US citizen here trying to champion such a system in the US. Would you be willing to share pros and cons from your experience using the system day to day?
The e-resident system is a great idea, though banking support for e-residents is limited, mainly due to anti-money-laundering and anti-fraud issues. That being said, it's still great: you can still open a company, have a local presence, open a bank account and do business as an EU entity, but certain domains are not accepted by every bank (e.g. cryptocurrency), especially for e-residents who are also residents (not necessarily citizens) of the USA.
Friends who are actually resident in Estonia tell me it's pretty handy in their actual life.
A strong counterexample is Germany whose ID card also has a similar SIM and robust encryption support. There the legal implementation was seemingly designed in a way to thwart adoption, by privatising the wrong part of the system such that uptake has been nonexistent.
You can still sign something with a government-guaranteed key by plugging your card into your computer, but that will only help you communicate with other nerds. Fun to do once, but other than that useless.
I am a US citizen and resident and have Estonian e-Residency.
Despite all the trouble to get it (fancy packaging though), TransferWise (now Wise) as a real bank account is good enough. Not the p2p foreigner Venmo system, the banking system. I have a euro bank account through that and business banking too; it's good enough. There are a lot of kinds of businesses they don't support, so just don't say or advertise your business as one of those. The transaction limit is $1,000,000 per transaction, which you can send in quick succession if over that limit.
Insightful comment. Wise is the future, with fintechs providing an interface where you can hold various currencies and plug-ins to each country's payment rails.
US policy entangles US citizens and permanent-residency holders in tax and banking nightmares for years. Often even after a person has renounced their citizenship or residency, banks in other countries will treat them as US tax subjects anyway and impose onerous and privacy-violating reporting requirements. I can’t imagine the USA becoming a popular country for e-residency until its tax policies are more similar to other countries.
I will probably post something somewhere when I actually get to availing myself of the Residency status for what it was planned for - the pandemic put the brakes on that a bit ...
So far, I can speak for the ease of the sign-up process, quality of the documentation, clarity and community behind the effort. Oh, and, the tech. The tech is very well done. Thoughtful integration -everywhere-. Deep buy-in from the state itself (this is a must, and - methinks - what makes it all tick).-
To clarify: the tech is not "ground breaking" (yet?). It is very run-of-the-mill cryptography, certificates, etc ...
It's the -degree- to which it has been implemented in the whole "administrative stack", from government to stakeholders (CPAs, SMBs, the self-employed), and how it has been integrated into a coherent effort, that makes it work.-
Edit: To add to the insightful point below. Yes. A modern, innovative and forward-thinking regulatory framework is a sine qua non, and what has actually made any of this possible. That regulatory overhaul (first) and support is the most important form "government buy-in" takes ...
Are you working with a specific org or initiative? I'm also an American interested in this (and an e-resident who formerly worked for the Estonian government).
Mostly activist citizen efforts from the outside, as legislation is going to be required to appropriate funding and direction from Congress, and the legislators I interface with are busy with arguably more pressing work (unfortunate but entirely understandable, such are the times).
I intend to apply at the USDS for the Login.gov team in some capacity to help on the tech side if the necessary legislation can be put in place to support such an initiative. Their system already supports the DOD CAC (common access card), which is a short walk away from a citizen digital ID card (would be a different org and PKI root to administer and govern citizen cards, to grossly simplify).
Login.gov recently expanded to support city and local gov IAM needs (when they have ties to federal programs) [1] [2], so there is roadmap momentum and executive branch will. "Digital identity is a big deal. [3]" They're already serving 30 million users, and 500k DAUs, really just a matter of scaling up.
I get the spirit and am familiar with the CAC and general benefits, and using that for all .gov stuff is attractive (taxes, bills, FAFSA, etc.).
I think you're glossing over two major implementation factors that need to be part of the discussion from the get-go:
* how much CAC use is dependent on fairly specific govt tech infra to be widely deployed, and how will that work for everyone (ever tried to set up a CAC on a civ computer)
* key control, either extremely decentralized like the iPhone (lock yourself out of your passport?), or extremely centralized and the newest honeypot OPM holds (root cert for all e-citizen PKI). US currently doesn’t have the internal cybersec chops to run that at all (closest equivalent is CISA).
You're right to point this out, but my counter-argument is that these are solvable pain points for such an implementation (either done today in competent zero trust security architectures in progressive orgs or at nation-state levels such as Estonia). You won't need a CAC reader on computers, for the most part, if you have mobile apps that can perform the identity proofing (as is already done with examples like Apple's biometric systems, FIDO2/WebAuthn, Apple Pay, etc.). You'd still have the card for interfacing at endpoints (banks, postal service, IRS/SSA offices, other trust anchors and government services endpoints). I already log in to my US CBP Global Entry account with Login.gov and 2FA, so why can I not today use the same IAM system to log in to my Social Security account? Or my IRS tax account? Or to attest to my citizenship or other attributes that I'd normally need a certified document for (yuk!)?
I'm not arguing for such a system without robust support and reasonable downgrades for failure scenarios (identity reproofing if you lose your digital ID, for example). I'm arguing for, admittedly challenging, digital ID modernization without disenfranchisement. I genuinely appreciate you pointing out the challenges, as they must be addressed.
US DHS CISA is absolutely a resource that needs to be leaned on heavily to implement what I describe, and to ensure a strong security posture throughout the federal government's infrastructure.
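Since the reply above leans on FIDO2/WebAuthn as the phone-side replacement for a card reader, here is an added example (not from this thread or any of the projects it names) of what the server, the relying party, actually has to check when an assertion comes back: the challenge it issued, the origin, the RP ID hash, the user-presence flag, the signature counter, and the ECDSA signature over authenticatorData || SHA-256(clientDataJSON). The authenticator is simulated in-process with a fresh P-256 key; the RP ID, origins and challenges are constructed values, and the authenticatorData layout is the minimal 37-byte form without extensions.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
)

// clientData mirrors the CollectedClientData fields that matter for these checks.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// assertion is what the relying party receives back from the browser.
type assertion struct {
	AuthData       []byte // rpIdHash(32) || flags(1) || signCount(4)
	ClientDataJSON []byte
	Signature      []byte
}

// credential is the relying party's stored record for one registered key.
type credential struct {
	PublicKey *ecdsa.PublicKey
	SignCount uint32
}

const flagUserPresent = 0x01

// newChallenge returns a fresh random challenge, base64url-encoded as clients send it back.
func newChallenge() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// makeAuthData builds the minimal authenticatorData the authenticator signs over.
func makeAuthData(rpID string, flags byte, counter uint32) []byte {
	h := sha256.Sum256([]byte(rpID))
	out := make([]byte, 37)
	copy(out, h[:])
	out[32] = flags
	binary.BigEndian.PutUint32(out[33:], counter)
	return out
}

// signedDigest is what both sides hash: authData || SHA-256(clientDataJSON).
func signedDigest(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	d := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return d[:]
}

// signAssertion simulates the authenticator side (phone or security key).
func signAssertion(priv *ecdsa.PrivateKey, rpID, origin, challenge string, counter uint32) (assertion, error) {
	cd, err := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	if err != nil {
		return assertion{}, err
	}
	authData := makeAuthData(rpID, flagUserPresent, counter)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedDigest(authData, cd))
	if err != nil {
		return assertion{}, err
	}
	return assertion{AuthData: authData, ClientDataJSON: cd, Signature: sig}, nil
}

// verifyAssertion runs the relying-party checks and, on success, advances the stored counter.
func verifyAssertion(cred *credential, a assertion, rpID, origin, expectedChallenge string) error {
	var cd clientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" {
		return errors.New("wrong ceremony type")
	}
	if cd.Challenge != expectedChallenge {
		return errors.New("challenge mismatch (stale or replayed request)")
	}
	if cd.Origin != origin {
		return errors.New("origin mismatch (assertion was minted for another site)")
	}
	if len(a.AuthData) < 37 {
		return errors.New("authenticatorData too short")
	}
	want := sha256.Sum256([]byte(rpID))
	if !bytes.Equal(a.AuthData[:32], want[:]) {
		return errors.New("rpIdHash mismatch")
	}
	if a.AuthData[32]&flagUserPresent == 0 {
		return errors.New("user presence not asserted")
	}
	counter := binary.BigEndian.Uint32(a.AuthData[33:37])
	if (counter != 0 || cred.SignCount != 0) && counter <= cred.SignCount {
		return errors.New("signature counter did not increase (possible cloned authenticator)")
	}
	if !ecdsa.VerifyASN1(cred.PublicKey, signedDigest(a.AuthData, a.ClientDataJSON), a.Signature) {
		return errors.New("invalid signature")
	}
	cred.SignCount = counter
	return nil
}

// runScenario registers a key, then tries a valid login, a replay, and a wrong-origin assertion.
func runScenario() (validOK, replayRejected, wrongOriginRejected bool, err error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return
	}
	const rpID, origin = "id.example.gov", "https://id.example.gov" // constructed values
	cred := &credential{PublicKey: &priv.PublicKey}

	ch, err := newChallenge()
	if err != nil {
		return
	}
	a, err := signAssertion(priv, rpID, origin, ch, 1)
	if err != nil {
		return
	}
	validOK = verifyAssertion(cred, a, rpID, origin, ch) == nil

	// Presenting the same assertion again fails on the counter, even if the challenge were reused.
	replayRejected = verifyAssertion(cred, a, rpID, origin, ch) != nil

	// An assertion signed for a look-alike origin fails the origin check before anything else.
	ch2, err := newChallenge()
	if err != nil {
		return
	}
	bad, err := signAssertion(priv, rpID, "https://id-example.test", ch2, 2)
	if err != nil {
		return
	}
	wrongOriginRejected = verifyAssertion(cred, bad, rpID, origin, ch2) != nil
	return
}

func main() {
	v, r, w, err := runScenario()
	fmt.Println("valid login accepted:", v, "| replay rejected:", r, "| wrong origin rejected:", w, "| err:", err)
}
```

The origin and rpIdHash checks are what make a phone-based credential resistant to credential phishing without any card reader: the signature only verifies for the site the browser actually talked to. The counter check is the cheap defence against a cloned authenticator, which is the failure mode the reply is worried about when it asks for reasonable downgrades and re-proofing paths.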
Agreed, CISA is probably the target for a lot of positive growth in US defensive security.
So I get the direction you're going, but then this stands out:
> if you have mobile apps that can perform the identity proofing
This is assuming folks have a certain tech pattern of:
a) smart phones on the right OS version
b) smart phones properly patched such that an Android vuln on a cheap phone doesn't lead to your e-SSN getting compromised
c) number locks on their phones to prevent SIM swapping, if there's a non-app option
d) have a smart phone in the first place!
The risk model there just gets nuts when phones are involved (as a specific counter), at the benefit of including 2FA reqs and somewhat hazy income equality judgements on users (a lot of folks don't have smart phones). If you're really into this, definitely look into mobile security concerns and the ideas around tying identity into it. Cellular network security is... not like internet security assumptions.
That's on top of some really generous trust in US identity security practices... the OPM hack really has to be accounted for in this discussion, if in fact we're unifying IAM.
Also, didn't Estonia's root cert get popped or something to do w/ low entropy keys on their ID cards from the manufacturer, leading to a total reissuance?
Value storage and transmission networks have developed standards and implementations for identity, authentication, and authorization. ILP (Interledger Protocol) RFC 15 specifies "ILP addresses" for [crypto] ledger account IDs: https://interledger.org/rfcs/0015-ilp-addresses/
> A verifiable claim is a qualification, achievement, quality, or piece of information about an entity's background such as a name, government ID, payment provider, home address, or university degree. Such a claim describes a quality or qualities, property or properties of an entity which establish its existence and uniqueness. The use cases outlined here are provided in order to make progress toward possible future standardization and interoperability of both low- and high-stakes claims with the goals of storing, transmitting, and receiving digitally verifiable proof of attributes such as qualifications and achievements. The use cases in this document focus on concrete scenarios that the technology defined by the group should address.
FWIU, the US Department of Education is studying or already working with https://blockcerts.org/ for educational credentials.
Cool, I've heard good things about USDS. My understanding from Estonia is that really the challenge here isn't technical (e.g. the tech exists and just needs to be implemented) and what is really needed is legislative changes, but I certainly don't think it hurts to have advocates in influential agencies in an apolitical role. I recently moved to DC and am trying to do some networking and figure out how I can influence some of these topics. If you're considering USDS, I recommend also looking at TechCongress and Presidential Innovation Fellows.