On August 30, 2017, an international team of security researchers notified the Estonian government of a security vulnerability affecting the digital use of Estonian ID cards issued to around half of the Estonian population. The vulnerability affects 750,000 ID cards issued to a population of 1.3 million, and the Estonian Information System Authority (RIA) has taken measures to restrict some of the ID card’s security features until a permanent solution is found.
While there appears to be no sign of unauthorized use (the vulnerability appears to have been a “theoretical” vulnerability), the discovery of the vulnerability comes as Estonia continues to advance its national “e-Estonia” initiative to bring its citizens into a digital ecosystem of public and private services built upon the security and authentication provided by the Estonian ID card.
Blockchain and Identity
The e-Estonia initiative is notable for its technological innovation that currently makes Estonia a preeminent use case of blockchain technology and public-key cryptography in the delivery of government services. However, as this event shows, cybersecurity and privacy considerations must remain at the forefront of centralized security and authentication, especially in the case of multi-use identification cards.
Since 2013, Estonian government registers have paired cryptographic ‘hash functions’ with distributed ledger technology, allowing the Estonian government to guarantee its various records.
The ID card unifies access to a host of services. Citizens can order prescriptions, vote, bank online, review school records, apply for state benefits, file their tax return, submit planning applications, upload their will, apply to serve in the armed forces, and fulfil around 3000 other functions. Business owners can use the ID card to file their annual reports, issue shareholder documents, apply for licenses, and so on. Government officials can use the ID card to encrypt documents, review and approve permits, contracts and applications, and submit information requests to law enforcement agencies.
Digital authentication is convenient and saves both time and money for government, business and public services. However, in order to function effectively, it is critical for the government to know its records are the right records, and that they have not been altered. The underlying technology in the Estonian ID card is blockchain, which records every piece of data with proof of time, identity and authenticity – providing a verifiable guarantee that data has not been tampered with.
This immutable ledger identity was thought to be highly secure, and even believed to be unbreakable. However, the reported vulnerability in this case is notable due to the increase in computing power in recent years. A few years ago, exploiting such a vulnerability would have been significantly more expensive and thus more unlikely than it is today.
Identity Cards and Identity In Canada
Canada does not have a national identity card; Canadians (and others with appropriate residency status) are issued a Social Insurance Number, which is used for certain permitted purposes, but the card itself is not an identity document and was phased out in 2014, in part because of creep in the scope of use and the lack of security features on the card.
The Office of the Privacy Commissioner of Canada has opposed the use of a national identity card in Canada. The provinces have dabbled with various “enhanced” driver’s licenses and other types of cards, with varying success and varying levels of resistance.
British Columbia and Manitoba have both moved towards a multi-use identification card, with significant privacy implications for individuals and businesses. The provinces of Quebec, Manitoba, Ontario and British Columbia have negotiated a Memorandum of Understanding with Citizenship and Immigration Canada and the Canada Border Services Agency to implement their provincial “enhanced driver’s license” programs. For example, Ontario’s “enhanced driver’s licence” serves as an identity document and permits travel between Canada and the United States of America when travelling by road or water. Currently, the programs are voluntary.
More recently, the Digital Identity and Authentication Council of Canada (DIACC) spearheaded the creation of a national digital identity ecosystem, the Pan-Canadian Trust Framework (PCTF), which would enable digital identity and, by extension, facilitate trustworthy digital transactions. The trust framework would define and standardise processes and practices, and specify data protection policies that government agencies, banks, telecommunication companies, health care providers, and businesses agree to follow with regard to information assurance practices.
The PCTF is backed by a public-private consortium that includes the governments of Ontario, British Columbia, Saskatchewan, and New Brunswick, along with Canada’s leading banks, telecom companies, and universities. It has been reported that the digital identity supercluster bid was able to raise $185 million of private sector investment for use over five years in just four weeks. If selected to move on to the second phase of the initiative, it will need to raise $250 million, the target for matchable funds set by the federal government.
Integrated identity products save time and money, and can lead to increased security on a transaction-by-transaction basis. However, the consistent concern has been that while standalone services with discrete databases naturally limit the information accessible to intruders in the wake of a data breach, a data incident involving a multi-use identification card that permits access to a host of services could result in wide-ranging damage. Governments and businesses alike are well-advised to maintain a cybersecurity incident response plan to limit data loss and organizational disruption. Integrated identity documents have the potential to create disruption both for the public issuers of such documents and for the businesses that rely on them. Businesses and governments embracing new technologies (or reviewing older technologies) should be aware of the need to “future-proof” their investments.
For more information, see McCarthy Tétrault’s Cybersecurity Risk Management – A Practical Guide for Businesses