Estonia is blocking access to its online identity authentication services because of a security issue affecting the country’s ID smartcards.
More than 760,000 citizens, residents and foreign nationals with e-residency will be unable to identify themselves to government services until the security issue is fixed.
The disruption to those services will be an embarrassment for the nation’s lauded e-Estonia movement, which seeks to offer formal regulatory activities online.
The Estonian government has been the target of both applause and mockery over a nation-wide online system which holds citizens’ identities.
The online identity authentication system allows citizens access to a range of services including banking, voting and their health records over the web.
Its e-residency scheme allows foreign nationals to subscribe to government services, although it does not provide them with the statutory rights of citizenship.
A serious flaw affecting the ID smartcards, which citizens carry as physical tokens to authenticate their identities, means that these services will be inaccessible from midnight.
The issue affected the encryption used in a number of products manufactured by German company Infineon, which has designed an update to fix the problem.
The update needs to be applied, however – and Estonia will be blocking access to its online services for everyone who fails to update their smartcards.
The UK’s ambassador to Estonia, Theresa Bubbear, tweeted: “#eEstonia losing its shine? Spent hours over 2 days trying to update my ID card as per govt/MFA instructions. Still trying…”
Police and border guard service officers have reportedly been swamped over the past two days by crowds seeking to get their ID cards updated.
The vulnerability was discovered in Infineon products earlier this year and disclosed by scientists to the German company, whose chips are used in millions of devices globally.
A media relations officer at the Estonian embassy in London said the government is rolling out an update, after weeks of testing, which would prevent hackers taking control of citizens’ smartcards.
The Estonian government and Infineon denied that the security flaw had been exploited by hackers, but officials in Tallinn said the threat had been “elevated”.
Prime Minister Jüri Ratas said: “The functioning of an e-state is based on trust and the state cannot afford identity theft happening to the owner of an Estonian ID card.”
In a statement, the government added: “We are sorry for inconvenience caused by this issue, but protecting the integrity of your digital identity must come first.”