back to article Estonia government locks down ID smartcards: Refresh or else

The Estonian government is suspending the use of the Baltic country’s identity smartcards in response to a recently discovered and wide-ranging security flaw. Residents of the Baltic country will still be able to use smartphone equivalent of the technology, which is used to access government services and online banking. Use of …

  1. Anonymous Coward
    Anonymous Coward

    Is there any chance

    That we could outsource our government to Estonia? They seem to have a clue.

    1. This post has been deleted by its author

      1. Lars Silver badge
        Joke

        Re: Is there any chance

        "The country that gave the world.......". Over many years I have come to understand that the English have a slight tendency to stretch the truth a bit when it comes to inventions, and being the first for instance.

        I would agree on rail and Cricket, still it's not a bad idea to have a look at the Wiki on rail:

        https://en.wikipedia.org/wiki/Rail_transport

        The radar is a long interesting story and very typical in that it builds on previous breakthroughs.

        https://en.wikipedia.org/wiki/Radar

        To call it a particularly British invention is to stretch the truth.

        The jet engine is a topic that seems to raise feelings and voices very high indeed in Britain. But as it was, the Germans came further and earlier than the Brits. Frank Whittle who was, no doubt, a clever guy did later write that the German version was technically more advanced but hampered (luckily, my comment) by lack of high quality material. Whittle had great difficulties selling his ideas in Britain, luckily the Germans had similar problems with the Luftwaffe and Hitler (rocket man).

        Regarding the German advantage you find this on the Wiki:

        "Following the end of the war the German jet aircraft and jet engines were extensively studied by the victorious allies and contributed to work on early Soviet and US jet fighters. The legacy of the axial-flow engine is seen in the fact that practically all jet engines on fixed-wing aircraft have had some inspiration from this design."

        https://en.wikipedia.org/wiki/Jet_engine

        Dear Brits, try to accept you are a part of the world.

        And now sit down with pen and paper and write down all the inventions you know, and to make it easy, just for France, Germany, Sweden and the USA. Hopefully that list will be long.

        For something lighter, and for earning the icon, I have come to the conclusion that it is as well Da Vinci was not British or some Brit would have told the French that the helicopter is actually a British invention and I suppose it's as well too that Jules Verne was not British either or some Brit would have told the Americans that going to the moon was actually a British invention.

        1. Anonymous Coward
          Anonymous Coward

          Re:try to accept you are a part of the world.

          Nope. The owners of the Daily Mail say we aren't, therefore we aren't.

          Anwyay, your list is missing the biggest British contribution to the modern Western world: the "masters of the universe" in the modern "financial services" sector (though in fairness to most of Britain, this is actually the City's contribution, it doesn't really exist much outsde the M25 parking zone).

          Does Estonia have local equivalents of outfits like Crapita, Serco, or similar outsourcers yet?

    2. John Smith 19 Gold badge
      Unhappy

      "They seem to have a clue."

      Perhaps because all ID card file access have an audit trail to them?

      Estonia was the poster boy for the UKG cradle-to-grave National Identity Register scheme (nothing to do with actually verifying you ID but a lot to do with tracking who you are and what you're doing for the rest of your life).

    3. Lars Silver badge
      Happy

      Re: Is there any chance

      I suppose one could point out that Estonia becoming independent again in 1988 they had an opportunity to start from scratch regarding the whole system and they did that with enthusiasm and a lot of energy. Estonia newer fell that much behind Europe during the occupation. One might remember that the USSR never gave up on STEM and they had the Finnish television across the very narrow Bay of Finland and were able to enjoy all the marvels of the western world like say Archie Bunker and Monty Python all in their original language as TV programs are not dubbed in Finland.

      Fuck you dubbers of the world, should you not think of the children learning a language and reading too.

      (Fuck you Danes who had me listening to John Wayne in Danish, I had to give up, the guy has an iconic voice after all).

      Then for the ID cards, I have followed that educated and intelligent soft voiced British discussion more or less from the beginning I must admit I don't quite get you, You do have to identify yourself at times, soon so much easier with that passport of the right and only colour. driving perhaps with some identification too. And I would presume you will not be able to open a bank account as Donald Duck (anymore?). I could get a Finnish one but as I have that other stuff and for logging into the "IRS" and similar we can use our bank logging credentials.

      So what is the big problem there, perhaps it's all about the two-party system and nothing else.

      But regarding electronic voting, no thanks, slow down there Estonians, you never know who could fuck up that system for you, and when. You will never be able to make it totally safe, unless you have started to overestimate yourself.

      1. Doctor Syntax Silver badge

        Re: Is there any chance

        "You do have to identify yourself at times, soon so much easier with that passport of the right and only colour. driving perhaps with some identification too."

        What we don't like is the idea of some jobs-worth coming up to us and demanding our identification. It doesn't sit well with our ideas of the assumption of innocence etc. The easiest way to stop that is to ensure that there is no such item that the jobs-worth could demand.

        1. Doctor Syntax Silver badge

          Re: Is there any chance

          "What we don't like"

          Perhaps I should qualify "we" as GB. During the troubles in we got used in NI to having to provide ID at checkpoints. It came as a major culture shock to my parents when they visited and we got stopped at a VCP on a back road from Aldergove to Listburn.

          I'm curious as to what's the attitude there now. Anybody?

        2. Lars Silver badge
          Happy

          Re: Is there any chance

          There is nothing "some jobs-worth coming up to us and demanding our identification." anywhere in Western Europe. Where do you get silly ideas like that, are you not trusting your government or Britain to be a democratic country. Hogwash Doctor.

        3. David Pearce

          Re: Is there any chance

          Except that you have to produce a driving licence for many purposes these days.

          I wonder how secure the driving licence system really is, with the claimed ~ 1 million uninsured cars on the road

        4. onemark03

          Re: Is there any chance

          The objection to ID cards has less to do with the jobsworths of this world and more to do with the historical and cultural objection in the UK that we associate ID cards with non-democratic forms of government. If you like (and I have said this before on El Reg.), being required to flash an ID card while walking or driving along the queen's highway is downright offensive.

          I also agree with the bit about the assumption of innocence.

      2. allthecoolshortnamesweretaken

        Re: Is there any chance

        20.08.1991, actually. But yes.

      3. Stork Silver badge

        Re: Is there any chance

        Now you shock me - I am Danish and lived there until I turned 25 in 1992, and the only occasions I heard JW speaking anything but English was when on German TV.

      4. Cynic_999

        Re: Is there any chance

        "

        So what is the big problem [about getting an ID card], perhaps it's all about the two-party system and nothing else.

        "

        There would be no problem for me if the proposals were *only* about having an ID card. But the ID card was being proposed as a mechanism for tracking people 24/7 and as the basis for a unified database containing all your personal details in one place.

        As soon as the law states that everyone must carry an ID card at all times, there will be reasons found why more and more services need to routinely see that ID card. So you will need to swipe your ID card to get served at a pub or buy rail ticket or enter a casino - etc. etc. And every swipe sends your location back to Big Brother where it is meticulously logged and kept forever. And you suddenly find your insurance premiums increase, or you are refused health treatment because the computer says your lifestyle is too unhealthy.

  2. Anonymous Coward
    Anonymous Coward

    Is there any chance...That we could outsource our government to Estonia? They seem to have a clue.

    Do they now? Creating a vast state managed ID scheme, and then finding that the security is flawed seems the sort of problem that one would expect of any bunglement. What advantage is it you're hoping for by being governed by the Estonians? Being invaded by Russia to protect the rights of ethnic Ruskies, or access to a flawed identity card system?

    1. Anonymous Coward
      Anonymous Coward

      They are high on the economic freedom index showing they have a transparent government.

      They are also members of Nato so the Ruskies aren't going anywhere near it.

      Finally I would rather have a government that see's a problem, admits it's a problem then fixes that problem than the snakes we currently have.

      What's not to like? Are you advocating our government is not worth outsourcing and that they are doing a stellar job?

      1. Anonymous Coward
        Anonymous Coward

        "Finally I would rather have a government that see's a problem, admits it's a problem then fixes that problem than the snakes we currently have."

        Exactly. In the UK Sir Humphry would spend six months obscuring the problem. Questions would be asked in the House by the Opposition who would be jeered by the government side. Then there would be a major data breach - say Boris Johnson being stopped from entering the country because a wanted terrorist had cloned his details. Then there would be a working party. Several years later a new ID card system would be trialled in a low population area and promptly fall over.

        Also, Equifax shows the US government is equally useless.

        1. Doctor Syntax Silver badge

          "In the UK Sir Humphry would spend six months obscuring the problem."

          It would, however, be Sir Humphrey, and not Jim Hacker, who'd be in favour of the ID card in the first place. Hacker would realise it could lose him an election. Sir H would, of course, not have to carry such a demeaning object himself; he'd excuse graduates of both Universities.

      2. lifetime security

        That is how you handle security issues

        There is no perfect security. There will be mistakes and errors. Estonia did the right thing and moved forward.

  3. Jason Bloomberg Silver badge

    Population 1.35 million

    "Acceptance of and trust in the technology is widespread, so the need to update cards will likely be regarded as an inconvenience rather than something that might undermine longer term confidence."

    Yet over half the population "have not yet been able to update their certificates" and the clock is ticking towards the midnight deadline. They might have a different opinion tomorrow.

  4. Slx

    What I don’t like a lot these eID systems is it’s a single point of failure.

  5. The Nazz

    The UK would be like Facebook

    In that whilst the UK's population is circa 65m, (increasing in 2016 by some net 583,000) there would be significantly more identity cards issued.

    Only yesterday did the BBC run a story on a Grenfell disaster fraudster, a single Vietnamese guy with 28 identities.

    The UK is a long, long, long way from getting it's act together accurately on any such matters.

    1. Anonymous Coward
      Anonymous Coward

      Re: The UK would be like Facebook

      "In that whilst the UK's population is circa 65m, (increasing in 2016 by some net 583,000) there would be significantly more identity cards issued."

      How many of those 65 million are the 27 alternative identities of various Vietnamese guys?

  6. John Smith 19 Gold badge
    Gimp

    Now imagine that flaw being found in a British ID card system....

    1) There is no flaw

    2) There is a slight flaw but we have fixed it. Nothing to see here. Move along.

    3) We have fixed it again.

    .

    .

    .

    n) We are invalidating all ID smart cards and issuing new ones starting Midnight tonight.

  7. Slx

    Ireland's currently and rather controversially rolling out a "voluntary" electronic ID card which is required for claiming all types of social payment, applying for a driving test or a passport and a number of other things, including oddly enough operating as a public transport ID for old age pensioners who all get free travel.

    It's a smart card that contains biometrics (facial recognition) and has good photos on the front. It looks for all intents and purposes exactly like Continental European ID cards and you register by attending an appointment at an ID verification centre.

    The card also uses 2 or 3 factor (SMS verification) security and secret question answers to authenticate things online for access to sensitive personal information like welfare records though a service called MyGovID which grants various levels of access depending on how many layers of security you've setup.

    At present the tax system (ROS) still has its own online sign in service using fairly complex digital certificates.

    It makes sense in that it gives you a definitive form of ID for accessing stage services, which is probably more secure than the current Irish gold standard form of ID, a utility bill in your name.

    We've also introduced a passport card as an extension of your existing passport. You apply this by downloading an app to your mobile, taking a selfie and that's then compared to your existing passport photo on file. They issue the card and you can use it for EU/EEA travel and as an alternative to ID cards so you don't have to carry your passport book while on the continent.

    For practical reasons you do need some of these things. It's crazy having to provide umpteen documents to various public bodies to prove who you are and prove your address everytime you need to access something and it does improve security.

    What worries me though is the potential single point of failure issues and also the possible function creep, if it's not tightly regulated. That's already happened with PPS numbers (equivalent or Social Security / National Insurance) where all of a sudden they're needed for everything from school registration to applying to University etc etc

    Add to that Ireland now has a postal code system called Eircode that assigns a unique 7 character alphanumeric code to every address, not to a street / area like UK or most other systems.

    It's incredibly handy for sat nav use when enabled. Like you can just whack in X12 A1B2 and Google maps will take you to the door. But it is starting to look like we are increasingly trading privacy for convenience.

    1. ad47uk

      Not really voluntary then if you need it do get benefits and driving licence, unless you don't want those things. The problem with voluntary is that it soon become compulsory, The tories in the UK wanted a voluntary one, but then Labour got in and they wanted a compulsory one, then the Tories got in again and shut it all down.

      Labour spent millions on an I.D card that never cam,e to anything and was not required. thankfully I do not think we will have an I.D card in my lifetime, even less chance now that are getting out of the E.u

      1. Slx

        Given that it's nothing to do with EU policy and you've elected a government that makes Big Brother seem fairly easy going and the alternative is a centre left party that also loves data mining citizens, I'm not quite sure how being out of the EU will help at all. It may actually become more extreme as any data gathered won't be subject to ECHR or EU data protection / privacy rules...

        The original rationale in Ireland was that it would cut down on welfare fraud (popular amongst centre with voters) but then it suddenly seems to have morphed into a quasi-compulsory National ID card, just without calling it an National ID card.

        The passport card is actually handy enough as it's genuinely 100% voluntary and just gets you around Continental European ID issues if you're spending a lot of time there. It's an absolute pain in the rear when you have to start bringing passports to access offices, or carry them around the place generally. The main reason the Irish Passport Office pushed the rollout was to avoid having to deal with as many lost passport books caused by having to constantly have them on your person on the continent.

        There's some push back on it here on the "Public Services Card", but I don't think it's turned into a huge political issue. Although, Irish voters can sink governments over less. Water charges here turned into a massive political issue and have basically been rolled back upon and may yet even lead to constitutional referendum to prevent anyone ever privatising Irish Water.

        1. Alan Brown Silver badge

          "The original rationale in Ireland was that it would cut down on welfare fraud (popular amongst centre with voters)"

          The amusing thing about that old saw is that usually XYZ country spends umpteen millions to implement a system to cut welfare fraud estimated at "umpteen * N", only to find that _actual_ welfare fraud is "some small fraction of umpteen" and that the vast majority of it is being perpetrated by welfare department staff (also that such frauds should have been trivially detectable using the pre-existing systems - picking up things like payments for different identities going to the same bank account. Crooks aren't usually smart)

          Once that gets discovered they have to start finding other ways to justify the system's existence (ie, a solution looking for a problem)

          On a similar note, areas which introduced mandatory drug testing of welfare recipients discovered that they were spending a hell of a lot of money to find one or two cases per year. It shouldn't be a surprise that people on welfare can't afford (illegal) recreational drugs and those who do partake when they can't afford tend to be quite obvious.

      2. John Smith 19 Gold badge
        Gimp

        "thankfully..we will have an I.D card in my lifetime,less chance now..out of the E.u"

        You might like to keep in mind that Tony Blair wanted to introduce them at the time when the IRA (the last serious threat to British security) had just about put their weapons "Beyond use."

        What makes you think leaving the EU will discourage this scheme?

        1. Anonymous Coward
          Anonymous Coward

          Re: "thankfully..we will have an I.D card in my lifetime,less chance now..out of the E.u"

          "What makes you think leaving the EU will discourage this scheme?"

          it will probably make it more likely, not less. No pesky GDPR for govt to worry about,and the alleged need to track the tens of billions of illegal immigrants the tabloids would have us believe are here ....

    2. Doctor Syntax Silver badge

      "What worries me though is the potential single point of failure issues and also the possible function creep, if it's not tightly regulated. That's already happened with PPS numbers (equivalent or Social Security / National Insurance) where all of a sudden they're needed for everything from school registration to applying to University etc etc"

      That seems to be a problem with the US SSN which is regularly part of the PII lost in data breaches.

      1. Alan Brown Silver badge

        "That seems to be a problem with the US SSN which is regularly part of the PII lost in data breaches."

        The thing about US SSNs is that they're only required for certain government-related interactions (not even for tax, you can use a Taxpayer Identification Number instead)

        Private companies were never supposed to process them and in most cases you don't have to give it.

    3. Alan Brown Silver badge

      "a unique 7 character alphanumeric code to every address, not to a street / area like UK or most other systems."

      FWIW, the US Zip code system has "to the house" precision - Not in the first 5 digits, but in the next 4+2 which aren't used much by humans. (ZIP+4 plus 2-digit delivery point code - this is encapsulated in the intelligent mail barcode applied to every piece of mail in the US postal system, either by sorting machines or by bulk mailers before posting)

      1. Slx

        Not quite, I had to read up on this stuff recently.

        Zip+4 only gets down to either a smaller geographic area, or an apartment / office building or a high volume mail recipient like a business that interacts a lot by mail. It's sort of assigned as needed by USPS rather than following any particular logic and is there to assist them with mail sorting.

        Eircode is an actual geolocation service with an intention to be used for much more than mail sorting.

        The main purpose of it was to deal with Ireland's issue with non-unique addresses and very verbose addressees that could cause a lot of confusion for couriers / taxies / emergency services etc.

        Some of our addresses are basically a short sonnet rather than anything that would actually tell you where the house / office actually is.

        Eircode looks a bit like UK or Canadian codes, but it's a different concept.

        A12 A1B2

        A12 = "Routing Key" (broad area. This varies from an area of a city to a large rural area)

        A1B2 = quasi-random code that links to an exact delivery point and includes its map coordinates.

        There's a fully developed API and all of that stuff to go with it.

        So for example if you put in:

        If you type in "K67 C3V1 Ireland" into Google maps it should take you directly to Dublin Airport for example.

        In an office block with multiple companies or an apartment building, each unit has a unique code.

        There are concerns over privacy as it's a unique code referencing every single address in the country and could end up being a bit like a permanent geo-cookie..

    4. katrinab Silver badge

      Our company has a login for ROS because we sell stuff in Ireland and therefore have to be registered for tax there, but presumably we wouldn’t be eligible for an Irish ID card or passport. For that reason, ROS would need to keep a separate authentication system, at least as an option, or they would need to introduce some sort of tax-payer only corporate id card.

      1. Slx

        ROS has been upgraded and is being actively developed, so I would suspect it's going to continue on as is for businesses and self-employed tax returns.

        MyGovID is being used for "myAccount" for personal tax and welfare services only. So it covers things like PAYE, shuffling tax credit assignments between life partners, PRSI, pensions, various tax incentive programmes for home improvements and all of that stuff.

    5. Anonymous Coward
      Anonymous Coward

      "Ireland's currently and rather controversially rolling out a "voluntary" electronic ID card which is required for claiming all types of social payment, applying for a driving test or a passport and a number of other things"

      Ireland already has a "voluntary electronic ID card" - the drivers licence.

      "Add to that Ireland now has a postal code system called Eircode that assigns a unique 7 character alphanumeric code to every address, not to a street / area like UK or most other systems." Millions of Euro spent to have some person generate an alphanumeric postbox identifier, carefully crafted so that snobs in Dublin would still have 'D4' in their postcode, when other systems could have been adopted for a fraction: Loc8 was offered, OpenPostcode is completely free.

      1. Slx

        To be honest, none of those systems are free as you’d have had to pay someone for any of the privately developed ones and you’d still have had an administration overhead with OpenPostcode.

        I don’t agree with the way it was rolled out and the tender was oddly constructed to eliminate smaller bidders, but I can’t really see it being totally free no mater how it was done.

        Also we don’t have any universal voluntary ID

        Driving licenses aren’t universal. A % of the the population doesn’t qualify for them - too young, too old, not drivers.

        Passport Card is OK as it’s sort of universal but you can be permanently resident in Ireland and not an Irish citizen. So you wouldn’t qualify for an Irish passport card. EU and other nationals are entitled to a PPS and a MyGovID / Public services card.

        I just think there are positives and negatives to having universal ID systems. They verify identify but if you accept them as the gold standard for proving ID, then the challenge becomes forgery or hacking.

        No system is 100% uncrackable and it makes some sense to run checks and not totally rely on tech.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like