2017/11/07 14:29:45

The ID card in Estonia



Oleg Shvaykovsky, director of strategy at the Estonian telecom provider Elion and one of the project managers behind the creation of the ID card in Estonia, says (2012):

"Estonia is a small country with 1.3 million inhabitants, and the total number of ID cards issued is about 1.1 million. That is a very high level of penetration, no doubt the highest in the world. It is also the longest-running project: it is ten years old. By the number of electronic signatures per capita Estonia is quite definitely in first place in the world, and by the number of online identification acts per capita too."

Of course, the two projects, the Estonian one and the Russian one (UEC), differ greatly in scale, and the level of technology has changed significantly in ten years. But the most important difference, in Oleg Shvaykovsky's view, is architectural. The Estonian ID card is not multifunctional; it is only an identity document, physical and electronic. As a physical document it is valid within the European Union and also in Norway, Iceland and Switzerland, which are not EU members but belong to the Schengen area (a passport is needed for travel to other countries). Online it provides electronic identification of two types: ordinary and with an electronic digital signature (EDS). Accordingly, the built-in chip contains a copy of the holder's personal data printed on the card, two identification applications, and the necessary keys and certificates. New-generation cards additionally hold the holder's biometric data. And that is all: the Estonian ID card carries no other information, either printed or encoded.

Nor is anything more needed. The fact that the ID card is neither a bank card nor a health insurance policy does not prevent it from being used for access to banking or medical services. By "showing" it to a computer or terminal (which means inserting the card into a reader and entering the PIN code), the holder can log in to an Internet bank: the authentication system checks the client's data and opens access to the client's accounts. In the same way, a patient inserts the card into a reader in the doctor's office to give the doctor access to the patient's own clinical record, which is stored in a medical database. (Usually this information can be obtained only with the patient's consent, since it is confidential personal information, but in an emergency, for example when the patient is unconscious and needs urgent help, the doctor can request the necessary data without the PIN code.)

The ID card can also be used, without any additional information being written to it, for travel on public transport in Tallinn and Tartu. The closest Russian analogue is a train ticket with electronic registration (the passenger boards the car showing only a passport; no separate document granting the right to travel is needed). The Estonian ID ticket is a purely virtual object linked to the card ("non-personalized" tickets, which can be used without a card, also exist, but they are slightly more expensive). An ID ticket can be bought not only in person (for example, at a street kiosk) but also remotely, by bank payment or SMS; information about the purchased ID ticket is entered into a central database and returned on demand during ticket inspection. To reduce the load on the wireless link, inspectors work not with the central database itself but with local copies of it that are updated periodically. As a result, the central database (and the wireless link) has to be consulted fairly rarely: only when the ticket being checked was purchased after the last update.
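The lookup order described above, as an added illustration that is not part of the original article: the ticket inspector's device answers from its local copy and contacts the central database only on a local miss. All class and function names, card numbers and dates are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Ticket:
    card_no: str           # ID-card number the virtual ticket is bound to
    valid_from: datetime
    valid_to: datetime

@dataclass
class CentralDB:           # stand-in for the central ticket database
    tickets: list = field(default_factory=list)
    lookups: int = 0       # how often the wireless link was used
    online: bool = True
    def find(self, card_no):
        if not self.online:
            raise ConnectionError("no wireless link")
        self.lookups += 1
        return [t for t in self.tickets if t.card_no == card_no]

def has_valid(tickets, now):
    return any(t.valid_from <= now <= t.valid_to for t in tickets)

class Inspector:           # the ticket inspector's handheld device
    def __init__(self, central):
        self.central = central
        self.sync()
    def sync(self):        # periodic update of the local copy
        self.local = list(self.central.tickets)
    def check(self, card_no, now):
        mine = [t for t in self.local if t.card_no == card_no]
        if has_valid(mine, now):
            return "valid (local copy)"
        try:               # local miss: ticket may be newer than the last sync
            remote = self.central.find(card_no)
        except ConnectionError:
            return "unverified (central database unreachable)"
        return "valid (central database)" if has_valid(remote, now) else "no valid ticket"

def demo():
    now = datetime(2012, 5, 1, 9, 0)            # constructed sample data
    day = timedelta(days=1)
    db = CentralDB([Ticket("A0000001", now - day, now + day)])
    dev = Inspector(db)                          # local copy taken here
    db.tickets.append(Ticket("A0000002", now, now + day))  # bought after sync
    out = [dev.check(c, now) for c in ("A0000001", "A0000002", "A0000003")]
    db.online = False                            # wireless link lost
    out.append(dev.check("A0000002", now))
    return out, db.lookups
```

In this model a card with no ticket at all also costs one central lookup, because a local miss cannot be distinguished from a ticket bought after the last update.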

The general principle of the ID card is that the service is implemented entirely on the server side. The card serves only to authenticate the user at login, making it a kind of embodiment of the well-known thin-client concept. "Figuratively speaking, the Estonian solution is more cloud-like than the Russian one, although it is older," Oleg Shvaykovsky notes. The "cloud way" is probably not closed to UEC either: no legal or technical obstacles to creating a service, or many services, based on the card's existing identification function are apparent. But Russia differs greatly from Estonia in its attitude to the EDS, and that is fundamentally important.

The importance of the electronic signature question

In December 2000 Estonia adopted a law equating the EDS with a notarized handwritten signature. It applied only to public institutions, but that was quite enough, because businesses interested in developing electronic document management actively supported the initiative. The ID card project was carried out by the Estonian certification center (the only one in the country), a commercial enterprise that de facto belongs in equal shares to the country's two largest banks and two telecom operators, one of which is Elion. According to Mr. Shvaykovsky, the certification center remained unprofitable for about eight years, but the shareholders did not complain, because thanks to the ID card they saved a great deal on client identification infrastructure. Anyone could obtain from the certification center an open API for connecting to the ID card authentication system and in the same way relieve themselves of the need to build their own. The state and the four key players were followed by energy companies, housing and utilities companies, medical systems and hospitals. Today in Estonia it would not occur to anyone to build their own authentication system: it would mean purely unnecessary costs and inconvenience for the client.

In Russia the law on the EDS was adopted not much later than in Estonia, in January 2002, but its adoption had a limited effect on business and practically none on everyday life. The new law No. 63-FZ "On Electronic Signature", adopted in March of last year, is not yet in operation: it was to come into force this June, but the date was postponed until June of next year. Mistrust of the electronic signature and of electronic identification in general still has to be overcome. Whether that works out depends, among other things, on the success of the UEC project, and the fact that the universal card is being introduced as an equivalent of other cards already familiar to Russians is psychologically probably reasonable, even if such a solution is not optimal from a technical and financial point of view.


Since autumn 2010, residents of Estonia have been able to obtain, in addition to the main ID card, one more purely electronic identity document: a card called digi-ID. This card is valid for three years (the ID card for five), and it cannot be presented as a physical document: it bears no photo, and the personal data file on the chip contains only the card number. But digi-ID offers exactly the same electronic capabilities as the standard ID card, and it can be obtained in twenty minutes, since it is produced on the spot at the Department of nationality and migration. If the ID card is lost or damaged, digi-ID gives the owner access to all electronic services until the card is replaced, and in Estonia about 90% of private services and 75% of all public services are now provided via the Internet. Using the two cards in parallel is also perfectly legal.

Mobile ID

One more direction is mobile ID. Since 2007 Estonian telecom operators have allowed subscribers to place the ID card applications on a SIM card and use them for secure Internet access from a smartphone or tablet. This is a very interesting prospect for UEC as well, probably even more interesting than for the Estonian ID card, because Estonia has a tradition of using ID cards from a personal computer and the corresponding infrastructure, while Russia has neither.

Readers for smart cards

Using smart cards requires special reader devices. Estonia solved this problem in good time with special regulations prohibiting the sale in the country of computers not equipped with a reader. The Russian project assumes that citizens will mainly use payment, information and other terminals installed in public places. Of course, anyone who wishes to work with UEC from a computer can buy an external reader, and the UEC company has developed a special secure version that will be certified and will then allow banking transactions without a limit on the amount. But readers, ordinary or secure, are unlikely to become at all widespread: the time for that has passed, and Russia, together with the rest of the world, has entered the post-computer era. Therefore a link between UEC and the smartphone, if implemented, will make it possible to use the card at home, and anywhere else where there is connectivity.

On the whole, Oleg Shvaykovsky assesses the prospects of UEC positively. In Estonia the very launch of a single universal card acted as a catalyst for the emergence of a huge number of services. For such a self-organizing system to arise, he says, not many initial conditions are needed: a certain level of informatization and computerization, a means of identification recognized by everyone, and interdepartmental interaction. He is absolutely confident that the first condition is satisfied in Russia, and thinks that most likely the other two are as well. Therefore UEC will develop, trust in it will grow, and all this will help to improve interdepartmental interaction.


2019: Hackers forge an electronic passport for the first time

In Estonia hackers managed to forge an electronic identity document, the Postimees news site reports. The publication writes that this is the first case of its kind[1].

In February 2019 attackers began sending SMS messages to residents of Estonia, posing as one of the Estonian banks. The message asked recipients to update their personal data by following a link. The link led several dozen users to a page that superficially resembled the bank's real website.

The malicious site required users to log in, for which they had to enter two codes of the mobile electronic identity (Mobiil-ID). The criminals needed these codes to create new accounts in the Smart-ID application, thereby forging the citizens' identity.

The Smart-ID application gives access to various services, including management of bank accounts. It has more than 2.2 million users in total, including 433 thousand in Estonia. The fraudsters managed to cause the application's users only minor damage, amounting to 1 thousand euros.

2017: 760 thousand electronic passports disabled because of a vulnerability

In early November 2017 the Estonian authorities announced that access to state online services would be blocked in order to fix a flaw in the security of some ID cards. As a result of the measures taken by the state, about 760 thousand electronic passports were disabled.

An Estonian ID card

As Reuters notes, Estonia is considered a leader in providing public services online, so a security problem in such widespread digital ID cards puts the Baltic country in a very uncomfortable position.

The national online identification system gives citizens access to most electronic services of the state and of private companies, including banking, school reports, medical records, pension savings, prescriptions, and online voting in elections.

The electronic passport service in Estonia ran into an encryption vulnerability before 2017. The vulnerability puts smart cards, security tokens and other secure chips made by Infineon at risk of being cracked.

In October 2017 Infineon gave assurances that the problem had been fixed, but fully resolving the situation requires updating ID cards and equipment. Both the Estonian government and Infineon stated that there are no signs that the security flaw has been exploited.

Estonian online services are blocked for vulnerable ID cards until their security certificates are updated to include the fix for the earlier defects, the Estonian government said in a statement.

"The functioning of electronic services is based on trust, and the state cannot afford the theft of the personal data of Estonian ID card holders," Prime Minister Jüri Ratas said.

On November 2 and 3, 2017, crowds of people could be seen coming to Estonian police stations and storming the offices of the security service to update their ID card certificates, because the online update service was overloaded.

On November 2 the British ambassador to Estonia, Theresa Bubbear, posted the following on her Twitter account: "Is E-Estonia losing its gloss? For two days I have been trying for hours to update my ID card according to the instructions of the government/the MFA. I am still trying …[2]"
