Our article on the problems with the Estonian eID card attracted some criticism and non-specific allegations of inaccuracies. We recognise the sensitivities of the Estonian authorities on this issue, but stand behind the article.
For the sake of completeness and to allow our analysis to be verified, here is the timeline that we describe in the article:
30 August – Estonian Information System Authority (RIA) was informed about the vulnerability by a third party
5 September – RIA issued a statement about “a possible vulnerability” but that “the given security risk has not been realized” and that this risk was “not enough to cancel the cards”
28 September – RIA made a logically questionable distinction between advice to those who use their cards regularly – that they should renew their card – and advice to others, whose cards were equally compromised, who were not advised to renew their card
16 October – RIA issued a press release pointing to a “potential vulnerability” arguing that the “Estonian ID-card and the corresponding digital solutions continue to be safe”
30 October – RIA “recommended” that cards be updated
2 November – RIA announced that it will block all affected cards and urged “all holders of security risk affected ID-cards” to begin to remotely update their cards
We also received some comments by email and via Twitter with regard to the article. Again, we understand the sensitivity that led to some rather strident comments and are happy to respond appropriately. We have done our best to reflect all of the comments and deal with them comprehensively:
Comment: Article 17 was not deleted but simply moved verbatim to another instrument.
Our response: Yes, this is partially correct and was an oversight on our part (both the fact that it was moved and that the move itself was proposed by the previous presidency). Instead of strengthening this measure, as proposed by the European Parliament, the Estonian presidency proposed:
- moving it from a stronger instrument (Regulation) to a weaker instrument (Article 40.3a of the Directive establishing the European Electronic Communications code);
- moving to an instrument whose scope is significantly narrower than the e-Privacy Regulation;
- amending it in a way that is less clear and subject to varying interpretations in 27 EU Member States;
- amending it in a way that establishes a higher and less clear threshold for the provision to be enacted.
Tracked changes proposed by Council (deleted text marked [- ... -], inserted text marked {+ ... +}):
{+Member States shall ensure that,+} in the case of a particular {+and significant+} risk {+of a security incident+} [-that may compromise the security of-] {+in public+} communications networks and electronic communications services, the provider of [-an electronic communications service-] {+such services+} shall inform [-end-users-] {+their users potentially affected by+} [-concerning such risk-] {+a threat of any possible protective measures [sic] or+} [-and, where the risk lies outside the scope of the measures to be taken by the service provider, inform end-users of any possible-] remedies {+which can be taken by the users. Where appropriate, providers should also inform their users of the threat itself.+} [-, including an indication of the likely costs involved.-]
Comment: Other countries were affected by the same flaw.
Our response: This was explicitly recognised in the article. However, because Estonia is at the vanguard of eGovernment implementation, the flaw created vastly greater dangers for Estonian citizens than for citizens elsewhere. It could credibly be argued that the Estonian authorities, despite the confusion described above, handled the matter better than some other countries.
Comment: Other technologies, such as credit cards, were affected.
Our response: Credit cards have liability rules and insurance, operate in a market, are not compulsory and are subject to choice. The comparison is therefore not valid.
Comment: There was no harm.
Our response: This is impossible to know for certain. Furthermore, if there was no harm, this can be ascribed to good fortune.
Comment: There is no causal relationship between efforts to weaken Article 17 of the proposed ePrivacy Regulation and this incident.
Our response: None was alleged. We simply wished to draw attention to the importance of Article 17 for trust and security.
We always welcome feedback and requests for clarification and further information in relation to everything we publish. We are therefore grateful for the energetic response we received from our Estonian friends and hope that all outstanding issues have now been fully clarified.
Estonian eID cryptography mess – 750 000 cards compromised (15.11.2017)