Statement regarding the research piece by Privacy International

On 12th January 2022, Privacy International published a research piece titled ID systems analysed: e-Estonia (X-Road). Unfortunately, there are several inaccuracies about X-Road® in the content, and on 18^th January, NIIS has approached Privacy International requesting a correction.

Because the inaccurate information regarding X-Road is already spreading on the Internet and NIIS has not received an answer from Privacy International so far, NIIS is releasing this statement to correct and clarify the essential points to the audience:

• e-Estonia is not X-Road, and X-Road is not an ID system.
• X-Road is a data exchange layer between information systems.
  
• If X-Road is used as a data exchange layer in a process that involves end-users and requires their authentication, the service consumer and service provider are responsible for the end-user authentication.
• X-Road is not an "underlying technology" in the ID system. The ID system (in Estonia) allows citizens to log in to different citizen services. X-Road operates in the background between different information systems only, and the citizens don't have any direct touchpoint with it.
  
• The physical ID cards and the digital identity are not used to access X-Road. The citizens only use citizen services, such as the services accessible through the eesti.ee state portal, and the information systems in the background are connected via X-Road.
• ID cards are one authentication alternative when using digital services, but there are other alternatives too, e.g., Mobile ID.
• X-tee nowadays is the name used for the Estonian X-Road environment. X-Road is the name of the open-source software.
• X-Road is regularly audited, and it has a public bug bounty program. More information about X-Road's security is available here.
• "The fact that Estonia's e-ID had fundamental implementation failures" has nothing to do with X-Road, unlike the text suggests.
• Citizens in Estonia don't have access to the log files (of X-Road). Instead, there's a system for controlling who has accessed your own data at certain Estonian authorities called "Andmejälgija".
• "X-Road Members" mentioned in the article are, in fact, NIIS Members. X-Road members are member organisations of a specific X-Road ecosystem (i.e. the Estonian X-tee).
• There are no X-Road members globally. There's the global X-Road Community (the open-source community of X-Road users and other enthusiasts; facilitated by NIIS) and X-Road Technology Partners, which provide commercial support and other services related to X-Road.
• "X-Road Partners" mentioned in the article are, in fact, NIIS partners. NIIS has a model for partnerships with administrations that have implemented X-Road. There are no "X-Road Partners".

NIIS respects the work of Privacy International and shares their ambition for a world where technology will empower and enable us, not exploit our data for profit and power.

Update: Privacy International contacted NIIS on 19 January 2022 at 18.50 EET with a promise to check the information.