Last year I was in Tallinnn sitting in a fairly swanky office at a renovated industrial building, where civil servant was kind enough to receive us on a research trip to learn more about the e-Estonia, the electronic state popularly known as Estonia. The office was sparsely populated by some twelve people sitting on a port-themed office with anchors and naval knots as decoration, none of them seemed older than fifty, it was nearly indistinguishable from a startup hub in Hamburg. Indeed walking down the same corridor, somewhere else in the building there are startups, companies that make apps, a gym and a cafeteria. This was not a government building in the same way that one might be used in other jurisdictions. Everybody whom I have met in relation to e-Estonian affairs exudes youth, strong belief in the vision of an e-Government, unshakeable trust for their national institutions and a the go-getter attitude of the startup.
Last week I attended an event at Het Nieuwe Instituut where various speakers had the opportunity to present their ideas on how the meaning of national and individual sovereignties are being transformed by digital technologies. Among the speakers where Benjamin Bratton, who wrote The Stack, a monumental "design brief" that provides a new pair of glasses to analyze the impact that digital networks are having on sovereignty at every level: the individual, the city, the nation and the network itself. Bratton calls this layered understanding of sovereignty "The Stack", possibly in reference to software stacks, the way software developers call a specific set of dependencies upon which they build their software. The model that Bratton proposes is composed of seven layers, in many ways it is an echo of the OSI layer model, itself a classification of network activity and the different layers of abstraction at which they occur. Bratton's layered model provides a very productive optic to look at society with, cultural manifestations of computing can be more easily contextualized and understood with Bratton's model in mind. I found it instantly useful, when the last speaker of the night presented his pitch. Marten Kaevats is the National Digital Advisor in the Government Office of Estonia, trained as an architect, Marten is today one of the government officials in Estonia in charge of innovation and digital policy. Estonia is perhaps the most digitally integrated nation in the world. Each of the 1.8 million Estonian citizens has a national identity smart card that is used as a key to access all of the government's services. Anything and everything that a Estonian citizen might need to fill paperwork for, can be done through the e-citizenship portal. Everything, except buying property and getting married, which still require citizens to show up in person to such proceedings. The e-Estonia story is told as a glaring success, a revolutionary approach to running a government that is more efficient, more effective, cheaper to run and more convenient for all citizens. It is such a happy story, such a flawless fable, told so well by people so young and passionate that believe this story so closely that it is hard to resist, and just like Marten did in his intervention, not go around in the EU asking why-oh-why they are still so slow, so costly and why not move the whole of the EU to a model that more closely resembles the flawless Estonian e-State.
This perfect state has always triggered to emotional reactions in me, my inner geek is excited at the prospect of bringing the convenience of interaction that websites and apps provide, to all my interactions with government, from paying taxes, to renovating a drivers license. It just seems right for our age, that interactions with government systems should be as frictionless as hailing an Uber is today. Another side of me is troubled by the idea of having a government, any government, responsible for some 249 sources of highly personal data on each and everyone of its citizens, such level of centralization is just waiting for an abuser to become a living nightmare. No matter what the promises about security of that system really are.
Marten Kaevats makes such promises quite readily. Secure and distributed, that is the nature of the X-Road, how the system is named, a system that since 2012 implements a system analogous to the Blockchain. The government maintains 249 individual nodes, with the highest standard of security, no single node knows your entire data profile, each node only stores and services the data that it has the competence to process and store and it does so with the highest standards in data encryption and security. To break into the X-Road to obtain a person's data means to break into all these sources of information, which is highly unlikely. You can't hack the X-Road in the same way that you might have heard The Pentagon was hacked... hacking the X-Road would be like hacking 249 Pentagon's surely a discouraging thought for any would-be hacker. The X-Road derives its perceived sense of security from this distributed and encrypted architecture.
It's such a perfect happy story, I want it so badly to be real.
At the top layer of Bratton's stack is The User, his definition offers no further insight about who The User might be, could be human or machine, could be individual or institutional we don't really know, but The User, in tech parlance, is often another word for consumer. The person to whom the service is addressed. In the case of Estonia's X-Road the word User and Citizen are equivalent. A User, taking Bratton's model as well as the technical reality of the X-Road is in fact part of the X-Road, when users connect to the government's e-portal what they are in fact doing is becoming part of that network, as a kind of sink, the information on the X-Road is all streamed in an encrypted form to the User's computer, everything from their last visit to the doctor, to the last time their pet was vaccined is pulled from the X-Road diverse set of sources of information and transferred to the User's computer, where it will all be assembled in a single web page. Anybody working in the field of cybersecurity will tell you that a system is only as secure as its weakest node. In the architecture of the X-Road there's a whole layer, that pertaning to the User, where the Estonian government cannot possibly lay any claim about it security which is the User layer. One can make another claim that is just as valid, which is that the security of any given person's identity is only as secure as their own personal computer (or endpoint in cybersecurity parlance). We might of course, all find comfort in that an attempt at massive identity theft cannot be easily perpetrated at the level of the X-Road government network, but one cannot make the same claim if the targets are the users.
The logic that underpins the X-Road is the same techno-solutionist logic that shifts responsibility to the individual, the same logic we see at play in the self-checkout systems at supermarkets. It is the most unwitting layer of Bratton's model, to the end user, as the sovereign state builds its technical infrastructure, the end user must keep pace.
If you are subject to identity theft or any other nefarious side-effect that might result from a poor information management policy, it is not the fault of the government. It is your own.
Estonian's all start learning programming at school, aged five, this is perhaps where the other part of the plan comes into the picture. You can't expect all of the citizens to secure their endpoints unless they have an unusual level of technical competence.
But to those states, who are attracted to the sexy narrative of the electronic state, but have no intention to care for the User layer, beware of the e-Estonia sales pitch. A model that includes anything like Estonia's X-Road has no future unless everybody connected to it including the end users is taken into the equation of perceived progress.
To demand from EU institutions that they should adopt the nimble model of a small and pioneering state like Estonia or lose face, because they are seen as slow lumbering giants, as Marten Kaevats did at Het Nieuwe Instituut is childish and slightly irresponsible. The story of e-Estonia needs to be challenged so that it can mature, the happy-go-lucky attitude of its salesman is doing a poor service to the complexity and nuance of the subject of digital governance.