Digital credentials, such as e-ID cards used in Estonia, could improve protection of personal data.
As the Obama administration works on a set of voluntary online credentials for American Web surfers, some technologists say the government should examine Estonia's mandatory electronic identification cards as a model.
In the United States, opposition to national ID cards has long prevented the government from assigning citizens electronic credentials for online authentication purposes. But certain aspects of e-credentials may protect personal information better than the passwords and PINs people currently use for online transactions, according to some privacy groups, including the Center for Technology and Democracy.
A study on international e-identification efforts released Thursday by the nonprofit Information Technology and Innovation Foundation noted that, "As of 2011, over 90 percent of the population in Estonia had an e-ID. . . In contrast, as of 2011, the United States does not have a national e-ID system. Most individuals still use a collection of poorly secured usernames and passwords to access online services."
Most Americans do not have a way to prove they are who they say they are online. This spring, the administration took a step toward developing voluntary digital IDs, with a venture called the National Strategy for Trusted Identities in Cyberspace. The public-private initiative, headed by the National Institute of Standards and Technology, is aimed at allowing Americans to transact with any secure website using one ID, without the need to repeatedly submit personal information.
Estonia began issuing mandatory e-IDs in 2002 as a means of improving government services, as well as commercial services. Some cities use the cards as fare passes for public transportation. Estonian citizens have been able to elect government officials online since 2005 with their cards. Estonian President Toomas Hendrik Ilves estimates 98 percent of banking transactions take place on the Internet.
This is all made possible, however, by additional technology -- particularly, card readers -- that costs money and can be tricky to install. To use a smartcard for online services, a person must insert the card into a separate piece of hardware connected to a computer and then enter a PIN or password to authorize the transaction, the report explained. "To use a smartcard at home, users need to have card readers on their PCs and the correct software installed on their PCs," it stated. "To meet the needs of all users, the software must also be available for multiple operating systems."
One reason for slow adoption of e-IDs in Belgium, according to the study, is that many users did not have readers, and those who did found the accompanying software difficult to load.
Estonia was more proactive with its e-ID program. Early on, the government sold a card reader "starter package" for twenty euros and led by example, requiring government computers to have card readers.
Some Estonian officials say the design of their card has been key to overcoming privacy objections.
"We haven't heard any case of breaking the cryptoprocessor" -- the card microprocessor that carries out the secure operations -- Helar Laasik, chief expert for the Estonian Police and Border Guard Board, told Nextgov. "Therefore privacy problems are mainly emotional ones, people going around and talking about how government misuses and cross-links databases, etc."
Furthermore, he noted, government and corporate databases already track these sorts of personal data.
As for technical difficulties, Laasik said the Estonian e-ID application was translated into all operating systems and Web browsers, including Internet Explorer, Firefox, Google's Chrome and Apple's Safari, within a year.
The "most time-consuming is to change the masses' mind," he said. "They have to understand that the new system is clear, plain, transparent and highly secure."
The cards do not contain traceable radio frequency identification chips, which also defuses some privacy fears, Laasik noted.
"You have a mandatory document called a driver's license, we have an ID-card," he said. "The difference is in the secure communication channel. It's much easier to forge a driver's license than certificates that [are] in a heavily guarded server."
The front of Estonia's cards includes a person's name, photograph, signature, personal ID number, date of birth, gender, citizenship status, card number and expiration date, the ITIF study explained. The back of the card shows the place of birth, card issue date and residence permit information if available. The card is also embedded with a chip containing non-visible data, such as machine-readable certificates for e-authentication and e-signatures.
The electronic innards of the ID program are maintained by a consortium of banks and telecom companies. The partnership provides a standardized technical framework, called DigiDoc, that makes it easy for private sector developers to program digital signatures into commercial software.
"The government has not placed any restrictions on the use of the e-ID in the private sector and the authentication mechanism is available to any outside developer," the report stated. Currently, businesses and consumers use e-IDs for authorizing online bank transactions, signing contracts and accessing buildings.
The ID cards also are available in a mobile format. The "Mobiil-ID" data is stored on a smaller card that fits into a smartphone.
The report conceded that Estonia may have been able to "be more nimble in its policymaking" for establishing e-IDs than the United States. "A small country with a homogenous population may not face the same political resistance when proposing new technology projects that would be found in a more politically divided nation," it stated.
But, according to the report, the United States may have a cost advantage because economies of scale could drive down hardware and software prices. In addition, the nation is an incubator for innovation.
"Although the United States is late in creating a national e-ID strategy, if it heeds the lessons from early adopters it can capitalize on an enormous opportunity to create an e-ID system that can leapfrog those of other countries and help invigorate our information economy," it added.