Every week, we’re greeted with a new story about a cyber hack or attack. The 2018 Winter Olympic Games website was hacked during the opening ceremony last Friday night. Last week, it was confirmed that Russian operatives had hacked voter registration databases in multiple US states prior to the 2016 presidential election. Over the last month, a total of several billion dollars’ worth of crypto-currencies have been stolen in multiple cyber-bank heists. The biggest hack in the last year was of Equifax, the US consumer credit scoring company, whose 145.5 million records were stolen—including people’s names, social insurance numbers, drivers licenses, dates of birth and addresses. Globally, almost one billion Internet users were affected by a malware or virus in 2017.
All of which begs the question: How wise is it for us to build a ‘smart’ society—one that increasingly relies upon the digital medium for everything from filing taxes to driving cars?
I was in Estonia last week, escorting a delegation of government ministers from the Persian Gulf state of Oman, to help them find answers. Estonians were forced to ask this question sooner than most of us. Estonia is a small Baltic state of 1.3 million people. It’s a member of NATO. It’s one of the most digitized societies in the world. And it shares a border with Russia. In 2007, the Russian government hit Estonia’s digital infrastructure with a cyber-assault that temporarily shut down the country’s parliament, banks, ministries, newspapers and broadcasters.
Up until that attack, Estonia’s leaders, especially in government, were concentrated on building a digital paradise. And they’ve been succeeding. For most Estonians, calculating and filing one’s personal income taxes each year takes less than two minutes (and this year can be done with a few finger taps on the Tax Office’s Apple Watch app). Ambulance medics can know your medical history and medications before they arrive at the scene of your accident. Firefighters can know how many people are in your burning building (and if you have mobility problems) before they arrive at the scene of an alarm. Students can send their transcripts to a university with a single tap, and it takes less time to open a bank account or register a company than anywhere else in the world.
The government estimates that it has eliminated one full week—per year, per citizen—of time spent accessing government services: filling forms, standing in lines, filing taxes. The increased productivity across the whole economy is enough to fund the country’s entire national defense budget. Other benefits are harder to quantify. While Americans debate whether to add more polling stations or keep polls open later on Election Day, Estonians can vote online anytime (for a week until the polls close) from any device—anywhere in the world.
But the 2007 cyber attack forced Estonia’s leadership to admit that it had been too blasé about securing their digital way of life up to that point.
Safety. Security. Privacy. Sharing. Trust. The digital medium puts all these values in new tension with each other. And those tensions need to be resolved.
Take privacy and sharing. Amidst so many cybercrimes, data privacy has become a public concern. We’re learning not to trust governments and corporations with our data. Perhaps instead of following the Estonian model, we should insist that government only use our personal data for the explicit purpose for which it was collected—and destroy it afterwards.
Understood this way, data privacy stands in opposition to data sharing. Data sharing is the practice of exchanging and aggregating our personal data, for the sake of efficiency or, in this age of algorithms, to discover important patterns to help us do things better.
We can either share our data to make society ‘smarter’. Or we can preserve everyone’s individual privacy.
Dial Back? Or Double Down?
Estonia is trying hard to expose this choice to be a false one. Faced in 2007 with the question of reversing course or charging ahead with its digital agenda, the country’s leadership clarified a core belief: the digital medium is here to stay. A society can no more turn away from the digital medium than Europe could turn away from the print medium 500 years ago.
If that’s right, then the only way out of these new tensions is through. The Estonian argument I heard last week is that data privacy and data sharing are compatible, once the latter is properly understood. Part of our misunderstanding stems from the use of the word ‘sharing.’ This is a misnomer. It suggests: I give you my data, and you give me yours. Estonians do not ‘share data’ in this vague way. Instead, they break ‘sharing’ into two precise ideas: data ownership and data contracts.
For example: One of the most commonly used public databases in Estonia is the population registry: a database that contains every resident’s vital statistics (name, date of birth, gender, etc) and address. Such basic data is useful to almost every public- and private-sector organization, in almost any transaction. But it has only one, legally liable owner: the Ministry of Statistics. Before any other organization can access the data (say, the police or a bank), they must negotiate a contract with the Ministry that specifies their data privileges and responsibilities. Typically, such contracts are for the minimum data needed to satisfy a valid query. The Ministry of Statistics won’t reveal a resident’s full address when a Yes/No answer—‘Is this person a resident, Y/N?’—will suffice.
Every transaction involving my personal data is recorded (Which entity requested what data for what purpose?), and I can access a log of all those transactions online at any time. This transparency helps me to trust that my data isn’t being misused.
It was remarkable to see for myself the daily conveniences that Estonia has built atop this trust foundation. Perhaps most remarkably, all this trusted data exchange has actually increased data privacy for the average resident. As a Canadian in the UK, I’d need to show my passport to a letting agency to rent an apartment—which gives the letting agency far more information about me than they have any business knowing—or storing on their insecure office machines. In Estonia, all the letting agency needs to know is what their digital query to the Immigration Office tells them: Is this person an eligible resident, Y/N?
Estonia is also trying to find the way through hard choices on cyber security. No digital network is 100% secure, is its post-2007 security ethos. Everything is hackable. Therefore, securing a digital society must be about resilience (be the hard target, so that hackers target someone easier) and recoverability (when you get knocked down, how quickly can you get back up?).
Estonia demonstrated its resilience during the May 2017 WannaCry ransomware attack by North Korea, which crippled more than 200,000 computers across 150 countries—but did not affect a single machine in Estonia. And it is demonstrating its commitment to recoverability this month, as it formally opens the world’s first ‘data embassy’ in Luxembourg. (Its data embassies will backup all essential public data—and will be able to take over running public data services if the country’s own servers fall to cyberattack again.)
Hard Choices? Or False Choices?
My week of conversations in Estonia left me with two dominant impressions. The first is that hard choices under an old paradigm can become false choices under a new one. As the news, good and bad, of our digital capabilities and vulnerabilities continue to crowd the headlines, will we have the vision, and the wisdom, to make that distinction?
The other impression is that when it comes to the digital medium, the greatest risk may be to linger half-way between the analog and digital way. Judging by all our daily habits, we are all quite happy to reap the benefits of the digital medium. Are we prepared to adapt to the responsibilities as well?
Remember John Podesta, the 2016 campaign manager for Hillary Clinton whose emails were hacked and posted to Wikileaks? His Gmail password was runner123…