Estonia’s Digital ID Cards May Have a Serious Security Flaw
Estonia’s much-lauded digital identity cards may have a security vulnerability, an international research team says. The flaw affects almost 750,000 cards issued after October 2014, including those held by Estonian citizens and by thousands of non-citizen “e-residents” around the world.
Flaw Could Compromise Elections, Businesses
The flaw could compromise the integrity of elections and legally binding contracts, or possibly lead to identity theft. However, the government said the risk is theoretical, and there’s no evidence any individuals have had their digital identity compromised.
The government is continuing to verify the claims, but has confirmed the basic findings. Taimar Peterkop, director of the Estonian Information System Authority (RIA), said his agency has taken steps to mitigate risk. The risk is theoretical and there’s no evidence any individuals have had their digital identity compromised, he added.
Specific details of the flaw haven’t been revealed publicly. Although the government is playing down the risks, the Estonian Police and Border Guard said it would take two months to fix the issue. Additionally, the government is debating whether to allow digital IDs to be used in upcoming local elections and advises citizens to use device-based Mobile-IDs instead of cards.
Estonia Digital IDs Used Worldwide
Estonia was the first country in the world to issue all citizens with identity cards featuring a legally-binding cryptographic signature. Estonians can use them for banking, business and other contracts, as well as online voting in national elections. About 35 percent of Estonians use their cards to vote online.
In December 2014, Estonia extended the program to everyone in the world under the “e-residency” program. For €100, a fingerprint and an Estonian police background check, non-citizens receive a chipped card that enables them to sign contracts, start a business, and open a local business bank account.
The cards’ digital signatures are legally recognized throughout the European Union. However, e-residents do not have voting or residency rights in Estonia.
According to the official online portal, 23,735 people have applied for e-residency from 138 countries. Collectively, e-residents have established 3,877 Estonian companies. The system is reportedly popular with young “digital nomads”, especially those with business or connections in Europe.
Is the World Ready for Digital IDs?
Several other countries have expressed an interest in developing similar digital ID systems, including Singapore and Japan.
While Estonia’s digital ID system is often hailed as visionary, some have questioned whether it’s ready for mass adoption. The country’s system still depends on centralized authorities, technology and laws to function effectively.
Security writer and researcher Bruce Schneier expressed his concern, taking a jab at neighboring Russia:
“This is exactly the sort of thing I worry about as ID systems become more prevalent and more centralized. Anyone want to place bets on whether a foreign country is going to try to hack the next Estonian election?”
Images via Jon Southurst, Pixabay