by chrismeller 2174 days ago
As an American residing in Estonia, I’m not sure what the benefit of a state compromising the card crypto would be. There are four broad categories of uses for the ID cards:

1) Obviously, a government-issued photo ID

2) For an increasing number of shops, as your “frequent shopper” card, which admittedly is slightly related to...

3) Authentication, including: logging into your bank, government websites (the state portal, the tax authority, the “digital story” - all your medical records, the online booking website for booking some combination of surgeons/specialists that operate under the public healthcare system), the (one) online pharmacy that exists, etc.

4) Signing things. I’ve signed my lease with it (though “paperless” Estonia still wanted me to sign a paper version as well) and more routinely you have to “digitally sign” any bank transfers... which are the standard way to pay bills in Estonia, so you do it a lot. Finally, voting online.

I don’t see how broadly compromising the crypto would really benefit anyone for any of those things, it would have to be a more specific individual attack, like draining your bank accounts.

Edit: formatting, added voting


Getting asked as an expert "can this id card thing be trusted?" my answer has been "for communicating with the government you inherently don't trust, the method or security of an authentication device does not really matter" (filing your taxes or logging in to services being the scope). Some claiming encryption privacy issues ... Well, for any meaningful opsec you should not be using the id card for encrypting messages about overthrowing the same government issuing the encryption devices in the first place, if government reading your messages is a threat in your model.
Yeah, I think the biggest risk would be rigging an election, but we’re talking about a country of 1.2 million people. Not to dismiss the importance of their elections to Estonia, it doesn’t really have the same worldwide ramifications that compromising a US, UK, German, etc. election would have.
Rigging (digital or not) would be hard to hide, because it could only be a minor adjustment to remain plausible. All the election results end up roughly similar to all the various independent polling results. If some party suddenly receives a lot more votes than they polled for - it will be noticed.

Also Estonia already has a history of (non-digital) election rigging [1] so rhetoric of the "digital results in rigging, keep it physical for safety" kind isn't super convincing.

--

[1] https://en.wikipedia.org/wiki/1940_Estonian_parliamentary_el...

> Rigging (digital or not) would be hard to hide, because it could only be a minor adjustment to remain plausible.

How many more votes would the party in second place at the last election have needed in order to have won instead?

> If some party suddenly receives a lot more votes than they polled for - it will be noticed.

Is there a mechanism by which the election could be run again (before the winners of the election have a chance to prevent this)?

> Also Estonia already has a history of (non-digital) election rigging

Or it's an argument that a voting system should have both hand-counting and digital counting, because rigging both counts is at least twice as difficult as rigging one.

> How many more votes would the party in second place at the last election have needed in order to have won instead?

5.8% of the total votes [1] but winning the election is just part of the game. This time around the winning party isn't in power because the runners-up formed a coalition.

> Is there a mechanism by which the election could be run again (before the winners of the election have a chance to prevent this)?

Several - the previous government would still be in power for some time to react, the president has to sign off on the winners, the defense police could intervene, and then there are the courts. None of these entities depend on the newly elected government.

> both hand-counting and digital counting

That would certainly be more secure, but like all security it would be a trade off.

--

[1] https://rk2019.valimised.ee/en/election-result/election-resu...

> How many more votes would the party in second place at the last election have needed in order to have won instead?

It's a multiple party proportional representation system so who "wins" doesn't really matter that much.

> Is there a mechanism by which the election could be run again (before the winners of the election have a chance to prevent this)?

I'm not an electoral law expert, but complaints about election process go to National Electoral Committee, which can have its decision contested in Supreme Court.

> Or it's an argument that a voting system should have both hand-counting and digital counting, because rigging both counts is at least twice as difficult as rigging one.

The e-voting over here is actual e-voting - the vote is purely digital and done remotely. Not in any way related to the digital vote counting machines used in the US.

> It's a multiple party proportional representation system so who "wins" doesn't really matter that much.

Obviously by "wins" I meant "becomes the (biggest party in a coalition) government", not "gains the most first preference votes" or some other strawman interpretation. And yes, I admit that it is hard to calculate the minimum number of extra votes that would need to be added to change which party leads the government, but I do think that a good proportional voting system should allow that number to be determined at least to a reasonable approximation.

> I'm not an electoral law expert, but complaints about election process go to National Electoral Committee, which can have its decision contested in Supreme Court.

I wonder how long that process would take in practice, and whether the Supreme Court would decide it had the power to invalidate an election. In particular, what sort of evidence would be required to satisfy the court that it had to demand that remedy? I imagine that "The opinion polls were wrong by 6%" might not be enough, and the political biases of the judges themselves might well be significant in such a situation.

> The e-voting over here is actual e-voting - the vote is purely digital and done remotely. Not in any way related to the digital vote counting machines used in the US.

Yes, the fact that the voting can be done remotely is another problem, since someone can be bribed or coerced into voting a certain way. I believe the mitigation for this is that the voter can supersede their online vote with an in-person vote, but an attacker could quite cheaply work around this by having tracking software on the victim's phone, and henchmen outside the polling stations.

> Or it's an argument that a voting system should have both hand-counting and digital counting, because rigging both counts is at least twice as difficult as rigging one.

Unless the party rigging the counts is the one currently in power. Which in my opinion is the main risk, however minuscule and unrealistic.

> Rigging (digital or not) would be hard to hide, because it could only be a minor adjustment to remain plausible.

As candidates & parties become more competitive, the difference in their voting shares tends to narrow. Eventually you end up with large coalitions that split the electorate fairly evenly. A small adjustment is all it'd take to tip the scales. If landslide victories are common, I'd say your political system is doing something wrong.

> As candidates & parties become more competitive, the difference in their voting shares tends to narrow.

This reads like pure American exceptionalism.

A single leak can be bad, multiple leaks piled into a single actor can be life changing.