Case Study 2: The Solution Architecture

Let’s take a look at their solution architecture then. They created a digital backbone. This is known as the X-Road. And it uses a secure ID. So the previous example, the previous case study we looked at in Indonesia, something very similar happened in Estonia with the issuance of an identity that could be trusted. And this was then built into a wider set of government digital services. So the government became an identity provider for government services and other services, as well. So this became the trusted source of identity across the public and the private sector. Interestingly, Estonia exposed this to internet access. So this is known as the information path. We’ll look at an architecture overview in a second.

But this is actually something that people can access over the internet. There are granular privileges across the public and private sector. So not everybody has access to all of your information; it is tailored appropriately. Part of the success is because, during the implementation of these digital solutions, they were very keen on making sure that the solution was transparent. And so, gradually, trust between the government and the citizen through the use of digital services has grown. Lots of small, incremental steps. Each successive project for digital services brought additional trust, from implementing computers in schools, through to company registrations, through to the use of identity cards. Gradually, the citizens saw that none of these had adverse effects. None of them created problems.

In 2007, Estonia became one of the first countries to face an attack, a large government-scale attack, from Russia. And the consequences of this encouraged NATO to bring its cyber security headquarters to Estonia. So the system was attacked and successfully managed to defend from that attack. So Estonia has always tried very hard to suggest that the transparency of its solution is one of the foundation components. You can always log into your identity through a government portal and see who has inquired for information about you, how your identity has been used, whether this was a police officer, a doctor, or a tax official. And although Estonia built this solution before Blockchain occurred, it actually has some things in common with Blockchain.

So we have the transparency that is created by logging all transactions and the visibility of each of those accumulated transactions over time. The solution architecture heavily relied on PKI. And we can see the number of digital services that Estonia uses their central identity and the digital solution for. We have the identification. We have online voting, electronic voting. Health services. The annual census. Pensions. Banking. Education. Vehicle registration. And so on. Integration with private sector providers allows for private sector providers to confirm things like address details. They won’t have access to information like your health information or your tax information. But if you’re a utility provider, it means that you can provide your ID number.

And the government will federate any form, online form with your address data, just to save time. So this is a really good example of government digital services. Some of the challenges here, there was no precedent for this. So this hadn’t been done before. Estonia were leading the way. And they didn’t have a history in the delivery of digital services. So they tried very hard to build international links with other countries with similar ambitions. There was also a problem or potential issue around ensuring that people had digital access. If you’re creating lots of digital services, you need people who are educated in digital technology and have access to digital technology. We’ve referenced trust as a potential issue. Trust is important.

We need to be able to, if we’re going to use it use these services, as a government, with our citizens, then we have to have buy-in from the end users. If the users won’t actually use the digital services because they don’t trust them, then there’s an issue. So single sign-on trust issues. Kind of the same issues we outlined when we talked about single sign-on apply here. If your ID is comprehensively compromised, then everything you have is compromised. And that 2007 nation state attack that we talked about, had that been successful, then huge amounts of data would have been exposed. There was a security flaw in the smartcards more recently that was detected. And that affected 0.7 million citizens.

So a significant number of Estonian citizens. The government tried to address that in a transparent way, though. They were very honest. They provided information about the potential impact and tried to address it quickly. That was the way they tried to mitigate the impact of that security flaw. So this slide just shows the internet X-Road, the information path. And it shows some of the different services that are available across the internet to the public sector, there on the top left, and the private sector, on the top right. On the bottom right, we have our security services, spreading across to the bottom left.

And so, you have this huge array of services available to both the public and the private sector, covering things like population registers, health insurance, vehicle registers, document management documents, and spreading out there across the top right to your financial and utility sectors. The bottom right there, we do see the ID card and your mobile ID. So the work that Indonesia did in our first case study, we can see some of that being leveraged practically for digital services in our second example. And so, here we have the federation of data between multiple parties, not just government to citizen. Here, we see business to customer, as well. OK. So a brief activity for you to consider.

What future developments might be supported by this architecture? What else could we do? Are there any potential considerations that would require exploring to prevent problems? Are there any other things that we might want to consider?

What about international integrations? Would they be popular? Would they be possible? And if they’re possible, would we want to do them? What issues might we want to explore?