Estonia revisited: technology & security
Estonia’s e-voting system builds on the existing electronic citizens’ ID infrastructure, which is used as a means of personal identification for both e-government and e-banking transactions.
Like any smartcard, each citizen ID card comes with two PIN codes. A voter wishing to cast a ballot via the internet needs a computer with an internet connection, a smart card reader and the relevant ID card software, which is made available online.
A voter then inserts the ID card into the card reader, opens the I-voting website, downloads and runs the voter application, which encrypts the vote, and identifies himself or herself by entering PIN1, as for any other government transaction. But since when are elections considered the same as any other government transaction? Once the list of candidates for the voter’s electoral district is displayed, the voter makes a choice and confirms it by entering PIN2, which serves as a digital signature. By signing, the voter’s personal data are attached to the encrypted vote in a separate file. At that point the voter receives a notice that the vote has been accepted by the intermediary server. As a procedural safeguard intended to ensure that voters express their true will, they are allowed to change their electronic vote by voting again electronically during advance polls, or by voting at a polling station during advance polls. Advance polls are necessary to leave time to eliminate double votes by the end of Election Day.
Voters in 2013 could verify that a vote was cast as intended using a smartphone app provided by the election authority. If the ballot cast matched the stored ballot, the app displayed the corresponding candidate, which the voter could check. The server allowed verification to be performed up to three times and up to 30 minutes after casting. The verification procedure, however, was only partially deployed in 2013 and is expected to be fully launched for all available devices in 2015.
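To make the flow of the two paragraphs above concrete, here is an added Python model of the double-envelope scheme, the re-voting and paper-vote override rules, and the three-attempts-within-30-minutes verification limit. It is example code written for this post, not the Estonian election authority’s software. The cryptography is a constructed stand-in: the ID card’s PIN2 signature is modelled with an HMAC under a per-voter key, and election public-key encryption with a keyed SHA-256 stream; the candidate names, voter ids, keys and timestamps are all constructed. The nonce that the voter application keeps and hands to the phone app is an assumption about how “the ballot cast matched the stored ballot” is checked.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed stand-ins (NOT real crypto): HMAC models the ID-card signature,
# a keyed SHA-256 stream models election public-key encryption.
ELECTION_KEY = b"constructed-election-key"     # assumption: held by the counting side only
CANDIDATES = ["Candidate A", "Candidate B", "Candidate C"]   # constructed candidate list
VERIFY_LIMIT = 3            # at most three verification attempts per ballot
VERIFY_WINDOW = 30 * 60     # and only within 30 minutes of casting


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt_vote(candidate: str, nonce: bytes) -> bytes:
    """Inner envelope: the vote alone, unlinkable to the voter once the outer envelope is removed."""
    data = candidate.encode()
    return nonce + bytes(a ^ b for a, b in zip(data, _keystream(ELECTION_KEY, nonce, len(data))))


def decrypt_vote(blob: bytes) -> str:
    nonce, body = blob[:16], blob[16:]
    return bytes(a ^ b for a, b in zip(body, _keystream(ELECTION_KEY, nonce, len(body)))).decode()


@dataclass
class SignedBallot:
    voter_id: str          # personal data live only in the outer (signed) envelope
    encrypted_vote: bytes  # inner envelope
    signature: bytes       # PIN2 signature over voter id + inner envelope
    cast_at: int           # seconds since advance polls opened (constructed clock)


def cast_ballot(voter_id: str, pin2_key: bytes, candidate: str, cast_at: int):
    """Voter application: encrypt, then sign. Returns the ballot and the nonce kept for verification."""
    nonce = secrets.token_bytes(16)
    inner = encrypt_vote(candidate, nonce)
    sig = hmac.new(pin2_key, voter_id.encode() + inner, "sha256").digest()
    return SignedBallot(voter_id, inner, sig, cast_at), nonce


class VoteServer:
    def __init__(self, voter_keys: dict):
        self.voter_keys = voter_keys     # voter_id -> key (stand-in for the ID-card certificate)
        self.ballots = {}                # voter_id -> latest accepted electronic ballot
        self.paper_voters = set()        # voters who also voted at a polling station
        self.checks = {}                 # voter_id -> verification attempts used

    def accept(self, ballot: SignedBallot) -> bool:
        key = self.voter_keys.get(ballot.voter_id)
        if key is None:
            return False
        expected = hmac.new(key, ballot.voter_id.encode() + ballot.encrypted_vote, "sha256").digest()
        if not hmac.compare_digest(expected, ballot.signature):
            return False                 # reject ballots that the voter's card did not sign
        self.ballots[ballot.voter_id] = ballot   # voting again replaces the earlier electronic vote
        self.checks[ballot.voter_id] = 0
        return True

    def fetch_for_verification(self, voter_id: str, now: int):
        """Hand the stored inner envelope to the phone app, at most three times within 30 minutes."""
        ballot = self.ballots.get(voter_id)
        if ballot is None or now - ballot.cast_at > VERIFY_WINDOW or self.checks[voter_id] >= VERIFY_LIMIT:
            return None
        self.checks[voter_id] += 1
        return ballot.encrypted_vote

    def record_paper_vote(self, voter_id: str) -> None:
        self.paper_voters.add(voter_id)  # a paper vote during advance polls overrides the e-vote

    def tally(self) -> dict:
        """Eliminate double votes, strip the outer envelopes, then decrypt and count anonymously."""
        inner_only = [b.encrypted_vote for vid, b in self.ballots.items() if vid not in self.paper_voters]
        counts = {c: 0 for c in CANDIDATES}
        for blob in inner_only:
            counts[decrypt_vote(blob)] += 1
        return counts


def verify_on_phone(stored, nonce: bytes):
    """Phone app: re-encrypt every candidate with the voter app's nonce; show the one matching the stored ballot."""
    if stored is None:
        return None                      # server refused (limit or window exceeded)
    for candidate in CANDIDATES:
        if encrypt_vote(candidate, nonce) == stored:
            return candidate
    return None                          # stored ballot differs from what the voter cast


if __name__ == "__main__":
    server = VoteServer({"voter-1": b"k1"})
    ballot, nonce = cast_ballot("voter-1", b"k1", "Candidate A", cast_at=100)
    server.accept(ballot)
    print(verify_on_phone(server.fetch_for_verification("voter-1", now=200), nonce))
    print(server.tally())
```

Note what the model makes visible: the phone app never needs the election key, so it can only confirm the stored ballot matches what was encrypted on the voter’s machine, and a compromised voter computer that encrypts a different candidate than the one displayed would still pass unless the app is run from a separate device, which is exactly the malware concern the OSCE raised.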
So what is so wrong with this picture that international observers have pointed to security inadequacies ever since the 2011 parliamentary elections? In its report on the May 2011 Estonian elections, the OSCE pointed to advances in cryptography that enable end-to-end verification of the votes cast, and to algorithms that provide universal verifiability, so that anyone can verify that the cast votes have been decrypted and counted properly; both were evidently missing from the Estonian internet voting system. Additionally, the OSCE was made aware of malware that could penetrate a voter’s computer and change the ballot cast without the voter ever being able to detect it.
A more recent report, based on the 2013 Estonian e-voting deployment, showed that little progress had been made in the meantime. A series of further possible security inadequacies was highlighted, the most prominent being the vulnerability of the systems voters use for authentication and ballot casting, and the weak encryption that safeguards the ballots cast. Both reports also referred to many cases of procedural security controls not being properly organized and executed.
So I guess we shouldn’t really wonder what made the Britons shout that Estonia shouldn’t have used its e-voting system for the 2014 European Parliament election. As always, when security is not up to standard it all comes down to trust. We shall explore this parameter in the next post.