The FBI v. Apple flap exploded on the public scene just as I was learning my way around my new Estonian e-Residency card, which promises—among other things—secure communications between card holders. I am currently working on the next piece in my series about Estonian e-Residency, so more on the card later. But in the meantime, the Apple controversy made me wonder: What would and could Estonia do if the e-Residency program were put in the position that Apple is now in? What if, for example, the San Bernadino shooter were an Estonian digital resident and had encrypted communications? Could Estonia help decrypt them?
I did what anyone would do under these circumstances: I tweeted the question at the President of Estonia, Toomas Ilves—who seems to handle his own Twitter account:
@IlvesToomas ie, if the San Bernadino case involved e-Residency comms, not Apple, would Estonia have capacity to help or would FBI be dark?
— Benjamin Wittes (@benjaminwittes) February 29, 2016
Ilves, being the world's most digitally accessible head of state, quickly responded:
We couldn't do a thing @benjaminwittes
— toomas hendrik ilves (@IlvesToomas) March 1, 2016
None. The entire system is based on trust. With backdoors there is no trust. @benjaminwittes— toomas hendrik ilves (@IlvesToomas) March 1, 2016
I have no doubt that Ilves is telling the truth—and that this should instill confidence in the e-Residency card. Yet, at the same time, I think the e-Residency card, even were its use widely adopted, would probably not pose a significant "going dark" problem.
The reason is instructive. To decrypt someone's communications made with the card, the FBI would need two things: It would need the person's card, and it would need one of the two PINs associated with that card. Presumably, in a case like San Bernadino, it would get the card itself from the perpetrator. Even if it could not get the PINs from the Estonians, with the card in hand, it could relatively easily conduct a brute force attack against the PINs—exactly what it is now trying to do with the iPhone. With a living suspect still at large, this might not work, as the suspect might cancel his card once he notices it missing. But with a dead suspect, or a dead victim of the type that Director Comey has discussed in public, the combination of possession of the card and a brute force attack on the PIN is probably adequate.
At least until I hear of either security problems with the card or going dark problems associated with its use, I am tempted to think this may be an attractive model that potentially accomodates competing security and investigative interests.
I'm very interested in people's thoughts on this.