september 2013
the digital society The Newsletter of the Estonian ICT Demo Center
Should You Treat Cloud Services Like A Marriage? The process of securing your data comes down to three main criteria – accessibility, integrity and confidentiality. We talked about these three with Jaan Priisalu, the director of the Estonian Information System’s Authority. » Read PAGE 3
Big Data & Death of Anonymity What is Big Data, how has it impacted privacy and anonymity online and should the average citizen be worried about the “Little Sister”? » Read PAGE 4
Turning Around a Cyber Attack What are the major lessons learned from the cyber attacks that hit Estonia in 2007? Lauri Almann, former Chancellor of MoD explains. » Read PAGE 5
Foreword Christian Fredrikson, F-Secure Corporation CEO & President
Someone is always watching. This seems to be the bitter truth after data privacy issues have been spotlighted in the recent weeks. » Read PAGE 2
Who's Afraid of the Digital Signature? Estonia can be proud of its digital signature as the nation saves a paper mountain as high as the Eiffel tower in just two months. » Read PAGE 6
The Digital Society is the quarterly newsletter created on the initiative of the Estonian ICT Export Cluster. Subscribe to our e-newsletter at e-estonia.com
ICT Demo Center Lõõtsa 8 Tallinn 11415 Estonia info@demoestonia.com
3 Security Solutions from Estonia Here are 3 Estonian software solutions that share the objective of making your steps in the cyber-world more secure and private. » Read PAGE 8
» e-estonia.com
The Newsletter of the Estonian ICT Demo Center / september / 2013
Foreword Someone is always watching. This seems to be the bitter truth after data privacy issues have been spotlighted in the recent weeks. But even before hearing about PRISM, consumers were concerned about the security and privacy of content they store in the cloud. A recent survey for which we asked GfK to interview 6,000 people in 15 countries in April shows that six out of ten consumers were concerned about the security of storing their content in social networking and cloud storage services. According to the survey, the top five providers people upload their content to are Facebook, YouTube, Google Drive, Dropbox, and tying for fifth place are Microsoft SkyDrive and Apple iCloud. 59% of consumers expressed concern that someone else may be able to access content they store with these providers and now we know they were right. Privacy and security are priceless values in a world where users are always threatened by content losses or breaches of confidential information. So how to escape the ever-watchful eye of governments? The long-term solution can be building a European dotcom industry, and we are happy to be on the forefront of it. Already now users can choose services from European companies to e.g. safely store their personal data in the cloud without having Big Brother watching. Obviously, this industry has to be competitive on its own, not by protection. Consumers will not settle for anything less.
In the meantime, if you don’t choose a provider who can reassure to keep your information private and detain others from tracking you, encrypted connections are a good starting point to keep you away from the casual prying eyes. Enjoy your time on the web – safely. We are serious about privacy and security and encourage you to be, too!
Christian Fredrikson, F-Secure Corporation CEO & President
»2«
The Newsletter of the Estonian ICT Demo Center / september / 2013
Should You Treat Cloud Services Like A Marriage?
» e-estonia.com
Encryption guarantees security Talking about confidentiality, Edward Snowden’s case is a good example of US intelligence having access to data from the companies under their jurisdiction. “In Estonia, the situation with confidentiality is better from an individual’s point of view, although people are not fully utilizing the encryption functionalities that come with their ID cards. Encryption assures the integrity of data – if your signature is intact, you can be sure that no one has tampered with your data, and if you’re smart enough to encrypt your data and have sole access to your key, you can also be certain that nobody else is able to read the data,” Priisalu explains. “In order to send an encrypted message, you need to know the recipient’s key. In the past, a registry of public keys related to ID cards was helpful for that purpose. However, after the registry was closed down by the Chancellor of Justice due to data protection violations, the overall encryption capabilities have paradoxically decreased and in fact matters are worse in terms of data security.”
The process of securing your data comes down to three main criteria – accessibility, integrity and confidentiality. We talked about these three criteria that are also relevant for cloud services with Jaan Priisalu, the director of the Estonian Information System’s Authority. Accessibility means that your data can be found and accessed. Integrity implies that the data comes from the correct source and has not been tampered with. Confidentiality means that the data is only available for the authorized people. In cloud services, the most crucial pain point is the fact that the system processing your data is not under your control. This means that you rely on the owner and administrator of the system and their possible errors. However, it may also save you from making small mistakes of your own. Therefore, cloud services can simultaneously be a solution and a problem. Cloud services are like a marriage According to Jaan Priisalu, users of cloud services should first try to understand what the data is needed for and, should they end up in the hands of others, be changed or lost, what are the consequences. “As in a marriage contract, it should be clear what the terms are for getting out of the relationship or getting back your data should the necessity arise,” Priisalu draws an earthy comparison. A good example of getting back your data in a structured way was the case of Google shutting down their RSS-service, Google Reader. The customers were enabled to take their feeds with them and move them to other service providers.
Time stamps reassure GuardTime, the Estonian-rooted data security company, has helped to improve the situation. If a key that was once at your sole disposal should suddenly become public, you need to have the opportunity to say that the key is no longer valid. However, previous signatures with the same key should still remain in force. One thing that GuardTime helps to ascertain is the time when a change was made. “It would be rather expensive to constantly check if the service provider is correctly managing your data. GuardTime assists in keeping a log and having that as a proof for the integrity of your data. This makes checking much simpler and easier, also in the cloud,” Priisalu claims. 35 million hours saved Talking about future perspectives, Priisalu considers it likely that in the near future states will be initiating cross-border programs for digital signatures or IDs, much like the systems widely in use in Estonia. “The world clearly sees the benefits of digital signatures. In Estonia, we are seeing 35 million digital signatures per year, with as many hours saved. This makes up a week’s worth of time for a single person in just a year,” Priisalu brings an example. Focus on accessibility Today, confidentiality is clearly in the foreground of data security, with integrity lagging behind. “In the future, the focus will be on accessibility. It also depends on the specific field of operation – if a bank makes an error in counting the money, then this kind of bank with integrity issues will soon be out of business »3«
» e-estonia.com
The Newsletter of the Estonian ICT Demo Center / september / 2013
due to lack of trust. So for a bank, the list of priorities should be integrity, accessibility and then confidentiality,” says Priisalu.
(what he called) “Little Sister” – personal information collected in secret and used for targeted advertising and profile building.
With the Internet of Things becoming more and more powerful, people increasingly are trusting their lives to cloud service providers. In the case of smart homes, automated and interconnected systems are basically responsible for the things nearest and dearest to us. It is not yet fully clear how security should be maintained in these circumstances. “It’s likely that security will become an integral part of many of the services used. All the providers in the market need to start thinking about data and system security.”
Are we indeed living in an age where anonymity has been made impossible by the internet and the evolving methods of handling enormous datasets?
Also, a change needs to take place in the understanding of our interconnectedness. “Until now, risk management in organizations has been about who we depend on and what happens to us if something happens to them. But in fact, all organizations are responsible for others, so you also need to think about who is dependent on you,” Priisalu adds.
What is Big Data? Big Data is usually characterized by three Vs: Volume datasets that are extraordinarily large, e.g. location data for all users of a mobile network. Velocity datasets that exhibit a rapid flow of new records, e.g. customer purchase data for a large retail chain. Variety datasets that have a huge variety in the types of data, e.g. social network updates that include photos, videos, etc.
Big Data, “Little Sister”, and the Death of Anonymity
Datasets that display these three properties cannot be analyzed with traditional computing. However, modern computing has evolved methods to enable creating information out of this chaos of data. What is Big Data and how has it impacted our notion of privacy? What are the implications of Big Data on anonymity and should the average citizen be worried about “Little Sister”? “There’s no such thing as a free app,” joked Estonian president Toomas Hendrik Ilves, addressing the UK House of Commons in May this year. He said that citizens are often worried about “Big Brother”, but perhaps what they should be concerned about is
Technically, this has been resolved by substituting large and expensive servers with groups or clusters of servers by means of virtualization technology. These server clusters operate within a unified data processing framework that allows them to function similarly to Google’s search. The system maps large datasets across multiple servers, creating a summary of the data and aggregating it into a reduced stage. You could say that it generates a “table of contents” for an otherwise chaotic set of data. »4«
The Newsletter of the Estonian ICT Demo Center / september / 2013
What does Big Data say about you? In these days of computerized living, Big Data is everywhere. For example, it is created in retail organizations, logistics companies, healthcare systems, social media, and also the Internet of Things, i.e. networked devices that connect to each other without human intervention. According to Princeton University computer scientist Arving Narayanan, what modern science is finding is that nearly any type of data can be used to identify the person who created it, much like a fingerprint. The food items you shop for in your local store, the photos you upload to Flickr or Facebook, the location signals emitted by your cell phone – they all contribute to your digital profile. “The more data there is, the less we can say it is private, since the richness of the data makes pinpointing people ‘algorithmically possible’,” says Narayanan, talking to MIT Technology Review. Why should I be worried? A lot of people shrug off the implications of surrendering their privacy to Big Data. If I’m a law-abiding citizen, why should I care about anonymity? I don’t have anything to hide. However, anonymity can be a valuable asset in many situations. For one, it can help to overcome agism, racism, sexism and other -isms in an online environment, thus contributing to free speech and the right to one’s opinion. Also, we could say that anonymity has made events such as the Arab Spring possible. Although one can argue about the major role of social media in the protests, it definitely played an important part in providing the rebelling citizens with the means of communication that are available in democracies.
» e-estonia.com
Positive outcomes of Big Data In terms of privacy, we are indeed entering uncharted waters. On the other hand, this does not mean that Big Data is a threat – much to the opposite, it also creates wonderful opportunities. In the public sector, Big Data could help governments to prepare for civil unrest or pandemics. In the health sector, there are huge savings to be made if Big Data were to be utilized properly. And, up to a point, personalized services are the dream of every consumer. In the words of Richard Benjamins, Director of Business Intelligence at Telefonica Digital, which he stated at the European Data Forum (EDF) in Dublin this year: “We need people in the world to say – please use my data to improve my life. It’s a matter of trust. You need a trusted player to whom people are happy to give their data. And then a lot of innovation can happen.”
Turning Around the 2007 Cyber Attack: Lessons from Estonia
What is there to know about me? Interestingly, Big Data may be creating a situation where data owners know more about you than you do. In his interview to Postimees, President Ilves refers to the book “Big Data: A Revolution That Will Transform How We Live, Work, and Think”, written by Viktor Mayer-Schönberger and Kenneth Cukier. “They had one story of a company which has searched out products purchased by women during pregnancy. They received a phone call from an enraged father: why have you sent ads to my 16-year-old daughter? The company thought they would need to apologize. Sorry it happened, the profile must not have been to the point. The next day, it was the father’s turn to be humble. He had just talked with the daughter, who – lo and behold – was pregnant indeed.” It is clear that people who are using Facebook or other social networks are giving up on part of their privacy, even with their privacy settings turned all the way up. Are they risking a violation of privacy or creating a valuable service opportunity?
Estonia’s experience in handling the cyber attacks of 2007 has positioned the country as a thought leader in cyber security. This article outlines the major lessons learned from these serious instances of ultra-modern warfare, as told by Lauri Almann, the Permanent Undersecretary of the Ministry of Defence at the time of the attacks. A cyber attack against a country seems like something out of a science fiction movie. However, a perfect storm of political controversy and successful psychological warfare turned this into a reality »5«
» e-estonia.com
The Newsletter of the Estonian ICT Demo Center / september / 2013
in Estonia, when in 2007 the relocation of a Soviet World War II memorial started an unprecedented unrest in the country’s capital that has later been labelled the Bronze Night (Wikipedia). A group of high state officials, including several ministers and police chiefs, had been watching the events unfold in a secure location near the centre of Tallinn. “It was on the second day of the unrest and the riots had begun to settle when the government’s press officer Martin Jasˇko suddenly stepped into the situation room to report that he was unable to upload press releases to the government’s web portal. We were about to dismiss it as a trivial hiccup,” recalls Lauri Almann. In fact, the cyber attack had begun, with the first targets being different government web pages, as well as the homepage of the Reform Party that led the coalition at the time. Lesson 1: Have The Mental Readiness To Accept The Possibility Of A Cyber Attack “Estonia was extremely lucky,” says Almann. Namely, not long ago the Estonian intelligence services had briefed the government on the possibility of cyber attacks. This had been in the context of risks related to electronic voting. However, this provided the mental readiness that was necessary to recognize the possibility of being under attack. “The fact that all the leaders were aware of the reality of such attacks saved us a lot of time that otherwise could have been spent on turning around existing convictions about cyber warfare,” Almann argues. Lesson 2: Cooperate With The Private Sector & Think Outside The Box While the attacks on government portals were of a symbolic meaning rather than attempts to hurt the normal functioning of the state, the next phase was still to come. With major online news portals beginning to get hit by the attack, the threat became more evident. However, the gravest moment arrived when Swedbank, Estonia’s leading bank, suddenly became the target. “Targeting an important financial institution had real potential for creating widespread civil unrest. With people unable to get to their bank accounts, the ensuing bank run could have brought the country to its knees and created the havoc that the attackers wished for,” explains Almann. It would have been quite difficult to tie the attacks together and tackle them as one, would it not have been for the cooperation agreement that the state had recently signed with some of the biggest private sector enterprises in Estonia. (The agreement was initiated by the current director of the Estonian Information System's Authority Jaan Priisalu, who was chief of Swedbank’s IT security at the time.)
The attack was eventually mitigated by disabling the top domain for Estonia (.ee) temporarily. “It was effectively an Internet kill switch for the country, so nothing that a private sector company would have been able to do on their own,” says Almann, who believes that the cooperation between the public and private sector helped to defy the attack in a matter of hours, not in days or even weeks. Lesson 3: Be Public About The Issues According to Almann, there were moments during the process of handling the attacks when things could have taken a different turn. Going public with the attacks turned out to be the right thing for Estonia in a number of ways. Firstly, it saved the government from having to come up with mock explanations about what was going on and allowed it to be more efficient in mitigating the attacks. Secondly, it became the foundation of Estonia’s e-service boom by creating the basis of trust that is necessary between the state and its citizens. Thirdly, while it seemed to be a severe blow to the country’s reputation as an e-tiger, it actually launched a new episode in Estonia’s success story by positioning the country as a thought leader in cyber security. Today, Estonia is home to the NATO Cooperative Cyber Defence Centre of Excellence, as well as the EU Agency for large-scale IT systems. “The reason why we are being heard today on the matters of cyber security is that we decided to be open and public about our own matters,” believes Almann. In today’s world where little remains secret, this looks like the only way forward.
Who is afraid of the digital signature? Interview with Tarvi Martens
Estonia must not be ashamed of its digital signature, as every second citizen actively signs documents electronically and the nation saves a paper mountain as high as the Eiffel Tower in just two months. Tarvi Martens, development director of Estonia’s Certification Centre and one of the founders of the 13-year-old system, is now consulting cross-border digital signature issues and new regulations in the EU. He also has not given up his IT skills – on the day »6«
The Newsletter of the Estonian ICT Demo Center / september / 2013
» e-estonia.com
Why has Estonia succeeded in implementing the digital signature? The most important factor is that we gave tools to people, as well as to developers, for handling digital signatures – free of charge. Secondly, there was a common understanding of a definition of a digital signature and there was just one single service provider. It is not that simple a thing to accomplish because there could be numerous different software programs on the market making digital signing available. We did not have to deal with the banking sector using one solution and the public sector another. If different software programs are used, these cannot be compatible with each other. I think that incompatibility of different programs and file formats is the largest problem at the European level.
we spoke to him, he had just finished a new standard for Estonia’s digital signature, which will be internationally compatible. The meaning of “digital signature” is unclear. How would you define it in Estonia? Outside Europe, I have heard that a digital signature is defined as a scanned document or just an electronic signature on someone’s iPad. In Europe, there is a directive that defines the meaning of the electronic signature, however it is not exactly the same as in the Estonian law. In Europe, softer signatures are allowed, and this has caused quite some confusion. For example, an electronic signature can be given by entering your PIN code at a shop. Estonia, however, has kept a strong position from the very beginning – we have not allowed any of these soft signatures in our legislation, and the digital signature is based on the digital certificate. Proof that the certificate was valid at the time of signing is also a requirement. That is why there has been no confusion here about the essence of the digital signature: everybody knows that a digital signature can be used even in the courts. The (in)security of a digital signature has, however, been a hot issue in the media. How secure would you consider it? It is not possible to measure security, but you can measure insecurity – for example what has gone wrong or how many attacks there have been. During our 10-year practice, there has not been a single serious fraud case that we know of. Digital security depends mostly on its users – how they take care of their cards and PIN codes. People in Estonia realize that giving a digital signature can lead to legal consequences, and that makes them more careful. True, there have been smaller holes in the system, but nothing catastrophic. To sum up, the security of the digital signature has a lot to do with educating people, which is a long-term process. It takes 6–7 years to change human habits, and you cannot get results the next day.
People in Europe have asked me, “How many applications does our digital signature have?” At first I did not understand the question. It turned out that the use of digital signatures abroad is usually application-specific. Some website would ask you a signing PIN at one moment, and voila you have created a signature inside the system. In Estonia, we have digitally-signed files, so you can sign anything. Even if you create a digital signature in the web environment, you will be able to download the signature file created for your personal verification and archives. Later I learned to ask them back, “How many applications does your country’s telefax system have?” Receiving and sending, of course. Likewise, we have 2 functions – signing and validation of signatures. What kind of prerequisites should a government create in order for the digital signature to be successful? For some reason, it is thought in Europe that the digital signature is a question of a free market, which I do not agree with. There are many cases in Europe where the ID card is given out with the authentication certificate (meaning that you can log in with it), but with no certificate for digital signature. The user is then advised to go and buy digital signature certificates separately. People are usually not willing to pay extra for this or are just lazy and do not bother to go. One needs a change in thinking here: when you issue an ID card, what is the point of giving out only one certificate when you could have two for the same price? This free market thinking leads to a dead end – people have no opportunity to make digital signatures, and that kills the need to build applications where digital signatures are used. So, if the government is the issuer of ID cards, it should also include the digital signature certificate and not leave it to the free market.
»7«
» e-estonia.com
The Newsletter of the Estonian ICT Demo Center / september / 2013
What are the critical factors from the legislative side? We should see the adoption of a new Regulation in Europe next year which will replace the Directive from 1999. This Regulation will cover a broad range of Digital Trust Services such as e-signatures, e-identity, time-stamping, digital archiving, etc. The Regulation will also narrow down relevant standards and formats of digital signatures, which is good for cross-border activities. One particular aspect, which needs a change today, is the integration of the level of supervision upon certificate issuers. For example, this supervision is quite tough in Estonia, with thorough auditing, but in Finland there is no direct requirement for a regular audit at all. So the new regulation will make these requirements equal for everyone, and the system itself will be more trustworthy.
EU country. Cross-border consumption is slowly increasing that need, though. So as there are not so many people who sign documents on an international scale, one possible scenario is that domestically one software is used and cross-border another. Luckily for the digital signature, the EU’s common market directive says that all documents can be signed electronically. After this was brought up, there has been more fruitful work done to make cross-border digital signatures happen. The next step would be to make different digital signature formats compatible with each other, and this work is almost being finished. Countries must also have single contact points, and that makes things easier and more trustable. So, my optimism on having a cross-European digital signature has certainly grown within the past few years.
How realistic is the birth of a cross-European digital signature? So far there has been no real need for that – cross-border digital signatures could make up about 1% of all transactions within an
3 Solutions from e-Estonia For Securing Your Online Presence We introduce 3 solutions to come out of Estonia – Guardtime, Signwise and SecureMAIL – that share the objective of making your steps in the cyber-world more secure and private. 1. Guardtime – real-time authentication for electronic data exchange Guardtime’s key technology is called Keyless Signature Infrastructure or KSI. The technology is aimed at organizations that deal with large-scale digital data and the challenges of securing the integrity of that data. Simply put, if you want to be sure (either for business or regulatory reasons) that the data is not tampered with, you need a method to “stamp” it. How does it work: Guardtime generates an electronic stamp for the data called a signature. The signature acts like a lie detector, helping you to verify when and by whom a piece of data was created and if it has been changed. The revolutionary part is that instead of relying on humans to verify the data, it can
be done automatically, by means based on mathematics. This eliminates the unreliable part of the equation – the human. Who are the users of Guardtime: Typically, Guartime partners with distributors in different jurisdictions. These can be telecommunications companies or cloud infrastructure providers. However, Guardtime also has solutions for private individuals who need proof of authenticity for PDF content or want to sign their WordPress blog posts to establish ownership and time. Guardtime’s website: www.guardtime.com
»8«
» e-estonia.com
The Newsletter of the Estonian ICT Demo Center / september / 2013
2. Signwise - a simple, secure and legally binding e-signing solution Scanning signed documents into PDFs and e-mailing them is a procedure that should belong in the past. In Estonia, digital signatures are a common practice, however it can be complicated if you have parties without an Estonian ID, as is the case for multi-national companies. Signwise sets its sight on resolving this problem and bringing the ease of digital signatures to the world, enabling you to sign a contract online in minutes.
3. SecureMAIL – a new level in e-mail security SecureMAIL is a solution by the Estonian company BHC Laboratory that helps to keep your sensitive email correspondence authentic and confidential between you and your recipient. It challenges current e-mail encryption providers by being inexpensive and not interfering with the user experience. The creators of SecureMAIL imagine a future where encrypted e-mail is the standard and regular e-mail is referred to as “insecure” or “public” e-mail.
How does it work: Signwise works with government-issued smart cards or IDs, which contain electronic certificates confirming the identity of the signer and proving the authenticity of the electronic signature. After identifying yourself with your ID, the software transports your desired files or documents to the recipient, also identifiable with an ID, via secure channels so that it does not even travel through the open internet. This means that you can be totally sure who the document came from and also that no one else was able to view it. The founder of Signwise, Tiit Anmann, says that the software is meant to work regardless of operating system or browser.
How does it work: SecureMAIL provides users with a personal hardware security token that is instantly available for secure e-mail communication. The solution is compatible with all email programs. In the background, a token management system (TMS) operates with an integrated public key infrastructure (PKI), owned and controlled by the customer. Running the system does not require specific IT knowledge nor help from an IT professional. TMS deployment is made easy for the customer. It can be run from a server, a workstation or a laptop.
Who are the users of Signwise: Currently the company targets its services at organizations that have a lot of paperwork to be signed with their customers (e.g. banks). However, it is also being used in the public sector. The service is free for private individuals. Signwise’s website: www.signwise.me
Who are the users of SecureMAIL: Obviously, the investment makes sense for organizations that give high value to confidentiality – be it cutting-edge innovators or legal advisors. However, the user experience is where SecureMAIL most challenges existing e-mail encryption solutions that alter the user’s workflow and tempt the users to bypass the solution. SecureMAIL’s website: www.bhclab.com/en/services/col3/securemail
»9«