Article is more than five years old, has been archived and is no longer updated.

PPA say no to ID card compromise, Gemalto still hope for accord with state

Gemalto was the producer of Estonia's ID cards from 2001 to 2018. Source: AFP/Scanpix

International digital security company and former supplier of Estonian ID cards Gemalto AG has said that it wants a compromise with the Estonian state. The stance of the latter so far has been to pursue a lawsuit against Gemalto regarding compensation to the Estonian state to the tune of €1.5 million following a security flaw in ID cards made by Gemalto which came to light in summer 2017.

Gemalto has however emphasised that it has not disclosed to the press or any third party information regarding ongoing negotiations with one organ of the Estonian state, the Police and Border Guard Board (PPA). This includes not only any content of negotiations, but even whether they have been taking place at all.

PPA ending talks with Gemalto

In any case, the PPA told representatives of Gemalto AG on Thursday that it will be ending compromise agreement talks regarding the compensation of expenses incurred in solving the ID-card security risk and in the next few weeks will file a statement of claim to court regarding breach of contract.

"The Police and Border Guard lack trust regarding contract partner Gemalto, which has not indicated a willingness to cooperate and actual interest in entering into a compromise," Deputy Director General of the PPA Krista Aas stated in a press release.

"The Police and Border Guard Board has collected enough information over the course of the control procedure carried out, regarding the circumstances that state institutions had no information on the security risk on June 15 and Gemalto's version regarding notification about the security risk published in Postimees today [Thursday] has been disproved with evidence," Ms Aas continued.

Postimees report inaccurate, say both PPA and Gemalto

Gemalto for its part stated that the Postimees reports were inaccurate: "Gemalto AG would never allow the press or any other third party to interfere in similar negotiations, which by nature and in the interest of success must remain confidential," the company announced, according to the Baltic News Service.

An article in daily Postimees published on Thursday claimed that the PPA was indeed informed of the ID-card security breach as early as June 2017, two months before the PPA went public about the flaw.

The PPA and Gemalto had until now been in compromise negotiations concerning the three largest disputes between the parties. Postimees reports, however, that according to the compromise agreement, Gemalto would have withdrawn from the circuit court its action against the next ID-card production period tender (i.e. French company Idemia, which took over the manufacture of Estonian ID cards).

Second, the PPA would have withdrawn a claim regarding one smaller ID-card flaw and Gemalto would have agreed to pay to the state only half of the direct expenses concerning the solving of the ID-card crisis, according to Postimees.

Flaw first came to light in 2017

Gemalto, via its Baltic subsidiary Trüb Baltic, claimed in November 2017 that it had warned Estonian authorities of a potential flaw in June of the same year, but that these warnings had gone unheeded.

The claims were met with rigorous denial by Prime Minister Jüri Ratas as well as former president Toomas Hendrik Ilves, who took to his social media account to call out Trüb Baltic CEO Andres Lehmann, a Swiss national and long-term resident of Estonia, in very stern tones for what Mr. Ilves saw as offensive nonsense on the part of an earlier social media post by Mr. Lehmann regarding the flaw.

Indeed it was a social media post by Mr. Lehmann which constituted the original claim that Estonian authorities had been warned about the defect, which could have affected up to 750,000 issued ID cards.

Margus Arm, eID domain manager at Estonia's Information System Authority (RIA), also stated in November 2017 that Mr. Lehmann had given, at best, hints that there may be a problem, but no direct information regarding a possible security risk.

Gemalto still wanting some sort of compromise

Nevertheless, despite being coy about the nature or existence of negotiations with the PPA, Gemalto still maintained on Friday that its aim was compromise.

"Gemalto AG still wishes to achieve a compromise with the Police and Border Guard Board during negotiations, the evidence of that being the numerous and constant exchanges of information and meetings in the name of achieving an agreement. We hereby affirm that we are still making great efforts to reach that objective and fully and conclusively solve conflicts outside the court as we believe that is in the interests of both parties," the company said.

Gemalto is an international digital security company, headquartered in the Netherlands, providing software applications, secure personal devices such as smart cards and tokens, and managed services. It is reportedly the world's largest manufacturer of SIM cards.

Estonia has long prided itself on the provision of digital solutions and its globally noted role as an e-state. Revelations about the ID card having a flaw, regardless of when they were made and by whom, have thus been something of a cause for concern. The Estonian ID card is used not only by Estonian citizens on a day-to-day basis to confirm their identity online, sign digital documents, make payments, travel internationally and more, but also by foreign residents and, in a modified form, by external e-residents.


Editor: Andrew Whyte

Source: BNS
