Let’s talk about digital identity with Margus Pala, Founder and CEO at eID Easy, and Johan Nyman, Project Coordinator at Åbo Akademi University.

In our 50th episode, Margus and Johan discuss eSignatures. Coming from Estonia and Finland, they explore the use (and potential future use) of simple, advanced and qualified eSignatures in two of the world’s most digitally advanced countries. They also delve into how we can standardise the use of eSignatures in Europe, and advice for business owners on what to ask from an eSignature provider.

[Scroll down for transcript]

Margus Pala

Margus Pala

Margus is from the world’s most digitally advanced country, Estonia, and has seen the future many years ahead of most other countries. He started his professional career as a programming teacher before being part of multiple start-ups, including one unicorn – Playtech. He is also an officer in the Estonian army’s National Guard Cyber Unit and has a master’s degree in Cyber Security. For the last 5 years he has been running eID Easy, whose mission is to help everyone benefit from the future of digital identity and electronic signatures – not by breeding faster horses, but going to a whole new level.

Find Margus on Twitter @MargusPala @e_id_easy and on LinkedIn.

Johan Nyman

Johan Nyman

Johan’s interest in digital identity, and specifically electronic signatures, is manifested in two areas: 1) the citizens’ perspective; how citizens can take advantage of national PKI (public key infrastructure) available on their ID cards to produce and use qualified electronic signatures, and 2) the public sector; how organisations working within the public realm, e.g. universities, can use national PKI for issuing e-signed documents, and also how they can raise their awareness and knowledge to handle qualified e-signatures in incoming correspondence from persons using e-signatures. He works as a project manager in university administration at Åbo Akademi, in Turku/Åbo, Finland.

Find Johan on Twitter @Johan_Nym and on LinkedIn.

Margus refers to the Finnish Trust Network. Find out more about the FTN here – https://www.ubisecure.com/authentication/finnish-trust-network-ftn/

We’ll be continuing this conversation on Twitter using #LTADI – join us @ubisecure!

­Go to our YouTube to watch the video transcript for this episode.

Let's Talk About Digital Identity
Let's Talk About Digital Identity
Ubisecure

The podcast connecting identity and business. Each episode features an in-depth conversation with an identity management leader, focusing on industry hot topics and stories. Join Oscar Santolalla and his special guests as they discuss what’s current and what’s next for digital identity. Produced by Ubisecure.

 

Podcast transcript

Let’s Talk About Digital Identity, the podcast connecting identity and business. I am your host, Oscar Santolalla.

Oscar Santolalla: Hello and thanks for joining into a new episode of Let’s Talk About Digital Identity. And today, we are coming back with a fireside chat format in which we have two guests. And this time, two guests are going to talk about electronic signatures. For that, let me introduce them. We will have Johan Nyman, who is Project Coordinator, Research and Education Services at Abo Academy University in Turku.

His interest in digital identity and specifically electronic signatures is manifested in two areas. First, the citizens’ perspective, how citizens can take advantage of national PKI, public key infrastructure, available on their ID cards to produce and use qualified electronic signatures. And the second is the public sector, how organisations working within the public realm such as universities can use PKI for issuing electronic signed documents and also how they can raise their awareness and knowledge to handle qualified eSignatures in incoming correspondence from persons using electronic signatures.

And our second guest is Margus Pala, who is founder and CEO of eID Easy. Margus come from Estonia. He proudly says that it is the world’s most digitally advanced country, country which has seen the futures many years ahead of most other countries. He started his professional career as a programming teacher before being part of multiple start-ups, including one unicorn, Playtech. He’s also an officer in Estonian army, the National Guard Cyber Unit and has a master’s degree in Cyber Security. In the last five years Margus has been running the company eID Easy, whose mission is to help everyone benefit from the future of digital identity and electronic signatures, not by breeding faster horses, but going to a whole new level.

Welcome, Johan. Welcome, Margus.

Johan Nyman: Thank you very much Oscar.

Margus Pala: And Oscar, yeah, it’s really good to hear the familiar voices here.

Oscar: Fantastic. It’s great having both of you being experts in electronic signatures in these two neighbouring countries, well advanced in this matter. So, it’s going to be an amazing conversation. So I’ll jump, telling the first questions and you can follow the conversation after that. So I would like to hear of course, how each of you got involved with eSignatures, with electronic signatures. So where were the drivers for your involvement?

Margus: I can say from my side that Estonia is quite unique country that has online voting with national eID card since 2005. But I saw that this is not enough. And I wanted to take this to next level and replace the parliament entirely. And that is term called direct democracy, where actually people themselves vote on the items that parliament vote. Usually it’s not possible because you cannot fit millions of people into parliament rooms. But when you have national ID cards, then you can do that. So I started this project, but had some other better things to do. Now, this has grown up to be eID Easy where we help people to take full advantage of the eID methods to identify people securely, using ID cards, different apps, much faster, better, cheaper and accurate than regular passport scanning and also great qualified electronic signatures, the holy grail of the signature.

Johan: My interest in eSignatures started on a theoretical level really back in 1999, that year I was in Spain. That spring, I studied a course of cryptography and asymmetric encryption. That’s really where it started for me.

In December the same year, Finland rolled out its Public Key Infrastructure on the ID card, the citizen certificate. A few years later, I got an ID card on my own and from there on it went. So I have been following the Finnish project very closely from a citizen perspective, examined the eSignature, its possibilities, its usage. Later on, I also got the possibility to work in some other neighbour countries, Sweden and Denmark, this was from 2012 already.

Then I got the possibility to also use their national e-signing solutions to do some benchmarking and comparing with the Finnish one. During that period, I also applied for and got myself the Estonian e-residency card, enabling for me a fourth national solution to compare with the others. So, my background and entrance into this field is really from the citizen perspective. And in the last few years, it has widened to be also an organisational perspective and overall customer perspective when it comes to eSignatures.

Margus: So there are three different levels of electronic signatures. These are like simple or basic, how they say it’s like different names, then advanced and qualified. eIDAS is saying that electronic signature is data in electronic form, which is attached to or logically associated with other data in electronic form. This is a really broad definition and means that almost anything is electronic signature in these days. You don’t need to have any middleman, no service provider. And if you just exchange emails, or SMS, for example, I send to Johan that I will sell you my house for 1,000 euros, Johan says I agree, then we have electronic signature. And this is the simple signatures that which level is actually most widespread all over the world.

Johan: What I find very flexible with the eIDAS, or eIDAS as I would pronounce it, is that it doesn’t say in itself, as I have understood it, where you have to use, for example, a qualified electronic signature level. But it merely says that if you’re using a qualified electronic signature, then at least then it shall always be admissible. It also says that lesser levels shall not automatically be dismissed. And I think this is a very dynamic way of putting it, it says that, at least when you have the qualified level, it should be admissible. But it doesn’t say that you always have to use that. And I can surely think of contexts and situations where a lower level is good enough.

Margus: So, be very careful when you promise somebody over Facebook message that you’re going to visit their birthday. If you’re not showing up, then you can legally be sued in court because it’s legally binding electronic signature.

But the next level of signature is advanced signature, where you already need to have clearly identified the signer and make sure that only he is capable of producing the signature. And if the service provider generates the PDF file, says that you will have signed, but actually he’s signing this PDF file with his own private key, then it’s still a simple signature. It’s considered to be same level as a simple email exchange.

To provide or to create the advanced signature, you need to have fully verifiable cryptographic trail back to the signer that cannot be faked by anyone in the middle of the chain. So usually it is in the form of certificates, somebody signing it with private key, or let’s say eID method, they should give out the proof that actually this person was signing.

And to add more, for the simple and advanced signatures and qualified signatures difference or one of the main differences for this simple and advanced, you always need to have additional evidence for it to be valid in court. As eIDAS said that court should not automatically dismiss, they take it into consideration. But then you need to bring additional evidence, which could be a number of email threads, mails you have exchanged, whatever you can produce to prove that this is how you agreed the document contents and you actually wanted to sign the document.

Johan: Yeah, and of course, in many or most of the countries around here, there is a freedom of form for how to make an agreement between two parties. But if one of the part of the contract parties wishes to use the highest level, the qualified level, then it’s probably a good idea that both of them use the same level. Or could you Margus give some good example on how to understand what it means to use or not use the highest level of signature.

Margus: Yeah, I actually have really good example of that. For example, if you want to take a loan, I’m short on money, I want some more. I go to bank, I cannot go to office, I do it online. So I should always prefer the simple signature, where they send a link to my email. I click this and say I sign. And it’s especially recommended if you use, maybe your friends or some general email address because in this case, you can always claim that you did not sign and court will take your side.

But if you give out loans, then you should always request qualified electronic signatures, because there is a burden of proof. And in this case, you do not need to prove anything anymore if you have that qualified signature in your document, then you give it to court, and court says everything is OK, signature is valid. This is one of the differences of qualified electronic signatures.

Johan: Yes, I see it whenever you deal with a signatory party, that can be whomever that is not from the same context, the same organisation as yourself, I would find it a good idea to use a qualified electronic signature to agree that this is the level we will use. Then again, on the other hand, if you have a need to sign documents or workflows within an organisation, where you and your colleagues and the entire staff is trusted within the same system, then it is probably good enough just to use some kind of form where you are logged in with your organisational login, and you just press sign. And all the others involved will for sure know that it was you because you were logged in with the credentials that are trusted within the organisation. So of course, there are settings where it might be overkill to use the qualified level. But whenever you deal with or agree something, sign something with an external party, I find it a good idea to use the qualified level.

Margus: Yeah. I know we’re already talking these usages. But remember what qualified electronic signature is. And it’s something that’s actually fully standardised and accepted all over Europe in all the governments in everywhere. And then another benefit is that they can verify it by anyone fully offline using a standardised process. If somebody sends me a qualified electronic signature in one document, then I don’t need anybody, I can just see if it’s valid or not, I don’t need to upload it to some website, only this website to tell me if it’s valid or not.

Qualified electronic signature is equal to handwritten signature, by law, whatever you can sign with your handwritten signature on the paper and then same goes with qualified also. But actually, qualified electronic signature is much better than handwritten signature, because you can very easily verify who was the one who was signing, and you know exactly when the signature was created. If somebody is giving me some paper, and I see some strange marking on the bottom of the page, saying that let’s say Johan has signed, then I cannot do this on the paper, I need to have experts who take a lot of money to verify. But with qualified, I can just say, yes, Johan was signing and there’s no question about it.

Johan: What I find very convenient with the qualified electronic signatures is, as you said already Margus, they can be validated and verified offline independently. So you don’t need a third-party provider or their system or service to validate them. But you can really do it just from the document or the file against generic validation service. I think that’s a really good direction to go. For sure, I see that there is also some benefits of using commercial services. But it should really go in the direction of taking advantage of this that qualified signatures can be validated independently. For that specific purpose, the third-party service and their audit trail is not needed.

Margus: Qualified signatures are very good, but the simple signature have templates also, especially for example, let’s say if you’re making 10 million investment into some company, then you will say that this is like a really important document and you need to definitely only have qualified signature. But actually, for in this case, when you make these really big deals, that simple signature is good enough, because you have been doing extensive due diligence, you know exactly what was happening there, you have plenty of evidence. So for this use case, simple signature is perfect. I cannot say perfect. I don’t know why somebody would use simple signature if they can use qualified. But people using and it’s good enough.

However, if you want to give out small loans, let’s say 1,000 euros to strangers who fill in that form on your website without any other interaction, then you do not need evidence to prove in the court that the signature is valid and this person was signing it. So, in this case, in these small little deals, you should actually definitely prefer qualified signatures all the time.

Johan: That’s a very good way of shedding light on the usability of them. Having gotten a bit insight in how they can be used and what is the advantage of using qualified signatures, I was thinking maybe we could move on to ponder the equalities and differences between our countries, Finland and Estonia. Our countries have had some interaction on this field. We started in Finland with our Public Key Infrastructure on the ID card in December 1999. And I believe you, in Estonia, got inspired from what we did, and you carried it on from there. What would you say Margus lies behind the success story that Estonia has now on this field?

Margus: Yeah, we are really happy about Finland to show us the right path and how to make country completely digital. Because in Estonia, absolutely everything is done digitally online, all the signatures are qualified. Some exceptions are when we do international agreements, if other party for some reason do not want to use qualified, then we go with simple signatures.

And actually, qualified signatures are very easy to create. What you need is that you have mobile app. Let’s say Estonia, we have app called Smart-ID. We install this app, you do the verification. This actually is done in bank, you go to bank, you say that you want access, they will verify a document say “Here is your Smart-ID app, now you can create qualified electronic signatures.” And the process itself is that you make a transaction in bank or you want to say sign some document, then you get prompt in your phone, “Do you agree to sign this document?” You say yes, with your pin code and qualified electronic signature is created.

And in Finland and in Nordics and in many other countries, there’s also bank IDs, where the process from the user point of view is exactly the same. You go to bank, your identity will be verified, you install some app. But when you create a signature using Finnish Trust Network, then you are creating simple or advanced depending how you interpret this signature.

And for the banks, it’s just flipping one switch. And even in Finland and other Nordic and other countries, the signature would be qualified, not simple signature. So why they have not done it is really interesting. Myself, personally, I think that banks are all about avoiding risk. This is why they have not done that. They don’t want to take additional responsibilities, because if you are a qualified trust service provider, and you give a certificate to wrong person, let’s say I go to bank with Johan document, I managed to get the certificate on Johan’s name, and I signed documents, then qualified trust service provider needs to pay for all the damages. And for that actually qualified trust service providers are required to have enough money in cash, or they need to have insurance policies for these kinds of things. Maybe Johan that is why Finland banks do not create qualified signatures.

Johan: Yeah. I will approach that question with a counter to question to you Margus. Isn’t it the case in Estonia that you can use the National ID solution, that is either the card, the mobile ID or the Smart-ID to access your online banking services for almost any and every bank in Estonia?

Margus: Yes, this is exactly a case to have your national ID card issued by government, mobile ID, where the certificates are actually on the SIM card, and also the Smart-ID. And you can use all of these methods to access the banks. And for banks, I would say it’s, actually it’s even benefit because they take the risk away. So if you approve all the transactions with qualified electronic signatures, then bank has much less risk, he knows that this person definitely was approving the transaction. And if he did not prove because of the qualities of qualified electronic signature, then it’s the fault of the certificate owner. If I give my card to Johan and Johan does something, then it’s my problem. Or if the pin codes with the card are stolen and somebody create signature, then it’s my problem until I notify the trust service provider that my card has been stolen, and the card is closed.

Johan: Yeah, I think this is a really important point there that you, in Estonia, you can use the national e-identification solution to get access to every bank and its online services. Here in Finland, we still do it the other way around. We have the banks provide the ID solution. Not only for the customers, the people to get access to their own banking services in that bank, but also to be used to access public digital services.

So, I think the right way for us to continue is to swap it. Instead of having the banks provide the ID solution, as you said, Margus, the National eID solution should be made available as a robust and secure means to access not only public services, but also the online services of each and every bank. It’s already available to implement but we haven’t quite gotten there yet.

Also, when the banks in Finland provide the ID solution, they are just thinking about authentication and identification, to access a service and to prove your identity. But then there for most part, leave out the other aspect, which is the electronic signatures, which is an equally important aspect, which is unfortunately often left out and all emphasis is put on the identification side only.

So to answer your question, so far, I have not seen any bank ID used for proper certificate signatures. It is mostly or probably only used for signing documents, either in the bank’s own service, so it will just leave some kind of mark in a database that you have pressed a button after you have been logged in with your ID that you approve to the document or contract presented to you. Or then, they are used within third party commercial e-signing solutions as a mean to login to the service. You log in with your bank ID but then you do not sign the document yourself. It is the third-party service provider that signs with their electronic seal on your behalf. So strictly, even there, you cannot be sure that what the provider signs or seals really has connection to you as the person that is supposed to be signing it.

Margus: A really risky part because to maintain the actual cryptographic trail, if it exists at all and is possible – in some case it is possible, some case it is not. Only very technical people can understand it if this specific electronic signature portal or API is maintaining the cryptographic trail or not.

In comparison, we’re comparing Estonia and Finland, but we can also travel not far away to Norway, and their banks are actually qualified trust service providers. And Norway is not even part of European Union. So we can see that this thing is really possible.

One more thing, what’s preventing the banks to take this ID card into use? The thing is that if you use ID card, it’s completely free for the website. If I want to, let’s say add Finnish ID card support to my own website, identify people, then I don’t need to pay anybody. I just read the certificates from the card and verify if it’s valid. That’s it. You can do it completely offline. And some people say that this is actually self-sovereign identity. It’s like very similar. But if you use bank ID to log into the government websites, then for every transaction, bank is getting money. So it’s in bank’s strong interest that nobody is using these ID cards and government provided free systems that they will use something that brings money to the bank.

Johan: Sure. And to wrap up that part, my reflection is really that, as you said, Margus, you have already in Estonia come to electronic voting. I think we, in Finland, an indicator for when we are mature to reach that level is, speaking about the banks, when each and every bank accepts the national strong qualified means of identification. When that trust has ended and everyday use has been established, then we are ready to move on to think about electronic voting. But then getting back to the eSignatures, how could we standardise them on a broader level, European or even broader levels? What would you say?

Margus: Actually this European Union, they have trust list of all the providers who can create qualified and also who can create advanced signatures. If you create qualified signatures, then you’re definitely part of this list, it’s easy to verify. And same thing is also for advanced. But advanced does not need to be there if you do some kind of hacks and you use some customary processes to lock in your customers. So they cannot change the vendors. So this is very profitable for them.

But to standardise everything, you know at the European level, then I would say that main way how we can do it is to move everything to qualified, because it is very easy to create, it’s just basically like I just said, a matter of flipping the switch, is it simple or qualified signatures? And we just need to provide users an opportunity to use qualified signatures.

In many cases, even what is the most sad is that in government level, when you need to sign documents, then you even do not have option to use qualified signatures. And especially because quite a lot of qualified electronic signatures are free. In Estonia, Baltics, or you can use digital for application with your ID card, just upload documents, sign them. Finland has it. You can use Finnish ID card and Finnish DigiSign application. Latvia has this application. And even Adobe Reader, you can open Adobe Reader and connect any ID card or USB token and can create free qualified electronic signatures.

So, cost is not a problem. The difficulty is not a problem. It’s just if the providers want to offer it. And I think most importantly is that do the customers, they even know that this is possible and this is better? Or they just believe blindly what their highly paid salesman are telling them that law in this case does not require qualified signature so let’s go with simple signatures. And I think here Johan has something to say, “Why do you try to avoid all the qualified signatures?”

Johan: Yeah, exactly. The commercial providers do try to avoid them, I would say, because as I said earlier, they, most of the time, put their own electronic seal on the behalf of the person signing, when instead, they should allow the customers to use their own qualified certificate signatures. So what often happens so far at least is that when a commercial provider encounters the requirement for a qualified level signature, they take on what I would call a detour, for example, through live video authentication of the person to sign the document. And through that live video authentication, temporary or short time qualified certificate is issued for that signing transaction.

This makes sense in some contexts. For example, if the signatory is from a country that does not have eIDAS type public infrastructure or access to a national qualified certificate, then it makes sense, but it is definitely an unnecessary detour when it comes to any European country that can access an eIDAS signature. And as I see it, this is often why many of the providers wish to say that a qualified level is not needed. And I would really say that the commercial providers should go more into the direction of providing a workflow, a flexible and well working workflow for eSignatures, rather than providing the signing certificate themselves.

The services should allow the customer to, if he or she so wishes to use their own qualified certificates signature. Even in that commercial solution, it should not be blocked out so that only the commercial solutions certificate can be used. But any qualified signature should be able to be used so that the solution merely takes the form of an electronic workflow that allows for any qualified certificate signature to be used. So this is really the direction I would want to see more of.

Margus: And I would add two more points regarding standardisation all over Europe that recently was announced – eIDAS2 – it says that anybody in Europe can install themselves application that you can use to identify yourself and also, most importantly, create qualified electronic signatures, and it must be free for the people. For example, in Germany currently, you need to pay like 40 Euros or more per year to get a signature card and smart card and wait three months to get it. But then you have application, it’s even easier and for free. And this is going to happen in a couple years now.

And another trend is that – let’s take Finnish Trust Network. If I ask any bank or anybody in Finnish government, they say that this is bulletproof and there’s absolutely no way how to fake the user identity. If you identify the user using this method, then you can be absolutely sure that this user is the one who she says.

From that, of course, this question that why it is not notified in the EU level, why other countries are not accepting it. There needs to be a couple of steps from Finland’s side. But after that, if you identify user uniquely, then you are also able to issue qualified certificates after this kind of user identification. So even if banks do not want qualified electronic signatures, they need to still possible to use the same bank ID and issue a qualified certificate for the user to sign the document.

I find even less and less reasons to stick with simple signatures if qualified signatures are so available. And when use qualified signature then it’s fully standardised all over the European level, there’s no vendor lock in, you can always change the providers and everything is like followers.

Johan: Yeah, if we would have some final reflections on this discussion, what would you say would be a good advice for business owners who do know that they need signatures and are thinking of what kind of solution to choose?

Margus: I would say from my side that everyone who is implementing electronic signatures in their processes must have one requirement. Let the people create qualified signature if they want to. Maybe there is not everybody who wants to do that. It’s like saying with Corona vaccines, some people want, some people don’t want. But especially in public sector, when you have a project that involves qualified electronic signature, the number one requirement is that all local possible, qualified electronic signature methods must be included in that.

Johan: Yeah, I think that’s a good advice. And from my side, I would add to that, let’s say from a public sector perspective, that those that do procurement within, for example, the public sector for an electronic signing solution, they have quite a lot of power. And the first thing I think they should make sure is part of the specification when they do public procurement, is that the signing solution should never add any extra audit trail page or any extra text to the signed document that would invalidate any certificate signatures that have been formerly added to the uploaded document. Every information should be only in the certificate signature and its metadata fields. So with this point added into the procurement specification, you will get a very long way because it will give you that flexibility that allows for qualified signatures to be used.

And then finally, I think I would like to give advice from the citizen perspective. And that would be just start using the qualified electronic signature that you already have access to. This would be a non-issue in Estonia, because you have it all rolled out to the entire population already, since I would say decades back by now. But for us in Finland, for example, the advice would be for the citizens, just start using the certificate, the citizen certificate you already have. And if your laptop doesn’t have a card slot, then think about going that small extra step and order a card reader online for your ID card. Nowadays, they are not big and bulky devices with a cord, but you can even get them as small as a memory stick. That’s one thing.

Then of course, there are providers already that issue qualified electronic signatures, not only for citizens of their own country, but for any European citizens. So that is also another possibility if you don’t want to use a card. Then also, if you use them and it is not accepted by a public authority, let’s say, then stand your ground and refer to eIDAS because you are entitled to use them, so a little pushiness might be needed sometimes to really get the awareness raised.

Margus: And Johan also mentioned these card readers. I can actually say that most of the business class like Lenovo and Dell computers have the card readers built in. I know myself because in Estonia, there’s a lot of used business class computers sold that’s coming from Nordics and most of them have so I have personal experience that I have seen that they have card reader. You even have a card reader even you maybe do not realise that you have. When you’re, let’s say, in Finland then you have also ID card, if you have it. I think that 50% of people have it. You can already create signature if you go and look at your pin codes, where did you put them when you get the ID card.

Oscar: Good. Thanks a lot. It’s been a truly fascinating conversation. I think that the best conversation I ever heard about electronic signatures. Yeah, it’s time to embrace qualified signatures as you both agree. Thank you for sharing your knowledge, expertise, perspective from all these countries, Estonia and Finland, who are doing this in a very advanced way. Hopefully, we’ll see more widespread not only in Europe, but also in the rest of the world. So, thank you for that. Finally, I would like to hear from each of you how – if people would like to continue this conversation with you, what are the best way to get in touch with you, please?

Margus: From my side, we have actually quite active Twitter account that’s not done for sales, but like this call that just to educate people. You can follow @e_id_easy. Or you can come to eideasy.com and get in touch with us, if you want to learn more about electronic signatures and qualified levels.

Oscar: Thank you, Margus.

Johan: Yeah, and I would be happy to carry on the conversation, either from a citizen perspective or customer perspective or even from an organisational perspective, for example, the public sector or university sector. And I can be reached at my email johan.nyman, that’s [email protected]. Thank you very much, Oscar. It was really great to be here with you.

Oscar: Thanks a lot Johan as well. Again, it was a great conversation. Thank you Margus Pala, Johan Nyman and all the best.

Thanks for listening to this episode of Let’s Talk About Digital Identity produced by Ubisecure. Stay up to date with episodes at ubisecure.com/podcast or join us on Twitter @ubisecure and use the #LTADI. Until next time.

[End of transcript]