In Estonia, every second citizen actively signs documents electronically and the nation saves a mountain of paper as high as the Eiffel Tower in just two months.
Tarvi Martens, the development director of Estonia’s Certification Centre and one of the founders of the 13-year-old system, is now consulting on cross-border digital signature issues and new regulations in the EU. He also has not given up his IT skills – on the day we spoke to him, he had just finished a new standard for Estonia’s digital signature, which will be internationally compatible.
The meaning of “digital signature” is unclear. How would you define it in Estonia?
Outside Europe, I have heard that a digital signature is defined as a scanned document or just an electronic signature on someone’s iPad. In Europe, there is a directive that defines the meaning of the electronic signature; however, it is not exactly the same as in the Estonian law. In Europe, softer signatures are allowed, and this has caused quite some confusion. For example, an electronic signature can be given by entering your PIN code at a shop. Estonia, however, has kept a strong position from the very beginning – we have not allowed any of these soft signatures in our legislation, and the digital signature is based on the digital certificate. Proof that the certificate was valid at the time of signing is also a requirement. That is why there has been no confusion here about the essence of the digital signature: everybody knows that a digital signature can be used even in the courts.
The (in)security of a digital signature has, however, been a hot issue in the media. How secure would you consider it?
It is not possible to measure security, but you can measure insecurity – for example what has gone wrong or how many attacks there have been. During our 10-year practice, there has not been a single serious fraud case that we know of. Digital security depends mostly on its users – how they take care of their cards and PIN codes. People in Estonia realise that giving a digital signature can lead to legal consequences, and that makes them more careful. True, there have been smaller holes in the system, but nothing catastrophic.
To sum up, the security of the digital signature has a lot to do with educating people, which is a long-term process. It takes six to seven years to change human habits, and you cannot get results the next day.
Why has Estonia succeeded in implementing the digital signature?
The most important factor is that we gave tools to people, as well as to developers, for handling digital signatures – free of charge. Secondly, there was a common understanding of a definition of a digital signature and there was just one single service provider. It is not that simple a thing to accomplish because there could be numerous different software programmes on the market making digital signing available. We did not have to deal with the banking sector using one solution and the public sector another. If different software programmes are used, these cannot be compatible with each other. I think that incompatibility of different programmes and file formats is the largest problem at the European level.
People in Europe have asked me, “How many applications does our digital signature have?” At first I did not understand the question. It turned out that the use of digital signatures abroad is usually application-specific. Some website would ask you for a signing PIN at one moment, and voilà, you have created a signature inside the system. In Estonia, we have digitally signed files, so you can sign anything. Even if you create a digital signature in the web environment, you will be able to download the signature file created for your personal verification and archives.
Later I learned to ask them back, “How many applications does your country’s telefax system have?” Receiving and sending, of course. Likewise, we have two functions – signing and validation of signatures.