Estonia's Online Voting System Is Not Secure, Researchers Say
BY Antonella Napolitano | Wednesday, May 21 2014
“I gave my e-vote. This is not only convenient, but a vote of confidence to one of the best IT systems in the world, a vote of confidence to the Estonian State,” tweeted Toomas Hendrik Ilves, the president of Estonia, on May 15th, marking the start of early voting for the European Parliament (the voting process will end on May 25th).
While undoubtedly convenient, e-voting in Estonia might not be as safe as President Ilves thinks.
An independent group of researchers recently tested the Estonian I-voting system used during the last municipal elections, held in October 2013, and concluded that the flaws and lapses in operational security make it vulnerable to manipulations. Therefore, it cannot be considered safe enough.
Last Monday, the Guardian reported on the research, whose results are available in a technical report published on Estoniaevoting.org, a website set up by the researchers, complete with photos and videos.
"These computers could have easily been compromised by criminals or foreign hackers, undermining the security of the whole system," declared Harri Hursti to the British newspaper. Hursti is an independent researcher from Finland with experience in testing e-voting systems.
Estonia: Proudly Voting Online Since 2005
Today, Estonia is the only country that has used e-voting significantly and consistently.
Starting with a 2005 local election, the system has been used in all subsequent elections, including the last European election in 2009; up to a quarter of votes are cast online, notes the Guardian. In the (contested) 2013 municipal elections, about 21 percent of voters used online voting.
In order to cast an online ballot, a voter identifies him/herself with the use of an activated electronic ID card, a system which has been available for several years.
The group of independent researchers recreated the system using the real source code and the client software, and simulated the kinds of attacks the system could be subjected to, whether against home computers or the central system.
“Estonia's Internet voting system is actually quite sophisticated,” says Alex Halderman, one of the researchers, in a video detailing the work on the e-voting system. He explains: “The system was built by people who had intimate knowledge of security. They made large parts of the system open source, they documented their procedures and they have videos of almost every step of the process.”
But this is not enough, he concludes: the system is still susceptible to being compromised.
Halderman, a professor at the University of Michigan, is a longtime skeptic of online voting.
Back in 2010, he tested a District of Columbia pilot project aimed at allowing overseas and military voters to download and return absentee ballots over the Internet.
“It may someday be possible to build a secure method for submitting ballots over the Internet, but in the meantime, such systems should be presumed to be vulnerable based on the limitations of today’s security technology,” he wrote at the time.
After the article was published by the Guardian last Monday, the Estonian National Electoral Committee (NEC) issued a statement with a preliminary rebuttal to the researchers' critiques. Here are some of their points:
1. The researchers have not discovered any new attack vectors that had not already been accounted for in the design of our system as a whole.
2. It is not feasible to effectively conduct the described attacks to alter the results of the voting.
3. The electoral committee has numerous safeguards and failsafe mechanisms to detect attacks against the elections or manipulated results.
4. The website put up by the security researchers (estoniaevoting.org) contains numerous factual and detail errors, and does not provide technical details on the alleged vulnerabilities in our system.
The NEC also argues that the system has been used in six elections “without a single incident which have influenced the outcome.”
The subsequent response of the researchers points out that there is no way to prove that there has been no interference because of the flaws of the system: “Our research argues that a well resourced attacker, such as a nation-state like Russia, would be able to undetectably steal votes in an election using the Estonian e-voting system. We maintain that the Election Committee cannot, by virtue of the failings in the systems used, irrefutably prove that the six elections thus far conducted were never influenced nor could they prove that for elections using the system in the future based on the current design.”
Security Flaws and Critical Questions Not Asked
This is not the first time that doubts about the security of the Estonian voting system have been raised.
In a 2011 report on Estonian national elections, the Organization for Security and Co-operation in Europe (OSCE) concluded that several parts of the voting process, from software testing to data storing, were exposed to manipulations.
“As in previous elections, and despite the recommendation made by the OSCE/ODIHR in 2007, the time of casting a vote was recorded in a log file by the vote storage server along with the personal identification code of the voter,” the report says. “This could potentially allow checking whether the voter re-cast his/her Internet vote, thus circumventing the safeguards in place to protect the freedom of the vote.”
The software test raised more concerns. According to the report, the NEC carried out a test of the software without formal reporting. The report explains that “the Cyber Defence League (CDL) conducted an exercise in January 2011 to test the software under given threat scenarios, and produced a report for the NEC that was made available to observers but not to the public. […] In a parallel process, a programmer, who was contracted by the NEC, verified the software code. The identity of the programmer and his report to the NEC was kept secret. It was not made available to the OSCE/ODIHR EAM, other observers or political parties.”
While the entire electoral process was conducted in a collaborative environment and no particular issues were detected, the OSCE report expressed concerns that this led to an environment “where critical questions were no longer asked and where detailed protocols of proceedings were too rarely part of the process.”
Another risk is that online elections can't be audited effectively because there's no paper trail, says Margaret MacAlpine, the Post-Election Audit Advisor featured in the video about independent researchers analyzing the voting system.
She later advised the Estonian government to keep working on their excellent e-government system but to take the online voting out of it.
Another round of analysis and counterarguments will likely come after the European elections.
“In my assessment, no country in the world today can do Internet voting safely,” concludes Halderman in the video. “It's going to be a decade, if ever, before we're able to solve some of the central security problems at stake.”
Personal Democracy Media is grateful to the Omidyar Network and the UN Foundation for their generous support of techPresident's WeGov section.