Privacy and security issues of IDcard based register services in Estonia

1
Privacy and security issues of ID-card based
register services in Estonia

• Jüri Voore - Project Manager
• AS Sertifitseerimiskeskus / Estonia

2
Topics

• AS Sertifitseerimiskeskus ?
• National ID card project how we did it
• Privacy security versus functionality cost
• Authentication or digital signature pro et
  contra
• Future scenarios
• Lessons learned

3
AS Sertifitseerimiskeskus Certification Centre
Ltd

• Private company founded in February 2001
• Owners Banks Telcos
• Offers certification and validity services
• The only registered CSP in Estonia
• Contract with government for certification and
  national ID-card delivery
• Develops PKI infrastructure and software

4
National ID-card Project

• Government guidelines May, 2000
• Single mandatory electronic ID card for all
  residents
• First card issued January 28, 2002
• September 2004 gt 600 000 cards issued
• Biggest national eID card roll-out in Europe ?

5
What is on the card ?

• RSA cryptochip contains
• Personal data file
• Certificate for authentication (along with
  e-mail address Forename.Surname.XXXX_at_eesti.ee)
• Certificate for digital signature

6
One Card - Multiple Solutions ( ideal picture )

• Identification to retrieve info from registers
• Civil servant authenticates into the infosystem
• Info is recorded as signed documents
• Documents are exchanged between organizations
• Citizen can access own personal data

Citizen
Civil Servant
Health insurance fund
1
1
Identification
Authentication
Signature
2
4
Signature
Hospital
3
4
Authentication
5
Pharmacy

e-Citizen portal
National Registers, E-Taxes, E-voting
7
DigiDoc ?

• DigiDoc - digital signature practice used in
  Estonia
• Made by Sertifitseerimiskeskus and Look_at_World
  Foundation
• Free distribution
• Complete system
• Program libraries
• Document format
• Client program
• Portal
• Not just one application
• A function that can be added in any system
• All systems are fully compatible with each other
  regarding digital signatures
• Based on European standards
• XAdES, XML-DSIG

8
DigiDoc tools

• DigiDoc Client
• Windows application
• Lets users sign, verify signatures etc
• ID Card not needed forverification
• Available at www.id.ee
• DigiDoc portal
• https//digidoc.sk.ee
• Signing, verification,co-signing by
  multiplepersons

9
Disputable statements

• ID-card is only electronic tool for accessing
• e-services
• Authentication via Web-bank gives less legal
  assurance if things go wrong
• Certificate-based authentication limited option
• Can you trace back-wards what happened ?
• Can you prove it at court ?
• Client is always less protected than civil
  servant
• Digital signature must confirm expression of
  will

10
e-Citizens portal log-in options
?
Log-in with ID-card
X-road 14 registers 30 sercices

Log-in via web-bank
11
Secure Log

• Secure log contains
• Changes in certificate validity
• Signed confirmations of certificate validity
• No actions will be performed if logging fails
• Guarantees existance of log record
• Log records are linked cryptographically
• Back-dated transactions are excluded
• System is auditable
• Periodical publishing system provides
  non-repudiation

12
Secure Log

• Database of certificates
• Activation
• Suspension
• End of suspension
• Revocation

SeqLog
OCSP Signed validity confirmations
13
Future scenarios

• eAuthentication new EU trend
• Dutch Burgerpin
• Biometrics privacy battle coming soon
• Standardisation late as always
• WPKI new favorite
• 2005 local elections with e-voting in Estonia

14
e-Ticketing in Tallinn Tartu
Population Register
Mobile
e-Tickets database
Internet
Cash
Person must possess and show an ID-card when
buying or verifying a ticket
15
What is UES ?

• UES stands for Universal Electronic Signature
• UES is a concept of electronic signature with aim
  to universally replace handwritten signature
• UES is going beyond AES (Advanced Electronic
  Signature as of EU Directive)
• Designed for international interoperability
• MoU Estonia Finland Belgium under work
• Open for other interested parties

16
Lessons learned

• Single card solution gives savings
• It takes time !
• Card reader to every PC
• Technology is not a problem but common
  understanding and practices are
• Problems
• Less secure options - first choise
• No common standards of data exchange (vs. paper)
• Different institutions - different regulations
• Motivation !!!

17
Useful Links

• PKI CA http//www.sk.ee
• ID-card practices http//www.id.ee
• eTicket http//www.pilet.ee
• UES http//openxades.org/ues
• Further information
• info_at_sk.ee