Hacker News new | comments | show | ask | jobs | submit login
Estonia, the Digital Republic (newyorker.com)
351 points by jkaljundi 10 months ago | hide | past | web | favorite | 110 comments



Just a fun geography tip, you can easily remember the locations of the 3 Baltic states because they go in alphabetical order from North to South. Estonia, Latvia, Lithuania.


Estonia, however, is more Nordic than it is Baltic, other than in geography: its people and language are Finnic (neither Indo-European nor related to Latvian/Lithuanian) and it's been part of Denmark or Sweden for most of its history; there were even Estonian vikings.


That's not quite correct. There were also 'Latvian vikings', the Curonians. Latvia was also ruled by Sweden for centuries. There's not much difference there, apart from language. They were a mix of Baltic tribes, some combination of which formed the modern nation states.


I know, this may be unpopular in context, but are there any updates on the Estonian ID-cards?

News as of November were that they were (temporarily) locked-down [1] and are to be reissued until next March [2] in reaction to the RSA related security flaws [3] in the libraries bundled with the Infineon chip. Is this even an issue, or is everyone using a phone app, instead of the cards, anyway?

[1] https://www.theregister.co.uk/2017/11/03/estonian_e_id_lockd...

[2] http://www.bbc.com/news/technology-41858583

[3] https://www.schneier.com/blog/archives/2017/09/security_flaw...


Most people who use ID card every day have updated certs remotely or went to police office. I would say government handled it pretty well.

Problematic was communication with card maker Gemalto, who didn't inform Estonia about security flaws properly. Gemalto was informed by researchers in March. These researchers informed Estonian government in August. Few days after that prime minister announced security problems.

Things would have been a lot of easier if Gemalto didn't hide the problem from the government.


Chances are that the contractual arrangements that routinely exist between governments and contractors like Gemalto make "blameless post mortems" non-profitable. It's a tricky thing to do right, because you do want to have accountability in the contract.

Governments (rightly) want contractors like this as experts-on-tap in the technology under consideration. But what you really want is not exactly a provider of the technology, but rather an advisor or partner in the process of implementing your process. I don't think we know how to structure a non-nepotistic relationship of that kind.


That's usually why projects of this size have multiple parties involved aside from directly contracting with the vendor.

As much as it's easy to hate on the Big4 consulting companies, they exist for this reason among others (some of which have more to do with how to grease the skids with pork).


[flagged]


> The Soviet Socialist Republic of Estonia would have had access to some of the best, but not anymore.

wat


Estonia was a part of the Soviet Union, and the Soviets had some pretty good crypto by Cold War standards.


yeah, and we see now how "democratic" is Russia now, so your observations about Soviet Union crypto specialists and this topic about Estonia's E-systems is totally unrelated.


Sorry, but calling todays Estonia 'the soviet socialist republic' is just plain stupid.

I haven't heard that Germany is called former na%i state when refering to country.


Do you mean Nazi? At least in the US, it's legal to use that word.


Comment was blacklisted when written with z.

Probably too many 'offensive' keywords.


Sovuets also had ever decreasing desire to do anything civilian.


Most people I interact with (here in EE) were not too much affected by the problem, since a lot of people actually use MobileID, with the crypto chip embedded in the SIM card of your smartphone, which was unaffected and available for like 10€ from each telco in Estonia. Saves you from lugging around a smartcard reader. Depending on your threat model, the fact that the PIN never enters computer memory is an advantage for MobileID, unless you prefer a proper PIN-pad reader.


We also have Smart-ID[1] now, a convenient alternative to Mobile-ID. Although not as widespread as Mobile-ID, most banks and government portals have already adopted it.

I personally prefer Smart-ID because of the low friction in getting started, compared to Mobile-ID where you have to get a SIM-card that supports it.

[1] https://www.smart-id.com/


It has to be said, however, that this is NOT a "legal" qualified digital identity or signing scheme, conceptually similar to any other commercial authentication tools like PIN calculators, codecards or what not. It is actually marketed as such and provided by the private sector.

The security assumptions for Smart-ID are far weaker than MobileID or ID-cards and actually no government institution will accept such signatures. You can sometimes use it for identity, for example the Tax Board allows you to authenticate via your bank, which in turn may support Smart-ID: https://www.emta.ee/eng

Since offering Mobile-ID actually costs a lot of money to banks (since there is no direct connection to the card via browser and a USB cable, you have to pay to use some API-s across SK.ee & telcos), it is the main motivation for developing it.


Conversely, it's a good tech demo of using the real power of the id card infrastructure, that is trust root federation. More of that kind of thinking could enable great things.


They released software that allowed you to update the certificates on your card.

They then gave a limited time frame for every one to migrate their cards over. Either with the software update or going to the police department and having them do it for you.

After the deadline they declared all older cards digitally invalid. Meaning that you can still use it as a physical ID but not for online auth or signing processes.


Not sure when physical replacements start shipping, but the latest companion software (https://id.ee) offers a pretty smooth online key regeneration feature.


Rolling out new physical cards in just a quarter of a year may be some feat. – Is there confidence in achieving this? Or is the key regeneration tool a complete replacement for the procedure?


The key regeneration is touted as a proper solution and the cards do not need to be replaced after the procedure. It takes advantage of ECDSA to circumvent the borked RSA.

https://github.com/open-eid/qesteidutil/commit/20ead85d31b0b...

There is a huge campaign going on with service points open even in shopping malls for people that do not manage the process at home. Initially there were some scaling problems, though..

Edit: to tell the truth, the information available in Estonia regarding the exact nature of the fix is still scarce. There has been some offhand remarks from RIA that the updater basically patches the microcode on the card to generate an EC keypair, but not a lot of details.. The basic premise that the new key is still generated on the card, still holds, apparently.


They asked for certificate updates to continue using the cards.

I don’t use them on a daily basis, because I use an app for authentication, much faster.


I updated the certificates using the tool they provide. Anyway I'm using the app most of the time.


Just opened a company in Estonia. The experience so far has been incredible. It's not quite the future - all the technologies should exist everywhere etc. It's the present that should have been, but somehow it's not.


I opened a company last year. In my country we can't access Paypal or Stripe and international bank transfers are painful. I had to travel to Estonia because of the KYC stuff from the bank, the rest of the process was completed remotely.

Also the deposit insurance in my country is quite low, so saving money in Estonia is a good option for me.

I'm using the LHV Bank, they give you a multi-currency account, a great mobile application and also access to different worldwide markets (for investments, etc.).


Curious to know: what's your home country? What are the tax implications for you locally?


Personally none - I pay taxes in my home country and everyone is happy. The company rules (delayed income tax, income tax rate) might be subject to treaty that defines "command and control" - that is if the company is really located in Estonia or is it effectively in your home country? If you have an actual office or co founders from other countries or some other vague "company is actually located in estonia", then there are no tax implications of that, other than your personal income.


Me too! I used leapin for the whole process. Never had a more pleasant experience with bureaucratic procedures.


I'm getting ready to do this but haven't figured out a way to open a bank account there without visiting the country. How did you do that? I saw there's a service that will do it for you but it seems like an expensive monthly fee.


I opened my company with Leapin. Easy and fast.

If you don’t need a bank account and you can live with PayPal you don’t need to go there. I needed a bank account and credit card so I traveled to Tallinn and opened a bank account at LHV. You have to sign the documents at the bank office.

I think LHV Bank is working on a remote process with an interview using Skype, but it was not available several months ago.

Still, I have faced several issues setting up my small SaaS service: Stripe is not available and my Braintree application was rejected because they did not understand why I wanted to create a company in Estonia! It took me two weeks to explain that I was a nice guy and then everything went fine. I also had issues creating a merchant account in Coinbase, so I had to use Bitpay.


I'm in the process of opening remotely a company with Leapin. My first intention was to use Holvi for banking but I realized you need to pay 30€/month if you are a e-resident so I probably will switch to Transferwise Borderless.


To be honest, you should visit the country either way. Estonia is a pretty wonderful place, at least it was when I visited.


Why did you do it in Estonia?


English, stable currency, ability to do stuff online, mature and working banking system. Does not leave many interesting candidates.


What are the advantages over using Stripe Atlas and having a US Delaware C Corp for $500?


I tried to sign up for stripe atlas in beta and they didn't want me :)

More seriously - owning shares in us companies create scary tax implications that require some advice when having us clients. US banking system is stuck is in the 1800s and dealing with it is a very serious pain. US legal system, unlike European is very unfriendly for individuals - its just infeasible to do stuff yourself on a shoestring budget, without hiring professionals.


> US banking system is stuck is in the 1800s

As someone who has to work integrating to banks, yeah this is sad but true.


> its just infeasible to do stuff yourself on a shoestring budget, without hiring professionals.

Millions of new businesses are started every year in the US on a shoestring and without hiring professionals.


For foreign owned companies there are a myriad of complex reporting requirements a US person would never see.

Despite not even being a tax form some of these (e.g. FBAR) have penalties of 50% of the unreported amount. It's not something you want to leave to chance.


> Millions of new businesses are started every year in the US on a shoestring and without hiring professionals.

I don't think that's meaningful. There are 320 million people in the U.S., and only a tiny proportion of people anywhere would consider opening their business in another country.

That doesn't mean there isn't a high barrier to accessing the U.S. legal system. For example, as we know, well-funded parties often defeat poorer parties by simply threatening legal action, because the poorer party cannot afford to use the legal system.


Maybe it needs to be in the EU.


What are you using (if you are using anything) for taking credit card payments? Stripe is not available there, right?


Stripe is not in Estonia, so we applied to Braintree. It took us a couple of weeks and we were rejected at the beginning, but finally they accepted us.

Also 2checkout can be an option too.


Dang, I should go try and reapply, also e-resident, also got rejected pretty quickly. Good to know the guys are open to re-evaluation.


I was a Braintree customer for more than three years in another company. My experience in my former company was very good, so I was a bit surprised when I was rejected.

I wrote to them and I asked them to explain to me why they have rejected me. I told them I was an ex-customer and I could prove it. So they came back and they asked for an insane amount of information and documentation. Something I learned is the 'no-paper' model of Estonia is something Braintree doesn't like at all.

I had a problem with a very specific request, and Leapin helped me to get it in less than 24 hours.

So yes, go and try again!


It's so unfortunate that Stripe isn't supported in Estonia yet! It would be a major boon given the good reputation Stripe has among developers.


I've worked with both Braintree and Stripe, and I'm honestly not sure why people harp on about Stripe so much compared to BT. In my experience, they're both super easy to work with.


Maybe it's a regional thing but I never encountered Stripe in the UK/EU. I don't think people know of it.


On the other hand of anecdata, I'm in the UK, and plenty of people I know have heard of and use it. It's the developer go-to for most projects I've seen, but BT does appeal with Paypal integration.


Stripe is used by https://pythonanywhere.com I believe they are based in the UK according to their payment statements.


What about Paymill?


What bank are you using? Apparently Stripe doesn't accept Holvi or Transferwise (which indeed are not banks)


Investigating that topic, but taking card payments is not a part of my primary business.


Can you open a company without visiting the country?


yes, but you cannot open a bank account. You can use holvi (https://about.holvi.com/e-residents/) but I haven't used it and don't know details on how it differs from a regular bank.


https://president.ee/en/media/interviews/13471-our-citizens-...

Article by Estonia's current president, Kersti Kaljulaid.

"As the President of Estonia, I represent the only truly digital society which actually has a state. And this position has made me question whether the state as we know it today is fit for the 21st century."


Meanwhile in Germany:

- you can't even send an email to tax authorities and have to print/send paper letters

- mobile internet is very slow and super expensive.

- until recently it was not even possible to share your wlan


I don't think something working for 2 mln nation scales up for 80 mln nation. Anyways the German paper and post fetish, and active fight against any internet in wireless form is obnoxious.


I don't think something working for 2 mln nation scales up for 80 mln nation

Why? There's proportionally more manpower, and even more than money than that.


Try to drive a small car. Then try the same with a big truck and you know there can be scalability issues ;)

In case of Germany the problem might be that they do not need to change much as everything is okayish. In Estonia they knew they had kind of nothing after the 90's and there was a real need to reinvent themselves.


This! I finished my 4GB with Blau and they don’t have any option to top them up. Just be ok with a limited connection at 64kbps, was their support reply. Insane.


This sounds so backwards to me. Usually us third worlders have markedly worse infrastructure than abroad, but I use a prepaid plan for ~$9 (not adjusted for PPP) which gives me 2.5 GiB 4G per day for 30 days. Limited monthly plans seem like a thing from the past.

Is there a lack of competition in the mobile service provider market? Bad regulation?


Wow, really 2.5GiB per day? May I ask which country?

> Is there a lack of competition in the mobile service provider market? Bad regulation?

Probably too few competition. I live in Germany and have not yet looked into this much, but I think Deutsche Telekom could be still a problem creating the majority of the infrastructure and offering usage for others probably only via higher fees. Similarly why there is no real competitor to Deutsche Bahn in the train sector.


I don't really know, but check this out. You don't need to understand German to see the crazy prices Telekom is asking for capped data plans:

https://www.telekom.de/unterwegs/tarife-und-optionen/smartph...

In Thailand last january I paid 9€ for a 4G Sim that lasted me 1 month with something like 21GB allowance.

Plus LTE's speed is limited here. Thanks to the EU rules on roaming I'm now using my Italian Vodafone seem for data :(


> May I ask which country?

India. I live in Mumbai and use Airtel; apparently the plan I was using got discontinued, so I'm going to bump myself up to the 3 GiB/day for 30 days plan at ₹550 (~€7.5). This is considered expensive here, with cheaper options like Jio readily available.


It's still not perfect but most messages to the tax authorities can be send electronically via Elster. Companies are even required to do their filings electronically and can't do them on paper anymore.

Many tax authorities will communicate with you via email if you sign a form that you understand that email is not encrypted (for regular questions, proper applications need to be done via Elster).


I got estonian e-residence and wrote about it here (for those interested).

https://impossiblehq.com/estonian-eresidency/


> unless you count the Consulate, which technically is sovereign ground

Actually, consulates are not considered sovereign ground [0]

[0] - https://www.quora.com/Is-an-embassy-sovereign-territory


I keep seeing a ton of ads for starting a company in Estonia.

To those who've done it, what are the pros/cons?

For the record, I'm based out of India and have been advised to setup in Singapore


For me, it’s cheaper to run a company in Estonia than my country (an EU country). You don’t pay taxes if you company has benefits. You pay taxes for the dividends only, which makes the company perfect for very early stages.

Also, for an international business a company based in Estonia looks more reliable and “techie” than other countries. And this is important if You sell digital goods or services.

I think Singapore can be a good place too, but it’s much more complicated for me.


>Also, for an international business a company based in Estonia looks more reliable and “techie” than other countries.

Not sure what you mean. Singapore seems quite international, reliable and techie, based on what I've read, as well as heard from friends and clients who work there. (There are tons of enterprises that have a base or regional office there, and many startups there too).

Interested to know if I got you wrong, or am wrong.


Absolutely, Singapore is a top place for tech companies. I was comparing Estonia and the country I live.


I guess you can only do this for some kind of companies? I've got a Belgian company and it's mostly just me doing consulting work. I live in Belgium and most of my clients are other Belgian companies. So I guess Belgian taxes wouldn't allow me to invoice from my Estonian company?


I don't know anything about Belgium but it's probably similar: If you have a branch located in Germany (which is definitely the case if you are the sole employee permanently living there) you need the pay the same taxes as an equivalent German company for all income derived from there.

The Belgian tax authorities must allow you to invoice from the Estonian company (that's part of EU freedoms) but it probably won't save you much taxes.


In this case you would still be subject to Belgian taxes and regulations, since your principal place of business is in Belgium. Arguing otherwise could be pretty complicated and would probably require an actual office with employees in estonia and a good tax lawyer.


>if you company has benefits.

By "benefits" do you mean profits?


Correct, 'benefit' is a very common English-Spanish false friend for profit. Sorry!


I believe he means dividends.


Terrible experience here. Endless problems with the ID card, slow, unhelpful support, clunky company admin portal with poor translations. Got spammed by random accounting firms as soon as I was on the company register. I gave up and decided to just continue using my NZ-based company in the end. They need to do a better job if they want to live up to their self-congratulatory marketing.


Yeah, sadly it is legally allowed to spam company contacts.


I think it’s much easier if you use someone like leapin to manage the company formation process.

I’ve not had any of the issues you’ve mentioned (maybe about 3 spam emails).


Depends on how good of a spam filter you are using. On Estonian mail host zone.ee, about 10 spam e-mails get through every day. Talking purely about Estonian e-mails: on GMail Gsuite, nothing lands in the Inbox, but about 2-4 spam mails per day land in the Spam folder.


I'm using gmail, which has a great spam filter, but have had a lot land in the inbox.


Well, if you're trading in Europe that's a huge benefit. But also the big selling factor is how much of their governmental services are digitised and unified. It makes dealing with anything like taxes quite convenient.

It's quite smart for Estonia to do this because they have quite a lot of brain-drain. Lots of up-and-coming educated Estonians end up leaving the country to persue jobs in Europe due to the lack of companies operating locally.

Trasferwise is capitalising on this, but the government sees it as a reason to heavily invest in making companies want to be in Estonia.


There seems to be a fair bit of tech work here, at least, but the average salary is low, and the personal tax burden (with social tax) is high.


It takes time, I think from initial application to having the company set up, it was about 2 months. One month waiting for authorization, another month for the card to arrive.

Setting up the company is then easy. To set up a full bank account you need to go to Estonia. You can setup a transferwise account which gives you a banking facility however.

There are other countries where you can setup companies quicker, or with better tax implications. But I don’t think there’s a good option in the EU.

If I were you, I’d get the e-residency card now and have it available if you want to quickly start a company later.


I think it's time we expected more from our government.


How closely does the KAPO (Estonian Internal Security Service) monitor e-Estonia?


Unauthorized collection of data is a crime, and there hasn't been much scandal. Fairly impossible to be certain, but there's no reason to suspect it is occurring.


https://freedomhouse.org/report/freedom-net/2017/estonia

It's either done really secretly or not at all.


I'm a big fan of Estonia, Estonians and during my many visits I admired how quickly they transformed their small but not insignificant country to an innovative model nation. I hope they can stop brain drain and our Estonian colleagues realise that they have a 10 times bigger impact on the world if they stay there than if they move to Silicon Valley or other bigger hubs.


E-government in Estonia, all fine and dandy[0]. But there is so incredibly much low hanging fruit to fix on an administrative level, all over the EU...

I recently completed an advanced level of "Kafka quest": a 40-day fight with the city administration of Leuven, Belgium. The goal? Change the marital status of my Latvian(EU!) girlfriend in the Belgian(EU!) civil registry. From "undetermined" to "single".

-"No, we can't accept printouts from an electronic service. It doesn't look like our examples, nothing at all like what we have."

-"But it's the only marital status the Latvian civil registry gives out since a few years. Have a look at this explanation on the relevant Latvian government website. In English. With a Dutch translation I made to help you."

-"I'll have to ask my boss."

-(two weeks, several emails and phone calls later) "OK, we can accept this document. You don't even have to get a court stamp to legalise it. But it needs to be translated. To Dutch. All eleven pages, even if we need only that single word "single". No, google translate for the relevant bits won't do. No, you can't translate it yourself. It has to be done by a certified translator. Here's a list."

- Leuven official sends me a list of certified translators. No certified translator for Latvian on it. I find one online, in a city 100km away.

- Certified translator translates the 11 page document for us. Gives us a discount because it doesn't need a certified translation.

- Make an appointment a week in advance (the fastest possible) with the city government, then back to the Leuven city hall.

-"Ah, when we said it the civil registry excerpt was free of legalisation, we meant the original only. The certified translated copy needs to legalised. By the court of the city the translator is attached to."

- Back to the translator in the city 100km away, to request legalisation by the local court of her translation of a source document that is free of legalisation.

- Wait another two weeks for the stamped document to arrive by snail mail.

- Make another appointment with the city services.

But fear not, for there is hope! In a few years, so I learned, standardised paper forms will be developed to exchange this kind of information within the EU, hopefully eliminating the need for certified, legalised translations.[1]

[0] ...except for the fundamental conceptual insecurity of voting from home of course.

[1] http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELE... for a bit more context.


In germany I'd call this tuesday and everyday that isn't tuesday. The amount of paperwar that I had to deal with at times was insane.


The most interesting part of an interesting article was the bit near the bottom about "kratt law"—conceptualising the idea of wanting to "make it possible to hold accountable whoever gave a drop of blood." It's a beautiful and highly comprehensible metaphor.


Estonia also has a very interesting and unique scheme for taxation of corporations: https://en.wikipedia.org/wiki/Taxation_in_Estonia#Corporatio...


How do things like director expenses work? If I setup a company that rents me a house, a company car, and caters all my meals, I don’t need to pay any taxes?


The Tax and Customs Board does not look too kindly on that, because those would be considered costs not related to your business and you would have to pay all the ordinary employee taxes (fringe benefit taxes) on that. If your company's office is located in the same apartment you live in, then you could argue that at least partially your costs are entrepreneurial costs - it is how sole proprietors (FIE - füüsilisest isikust ettevõtja) operate. Do not know of a way to get around food costs though, it is not as if you could mark down every lunch as marketing/sales/client meeting with the limit to representation expenses - 32 EUR per month + 2% from gross salary per month.

As an example, the latest hooplah around enterprise taxation is related to using company cars during private time. If an employer does not allow to use company cars for private purposes, then they will be marked as such in a public registry. If you have a feeling that your neighbor is using his company car outside of work, you can check it and report it to the TCB: http://www.err.ee/643218/erasoiduks-tooauto-kasutaja-saab-na... But if the company car is not registered as such, then you will have to pay fringe benefits tax 1,96 EUR per engine kW per month for newer cars and 1,47 EUR per engine kW per month for cars older than 5 years.

As an exercise to the reader, think about how flat taxation per kW affects companies with electric cars.


There's a principle concept that every expense has to be for the purpose of doing business. If it's not, then it will get hit with income tax, and sometimes even payroll taxes.

In practice nobody really monitors these things and many do abuse the system to cater for themselves etc. However if you find yourself an enemy who will report you (even just on suspicion), then you better have a convincing case for the tax authority and/or judge as your accounting gets audited.

There are a bunch of special benefit rules that can be used for lawful cost savings though. There are lawful ways to split car costs with company money, there are lawful ways to get a tax-free daily allowance if you're traveling for business, limited to some X days per month.

In general I think the company tax rates are low enough to do everything lawfully. Taking out profits as an owner incurs a 20% income tax to the company and zero taxes to the individual. In addition, if you've taken out profits before, then the company income tax is 14%, up to the amount that equals the average of the last 3 years. So if you take out similar profits on a regular basis, the tax rate is only 14% on everything.


> In addition, if you've taken out profits before, then the company income tax is 14%, up to the amount that equals the average of the last 3 years. So if you take out similar profits on a regular basis, the tax rate is only 14% on everything.

As I understood it, this is only so for distributing profits to legal entities. If you're distributing to a private person, the private person will have to pay a new 7% income tax which sums up to a total of about 20%. This of course only matters if the private person is tax resident in Estonia.

I find the PwC tax alerts very informative to be kept up to date on the tax laws in Estonia: https://www.pwc.com/ee/en/press-room/tax-alerts/estonian-tax...


You're very much correct, thanks for pointing that out!

I hadn't seen any mention of the new 7% individual rate in any newspaper articles or even accounting firm articles. I now inspected the actual income tax law [1], and sure enough the 7% clause is there.

One one hand this means a slight net tax increase to 20.02% [2], on the other hand if the total individual income is less than 25200€/year then a part of that 7% will be returned.

--

[1] Unfortunately not yet translated to English https://www.riigiteataja.ee/akt/107072017022

[2] 100 * 0.86 * 0.93 = 79.98


Indeed, I too had difficulty finding exact information on this new change. I then stumbled upon the PwC tax alerts where it was very transparently explained. Personally I wouldn't mind if they would take a bit longer to implement changes like this, so everyone can be accurately informed and optimise in time.



Imagine if they one day actually got invaded and we would see the start of the distributed republics of Neal Stephenson.


I might actually have an idea of what the article was talking about, but after reading 5 paragraphs about the road and lawn I just kind of gave up.


I agree - I prefer dry facts and really dislike the trend of news written like narrative. I usually turn off after the first sentence (invariably an attempt to write like a 19th century novelist) because I know its going to be 10 minutes before i figure out if there's anything of value to me in its content (I acknowledge that sometimes there is and I'll miss out).


It is disconcerting for an upstart like the New Yorker of co opt a dickens style. You’d think after 90 years they would realize it is just a fad.


Well that's New Yorker, they're the kings of long reads.


always good reads though


jou jüri




Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact

Search: