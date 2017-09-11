The Estonian Police and Border Guard Board on Wednesday filed a court action by which it seeks a contractual penalty of 152 mln euros from Gemalto AG, the company that used to manufacture electronic ID-cards for Estonia, informs LETA/BNS.

The action was filed with the Harju County Court in connection with a breach of contract by Gemalto AG that has to do with the generating of electronic ID-card private keys outside the card's chip, which was disclosed in May of 2018. In the action, the Police and Border Guard Board is seeking a contractual penalty in the amount of 152 mln euros, spokespeople for the Police and Border Guard Board said.





The breach of security requirements was revealed as a result of collaboration with researchers at the University of Tartu and an analysis by experts at the Estonian company AS Cybernetica, which revealed that the contractual partner generated the private keys of some ID-cards outside the card's chip.





"To ensure the security of the ID-card, it is important to have confidence that private keys can be nowhere else than in the chip of the card. Therefore we have also set the requirement that private keys can be generated only inside the chip. Unfortunately, it was revealed that the contractual partner breached this requirement for years, and we view this as a very substantive breach of contract. The analysis by experts at Cybernetica clearly demonstrated that a breach like this could have taken place only as a result of knowing and intentional action by the contractual partner," said Krista Aas, deputy director general of the Police and Border Guard Board.





According to Aas, over the course of more than a year several different and very serious breaches have been revealed in the fulfilment of the contract concerning the ID-card, which include the security risk that became known last fall and the generating of private keys outside the chip that became public in May this year.





The Police and Border Guard Board is filing different lawsuits concerning the different breaches of contract given the very complex nature of the cases both legally and technically.

"This is a specific field, and we wish to delimit each violation clearly. Therefore we decided that we will file separate lawsuits concerning each violation. The first lawsuit we filed is in connection with the prohibition on the generating of private keys outside the chip, since this is the most serious violation for Estonia, where the contractual partner has knowingly contravened the terms set by the Estonian state and put into jeopardy the integrity of electronic identities and the credibility of the Estonian eID," Aas said.





The faulty ID-cards were issued between January 2011 and October 16, 2014 and the faulty residence permit cards between January 2011 and December 17, 2014, and were updateed at the service offices of the Police and Border Guard Board from July 2012 to July 2017. Altogether such cards numbered over 74,000, and on June 1, 2018, the Police and Border Guard Board declared the certificates of 11,111 ID-cards and residence permit cards invalid.