally it *is* simple. But the governance can be made so complicated that no other country has pulled this off yet. Getting all your national institutes to work together on one digital government is no small feat.

  8. Re:First post from Tallinn, Estonia by Applehu+Akbar · · Score: 3, Interesting

    ...and thumbs down on where this country is going.

    In a backward and paper-based country, a cyberattack that disables things properly will hurt. Over here, it will cripple.

    But at the same time, online access to government offices is a huge time saver. When people get it, they don't want to go back, any more than we would want to go back to having to schedule a library visit to look up any kind of reference information.

    We can't avoid having to fix the online security problem.

  9. Soon on Slashdot... by grumpy-cowboy · · Score: 1

    Estonia government servers have been hacked and ALL citizen's private information is available online.

    --
    Will $CURRENT_YEAR be the year of the Linux Desktop?
    1. Re:Soon on Slashdot... by mardu · · Score: 1

      No centralized data storage (each government body manages their own databases), so pretty much impossible to read about ALL private information being publicly available. Some, possible, but not ALL. Also, not much to do with this information as in Estonia you cannot steal someone's identity just by knowing some data about them. Identity codes (the closest thing to an SSN here) are public information and basically nobody validates identities without a valid ID card or passport (or another equivalent document). Maybe the most delicate piece of information could be medical records but... this digital service does not properly work because the doctors are too lazy to fill the forms (althought mandatory by law).

  10. Estonia's System Is Unique and Interesting by organgtool · · Score: 4, Informative

    There are a lot of comments here talking about hacking government servers and getting everyone's data. This is based on a misunderstanding of the Estonian digital record system. I've read several articles about it and if I understand it correctly, the system is more of an authentication system and records interface. Your data isn't stored on a single set of government servers - instead, public and private entities store their information about you on their own servers and are required to use the government's digital authentication system for access. The records are required to have access control layers so that citizens can control which people have access to their records. I believe there is also a required interface for presenting history data so that a citizen can see all attempted access to their records. It's a very interesting and pragmatic approach and it'll be something that people should watch closely and learn from.

    1. Re:Estonia's System Is Unique and Interesting by Danielsen · · Score: 1

      His father turns on a laptop. "Now we will register our child,".

      Pretty standard.. But why do the parents need to register..
      In Denmark the mother is registered during prenatal care, and she also informs the social security number of the expected father.
      One of my colleagues girlfriend gave birth to there baby a Sunday night, and they were unmarried.
      The midwife registers the childbirth.
      One hour later the father got a message from the 'stats amt' where the had to sign for the paternity.

  11. Re: Conspiracy angle by del_diablo · · Score: 1

    Could you reference anything? Like, i get the white hat angle where you hack the core and add a pop up.
    But the way i understood it, as its presented in the media is that your goal as a hacker is to acquire unique information(i.e bank account number+ persona) and then you need a hack to get past the 2 factor authentication. And as the experts know, they are not that secure even if its unique password + offline key generator device
    Once that is done, the goal is then to empty bank account as far as possible. Which means to 0, or to whatever the credit limitation is.
    And thats a fairly common occurrence due phising and false webpages, among other things.

    But the bank angle?
    I am not even sure what secure measures there are. Transfer taking a word day might be one of them, for secure addresses. But i don't know any other security measures.
    I guess i would love to get a idea of the tech level, and the obscurity vs security level.

  12. Bio-chip by p51d007 · · Score: 1

    Might as well have them implant a bio-chip in your skin. THAT would be the logical next step. No muss, no fuss, NO PRIVACY.

  13. Re:First post from Tallinn, Estonia by zlives · · Score: 1

    move along non-citizen, we have no record of you