[Stierlitz]

> n this paper, we describe several security flaws found in the ID card manufacturing process ..

Like accidentally on purpose,secure up to a point, but weak enough to allow the spooks to generate their own IDs. I mean if the cards were unhackable how would a spy do his job :]

[chrismeller]

As an American residing in Estonia, I’m not sure what the benefit of a state compromising the card crypto would be. There are four broad categories of uses for the ID cards:

1) Obviously, a government-issued photo ID

2) For an increasing number of shops, as your “frequent shopper” card, which admittedly is slightly related to...

3) Authentication, including: logging into your bank, government websites (the state portal, the tax authority, the the “digital story” - all your medical records, the online booking website for booking some combination of surgeons/specialists that operate under the public healthcare system), the (one) online pharmacy that exists, etc.

4) Signing things. I’ve signed my lease with it (though “paperless” Estonia still wanted me to sign a paper version as well) and more routinely you have to “digitally sign” any bank transfers... which are the standard way to pay bills in Estonia, so you do it a lot. Finally, voting online.

I don’t see how broadly compromising the crypto would really benefit anyone for any of those things, it would have to be a more specific individual attack, like draining your bank accounts.

Edit: formatting, added voting

[pisipisipisi]

Getting asked as an expert "can this id card thing be trusted?" my answer has been "for communicating with the government you inherently don't trust, the method or security of an authentication device does not really matter" (filing your taxes or logging to services being the scope). Some claiming encryption privacy issues ... Well, for any meaningful opsec you should not be using the id card for encrypting messages about overthrowing the same government issuing the encryption devices in the first place, if government reading your messages is a threat in your model.

[chrismeller]

Yeah, I think the biggest risk would be rigging an election, but we’re talking about a country of 1.2 million people. Not to dismiss the importance of their elections on Estonia, it doesn’t really have the same worldwide ramifications that compromising a US, UK, German, etc. election would have.

[Strom]

Rigging (digital or not) would be hard to hide, because it could only be a minor adjustment to remain plausible. All the election results end up roughly similar to all the various independent polling results. If some party suddenly receives a lot more votes than they polled for - it will be noticed.

Also Estonia already has a history of (non-digital) election rigging [1] so rhetoric of the "digital results in rigging, keep it physical for safety" kind isn't super convincing.

--

[1] https://en.wikipedia.org/wiki/1940_Estonian_parliamentary_el...

[dane-pgp]

> Rigging (digital or not) would be hard to hide, because it could only be a minor adjustment to remain plausible.

How many more votes would the party in second place at the last election have needed in order to have won instead?

> If some party suddenly receives a lot more votes than they polled for - it will be noticed.

Is there a mechanism by which the election could be run again (before the winners of the election have a chance to prevent this)?

> Also Estonia already has a history of (non-digital) election rigging

Or it's an argument that a voting system should have both hand-counting and digital counting, because rigging both counts is at least twice as difficult as rigging one.

[Strom]

> How many more votes would the party in second place at the last election have needed in order to have won instead?

5.8% of the total votes [1] but winning the election is just part of the game. This time around the winning party isn't in power because the runner ups formed a coalition.

> Is there a mechanism by which the election could be run again (before the winners of the election have a chance to prevent this)?

Several - the previous government would still be in power for some time to react, the president has to sign off on the winners, the defense police could intervene, and then there are the courts. None of these entities depend on the newly elected government.

> both hand-counting and digital counting

That would certainly be more secure, but like all security it would be a trade off.

--

[1] https://rk2019.valimised.ee/en/election-result/election-resu...

[ants_a]

> How many more votes would the party in second place at the last election have needed in order to have won instead?

It's a multiple party proportional representation system so who "wins" doesn't really matter that much.

> Is there a mechanism by which the election could be run again (before the winners of the election have a chance to prevent this)?

I'm not an electoral law expert, but complaints about election process go to National Electoral Committee, which can have its decision contested in Supreme Court.

> Or it's an argument that a voting system should have both hand-counting and digital counting, because rigging both counts is at least twice as difficult as rigging one.

The e-voting over here is actual e-voting - the vote is purely digital and done remotely. Not in any way related to the digital vote counting machines used in the US.

[aj3]

> Or it's an argument that a voting system should have both hand-counting and digital counting, because rigging both counts is at least twice as difficult as rigging one.

Unless the party rigging the counts is the one currently in power. Which in my opinion is the main risk, however minuscule and unrealistic.

[themacguffinman]

> Rigging (digital or not) would be hard to hide, because it could only be a minor adjustment to remain plausible.

As candidates & parties become more competitive, the difference in their voting shares tends to narrow. Eventually you end up with large coalitions that split the electorate fairly evenly. A small adjustment is all it'd take to tip the scales. If landslide victories are common, I'd say your political system is doing something wrong.

[aj3]

> As candidates & parties become more competitive, the difference in their voting shares tends to narrow.

This reads like a pure American exceptionalism.

[LatNax]

A single leak can be bad, multiple leaks piled into a single actor can be life changing.

[roywiggins]

The spooks are the same government issuing the ID. They can just call up the department issuing the IDs and ask for a batch of new identities. No technical flaws necessary.

[xyzzy123]

I know your comment was tongue in cheek but this has come up in the digital Id space before. All these things get bootstrapped off government sources and spooks have no problems because governments control those databases. You don’t need technical hacks if you control the systems of record.

[dane-pgp]

So what's to stop the ruling party from issuing its loyal spooks thousands of ID cards in key districts, which they then use to cast fraudulent votes in the election?