Author Archives: user469294

KaPo suspects defense forces’ officer of exposing state secret

ivo_jurak

Captain Ivo Jurak (38) has been in custody for a month already as the Estonian Internal Security Service (KaPo) suspects him of having exposed a state secret. Jurak served as junior staff officer at the Estonian Defence Forces’ Movement Coordination Centre, reported Estonian daily Eesti Ekspress. This center coordinates the Defence Forces’ strategic transport, including the movement of NATO forces and equipment arriving in Estonia.

The KaPo suspects Jurak of having taken documents containing a state secret along with him from work and keeping them at home. Accrording to Jurak’s lawyer Natalia Lausmaa, Jurak admits to his guilt. Jurak is suspected according to Paragraph 241 of the Penal Code, which means that the exposure of a state secret is unrelated to treason or spying. If found guilty, Jurak could face a fine or up to five years in prison.

Case similar to this one.

KAPO annual review 2016 mentions also an illegal surveillance charge, whatever it means:

Jurak took state secrets he possessed home from work. During the investigation, it was also established that Jurak unlawfully obtained and kept a weapon not related to the defence forces, and was involved with unauthorised surveillance after leaving employment.

Links:
http://news.err.ee/v/news/7199b45e-30d3-4e73-b487-fe4a5c5be9aa/internal-security-service-suspects-defense-forces-officer-of-exposing-state-secret
https://kapo.ee/sites/default/files/public/content_page/Annual%20Review%202016.pdf

UT Seminars on Blockchain Technology

Leave a reply

university_of_tartu_logo

bitcoin_logo

The course will consist of a number of seminars given by invited lecturers. Lecturers will be both from the University and from the industry companies. They will present the research results along with the practice best experiences and examples of the application of the blockchain and smart contract technology.

Kick-off seminar:
3.October, 10:15-12:00: Smart contracts and identity on blockchain – using e-Residency in Ethereum, Speaker: Thomas Bertani, Oraclize.it

Regular seminars (Tuesdays 18.15-20.00, Liivi 2-404, Tartu):

25.October: Introduction to Smart Contracts and Applications
Speaker: Kristo Käärmann, TransferWise

1.November: Blockchain as an Enabling Technology for Businesses
Speaker: Frederik Payman Milani, University of Tartu

8.November: Lightweight BPMN engine on ethereum
Speaker: Luciano Garcia Banuelos, University of Tartu

15.November: Cryptographic Foundations of Bitcoin
Speaker: Michal Zajac, University of Tartu

29.November: Introduction to KSI blockchain
Speaker: Andreas Sisask, Guardtime

6.December: Creation of Smart-Contracting Collaborations for Decentralized Autonomous Organizations
Speaker: Alex Norta, Tallinn Technical University

Links:
https://courses.cs.ut.ee/2016/blockchain/fall/Main/Seminars

CERT-EE is looking for a monitoring specialist

Leave a reply

RIA

Duties:
• information security incident monitoring and defense 24/7;
• state network (ASO) and RIA service monitoring;
• RIA service and state network incident monitoring and defense.

Requirements:
• at least year IT work experience;
• at least secondary education;
• computer skills on average level (MS Windows and UNIX work experience);
• interest towards information security;
• willingness to work in shifts.

Desired:
• international work experience;
• knowledge in administration of Estonian public information systems;
• clearance for access to state secrets (classification – ‘secret’).

If you believe that you are the right person we are looking for, please send your CV along with a latter of motivation to klaid@cert.ee. For additional questions, please call 6630243 or send them to klaid@cert.ee

In 2015 CERT-EE had 5 monitoring specialist positions.

Links:
https://cybersec.ee/wp-content/uploads/2016/09/CERT-seirespetsialisti-kuulutus.pdf

Checking who has accessed your personal data is a challenge in practice

Leave a reply

digilugu_peremeditsiin-debug

Peeter Marvet dispels the myth of transparency in finding out who has accessed your data in state databases:

For the past 20 years or so Estonian e-government and the X-Road backbone has been promoted with the promise of transparency. Yes, we keep a lot of data, but it is stored securely and you can always check who has accessed it. This means transparency and trust. Or “trust”, as in this The Guardian interview with Toomas Henrik Ilves.

Problem is, there is no such transparency – no notifications, no place to log in and see who has accessed your data. There was one system with such functionality, but it was shut down like 10 years ago (added: there is one system – E-Health’s Digilugu.ee “patient portal”). And even when it worked, it displayed only trivial amount of accesses [..].

The rest of the databases? I recall a meeting (in the government residence, no less) where the topic was discussed, possibly on a roundtable arranged by the National Audit Office. After some serious googling I found a contact address where to submit a request to get information about who has accessed my data in the Population Registry. It took some months to get the answer, it supposedly had information about who had requested my data available only in the “comments field” and had to be assembled manually. Promoting the idea to requesting such transparency is a good start for denial-of-service attack on Estonian e-government.

Then there was a case when somebody from the Ministry of the Interior was to promote some new legislation mandating more data storage with the argument, that everybody is able to see who has been accessing the data, so it is not a privacy violation. Our correspondence with her ended after couple of rounds, after she was unable to find any proof of solution where I could view the access log.

And don’t get me started on the question of who can purchase the data from our Population Registry or from Business Register. Want to get contacts of unemployed pensioners? Give us your monies! Want to spam every e-resident who has created a company? Sure, all addresses in registry must be business contacts so spam away (and give us some monies)!

Interesting research to conduct would be to submit bunch of requests for personal data access reports to various state database holders and analyze the response time and the detailedness level of the answers.

Links:
https://tehnokratt.net/2016/05/meme-based-trust-lockean-contract-la-e-stonia/

Woman sentenced for accessing ex-boyfriend’s Facebook account

Leave a reply

facebook_access

The agreement concluded with the South District Prosecutor’s Office on 16 May 2016:

In January 2015 Maarja Laanemetsa (32) without authorization logged into www.facebook.com account of L.L (her ex-boyfriend) and took a screenshots of L.L.’s private conversations (with other women). These actions qualify to Penal Code paragraph §217 “Illegal obtaining of access to computer systems” subsection (1) “Illegal obtaining of access to computer systems by elimination or avoidance of means of protection is punishable by a pecuniary punishment or up to three years’ imprisonment”.

Moreover, after entering social network and illegally taking the screenshots of L.L.’s private conversations, the accused forwarded the conversations to K.M (L.L.’s new partner) thereby violating Penal Code paragraph §156 “Violation of confidentiality of messages” subsection (1) “Violation of the confidentiality of a message communicated by a letter or other means of communication is punishable by a pecuniary punishment.”

Type and amount of the penalty:
Prosecutor pursuant to Penal Code paragraph §63 subsection 1 asks the court to sentence the accused for two month imprisonment. On the basis of the Penal Code paragraph §73 section (1) sentence imposed is not enforced in full unless during one year probation period the accused commits a new intentional crime.

The accused shall reimburse the costs of criminal proceedings:
State legal fees of EUR 48 and according to Code of Criminal Procedure paragraph §179 section (1) subsection 2 compensation of EUR 645 (1.5 times the amount of the minimum monthly wage).

Didn’t the accused violate the confidentiality of a message already when she read the private conversations? Is the disclosure to third person required to qualify according to Penal Code paragraph §156?

Links:
http://pluss.postimees.ee/v2/3808889/sotsiaalmeedias-nuhkimine-voib-tuua-kriminaalkaristuse
https://www.riigiteataja.ee/kohtulahendid/detailid.html?id=185111724

Homomorphic Tallying for the Estonian Internet Voting System

1 Reply

Estonian_internet_voting

Abstract. In this paper we study the feasibility of using homomorphic tallying in the Estonian Internet voting system. The paper analyzes the security benefits provided by homomorphic tallying, the costs introduced and the required changes to the voting system. We find that homomorphic tallying has several security benefits, such as improved ballot secrecy, public verifiability of the vote tallying server and the possibility for observers to recalculate the tally without compromising ballot secrecy. The use of modern elliptic curve cryptography allows homomorphic tallying to be implemented without a significant loss of performance.
[..]
The homomorphic tallying scheme described above is not new. The scheme was introduced in 1997 by Cramer et al. [6] and has been used in the Helios open-audit voting system [1] for years. The contribution of this paper is an analysis of the deployment of homomorphic tallying in the context of Estonian Internet voting, where the performance of the protocol is improved by the use of elliptic curve cryptography.

In the new tender specification published by National Electoral Committee (NEC) we can read that there is a plan to use some kind of mix-net-based technology to provide counted-as-cast verifiability for the local government elections in October 2017. While mix-nets cryptographically are more complicated than homomorphic tallying, the mix-nets are more universal and thus can be used also in elections abroad, where the ballot style is not as simple as in Estonia (e.g., elections where the voter can vote for more than one candidate).

Links:
http://eprint.iacr.org/2016/776.pdf

Kapo eavesdropped on Savisaar outside criminal procedure

Leave a reply

kaitsepolitsei

Lawyers defending Edgar Savisaar are hopeful to kill criminal case against the Centre chairman with just one move – asking that the initial evidence, the basis for all the rest, be declared invalid. This would be the piece of information acquired by security police which afterwards triggered the whole criminal case – by eavesdropping a private conversation between then Mayor of Tallinn Mr Savisaar and Meriton Hotel owner Aleksander Kofkin at the Balalaika.

While talking about the food, a topic slipped in which made police ears perk up. [..] After years of eavesdropping on Mr Savisaar, this for the security police seemed to be a sign that the mayor was involved in issues outside of official responsibilities. [..] While Mr Savisaar is contesting that, the main issue is the method of acquiring the information may not have been legally justified and thus the basis for all the rest of the case would fall off.

In Estonia, security agencies are allowed to eavesdrop on people and institutions outside criminal procedure to prevent danger and in the interests of security. For this, special permission is granted by an expert administrative judge. All related information and related issues (such as statistics) is state secret.

Years of eavesdropping without having a right to ever find it out, and overall statistics being a state secret. As EFF says: When electronic searches are done in secret, we lose our right to challenge the legality of law enforcement invasions of privacy.

Links:
http://news.postimees.ee/3785723/lawyers-of-savisaar-see-ray-of-hope

Estonian Internet voting system to be rewritten from scratch

1 Reply

e-voting_estonia

The new system should provide end-to-end verifiability features:

The current software, created in 2004, needs overhaul as the gradual updates (such as adding the Mobile-ID capacity and others) have rendered the grasp on the source code structure challenging. “The new system will be more universal, allowing more possible applications, in addition to using it for Estonian nation-wide elections and referendums – such as internal elections of large corporations, local government polls and also abroad,” said Tarvi Martens, chairman of Estonian Electronic Voting Committee.

The voting procedure will remain the same for the voter and the source code will remain open. “The planned changes will allow the observers to keep an eye on how the stored e-votes will become election results more efficiently, based on mathematical proof,” Martens explained. “In other words, mathematics will prevail over the human factor. Technical proof allows us to control the system with much more efficiency,” he added.

The full cost of the first contract is 236 800 euros (VAT excluded). The bid was open to all EU entities and received bids from three companies. Cybernetica has won the bid for developing the Estonian electronic voting system, entailing a renewal of the system for the local government elections in October 2017.

Links:
http://uudised.err.ee/v/eesti/fe86efd4-9811-48cc-ae2b-234acd4e6c60/vabariigi-valimiskomisjon-soovib-e-haaletamise-susteemi-uuesti-ules-ehitada
https://cyber.ee/en/news/cybernetica-selected-to-renew-estonian-internet-voting-software/

Database with non-anonymized judicial decisions available online

Leave a reply

Riigi_Teataja_anonymization_failure

Estonia features a punishments register with misdemeanours and crimes listed by all people. For the benefit of potential employers, for instance. Then there is a judicial decisions database where expired crimes can often still be detected. In these two, names and other data of victims and witnesses are almost never found – the occasional typo excluded. Turns out, there is a third database with judicial decisions prior to 2006. In it, glaring problems are obvious regarding personal data protection, as it holds details of entire criminal acts as well as names of criminals, victims, witnesses and experts. At times, names of close relatives are included, and home addresses at the time.

Estonian Data Protection Inspectorate PR-adviser Maire Iro agrees and says and claims people responsible at State Gazette (Riigi Teataja) database have repeatedly been notified of the problem. The justice ministry press rep Maria-Elisa Tuulik said the data has been uploaded pursuant to old legislation and the people had the right, and still do, to apply to relevant courts for removal of their data in such instances. Ms Tuulik admits people might have difficulty doing that and have insufficient knowledge. She cites the excessive amount of manual labour required to sort out the data. They may thus take it all offline as public interest is waning anyway, with time passing.

For some of the decisions State Gazette has tried to anonymize personal data, but using ineffective technical means (see picture above).

Links:
http://news.postimees.ee/3762007/the-national-victims-register
https://www.riigiteataja.ee/kohtuteave/kohtulahendite_otsing/kriminaalasjad.html
https://www.riigiteataja.ee/docs//public/dokument_279468.pdf

Privacy concerns over fingerprint collecting from e-residents

Leave a reply

Biometric data of all individuals who have applied for or own Estonian identity cards, irrespective of whether they are national identity documents or digital identity documents meant exclusively for e-identification, are stored in digital database, archived and retained for 50 years (in case of e-residency, this is done to avoid conferring duplicate identities to one person).

From the perspective of e-residents, this is immaterial — the digital identity documents issued do not serve as travel documents, as has been established above. Nevertheless, due to the fact that under the Estonian Identity Documents Act the term “digital identity card” denotes both the e-IDs of nationals as well as e-residents’ e-ID cards, the requirement of biometric identifiers also applies to both.

Drawing on the aforementioned, the authors of the given chapter claim that the failure to differentiate between the two types of documents leads to unnecessary collection of biometric data that is in contradiction with the Data Protection Directive Article 6 principles of purpose and proportionality.

Biometrics as security technology cannot be “thrown in” for good measure, as Estonia seems to have done, without proper analysis of risks for the protection of fundamental rights and freedoms, not considering whether the purpose to be achieved could not be achieved by less intrusive means.

The practice is indeed questionable, since in case EU citizen applies for Estonian residency, the objective of “avoiding conferring duplicate identities to one person” is achieved by less intrusive means without fingerprints being collected.

Links:
http://link.springer.com/chapter/10.1007%2F978-3-319-26896-5_4