Former Estonian ID card manufacturer Gemalto AG has filed a breach of contract action against the Police and Border Guard Board (PPA), following the PPA's own action filed at Harju County Court on 27 September.
"As announced on 27 September 2018, Gemalto regrets the PPA's sudden decision to suspend the almost completed negotiations without any cordial compromise agreement, followed by an unsubstantiated and unprecedented application by the PPA to the court, amounting to a totally disproportionate amount compared with what PPA itself offered in a draft compromise agreement," Gemalto said.
A security flaw in the ID cards manufactured by Gemalto, a digital security company headquartered in the Netherlands, came to light in late 2017, after which the PPA terminated its agreement with the company and sought an apology and compensation. The compensation demanded eventually rose to €152 million.
Private key codes compromised
The flaw concerned private keys that had been generated outside the card chip ("off-chip"), in breach of the contract. A private key generated on the chip never leaves it; a key generated on external equipment and then written to the chip exists, at least for a time, on that equipment, where a copy could in principle be retained or exposed, a risk that on-chip generation rules out (Estonian ID cards contain a microchip). As many as 750,000 ID cards issued by the Estonian state and made by Gemalto could have been affected (in the event, about 12,500 ID card certificates were revoked).
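To make the distinction above concrete, the following is an added example (not code from ERR, the PPA, Gemalto or Cybernetica) that models the two personalisation routes. It uses a deliberately toy textbook RSA built only from the Python standard library; the card classes, the `personalise_on_chip` and `personalise_off_chip` functions and the signed message are all constructed for illustration. The point it shows is that a signature produced from the host's retained copy of an off-chip key is indistinguishable, to anyone checking it against the card's public key, from one produced by the card itself.

```python
"""Toy model of on-chip vs off-chip key generation (constructed example).

Textbook RSA with 256-bit primes, standard library only; not for real use.
"""
import hashlib
import math
import secrets

_SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def _is_probable_prime(n, rounds=20):
    """Trial division by small primes, then Miller-Rabin."""
    if n < 2:
        return False
    for p in _SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2  # witness in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # exact size, odd
        if _is_probable_prime(cand):
            return cand


def generate_rsa_keypair(prime_bits=256):
    """Return ((n, e), (n, d)); n is ~512 bits so a SHA-256 digest is below n."""
    e = 65537
    while True:
        p, q = _random_prime(prime_bits), _random_prime(prime_bits)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            break
    return (p * q, e), (p * q, pow(e, -1, phi))


def _digest_int(message):
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def rsa_sign(private_key, message):
    n, d = private_key
    return pow(_digest_int(message), d, n)


def rsa_verify(public_key, message, signature):
    n, e = public_key
    return pow(signature, e, n) == _digest_int(message)


class OnChipCard:
    """Hypothetical chip that generates its own key; nothing can export the private half."""
    def __init__(self):
        self.public_key, self._private_key = generate_rsa_keypair()

    def sign(self, message):
        return rsa_sign(self._private_key, message)


class InjectedKeyCard:
    """Hypothetical chip that merely stores a key pair made by external equipment."""
    def __init__(self, public_key, private_key):
        self.public_key, self._private_key = public_key, private_key

    def sign(self, message):
        return rsa_sign(self._private_key, message)


def personalise_on_chip():
    """Issuer learns only the public key (for the certificate); host keeps nothing."""
    return OnChipCard(), None


def personalise_off_chip():
    """Host generates the key, injects it, and still holds a copy afterwards."""
    public_key, private_key = generate_rsa_keypair()
    return InjectedKeyCard(public_key, private_key), private_key  # host-side copy survives


def demo(message=b"constructed document to be signed"):
    on_card, on_host_copy = personalise_on_chip()
    off_card, off_host_copy = personalise_off_chip()
    forged = rsa_sign(off_host_copy, message)  # signed without touching the card
    return {
        "on_chip_host_holds_private_key": on_host_copy is not None,
        "on_chip_card_signature_valid": rsa_verify(on_card.public_key, message, on_card.sign(message)),
        "off_chip_forgery_verifies": rsa_verify(off_card.public_key, message, forged),
        "off_chip_forgery_identical_to_card": forged == off_card.sign(message),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Because textbook RSA signing is deterministic, the host-made signature is not merely valid but byte-for-byte identical to what the card would produce, which is why the contractual requirement quoted later in this article insists on generation inside the chip rather than on any check performed at verification time.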
Andres Lehmann, CEO of Gemalto subsidiary Trüb Baltic, a Swiss national and Estonian resident, claimed via a social media account that he had attempted to warn the Estonian authorities of the potential flaw in summer 2017 but was rebuffed; the claims were strenuously rebutted by former president Toomas Hendrik Ilves and prime minister Jüri Ratas.
Gemalto, which considers the €152 million PPA claim disproportionate, maintains that it has not been in breach of contract and says it had hoped for a more amicable solution; in the absence of one, it is now seeking redress in the courts itself.
Out-of-court settlement found wanting
Jüri Ratas himself initially supported an out-of-court settlement, but is reported now to see the PPA court case as the logical follow-on to the breakdown of settlement talks.
Krista Aas, Deputy Director General of the PPA, said the private key flaw was not an isolated case but had gone on for several years, and that, according to analysis by Cybernetica, an Estonian firm specialising in cryptography and information security, it was not unintentional on the manufacturer's part.
"To ensure the security of the ID-card, it is vital to ensure that private keys cannot be located anywhere other than the card chip; consequently we also set the requirement that private keys could only be generated internally. However, it turned out the contractual partner violated this requirement for many years, which we see as a serious breach of contract. The Cybernetica analysis clearly demonstrates that such an infringement could only have occurred as a result of deliberate action by the contractor," Ms Aas said.
Moreover, the private key flaw was not the only violation of the agreement for which Gemalto was responsible, the Deputy Director General reportedly went on, without elaborating.
With Gemalto's contract due to expire at the end of 2018 in any case, Oberthur Technologies is scheduled to take over production of the new cards, which will carry several new features, including a contactless interface and improved security.
Editor: Andrew Whyte