How to Ensure the Integrity of the Electronic Land Register and Digital Archives?

BY PIRET SAARTEE. Advisor, Legislative Drafting and Development Division, Judicial Administration Policy Department, Ministry of Justice & INGMAR VALI. Head of the department of Court Registers, Centre of Registers and Information Systems

I. Introduction

We live in a time and space where paper documents are being replaced by electronic ones. It is not quite safe to keep paperwork and paper registers nowadays, as paper is jeopardised by fire and water as well as unnoticeable changes or ill-intentioned disappearance. On the other hand, it is much easier to make backup copies of electronic documents and keep them somewhere else; on the other hand, it is much more difficult to make secret changes in them provided that they are well protected. Safety is one of the most important challenges in administering the land register, which is one of the main state registers. Unfortunately, digital record management has its drawbacks and we would like to address these in this article.

II. Overview of the land register

In Estonia, the land register is the register of immovable and related real rights and it is maintained by the land registry departments of county courts. The land register is maintained electronically, which in turn means that electronic register parts (where the entries are made) have legal effect, submitted registration applications are processed electronically, entries are made in the information system of the electronic land register and communication with persons is also electronic whenever possible. The archives of land registry departments, which mainly consist of land registry files, are hybrid archives, which maintain both paper and electronic documents. On 1 July 2006, notaries started to submit documents to land registry departments electronically by using the e-Notary information system and since then the portion of electronically submitted documents has been increasing gradually. The paper archives of land registry departments have not grown since 1 July 2010 and this means that over 90% of the documents are submitted electronically. Documents submitted on paper are immediately saved in digital archives by scanning them and paper copies are returned to persons submitting them.

III. About state information system and maintaining databases

Electronic land register is a database in the state information system, which is integrated with the data exchange layer (X-Road) of the state information system and in which organised data are processed. It is quite obvious that the rules regulating the preservation of the land register maintained on paper (including land registry files) do not ensure the preservation of the electronic land register or digital archives in an unchanged state or, in other words, the integrity of the database is at risk. The government of the Republic of Estonia has established systems to secure the maintenance of databases, including the ISKE – three-level IT baseline protection system, which is mandatory in maintaining state databases, i.e. it must be also implemented in maintaining the electronic land register.

The system of security measures consists of the procedure for specifying security requirements and the description of organisational, physical and information technological data security measures. In order to implement the system of security measures, it is necessary to define a security class based on the goals of information security and to select corresponding security measures from the ISKE manual.

To define a security class, the responsible specialist at the information system centre performs a security analysis by determining independent parts of security classes according to the goals of information security and by considering their importance. Based on the analyses, a security class is defined. Security classes are identified by the letters referring to relevant information security goals and security level numbers.

There are three security levels – high, medium and low. In order to define a security level, the following parameters are used:

1. integrity – guarantee on the correctness, completeness and authentic origin of data and the absence of unauthorised changes;
2. confidentiality – data can be accessed only by authorised persons or technical tools; and
3. availability – properly organised data can be accessed timely and with ease by authorised persons or technical tools at an agreed time.

In determining the above parameters, a four-degree scale (0-–3) is used, where the first is the lowest and the last is the strictest.

Based on the defined security level, audits are performed on the implementation of the system of security measures. Auditing covers the compliance of hardware to requirements, the correctness of defining security classes and security levels, the selection and implementation of security measures taken. The person responsible for the database must make sure that the auditor has obtained the certificate of Certified Information Systems Auditor (CISA) granted by the Information Systems Audit and Control Association or the certificate of the ISO 27001 lead auditor granted by the British Standards Institute or the certified auditor’s certificate granted by the German Bundesamt für Sicherheit in der Informationstechnik based on the ISO 27001 IT Grundschutz.

IV. Land register as a database of high security class

The ISKE security class of electronic land register is K2T3S1, which means that the system cannot be down for more than 2 hours per week (K2); the information source, its changing or destroying fact has evidential value, the correctness, completeness and relevance of information is validated in real time (T3); and access to data is granted to persons applying for it only if they have legitimate interest (S1). It is important to note, however, that the data on the real property (ownership titles, mortgages, encumbrances and notifications) is public information and everyone can see it, while the documents in a land register file (contracts, applications, etc.) can be accessed in case of legitimate interest only.

The highest level of integrity and the resulting high security level were prescribed to the information system due to the fact that the land register is one of the main state registers and the electronic data entered into it have legal effect and are used in civil circulation. The maintenance of paper register was stopped for environmental and practical reasons as keeping two parallel registers is both expensive and ineffective and a waste of natural resources. In assessing possible consequences, it can be said that if anything should happen to the information system of the land register or its data, it would be a national disaster with terrible consequences (e.g. imagine what would happen if one day a John Smith were the owner of every immovable or there were no registered properties in the land register or all properties had the same data and so on and so forth).

So, what does the highest security class of integrity of the land register actually mean? This means that the integrity of both electronic data and digitally kept documents, i.e. their unchanged state must be ensured. Requirements for integrity set out in the ISKE implementation manual can be divided into seven categories:

1. requirements for infrastructure;
2. requirements for organisation;
3. requirements for staff;
4. equirements for hardware;
5. requirements for software;
6. requirements for telecommunications; and
7. requirements for emergency preparedness.

Most of these requirements are procedural or easily implementable if sufficient financial means are available, but there are also some ‘tricky’ ones that cannot be met so easily. As mentioned above, we have given up maintaining paper register. We keep electronic data and changes made to them safe and intact. Every operation with these data is logged and saved.

The basic means of ensuring the integrity of data is a digital signature, which enables the person who made the change to be identified while protecting the data or document by not allowing them to be changed without violating validity confirmation. Pursuant to the provisions set forth in the Code of Civil Procedure, documents submitted electronically to a land registry department must be signed digitally by the sender or submitted in a similarly safe way which would enable the sender and the time of sending to be identified (e.g. submitting documents through other information systems integrated with the information system of the land register). As a registration application can be either authenticated by a notary public or signed digitally, documents are signed digitally and sent by e-mail, via e-Notary (tool for notaries for communicating with the state) or via other information systems. All electronically submitted documents are saved in the information system of the electronic land register with their digital signatures and thus their integrity is ensured.

Unfortunately, digital signing involves some problems too. Although verifying documents with a digital signature does ensure their integrity for a comparatively long time, it is not as simple as that as far as entries in the database are concerned – these must be accessible in real time and kept in unchanged state. How to ensure that unauthorised changing and changes in the database entries are immediately identified? How to develop the database and information system so the integrity would be maintained in the database entries after the changes as well? How to make sure that all unauthorized changes in the database are immediately discovered? Do digitally signed documents preserve as one whole forever? These are the questions we seek to answer in the future.

V. Transition to digital archives

Preparations for switching over to electronic land registry files started in 2008, when the work on developing scanning application began in order to digitalise the entire paper archives of the land registry department. The National Archives of Estonia were also involved in developing the technical application. The latter has worked out several guidelines on how to protect and store digital data, etc. Although the system of copies used by the National Archives did not accord with the electronic land register one-to-one, its staff helped a lot in designing the technical solution.

Protecting documents in digitalised archives with the scanner’s personal digital signature was not a suitable solution as it would have required too much money and time, and it would have been too time-consuming for users who would have had to enter their password every time in order to give their digital signature (as of 1 July 2010, the archives of the land register department contained more than 900,000 files, all in all over 8,000 shelf metres). In addition this might have created the problem of how to validate that the person was working or had worked as a scanner in the land registry department at a given time. Therefore it was decided to implement a relatively new solution in digitalising land registry files– a digital stamp that is yet another type of electronic signature besides digital signature. The certificate of digital stamp is issued to the land registry department and the trueness and conformity of the document to the original is confirmed on behalf of the land registry department. From the perspective of a reader of documents signed with a stamp it is not important who digitalised the given document but rather that it would correspond to the original and be integral. Similarly to digital signature, the digital stamp meets this goal. If necessary, the information system allows identification of the person who gave the digital stamp. A digital stamp is given to the document automatically by the system at the moment of transferring it to the information system, i.e. the user does not have to do anything else to stamp the document digitally. Every document in the paper file is digitalised as a separate PDF file and locked with a stamp container.

Persons who read digital files or the documents contained in these will first see the container confirming the validity of electronic signature (digital stamp) and the time of giving it. A container can include a file of one or several documents. The container furnished with electronic signature contains the signatory’s certificate and its validity confirmation at the moment of signing and this ensures that documents cannot be changed unnoticed. The time mark in the container confirms that the signatory’s certificate was valid at the moment of signing and therefore further validity check is not necessary. This means that signed documents can be safely stored in the archives and there is no need to renew them in the future or make enquiries on their validity in the server of the certification body.

Along with developing digitalisation application citizens, entrepreneurs and public officials got the opportunity to read the documents in files without leaving their home. This new service makes it possible to order the digitalisation of paper documents via the query system of the land register and submit register consultation requests, and if necessary, state the grounds for one’s legitimate interest. The owners of immovable can consult the files on their property without proving their legitimate interest.

The implementation of the digitalisation application is currently under way. Digitalisation is performed on the run based on the orders. The next step will be mass digitalisation by using additional staff and hardware so the paper archives could be digitalised as quickly as possible.

VI. For conclusion

As the issues of transition to electronic land registers and maintaining it concern or will concern all registrars, it is important to share one’s experience in this area. With this in mind, we have launched a project called CROBECO, which among other aspects also focuses on the issues of digital archives and its security. The project seeks to create a vision of secure solution by gathering the good and bad experiences of the member states together so that common rules for the secure maintaining of electronic archives can be established. If we know the challenges encountered by others in developing and implementing electronic land registers and digital archives and how they ensure the integrity of electronic land registers both technically and procedurally, we can contribute to creating a better and more secure land register.