A group of Czech security researchers earlier this year discovered a way to steal identities from electronic ID cards used in a number of countries, known in the cryptography industry as a ROCA vulnerability. So far, the vulnerability has caused problems in Estonia — the country with perhaps the most comprehensive e-identification and e-government system in the world — and in Spain. Former Estonian President Toomas Hendrik Ilves, a tireless promoter of his country’s e-democracy, has said that other countries and institutions have the same problem, too; they’re just not talking openly about it. He’s very likely right.
The discovery poses an important question: Could we perhaps be overeager to adopt technological solutions to problems that don’t necessarily require them?
Cryptographic smartcards use two mathematically linked keys to encrypt and decrypt information: A public one and a private one. The owner is free to hand out the former but must hold on to the latter. She can, for example, sign a document with the private key, and the public one can then be used to verify the signature. The researchers from Masaryk University discovered that a software library from the German company Infineon, used in many smartcards, made it too easy to compute private keys from public ones. That potentially creates opportunities for identity theft or the dissolution of millions of electronically signed contracts.
Infineon has changed the key generation algorithm to fix the flaw, but millions of cards out there, including 750,000 Estonian ones, ended up needing a certificate update. For tiny Estonia, which has made advanced technology its global differentiation point, a single case of identity theft could be a reputational disaster, so the nation’s government decided to be transparent about the update. Predictably, though, when tens of thousands of people attempted to install the update, waiting times and failures mounted. After spending hours trying to update her ID card, Theresa Bubbear, the U.K. ambassador to Estonia, wondered in a tweet on Nov. 2 whether “eEstonia” might be “losing its shine.” Only on Nov. 16, she finally tweeted “Hallelujah!” as the update came through.
Spain, though, is a much bigger country with some 60 million electronic identity cards in circulation. Spaniards cannot use them to vote or conduct financial transactions as Estonians do, but now that the government has deactivated the digital certificates on the cards, they can’t use functionality such as signing documents at machines installed at police stations. The Spanish authorities haven’t been as forthcoming about explaining the problem as the Estonian ones have been, thus creating confusion.
The problem will eventually be fixed; if you’re worried that your crypto keys are affected, there’s a website associated with two of the Czech researchers where one can check that. But the big question is whether governments should push ahead with putting more critical services online.
When I visited Estonia in 2015 to talk to Ilves, who was still president then, and to the people running the country’s digitalization effort, I came away envious of what had been achieved. Transactions with the government hardly ever require a visit to an office. National databases are online and accessible with the digital ID. The electronic signature is ubiquitous. You can see your X-rays online, whichever doctor took them. A parliamentary election had just taken place, and some 170,000 people voted from home using their identity cards. I wondered why more countries weren’t adopting Estonia’s inexpensive, easily scalable system.
The ROCA flaw provides an answer to that question while doing little to dispel my envy. Estonia, with its manageable size and relatively close-knit, trustful society can deal with the occasional glitch, especially since it has taken up the mantle of an experimenting early adopter. Even if a major hack damages its global reputation, the conscious position of a testing ground, located right on the Russian border to boot, can help Estonia live it down.
It’s harder, however, for a country like the U.S., the U.K. or Germany to live with this kind of technological risk. Recent U.S. breaches, including the Office of Personnel Management hack that exposed the personal data of millions of government employees, or the Equifax disaster that affected 143 million Americans, show the danger of putting personal information online. As for e-voting, if the U.S. and U.K. used the Estonian system and the same key generation algorithm, hackers could have changed the results of the Brexit referendum or the 2016 presidential election — and nobody would have been the wiser today.
As much as I’d like never to have to visit a government office again — as I constantly have to do in Germany, with its time-honored, paper-based bureaucratic procedures — I have to admit that old-style pencil-pushing has its advantages, especially in countries big enough to make breaking into government databases massively rewarding for criminals and spies. We face an only subtly different dilemma when contemplating self-driving cars. I know I can make a mistake behind the wheel that will kill me. But I’d rather live with this risk than with that of an algorithmic malfunction or hack that will have the same effect.
Pushing ahead with digitalized government, or indeed with any major technological change, shouldn’t be a choice we make with our eyes closed. Societies should have the risks thoroughly explained to them before they vote to allow these breakthroughs.