Estonia's Guardtime follows the data trail

By bne IntelliNews May 14, 2014

Mike Collier in Tallinn -


We all know the feeling of waking up and thinking: "I really need an exabyte-scale digital asset authentication service. But where to get one?" The answer: Estonia.

While the description of Estonian firm Guardtime's core product may be meaningless to anyone not familiar with the in-house language of the cyber-set, a simpler rendition would be something like this: "We can tell you if your data has been changed."

In a world where the computing "cloud" becomes mightier by the moment and everyone from cyberwarriors to whistleblowers is trying to gain access to private and secret information, the ability to state with absolute certainty that data has not been compromised should be worth billions. 

"Our clients don't need to trust us – it's mathematics," smiles Martin Ruubel, one of Guardtime's directors. "It's like a law of nature. You may disagree with gravity, but gravity doesn't care. Guardtime is completely irrelevant. We came up with the algorithm and the infrastructure. We patented it and we're happy, but you don't need to trust us."

Speaking to bne at Tallinn's ultra-modern Ulemiste technology park, Ruubel is one chip in the grand hard drive of Estonia's remarkable mastery of ICT. Everyone seems to have at least one online start-up to their name and some – most famously Skype – have gone on to become household names. Relaxed and witty, Ruubel speaks English with the barest hint of an accent and has a talent for explaining technical complexities in straightforward language that even dim-witted reporters can comprehend.

"Most cybercrime is really committed by insiders, like Snowden," Ruubel explains. "He was the system administrator and he actually erased his own traces. He did that for a year and a half, quite a long period for a system breach to exist. And the only reason we know about it is because he went public.

"When you consider there is no security that cannot be breached by insiders, you have a problem. In the Estonian system you have medical records, police records, everything there. Even if no one wants to change that information, the privacy concern is huge. Administrators can go look at the data, erase the log files and you have a problem. Guardtime's point is that they cannot do all of the above and get away with that. They mathematically, logically cannot erase their trail."

"Guardtime's system doesn't have any secrets. It's an open algorithm that starts from the data, goes through several rounds of cryptographic hashing and ends with a publication code physically printed in a Financial Times magazine that everyone is able to use to verify the data Guardtime technology has secured.

"Basically it gives equal opportunity for governments, businesses and citizens to verify whether the information – be it log files or documents or whatever – is authentic or has been tampered with."

Government approved

Perhaps the most striking testimony to Guardtime's effectiveness comes in the fact that the company, founded in 2007, already counts both the US and Chinese governments among its clients – a remarkable feat in itself. Last year gross profits were in the black for the first time at around €5m and that figure is expected to leap to at least €20m in 2014, signalling that the company is on the cusp of major expansion. Ruubel says the company "expects to post the first meaningful net profit this year."

Ironically enough, Guardtime partially owes its existence to inter-governmental cyber espionage. After suffering a massive cyberattack in 2007 that no one has officially been blamed for (but which everyone knows Russia was behind), Estonia recognized that it needed IT infrastructure that could provide security verification. With government support, a team of cryptographers, network architects, software developers and security specialists was assembled to design the aforementioned "exabyte-scale authentication and real-time alerting system for networked digital assets".

Thankfully they named their invention simply KSI (Keyless Signature Infrastructure) and the technology is available for all the government branches through the famous X-Road digital information system to provide the backbone of what has become "E-stonia".

"In the Estonian registries, all the files are verified every five minutes, including the log files in order to know whether unauthorised changes have been made. It creates an end-to-end independently verifiable audit trail meaning that the government registry is not a black box any more – you don't need to trust anybody. You don't need to trust the system, you don't need to trust the president or the government. And our clients don't even need to trust Guardtime," says Ruubel.
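The idea described in the quotes above, hashing data through several rounds into one published value that anyone can recompute, can be illustrated with a hash tree over log entries. This is an added sketch, not Guardtime's KSI code: the binary tree layout, SHA-256, the leaf/node prefixes, the function names and the sample log lines are all assumptions made for the example.

```python
import hashlib

def leaf(record: bytes) -> bytes:
    # Prefix 0x00 keeps leaf hashes distinct from interior-node hashes.
    return hashlib.sha256(b"\x00" + record).digest()

def node(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()

def build_levels(records):
    """Hash records pairwise, round by round, until one root remains."""
    level = [leaf(r) for r in records]
    levels = [level]
    while len(level) > 1:
        nxt = [node(level[i], level[i + 1]) for i in range(0, len(level) - 1, 2)]
        if len(level) % 2:
            nxt.append(level[-1])  # unpaired hash moves up unchanged
        level = nxt
        levels.append(level)
    return levels

def hash_chain(levels, index):
    """Sibling hashes needed to recompute the root from one record."""
    chain = []
    for level in levels[:-1]:
        sibling = index ^ 1
        if sibling < len(level):
            chain.append(("L" if sibling < index else "R", level[sibling]))
        index //= 2
    return chain

def verify(record, chain, published_root):
    acc = leaf(record)
    for side, sibling in chain:
        acc = node(sibling, acc) if side == "L" else node(acc, sibling)
    return acc == published_root

# Constructed sample log entries (not real data).
LOG = [b"09:00 admin login", b"09:01 read record 1182",
       b"09:02 export record 1182", b"09:03 delete audit entry",
       b"09:04 admin logout"]

def demo():
    levels = build_levels(LOG)
    published = levels[-1][0]          # stands in for the printed publication code
    chain = hash_chain(levels, 3)
    intact = verify(LOG[3], chain, published)
    altered = verify(b"09:03 rotate logs", chain, published)
    erased = build_levels(LOG[:3] + LOG[4:])[-1][0] == published
    return intact, altered, erased
```

The verifier needs only the record, its short chain of sibling hashes and the published root, so no secret key and no trust in the log's administrator is involved; an edited or erased entry yields a root that no longer matches the one already made public.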

If the technology progresses as expected, Guardtime's potential could be every bit as big as Skype's.

On April 28, Guardtime launched a strategic partnership with Authentise, a leading provider of authentication services for 3D printing. While everyone agrees 3D printing will be the next big thing, there are worries that it could also introduce bootlegging and intellectual copyright theft on an unprecedented scale. Gartner estimates that by 2018, 3D printing will result in the loss of at least $10bn per year in intellectual property globally. Guardtime's technology could help reduce such a loss.

Ruubel sees great growth potential in the Far East, partly as a result of ongoing globalisation processes. "One client group we have is medical organisations who do medical diagnosis. For example, you take an X-ray image in the US, send it to the Philippines for diagnosis - because apparently there is a shortage of doctors in the US – and they send back the diagnosis. That's fine until something goes wrong. Then we have an argument – was the wrong X-ray sent, was it a misdiagnosis? When Guardtime technology is involved, you can take it step by step: this was the image that was sent, this was the diagnosis that was written and so on. You can establish exactly what happened without anybody having the possibility to change anything."

But perhaps the most striking use of Guardtime's technology comes when Ruubel casually remarks that it is used in drones, though he prefers not to mention exactly whose. "Our technology is used to validate the software inside the drones. It is impossible to inject malicious code into the drone software. It's kind of important that the software inside the drone is correct, that nobody hacks into it and takes over..."

He's similarly guarded about what will be a "big" announcement about another use of Guardtime technology in the next few months. "Everybody needs exabyte-scale digital asset authentication, it turns out," Ruubel laughs.

On the wall behind him, the list of major ICT companies with offices at Ulemiste reads like a shopping list of possibilities: Microsoft, Cisco, Ericsson, Skype, Hewlett Packard, Nasdaq OMX...

