The police say the situation is embarrassing, SK ID Solutions, the company responsible for the functioning of Estonian ID cards, says it isn't happy with the situation, supervision by the Information System Authority (RIA) identified infringements and ultimately everyone has their own view on whether and why more than 1,000 ID cards issued at Selver supermarkets early this year had to be recalled.
On February 16, the state notified more than 1,000 people that their ID cards which had been issued to their owners via Selver info desks would be replaced. Police and Border Guard (PPA) contracting partner SK ID Solutions had to revoke the affected cards' certificates, due to which the ID cards could no longer be used to provide digital signatures.
This order had come from the RIA, and RIA Supervision Department director Ilmar Toom explained at the time already that the company did not have authorization to issue these certificates at Selver stores. The company complied with the RIA's orders, however SK ID Solutions CEO Kalev Pihl said Tuesday that he is considering contesting the authority's orders.
"No one should think that we had considered that order as handed to us to be right and legitimate," Pihl said.
PPA Identity and Status Bureau director Margit Ratnik agrees. She noted that Estonia issues digital documents to e-residents via international company BLS International, for example, and no concerns regarding authorization have come up in connection with that.
"What has changed in the environment causing the Selver issue to be raised like this?" Ratnik said, expressing hope that an answer to that would soon be found together.
Company: PPA should have waited for auditor
PPA and SK ID Solutions are in the same boat on this one, but the boat begins to rock as soon as you ask why the RIA even initiated proceedings in the first place.
According to Pihl, six days after the first identity document was issued from a Selver store, the company itself contacted the RIA and alerted them to possible infringements. The CEO reiterated that he believed that the issuing of these documents at Selver stores was well within the scope of the company's existing authorization.
Instead, the trouble began the moment their hired auditor wanted to take a look at these plans. "That it still complies with all the conditions of the authorization," he explained.
Broadly speaking, the auditor reviewed the issuing process for ID cards and certificates and likewise examined whether Selver's premises were suitable for issuing them. Following the first inspection, the auditor issued several remarks to the PPA.
According to Ratnik, the auditor ordered some of the issues identified to be resolved immediately; for others, they provided a longer deadline, and the PPA got to work.
"One flaw was the fact that when a customer service representative at Selver issued a document, their screen was positioned in such a way that their coworker, moving behind them, could see the screen," she cited as an example. "Or that while they were serving a customer, the customer was able to lean across the counter and look at the screen."
The PPA official noted that anyone visiting Selver could confirm for themselves that computer screens were protected from prying eyes prior to January 27 already.
Pihl likewise found that the PPA was resolving problems prior to the start of issuing documents already.
"But the PPA had adopted these points prior to the auditor having reviewed the measures they came up with," he continued. "In other words, the auditor wasn't convinced by that time that everything was fine."
It was with this concern specifically that the company turned to the RIA.
PPA: Why only sound alarm at last minute?
The PPA, meanwhile, doesn't understand its partner's behavior. Ratnik noted that the PPA has made changes, both bigger and smaller, to the issuing of identity documents, but no one has ever demanded a dedicated audit in those cases.
"This particular procedure for implementing changes based on Selvers is a first," she stressed.
The official confirmed that she doesn't believe the PPA has broken any rules. She likewise doesn't understand why SK ID Solutions told the RIA about these issues, but not the PPA.
The entire project was drawn up together with the company, Ratnik stressed.
"If there is a trust service provider who is liable under law and under contract with the PPA for the implementation of trust services in accordance with the law and with contracts, then they also have to sound the alarm the moment they see something is wrong," she said.
"Why he waited until the documents were issued, having been involved over 11 months in the entire chain and knowing very precisely what the contractual obligations were for going live with this — that's a question Kalev Pihl himself should be answering," Ratnik added.
Pihl, however, said that potential problems had been discussed before already.
"Of course we had talked about this; there's no denying that," he said. The CEO noted that the PPA was aware of possible concerns, however the agency was in a hurry to issue documents.
Ratnik likewise acknowledged the fact that at one point, the PPA could no longer wait.
People were able to start ordering their documents to be delivered to Selver starting December 27. The PPA's latest meeting with auditors was in January, and documents began being issued at Selver supermarkets on January 27.
The PPA official confirmed that it wasn't possible to postpone the issuing of documents.
"This is where the law came in already, which states that you must issue an individual their document within 30 days — you as the state can't do so on day 31 or 35," she explained.
Nonetheless, she stressed that the Estonian police were not faced with a choice between breaking the rules one way or another; they believe they did everything right.
"Why anyone's attempting to make it look in this Selver case today like the PPA has forgotten or failed to coordinate something — this is embarrassing, and embarrassing before the residents of Estonia to whom we issue documents," Ratnik said.
Certificate revocation surprise to company too
When SK Solutions contacted the RIA, they didn't expect this would lead to having to revoke already issued certificates.
According to Pihl, the company stressed in its letter that there was no need to fear any actual security risk and that the mistakes were purely bureaucratic in nature.
The RIA likewise made it clear that the concern was bureaucratic, just a lot more serious.
Toom, the authority's Supervision Department director, noted that the authorization granted to the trust service provider, i.e. SK ID Solutions, are accompanied by certification principles.
"This is a vital document that essentially describes how this service is provided," he explained. "And stated as an essential part within this is where these certificates are issued. And currently listed there are PPA service offices and embassies of the Republic of Estonia. A Selver information desk doesn't fall under either of these."
As information desks aren't mentioned in this document, the RIA found that the certificates of ID cards issued at Selver must be revoked.
"In order for our electronic signature as provided by a PIN-2 to be equivalent to our handwritten signature, and for it to be valid both within Estonia and outside of it, it's very importat all established requirements and rules of the game are followed," the RIA official stressed.
Neither Pihl nor Ratnik agree with the RIA's handling of things. Both believe that it isn't necessary to amend the authorization in question in order to allow for the issuing of ID cards at Selver stores.
Nonetheless, SK Solutions has already submitted an application to the RIA to update it, and the parties involved are hopeful they will be able to continue with the project in a few months.
Yet unclear who will pay
Ultimately, both Pihl and Ratnik say that confusion still abounds over the matter. It is unclear who is liable for what and who has to speak up when things start going sideways.
Ratnik believes they need to work together to find answers to these questions, otherwise they can't
plan any new projects either. Pihl agrees.
"We're certainly not happy with where we are today," the SK ID Solutions CEO said. "This flurry of interpretations that various sides have come up with, and behavior — they are, we believe, certainly setting a precedent in a sense."
The PPA has promised to tally up how much this entire mess ended up costing within a month's time.
"The production cost of the cards themselves is a little less than €23,000," Ratnik said. "Add to that employees' overtime hours as well as logistics expenses."
The authority likewise promises to state its stance on who is liable for the cost at the end of March, once the matter has been thoroughly analyzed.
"That depends on what conclusion we reach," Ratnik said. "In other words, will this cost be borne by the trust service provider or by taxpayers, i.e. the state."
Editor: Aili Vahtla