Monitoring Internet voting in Estonia (Source: OSCE/ODIHR)

• This photo is from the OSCE/ODIHIR Elections homepage with the caption “Computers at the National Election Commission in Estonia monitor Internet voting traffic during the 2007 parliamentary elections. (OSCE/Henri Snyers)”. It nicely shows how difficult it is to do meaningful observation and scrutiny of an e-vote. The graphs are probably showing something like traffic at various routers or servers. One screen is also showing what looks like CCTV feeds from the data center. These are all ‘interesting’ but not able to provide any assurances about what is happening to the votes – are they recording accurately, is someone changing them, will they be counted correctly?

• Observing Electronic Voting
  Kåre Vollan has written an excellent paper on observing e-voting which really clearly addresses the problems with e-voting and hence the challenges such technologies pose to observation missions.

• Voters to receive electronic ballot info
  The Swindon Advertiser tells us about Swindon’s plans for this May’s pilots. They seem very excited about the notion of ‘electronic ballot papers’, in other words kiosks, so that voters can use any polling station in the town. In other words e-voting. (Thanks Glyn)

It’s proving difficult to get first-hand information on the Estonian elections that closed yesterday. As previously reported, Estonia has raced to become the first country to hold a parliamentary election with a legally binding Internet voting channel.

Wired News have filed the most detailed report on Estonian Internet voting. There are some interesting quotes such as a member of Estonia’s National Electoral Commission saying that their goal is to boost participation whilst simultaneously admitting that nobody has proved that e-voting actually can achieve this.

A troubling quote:

“You trust your money with the internet, and you won’t trust your vote? I don’t think so,” said Tarvi Martens, project manager for the country’s e-voting project.

 

Surely Mr Martens should, of all people, know that e-voting is a fundamentally different problem to e-commerce; very troubling – it’s either ignorance or a he’s being deliberately misleading.

As reported by Wired News the system requires a card reader which much be purchased or received as part of certain banking services. Voting can only be done through Internet Explorer which means that voters must be running Microsoft Windows. This is extraordinary – you can only vote online if running a particular browser and operating system, how democratic is that?

Indeed, according to a BBC News report and FOCUS Information Agency report, only about 3% of eligible voters used e-voting with overall turnout being roughly 30%. EuroNews, in a brief report, contrasts Estonia’s Internet voting with socio-economic problems in the country, indeed is Internet voting the best way to spend tax-payers’ money?

Deutsche Welle has a report on the Estonian elections from a German perspective noting that OSCE “views the on-line development, with skepticism, with many officials doubting the level of protection and security of information.”

In reply to quotes that are generally positive about e-voting, Deutsche Welle have a zinger from the German Ministry of Internal Affairs:

“I-Voting, for judicial and technical reasons, does not do justice to the special requirements of political elections in Germany at the moment,” says Annette Ziesig of the Ministry of Internal Affairs.

 

Precisely, in fact Internet voting and e-voting in general does not and cannot meet the special requirements of political elections for any country that wants to meet international standards for free and fair elections as set out in the UN and Council of Europe declarations on human rights.

UPDATE: Margus has posted a comment pointing to pages on the Estonian e-voting website which indicate that voting is possible from Windows, Linux and MacOS. It looks like Wired News mis-reported the situation, my reading of the Estonian site is that you can only use Internet Explorer on Windows but Firefox on other platforms is ok.

Comments from the previous version of this blog:

actually linux and mac are supported.
also firefox for windows

http://www.valimised.ee/index_eng.html

17:55:47 GMT 04-03-2007 margus

Thank you!

I was surprised that the Estonians would make an Internet Explorer only system – thank you for that link. I will update my blog post right now.
20:31:21 GMT 04-03-2007 Jason Kitcat

more clarification

see this post here by someone in the know:

http://www.jaanuskase.com/en/2007/03/error_in_wiredcom_article_abou.html

22:36:24 GMT 04-03-2007 rayc

Having actually voted electronically these elections, i find the US-originating critique somewhat annoying.

First of all, every last US critic states they are not familiar with the local system. And they are the experts?
Then there is much talk about the elections not being fair and free.

Which elections are? There have been cases worldwide where people have been told to use their camera phones to take a snapshot of their ballots, etc. If a group wishes to apply pressure to voters such a way is found regardless of the election type.

In the same manner booth voting, mail voting and e-voting all feature some risk of vote tampering. Whether it is by means of accessing voter computers, stealing absentee ballots, buying local votecounting officials or tampering with mailed ballots, it is all possible.

So the critics dislike e-voting because it is as unsafe as the regular one? So let’s dump e-banking as well and pray that the bank branch employee doesn’t forge your signature?
11:56:19 GMT 05-03-2007 Fred

Waving the flag

Fred

Thanks for your comment (and thanks to Ray for the link about Estonia).

I am based in the UK and I am a dual British/Canadian citizen, this and many other background details are in the ‘about’ section of this site.

So I’m not a US critic but you’re right, I don’t have on-the-ground knowledge of the Estonian system, hence the first sentence of my blog post saying how difficult it was to get information. Nevertheless I get asked about the Estonian system and governments will use the Estonian experience as justification for their own experiments so I feel it is worthwhile commenting on my blog.

No election is perfect and to my knowledge I have never said so. When criticising e-voting I acknowledge the limitations of our existing paper-based systems and accept that they have room for improvement. While all methods of voting has some risk, the scale of undetectable fraud or error possible with e-voting is far greater than possible with any other method.

One million postal votes could not be stolen undetectably, logistically it’s too hard to move that much paper yet with e-voting those kinds of numbers are logistically entirely plausible. Note that banking is a very different problem to e-voting as it isn’t anonymous.

My criticism of e-voting is that it is much, much more unsafe than regular secret Australian paper ballots. E-voting is also more expensive, complicated, prone to error and less accountable and auditable to citizens.
22:43:50 GMT 05-03-2007 Jason Kitcat

The other competitors have fallen by the wayside leaving Estonia to take the medal when they cross the finishing line with their March 4th elections. These elections will be the world’s first national parliamentary elections conducted with an Internet voting channel. Their rush to implement this technology is driven by a desire to create positive press around the technological advancement of Estonia to attract inward investment. I can see no other reason expressed in the reports to justify this rapid introduction.

My previous analysis of the Estonian system showed that it wasn’t too bad and they’d been admirably open compared to other countries implementing e-voting. Nevertheless there are weaknesses in the system which could be manipulated by insiders and voters can’t be sure their votes are stored and counted as intended.

The Organisation for Security and Co-operation in Europe (OSCE) will be sending a mission to observe the Estonian elections but do “…not intend to carry out a systematic or comprehensive observation of the voting, counting and tabulation on election day.” Of course observing a computer in a server room isn’t go to do much good anyway. I wonder what the Estonian candidates think?

CNET News.com report
Monsters & Critics report

Estonia has just completed a nationally available legally binding online election and the media are causing a fuss. My head’s in a twist because I just wrote a great post on this topic before BBEdit crashed losting the post – BBEdit never crashes.

Anyway let’s try and get this back from memory… The BBC did a pre-election article and Associate Press did a post election article where they quoted me fairly accurately.

This sums it up:

He acknowledged that Estonia’s system was the most secure to date, but said no system was “good enough for a politically binding election.”

 

Yep, it’s a pretty good system, as far as I can tell. The Estonian National Election Committee has published the rather good General content:encoded of the E-Voting System. With a small population of 1.4 million and PKI based smartcards authentication is not the problem it is in many other countries, so I can skip that. (Though if anyone has any info on copied Estonian ID cards being found, that would be interesting).

Essentially voters cast their vote online through a Java or ActiveX applet which encryptes the chosen candidate with the vote-counters public key. The voter then signs the vote with the private key off their smart ID card. The votes need to be traceable, via the voter’s signature, as citizens are allowed to vote multiple times online and offline. Once the election closes and invalid ballots are removed, the voter’s signatures are removed from the votes and the encrypted votes are physically passed to a counting machine off all networks. On this machine the private key of the vote counter is used to decrypt the votes before counting.

Of course once the digital signatures are off the votes their uniqueness and authenticity cannot be verified. Potentially un-signed votes could be swapped, added to or removed. I hope they add in some unique number (like a timestamp) with the vote (which is otherwise purely a candidate number) as their logging works on the basis of hash(vote) but of course two hash(candidate 198) would be identical. The terminology in the document is a little unclear, perhaps the logs use the hash of the signed & encrypted vote, or perhaps not.

The logging system is one of the best I’ve ever seen in an e-voting system (I’m still pretty proud of GNU.FREE’s logging and there may be better logging designs cloaked in corporate secrecy). However there is no mention of what protects the logs themselves from tampering. They all use hash(vote) as a unique identifier so without protection of the log files one could remove votes successfully and perhaps replace them if one had the right keys. The public key for the vote-counter is embedded in the voting applet so that could be extracted.

There is no voter verifiability, though potentially the system would allow for a basic level of post-count checking, but it doesn’t currently. Once the voter has clicked to send their vote and received an acknowledgement back, that’s it. There’s no way to check the vote was stored as intended and no way to be sure it was counted. That’s disappointing but perhaps not surprising in a country which culturally less cynical of government’s motivations.

The following requirement ensures that the privacy of e-voters is maintained: at no point should any party of the system be in possession of both the digitally signed e-vote and the private key of the system.

 

There are many ‘coulds’ and ‘woulds’ in the general content:encoded document I’m using to explore the Estonian system. So for example they suggest splitting the private vote-counter key to reduce the possibility of compromise, but it reads more as a suggestion than what actually happens. Without knowing Estonian I can’t get more detail to find out what really happens. Certainly the above quote shows that they recognise a primary vulnerability in their system and whilst splitting the key could help, they also suggest having multiple keys because if they lose or corrupt the only one they can’t count the votes. Uh-oh.

Conclusion

Kudos to the Estonians for publishing accessible and detailed documents in English. They totally get this whole open government thing. For the size of country, it’s technological outlook and the low likelihood that anybody major (e.g. a superpower) would want to mess with their elections, the system is ok.

Considering how much time I spend talking to journalists, I often wonder which bit they’re going to choose to print (if anything!) so I’m glad my best argument was included:

“The benefits [of e-voting] don’t come anywhere near the risks,” said Jason Kitcat (…) “It’s a waste of money and a waste of government energy.”

 

With AP reporting less than 1% of registered voters using the e-voting system I think that once the publicity dies down, reality will set in. The system doesn’t offer the turnout boost hoped for and with such small numbers using it there aren’t cost savings to be had. In fact with voters still allowed to go for a paper ballot after e-voting, as protection against vote buying and coercion, new levels of election complexity are going to be more costly. These facts will be hard to avoid and, like most other places, e-voting will quietly die away.

• Summary of the Estonian e-voting process

 

• Learn about the pros and cons of e-voting