We told you about a potential security vulnerability. Here’s our update.
E-residents will soon need to remotely update their digital ID card certificates. Cards issued from November 2017 are unaffected.
The Estonian government announced one month ago that a group of international security researchers had identified a potential security vulnerability that affects the use of Estonia’s ID cards and digital IDs, including those held by e-residents.
Although the security risk is still theoretical and no one’s digital identity has been misused, immediate precautionary measures were taken to minimise the risk while the situation could be fully assessed and a solution developed.
The decision was also made to notify the public and keep them updated on key developments. This transparency is essential because our digital nation depends on the trust and support of everyone who lives within it. As a result, I also wrote to e-residents to explain the situation and said I would write again when we can provide an update.
The problem has now been fully assessed and I’m pleased to say that a solution is under development and is expected in the near future.
The security vulnerability uncovered makes it theoretically possible for an ID to be misused, although it would require considerable expertise and resources to do this with any single digital ID and we are still not aware of any incident in which this has happened.
The solution is that all existing e-residents will need to update their certificates (once ready) using the ID card software on their computer. If you haven’t downloaded the software yet then please do so here. Every e-resident who receives a digital ID card issued from November 2017 (including everyone now applying) will be unaffected by the security vulnerability. These two solutions will fully resolve the issue for everyone.
It will be possible to easily update the certificates remotely (without travelling to an Embassy) and you will be automatically notified by the Estonian Police and Border Guard Board when the update is ready — although we will also remind you through all our official e-Residency channels.
In order to ensure that fewer e-residents have to go through this process of updating the certificates, the creation of new e-Residency digital ID cards has now been temporarily paused while we switch to the new cards that will be ready in November.
As a result, existing and future e-residents will be contacted to explain the situation based on their circumstances, but I also want to give a broad overview of the advice here.
What you’ll need to do
- If you would like to apply for e-Residency then please still do so. The application process is unchanged, although it will take longer to issue your card than usual for a limited period. You will receive an email to let you know whether your e-Residency has been granted and if successful you will receive a new card that is unaffected by this issue. No further action is required.
- If you are an e-resident and have already collected your card then you will be notified when the certificates are ready to be updated. As mentioned, we’ll also remind you on all our channels. This can be done at home and there is no need to travel to an Embassy or anywhere else to do this.
- If you have applied, but have not yet been granted e-Residency then the application processing time may take slightly longer than usual. However, you will be notified by email as normal if your application has been successful and then you will receive a new card that is unaffected by this issue. No further action is required.
- If you have been granted e-Residency, but not yet informed that your card is ready then you will be notified by email as normal once it is ready for collection. You should receive the notification within the following weeks. Your card will require the certificates update.
- If you have been granted e-Residency and already told that your card is waiting to be collected then please schedule a time to collect your card before 1 December. Your card will require the certificates update.
- If you were granted e-Residency more than 6 months ago but have not yet collected your card, please contact your chosen pickup location to confirm the status of your digital ID card. You will get further instructions from that pickup location.
However, if you are facing this slightly longer waiting time and urgently need to use your ID card then please do inform the Estonian Police and Border Guard Board. They will try to accommodate people as much as possible.
What we’ve learnt from this
I want to say a huge thank you to e-residents around the world who have written to us or commented on social media with such supportive messages since the situation was first discussed.
I have to admit that it also came as a surprise because our team was instead ready to support e-residents who may have understandably been concerned or even annoyed. It confirmed what we already believed — openness is always the best policy and it’s one of the key values guiding our programme, our business environment and the development of our entire digital nation.
Estonia considers the security of its citizens, residents and e-residents to be among its very top priorities. I saw first hand the enormous amount of work and co-operation that people across government have put into resolving this situation. I would particularly like to commend the Estonian Police and Border Guard Board who are essential for preserving the integrity and legitimacy of our new digital nation. This is why we can welcome e-residents from around the world who wish to conduct business with greater trust online.
Finally, I would strongly recommend reading this very insightful article by Kalev Leetaru in Forbes about the situation. Here are some key points he made:
> In the case of Estonia, as a pioneer and vanguard of e-government and a truly digital society, the country resides at the forefront of what it looks like to apply advanced technology, identity and cryptographic systems at a national scale to digitally authenticate and secure the communications and data of an entire populace. This necessarily means that it also resides at the forefront of the conversation and research around those fields and that as computing advances and new discoveries inevitably uncover weaknesses in algorithms or approaches, Estonia will be among the first to have to address each issue.
>
> …the researchers had followed the traditional practice of “responsible disclosure” in which they notified the relevant Estonian agencies through official channels and are giving them time to implement mitigation measures prior to the researchers presenting their work at a forthcoming security conference. This is the way security is supposed to work — researchers identify a new weakness made possible by advancing computing power or algorithmic advances, report it and give the organization time to correct it.
>
> Instead of overhyped headlines about the doom of e-government, the reality is merely the march of cryptography and life as usual in our ever-advancing digital world.
If you have any questions or feedback then please do contact our team on firstname.lastname@example.org.