Data security and blockchain solutions – lessons from Estonia

Henry Rõigas, Guardtime
BLING Mid-term magazine article
Readiness criteria: Blockchain architecture, Data handling, Legal Requirements, Mandate


Henry Rõigas talks about how Estonia developed the world’s first government blockchain service, and lessons learned about how and when to choose blockchain-enabled solutions, and the need to ensure you have access to people with real world blockchain experience.

Henry Rõigas works for the Estonian company Guardtime and is leading their research, development and innovation work to develop advanced data security solutions based on its KSI Blockchain technology.

Can you tell us a little bit about your current job?

I work for Guardtime, where I’m leading our research, development and innovation cooperation. Guardtime – established in Estonia in 2007 – is developing advanced data security solutions based on its KSI Blockchain technology. KSI provides massive-scale data authentication without reliance on centralized trust authorities.

I’ve been at the company for about two and a half years and it has been a great experience as the company is rather unique in the blockchain space. When the company was created in 2007, the term “blockchain” did not exist. Once blockchain became “the next big thing” and well known, Guardtime was ahead of the curve as we had already deployed solutions based on our KSI blockchain in production with many governmental, military, and enterprise clients. My team’s objective is to boost research, development and innovation cooperation with the EU, European Space Agency and other European research organisations.

I’m also a member of the board of directors of INATBA: The International Association for Trusted Blockchain Applications. INATBA is a multistakeholder organisation based in Brussels, bringing together all the relevant players in the distributed ledger technologies (DLT) community. INATBA has really grown to be one of the main organisations in the blockchain ecosystem with close to 200 companies that are developing or are interested in DLT and with very representative Governmental and Academic Advisory Bodies. My focus as a Board member is to enable and stimulate INATBA’s collaboration with research organisations.

2007 is quite some time ago! Why did Guardtime start then, and why in Estonia?

It is indeed! Guardtime’s core technology – the KSI blockchain – has its roots in the research of a few brilliant Estonian data scientists who were working on cryptographic problems (particularly on linked timestamping) before the creation of the company. And in 2007, as you may know, Estonia was faced with one of the world’s first politically motivated large-scale cyber-attacks. This functioned as a wakeup call to Estonia and, actually, to the world. It was clear that novel technologies were needed to mitigate the growing risks that come with rising dependencies on information technologies. So, a combination of the academic research, living in the world’s most advanced digital society and the looming cyberthreat – these are the factors behind the creation of the company.

And as I said, back then, the term “blockchain” didn’t exist. Guardtime was initially created to solve a quite specific cyber security issue: ensuring data integrity. Our focus was on how to make tampering with data impossible and being able to prove the integrity of data without depending on any third parties or central authorities. In a country like Estonia, and in our modern digital world as a whole, data has essentially become the “fuel” of the 21st century – and ensuring its authenticity and integrity is a basic need. So Guardtime has taken a very pragmatic, problem-oriented approach to solve very fundamental data-security related issues.

Can you give us some examples of blockchain or distributed ledger technology being used by governments?

I can speak about what we have achieved with Guardtime in Estonia, which, in 2012, deployed a blockchain solution as part of the national Succession Registry (a registry of wills), becoming the world’s first nation state to deploy a blockchain-backed solution in production. Today, several national (Estonian) registries are backed by Guardtime’s KSI blockchain technology. For example, we have integrations with the Healthcare Registry, Property Registry, Business Registry, Succession Registry, the Digital Court System and the State Gazette. Estonia uses the KSI blockchain to enforce the integrity of government data and systems. The solution – integrated with the existing government infrastructure and ensuring privacy by not storing any data on the blockchain – makes it impossible for malicious insiders (e.g. officials abusing their powers) or hackers to make changes to the highly sensitive data stored in these registries. It essentially provides blockchain-grade trust for the citizens about the processing of data, renders data immutable and allows for independent verification of the integrity of that data. This means that if there’s a question about trust or malicious actions, organisations hosting and processing data can mathematically prove who has accessed a certain piece of data and when.

Take electronic medical records for example. Citizens need to be absolutely sure that, first, their medical data – such as their blood type – is not changed somehow, and, second, that the data is accessed, viewed and processed only by those who have the authority to do so. Every health record – and its access logs – is protected in this way in Estonia.

How does KSI’s massive-scale data authentication work?

Unlike traditional approaches that depend on asymmetric key cryptography, KSI uses only hash-function cryptography, allowing verification to rely only on the security of hash functions and the availability of a public ledger. With this, Guardtime guarantees data integrity without the need to keep secrets. Instead of putting all of the data up in the blockchain, we ensure privacy by operating only with the so-called cryptographic fingerprints of the data.

How did you get involved in blockchain? And why are you excited about blockchain?

Henry thinks for a bit.
Well, I guess part of it was by chance, as is usually the case with many things in life. Before Guardtime and getting involved in distributed ledger technologies, I worked as a researcher for the NATO Cooperative Cyber Defence Centre of Excellence – a NATO-affiliated think-tank and competence centre where I did policy research on cyber defence and security. At some point, I wanted to move away from research to more practical things – I wanted to be involved in the development of innovative and potentially breakthrough technologies that have a more direct impact. And this is what really excites me: new technologies, solutions that solve serious, fundamental problems.

I see that there are some legitimate, and potentially high-impact use cases for blockchain, e.g. for cryptocurrencies, for self-sovereign identity, or for specific cyber security solutions. But there has also been a lot of hype and ideas that really do not appear to be realistic or useful. In some cases – during the peak of the blockchain hype – it almost felt as if people and organisations were more interested in asking themselves what they could do for blockchain. But people and organisations investing in blockchain should actually be focusing on asking what blockchain can do for us.

On the other hand, looking at today’s developments, it is also clear that we have moved past the hype. In 2019, the commercial investments into blockchain dropped drastically and with the current pandemic, this overall trend is bound to continue. Public funds are usually a bit slower to follow, due to the more complex decision-making and longer-term budgetary processes. So public investments are still relatively high, and sometimes rising. That being said, I don’t always see a clear end goal in terms of the use-cases that are targeted by these public programmes… but this is how innovation works… you take risks, and then you find out what works and what does not. But organisations need to find a balance between unquestionable optimism and realistic pessimism. Easy to say, difficult to execute.

Do you have any advice for government officials and policy makers who are considering blockchain-enabled solutions?

My main recommendation to governments is on the methodology or approach they use when they want to develop or invest into blockchain technologies. As the very basic first step, you should define the problem that needs attention and can possibly be solved with a DLT-based solution. And then – only after this step – you need to analyse whether a blockchain-based solution is the most reasonable approach, in comparison to other “non-blockchain” alternatives. This point is really important – you need to conduct a thorough comparative analysis of all different technological solutions before creating some pre-set technological dependencies in your solution or service that have a long-term impact on how it will be designed, managed and used.

Another issue to keep in mind is the skills and knowledge gap – the lack of sufficient relevant technical competencies within public institutions. Blockchain-related technologies are quite complex, but this is a more general issue. In the labour market, the public sector – with its inflexibilities and particularities – often cannot compete to hire the high-level technical specialists who are bombarded with lucrative and interesting opportunities in the private sector, especially in the field of IT.

Being a non-techie by training myself, I find it best to acknowledge the limitations of my own knowledge, and to try to learn how to ask the right questions, and then to establish access to a pool of experts who can answer those questions. At the government level, this requires acknowledging individual or organisational limitations and establishing cooperation mechanisms with the private sector and academia.

We talk about blockchain in general and the remarkable enthusiasm it has generated in the last few years. Is it blockchain that got people excited, or is it the philosophy and ideal of a decentralised world?

Oh, yes, discussions about blockchain can get confusing. There are different definitions, but also very different general understandings among the stakeholders. Indeed, blockchain sometimes does carry a ‘power to the people’ message to some. This sometimes generates a useful enthusiasm, and allows individuals and institutions to ask questions about existing business and governance models. Opening oneself up to such fundamental questions is the most useful, I think, for policymakers and governments.

In addition, there is this interesting dichotomy when it comes to the vision of decentralization in the context of governments who aim to develop and integrate blockchain technologies. To put it very simply, blockchain often adds value only when there are trust issues. How should governments position themselves here? Aren’t governments actually the main trusted “middle-men” in our societies? Should governments then rather look at the specific technological benefits that may be provided by the solutions? Such as increased security?

Or should the focus be on ensuring more take-up through increased trust by the users, citizens? These are broad and simplified questions, but I just wanted to highlight that there is a tension between the promise of decentralization and public, state-provided services.

So far, it seems there are not a lot of blockchain use cases up and running in government. Why do you think that is?

As I have not been involved in many government-backed blockchain use-case developments, I can only make some guesses on the possible reasons. It may be that some blockchain-backed services are just too expensive to integrate and/or comparatively inefficient compared to existing or alternative solutions. Also, implementing and putting blockchain-based tech into actual use can simply be a very costly or a lengthy process. We also might be at a point where the technology is simply not mature enough.

A lot of investments by public institutions have gone to research and development, and we can hope that these yield results in a few years. There are also specific technical complexities around scalability, privacy and governance. In addition, the issues I mentioned in my previous answers are still relevant: the lack of experts involved in the technological decision-making, the lack of a brutally honest and comprehensive analysis of reasonable use-cases for the technology, and the decentralization versus control question. But – this is just to point out the possible reasons, and these are certainly not universally applicable. There are always problems when it comes to complex processes and issues. Time will tell.

What role do you see for the International Association for Trusted Blockchain Applications (INATBA) in the future?

I see a very important role for INATBA. The association has the potential to become the key player in bringing together the blockchain community to present a necessary unified voice for the industry and the community at large, be it for involvement in policymaking, agreeing on definitions, providing input to standardisation activities, or fostering collaboration with governments and academia.

As many questions about how we can best use blockchain remain unanswered or open, INATBA acts as a collaboration hub and is becoming very useful for all the stakeholders in the blockchain ecosystem. Governments who have blockchain-related projects or are planning to invest more in the technology should certainly contact the organisation and get involved. INATBA is one of the tools to address the questions and issues that I identified that governments face when trying to innovate.