Estonian identity card


The Estonian identity card is a mandatory identity document for citizens of Estonia. In addition to regular identification of a person, an ID-card can also be used for establishing one's identity in electronic environment and for giving one's digital signature. Within Europe as well as French overseas territories and Georgia, the Estonian ID Card can be used by the citizens of Estonia as a travel document.
The mandatory identity document of a citizen of the European Union is also an identity card, also known as an ID card. The Estonian ID Card can be used to cross the Estonian border, however Estonian authorities cannot guarantee that other EU member states will accept the card as a travel document.
In addition to regular identification of a person, an ID-card can also be used for establishing one's identity in electronic environment and for giving one's digital signature. With the Estonian ID-card the citizen will receive a personal @eesti.ee e-mail address, which is used by the state to send important information. In order to use the @eesti.ee e-mail address, the citizen has to forward it to his or her personal e-mail address, using the State Portal eesti.ee.
The Police and Border Guard Board on 25 September 2018 introduced the newest version of Estonia's ID card, featuring additional security elements and a contactless interface, which will begin to be rolled out no later than next year. The new cards also utilize Estonia's own font and elements of its brand. One new detail is the inclusion of a QR code, which will make it easier to check the validity of the ID card. The new design also features a color photo of its bearer, which doubles as a security element and is made up of lines; looking at the card at an angle, another photo appears. The new chip has a higher capacity, allowing the addition of new applications to it.

Scope

The Estonian ID cards are used in health care, electronic banking, signing contracts, public transit, encrypting email and voting. Estonia offers over 600 e-services to citizens and 2400 to businesses. The card's chip stores digitized data about the authorized user, most importantly: the user's full name, gender, national identification number, and cryptographic keys and public key certificates.

Categories of Estonian identity cards

typefrontback
Estonian citizen
EU/EEA citizen
EU/EEA family permit holder
long-term residence permit holder
temporary residence permit holder
e-Residency of Estonia

Cryptographic use

The card's chip stores a key pair, allowing users to cryptographically sign digital documents based on principles of public key cryptography using DigiDoc. Since 2016 the DigiDoc software can create files that follow the EU-wide ETSI standard called ASiC-e. While it is possible also to encrypt documents using the card-holder's public key, this is used only infrequently, as such documents would become unreadable if the card were lost or destroyed.
By 27 May 2014, 160,809,440 electronic signatures were given, thus averaging to 10 signatures per card user per year.
Under Estonian law, since 15 December 2000 the cryptographic signature is legally equivalent to a manual signature. This law has been superseded by the EU-wide eSignature Directive since 2016.

Uses for identification

The card's compatibility with standard X.509 and TLS infrastructure by providing a client certificate to each person has made it a convenient means of identification for use of web-based government services in Estonia. All major banks, many financial and other web services support ID-card based authentication. Adding support of Estonian ID-card based identification is very simple nowadays because majority of used browsers, web servers and other software supports TLS client-certificate based authentication and Estonian ID-card use exactly that system.

Web discussion forums

Web commentary columns of some Estonian newspapers, most notably Eesti Päevaleht, used to support ID-card based authentication for comments. This approach caused some controversy in the internet community.

Public transport

Larger cities in Estonia, such as Tallinn and Tartu, have arrangements making it possible for residents to purchase "virtual" transportation tickets linked to their ID cards.
Period tickets can be bought online via electronic bank transfer, by SMS, or at public kiosks. This process usually takes less than a few minutes and the ticket is instantly active from the moment of purchase or since the first use of the ticket.
Customers also have the option of requesting e-mail or SMS notification alerting them when the ticket is about to expire, or of setting up automatic renewal through internet banking services.
To use the virtual ticket, customers must carry their ID card with them whenever they use public transport. During a routine ticket check, users are asked to present their ID card, which is then inserted into a special device. This device then confirms that the user holds a valid ticket, and also warns if the ticket is about to expire. The ticket check usually takes less than a second.
Ticket information is stored in a central database, not on the ID card itself. Thus, to order a ticket, it is not necessary to have an ID-card reader. Ticket controllers have access to a local archive of the master database. If the ticket was purchased after the local archive was updated, the ticket device is able to confirm the ticket from the master database over mobile data link.

Electronic voting

The Estonian ID card is also used for authentication in Estonia's Internet-based voting program called i-Voting.
In February 2007, Estonia was the first country in the world to institute electronic voting for parliamentary elections. Over 30,000 voters participated in the country's e-election. In the Parliamentary election of 2011 140,846 votes were cast electronically representing 24% of total votes.
The software used in this process is available for Microsoft Windows, macOS and Linux.

Use as a travel document

Since Estonia's accession to the European Union in 2004, Estonian citizens who possess an Estonian identity card have been able to use it as an international travel document, in lieu of a passport, for travel within European Economic Area as well as French overseas departments and territories, Andorra, San Marino, Monaco, Vatican State, Northern Cyprus and Georgia.
However, non-Estonian citizens resident in Estonia are unable to use their Estonian identity cards as an international travel document.

Security issues

2017

Weak key vulnerability

In August 2017, a security threat was discovered that affected 750,000 ID and e-residency cards issued between 16 October 2014 and 26 October 2017.
The relevant Estonian organisations responsible for the ID card has since released a patch in the form of a certificate update, and published a detailed walkthrough on https://www.id.ee to check if an update is required, and how to perform it. The update can also be performed in the service offices of the Estonian Police and Border Guard Board. Online updating can be performed until 31 March 2018, after which the certificates of affected cards will be invalidated. Thereafter, a new e-residency or ID-card must be applied for in order to use it electronically.
On 2 November 2017, the Estonian government announced, that online updating of vulnerable ID-cards would be suspended to all users for between 3–5 November 2017 in favour of the country's officials and the 35,000 doctors, who use their cards most actively.
This temporary suspension of updates to all users has since been lifted, so that owners of ID cards and e-residency cards can now update their certificates.
In October 2017, it was reported that a code library developed by Infineon, which had been in widespread use in security products such as smartcards and TPMs, had a flaw that allowed private keys to be inferred from public keys. As a result, all systems depending upon the privacy of such keys were vulnerable to compromise, such as identity theft or spoofing. Affected systems include 750,000 Estonian national ID cards, and Estonian e-residency cards.
On 2 November 2017 the Estonian prime minister Jüri Ratas announced, that due to 'imminent risk' of attack, the authorities are to temporarily disable the certificates of affected ID cards at 00:00, 4 November 2017. According to government officials, the existing infrastructure is incapable of updating the certificates of this large amount of affected cards before the deadline. Priority updates are to be supplied between 3–5 November to government employees and 35,000 medical staff.