Estonia, EU – Baltic States, Legislation, Security, Technology
International Internet Magazine. Baltic States news & analytics
Thursday, 27.09.2018, 13:02
Estonia seeking 152 mln euros contractual penalty from ID-card manufacturer Gemalto
The action was filed with the Harju County Court in connection with a breach of contract by Gemalto AG that has to do with the generating of electronic ID-card private keys outside the card's chip, which was disclosed in May of 2018. In the action, the Police and Border Guard Board is seeking a contractual penalty in the amount of 152 mln euros, spokespeople for the Police and Border Guard Board said.
The breach of security requirements was revealed as a result of collaboration with researchers at the University of Tartu and an analysis by experts at the Estonian company AS Cybernetica, which revealed that the contractual partner generated the private keys of some ID-cards outside the card's chip.
"To ensure the security of the ID-card, it is important to have confidence that private keys can be nowhere else than in the chip of the card. Therefore we have also set the requirement that private keys can be generated only inside the chip. Unfortunately, it was revealed that the contractual partner breached this requirement for years, and we view this as a very substantive breach of contract. The analysis by experts at Cybernetica clearly demonstrated that a breach like this could have taken place only as a result of knowing and intentional action by the contractual partner," said Krista Aas, deputy director general of the Police and Border Guard Board.
According to Aas, over the course of more than a year several different and very serious breaches have been revealed in the fulfilment of the contract concerning the ID-card, which include the security risk that became known last fall and the generating of private keys outside the chip that became public in May this year.
The Police and Border Guard Board is filing different lawsuits concerning the different breaches of contract given the very complex nature of the cases both legally and technically.
"This is a specific field, and we wish to delimit each violation clearly. Therefore we decided that we will file separate lawsuits concerning each violation. The first lawsuit we filed is in connection with the prohibition on the generating of private keys outside the chip, since this is the most serious violation for Estonia, where the contractual partner has knowingly contravened the terms set by the Estonian state and put into jeopardy the integrity of electronic identities and the credibility of the Estonian eID," Aas said.
The faulty ID-cards were issued between January 2011 and October 16, 2014 and the faulty residence permit cards between January 2011 and December 17, 2014, and were updated at the service offices of the Police and Border Guard Board from July 2012 to July 2017. Altogether such cards numbered over 74,000, and on June 1, 2018, the Police and Border Guard Board declared the certificates of 11,111 ID-cards and residence permit cards invalid.
