eGovernment in Estonia: Best Practices

Ahto Kalja (1), Aleksander Reitsakas (2), Niilo Saard (2)
(1) Inst. of Cybernetics at Tallinn Univ. of Technology, Tallinn, Estonia
(2) Cell Network Ltd., Tallinn, Estonia

Abstract—eGovernment in Estonia got started by developing a functional architecture that includes the secure data transport backbone X-Road, distributed software systems and different hardware components such as portals, elements of public key infrastructure (PKI), governmental databases and information systems. This is the very basis of the hundreds of services that have been created to date. The recent success with eGovernment services and the common architecture of eGovernment are described below.

I. INTRODUCTION

eGovernment in Estonia gives state and local government agencies at all levels the opportunity to offer citizens and businesses higher-quality services faster. People expect eGovernment services to be quick and efficient, which makes providing such public services quite a big challenge. At the beginning of 2001, the Estonian government together with private companies started to develop an Information and Communication Technology (ICT) framework in order to create a common system for eGovernment services. A truly new environment of service management and service delivery was developed. The environment architecture was built on separated customer-centered front and back offices and on seamless connections between organizations.

II. THE GENERAL ARCHITECTURE OF EGOVERNMENT ENVIRONMENT IN ESTONIA

The architecture of eGovernment was developed in the framework of the X-Road project. The X-Road project was initially launched to interconnect Estonian governmental databases into a common data resource accessible over the Internet [1]. After the successful start of sending database queries and answers over the Internet, the X-Road environment was expanded to send all kinds of XML-format electronic documents securely over the Internet.
At the same time the X-Road started to become the skeleton of all the eGovernment services. The general architecture of eGovernment is described in Fig. 1. The main backbone of the eGovernment environment is the X-Road network of distributed and central servers. The eGovernment project itself started in parallel with the X-Road infrastructure project, and the ID-card and PKI projects started in parallel with the development of some back office information systems. Of course, there was a set of information systems that had already been developed before.

The essence of the eGovernment is that different information systems communicate with each other via security servers (SS), which are built as a special type of firewall that stores all the messages (queries, services) in logs. This means that even after a long period of time it is still possible to reconstruct past situations: who used a service and when, and what kind of decision was made. In our eGovernment environment, the information systems can both provide and consume services.

Estonian commercial banks (more precisely Hansabank, Estonian Union Bank, Sampo Bank, Credit Bank and Nordea Bank) play three different roles in our eGovernment schema. First, they provide portals (connected to the eGovernment environment) with the authentication service for citizens. This is because not all Estonian citizens possess an ID-card yet, but more than half of the population already has contracts with commercial banks for using Internet bank facilities. The banks' authentication is considered as trustworthy as that of the ID-card and is valid for using eGovernment services. Second, some of the services are priced and therefore we have developed a solution for paying for them. First the citizen transfers the money to the bank, and right after the money transfer the eService starts automatically.
Third, the banks themselves are consumers of data and eServices and use our environment just like any other information system.

In the schema (see Fig. 1), every information system is connected to the X-Road security servers via adapter servers (AS). Adapter servers are converters that translate X-Road XML-format messages into a database query language (mainly SQL) and query answers back into XML. The data transfer protocol that we use today is SOAP. At the same time we use the older XML RPC protocol as well.

The X-Road center is actually the heart of the eGovernment environment because all the central servers (central monitoring server, certification server etc.) of the whole network are connected and located in the X-Road center. In addition, the center has special staff for managing eGovernment hardware, software, Internet connections, agreements etc. The management group organizes courses and seminars, coordinates activities with the European Union etc.

A new central register of databases was added to the X-Road center at the beginning of 2005. On one hand, this register includes the description of all Estonian public sector registers and databases. On the other hand, the register collects all the descriptions of eServices in the WSDL (Web Service Description Language) format, which makes it possible to develop automatic tools that use the library of eServices to generate new services automatically on the basis of the collected service descriptions. This is our new possibility of doing research and development projects in the near future.

CA (Certification Agency) is responsible for the ID-card, digital signature and other PKI infrastructure elements in Estonia. We will discuss the ID-card facilities below.

The direct communication between citizens and the eGovernment environment works over a set of communication portals. We have decided to work via the following portals: Citizens Portal, Entrepreneurs' Portal and Civil Servants Portal. The Citizens Portal (KIT) was developed two years ago and has been the main channel to mediate eGovernment services between a citizen and the government (www.eesti.ee). We started this portal two years ago with services from Estonian databases. By Estonian law every Estonian citizen has the right to know what kind of data the government has collected on the citizen. At the beginning of 2005 we started to develop the first services for the Entrepreneurs Portal (EIT). The most popular of these first services at the moment is the “Application for alcohol selling license”. At the moment, the Civil Servants Portal (AIT) is implemented as a Mini Info System Portal (MISP), which is used locally in nearly 70 different central and local government offices. All the portals are organized as information portals, which can be used as users’ manuals and service portals for eGovernment services.

[Fig. 1. eGovernment architecture in Estonia. Diagram labels: X-Road centre (central servers I and II, monitoring, helpdesk, CA of X-Road, central register of DBs); banks (authentication, payment, services); information systems connected through adapter servers (AS) and security servers (SS) to the Internet; ID-card certification agency; KIT, EIT and AIT portals.]

III. RESULTS OF ESTONIAN EGOVERNMENT PROJECTS

During the last 3-4 years we have finished different IT projects for implementing the eGovernment architecture in the public sector of Estonia. As the result of these projects, the following service portals, environments and frameworks are now available in Estonia:
a) A special citizens web portal with db-services. The portal won the award “Finalist with Honourable Mentions” of the eEurope awards for eGovernment 2003 [2], [3]. The portal's eServices will be added step by step to the KIT portal in the near future;
b) A framework of facilities for using the Estonian ID-card (over 50% of the Estonian population already has an electronic ID-card) with PKI technology for identification, authorization and digital signature operations;
c) Citizens, civil servants and entrepreneurs web portals with almost 500 different eServices from different Estonian central and local governments.

We will describe some of these environments and projects more precisely in the next chapters of this overview.

IV. SPECIAL CITIZENS WEB PORTAL WITH DB-SERVICES

All services available through the citizen's portal have a common user interface, which does not depend on the database management system of the back office. We have used here the results of different theoretical works from different countries [4], [5], [6]. A standard authentication system for all citizens has been developed as well. The set of standard services available includes typical queries, such as:
a) "give me my data" from the population register;
b) "give me my data" from the motor vehicles register.

As an additional option for organizations that have data security problems, a special standard Mini Info System Portal (MISP), which is very similar to the citizen's portal, has been developed. MISP was primarily designed as a working tool for civil servants, including one additional function – the authorization of users. One of the framework development plans was that the next version of X-Road should have a similar portal and provide a set of standard services for private companies as well.

A. Background

Similarly to other countries, the Estonian Parliament has passed a law on personal data protection (Personal Data Protection Act, enforced on 19.07.1996).
Paragraph 29 says that the chief processor or authorized processor is required to provide a data subject with information and the requested personal data, or state the reasons for refusal to provide data or information, within five working days after the date of receipt of an application. To implement this right in the ICT environment, a special citizen's web portal with standard DB-services has been developed. There are two possibilities for authentication of users:
a) Using Estonian citizen ID-cards or
b) The authentication service of Estonian commercial banks.

Today over 50% (714,000 people) of the Estonian population (1.4 million) have an ID-card and over 50% have Internet service agreements with commercial banks and special authentication (PIN-code) cards.

B. Objectives

The specific objective of the project was to guarantee a web-based service for the citizens (and government servants) to access nearly one hundred governmental databases and registers, which have been registered in the Center of Registers by the Estonian Informatics Center. Approximately ten of them are large registers and have thousands of local interactions per day. The processors of the large registers started to develop web services for citizens, but the results of these first projects were very different. Every similar service had a different user interface, different forms of agreement between the database user and the processor, different authentication services, etc. All these problems encouraged the project leaders to develop a new general solution.

In the context of the European Community, the first objective was to implement the free movement of information across national borders, which guarantees the free movement of goods, people, etc. Access to this information is strictly implemented according to the Personal Data Protection Act and principles of data security. A good example is the possibility to link our services with the Schengen Information System, EUROCAR, etc.

C. Resources

The amount of financial resources used for this project is approximately one million euros. The project initiator was the State Information Systems Department of the Ministry of Economic Affairs and Communications in cooperation with the Estonian Informatics Center. Two private companies (Cell Network Ltd. as the main contractor and Cybernetica Ltd.) have developed the environment within two years and have used subcontract work from the following companies: Datel Ltd., Reaalsüsteemid Ltd., Andmevara Ltd., etc. The project realization schedule was planned in different steps and iterations.

The main idea of the project was its realization with open standards and with internationally accepted standard protocols. The project uses two network protocols, XML RPC (in the alpha version) and SOAP (in the final version). The digital documents and queries use the XML standard facilities; the monitoring system uses the SNMP protocol, etc.

The number of potential users depends on the take-up among Estonian inhabitants, who number 1.4 million. The number of interactions per day is not more than 125,000 yet. The testing of the central servers of the project showed that the servers enable 100 interactions per second and have the possible scalability of up to 1,000 interactions per second. The latter case is not probable in Estonia.

The environment uses the Estonian Public Key Infrastructure because the authentication service of the portal was developed so as to use the Estonian citizen ID-card for authentication. Every ID-card has the card owner's certificate. Every login to the portal checks the validity of the certificate.

From the security point of view the system is very well protected. In the sense of data security the functionality of X-Road is very carefully designed and developed. The security servers of databases and information systems, which are connected to the Internet, communicate over encrypted channels.
All users must pass authentication and authorization. It is not possible for a citizen to read the data of another citizen, or for a civil servant to read data that is not related to his/her everyday work.

D. Lessons learned

Lessons learned from our project are very different. Naturally, there are advantages and disadvantages.

1) Advantages
a) For the first time the databases are open to all citizens who are interested in knowing which of their personal data is in the databases. People have actually found a lot of errors in their data fields and have started to send information to the authorized processor. We believe that no such large data improvement could be carried out in any other way.
b) The project has a lot of examples where the number of interactions performed by civil servants has risen remarkably. For example, last year the Estonian police had over 20,000 interactions with the passport register, but after providing them with the standard service ("give the passport data of person x") the number of interactions has risen to 10,000 per week.
c) Another Estonian national ICT project, “the ID-card project”, which uses Public Key Infrastructure (PKI), has established a new and very intensively used e-service, which tests the cooperation with other PKI projects and services.
d) The project has developed very well protected data traffic over the Internet. This traffic has gathered a set of new users from other projects, for example document management projects (for different ministries), and projects which had planned to use database services (for different organizations and offices).
e) Our neighboring countries (Latvia and Lithuania) plan to elaborate the same services for citizens and civil servants. Different groups of developers in these countries have prepared the theoretical background for similar projects [7], [8]. Similar developments have been initiated in many countries.
According to our information, we are forerunners in implementing these services.
f) The development and results of the project have called for necessary amendments in the legislation, which are in the process of being implemented now.

2) Disadvantages
a) Different stakeholders, for example the project team, the ministerial officials, and civil servants that need data from databases, have received negative feedback to the effect that sometimes chief processors are not fond of the new technology and mistrust the knowledge of outside specialists. They feel that they can judge for themselves when and where to use new technology and services.
b) The management system of the data resources does not work well in every situation, as every database has a chief processor and an authorized processor. Sometimes it is the case that the authorized processor manages the chief processor, and there exists a risk that the central developers of the X-Road have to cooperate with a chief processor who has not got the real development results from the authorized processor at all.
c) Projects that call for the modernization of legislation should initiate technological development activities and legislation improvement at the same time. In our case we were already a bit late to amend the legislation.
d) Sometimes civil servants tend to use the introduction of a new software environment only as a pretext for obtaining the newest computers.

V. ESTONIAN ID CARD AND PKI INFRASTRUCTURE

The purpose of the Estonian ID-card project was to use nation-wide electronic identity and develop a new personal identification card that would be a generally acceptable identification document and contain both visually and electronically accessible information (see Fig. 2) [9]. On December 18, 2001 the parliament established the ID-card as a compulsory identity document, and the Estonian passport is thus only a travel document for traveling abroad.
On January 28, 2002 the first ID-cards were issued to Estonian citizens. Thus the project came to its logical end [10].

There have been different opinions and political debates over the ID-card. Perhaps the reason for the different opinions lies in the fact that many do not easily see the ID-card as a component of the public key infrastructure. It is primarily an application of the Digital Signatures Act and a common infrastructure established for that [9], [11]. There are many similar projects in other countries (Belgium, Finland, Italy etc.), but large-scale use of ID-card services can be found in Estonia as a pilot country [3], [12].

A. Common infrastructure

The Estonian ID-card project focused on the digital signature, which is equivalent to the ordinary signature on paper. At the same time the technologies and standards for creating digital signatures should be uniform in the whole country. The signature should identify a person directly, so that signatures are easy to verify without additional contracts being necessary. To achieve this aim the Identity Documents Act as well as the Digital Signatures Act was adjusted, which resulted in the following:
a) The certificate inserted in the ID-card includes the personal identification code, which makes it possible to identify the individual at once.
b) A certificate that makes it possible to sign documents according to the Digital Signatures Act is inserted in the ID-card chip.
c) Certificates inserted in the ID-card have no field-of-use restrictions and can therefore be applied in the public as well as the private sector, and also in any kind of mutual relations between individuals.

The primary purpose of the information on the ID-card chip is to allow the unambiguous digital identification of the individual and the creation of the digital signature. The certificate includes only minimum information about the individual: names and the personal identification code.
A firm decision was made initially not to add additional information to the ID-card, not to mention information that requires updating.

B. ID-card applications

The ID-card is generally suitable wherever a person needs to be authenticated or when documents have to be signed. This means that the ID-card has not been created only for a certain service or application.

Authentication with an ID-card functions securely, and it is convenient to use the card wherever user names, passwords, code cards etc. have so far been used, whether it be Internet banking services, internal applications of a company, intranets or public portals; in short, wherever identification is necessary. It is convenient mainly because, on one hand, the system administrators need not bother themselves with the administration of user names and passwords and, on the other hand, a person need not deal with multiple passwords and password cards. It is secure because a person can check whether his/her passwords (secret keys) are under control, that is, whether the ID-card is still in his/her possession. In case the card is lost its usability can be blocked with one phone call.

Applying the authentication function is quite easy: user account based access to information systems has to be transferred to a personal identification code based application (i.e. the personal identification code included in the certificate has to be connected to the user account). An application allowing ID-card based authentication in Windows computer workplaces has been completed as well.

The ID-card can also be used for signing and encrypting e-mails. Every authentication certificate includes the person’s e-mail address forename.surname_XXXX@eesti.ee (XXXX is the random four-digit number assigned to the person). The person can register his/her daily e-mail address in the mail server and respective mails will be forwarded to that address. This service is elaborated together with the KIT portal.

C. Signing applications

The main function of the ID-card is to allow digital signatures. In February 2003, a format description (ETSI TS 101 903) extending the XML-DSIG standard was adopted in Europe, and this provides a basis for common treatment of digital signatures. The file signed can be an XML file or any binary file (.TXT, .PDF, .RTF, etc.). It is possible to sign one file or several files simultaneously, there can be more than one signature, and the files can be stored together with the signatures or separately. It is also possible to add certificates and their validations, etc.

Additional information on the ID-card and its applications is available at http://www.id.ee (summary in English); information on applying for the ID-card is available at http://www.pass.ee (in Estonian, English and Russian) and on the technological infrastructure at http://www.sk.ee (in Estonian and English).

[Fig. 2. Main physical security elements of an Estonian ID-card]

VI. E-SERVICES

At the previous conference, PICMET’03, we introduced the software environment X-Road as an integration tool of government information systems [1]. An important aim of developing a new version of X-Road is to build up an environment for developing and managing eGovernment services [13]. The development of X-Road technology has step by step followed the general development trends in distributed software systems design. For data transport and for remote program calls we have introduced the SOAP protocol instead of (and in parallel to) the XML-RPC protocol. For developing and describing web services we have used WSDL, and for the description of database services the UDDI standard facilities [14].
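The following added example is not part of the original paper or of the X-Road code base. It sketches the adapter-server role described in Section II (XML query in, SQL against the register, XML answer out) for the "give me my data" service of Section IV, with the query bound to the authenticated caller and every outcome written to a message log. The message layout, service name, table layout and personal codes are constructed for illustration and are not the real X-Road formats.

```python
"""Adapter-server sketch: XML query -> fixed SQL -> XML answer (constructed example)."""
import sqlite3
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Service name -> fixed, parameterised SQL. Message content never becomes SQL text.
# Service, table and column names are assumptions made for this example.
SERVICES = {
    "population.my_data":
        "SELECT personal_code, forename, surname FROM population WHERE personal_code = ?",
}


def build_register():
    """In-memory stand-in for a register, filled with constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE population "
               "(personal_code TEXT PRIMARY KEY, forename TEXT, surname TEXT)")
    db.executemany("INSERT INTO population VALUES (?, ?, ?)",
                   [("00000000001", "Mari", "Tamm"), ("00000000002", "Jaan", "Kask")])
    return db


def _fault(reason):
    """Build a minimal XML fault message."""
    fault = ET.Element("fault")
    fault.text = reason
    return ET.tostring(fault, encoding="unicode")


def handle_query(db, log, caller_code, request_xml):
    """Answer one XML query for the authenticated caller and record the outcome.

    caller_code comes from the portal's authentication step (ID-card or bank),
    never from the message body. log is a list standing in for the message log
    that the security servers keep.
    """
    def finish(service, outcome, body):
        log.append({"time": datetime.now(timezone.utc).isoformat(),
                    "caller": caller_code, "service": service, "outcome": outcome})
        return body

    # Refuse DTDs outright so entity-expansion tricks never reach the parser.
    if "<!DOCTYPE" in request_xml:
        return finish(None, "rejected", _fault("dtd_not_allowed"))
    try:
        root = ET.fromstring(request_xml)
    except ET.ParseError:
        return finish(None, "rejected", _fault("malformed_xml"))

    service = root.get("service")
    subject = (root.findtext("subject") or "").strip()
    sql = SERVICES.get(service)
    if root.tag != "query" or sql is None:
        return finish(service, "rejected", _fault("unknown_service"))

    # "Give me my data": the data subject must be the authenticated caller.
    if subject != caller_code:
        return finish(service, "denied", _fault("not_your_data"))

    # The subject is passed as a bound parameter, so quotes in it stay data.
    row = db.execute(sql, (subject,)).fetchone()
    if row is None:
        return finish(service, "not_found", _fault("no_record"))

    answer = ET.Element("answer", service=service)
    for name, value in zip(("personal_code", "forename", "surname"), row):
        ET.SubElement(answer, name).text = value  # ElementTree escapes text on output
    return finish(service, "ok", ET.tostring(answer, encoding="unicode"))


if __name__ == "__main__":
    register, message_log = build_register(), []
    print(handle_query(register, message_log, "00000000001",
                       '<query service="population.my_data">'
                       '<subject>00000000001</subject></query>'))
    print(message_log[-1]["outcome"])
```
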
We have developed the next set of facilities for the information systems, which will be added to the X-Road environment:
a) Authentication (ID-card + 5 Internet bank services);
b) Authorization;
c) MISP (Mini Info System Portal) portal services;
d) Simple queries to Estonian national databases;
e) The facilities for developing complex business model queries (queries to different databases and registers);
f) The writing operation into databases;
g) The facility to send large amounts of data (over 10Mb) from database to database over the Internet;
h) Secure data exchange, logs storing;
i) Queries surveillance possibility;
j) The integration with the citizen portal for adding new services;
k) The integration with the entrepreneurs portal for adding new services;
l) Central and local monitoring;
m) The special database for storing services' WSDL descriptions.

Many recent services have been developed by combining functionality from the list above. The latest best practice in developing eGovernment services includes the eService “Parental benefit application”, the eService “Results of secondary school tests”, “Family benefits applications” etc.

VII. A NEW GENERATION ESERVICE “PARENTAL BENEFIT” IN INTERNET

A. The best eService on X-road – Parental benefit

The X-Road eService “Parental benefit” has won the Estonian Award 2004 for public administration eServices in Estonia. It was a good example of cooperation between public organizations. Let us try to analyze this service more deeply.

The service was finalized a week after the Estonian Parliament approved the special law on Parental benefit (before the Christmas holidays in 2003). In January 2004, the service was opened for civil servants of the Social Insurance Board, and at the beginning of February all Estonian citizens were able to use the service over the Internet. Of course, the people (a minority of young families in Estonia) who do not have access to the Internet could visit the Social Insurance Board, where a civil servant asked for the applicant's personal code and submitted the application over the Internet.

What is important here? It is the first time that not a single sheet of paper is used. All the different confirmations and certificates, together with the application itself, are generated automatically by the eService, which uses different databases and registers to collect the data about the applicant. The eService runs as distributed software in the applicant's personal computer, in the computers of the Social Insurance Board, in the computers of the X-Road environment and in different database servers (as back office for the solutions). This is a different approach compared to solutions where the computer is used for copying the precise paper-world business model activities into the virtual world (you can find such solutions in Estonia, in Germany etc. [15]).

The Parental benefit solution has different advantages both for citizens and for civil servants, and the functional schema of the Parental benefit eService is given in Fig. 3.

1) The first best practice for a citizen
a) Citizen can submit applications over the Internet;
b) Citizen does not have to give out data that the IS knows about the citizen; and therefore
c) Citizen does not have to fill in long application forms and run from door to door;
d) A good example of how the state has simplified the payment system.

2) The best practice for civil servant
a) Civil servant is free from revising mountains of paper documents (7);
b) Civil servant is free from inputting the data from paper documents;
c) Civil servant is free from checking data in different databases;
d) Civil servant can start the process by inputting only the personal code of the client.
e) There are no paper applications at all.

VIII. STATISTICS

Here are given the main statistics of using eServices over the eGovernment environment.
At the moment (January, 2005) we have the following clients:

Organizations:
• Number of agreements – ~338
Databases/Service providers:
• All service providers: 32
Security servers:
• Number of agreements for SS: 68
MISP servers:
• Number of agreements for MISPs: 40
Services:
• The number of services from all the X-Road service providers: ~500

The statistics of usage:
• During the year 2003, the total number of X-Road queries was 590 000.
• During the year 2004, the total number of X-Road services was 7 700 000.
• Average number of services per month in 2003 was 54 000.

Year 2004:
• November: 1 150 000
• December: ~1 000 000

The usage of eServices grows extremely fast. In January 2003 the number of services was 27 000, in January 2004 the number was 270 000 and in January 2005 we were not very far from the number 2 700 000.

IX. CONCLUSIONS

We are sure that our projects for eGovernment framework development and portals are making significant contributions to the process of moving towards the information society. Our environment represents Estonian and European best practice in the application and usage of new technologies in order to provide eServices to citizens, to civil servants and to entrepreneurs.

ACKNOWLEDGEMENT

This research is partly sponsored by the Estonian Science Foundation under grant nr. 5766.

REFERENCES

[1] Kalja, A., “System integration process of government information systems,” in Papers presented at PICMET'03 [CD-ROM], Portland, OR, PICMET, July 2003.
[2] http://www.e-europeawards.org
[3] Leitner, Christine (ed), “eGovernment in Europe: the state of affairs,” eGovernment 2003 Conference Como, ISBN 90-6779-182-2, Italy, 2003.
[4] Manolescu, I., D. Florescu, D. Kossmann, “Answering queries on heterogeneous data sources,” in Proc. VLDB’01, pp. 241-250, 2001.
[5] Vestenicky, V., “Successful database integration through view cooperation,” in Databases and Information Systems, eds.: J. Barzdins, A. Caplinskas, IOS Press, pp. 34-49, 2005.
[6] Özsu, M. T., P. Valduriez, “Principles of distributed database systems.” Alan Apt, New Jersey, 1999.
[7] Arnicans, G., G. Karnitis, “Semantics for managing systems in heterogeneous and distributed environment,” in Databases and Information systems II, eds.: H-M. Haav and A. Kalja, Kluwer Academic Publishers, The Netherlands, pp. 149-160, 2002.
[8] Caplinskas, A., A. Lupeikiene, O. Vasilecas, “Shared conceptualisation of business systems, information systems and supporting software,” in Databases and Information systems II, eds.: H-M. Haav and A. Kalja, Kluwer Academic Publishers, The Netherlands, pp. 109-120, 2002.
[9] Odrats, I. (ed), “Information technology in public administration of Estonia. Yearbook 2002.” Ministry of Economic Affairs and Communications, Department of State Information Systems, Estonian Informatics Center. ISBN 9985-819-10-1, Estonia, Tallinn, 2003.
[10] http://www.id.ee/file.php?id=122
[11] http://www.pass.ee/64.html
[12] http://www.belgium.be/eportal/index.jsp
[13] Kalja, A., K. Kindel, R. Kivi, “The service-oriented environment of government databases and information systems in Estonia,” in Baltic IT&T Review, 03(34), pp. 7-11, 2004.
[14] Odrats, I. (ed), “Information technology in public administration of Estonia. Yearbook 2003.” Ministry of Economic Affairs and Communications, Department of State Information Systems, Estonian Informatics Center. ISBN 9985-819-13-6, Estonia, Tallinn, 2004.
[15] https://www.elster.de/