On 5 September, the Estonian ID card authority (RIA) said that an international group of researchers found a security risk affecting ID cards issued in Estonia since October 2014. This includes cards issued to e-residents.
According to Estonian officials, there are no known cases involving the actual exploitation of this vulnerability.
Cards issued before Oct. 17, 2014 use a different chip and are not affected by the fault.
The report of the international group of researchers will be published in autumn at an international conference.
Our take
The Estonian authorities have a proven track record of fixing security flaws in their digital infrastructure.
The current issue is considered important enough for the Estonian prime minister to cancel his planned official visit to Poland.
We therefore expect that the Estonian authorities will also move swiftly to address this latest vulnerability; they already announced initial mitigating measures on 6 September.
We conclude that this problem should not adversely affect the Estonian e-residency program in the long run.
Other countries that also have electronic identity card programs can learn from the Estonian example - Belgium in particular.
Since the roll-out of the Belgian e-id program in 2003, (academic) discussion of possible privacy and security concerns has remained something of a taboo in Belgium.
In this regard, it is telling that, in contrast to the swift response of the Estonian authorities to an issue that is still mostly theoretical, the Belgian authorities appear to have taken at least six months to fix a well-known, real and serious vulnerability in the software that manages the communication between the ID card, the host PC and e-id web applications. No warnings or announcements were made to the general public during all that time.
Mr. Pieterjan Montens, system and software engineer at the Belgian Conseil d’Etat (Supreme Administrative Court of Belgium), has even stated that Belgium today no longer puts privacy or security concerns at the forefront of its e-id program.
Like Estonia, Belgium now seems to be gradually making the switch from chip cards to identification apps on smartphones. The current Belgian government envisions a first phase in which multiple competing solutions coexist, one of which may grow into the future standard.
We hope these new initiatives will foster a healthier security and privacy climate for the Belgian e-id. After all, security through obscurity has been proven, time and time again, not to work - something Estonia clearly knows.