ID systems analysed: e-Estonia | Privacy International
Our third research piece on some of the world’s most used foundational ID systems looks into e-Estonia. This analysis is part of PI’s wider research into the tech behind ID systems around the world. Click here to learn more.

ID systems analysed: e-Estonia

Our third research piece on some of the world’s most used foundational ID systems looks into e-Estonia. This analysis is part of PI’s wider research into the tech behind ID systems around the world. Click here to learn more.
Case Study
Post date
12th January 2022
Id card dummy
Overview

Estonia is widely considered one of the most digitally advanced countries in the world. Its e-ID is the gateway through which e-citizens are able to access most public services. Estonia’s e-ID is both designed and operated by a collection of private companies, and overseen by the Police and Border Guard agency.
X-Road® (implemented in Estonia as X-tee) is the free and open-source data exchange layer which provides a standardised method for transferring information between the data systems of private and public sector organisations. X-Road has recently been made available on GitHub under the MIT License, one of the most permissive Free and Open Source Software (FOSS) licenses available.
The data held by the Estonian government is decentralised and duplicated through the use of data embassies. These are essentially data centres that, despite sitting outside Estonia’s borders, remain fully under Estonia’s control and have the same rights as physical embassies such as immunity.
The X-tee pilot project was initiated in 2000 from the budget of the Ministry of Transport and Communications, Ministry of the Interior and the Government Office and co-ordinated by the state information system department (RISO) of the Ministry of Economic Affairs.
A two-stage public procurement was organised in April and May 2001 and it was won by Estonian IT company AS Assert. Several Estonian companies were then sub-contracted to develop different components of the project:

AS Cybernetica – architecture, protocols and security solutions;
AS Andmevara – test queries to the population register, Estonian Registry of Buildings;
Reaalsüsteemide AS – test queries to Commercial Register;
AS Datel – test queries to electronic Land Register;
Estonian commercial banks - authentication of users.

Gemalto (now part of Thales Group) was contracted to manufacture the physical ID cards used to authenticate against e-Estonia citizen services, and was later ordered to pay €2.2 million to the Police and Border Guard Board in compensation over security vulnerabilities in the manufactured cards. Since 2019, Oberthur Technologies has been in charge of manufacturing ID cards and maintaining their functionality.
Infrastructure makeup

In designing their identity system, Estonia harnessed widely-used technologies and applied them, in a novel way, to the state governance context. X-tee (Estonia’s version of X-Road) was the outcome of this application of existing technologies. This is one of the major reasons behind X-Road’s success; it is in fact a data-exchange layer modelled on tried and tested technologies, ambivalent to the authentication mechanism implemented.
Technically the X-Road ecosystem consists of Central Services, Security Servers, Information Systems, Time-Stamping Authority(ies) (TSAs), and Certificate Authorities (CAs):
X-Road architecture
X-Road architecture. Source: X-Road® — X-Road® Architecture

From X-Road’s documentation we can see that Central Services consist of a Central Server and Configuration Proxy. This Central Server contains the registry of X-Road members and their Security Servers as well as the security policy of the X-Road instance. This security policy includes a list of trusted certification authorities, a list of trusted time-stamping authorities, and configuration parameters. Both the member registry and the security policy are made available to the Security Servers via HTTP protocol. This distributed set of data forms the global configuration that Security Servers use for mediating the messages sent via X-Road.
A Security Server is the entry point to X-Road, and it is required for both producing and consuming services via X-Road. The Security Server mediates service calls and service responses between Information Systems and handles the security aspects of the X-Road infrastructure such as:

Managing keys for signing and authentication;
Sending messages over a secure channel;
Creating the proof value for messages with digital signatures;
Time-stamping and logging.

X-Road Security Architecture
X-Road Security Architecture. Source: X-Road® — Security

The Information System produces or consumes services via X-Road and is owned by an X-Road member. X-Road supports both REST and SOAP as communication methods, however X-Road does not provide automatic conversions between different types of messages and services. The Information System is capable of discovering registered X-Road members and their available services by using the X-Road metadata protocol.
All messages sent via X-Road are time-stamped and logged by the Security Server. The purpose of the time-stamping is to certify the existence of data items at a certain point in time. The Time-Stamping Authority (TSA) provides a time-stamping service that the Security Server uses for time-stamping all the incoming/outgoing requests/responses. Only trusted TSAs that are defined in the Central Server can be used.
The certification authority (CA) issues certificates to Security Servers (authentication certificates) and X-Road member organizations (signing certificates). Authentication certificates are used for securing the connection between two Security Servers. Signing certificates are used for digitally signing messages sent by X-Road members. Only certificates issued by trusted certification authorities defined in the Central Server can be used.
Encryption used

From X-Road’s publicly available documentation we can get a grasp of the encryption algorithms used within the different components of the platform. All the protocols mentioned in the documentation are widely used and well documented. In addition, X-Road has regular third-party security assessments, with a public bug bounty programme.
Estonia’s e-ID system, however, had fundamental implementation failures when in 2011 the government distributed 120,000 faulty ID cards that were found to have programming errors allowing the card to be used by whoever was physically holding it without the need of knowing the respective PIN code.
More worrying, and not limited to 120,000 faulty cards affected, is a core design feature regarding the way private encryption keys were generated and handled. The ID card’s private encryption key used to authenticate digital signatures should be generated inside the card chip to ensure only that card knows it - a good example of privacy by design. Instead, keys were generated in a server operated by the card manufacturer and copied to the card over the internet.
Another software bug was reported in which the same private key was copied to several different ID-cards, allowing cardholders that were assigned non-unique private keys to use one another’s identity.
These above bugs’ origins have been tracked down to Gemalto, the contractor tasked with manufacturing and maintaining functionality within Estonia’s ID cards. This resulted in Gemalto being ordered to pay €2.2 million compensation to the Police and Border Guard Board. Since 2019 another company called Oberthur Technologies has been in charge of manufacturing ID cards and maintaining their functionality.
De-duplication

Very little is publicly available about the deduplication undertaken in e-Estonia, except that the processes of verification and deduplication during identification are overseen by the Police and Border Guard Board (PBGB), according to the Identity Documents Act. Where the applicant for the digital ID has not previously been issued any ID under the Act, it is the PBGB that conducts the process of verification/deduplication. The Identity Documents Act also allows the Authority, who collects the personal data, to transfer it to third parties for the “identification and verification of facts relevant to the issue” and for the “issue and revocation of an identity document.”
The use of biometrics when registering is optional, but there are talks of turning to fingerprints for authentication when using ID cards instead of PIN codes.
Principles of Engagement

Estonia’s e-governance principles were published as follows:
e-estonian engagement principles
Estonia’s e-governance principles. Source: https://e-estonia.com/wp-content/uploads/eas-eestonia-vihik-a5-180404-view.pdf
Where

The story of the Nordic Institute for Interoperability Solutions (NIIS) is one of two European countries that throughout history joint forces to collaborate and face challenges together. In 2013, the challenge to overcome was data sharing in and between national governments. Estonia and Finland decided to find mutually beneficial solutions together. The framework for the collaboration was set up in 2017 and called the Nordic Institute for Interoperability Solutions, using X-Road as its underlying technology. Iceland joined NIIS on 1st June 2021 and became the third member government in the international consortium after initial founders Estonia and Finland.
NIIS partners are countries which implemented X-Road and have signed a partnership agreement with the NIIS aiming to deepen their cooperation, meaning they can one day may become members.
The remaining countries where X-Road is implemented have deployed the technology while not being tied to NIIS.
X-Road usage map
Implementation is based on the X-Road® open-source software and has full protocol-level compatibility with the official X-Road core. Both public and private implementations are included. Source: X-Road® — X-Road World Map

ID-card - e-Estonia

e-Identity

Estonia’s e-ID: The Cornerstone of a Seamless Digital Society

Every Estonian, no matter where they live, has a state-issued digital identity—known as e-ID. In use for over 20 years, the e-ID is a cornerstone of Estonia’s e-state, enabling secure digital transactions in both the public and private sectors.

People use their e-ID daily to:

• Vote online

• Sign documents digitally

• Access healthcare records

• Manage banking and business

• Shop securely and more

Multiple formats, one secure identity

The e-ID ecosystem includes:

• ID-card (chip-based)

• Mobile-ID (SIM-based for smartphones)

• Smart-ID (app-based authentication)

Each option offers strong security and legal validity for digital interactions.

Digital inclusion beyond borders: e-Residency

Since 2014, Estonia offers e-Residency—a unique program allowing non-residents to access Estonian e-services and build borderless businesses. Over 100,000 e-residents now benefit from Estonia’s trusted digital ecosystem.

Saving time, enhancing trust

Thanks to digital signatures, each Estonian saves an average of five working days annually. These tools make public administration faster and reduce bureaucracy—without sacrificing trust or transparency.

Shaping Europe’s digital future

Estonia has actively shaped the EU eIDAS regulation, ensuring cross-border recognition of electronic identities and signatures. As part of eIDAS 2, Estonia champions identity wallets—secure mobile apps for identification, signing, and document storage.

Pushing boundaries: Identity wallet & split-key technology

Estonia is exploring next-generation identity wallets and split-key technology, offering a more secure alternative to traditional mobile systems—especially where European certification is required.

These innovations make digital identity:

• More mobile

• More secure

• Easier to use—without compromising on privacy

Driving European interoperability

Through initiatives like POTENTIAL, Estonia is helping develop interoperable digital driver’s licenses and other identity solutions across the EU, fostering both legal alignment and technical progress.

Conclusion

Estonia’s e-ID system isn’t just a technical solution—it’s a visionary model for digital governance. By fully integrating e-identity into daily life, Estonia has created a secure, efficient, and inclusive digital society that sets the global standard.

ID-card

Estonia has by far the most highly-developed national ID-card system in the world. Much more than just a legal photo ID, the mandatory national card also provides digital access to all of Estonia’s secure e-services.

The chip on the card carries embedded files, and using 384-bit ECC public key encryption, it can be used as definitive proof of ID in an electronic environment.

for digital signatures
for i-Voting
to check medical records, submit tax claims, etc.
to use e-Prescriptions

To learn more about the ID-card, visit its webpage.

Here are some examples of how it is regularly used in Estonia:

as a legal travel ID for Estonian citizens travelling within the EU
as a national health insurance card
as proof of identification when logging into bank accounts
for digital signatures
for i-Voting
to check medical records, submit tax claims, etc.
to use the e-Prescription service

Developers of e-Identity:

eID, Mobile-ID, Smart-ID, time-stamping by SK ID Solutions
SplitKey by Cybernetica
Digital Identity by RaulWalter
eID Remote Maintainance by RaulWalter
Online verification by Veriff  
m-Residency by B.Est Solution

99% of Estonian residents have ID card
800M Digital signatures given so far
5 Days per year saved with digital signature

Secure data sharing - e-Estonia
Cyber security

As one of the world’s most advanced digital societies, Estonia knows that digital innovation must go hand-in-hand with strong cybersecurity. After facing coordinated cyberattacks in 2007, Estonia turned crisis into capability—becoming a global leader in cyber resilience.

Today, Estonia hosts the NATO Cooperative Cyber Defence Centre of Excellence and the European Union Agency for large-scale IT systems, reflecting its status as a trusted partner in international cybersecurity.

To secure its digital infrastructure, Estonia developed a blockchain-based technology to protect critical data in government systems from internal and external threats. This scalable and tamper-proof solution ensures the integrity of national data across services—from healthcare to justice.

Secure data sharing

It is often said that “data is the new oil” that fuels e-government services and private sector solutions alike. But there is more than meets the eye!

To stay with the oil analogy, you need infrastructure and transport vehicles to distribute the valuable resource around the world. And it’s the same for data: without a proper legal framework and the right technology for secure data sharing, the various ministries and government authorities would simply sit on the data that they amassed in their own “silos”.

For that reason, many Estonian companies have specialised in secure data sharing, whether it’s about the base infrastructure for encrypted data exchange between public sector organisations or privacy mechanisms that enable patients to decide what kind of medical data they want to share with their doctors.
Developers of secure data sharing:

Government Cloud by Proud Engineers
Sharemind by Cybernetica
MIDA by Guardtime.

Estonian e-Health Records

School management systems - e-Estonia

X-Road - e-Estonia

e-Services & registries - e-Estonia

Smart freight transportation - e-Estonia

e-Tax - e-Estonia

My Age Verification Solution Proposal

Solution:

Develop an open-source hardware token (similar to a YubiKey) for age verification that does not store any personal information just contains a key to confirm over 18. To keep anonymity as no personal information is ever exchanged during the device verification. Newly purchased online connected devices are locked until activated via age verification with said key (once the device is verified, The key will not ever need to be used on that device again. Unless factory resetting). So, once activated the device can always be used online or offline. Factory resetting will then lock the phone again. For age verification setup again.

• Mitigating Tracking via Serial Number: Serial number checks use anonymized, rotating identifiers to minimize tracking risks. With somehow including Zero-Knowledge Proofs or some similar privacy respecting technology.

• Global Scalability: Collaborate with international privacy organizations to create a framework for cross-border compliance, reducing resistance from global platforms.

• Organizational Use (Schools, Libraries, etc.): Organizations will have a separate key that will be based off how many devices the organizations got. The key will stop functioning once the number of devices have been verified. (Still can be reported lost or stolen) All done on device, pretty much like a self-destruct feature. In a library, there will be sections and verification for which computers can be used. A Child section, a Teen section, and an Adult section.

• Advocate to bake in the legislation that Congress or any government body—local or federal (executive included)—and corporations shall not infringe on the right of individuals 18 and up to view/access all content available on the web. Protections need to be in place to protect anonymity and access to anonymous tools (TOR, etc.). Nor shall any tracking, fingerprinting, or any other type thereof be allowed or able to be put in place on all Americans who participate in online age verification.

• Independent Audits: Monthly audits by trusted privacy organizations (e.g., EFF, Proton) to ensure no government overreach and verify system security.

• Public Accountability: Audits are funded by taxpayer money, with reports published online, including clear remediation plans for any issues.

• Pilot Program: A voluntary pilot in select states (e.g., Utah, Louisiana) tests feasibility, gathers feedback, and builds public trust. Before full implementation.

In-Person Verification: Users visit a local government office (e.g., DMV, post office) to verify age using legal documents (e.g., driver’s license, passport).

Accessibility Measures: Partnerships with community centers ensure access for those without transportation.

Duration and Use: The key is valid for one year with unlimited uses.

Loss/Theft Protection: A phone number on the key allows reporting for immediate deactivation via its unique serial number.

Privacy-Focused: The key stores a passkey that only confirms adult status (18+), containing no personal information.

Single Purpose: The key’s sole function is age verification; no additional features can be added to prevent misuse.

Open-Source Standard: Hardware and software are fully open-source for transparency and community auditing.

An adult uses the key to set up their device or a child’s device, requiring an internet connection for server validation of the serial number (routed through the Tor network for anonymity).

Upon validation, the adult selects a profile:

• Child (below 13): Fully restrictive, blocking unapproved apps/websites and enabling permanent safe search.

• Teen (13–17): Moderately restrictive, allowing limited app/website access with permanent safe search.

• Adult (18+): Unrestricted access.

Profile Security: For Child or Teen profiles, the adult sets a factory reset PIN or password (Separate from the unlock PIN). Changing profiles (e.g., from Child to Adult) requires a factory reset, preventing unauthorized changes even if the key is found.

Website/App Compliance: The device will detect the device profile and send an allowed/unallowed signal to block downloads or access and enforce safe search for Child/Teen profiles. That web sites and app stores must follow.

Tor-Specific Devices: For privacy-focused systems like Tails OS, access requires adult verification via the key.

Pros:

• Preserves user anonymity by avoiding personal data storage.

• No apps, devices, or corporations access personal information.

• Simple to obtain and set up.

• Open-source design ensures transparency and community trust.

• Unified verification method is easy to understand and implement.

Cons:

• Trust Concerns: Some users may distrust government-issued keys.

• Tracking Risk: Serial number checks could potentially enable device tracking.

• Accessibility Barriers: In-person verification may be challenging for those without transportation (mitigated by mobile units and digital IDs).

• Global Compliance: Websites and app stores may resist adopting the standard.