Text size: A A A

Australia has a ‘false understanding of privacy’, says Europe’s top rated CIO

“We are all numbered. It’s not a political question, it’s an engineering thing,” says Taavi Kotka (pictured), chief information officer at the Estonian government and deputy secretary general of ICT at the Ministry of Economic Affairs and Communications.

Estonia is perhaps the world’s leading country when it comes to fully integrated e-government. Estonians can vote over the internet, health records are available no matter where you are, and it takes 18 minutes to start a company online.

And if the unthinkable happened and Estonia’s giant eastern neighbour, Russia, decided to throw its weight around again, the country would even be able to run itself remotely, with the parliament and courts having the ability to be run from outside the country. “Data embassies” store public records at a range of offshore locations around the globe.

Last year it was announced Estonia would join the United Kingdom, Israel, New Zealand and South Korea to form the D5, or digital five, a global network of the tech-savvy countries.

“Basically all services are digitalised”, Kotka told the Connected Government Summit in Melbourne last week.

But this hasn’t come about by accident. Implementation began back in the 1990s, starting with taxation.

“Before e-taxation people had to spend a day to fill the papers and submit, but after e-taxation it’s a couple of clicks, and people love that, so they started to expect that kind of service from every ministry,” Kotka told The Mandarin.

That momentum, paired with government support, helped “push the lazy ones to move faster” he says, noting that now there are over 900 organisations connected to the nation’s e-government system, and more than 3000 different e-services.

Unique digital identity

He stresses that a cornerstone of the system is ensuring every person has a unique digital identity, which in Estonia’s case is linked to a compulsory ID card.

“My digital name is 37901214916,” he states, “it’s a public number, and I’m proud of that. My bank uses my real name, but there might be many Taavi Kotkas. To differentiate, in the digital world they use my digital name.”

In contrast, a US Social Security number is theoretically secret, a component of proof of identity, and poor security of it can result in identity theft.

“The best that could happen to the nation, to fix the privacy understanding, is to have a cyber war.”

Both the public and private sectors in Estonia use this government identity system for services, such as banking, where strong identification is required. Protecting a single, centralised ID system allows for greater security, argues Kotka.

“It’s a small country, so how many different authentication methods you can afford? It seems to be much easier to protect one system, together with the private sector, because we’re both concerned if something happens to that system, so we both build a roadmap. It’s way better protected than any security that banks create by themselves. And according to our knowledge, it has never been breached.” The ID card is also, he adds, compulsory, unlike in Finland, where an optional system has seen a low take-up rate.

Kotka has significant previous experience in digital innovation, having come from the private sector into government after leaving his position as managing director at the Baltics’ largest software firm Nortal. He is also an angel investor in technology start-ups. He was recently named European CIO of the year for 2014.

Despite the political arguments, he says, there are really only two options for creating an integrated e-government system — centralised and decentralised. Estonia chose decentralised, allowing each organisation to create its own system and connect on a peer-to-peer basis. Austria, he points out, has opted for centralisation.

There are pros and cons to each, suggests Kotka:

“If there is a cyber attack and one system goes down, first of all, we instantly know all the connections. It’s all registered. Yes, it affects the whole environment, but it doesn’t take the whole thing down.

“Taking down one system doesn’t take down the whole government. As they are all built in different ways, to take down the whole Estonian government, you have to basically design 900 different cyber attacks, which is possible of course, but bloody costly.”

Indeed, the prospect of a massive cyber attack is not merely a hypothetical for Estonia — in 2007 it endured a series of attacks widely believed to have originated in Russia.

Trusting Big Brother

This is one of the reasons Kotka is dismissive of arguments that e-government is a threat to privacy. “We don’t have the false understanding of privacy that you have [in Australia]. That you can’t trust the government, that government is Big Brother. Come on.

“One of the key things is how we taught our society to accept this and understand all these privacy and cyber security issues. The best that could happen to the nation, to fix the privacy understanding, is to have a cyber war. During a cyber war, things are discussed in a proper ways, how the attacks happen, how the systems are protected, and all this is in the news for a month, and people understand it.”

Holding up a smart phone, he continues: “This device registers my location every 30 seconds. My government does not know where I am every 30 seconds. Google knows more about my health than my doctor.

“These companies are connected to all this information because you allow them. You use Google as much as possible, Facebook same, you give so much of this information away. Sorry about my English, but they even know what kind of porn I’m watching. The government doesn’t.”

“It’s an engineering thing — don’t mix it with politics. There’s only one way in software engineering — everyone has a unique identifier … ”

Why agree to give huge amounts of data to companies — “they are protecting their shareholder value, they don’t care about you,” he says — but then refuse to allow government access, even if it could improve services?

Maintaining cyber security is made easier, he adds, if as much information as possible is already publicly available anyway. “I can search for what property the president owns. The only things that are private in Estonia is health, military things, and private sector incomes.

“Cyber security actually gets quite easy if there’s nothing to protect,” he jokes.

Strict data access rules and records help, too. All citizens can see for themselves who has accessed their data, and are able to bring charges if that information was accessed inappropriately.

Moreover, government can only request each piece of information from each citizen once. Subsequent requests must be directed to the agency that made the first inquiry, shielding citizens from repeated government requests.

A key component in keeping government IT up to date — which may sound shocking to those accustomed to using some of Australia’s ancient systems — has been the no legacy rule: no public sector IT system can be older than 13 years.

While the Commonwealth has just begun overhauling its 1980s mainframe-driven Centrelink payments system and New Zealand spends 80% of its IT budget on the maintenance of a system built on the 1950s programming code COBOL, most of Estonia’s systems are up to a decade old.

The rule has been successful because it empowers IT personnel to make the argument for upgrading, Kotka says, allowing them to tell their bosses “since we have to rewrite it anyway, maybe we should change some processes also.”

Moreover, online voting — which, as Kotka demonstrates, takes about 30 seconds to complete — has seen Estonian participation rates remain stable in a decade that has seen ever-lower voter engagement in Western Europe.

Estonia has been able to achieve all this despite having a GDP per capita one-third of Australia’s, and still maintains one of the lowest government debt rates in the world.

Kotka is astounded by how large Australian government blow-outs can be, arguing a big contributor is the use of multinationals to deliver projects. Estonian government IT projects are largely outsourced to local companies.

‘Render unto Caesar’

But it takes time to make reforms, points out Kotka:

“Reaching the level Estonia has or Singapore has I think it would take Australia minimum 10-15 years. What that means is that you have to make a couple of core political decisions. One crucial decision is you have to give unique digital identifiers to your people. You don’t have to give digital identities, but at least let’s agree that there’s a unique identifier. It has to be a number.”

The other is that the major parties need to agree to support the changes.

“It’s the Finnish model. It’s very important. Those reforms are painful. You can’t get any votes from it, but it should be agreed among all parties that we don’t touch these things for the next ten years. You can’t use it in elections because you all have agreed you don’t touch it.”

One point Kotka keeps coming back to is the need to give software engineers the backing to do their jobs without political interference.

“If you want to build a bridge across the river, that’s an engineering question. Whether to build a bridge, that’s a political question, but after that, how we build it is an engineering question.

“Software engineering is as complicated as building a bridge. It’s an engineering thing — don’t mix it with politics. You need to start to be able to connect objects. But to connect there’s only one way in software engineering — everyone has a unique identifier, so they know all the information that we compile will be connected to that particular person.

“The key element is that the numbering people is a policy question. Transparency is a policy question. Connectivity is a policy question. After those questions are answered, the rest is engineering.”

Access to the Connected Government Summit was provided by Association and Communications Events.

Join The Mandarin conversation below: Would a unique number for every Australian resident be a step too far?

Author Bio

David Donaldson

David Donaldson is a journalist at The Mandarin based in Melbourne. He's previously written for The Guardian and Crikey and holds a masters in international relations.