Estonian Electronic Identity Card: Security Flaws in Key Management (usenix.org)
222 points by dcbadacd 33 days ago | hide | past | favorite | 80 comments



Anyone wondering if this is a new issue: it's not, it's a more detailed writing of some previous issues, one of which is the Gemalto affair[0].

The new cards issued in 2018 are not known to have any vulnerabilities.

[0]: https://www.linkedin.com/pulse/timeline-estonian-id-card-vul...


Didn't read the paper but it appears to be fresh, so maybe the newsworthy part is that they are still not fixed?


The paper is half for giving a technical overview of the issues and part new analysis based on datamining old certificates. The issues have been mostly fixed, compliance violations however are still badly monitored.


Yup, true - from the end of section 2.3.4 jTOP SLE78: "The jTOP SLE78-powered ID cards were issued until the end of 2018. ID cards manufactured currently are powered by the chip platform supplied by IDEMIA (not covered in this work)."

Looks like the ID cards issued after 2018 are not covered, so I guess this really is "old news".


> The flaws of the ID-card is a very politically charged topic to discuss in Estonia, having any doubts about the ID-card or e-voting will make you a persona non grata.

I somewhat disagree, the discussion tends to get bent by some populist agent provocateurs and some of the initial reactions from the private sector media. (In Estonia, the government media is the most centered out of all news outlets, go figure). What these statements usually are is that "ID card has a flaw X, therefore we should immediately ban it, close the R&D and burn it with fire", forgetting that crypto and computing in general, changes over time. My view is that, of course each flaw has to be resolved and sometimes this is political, but this just means the work has to continue.


Thinking that compulsory id cards "Papers Bitte" are not a good thing is not an uncommon view.


ID card is mandatory by law, but there aren't sanctions (to my knowledge). You need some kind of document though; in the US that is usually a driver's license. I don't see a big difference here.


In the US you are required to have your drivers license while driving, but I do not believe there are any blanket requirements (since it would vary from state to state) that you must be able to furnish identifying documents at all times.


Documents are two-way streets. You need them to prove your rights. You need a document to prove your identity to a bank or notary. If you are on the younger side, a document helps validate your age in the liquor store. I'm trying to use "American" examples here, but other countries can have other regulations or customs. A document, especially a digital one, is very useful. For example, I like to encrypt with the ID card when sharing materials over an untrusted medium. You don't need to worry about key exchange, you don't need to teach or install software on the other party's devices: they already know how it works. It's also very comfy that I can send digitally signed documents and that isn't a fringe thing; there are knowledge and bureaucratic processes for how to handle it.


I take the view that rights are inalienable, I don't have a problem with documents but with ID cards.

Given the structural deficiencies of the US police (and other police forces), giving them an excuse to stop people is to be avoided unless strictly required.


It's not about it being compulsory, but the system being unverifiable end-to-end and any criticism of that being laughed at.

If you put it into business terms, would you trust an employee or vendor who told you that everything was alright, did not allow you to perform checks and audits and mocked both your and external partners' concerns [0] about it? I don't think so. If the government is indeed for the people and not vice versa, then this is not acceptable.

[0] https://www.youtube.com/watch?v=LkH2r-sNjQs Tom Scott's video about e-voting. Funniest rebuttal I saw on Estonian social media was that we are secure, since he is talking about e-voting, but we have i-voting. So I guess once we will call it c-voting, it will be even better...?


That video had outdated information regarding the Estonian e-voting system. The report from 2014 has been invalidated by the newer system, IVXV, which has been redesigned to address previous criticism. The newer system is open source, available at https://github.com/vvk-ehk/ivxv. A good source to quickly familiarize yourself with the architecture is "Improving the verifiability of the Estonian Internet Voting scheme"[0] by Jan Willemson et al.

[0] https://research.cyber.ee/~janwil/publ/ivxv-evoteid.pdf


I watched the video. It's a load of crap. I mean, here are his arguments (feel free to tell me if I missed something):

  - voting systems inevitably have to be closed source, loaded on easily compromisable USB stick, connected to internet unguarded and sitting that way for years. In what reality is this nihilistic fatalism a reasonable expectation?
  - voter has no way of independently verifying that their vote has been processed correctly. First of all, this is simply ignorant as there are many cryptographical schemes that allow verification, but most importantly - how do you know that your vote has been processed correctly in our current system? You don't, there is no way for you to do that.
  - US hacking machines are routinely exploited at Defcon. That's right. You know what else is routinely exploited there? Physical safes, which are used for storing you know paper ballots. Also cars. And Air Force has promised to bring a fucking satellite next year. Something having vulnerabilities in the past does not mean it still has them, something having vulnerabilities currently does not mean they are easy to exploit in practice or can't be detected and mitigated, some products in a certain category having vulnerabilities does not mean all products in this category will inevitably have vulnerabilities in the future and we should just give up on ever fixing them.
  - trusting a person in a voting booth to vote for you would be ridiculous, but filling a ballot yourself and trusting that it will get counted correctly along the way is somehow self obvious - I guess because in the first case you clearly see that a human is involved in the process and in the second example it sort of feels like the process is finished once you physically put your vote into a box?
  - the average voter won't understand checksums. Well, maybe the average voter shouldn't worry about bad bytes in that case? And how come deterministic and auditable cryptography is a problem while demonstrably non-deterministic process of current paper voting (look at how results always differ ever so slightly when votes are recounted) is a non-issue?
  - transferring votes over internet is problematic because you can't trust software on either end. Right, because you know (never mind trust) everybody that will handle your vote on the path from voting booth to the whatever-governing-body-is-announcing-results-in-your-country?
  - central computer could be manipulating your votes and only a few people will have an opportunity to inspect it. Well, how many voting boxes have you been allowed to inspect in your life? Are you allowed to go to the central location where your votes are aggregated and recount all of them personally? How do you know that officials in your voting location, precinct or at a national level haven't agreed to manipulate the results?
  - casting doubts on the election is easy to do with electronic voting and nearly impossible with paper voting. Have you heard this cute story about medical masks becoming a conspiracy and symbol of oppression among certain population in US? Has nothing to do with electrical circuits and everything to do with politics. If a current incumbent happens to lose an election there you can be sure that election results will be called fake, no matter paper or digital.
  - malware exists, so voting from personal devices is ridiculous. Just as ridiculous as doing e-commerce or banking? Or in case of Estonia getting pretty much any other official business done, or so I hear.
  - a single vulnerability in someones computer can be scaled to millions of computers. Ok, let's say someone is still using Windows XP and got infected with something after downloading GTA from Pirate Bay. How does that affect people voting from their iPhones?
  - anecdotes, anecdotes, anecdotes
tl;dr: Stop spreading FUD.


Please try to think here in terms of probabilities, not absolutes and about the threat model.

1. Closed source and loaded on a USB stick is the simplest case. But in the end, how will you still know what is the actual code that the eventual tallying system is running?

2. Verification of votes is not about encryption. If you allow it to be unlimited, then you can actually sell your vote. In Estonia, you can verify your vote 3 times for 30 minutes after your vote was cast: https://www.oiguskantsler.ee/sites/default/files/field_docum... (point 14 on page 5)

3. Mostly agreed with you about the rate of vulnerabilities. But the issue here is that voting is such an important part of how democratic society works that there should be no obvious vulnerabilities or any exploitations of vulnerabilities can be easily discovered. E-voting has neither of these because again, how can we know what code is actually being executed?

4., 5., 6., 7. Yes, one vote can get lost. Hell, thousands can get lost. But on average, I can still count on the process eventually working out due to the observability. Somebody will find ballots thrown in trash, pre-filled ballots, 117% of eligible people voting. Sure, in those cases the country is unsalvageable, but you will at least know that it is happening.

8. OK, but that is neither here nor there.

9., 10. If you open up Google Maps and look one country eastward, you will understand. As a reference, https://en.wikipedia.org/wiki/2007_cyberattacks_on_Estonia Not sure on what their planning divisions are cooking up, but I do not doubt that they will use any angle they can. What is the going price for a Windows 10 0-day anyway, on the order of a few hundred k to 1M, I assume? Peanuts.


You’re the one that seems to be thinking in absolutes (when it suits you).

  1. In cryptographical/philosophical sense that’s a tough problem. But our goal is to improve on existing solution not come up with an absolutely ideal scheme, right? So let’s look at what sort of trust our current system provides us. Do you get to see how the whole system works? No. Does any single person get to see the whole system for that matter? No. But you are provided with the description of the process and large part of it is happening in the open even though you can’t attend all the places / oversee everything in a single election due to real life and restrictions. Some people are also provided with the power to inspect arbitrary components of the whole scheme when they see fit and even though they don’t inspect even the whole components all the time and no one is inspecting absolutely everything, these people are attracted from all interested parties and can act on random, so we believe that if there were any symptomatic foul play someone would have found it simply by chance. And we generally don’t believe in conspiracies but we try to counteract them by providing more incentives for people to speak up, get involved, become a whistleblower if that’s necessary so that any largish conspiracy would inevitably become public knowledge quickly enough. Well, we can arrange all of these in electronic voting as well and we can even double down on all the in depth mitigations by providing more monitoring capabilities in real time & possibly even making data openly available in whole after election.
  2. You can sell your vote in our current system as well. But somehow that’s fine because we have different standards for what we grandfathered already, am I right? Yeah, you could pay people if they film themselves voting, but there is no evidence of it being widespread so no need to worry. Mail ballots aren’t anonymous and could be spied/spoofed easily but there is no evidence of that ever happening, so no need to worry. Lack of strong ID requirements in US could lead to massive voter fraud but there is no evidence of it ever happening in large enough numbers to skew the election, so no need to worry about it. And yet when it comes to electronic voting, geek versions of Penn and Teller - cryptographers have shown us in their stage shows that they can conceive such situations where the victim gets unknowingly duped into disclosing their vote, or the vote being miscounted. So that means literally anyone could carry out the same attack in practice and at an arbitrary scale (or maybe not but we’d better err on side of caution).
  3. How do you know that that nice lady overseeing voting in your district isn’t a secret Trump/Clinton/Nazi/Communist sympathizer? You don’t, but you have a faith in the system as a whole that it won’t crumble because of a single person. Similarly we can use defense in depth tactics in designing election security. The hardware would only be able to run signed code in a minimal environment, you could even make the device stateless, meaning the code gets reset before each new vote gets accepted, maybe even provide an option for voters to reflash the device themselves (with a click of a button on their phone). Devices themselves don’t have to be generic PCs with USB ports and what not, these could be really dumb chips enclosed into sealed & transparent casing with each one being certified etc. You could make the system modular by having multiple devices each doing their small thing - like the Unix utilities but with each utility being separate hw and most of them disconnected from any networking / being air gapped with obvious input/output interfaces. There are so many things we could do if we approached this in a sane manner as a serious engineering challenge instead of trying to out-cynic each other.
  4,5,6,7 That’s exactly my point, electronic voting can be made even more transparent and with the records being forensically preserved they could be analyzed in full at any time after the votes have been cast (with the operational stuff being able to run all sort of threat hunting / anomaly detection during the Election Day). Granted this assumes the whole system uses the same protocols and is run/overseen by a joint committee which might or might not be viable in US, but the discussion started from Estonia - European country, where this would be totally expected.
  9, 10 Not all 0days are noclick RCEs present in a default configuration (of a desktop/mobile). In fact we haven’t seen such a beauty in a long time. So no, there isn’t a price for that as it’s not something you could buy off the shelf. And if you could get one you would burn it pretty fast by using it in such a campaign. Makes much more sense to keep it as a nuclear option as no matter how aggressive in your opinion nation state attackers are, their primary incentive is fear for the survival/integrity of their own country (yes the bears crap their pants thinking about possible armed intervention any year soon and so do the pandas). So no I don’t think there is any conceivable way to exploit a large portion of private devices in a country in a uniform fashion. You totally could do that using a top-bottom approach - sort of like exploiting DC and pushing malware from it via group policy. But in case of Estonia voting apps would be the last tech to use for that. They are already mandated to use governmental services for various everyday tasks, they have centralized ID and there are just a couple of major banks - all of which require having an app for modern banking. So there are already plenty of avenues to wreak havoc for a skillful/motivated attacker. And yet we don’t have panic attacks over it, it’s just operational risk that we seek to understand & mitigate just like in every other enterprise.


1. Whole paper ballot process is monitored (and understood) by all parties. They keep each other in check. I can sign up for such monitoring and see for myself (at least in my country). Nobody will allow me to inspect the actual machine used to count votes. 2. To hack paper ballot voting, the conspiracy must include many more people than e-voting.


1. You feel that the process is well understood because that’s the only process you’re familiar with and likely it was taught to you since school. In reality other schemes such as electronic voting could be just as clear and transparent, while possibly even more natural as visiting websites and using apps is what people do every day as opposed to gathering physically in order to run an ancient form of poor cryptography manually. Also, no you never had an opportunity to see the whole process end-to-end, as you never were allowed to open and inspect voting ballots or boxes, or attending the central counting place in your state/at the federal level to make sure they are counting everything correctly as well. Think of the bits you saw this way: if your adversaries were evil versions of Penn and Teller, would they be able to fool you by presenting you completely boring looking yet larger than life process that feels completely fair yet of which - due to completely human reasons - you can only see one facet at a time - all while in fact running a completely different play in the background? Sure, this isn’t how we normally think about adversaries in real life but that’s what the adversaries in cryptography are. When the guy in the video said that there have been some concerns about Estonian voting system which basically means anyone could have stolen the election - that’s what he meant really: Penn and Teller could have arranged in their stage show such a contraption that would have fooled mock election participants into disclosing their vote or it being discounted, therefore basically anyone can steal our election. 2. This isn’t obvious at all nor substantiated by facts/reasoning.
Parties still could hire/attract auditors to oversee the process, independent organizations and foreign countries still could be provided with visibility into the process, in fact the process could be made more verifiable by preserving audit logs and forensic evidence for generations to come, so that a single researcher could viably check their hypotheses across the whole election days, months or years later, not just one small fragment at a time in places they themselves got an opportunity to physically be present, like what you described. And the process could be made much more transparent to the public at large as their vote could be counted in soft real time, meaning they could verify it reached the central tally right after voting.


> you never were allowed to open and inspect voting ballots or boxes

You are allowed to see that the boxes are empty in the morning, and you are allowed to see each ballot as it is retrieved from the box when it is being counted. Between those two points the box never leaves public eye. Why would you need to open it yourself?

> or attending the central counting place in your state/at the federal level to make sure they are counting everything correctly as well

Why not? All of those are open to the public in my country.

I think you are seriously underestimating the amount of openness that is possible - and practiced - with paper ballots.


It's an American view, mostly due to having only experience with ID documents through WW2 movies or Cold War propaganda, mixed with religious voices against it ("mark of the beast", wish I was joking).

Elsewhere, "Papers, please" tends to be a sign of excessive "stop-and-frisk" or movement restrictions, and the idea of having a basic ID card seems to not have much of an opposition. Especially since it's much simpler than the sometimes circular requirements of "web of trust" confirmations like in the UK (though I heard it got better).


Correct, wikipedia even documents this:

https://en.m.wikipedia.org/wiki/Your_papers,_please


Wow - that's like 3 negative "modifier" words. I don't actually know what you're saying with that sentence and I've been reading it for about 3 minutes now.


"The jTOP SLE78-powered ID cards were issued until the end of 2018. ID cards manufactured currently are powered by the chip platform supplied by IDEMIA (not covered in this work)."

If my memory serves me right, there was an easy way to check if your ID card was affected and it got replaced for free. The flaws described in paper are not known to exist in cards issued since the end of 2018, beginning of 2019.


Yeah, an "offline tester" [0] was made available by the researchers who discovered ROCA [1] and a company with "close links" to the researchers created a "ROCA Vulnerability Test Suite" [2]. The Estonian government also had one on their web site [3] but it is, apparently, no longer available.

ROCA didn't just affect Estonian ID cards, though. It also affected TPMs (from Infineon), certain Yubikeys [4], and even some PGP keys!

---

[0]: https://github.com/crocs-muni/roca

[1]: https://roca.crocs.fi.muni.cz/

[2]: https://keychest.net/roca/

[3]: http://www.id.ee/?lang=en&id=38239

[4]: https://www.yubico.com/support/security-advisories/ysa-2017-...
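As an added illustration of what those ROCA checkers do (this is not the crocs-muni tool or code from the thread, and the two sample moduli are constructed, not real keys): the affected library builds primes as p = k*M + (65537^a mod M) with M a primorial, so N = p*q leaves a residue in the subgroup generated by 65537 modulo every small odd prime dividing M. The function below runs that residue test over the 38 odd primes up to 167, which divide M for every affected key size.

```python
"""ROCA (CVE-2017-15361) fingerprint check for an RSA modulus, stdlib only.

Added illustration of the published fingerprint, not the crocs-muni detector.
For every affected key size the generator's primorial M is divisible by the
odd primes 3..167, so N = p*q satisfies N mod r in <65537> (the cyclic
subgroup generated by 65537) for each such prime r. A modulus that was not
produced this way fails at least one of the 38 checks with overwhelming
probability, so passing all of them is the signal to replace the key.
"""


def _odd_primes_up_to(limit: int):
    """Odd primes <= limit by trial division (small, so speed is irrelevant)."""
    primes = []
    for n in range(3, limit + 1, 2):
        if all(n % p for p in primes if p * p <= n):
            primes.append(n)
    return primes


FINGERPRINT_PRIMES = _odd_primes_up_to(167)   # 3, 5, 7, ..., 167: 38 primes

# Product of those primes; used only to construct the sample below.
M_167 = 1
for _p in FINGERPRINT_PRIMES:
    M_167 *= _p


def _subgroup_generated_by(g: int, r: int):
    """Residues g^k mod r for k >= 0, i.e. the cyclic subgroup <g> in (Z/rZ)*."""
    seen = set()
    x = 1
    while x not in seen:          # stops when the cycle returns to 1
        seen.add(x)
        x = (x * g) % r
    return frozenset(seen)


# Allowed residues per prime, precomputed once (65537 is the public exponent
# the affected library always used).
_ALLOWED = {r: _subgroup_generated_by(65537, r) for r in FINGERPRINT_PRIMES}


def roca_failed_primes(n: int):
    """Primes r for which n mod r is outside <65537>; an empty list means the
    modulus carries the ROCA fingerprint."""
    return [r for r in FINGERPRINT_PRIMES if (n % r) not in _ALLOWED[r]]


def is_roca_modulus(n: int) -> bool:
    """True when all 38 residue checks pass: the key very likely came from the
    affected Infineon RSALib and should be revoked and regenerated elsewhere."""
    return not roca_failed_primes(n)


# Constructed sample inputs (hypothetical values, not keys from any real card):
# one value with exactly the residue structure a ROCA modulus has, and one
# arbitrary odd value with no such structure.
SAMPLE_ROCA_SHAPED = pow(65537, 12345, M_167)
SAMPLE_UNRELATED = 2**2047 + 2**1023 + 12345


if __name__ == "__main__":
    for label, n in (("ROCA-shaped", SAMPLE_ROCA_SHAPED),
                     ("unrelated", SAMPLE_UNRELATED)):
        failed = roca_failed_primes(n)
        verdict = "fingerprint MATCHES (replace key)" if not failed \
            else f"no fingerprint (first failing prime {failed[0]})"
        print(f"{label}: {verdict}")
```

To test a real certificate, extract the modulus as an integer (e.g. from `openssl x509 -noout -modulus`) and pass it to `is_roca_modulus`.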


Yes, the Police and Border Guard has an online tool to check. They also supposedly contacted all the people with bad chips (my card was not vulnerable, so I can’t verify that).


The aftermath of the issue has been previously discussed here (2018): https://news.ycombinator.com/item?id=18104861


Brave guy to publish this, hopefully it won't end up similar to the Dreyfus affair — depends on which the media will roll due to it being "pickled cucumber season" (everybody is on vacation, nothing much happening during summer in Estonia). The flaws of the ID-card is a very politically charged topic to discuss in Estonia, having any doubts about the ID-card or e-voting will make you a persona non grata.


Regarding your last point, I have a hard time seeing what you mean. The system is audited both internally and externally fairly regularly, the latest report being released just December last year [0]. There is also frequent news coverage, both supporting and criticizing the system [1][2]. One of the current government parties [3] is an active critic of the system. So it seems like a fair stretch to say that discussing or criticizing the system isn't common or somehow not welcome.

None of this is to say that the system doesn't have flaws, as every other IT system, it does. It is however publicly discussed as you would expect in a democracy.

[0] https://www.mkm.ee/sites/default/files/e-valimiste_tooruhma_...

[1] https://www.err.ee/keyword/15389

[2] https://www.postimees.ee/term/15008/id-kaart

[3] https://www.valitsus.ee/et/peaminister-ministrid/valitsuse-k...


> The system is audited both internally and externally fairly regularly, the latest report being released just December last year

Can you please clarify the 'fairly regularly' part? One of the members of that commission said that this is the first time that this kind of audit has been undertaken: https://digi.geenius.ee/rubriik/uudis/e-valimiste-tooruhma-l... To be fair, there are lots of other reviews having taken place, but none of them are regular with the exception of the OECD ones happening during elections: https://et.wikipedia.org/wiki/Elektrooniline_h%C3%A4%C3%A4le...

> There is also frequent news coverage, both supporting and criticizing the system

ERR is government-funded and seems to me quite neutral, not sure how it is relevant here. But it still seems to me that mainstream media is supportive and you have to go to "alternative" news sources to find any true criticism.

> One of the current government parties [3] is an active critic of the system.

Actually 2, if you count both KE and EKRE. And this is one of the major criticisms against those parties and has been so for years.

A good example of the prevailing attitude can be seen in this thread from 2017 about the security hole back then from Hinnavaatlus, probably the biggest IT-related forum in Estonia: https://foorum.hinnavaatlus.ee/viewtopic.php?t=715076&postda... The general tonality in the beginning was that this is a tinfoil problem and somehow brought up by KE and EKRE before elections until the reality of the situation sunk in.


There have been no code audits.


Being spammed with reviews after mentioning that there might be a disagreement about electronic id data collection drives the original point a bit.


While I try to sympathize, I'm not entirely sure I see what you mean. Neither the research linked in the submission nor anything that I linked to discusses data collection, unless I'm grossly misunderstanding you.

As for the things I linked, none of them are reviews. The first link is a ministry report from last year that outlines 25 shortcomings of the system and how to address them — a clear example that there's open discussion about any problems the current system has. The second and third links are national news coverage that clearly show articles from both pro and con sides. The last link is about the current government in general.


> "pickled cucumber season"

Funny, it's called "cucumber time" (agurketid) in Danish. I wonder if it's a related term in Nordic countries + Estonia.


We also call it "agurktid"/"agurknyheter" in Norwegian, and I know the Germans use "Sauregurkenzeit".

I've never heard any similar expression in English, nor in any Romance languages. The Brits use "silly season" for the same concept in journalism/news.


Ha, I'm an American who lived in Estonia for a bit, I'm not familiar with any related US term. Maybe we just don't have this as much as Europe - I know I was shocked at how slow business got in the EU in summer, there's for sure a dip in the US with people going on vacation but nothing like Europe in July/August.


Most people in Europe have at least 5 weeks paid leave a year guaranteed by law.

The US does not set a mandatory minimum, and consequently many employers don't offer anywhere near as much time off.


> I was shocked at how slow business got in the EU in summer, there's for sure a dip in the US with people going on vacation but nothing like Europe in July/August

Reminds me of back when I worked for a company that exported machines to the US and my boss told an American customer that we couldn't get a shipment sent in June, which meant it couldn't be sent before somewhere in August since key personnel was on holiday in July.

They then asked if he couldn't just tell us we had to work anyway, which - luckily for us - wasn't an option.


Yeah that sounds like a classic American move - who cares if they're on vacation, just make them work! Glad your employer stood up for you all (or that the law forced him/her to)!


One time here in the US I had to work late hours and weekends to hit an ambitious deadline for a French customer who wanted to review our work before they all went on their vacations.


Oh, that was a nice thank you from us pampered Europeans! /s

Sorry, hope you got some nice overtime bonus (but I fear not.)


Overtime? Ha. Almost all salaried jobs in the US are exempt from overtime laws.


Yeah, we also use 'time of pickled cucumbers' in Slovenia. So not just a Nordic thing ;)


It’s also called “komkommertijd” (“cucumber time”) in Dutch. Not pickled, because we call pickles “augurken”.


And "sezon ogórkowy" (cucumber season) also in Poland :)


Okurková sezóna in Czech


He is a well-known researcher in Estonia, with his scope of work both known as well as appreciated (at least by the non-politicians). Of course some have the "too big to fail", thus "you don't talk about Vo..." attitude, but those want to turn technical argumentation into political "agreement" and it is hard to debate a 0 to become 1. You can't argue with computers, "lets agree this 0 is as good as 1, even better and greater!"


Having worked for the Estonian government for a bit, I'm not sure that it'll exactly make you a persona non grata but definitely you'll get a ton of pushback if you make any claims about e-ID and e-voting as people have very strong feelings about it.


I'm from the EU and considering incorporating my next company in Estonia.

Anyone else in a similar situation has any recommendations or ideas about this?


In general, I had good experiences. There are a few annoying things, however: my Estonian bank (VUB) discriminates against non-Estonian customers (even if they are EU citizens/residents) by applying a foreigners' fee. Also, the local business register seems to be above data protection laws and sells your information. I receive lots of spam just by being in the register. Also, if you think that because your company is private your financial statements will also be private, that won't be the case. They will still sell the information to anyone for a few euros.


> Also, the local business register seems to be above data protection laws and sells your information.

Jesus that sounds terrible...


Make sure to understand the tax laws when it comes to the company tax residency in scenarios where you're physically not operating in Estonia nor employing people there, nor having majority of your clients there.

See my older comment [1] for some related topics to research.

[1] https://news.ycombinator.com/item?id=21321451


Yes, I'd definitely echo that, a huge amount of tax implications are based on individual residency/permanent establishment, so if you're living in, say, Germany for 1/2 of the year + 1 day, you should be expecting to pay at least your personal income taxes there, and likely the business taxes if you're a sole prop without local employees and local business. Of course, if you're a true 'digital nomad' who doesn't establish residency anywhere it gets much trickier. But in general, my advice is to pay for 1-2 hours with an accountant up front before you go through setting up a new entity somewhere.


Even if my personal account was in an Estonian bank?


Yes, the laws don't care about who you bank with. If your "center of life" is in Germany, you are required to pay income taxes. Although "center of life" is not defined in detail in German tax law, there are a number of known indicators that are considered. For example, if you reside in Germany for 183 days per year or more, you are required to pay income tax on all of your income.


Having a personal account in a local bank may be a data point if you want to make a case about where you should be taxed, but it won't automatically give you a permanent establishment or tax residency in Estonia.


Ah, right.

Yeah I should definitely check with an accountant in the country where I will end up residing.


Yeah, highly recommend that. You can also contact Estonian folks who do understand the idea of running a co in Estonia and living elsewhere, which isn't common in a country like Germany, as local accountants there may be confused. There's a bunch of people on this list that have gone through at least some govt vetting: https://e-resident.gov.ee/marketplace/service-providers/

I personally had a good working relationship with 1Office in particular and recommend them (wasn't a client but they were a partner when I worked for the e-Residency program and a buddy's GF works there who I trust and who does good work)


Would you incorporate again in Estonia?


Thanks, I will definitely check this out.


> In this paper, we describe several security flaws found in the ID card manufacturing process ..

Like accidentally on purpose, secure up to a point, but weak enough to allow the spooks to generate their own IDs. I mean if the cards were unhackable how would a spy do his job :]


As an American residing in Estonia, I’m not sure what the benefit of a state compromising the card crypto would be. There are four broad categories of uses for the ID cards:

1) Obviously, a government-issued photo ID

2) For an increasing number of shops, as your “frequent shopper” card, which admittedly is slightly related to...

3) Authentication, including: logging into your bank, government websites (the state portal, the tax authority, the “digital story” - all your medical records, the online booking website for booking some combination of surgeons/specialists that operate under the public healthcare system), the (one) online pharmacy that exists, etc.

4) Signing things. I’ve signed my lease with it (though “paperless” Estonia still wanted me to sign a paper version as well) and more routinely you have to “digitally sign” any bank transfers... which are the standard way to pay bills in Estonia, so you do it a lot. Finally, voting online.

I don’t see how broadly compromising the crypto would really benefit anyone for any of those things, it would have to be a more specific individual attack, like draining your bank accounts.

Edit: formatting, added voting


Getting asked as an expert "can this id card thing be trusted?" my answer has been "for communicating with the government you inherently don't trust, the method or security of an authentication device does not really matter" (filing your taxes or logging to services being the scope). Some claiming encryption privacy issues ... Well, for any meaningful opsec you should not be using the id card for encrypting messages about overthrowing the same government issuing the encryption devices in the first place, if government reading your messages is a threat in your model.


Yeah, I think the biggest risk would be rigging an election, but we’re talking about a country of 1.2 million people. Not to dismiss the importance of their elections to Estonia, but it doesn’t really have the same worldwide ramifications that compromising a US, UK, German, etc. election would have.


Rigging (digital or not) would be hard to hide, because it could only be a minor adjustment to remain plausible. All the election results end up roughly similar to all the various independent polling results. If some party suddenly receives a lot more votes than they polled for - it will be noticed.

Also Estonia already has a history of (non-digital) election rigging [1] so rhetoric of the "digital results in rigging, keep it physical for safety" kind isn't super convincing.

--

[1] https://en.wikipedia.org/wiki/1940_Estonian_parliamentary_el...


> Rigging (digital or not) would be hard to hide, because it could only be a minor adjustment to remain plausible.

How many more votes would the party in second place at the last election have needed in order to have won instead?

> If some party suddenly receives a lot more votes than they polled for - it will be noticed.

Is there a mechanism by which the election could be run again (before the winners of the election have a chance to prevent this)?

> Also Estonia already has a history of (non-digital) election rigging

Or it's an argument that a voting system should have both hand-counting and digital counting, because rigging both counts is at least twice as difficult as rigging one.


> How many more votes would the party in second place at the last election have needed in order to have won instead?

5.8% of the total votes [1], but winning the election is just part of the game. This time around the winning party isn't in power because the runners-up formed a coalition.

> Is there a mechanism by which the election could be run again (before the winners of the election have a chance to prevent this)?

Several - the previous government would still be in power for some time to react, the president has to sign off on the winners, the defense police could intervene, and then there are the courts. None of these entities depend on the newly elected government.

> both hand-counting and digital counting

That would certainly be more secure, but like all security it would be a trade off.

--

[1] https://rk2019.valimised.ee/en/election-result/election-resu...


> How many more votes would the party in second place at the last election have needed in order to have won instead?

It's a multiple party proportional representation system so who "wins" doesn't really matter that much.

> Is there a mechanism by which the election could be run again (before the winners of the election have a chance to prevent this)?

I'm not an electoral law expert, but complaints about the election process go to the National Electoral Committee, whose decision can be contested in the Supreme Court.

> Or it's an argument that a voting system should have both hand-counting and digital counting, because rigging both counts is at least twice as difficult as rigging one.

The e-voting over here is actual e-voting - the vote is purely digital and done remotely. Not in any way related to the digital vote counting machines used in the US.


> It's a multiple party proportional representation system so who "wins" doesn't really matter that much.

Obviously by "wins" I meant "becomes the (biggest party in a coalition) government", not "gains the most first preference votes" or some other strawman interpretation. And yes, I admit that it is hard to calculate the minimum number of extra votes that would need to be added to change which party leads the government, but I do think that a good proportional voting system should allow that number to be determined at least to a reasonable approximation.

> I'm not an electoral law expert, but complaints about election process go to National Electoral Committee, which can have its decision contested in Supreme Court.

I wonder how long that process would take in practice, and whether the Supreme Court would decide it had the power to invalidate an election. In particular, what sort of evidence would be required to satisfy the court that it had to demand that remedy? I imagine that "The opinion polls were wrong by 6%" might not be enough, and the political biases of the judges themselves might well be significant in such a situation.

> The e-voting over here is actual e-voting - the vote is purely digital and done remotely. Not in any way related to the digital vote counting machines used in the US.

Yes, the fact that the voting can be done remotely is another problem, since someone can be bribed or coerced into voting a certain way. I believe the mitigation for this is that the voter can supersede their online vote with an in-person vote, but an attacker could quite cheaply work around this by having tracking software on the victim's phone, and henchmen outside the polling stations.


> Or it's an argument that a voting system should have both hand-counting and digital counting, because rigging both counts is at least twice as difficult as rigging one.

Unless the party rigging the counts is the one currently in power. Which in my opinion is the main risk, however minuscule and unrealistic.


> Rigging (digital or not) would be hard to hide, because it could only be a minor adjustment to remain plausible.

As candidates & parties become more competitive, the difference in their voting shares tends to narrow. Eventually you end up with large coalitions that split the electorate fairly evenly. A small adjustment is all it'd take to tip the scales. If landslide victories are common, I'd say your political system is doing something wrong.


> As candidates & parties become more competitive, the difference in their voting shares tends to narrow.

This reads like pure American exceptionalism.


A single leak can be bad, multiple leaks piled into a single actor can be life changing.


The spooks are the same government issuing the ID. They can just call up the department issuing the IDs and ask for a batch of new identities. No technical flaws necessary.


I know your comment was tongue in cheek but this has come up in the digital ID space before. All these things get bootstrapped off government sources and spooks have no problems because governments control those databases. You don’t need technical hacks if you control the systems of record.


So what's to stop the ruling party from issuing its loyal spooks thousands of ID cards in key districts, which they then use to cast fraudulent votes in the election?


So, an argument that I hear regularly is that having a mandatory centralised and cryptographic ID system really expedites certain ID-related tasks. Can anyone in Estonia comment on this? Within the US and U.K., there’s no mandatory ID, which I think is probably a good thing for civil liberties (no papers please, for instance), but also fosters certain industries such as credit reference agencies and has all sorts of weird side effects from bootstrapping things like SSNs and NI numbers into secrets. Are there companies like Jumio and Acuant in Estonia, or has the government rendered them pointless?


> I hear regularly is that having a mandatory centralised and cryptographic ID system really expedites certain ID-related tasks.

Paper signatures and fax are both considered obsolete, the latter is basically never used. Cheques? Never seen them. Logging into any high-value service is done using the eID. If you use local services there's rarely any need for any site specific passwords, password managers, U2F, FIDO(2), GPG or similar identity technology. There's no need to send a pic of yourself to verify your identity anywhere, zero shit like that.

You know how PayPal, Stripe or similar payment processors felt/feel really cool and fast? Yeah, we barely felt that because banklinks have fulfilled that use case for the majority for a really long time now.

There aren't any other examples off the top of my head right now, but they're really not the only things. By now, there's basically an entire generation in Estonia that literally has zero idea how things were before, and is thus often shocked by what and how much is required from them in other countries.

> Are there companies like Jumio and Acuant in Estonia, or has the government rendered them pointless?

They're basically nonexistent.


Seems interesting, but security flaws were in a countable (small) number of cases. Is this a general issue?


This shows the issues in process and attitude. Even in the case of ROCA, you do not really break the crypto part itself, you wiggle around the implementation and procedure issues to bypass it.
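The ROCA flaw mentioned above is a good illustration of "wiggling around the implementation": the affected library generated RSA primes of the special form p = k·M + (65537^a mod M), with M a product of the first few small primes, so a modulus built from two such primes has residues modulo every prime dividing M that fall inside the small subgroup generated by 65537. That property is cheap to check and is what defenders scan certificate inventories for to find affected keys. The following is an added, toy-scale reconstruction of that fingerprint check (written for this thread, not code from the USENIX paper, the roca-detect tool, or the Estonian eID project): it uses a primorial of the primes up to 37 both to build a vulnerable-form modulus and as the fingerprint prime list, whereas the real detector checks residues against a fixed list of the small primes up to 167 for every key size, and real M values are much larger. The modulus sizes, the fixed Miller-Rabin bases and the "+4" offset used to build the non-fingerprinted control modulus are choices made for this example.

```python
"""Toy-scale ROCA fingerprint check (added example, not project code)."""
from math import gcd, prod

# Primes dividing the toy M; the real detector uses primes up to 167.
SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]
M = prod(SMALL_PRIMES)   # primorial 37# = 7420738134810 (toy-sized)
E = 65537                # the public exponent the affected generator used


def subgroup(r):
    """Set of all powers of 65537 modulo the small prime r."""
    seen, x = set(), 1
    while x not in seen:
        seen.add(x)
        x = (x * E) % r
    return seen


SUBGROUPS = {r: subgroup(r) for r in SMALL_PRIMES}


def roca_fingerprint(n):
    """True if n mod r lies in <65537> for every fingerprint prime r.

    A modulus n = p*q with p = 65537^a (mod M) and q = 65537^b (mod M)
    always passes; an honestly generated modulus almost never does.
    """
    return all(n % r in SUBGROUPS[r] for r in SMALL_PRIMES)


def is_probable_prime(n):
    """Miller-Rabin with fixed bases; deterministic for n < 3.3e24."""
    if n < 2:
        return False
    for b in SMALL_PRIMES:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def prime_with_residue(res):
    """Smallest prime congruent to res modulo M (deterministic search)."""
    assert gcd(res, M) == 1, "residue must be coprime to M for primes to exist"
    k = 1
    while True:
        cand = k * M + res
        if is_probable_prime(cand):
            return cand
        k += 1


def vulnerable_modulus():
    """Both primes have the ROCA form, so the fingerprint must match."""
    p = prime_with_residue(pow(E, 1, M))
    q = prime_with_residue(pow(E, 2, M))
    return p * q


def clean_modulus():
    """Control: q's residue is shifted by 4 (constructed), so q mod 11 is 5,
    outside the subgroup {1, 10}, and the fingerprint cannot match."""
    p = prime_with_residue(pow(E, 1, M))
    q = prime_with_residue(pow(E, 2, M) + 4)
    return p * q


if __name__ == "__main__":
    print("vulnerable-form modulus flagged:", roca_fingerprint(vulnerable_modulus()))
    print("control modulus flagged:        ", roca_fingerprint(clean_modulus()))
```

The point the comment makes is visible in the code: nothing about RSA itself is broken, the fingerprint only exploits the structure the key generator leaked into the residues, and a process that had tested generated keys against such a check before issuance would have caught it.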


Are these things PIV or something else?


Are there any Estonians here on HN who would be willing to chat a bit about digital identities in your country? I'm working on bringing e-ID to more people (https://getpass.app/) and looking to get a better understanding of current solutions.

Feel free to reach out, my email is fabian (at) flapplabs.se

