GSMA-Mobile-Identity Estonia Case Study June-2013

8/11/2019 GSMA-Mobile-Identity Estonia Case Study June-2013

http://slidepdf.com/reader/full/gsma-mobile-identity-estonia-case-study-june-2013 1/20

Estonia’s Mobile-ID: Driving Today’se-Services Economy



2 Mobile Identity



3Estonia Mobile ID

Contents

I Executive Summary 4

Operator Profiles 5

II Estonia: A Digital Society 6

A. Digital Agenda 6

B. ID-cards and digital signature 6

C. Baltic & International cooperation 7

III Estonian Mobile-ID 9

A. Vision & principle 9

B. How it works 9C. Technical solution 10

IV Uptake and Scale 11

A. Rapidly changing consumer demand 11

B. Businesses increasingly turning to mobile 11

C. Early adoption and promotion by Banks 13

D. Public Sector recognition and promotion 14

E. Clarifying legislation 16

F. Wider availability of Mobile-ID 16

V Challenges 17

A. Awareness 17

B. Cost 18

C. Business model 18

VI Mobile-ID: A vision towards the future 19

Author: Alix Murphy



4 Mobile Identity

I Executive Summary

Estonia is swiftly gaining internationalrecognition as one of the most digitallyadvanced societies on the planet.Citizens in Estonia can access andconduct a broad range of services andtransactions either online or from theirmobile, including accessing privatehealth records, declaring taxes andsigning legal contracts. Estonia also boasts one of the world’s most advanceddigital signature systems, with over80,000 digital signatures made each day.99.6% of banking transactions in Estoniaare now done electronically and, in 2012,94% of people declared their incomeelectronically. In 2011, the country wasthe rst in the world to allow m-Votingin the national Parliamentary elections.3% of all votes were conductedvia mobile.1

Mobile-ID (Mobiil-ID) was launchedin 2007 as an extension of the digitalID scheme in which citizens can accessinformation and personal data, and

authenticate online transactions usingthe secure PKI infrastructure in theID-card. Currently, Mobile-ID can beused with over 300 organisations in boththe private and public sector, rangingfrom electronic banking to applyingfor a driver’s license, to entering oraccessing academic grades at universityto changing a pension plan, all throughthe electronic signature function of themobile which holds legal equivalence toa wet signature. According to e-Estonia.com, Mobile-ID users can legally registera new business in just 15 minutes.2

Contrary to what one may assume,uptake of Mobile-ID in Estonia has been very much private-sector driven.Currently, there are around 40,000Mobile-ID users in Estonia. Whileadoption of the service was initiallyslow during the rst few years sinceits launch, uptake of Mobile-ID has been increasing rapidly in recentmonths as consumers in Estonia are

increasingly demanding services whichcan be directly accessible via theirmobile device. As a result, there has been an explosion in the number of businesses rushing to meet this demand by directing more and more of theirservices through the mobile channel.As witnessed in many other countriesacross the world, these changingconsumer dynamics create a powerfulmarketplace in which mobile networkoperators can play a central role.

Policy makers around the worldhave come to Estonia hoping to learnfrom and replicate the open anddecentralised digital infrastructurewhich is making the country a toptarget location for private investment.This case study aims to showcase themany benets of Mobile-ID and theperspectives of both consumers and businesses across a range of sectors onthe role that mobile operators can playin this increasingly digital landscape.

1 Estonian Information Systems Authority, August 2011.2 http://e-estonia.com/components/mobile-id



5Estonia Mobile ID

EMT

EMT is Estonia’s largest operator and the largest mobile network provideroperating in the Baltics. The company was formed in 1991 as joint companybetween Estonian Eesti Telekom and TeliaSonera, a larger regional operatorwith subsidiary operators located in 16 countries across the continent andbeyond, including Denmark, Norway, Russia, Spain, Sweden, Turkey, andGeorgia. Today, the company hosts 875,000 mobile subscriptions in Estonia.(Q1, 2013, GSMA Wireless Intelligence)

Founded in the 1853, TeliaSonera is a pioneer of the telecom industry andis proud to be one of the early inventors of mobile communications andfounders of GSM. In May 2011, TeliaSonera united the company under

one common symbol and identity representing a total of 180 million totalsubscriptions (Q3, 2012, Operator’s own statistics).

“International strength combined with local excellence is what makes ustruly unique - and provides a world class customer experience, all theway from the Nordic countries to Nepal. This combination has broughtgroundbreaking 4G, a world class fbre network, and introduced 3G atMount Everest.”

Brief introduction to the operators:

Tele 2

Tele2 Estonia is a subsidiary of one of Europe’s largest telecommunicationsoperators, serving around 15 million customers in 10 countries and 510,000mobile subscriptions in Estonia. It serves as a fxed-line telephone operator,cable and Digital television provider, mobile phone operator and Internetservice provider. As Estonia’s third largest mobile operator, Tele 2 sees themarket as an opportunity for continued growth, particularly in smartphonerevenues; in 2012, the company experienced 10% growth in sales (Q1 2012,operator’s own statistics).

The company proudly states its ambitious goals of providing modern servicesto meet the widest possible range of customer needs, while continuallyadapting to meet the requirements of a rapidly changing telecommunicationsmarket. In 2012, Tele2 Estonia acquired Televörgu AS, an optical fbre operatorwith a network reaching across Estonia, which it hopes will provide essentialbackbone infrastructure for the company’s needs until 2025.

Tele2 operates in Austria, Croatia, Estonia, Germany, Kazakhstan, Latvia,Lithuania, the Netherlands, Norway and Sweden.

Elisa

Elisa Eesti is a fully-owned subsidiary of the Finnish telecommunicationsand ICT service group Elisa Oyj, hosting approximately 566,000 mobile

subscriptions in Estonia and serving 2.2 million customers in total(Q1, 2013, Operator’s own statistics). Elisa prides itself on being the fastestgrowing operator in the Estonian market, with an expanding consumer baseand revenues increasing by over 11.9% in 2012. The company also offersinternational services in partnership with Vodafone and Telenor.

With a vision statement that clearly defnes the company’s goal to extendits ICT services into a broader range of day-to-day consumer and businesstransactions, such as digital TV and broadband, home security, and enterpriseconferencing services, Elisa aims to position itself as “More than a networkand the brand of excellence”.



6 Mobile Identity

II Estonia: A Digital Society

A. Digital Agenda:

In the early ‘90s, as Estonia gainedindependence from the former SovietUnion, its leadership embarked on anambitious agenda for administrativereform, aiming to build a tech savvysociety that would be competitiveon the world stage. The Tiger LeapProject of 1996 prioritized InformationTechnology infrastructure, bringingcomputers and ITC training intoschools and businesses. As outlined

in the Information Society Strategy2006-2013,3 supporting the ICT uptakeand use of eBusiness by enterpriseshas formed a major componentto the national ICT infrastructuredevelopment plan.

Four principles were dened as theunderlying foundation for e-Estonia:4

1. Decentralization. Rather thanhousing a central database, everygovernment department, ministryor business in Estonia can choose

and develop its own system in itsown time.

2. Interconnectivity. Through a keytool named “X-Road”, all thedecentralized components of thesystem (including various databasesand registers in both the public andprivate sector) are linked togetherand can operate in harmonyregardless of what platform they use.

3. Open platform. Any institution canuse the public key infrastructure.

4. Open-ended process. As acontinuous project to keep growingand improving organically.

Underlying all of this, the eID is thenationally standardized system forverifying a person’s identity in anonline environment. Using a PKIinfrastructure, it allows access to allsecure e-services while maintaining thehighest level of security and trust.

By 2007, Estonia made internationalheadlines by becoming the rst nationin history to successfully defend itselfagainst a large-scale cyber attack,5 andTallinn is now the home of NATO’sCyber Defense Centre.

With over 10 years of experience tooffer, Estonia has provided a modelto over 40 countries around the worldin developing their own e-solutions.In February 2013, the UK CabinetOfce signed a memorandum of

understanding with the EstonianInformation System’s Authority (RIA)for the two countries to exchangeexperiences in creating user-friendlygovernmental e-services,6 and last yearRIA hosted a party of delegates fromBrazil’s National Congress to learnabout e-government.

“We had heard about Estonianoutstanding experience in e-governanceand decided to get a more detailedlook at it. Now, we are convinced thatmany of your e-governance projects

like x-road and mobile services can beimplemented not just in Estonia but alsoin much bigger Brazil. We are lookingforward to the cooperation between ourcountries.”- Paulo Pimenta, speaker ofthe budget committee of Brazil’s NationalCongress, August 2012

B. ID-cards and digital signature

In 2001 the rst nation-wide ID-cardwas introduced in Estonia. The ID-cardis the primary identity document forEstonian citizens and is a mandatory IDdocument for residents, who make upapproximately 15% of the population,from the age of 15. Valid for ten years,the card serves as an identicationmechanism for use both in the real anddigital world, and a travel documentwithin the EU. Most importantly, the

ID-card can also be used to afx adigital signature (legally equivalentto a handwritten signature) to digitaldocuments and transactions using thenational PKI infrastructure.

For more information on the EstonianID-card and PKI infrastructure, pleasevisit: www.ria.ee/id-card

3 http://www.riso.ee/en/system/files/Estonian%20Information%20Society%20Strategy%202013.pdf

4 e-Estonia website: http://e-estonia.com/e-estonia/digital-society5 BBC news, “The cyber raiders hitting Estonia”, Thursday 17 May, 2007.6 https://www.ria.ee/estonia-and-the-uk-sign-a-memorandum-of-understanding-on-cooperation-in-e-services/7 https://www.ria.ee/facts-about-e-estonia/

https://e-estonia.comhttps://www.ria.ee/facts-about-e-estonia

Facts about e-Estonia:

■ 78.4% of the Estonian population aged 16–74 uses the Internet and 75% ofhouseholds have Internet access.

■ Today 99.6% of banking transactions are done electronically.

■

Over 80,000 digital signatures are made each day in the country. More than100 million digital signatures have been made in Estonia since the system became available.

■ In 2012, 94% of people declared their income electronically.

■ 40% of Estonian ID-card owners have used them to authenticate themselvesor provide a digital signature.

■ It takes only 15 minutes to register a business electronically, using either anID card or a Mobile ID. The company will be legalized within a few hoursand can start conducting business the same day.

Source: e-estonia.com



7Estonia Mobile ID

C. Baltic & International cooperation

Key elements of Estonia’s economicstrategy have been the creation offavourable conditions for FDI andopenness to foreign trade. Estonia’s balanced state budget, stable economicpolicy and relatively low labour costsmake it an attractive location for foreigninvestors, the majority of which comefrom Nordic and Western Europeancountries. Over 600 million euroscame to Estonia in the form of foreign

direct investment in 2011, according toEnterprise Estonia.8 The country ranks21st out of all countries in the WorldBank’s Ease of Doing Business Index.9

Central to this attraction is Estonia’ssimple and transparent tax system,clear legal framework and relativeease with which a new business can be established, owing primarily to itsadvanced ICT infrastructure.

Since 2011,citizens of Belgium,Portugal, Lithuania and Finland can

access state websites, sign contractsand conduct business online in Estoniausing the national ID-card of theiroriginating country, such as in the StatePortal (above right).

Estonia and its neighbouringcountries in the Baltic region, Latviaand Lithuania, have a long-standinghistory of close economic and politicalcooperation, and have most recentlycome together for joint cooperationon ICT services integration. Forexample, between 2006-2008 the Baltic

WPKI Forum, consisting of mobileoperators, banks and certicationservice providers across a number ofBaltic States, was established with theobjective of fostering mutual economicdevelopment through improvedcommunication between the businesscommunity and government throughthe use of modern ICT technologies.

8 EnterpriseEstonia.com, February 20129 World Bank Ease of Doing Business Index, 2012

State Portal: one gateway to e-services

The State Portal, eesti.ee, is a gatewaysite enabling Estonian residentsto access hundreds of e-servicesoffered by various federal and localgovernment institutions through onesingle entry-point. To enter the system,the user only needs to login once withtheir Mobile ID or another electronicID, giving them federated access to allother sites housed in the portal. Thesite receives 72,000 visitors per monthand is actively used by over half theEstonian population.

Whereas, earlier, an applicant wouldhave had to visit a number of differentofces to collect various documentsproving their eligibility, now recordsfrom hospitals, the health insurancefund and other institutions areintegrated via a platform known asX-Road, eliminating the applicant’sneed to visit them in person. Inaddition, the site offers a service whichcan be used via the portal to create,sign and share documents usingdigital signature.

e-Business Register:

Entrepreneurs are able to set up new businesses online in under half anhour by using the e-Business Register.All that is required is an ID card, cardreader and Internet connection – or,more simply, a Mobile ID - and thedata from completed online forms isthen sent automatically to the Courtsand Central Commercial Register.

By 2011 98.2% of all companysubmissions were made usingthis advanced, secure, and simple

method. Through the State portal itis also possible to submit and viewannual reports, submit and verify a business name, change data in the business register in real-time andmake detailed inquiries into othercompanies. Due to cross-borderdigital signatures, Portuguese,Finnish, Belgian and Lithuaniancitizens can set up companies inEstonia, and vice versa, using theirnational ID cards or Mobile ID.



8 Mobile Identity

Mobile ID use cases

With a Mobile ID, users in Estonia can:

■ Submit tax returns (income tax, local council tax, business & property taxes) online with the national Taxand Customs Board

■ Register a motor vehicle with the Road Administration

■ Apply for a driver’s license (and obtain and submit therequired health certicate through the same portal)

■ Register a new company

■ File court cases, access and monitor legal proceedingsin civil, administrative, criminal and misdemeanorproceedings with the Centre of Registers andInformation Systems

■ Access and process real estate data and documents

■ Buy tickets online for railway travel, sports events,museums, zoo, recreational shing rights, etc.

■ Apply for and monitor personal and corporate pensions

■ Apply for a personal loan

■ Access student account, grades, class info atTallinn University

■ Purchase and manage accounts for home, motor,accident, travel and pet insurance

■ Pay water, electricity and gas bills, monitorconsumption and change contract informationwith utility companies

■ State agencies (hospitals, schools, defence agencies,sports clubs, etc.) can procure hospital beds, buildinginstallations, minivan hire, etc., with the Ministryof Finance

■

Sign and share documents using DigiDoc, an online portalfor storing, sharing and signing documents, photos, voicerecordings or even an instant messaging chats.

■ Access personal information (health insurance,disability assistance, school support benets,educational qualications, construction applications,public event applications, etc, etc.) from the StateAgency for Information System

■ Vote in national elections

Source: e-Estonia.com

Source: e-estonia.com

1994 Information Policy passed

1996 Tiger Leap project createdPersonal Data Protection Act First internet bank in Estonia

1999 Data Protection Department created

2000 Digital Signatures Act e-Tax ling begins Mobile parking introducede-Cabinet introduced Population Registry Law passed

2001 Introduction of X-Road Population Registry opens

2002 e-School project comes on line ID Card introduced Law on e-Election passed

2003 e-Vehicle registry opens Public Information ActLaunch of ID bus ticket State Portal launched

2005 First i-Elections e-Police system comes on line

2007 First Mobile-ID system comes on line

2008 Launch of e-Health system

2010 e-Prescription introduced

2011 Smart Grid introduced in Energy SectorFirst m-Voting in national Parliamentaryelections



9Estonia Mobile ID

Subscriber

Trust Serviceprovider

Mobile operator

e-Service provider

CertificationAuthority

III Estonian Mobile-ID

A. Vision & principle:

Mobile-ID is a service that allows thesubscriber to use their mobile phoneas a form of secure electronic ID.Introduced by the mobile operatorEMT as the commercially availabletechnical evolution of the NationalID-card, Mobile-ID was intended tomake the everyday transactions thatpeople conduct easy and uid. Likethe National ID-card, Mobile-ID can be used for accessing secure e-services,

transmitting and authorising payments,and digitally signing documents.The agreement can be made for bothprivate and corporate clients using theirmobile numbers.

Unlike other mechanisms ofauthentication, Mobile-ID does notrequire any additional hardware, suchas a card reader, and frees the userfrom password cards, PIN calculator,usernames and passwords. Moreover itworks on any handset so the user doesnot have to have a smart phone.

The PKI technology used in Mobile-ID offers the highest level of securityfor transactions involving payment orsecure data transfer.

B. How it works:

Here’s how ID-card would be used forlogging into a secure site, for instancethe SEB Bank account:

1. The user clicks the “Log in withMobile-ID” option on a supportedwebsiteand enters their user ID.When using it for the rst time, theuser also enters their mobile number.

2. The user then receives a pop-upmessage on their mobile phone,which prompts them to enter PIN1 of their Mobile-ID (a 4 digit PIN

known only to the user).

3. The user enters the correct PINonto their phone. The screen on thephone disappears and the websiteis automatically reloaded with alogged in screen.

(No other steps are required for access

authentication)4. For conrmation of transactions

(or signature of contracts, voting,permission authorisation, etc.), thesite asks the user if they would liketo digitally sign the information.

5. If the user clicks ‘yes’, a windowfrom a third-party Certicate Centerpops up, asking for the PIN codesconnected to the user’s electronicID-card.

6. The Certicate Center veries the

codes and sends a conrmation backto the websitethe user must to enterPIN 2 of their Mobile-ID (a 5 digitPIN) when prompted.

When using an ID-card, the process issimilar, except that an additional cardreader is required to link the PIN codeto the card.



10 Mobile Identity

C. Technical solution:

The system is based on a specializedMobile-ID compliant SIM card whichthe customer must request from themobile phone operator.

Private keys are stored on the mobileSIM card along with a small applicationfor authentication and signing.

The Mobile-ID compliant SIMcard contains both PIN and PUKsecurity codes.

The Mobile-ID codes needed for theservice are:

■ Cell-ID PIN1 - or 4-digit code foridentication purposes

■ Cell-ID PIN2 - at least 5-digit code forthe digital signature

■ Cell-ID PUK - code Cell-ID PIN codesto open if they are locked

Certicates are issued for a validityperiod of 3 years, after which the contractmust be awarded to a new SIM card.

The ID-card service must be activatedafter subscribing to the service.This can be done at the web page ofthe Police and Boarder Guardhttps://www.politsei.ee/using theID-card, ID-card’s PIN 1 code andID-card reader device.

To date, no known reports of falsied

or repudiated transactions have beenattempted with Mobile-ID during its 5years of operation.

Mobile ID: A Developer’s Perspective

Madis Aasla is a self-employed software developer whohas provisioned Mobile ID to over 15 private companies.He speaks about his experience as both a softwareprovisioning expert and personal user of Mobile ID.

“I’ve developed internal networks for companies that basically want to have a secure way of identifying theiremployees which doesn’t involve regular username-password combinations. It’s becoming a bigger issue inEstonia, and companies are beginning to recognise that theyneed to have better security measures.

“There isn’t a specic “type” of company that chooses to

use Mobile ID. Some companies decide to go straight toMobile ID, so it’s not true to say that the majority are thosemaking a transition from the ID card. Sure, the MobileID isn’t that common yet, but I’m seeing more and morecompanies interested.

“As a developer, I think Mobile ID is really easy toimplement. It’s well documented, so implementation doesn’ttake a lot of time and effort. I think a lot of businessesare hesitant because they think it must be expensive, butin business terms it doesn’t cost much. I’ve seen a lot ofdifferent solutions and Mobile ID is really cheap, even ifyou’re a small company.

“I think the biggest value that companies see in Mobile IDis that the digital signature has legal value - you can reduceall the paper pushing that takes for ever! When you thinkabout this, the private sector could easily do anything withthe Mobile ID. For example you can do a full credit check andautomatically apply online for a credit card, have it signedand validated in 5 minutes, with no paperwork whatsoever.You can even sell a car without going to the DMV – how coolis that?

“Having been accustomed to digital documents for over adecade, we in Estonia are pretty calm about it, we know itworks. What was life like before we went digital? It wasall hell…”



11Estonia Mobile ID

IV Uptake and Scale

Despite its introduction to the marketnearly 7 years ago, Mobile-ID has onlyrecently started to see strong levelsof growth. For example, year on yeargrowth rates for Mobile ID users in banking applications was 56% in 2012.

There are a number of explanationsfor this which provide useful insightsfor those looking to implement similarservices in their own markets.

A. Rapidly changing consumer demand:

i. Smartphone penetration is risingquickly in Estonia. While still ataround 30%, the introduction ofsmartphones is signicant. Aspeople switch to smartphones, theirconsumption of data and data- based services (both via apps or themobile web-browser) increases. Asa consequence, smartphone usersexpect to be able to access the sameservices – and, arguably, even moreservices (since they can browse fromanywhere at any time over a wi or

GSM connection) - than they wouldfrom a PC.

“I actually do most of my banking thesedays over mobile, like when I’m lying inbed or waiting for someone, I can paymy bills and everything.” – Mobile-ID user

“I basically use it every day. I use itwhenever I’m not at the ofce. I don’teven carry my identity card around withme because it’s in my phone.” – Mobile-ID user

ii. Similarly, the introduction of tabletdevices into the Estonian market hasmeant that using the physical ID-cardfor authentication and signatureprocesses has in fact become moreinconvenient to the user. Mosttablets do not have a USB port fora card reader, for example, whilethe perceived impediment to being“mobile” in terms of using the deviceon-the-go increases once the userhas to focus back and forth betweentwo items: holding the ID-card in

one hand while manually enteringinformation into the device inthe other.

“One way you could judge theusefulness of a technology like this isby asking yourself: Does it pass the‘trafc light test’? Can I send money tomy friend or pay a bill while waitingat the trafc lights? With Mobile-ID, Idenitely can.” – Mobile-ID user

B. Businesses increasingly turning to mobile

i. Consumer-facing businessesare increasingly recognising the

importance of the mobile channel forreaching and serving their customer- base and, as a consequence, arelooking to offer an greater amountof services and content via mobile.Fundamental within this is therecognition that consumers want onesingle, uid process from entry tocontent exploration to payment.

“Mobile-ID has reduced our customeracquisition cost because the dropoutrate at the point of payment is lower.If you note that the average attention

span is 3 seconds, you need to ensurethat you don’t lose the customer at thiscrucial stage.” – IsePankur, peer-to-peer lending

ii. The past few months have seen anincrease in the number of apps whichhave integrated Mobile-ID into theirservice. The two largest banks inEstonia, Swedbank and SEB, bothadded Mobile-ID as a login andauthentication option for transactions: banking customers using the appsare now able to view their account balances, issue a payment or transfermoney to a third party all in the sameinterface and entering their secure4-digit pin once (for authorisingpayments, the customer also needsto enter the 5-digit signing pin).Comparatively, authenticating atransaction using Mobile-ID throughthe PC is also possible, but wouldrequire the user to additionallymanually enter their phone numberin addition to the authentication PIN.

DigiDoc:

DigiDoc is an online service thatallows Estonians to store, share anddigitally sign documents. Users maylog in using their physical ID-card +reader or with Mobile-ID, and anytype of le can be uploaded, includingvoice recordings by phone. As digitalsignatures carry the same legal weightas paper signatures and the robustpublic key encryption meets EUstandards for security, DigiDoc is not

only popular with private citizens, but

is also commonly used in the publicsector (e.g. for court documents andmunicipal contracts) and banking.This system was introduced in 2005,and particularly focused on improvingcommunication between organisationsas a means to full the potential ofdigital signature. Other benets includethe fact that the process is cheaper,faster and kinder to the environmentthan using paper; the system is also

easy to use and entirely free.

Typical physical ID-card reader+ USB attachment cord.

Not available for all tablets.



12 Mobile Identity

Mobile ID: Changing the face of the financial services industry –A Client Perspective

Established in 2008 and operated by Sõbralaen OÜ, isePankuris the oldest operational peer-to-peer lending platform inScandinavia allowing individuals and businesses to borrow

and lend between each other. With customers in 28 countriesand investors from Europe, Australia and the United States,isePankur aims to establish an open pan-European peer-to-peer credit and payments platform connecting peopleand companies with excess capital in stable economies withgrowing credit-thirsty markets in Central and Eastern Europe.

In 2011, isePankur won the “Best Estonian E-service of 2011”and was a quarter-nalist at the World Summit Awards of2011. With a net income of 118,804 euro on sales of 208,664euro in 2011, the company is one of the few protable peer-to-peer lending start-ups in the world.

Pärtel Tomberg, CEO of isePankur, describes the reasoning behind his company’s decision to adopt Mobile ID:

“As a nancial services provider, security and safety are a corepart of our services; our investors rely on us to manage theirmoney effectively. It is therefore vital for us to be sure that therecipient is the right person. Mobile ID is currently one of thevarious mechanisms by which a person who comes to us fora loan can identify themselves. Around 30% of our customersare using Mobile ID, but I wish it was all of them!

“Our prime commodity as a nancial services provider isthe quality of our service. This is ultimately what makes thecustomer go through with the transaction. Mobile ID hasreduced our customer acquisition costs because the dropoutrate is lower. If you note that the average attention span is 3

seconds, you need to ensure that you don’t lose the customerat this crucial stage.

“For the customer, it’s ultimately about convenience.Consumers don’t worry about security. They assume theprocess secure because you’re offering it to them. Therefore,we need to make sure it’s secure! Mobile ID denitely meetsthis requirement.

“However, we don’t look at mobile as a completely differentsales channel, it’s part of our whole service offering to thecustomer. If you think about it, nancial services are all aboutdata services. It’s not technology driven; it’s process driven.A consumer is a consumer in every industry; regardless ofwhich shop they’re standing in or website they’re on, they behave the same and they want the same processes [forpayment, accessing information and content, etc. ] across allthe things they do.

“Identication and authentication are also a central part ofour internal processes, such as internal payment transfers,for which we already use 2-factor authentication. For everylegal transaction the customer does, everything needs to be

signed and authenticated. Operators could be capitalisingon this need by providing these types of strongauthentication services.

“I think the telcos should move a bit faster. From a businessstandpoint, if we want to grow our business in multiplecountries, we can’t build our entire infrastructure on MobileID as the service process needs to be as similar as possiblein every place. The problem in Estonia is that they [theoperators] concentrate on making the solution too technical,whereas they could be launching authentication services toother service providers who need them right now. You don’tneed to have a complex technology to provide a service. Thedevice is there. The demand is there. MNOs have the assets

now so should offer them before start-ups come and developsomething else in their place. Until the time when Mobile IDis offered in multiple countries, we’ll need to use a One-Time-Password mechanism as an alternative.”

10 Estonian Information Society Yearbook, 2011-2012.

iii. One of the more common use casesof Mobile-ID adopted by businessesis for secure enterprise access fortheir employees. As the numberof employees wishing to use theirpersonal laptops, tablets and mobiledevices for work increase, businessesare forced to adapt and developpolicies and processes that meet thesecurity requirements for accessingtheir corporate VPN and internaldata systems – part of a broaderphenomenon occurring aroundthe world known as BYOD (BringYour Own Device). In 2012, 89% ofenterprises used employee’s physicalID-cards attached to readers fordigital signatures and 67% used ID-

cards for establishing users in internalinformation systems.10 For many,using Mobile-ID is a much simpliedmethod for conducting the sameprocesses at a faster speed and withgreater exibility for their employees.

According to the 2008 Estonian LabourForce Survey, over 10% of Estonianswork from home, or spend the majorityof their time out of the ofce, making aMobile-ID solution perfect for this need.

“When we use Mobile-ID we can savetime and a whole lot of footwork interms of paper processes – otherwiseit takes a few days at least to registersomeone.” – Enterprise user, Mobile-ID

iv. In addition to the potential increasein revenue generation, businessesare also recognising the signicantrole that mobile also plays in termsof cost reduction. Paper processes,including printing and courierservices, cost businesses up tohundreds of thousands of dollarsper year in both nancial cost andtime. Many corporate entities, as wellas government departments, havealready made the transitionto paperless.



13Estonia Mobile ID

The mobile operator Elisa, for example,is among a number of companies nowcharging its customers for paper billsin an effort to encourage use of digitalresources and as part of its commitmentto carbon reduction. The EstonianParliament has gone as far as tomake all votes in the cabinet paperless:decisions are now voted on with aclick of a button and the results madeavailable to the public the same day.

C. Early adoption and promotion by Banks

While ease of use and convenience is atthe heart of growing adoption of Mobile-ID by consumers, this represents onlyone side of the equation. For companiesand organisations for whom thesecurity of their customer’s informationis of utmost importance, Mobile-IDhas become a crucial mechanism forensuring that this level of security is met.

i. Banks in Estonia were among the rstentities to adopt Mobile-ID, and havecontinued to be some of the product’s

most active proponents. Today, 99.6%of banking transactions in Estonia aredone electronically and, accordingto the national e-Estonia portal, thenumber of Internet banking users– including corporate accounts andusers with multiple bank accounts- is greater than 1.8 million clients(greater than the whole population ofEstonia, 1.3 million).

“Customer penetration is a key point from which we look at Mobile-ID:how to make it easier to attain the

customer, to make it easier to loginand use our services.” – Manager, Swedbank

Banks in Estonia allow a varietyof ways for clients to access theironline banking services, includingplastic code cards (cards listing aseries of series of codes to be usedonce each during the login process,after which the code is scratchedoff) and hardware tokens (one-time-

password generators), as well as theID-card and Mobile-ID. Unlike thephenomenon seen in other countrieswhere banks have resisted uptakeof Mobile-ID solutions for fear ofundermining their pre-existing bank-issued authentication methods,the Estonian banks recognised thevalue of the PKI infrastructuremethod within the ID-card andMobile-ID as a more secure methodfor authenticating transactions.Swedbank and SEB Bank, forexample, have now set a limit on thedaily transaction amounts authorisedusing methods other than the ID-card or Mobile-ID to 200 euros inan attempt to phase out these lesssecure methods and encourage use ofMobile-ID and ID-cards.

“We once thought the [plastic] ID-card would eventually be the defaultauthentication method for paymenttransactions, but now demand forsmartphones and tablets has changedour view. Mobile-ID is the only formwhich is both secure enough andconvenient enough for our clients.” – Manager, Swedbank

ii. Banks arguably were the catalystfor creating a broader infrastructurefor the identication of a personwithin an electronic environment.As commonly seen in other marketswhere mobile identity products have been introduced, a crucial driver forsuccessful uptake by consumers is thefrequency of use. Banks are thereforekey players in this space due to thefrequency with which clients viewor conduct transactions on theiraccounts (most commonly on adaily or weekly basis, as comparedto an annual tax income claim).Once banks in Estonia beganto use digital identication andauthentication methods on a regular basis, other entities followed suit.



14 Mobile Identity

Swedbank: A banks perspective

Swedbank is Estonia’s largest bank, holding around twothirds of the market share in terms of customer transactions.Around 900,000 customers in the client-base use electronic banking, of which around 0.5 million customers areconsidered active on a monthly basis.

Arno Pae, Head of the E-Channels Department at Swedankin Estonia, describes the strategic rationale behind thedecision to encourage Swedbank customers to use Mobile ID.

“Customer penetration is a key point from which we look

at Mobile ID: we want to focus on how to make it easier toattain the customer, to make it easier to login and use ourservices. One area where we see the greatest value in thefuture is mobile banking, which is a strategic focus area anda strong reason for us to support the take-off of Mobile ID.

“We saw the monthly uptake of new Mobile ID users morethan double as soon as we launched the Mobile ID feature onour mobile banking app (in May 2011).* Consequently, ourmobile banking app usage has grown 200 times as a year-on-year gure.* These two things clearly support each other in avirtuous circle. Although it’s a relatively new service for ourcustomers, the numbers are pretty clear:

■ 2.5% of our Internet banking customers use Mobile ID and

make up 2.5% of all logins■ 26% of mobile banking customers use Mobile ID and make

up 38% of logins*

“I think the reason for this rapid uptake of Mobile ID isclearly the increased usability of the service. It’s an easierway to get into the app and conduct transactions. It suddenly becomes an all-in-one process: the user only needs to

remember the universal access code they use across all onlineservices and the pin is generated on the spot.

“Other banks have similar user-base numbers (around 2%) but we know they are also actively welcoming Mobile ID.Unfortunately for banks, the default authentication methodfor the majority of online banking is still the code card, butwe don’t see this as extremely good security. In fact, we’vetried to actively discourage use of the code card by setting anamount limit on transactions that can be made with it.

“We’re glad to see that the operators and nationalgovernment are now making efforts to advertise Mobile

ID. EMT have been kind enough and smart enough to use banking as one of the main use cases for Mobile ID. We alsotry to actively promote Mobile ID use among our customers by encouraging them to tell others about it. We’ve had greatfeedback from our Mobile ID customers so far. They have been very happy.

“This leads me to the most important point value thatMobile ID represents, which is the ability to build all sortsof additional services based on the authentication feature.We’ve taken the view that mobile payment is about muchmore than just the payment; it’s a channel for innovationsin m-wallets and m-apps. For example, we use it in ourcall centre: Clients can now opt to “log in” to the call centre

before they are connected. An interactive voice recognitionprompts them for login details and, once the real call starts,the client is already authenticated. When you think about thepossibilities here, they seem endless.”

*Source: All statistics have been provided by Swedbank for the purposes of this study.

D. Public Sector recognitionand promotion

i. Mobile devices are being increasingly

recognised by governments aroundthe world as an important channel forenhancing reach and access to publicservices for their citizens. As mobiles become increasingly ubiquitous, anumber of countries are adoptingmobile strategies for facilitatingcitizen access to healthcare systems,transportation, border control andlocal government. In Estonia, anumber of public sector entities areplacing mobile at the heart of theircitizen engagement strategies.

ii. While the public sector has avidlypromoted the use of ID-cards foraccess to public services and digitalsignature, Mobile-ID has onlyrecently been placed at the forefrontof Estonia’s e-Society agenda.

The primary reason for this is that,up until relatively recently, Mobile-ID had been offered only a singleoperator (EMT), meaning thatofcial promotion of the servicehad to be limited in the interest ofneutrality. Once Mobile-ID becamecommercially available from allthree operators in 2009, publicsector entities were able to openlyadvocate the adoption of Mobile-IDin their processes.

One such entity is RIA (EstonianInformation Systems Authority), theentity responsible for developingand administering Estonia’s PKIand digital signature infrastructure.

RIA has recently undertaken anadvertising campaign through localmedia outlets and in shopping mallsaround the country to encourage theuse of Mobile-ID among Estonian

citizens. Likewise, EMT has also run anumber of advertising campaigns onlocal television channels, newsprintand online media in order to promoteMobile-ID among citizens.

“Mobile-ID is the next generationmeans of authentication. It’s mucheasier to implement because it doesn’tneed any extra infrastructure to be setup (such as card readers) and it’s mucheasier for people to use.” – Mihkel Tikk, Head of the State PortalDepartment, Estonian InformationSystem’s Authority

“The telcos have seen the customers,they know the customers, they’ve

already registered them, they knowwho they are, where they live, howthey transact, so why would weneed to go through this registration process again?” – Online fnancial services provider



15Estonia Mobile ID

“With Mobile-ID, you can comfortably and easily enter e-enviroments, make payments and conducttransactions, and provide a digital signature. Your smartphone can take care of things quickly and safely.”

EMT online campaign

https://www.emt.ee/ul/minuemt_jaanuar/

EMT Mobile-ID awareness campaign, Youtube

http://www.youtube.com/watch?v=WEzWgc1D4Tw

Mobile-ID: Health Records

The Electronic Health Record is anationwide system that integratesdata from Estonia’s differenthealthcare providers to create acommon record for each patientpresented in a standard format. Bylogging into the Patient Portal withMobile-ID, the patient can reviewtheir past doctor visits and currentprescriptions, control which doctorshave access to their les, and evenreceive general health advice.Within a few minutes, patients canrenew a prescription by callingtheir doctor directly from home; thedoctor then writes the prescriptionand forwards it to the nationaldatabase using their Mobile-ID.In emergency situations, doctors canuse the system to read time-criticalinformation, such as blood group,allergies, recent treatments, ongoingmedication or pregnancy.

Since launching the system, thestate has recorded an enormousreduction in paperwork in hospitalsand pharmacies, while the Ministryof Health is able to measure healthtrends, track epidemics and makesure that its health resources are being spent wisely using the datacompiled for national statistics.



16 Mobile Identity

Convenience at the heart of citizen access:A Government Perspective

RIA is the Estonian Information Systems Authority, the entityresponsible for developing and administering Estonia’s PKIand digital signature infrastructure. RIA is in the process ofdeveloping a mobile version of the State Information Portal(eesti.ee), which is an umbrella portal for accessing statee-services from information drawn from various separatedatabases.

Mihkel Tikk, Head of the State Portal Department, discusses

RIA’s vision for Mobile ID:“We want to make the portal into one single point of contactfor citizens. Here in Estonia, we view the State’s role as beingto make it possible for the citizen to do what he or she wants todo, and to make it more convenient. That’s why e-governancestarted in Estonia, because we saw people going online moreand more for banking and shopping, so we thought we shoulddo it ourselves.

“Our e-Success is very much supported by the private sector.People are much more likely to trust a bank or someone who’soffering them a service they’re paying for because they’re being treated well. You need to include the private sector ifyou want to build trust in the eyes of citizens. Right now,we have the technical means to do this, so we’re ahead ofother countries.

“Fundamental to RIA’s efforts is recognition of the enhancedsecurity of the PKI infrastructure which Mobile ID brings tothe process. For example, RIA is considering ways to phaseout or discourage use of login methods other than the ID card

or Mobile ID (see separate box). The organisation has recentlyundertaken an advertising campaign in shopping mallsaround Estonia’s major towns to encourage use of MobileID among Estonian citizens. In RIA’s view, the promotionof Mobile ID is simply an extension of the digital signatureinfrastructure already in place and in use by the majority ofEstonia’s citizens.

“Much still needs to be done to promote awareness among

citizens of the benets of digital access, even with the ID card.We have 2.1 million logins to the state portal each month, and3% of those logins last year were using Mobile-ID. Half of theEstonian population has been to the portal, which means thatwe need to reach that other half of the population who haveyet to try it.

“Part of the problem is that people take a long time to adaptto new technology. It took the older generations a few yearsto start condently using the physical ID-card for digitalpurposes. Because the ID-card was relatively complicated – interms of needing a card reader and using a PC, people assumethat the Mobile-ID is going to be even more complex. But infact it’s the simplest way of all.

“We are also conducting awareness programmes throughlocal media channels and in schools, teaching children how tosecurely browse data We want to encourage people to talk totheir kids about internet safety. Raising this kind of awarenesstakes years. If you talk to them now, they’ll be the ones actingsecurely online in the future.”

E. Clarifying legislation

With the onset of the February 2011

parliamentary elections drawing near,there was a push to recognise Mobile-ID as an ofcial proof of identity. Priorto this time, Mobile-ID was recoginsedas an identication medium that mettechnical security requirements, butwhich could only be used outside thepublic sector. There were two mainobstacles to ofcial recognition:

a. The Identity Documents Act 2000made no reference to Mobile-ID.In January 2011, the wording wasadjusted to include Mobile-ID as an

ofcial identity document equivalentto the national ID-card.

b. Mobile-IDs were, up until thispoint, issued outside of the state’s jurisdiction. The Police and Border

Guard were responsible forestablishing the identity of users, butthe Mobile-ID compliant SIM cardswere issued by mobile operators.In order to prevent users needingto make multiple trips to both theoperator and the Police and BorderGuard ofce to activate the Mobile-ID (a challenge which all recognisedwould signicantly limit uptake), asolution was established in whichthe Mobile-ID certicates could beactivated directly by the user onthe Police and Border Guard ofcewebsite by using their ID-card.

F. Wider availability of Mobile-ID

Until 2009, only one mobile operator,

EMT, offered Mobile-ID to itssubscribers. The service was lateropened up to other Mobile operators,Elisa and Tele 2, who started offeringand promoting Mobile-ID to theirsubscribers. Since opening the serviceto other operators, adoption rateshave increased rapidly. The majorityof Mobile-ID users (approx. 80%) arestill those of EMT. Since 2012, EMT hasoffered Mobile-ID to its clients for freeand has actively promoted the servicethrough advertising campaigns andpublic communications.



17Estonia Mobile ID

V Challenges

Despite increasing uptake of Mobile-IDacross many sectors, some challengesstill remain to the wide-scale adoptionof the product:

A. Awareness

“Once you see it, it’s magic. But youdon’t really understand it until youhave it.” – Mobile-ID user

i. A key obstacle to customer uptake islack of awareness about Mobile-ID.While much effort can been madetoward explaining how the serviceworks, the real switch comes when theuser is able to “see it with their owneyes” and to use it on a daily basis.Part of the challenge lies in the needfor repeated use of the service beforefully recognising and understandingits benet.

ii. One issue iterated by many differentservice providers interviewed forthis case study is the perceived

complexity of Mobile-ID whencompared to existing digital or“traditional” paper-based processes.As self-service technologies, both theID-card and Mobile-ID are inherentlymore convenient, but also requireresponsibility on the part of the user toensure that the equipment is in goodcondition and up to date. Because theID-card requires additional hardwareto work (including an electronic cardreader compatible with the PC/tablet,a driver for software installation, andphysical upgrade of the plastic card

itself – sometimes within less than oneyear, depending on the frequency withwhich the card is used), perceptionamong users is that the Mobile-ID willentail similar maintenance. Signicanteffort needs to be placed into dispellingthese myths.

iii. Additional distortions of currentperceptions regarding Mobile-IDoriginate from political groups whoare concerned that the digital agendaof the current government excludestheir traditional voter-base. Negativead campaigns during the 2011 elections(during which the law recognisingMobile-ID as an equivalent digitalsignature to the ID-card was signed toallow for voting via Mobile-ID), triedto paint both voting via ID-card andMobile-ID as lacking in the sufcientlevels of security required. Suchgroups worried that digital votingwould unfairly skew the outcomewith greater voter turnout for thoseparties who represented more digitallysavvy segments of the population (inthe 2011 elections, the e-voter turnoutwas 20:80 for Leftist versus Centreparty voters). These groups continue toportray Mobile-ID as easily “hackable”and open to security breaches, despitethe fact that the Mobile-ID has never been hacked during its 5 years of

commercial availability.iv. Anecdotally, older clients are

considered less likely to want to usethe “self-service” processes availablethrough the PKI digital infrastructure,and tend to be less tech-savvythan those of younger generations.However, this is not the case whenlooking at the data on current Mobile-ID users:

■ The age-range of Mobile-ID usersis between 18-75 years, with themajority of users aged between26-48 years

■ Male-female ratio is approximately61:49

Those wishing to implement similarservices in other countries need to becognizant of the fact that a small portionof citizens will always prefer to go inperson or speak directly to a serviceprovider rather than conduct their business online.

Mobile-ID: revolutionisingthe voting process

Estonian citizens can vote in local andparliamentary elections using MobileID or through any internet-connectedcomputer, anywhere in the world.This remote voting system is simple,elegant and secure, and avoids theproblems of electronic voting systemsused elsewhere which are costly andproblematic. Estonia is a true trailblazerin this eld; it was the rst nation to

hold legally binding elections over theInternet (utilising an ID card and cardreader) in a local election pilot in 2005,the rst nation to allow i-Voting forparliamentary elections in 2007, andagain in 2011 pioneered voting throughmobile phones, removing the necessityof a card reader. Whilst it is too earlyto speak of m-Voting (as an Internetconnection is still required), i-Votinghas become remarkably popular and24.3% of participating votes in 2011were i-Votes.



18 Mobile Identity

B. Cost

i. Similar to misconceptions on theperceived complexity of Mobile-ID is a misrepresentation of thecosts involved in subscribing to theservice. The Mobile-ID costs 10 eurosto the consumer to purchase theMobile-ID-compliant SIM card andthe certicates, and an additionalsubscription fee of between 65c and1 euro is added to the customer’smobile bill each month. While this

may appear minimal to some, forthose subscribers paying only 5 euros amonth subscription for basic voice andtext, this is a signicant additional cost.

ii. Nevertheless, the research for thiscase study showed that perceptionson cost are always multifaceted anddepend on the user’s perceptions ofthe alternatives. When compared withupgrading a lost or worn ID-card,for example, which costs around 30euros to replace (in addition to theoriginal cost of the card + card reader

+ software), the difference in cost between this and a one-time Mobile-IDinstallation plus subscription feeis signicant.

“65cents to me is nothing. I don’t evennotice it and I use Mobile-ID all thetime, so I think it’s great value” – Mobile-ID user

C. Business model

Complicating the cost perception furtheris the fact that the Estonian operatorscompete on the cost of offering Mobile-ID to their subscribers. In some cases,Mobile-ID is offered for free as part ofan incentivising scheme; in others, theoperator subsidises the cost of the tax tothe government for issuing identicationcerticates. While these incentives havesignicantly increased the number ofusers, others argue that this distorts the

perception of a fair price and makes itmore difcult to ensure sustainability ofthe service in the long run. Since 2012,EMT has offered Mobile-ID to its clientsfor free, which has encouraged greateruptake of the service. According to EMT,many users felt that the state fee chargedfor the certicates was too high for anaverage user.

For the operators, Mobile-ID is not amajor revenue driver, but is viewed as avehicle for more innovation of services onthe Mobil ID.



19Estonia Mobile ID

VI Mobile-ID: A vision towards the future

Within a short period of time, mobileidentity has become an issue ofconsiderable importance within thewider digital economy. Although themajority of activities that require digitalidentity validation and authenticationaround the world continue to take placeonline, changing consumer trendssuggest that the mobile channel will beused increasingly in this space. As aresult, mobile operators have a key roleto play within this space As this casestudy aims to show, Mobile Operatorscan successfully insert themselves intothe centre of the digital economy and become the trusted source of securityand convenience for consumers and businesses alike.

Despite the challenges, the future looksgood for Mobile-ID in Estonia. Changingdemand for services on-the-go meansMobile-ID is increasingly recognised asthe medium of choice for consumers and businesses. Commitment from theOperators and from SK to dedicate moreattention to raising awareness ofMobile-ID and its benets points to thestrong likelihood of further adoptionthroughout Estonia. As consumer-facingorganisations start to recognise theopportunity in offering Mobile-ID totheir customers, penetration is likelyto grow.



For further information, please visit www.gsma.com/mobileidentityor contact the GSMA Mobile Identity team [email protected]

GSMA-Mobile-Identity Estonia Case Study June-2013

Documents

Transcript of GSMA-Mobile-Identity Estonia Case Study June-2013