While the state initially promised to fix ID-cards sporting a security vulnerability with a software update in November, it has become clear that hundreds of thousands of ID-cards will be deactivated before the update reaches them.
Head of the e-ID department of the State Information System Authority (RIA) Margus Arm admitted to news portal Geenius that the agency can currently update 15,000 ID-cards a day. Because the state will suspend the certificates of affected ID-cards in mid-November, the update to be released in the coming days will only reach the ID-cards of a few hundred thousand people in time. ID-cards hiding the vulnerability number around 800,000.
“It is just a technical restriction; the systems aren’t meant to handle such load. Around 2,000 cards are manufactured a day in normal circumstances. It is impossible to boost these volumes to desired levels in the short term,” Arm added.
Therefore, it cannot be helped that some ID-card holders will be cut off from e-services before their cards are updated. Manually downloading the new software will not help either as the bottleneck lies in the update software.
Margus Arm said that updating the ID-card will take approximately five minutes. The ID-card, inserted into the client’s computer, will communicate with several servers over the internet, which results in restrictions: information is exchanged with RIA information systems, certificates will be updated using the SK ID Solutions database, and further information exchanged with manufacturer Gemalto.
The date when current certificates will no longer be valid will be decided based on the likelihood of incidents.
Updates are required for the following documents: residence permit cards issued since December 17, 2014; ID-cards issued since December 1, 2014; e-resident cards issued since October 16, 2014.
Therefore, hundreds of thousands of people will only be able to access e-services using Mobile-ID from mid-November.