Personal data processing by state systems wider than it should be


The first issue concerns state systems querying more personal data from X-Road than required:

In March a service was added to the Eesti.ee online portal that allows users to see which government institutions have accessed their personal data. According to daily Eesti Päevaleht, there are plenty of illegal queries. As the paper wrote on Tuesday, the Unemployment Insurance Fund, the E-Health System, notaries, and plenty of others regularly break the law by accessing people’s personal data without a legally valid reason.

What happens is that every time e.g. someone’s general practitioner accesses their data, the system automatically also displays their immediate relatives and their personal ID codes. This data represents a series of illegal queries by the system. “Thanks to the data tracker it has become clear that the information systems of plenty of institutions apply only the broader query also for their services that don’t require the data of connected persons. Those institutions where the problem has come up are already improving their systems,” the Data Protection Inspectorate’s press spokeswoman, Maire Iro, said. According to Iro the inspectorate does not have a complete overview of all the institutions affected, but that local government, liquidators, and notaries had already begun to check their queries.

The second issue concerns recent law amendments and the interest of state institutions in performing mass data processing on a wide range of personal data:

Director General of the Estonian Data Protection Inspectorate (AKI) Viljar Peep sent a letter to Minister of Justice Urmas Reinsalu this week expressing concern about extensive data processing by state agencies, first and foremost by the Estonian Tax and Customs Board (MTA). An amendment to the Taxation Act entered into force on April 1 which granted the MTA access to a large number of databases for risk assessment, i.e. tax intelligence, purposes, reported daily Eesti Päevaleht (link in Estonian). The tax authority primarily requests information from transaction databases of the Central Commercial Register, the Traffic Register and the Land Register. The Police and Border Guard (PPA) and the Estonian Road Administration have expressed interest in similar access to databases.

“In the initial bill, data processing was in no way hindered, meaning that the MTA could have even looked at a person’s e-health data,” Peep recalled. “Thankfully this was limited somewhat during proceedings.” According to the director general, the issue is that Estonia lacks legislation that would regulate mass data requests. “Yes, it is specified in the Law Enforcement Act and the misdemeanor procedure how to conduct inquiries regarding specific violations, however mass data processing cannot be conducted by the same rules,” he stressed. “It is important that every authority not begin making up its own rules.”

Links:
http://news.err.ee/590473/state-systems-illegally-passing-around-personal-data-on-massive-scale
http://news.err.ee/591100/data-protection-inspectorate-concerned-by-state-agencies-data-collection

Cyber Security Support Group formed in the Riigikogu

Members of the Riigikogu formed the Cyber Security Support Group on Thursday, electing Arto Aas (he was chairman of the Riigikogu’s EU Affairs Committee at the time he had his Dropbox access data stolen. Source: ERR) as chairman and Kalle Palling as deputy chairman of the group.

The support group was founded with the objective of promoting the development of cyber security in Estonia, strengthening cooperation between the private and public sectors as well as raising society’s awareness of cyber security, according to a Riigikogu press release.

Other members of the Cyber Security Support Group of the Riigikogu include Keit Pentus-Rosimannus, Jüri Jaanson, Lauri Luik, Jürgen Ligi, Ants Laaneots, Laine Randjärv, Kalle Laanet, Madis Milling, Yoko Alender, Aivar Sõerd, Urve Tiidus, Taavi Rõivas, Remo Holsmer, Eerik-Niiles Kross, Kristen Michal, Erki Savisaar, Raivo Aeg and Jaanus Karilaid.

We will see in a year how productive the group will be.

Links:
https://www.riigikogu.ee/en/press-releases/others/cyber-security-support-group-formed-riigikogu/
http://news.err.ee/589915/cyber-security-group-formed-in-riigikogu

Employees of foreign embassies to be issued diplomatic eID card

The Ministry of Foreign Affairs on Friday acquainted heads of the representations of foreign countries and international organizations with a new diplomatic ID which will provide employees with a digital identity giving them access to Estonian e-services, spokespeople for the ministry said.

“It’s unique in the EU and hopefully will encourage other countries to make more rapid progress in e-Europe development,” said the minister.

Digital diplomatic IDs will enable both the physical and electronic identification of an individual as well as provide access to Estonian e-services. Users will receive an Estonian personal identification number that will make it easier for employees of foreign diplomatic representations to handle official business in Estonia.

A new type of identity document. It will probably contain the same data as the ID card, but will look a bit different and will be issued to a specific group of people.

Links:
http://news.err.ee/588887/employees-of-foreign-embassies-to-be-issued-digital-ids
http://www.ituudised.ee/uudised/2017/04/10/valisriikide-saatkondade-tootajad-eestis-saavad-digitaalse-diplomaatilise-isikutunnistuse
https://twitter.com/Karen_van_S/status/850306183093211136


Ten years since cyber attacks following 2007 Bronze Night riots

Opinion by Jaan Priisalu, at that time the head of SIRT at Swedbank:

Jaan Priisalu, senior researcher at Tallinn’s NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE), told ERR in an interview last week that through Estonia’s initiative and the public debate that followed the attacks, a topic was now getting attention that before was talked about only behind closed doors, and that some even looked at as an embarrassment.

Estonia’s 2008-2013 cyber strategy shows that after the attacks, development in the field went in several different directions. As Priisalu puts it, the strategy was a collection of the lessons learned, and based on them, a system to respond to this sort of incident was put in place.

People involved in cyber security were brought together and asked what could have been done differently, and what else should have been done. Instructions were written up, lines of communication laid out, and a cyber security curriculum put together at the Tallinn University of Technology (TUT). With it, systematic education in the field of cyber security began in Estonia.

Opinion by Klaid Mägi, the current head of CERT-EE:

Estonia’s capability to manage cyber crises has substantially improved over the past ten years, CERT Estonia chief Klaid Mägi said at a conference dedicated to the 10th anniversary of the April 2007 cyber attacks.

According to Mägi, compared to ten years ago, Estonia is substantially more capable of managing cyber crimes. “We have created systems that identify attacks and protect [us] from them, have practiced cooperation with public and private institutions, have substantially contributed to improving the knowledge of end users and are taking part in substantial international cooperation in order to manage crisis situations better,” he highlighted.

Links:
http://news.err.ee/592075/estonia-s-reaction-to-cyber-attacks-influenced-global-security-policy
http://news.err.ee/592250/cert-chief-estonia-s-cyber-crisis-management-capability-improved-in-decade

HITSA is looking for a chief information security officer

HITSA announces a competition for the post of information security manager.

The main area of work for the information security manager is launching and maintaining an information security management system, evaluating its performance and making the necessary improvements to ensure an adequate level of security for the information assets of HITSA.

Apply if:
• You have a university degree in the field of IT;
• You have worked in the IT field for at least three years;
• You have knowledge of information security organization and experience in security project design and implementation;
• You have knowledge of information systems and their principles of operation;
• You have advanced Estonian language skills, both oral and written, and a good level of sector-specific English speaking and writing skills;
• You show initiative and have organizational potential, teamwork and independent work skills, analytical thinking, and are reliable and able to cope with increased levels of stress.

For our employees we offer:
• Opportunity to contribute to the development of the Estonian education information system in the field of information security;
• Good working conditions;
• 35-day vacation;
• Supportive team.

Deadline for applications is 31 May 2017. Work starts in September 2017.

Links:
http://www.cv.ee/toopakkumine/hariduse-infotehnoloogia-sa/infoturbejuht-f3315468.html
http://hitsa.ee/uudised-1/tookuulutus-hitsa-otsib-infoturbejuhti

Oxford Training Session: Cyberspace and the State

This 3-day training session is centred around the opportunities and threats emerging in an information society, with discussions about digital services, personal authentication methods, international cyber threats and e-elections. These discussions are not only important from a technical point of view, but also need to take into account political, governance, social and legal aspects.
This training session is mostly aimed at students with a non-IT background, who, as future leaders and experts in their respective fields, should still be aware of the opportunities created by information technology, as well as of the risks involved.
The first two days of the training session consist of topical lectures; on the third day, a practical cyber crisis simulation exercise will be carried out.
The training session is offered free of charge; graduates will receive a certificate from the University of Tartu (2 ECTS), as well as a certificate of attendance from the University of Oxford.

DAY 1: FRIDAY, APRIL 28
09:30 – 10:00 Registration to the training session
10:00 – 10:30 Welcoming and course introduction (Lucas Kello, Oxford)
10:30 – 12:00 Lecture 1: Computing and Networks: The Basics (Ivan Martinovic, Oxford)
12:00 – 13:00 Lunch break
13:00 – 14:20 Lecture 2: Computer Security: Authentication and Biometrics (Ivan Martinovic, Oxford)
14:20 – 14:30 Short break
14:30 – 16:00 Lecture 3: An Independent Assessment of the Procedural Components of the Estonian Internet Voting System (Jason Nurse, Oxford)
16:00 – 16:20 Short break
16:20 – 17:30 Lecture 4: National and International Security in the Cyber Age (Lucas Kello, Oxford)

DAY 2: SATURDAY, APRIL 29
08:30 – 09:00 On-site registration
09:00 – 10:20 Lecture 5: Russian Cyber Operations: Disruption and Subversion (Lucas Kello, Oxford)
10:20 – 10:30 Short break
10:30 – 12:00 Lecture 6: Government as a Platform (Robert Krimmer, Tallinn Univ. of Technology)
12:00 – 13:00 Lunch break
13:00 – 14:20 Lecture 7: Law Enforcement’s Access to Extraterritorial Data (Anna-Maria Osula, University of Tartu)
14:20 – 14:30 Short break
14:30 – 16:00 Lecture 8: Strategic Dilemmas in Cyberspace (Max Smeets, Oxford)
16:00 – 16:20 Short break
16:20 – 17:00 Simulation exercise briefing (Lucas Kello, Oxford)

DAY 3: SUNDAY, APRIL 30
08:45 – 09:00 On-site registration
09:00 – 09:30 Simulation exercise set up (Oxford teaching staff)
09:30 – 13:00 Cyber Crisis Simulation Exercise
13:00 – 14:30 Lunch break and group discussion
14:30 – 15:30 Post-exercise debriefing: Decision-making in a Crisis (Lucas Kello, Oxford)
15:30 – 15:50 Short break
15:50 – 17:00 Course conclusion (Lucas Kello, Oxford)

Links:
https://sisu.ut.ee/oxfordsessions/overview?lang=en
https://www.facebook.com/events/1144747528981361/

Estonian Internal Security Service (KaPo) Yearbook 2016

KaPo annual review 2016 discusses cyber security on page 21:

In 2016, Estonia also saw some attempts to access the information of the state’s high-level decision-makers. The attacks were extremely skilfully executed from the technical point of view with the use of credible fake e-mails and previously unknown technical methods. In view of the functioning mechanisms of the abovementioned APTs, it is clear that attacks cannot be avoided entirely, but they need to be identified, and major damage needs to be mitigated.
[..]
As far as Estonia is concerned, we forecast that cyber threats will increase in 2017 due to the EU presidency and the arrival of NATO units.

The section “Protection of state secrets” covers the case of Alexander Goncharov and Ivo Jurak on which we reported before.

Links:
https://kapo.ee/sites/default/files/public/content_page/Annual%20Review%202016.pdf

PhD thesis: “Remote search and seizure of extraterritorial data”

Anna-Maria Osula’s PhD thesis: “Remote search and seizure of extraterritorial data”
Defense date: 17.04.2017 – 12:00, Näituse 20, room K-03

Supervisor:
Professor Jaan Ginter

Opponent:
Dr Christoffer Wong (University of Lund)

Summary:
Due to increasing digitalization, criminal procedure has to take into account the characteristics of the Internet, related technologies and digitally stored or electronically transmitted data. The objective of the dissertation is to examine, building on the example of the Council of Europe Convention on Cybercrime (CoCC), the regulation of remote search and seizure in circumstances where the targeted evidence is extraterritorially located or where it is not possible to identify the exact location of the data (‘loss of location’). Remote search and seizure entails searches that are either carried out by extending the initial search and seizure to devices accessible from the originally searched device or by remotely conducting search and seizure from other devices such as the law enforcement’s own. In addition to discussing the traditional mutual legal assistance procedures and alternative measures for accessing extraterritorial data, the dissertation scrutinizes whether remote search and seizure of extraterritorial data entails an extraterritorial application of jurisdiction to enforce and whether it can thereby be viewed as a breach of territorial sovereignty of the other state.

Links:
http://www.ut.ee/en/events/anna-maria-osula-remote-search-and-seizure-extraterritorial-data
http://dspace.ut.ee/handle/10062/55683

Conference “The Present and Future of Cybersecurity”

April 26, 2017, National Library of Estonia

13.00-13.30 – Registration and welcome coffee
13.30-13.40 – Opening words – Urve Palo (Minister of Entrepreneurship and Information Technology)
13.40-14.00 – Keynote – Jaak Aaviksoo (Rector of TUT)
14.00-15.00 – Discussion “Evolution of cyber attacks – what has changed in ten years?”, moderated by Klaid Mägi (RIA, head of CERT-EE). Debating: Hillar Aarelaid (Police and Border Guard Board), Jaan Priisalu (TUT), Merike Käo (Farsight Security CTO)
15.00-15.30 – Coffee break
15.30-17.00 – Discussion “Discourses, paradigms and form of cyber policy in practice”, moderated by Taimar Peterkop (Director General of RIA). Debating: Sven Sakkov (Director of NATO CCD CoE), Heli Tiirmaa-Klaar (European Union, Head of Cyber Policy Coordination at the European External Action Service), Lauri Lugna (Secretary General at the Ministry of Interior), Lauri Almann (Co-Founder of BHC Laboratory)
17.00-17.30 – Closing words – Toomas Vaks (RIA, Head of Cyber Security Branch)
17.30-19.30 – Post-conference reception, with a performance by the RIA band VaRIA.

The working language of the conference is Estonian.

Links:
http://kyberkonverents.publicon.ee/registreerimine/

ETV “Suud Puhtaks” debate on internet voting security

Is cyber security in Estonia ensured? Why does the government want to change the i-voting period, and what signal does that send to the world? Talk show host Urmas Vaino helps set things straight.

Debating:
Indrek Saar, Minister of Culture, Social Democratic Party
Jaanus Karilaid, Member of Parliament, Center Party
Priidu Pärna, Member of Tallinn City Council, Pro Patria and Res Publica Union
Anto Veldre, RIA analyst
Kristjan Vassil, UT senior researcher
Märt Põder, organizer of journalism hackathon
Arti Zirk, TUT IT faculty student
Tarvi Martens, Electoral Committee, Head of Internet Voting
Kristen Michal, Member of Parliament, Reform Party
Mihkel Slovak, UT senior researcher
Henrik Roonemaa, Geenius.ee editor
Erki Savisaar, Member of Parliament, Center Party
Andres Kutt, RIA, IT architect
Sven Heiberg, Cybernetica AS, Project Manager of Internet Voting System
Jaak Madison, Member of Parliament, Conservative People’s Party
Jaanus Ojangu, Chairman of Free Party
Agu Kivimägi, Stallion cyber security consultant
Jaan Priisalu, TUT researcher
Silver Meikar, Adviser to Minister of Culture
Kalev Pihl, SK ID Solutions, Board Member
Oskar Gross, Head of Cyber Crime Unit of Central Criminal Police
Klaid Mägi, RIA, Head of the department for handling incidents (CERT-EE)
Heiki Kübbar, Founder of ICEfire OÜ
Birgy Lorenz, Board Member of Network of Estonian Teachers of Informatics and Computer Science
Andres Kahar, KAPO Bureau Manager
Sven Sakkov, Director of NATO Cooperative Cyber Defence Centre
Heiki Pikker, TUT Cyber Security MSc student

Links:
http://www.err.ee/587007/suud-puhtaks-kui-turvalised-on-e-valimised
http://etv.err.ee/v/paevakajasaated/suud_puhtaks/saated/8d5babc5-cc33-4ed5-9bc0-927d4293ee21/suud-puhtaks
http://news.err.ee/310788/center-party-wants-to-shorten-e-voting-period