The original article (in Estonian) by Airika Harrik was published in Novaator.

Estonia has used the ID card system as a means to identify its citizens for almost 20 years. During those years, several security issues have emerged. A new PhD dissertation from the University of Tartu has shed light on those issues and pointed out possible lessons for the future.

“The Estonian ID card is a very interesting research object, as it is a nationwide electronic identity scheme that is actually used in practice,” said Arnis Paršovs. In his PhD thesis, he provided a comprehensive overview of all kinds of security problems and other incidents the ID card ecosystem has experienced throughout its 18 years of use. For that, he collected bits and pieces of information from hundreds of news articles, and additional information from the involved parties. He also performed experiments with actual ID cards.

Flaws and formalities
“After collecting and analyzing the data, we can see that security issues of different severity have been present in various parts of the ecosystem,” Arnis Paršovs said. Over the years, they have appeared in the ID card chip, in the ID card manufacturing process, in the issuance of ID card certificates, in the printing of PIN envelopes, in the ID card software and in other places.

Paršovs also found quite a few issues with legal compliance. “For example, the security certification of the ID card platforms has been just a formality,” he pointed out. This has allowed the involved parties to rapidly introduce new ID card platforms, but has also resulted in security flaws being missed.

The deputy director general of the Estonian Information System Authority (RIA), Margus Arm, noted that security is a process. “To ensure it, one must work for it every day both in means of technology and processes,” he said.

Still, Paršovs discovered that the current approach might not always be enough. “The most significant finding was the discovery that the previous ID card manufacturer Gemalto had breached the security requirements by generating ID card private keys outside the ID card,” he said. According to Paršovs, the security audits failed to discover this practice during the five-year period in which it took place. He finds this noteworthy, as it shows that the current auditing mechanisms are not sufficient to detect misbehavior in the ID card manufacturing process.

Arm commented that procedural audits are not meant to lower all possible security risks. Rather, audits control whether an authority or a process meets its requirements and standards. “If those requirements and standards are already faulty, the internal audit also cannot detect the shortages,” he said.

As far as Paršovs knows, nothing has fundamentally changed in the ID card production process to prevent similar incidents from happening again. Procedural audit is not an effective security measure, anyway. “Preferably, we should have a technological solution that is secure even if the ID card manufacturer is malicious,” Paršovs suggested. Schemes based on threshold cryptography could help here, but according to him, that requires significant further research and development.

According to Arm, RIA has not changed the production of ID cards much, because every potential change in the system also means changes in the user experience. When scientists propose their suggestions, RIA and the Police and Border Guard Board (PPA) analyze them from both perspectives. “It is basically security versus comfort. You have both sides and you need to find the compromise somewhere,” Arm explained.

No system is perfect, but…
Despite the long list of security issues the ID card has experienced, according to Arnis Paršovs, the ID card so far has served us remarkably well. “There have not been too many high-profile cases documented, where the ID card would have been abused,” he explained. 

His guess is that the criminals interested in financial gain have simply chosen the easiest route. By “the easiest route” he means the cases of Mobile-ID and Smart-ID, where dozens of people every month get money stolen from their bank accounts in phishing attacks. “The ID card, Mobile-ID and Smart-ID all have the same legal status, but when it comes to security, the ID card in several aspects is far superior to the other two eID tools we have,” Paršovs pointed out.

So what is to be kept in mind in the light of his thesis? According to Paršovs, the findings show that security and other incidents are not being sufficiently investigated. There have been several cases where the same or very similar incidents have occurred again. “This means that the lessons are not learned and the system is not improved to avoid similar incidents in the future,” he said. He suggested that introducing transparency in the incident reporting process would help, as that would keep the involved parties accountable. 

“There is a broader question of how successful the state can be in supervising the eID field, as the state itself is heavily involved in the development of the eID,” Paršovs also pointed out. He added that the problem might also be in the resources, as in reality there are only a handful of people who fully understand the Estonian ID card and its ecosystem, but they are busy with keeping the system running, security improvements not being their priority.

Unique opportunity and unmentioned issues
According to Arnis Paršovs, there are several countries in the world where schemes similar to the Estonian ID card exist, but as far as he knows, in none of these countries are the schemes used as widely as in Estonia. “So there is a lot to learn from the Estonian experience, including the problems and security challenges that it has faced over the almost 20 years,” he said.

Although Paršovs is very thankful to everyone who responded and provided information, it was not possible to obtain detailed information in all cases, he said. “For instance, the ID card security issue that was found in 2017 has been well documented and almost everyone in Estonia knows about it. However, the wider public does not know that an incident of a similar scale was discovered in 2012,” he explained.

The 2012 flaw affected the chip of all the ID cards issued in 2011. Since at that time authorities discovered the flaw themselves, they made a decision to hide the details about the flaw from the public. “It is unfortunate that we don’t know the details even today, long after the flaw has been fixed,” Paršovs commented. “Hence, there might be even more security incidents with the ID card that we don’t know about.”

Margus Arm commented on the 2011 issue, saying that decisions made 10 years ago are hard to explain now. “I believe the decisions back then were made based on the risk and danger assessments available,” he said. In any case, RIA prefers to solve any issues first and inform the public after the danger is eliminated. Otherwise they themselves give criminals the means to do harm, he added.

What is more, the risks of 2017 and 2012 had some principal differences. “If in 2017 the fault could have been abused even without physically having the ID card and without its owner knowing, in 2011 the problem was rather that one could not do harm without actually having the card,” Arm explained. So in 2012 a careful person, who kept an eye on their card, was not potentially in danger.

Still, Paršovs added that historically authorities have considered the security of the ID card to be their internal issue and have avoided discussing it in public. “I hope that this is changing now, as the security of the ID card and eID in general is the concern of the entire digital society,” he said.

Arm agreed that the state might at times be more transparent in the future. “As Arnis’ work shows, that kind of hiding leads nowhere in the history and technology and everything else evolves on,” Arm said. Scientists will eventually find things out, so according to Arm, it is better to speak about issues yourself. “Then it is a matter of trust,” he added. “And I think it is better to speak than to hide.”

University of Tartu, Institute of Computer Science researcher Arnis Paršovs has spent almost a decade studying the security aspects of the Estonian ID card and its ecosystem. The findings of his work have been covered in a PhD dissertation “Estonian Electronic Identity Card and its Security Challenges” that will be defended on April 9, 2021.