One city, Tallinn, Estonia, holds a conference on the risks of Internet voting, in the face of apparent national opposition, and at least some media opposition, to recognizing security concerns.
Yesterday, July 20, the City of Tallinn bolstered its drive to bar the nation’s much-touted e-voting system from local elections, holding a press conference where prominent US computer scientist Barbara Simons said that such systems are inherently vulnerable.
The University of California, Berkeley PhD and former Association for Computing Machinery president spoke about risks such as malware, attacks on the server managing the election, insider threats and false websites.
Speaking in general terms, not about Estonia’s system in particular, she said that the nature of e-voting makes it impossible to audit or recount the votes. She also warned of the possibility of software viruses or worms that could infect a computer, casting votes without the user’s knowledge.
Along with the technical information gleaned from Simons’s presentation, those present at the press conference were also able to gain a clear sense of the agenda behind the event.
The conference was conducted in a tightly-controlled manner, ending as journalists were cut off after only three questions. A 158-page book entitled “Today’s Internet is Not Ready for E-Voting,” produced by the City Council, was also distributed to those in attendance.
Was there an “agenda behind the event” or behind the article?
Counter Arguments
Tarvi Martens, architect of the nation’s e-voting system and a key figure in the Estonian IT and infosecurity field, shrugged off the US expert’s claims.
“Her story is nothing new,” he told ERR radio. All of the risks that Simons brought up, he said, are well-known and have been taken into account.
Martens said that experiments have been run with hackers hired to attempt to crack Estonia’s voting system. “Tests have been conducted repeatedly. Only low-level problems were found and these were addressed. No one has managed to ruin anything,” he said.
If something should happen, he added, there is a backup plan. “If an attack takes place, then we have a legal basis to annul the results of e-voting […] Electronic elections have already been held five times [in Estonia] and nothing happened. Everything works correctly,” said Martens…
Earlier this year, questions were raised about the system when a student claimed to have found a flaw that would theoretically allow a virus to block candidates from appearing on an affected voter’s ballot screen…
In May a report by the Office of Security and Cooperation in Europe (OSCE) gave the country’s internet voting system an overall clean bill of health, but cited a number of technical and procedural holes that they recommended plugging. Parliament later set up a working group to address the issues.
Let us look at that OSCE report and the ‘overall clean bill of health’ and ‘technical and procedural holes’ to plug:
Most actors involved in the Internet voting process had been involved in the past elections and collaborated very efficiently. However, the OSCE/ODIHR EAM was concerned that this led to an environment where critical questions were no longer asked and where detailed protocols of proceedings were too rarely part of the process.
The OSCE/ODIHR recommends that the NEC builds its own in-house IT expertise and capabilities on Internet voting and retains detailed written records at all stages of the Internet voting process…
In a parallel process, a [single] programmer, who was contracted by the NEC, verified the software code. The identity of the programmer and his report to the NEC was kept secret. It was not made available to the OSCE/ODIHR EAM, other observers or political parties…
Testing is a crucial exercise to find any deficiencies in the system. The NEC made a substantial effort to test various components of the Internet voting, including by members of the public. However, reporting on the performed tests was often informal or kept secret.
The OSCE/ODIHR recommends that the NEC issues formal reports on testing of the Internet voting system and publishes them on its website in order to further increase transparency and verifiability of the process.
The OSCE/ODIHR EAM was informed that the project manager was able to update the software of the Internet voting system until right before the elections started, and without a formal consent of the NEC. This was done without any formal procedure or documented acceptance of the software source code by the NEC, which limited the information on which version of the software was ultimately used…
The OSCE/ODIHR recommends that the NEC adopts formal procedures for software deployment and establishes a deadline for its updates...
As in previous elections, and despite the recommendation made by the OSCE/ODIHR in 2007, the time of casting a vote was recorded in a log file by the vote storage server along with the personal identification code of the voter. This could potentially allow checking whether the voter re-cast his/her Internet vote, thus circumventing the safeguards in place to protect the freedom of the vote...
Daily update of the voter register during the voting period as required by the Election Act was performed together with the daily backup of data. The project manager accessed the servers for daily data maintenance and backup breaking the security seals and using a data storage medium employed also for other purposes. This practice could potentially have admitted the undetected intrusion of viruses and malicious software.
It is recommended that no maintenance of the Internet voting system servers is performed from the start to the end of the Internet voting process...
During the counting, one vote was determined invalid by the vote counting application since it was cast for a candidate who was not on the list in the corresponding constituency. The project manager could not explain how this occurred – the investigation was still ongoing at the time of issuing the report.
It is recommended that a provision is introduced to provide clear criteria for determination of the validity of the votes cast via the Internet…
In addition, there are algorithms that enable universal verifiability, meaning that anyone is able to verify that the cast votes have been decrypted and counted properly. Estonia’s Internet voting system does not employ such tools. The OSCE/ODIHR EAM was given the explanation that this was due to concern that enabling verifiability might confuse voters.
The OSCE/ODIHR EAM was made aware of a program that could, if it was running on a voter’s computer, change the vote without the possibility for the voter to detect it. The case was brought to the attention of the project manager who assessed this threat to be theoretically plausible but nearly impossible to implement in reality. The author of the program filed a petition with the NEC that was dismissed and subsequently appealed to the Supreme Court. The introduction of an opportunity for the voter to verify that his/her vote was cast and recorded as intended would mitigate that risk.
The OSCE/ODIHR recommends that the NEC forms an inclusive working group to consider the use of a verifiable Internet voting scheme or an equally reliable mechanism for the voter to check whether or not his/her vote was changed by malicious software...
The 2004 Council of Europe (CoE) Recommendation on electronic voting and the CoE recent guideline on certification recommend that technical requirements are established and that its components are tested for their compliance with these requirements. The NEC made comprehensive and commendable efforts to test the Internet voting system, including by members of the public. However, this testing was not preceded by the establishment of comprehensive technical requirements and was only overseen by the Internet voting project manager, who also administered the necessary amendments. The NEC decided, as in 2007, not to have the Internet voting system certified by an independent third party.
The OSCE/ODIHR recommends delegating the responsibility for certification of the Internet voting system to an independent public body that would evaluate and then digitally sign the final version of the Internet voting software and publish a public evaluation report…
The NEC contracted an auditor to assess compliance of the Internet voting with technical, legal and procedural requirements. The NEC considered that the audit ensures the necessary accountability of the system which makes formal certification unnecessary.
KPMG Baltic was contracted by the NEC, after a public tender, to check the compliance of the NEC actions with an operation manual. The only obligation specified in the contract was that KPMG had to be present at the execution of procedures and check that they were followed in accordance with the manual. The OSCE/ODIHR EAM observed that both the auditor and the NEC only occasionally made detailed notes about deviations from the manual, thus limiting the opportunities for follow up on possible shortcomings.
The operation manual for the Internet voting comprised a number of separate documents that were originally written by the software vendor and were later updated by the project manager. The NEC published these documents on its website, but did not organize any review or a formal acceptance procedure for them.
It is recommended that an operation manual is consolidated in a single comprehensive document and describes all Internet voting procedures…
The OSCE/ODIHR recommends that an independent public body is appointed to perform a compliance audit of the whole Internet voting process with a consolidated operation manual…
While publicly-available documentation covers most stages of the Internet voting in a detailed manner, it is not presented in a way that makes it readily comprehensible to all interested actors. Similarly, the OSCE/ODIHR EAM notes that a substantial knowledge of IT was necessary for observers to follow the training sessions.
The OSCE/ODIHR recommends that further measures are taken to enhance the transparency of the Internet voting process, possibly through providing additional materials and training that are readily comprehensible by all interested actors and the public even without special knowledge of IT.
Hardly what we would call a clean bill of health.
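The report's finding that software could be updated until right before voting, leaving no record of which version ran, and its recommendation that an independent body sign the final version, come down to a release-acceptance check like the one sketched here. This is an added example, not code from the OSCE report or from Estonia's system; the file names and key are constructed, and an HMAC seal stands in for the certifier's digital signature so the sketch needs only the standard library.

```python
import hashlib, hmac, json, os, tempfile

def build_manifest(root):
    """Map each file's relative path to its SHA-256 at acceptance time."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            manifest[os.path.relpath(path, root).replace(os.sep, "/")] = digest
    return manifest

def seal(manifest, key):
    """Authenticate the manifest (HMAC here; assumption: a real certifier would sign)."""
    blob = json.dumps(manifest, sort_keys=True).encode()
    return hmac.new(key, blob, hashlib.sha256).hexdigest()

def verify_deployment(root, manifest, tag, key):
    """Report drift between the accepted manifest and the deployed files."""
    if not hmac.compare_digest(seal(manifest, key), tag):
        raise ValueError("manifest does not match the certifier's seal")
    deployed = build_manifest(root)
    return {
        "modified": sorted(p for p in manifest
                           if p in deployed and deployed[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in deployed),
        "unexpected": sorted(p for p in deployed if p not in manifest),
    }

def demo():
    key = b"constructed-demo-key"  # constructed value, not a real key
    with tempfile.TemporaryDirectory() as root:
        def write(name, body):
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(body)
        write("vote_server.py", b"v1")   # hypothetical component names
        write("counter.py", b"v1")
        manifest = build_manifest(root)  # formal acceptance of the release
        tag = seal(manifest, key)
        clean = verify_deployment(root, manifest, tag, key)
        write("counter.py", b"v2")       # undocumented late update
        write("hotfix.py", b"x")         # file that was never accepted
        os.remove(os.path.join(root, "vote_server.py"))
        drift = verify_deployment(root, manifest, tag, key)
    return clean, drift

if __name__ == "__main__":
    print(demo())
```

Run at the start of voting and again at counting, a check of this kind gives observers a written record of exactly which software version was in use.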
Some good news amidst the government huffing and puffing: a city is fighting for election integrity, and the OSCE report was created and is so thorough.
Sadly, Estonia is the last place we would expect to dismiss as unrealistic the real threats to government internet facilities.
Perhaps Connecticut will learn more from all this than Estonia has, before it is too late to actually implement risky, expensive online voting. The Constitution State could be the Tallinn of America.













