What, US Worry?: Estonia, like Connecticut, wrestles with Internet Voting

One city, Tallinn, Estonia, holds a conference on the risks of Internet voting, under apparent national and at least some media opposition to recognizing security concerns

Yesterday, July 20, the City of Tallinn bolstered its drive to bar the nation’s much-touted e-voting system from local elections, holding a press conference where prominent US computer scientist Barbara Simons said that such systems are inherently vulnerable.

The University of California, Berkeley PhD and former Association for Computing Machinery president spoke about risks such as malware, attacks on the server managing the election, insider threats and false websites.

Speaking in general terms, not about Estonia’s system in particular, she said that the nature of e-voting makes it impossible to audit or recount the votes. She also warned of the possibility of software viruses or worms that could infect a computer, casting votes without the user’s knowledge.

Along with the technical information gleaned from Simons’s presentation, those present at the press conference were also able to gain a clear sense of the agenda behind the event.

The conference was conducted in a tightly-controlled manner, ending as journalists were cut off after only three questions. A 158-page book entitled “Today’s Internet is Not Ready for E-Voting,” produced by the City Council, was also distributed to those in attendance.

Was there an “agenda behind the event” or behind the article?

Counter Arguments

Tarvi Martens, architect of the nation’s e-voting system and a key figure in the Estonian IT and infosecurity field, shrugged off the US expert’s claims.

“Her story is nothing new,” he told ERR radio. All of the risks that Simons brought up, he said, are well-known and have been taken into account.

Martens said that experiments have been run with hackers hired to attempt to crack Estonia’s voting system. “Tests have been conducted repeatedly. Only low-level problems were found and these were addressed. No one has managed to ruin anything,” he said.

If something should happen, he added, there is a backup plan. “If an attack takes place, then we have a legal basis to annul the results of e-voting […] Electronic elections have already been held five times [in Estonia] and nothing happened. Everything works correctly,” said Martens…

Earlier this year, questions were raised about the system when a student claimed to have found a flaw that would theoretically allow a virus to block candidates from appearing on an affected voter’s ballot screen…

In May a report by the Office of Security and Cooperation in Europe (OSCE) gave the country’s internet voting system an overall clean bill of health, but cited a number of technical and procedural holes that they recommended plugging. Parliament later set up a working group to address the issues.

Let us look at that OSCE report and the ‘overall clean bill of health’ and ‘technical and procedural holes’ to plug:

Most actors involved in the Internet voting process had been involved in the past elections and collaborated very efficiently. However, the OSCE/ODIHR EAM was concerned that this led to an environment where critical questions were no longer asked and where detailed protocols of proceedings were too rarely part of the process.

The OSCE/ODIHR recommends that the NEC builds its own in-house IT expertise and capabilities on Internet voting and retains detailed written records at all stages of the Internet voting process…

In a parallel process, a [single] programmer, who was contracted by the NEC, verified the software code. The identity of the programmer and his report to the NEC was kept secret. It was not made available to the OSCE/ODIHR EAM, other observers or political parties…

Testing is a crucial exercise to find any deficiencies in the system. The NEC made a substantial effort to test various components of the Internet voting, including by members of the public. However, reporting on the performed tests was often informal or kept secret.

The OSCE/ODIHR recommends that the NEC issues formal reports on testing of the Internet voting system and publishes them on its website in order to further increase transparency and verifiability of the process.

The OSCE/ODIHR EAM was informed that the project manager was able to update the software of the Internet voting system until right before the elections started, and without a formal consent of the NEC. This was done without any formal procedure or documented acceptance of the software source code by the NEC, which limited the information on which version of the software was ultimately used

The OSCE/ODIHR recommends that the NEC adopts formal procedures for software deployment and establishes a deadline for its updates...

As in previous elections, and despite the recommendation made by the OSCE/ODIHR in 2007, the time of casting a vote was recorded in a log file by the vote storage server along with the personal identification code of the voter. This could potentially allow checking whether the voter re-cast his/her Internet vote, thus circumventing the safeguards in place to protect the freedom of the vote...

Daily update of the voter register during the voting period as required by the Election Act was performed together with the daily backup of data. The project manager accessed the servers for daily data maintenance and backup breaking the security seals and using a data storage medium employed also for other purposes. This practice could potentially have admitted the undetected intrusion of viruses and malicious software.

It is recommended that no maintenance of the Internet voting system servers is performed from the start to the end of the Internet voting process...

During the counting, one vote was determined invalid by the vote counting application since it was cast for a candidate who was not on the list in the corresponding constituency. The project manager could not explain how this occurred – the investigation was still ongoing at the time of issuing the report.

It is recommended that a provision is introduced to provide clear criteria for determination of the validity of the votes cast via the Internet…

In addition, there are algorithms that enable universal verifiability, meaning that anyone is able to verify that the cast votes have been decrypted and counted properly. Estonia’s Internet voting system does not employ such tools. The OSCE/ODIHR EAM was given the explanation that this was due to concern that enabling verifiability might confuse voters.

The OSCE/ODIHR EAM was made aware of a program that could, if it was running on a voter’s computer, change the vote without the possibility for the voter to detect it. The case was brought to the attention of the project manager who assessed this threat to be theoretically plausible but nearly impossible to implement in reality. The author of the program filed a petition with the NEC that was dismissed and subsequently appealed to the Supreme Court. The introduction of an opportunity for the voter to verify that his/her vote was cast and recorded as intended would mitigate that risk.

The OSCE/ODIHR recommends that the NEC forms an inclusive working group to consider the use of a verifiable Internet voting scheme or an equally reliable mechanism for the voter to check whether or not his/her vote was changed by malicious software...

The 2004 Council of Europe (CoE) Recommendation on electronic voting and the CoE recent guideline on certification recommend that technical requirements are established and that its components are tested for their compliance with these requirements. The NEC made comprehensive and commendable efforts to test the Internet voting system, including by members of the public. However, this testing was not preceded by the establishment of comprehensive technical requirements and was only overseen by the Internet voting project manager, who also administered the necessary amendments. The NEC decided, as in 2007, not to have the Internet voting system certified by an independent third party.

The OSCE/ODIHR recommends delegating the responsibility for certification of the Internet voting system to an independent public body that would evaluate and then digitally sign the final version of the Internet voting software and publish a public evaluation report…

The NEC contracted an auditor to assess compliance of the Internet voting with technical, legal and procedural requirements. The NEC considered that the audit ensures the necessary accountability of the system which makes formal certification unnecessary.

KPMG Baltic was contracted by the NEC, after a public tender, to check the compliance of the NEC actions with an operation manual. The only obligation specified in the contract was that KPMG had to be present at the execution of procedures and check that they were followed in accordance with the manual. The OSCE/ODIHR EAM observed that both the auditor and the NEC only occasionally made detailed notes about deviations from the manual, thus limiting the opportunities for follow up on possible shortcomings.

The operation manual for the Internet voting comprised a number of separate documents that were originally written by the software vendor and were later updated by the project manager. The NEC published these documents on its website, but did not organize any review or a formal acceptance procedure for them.

It is recommended that an operation manual is consolidated in a single comprehensive document and describes all Internet voting procedures…

The OSCE/ODIHR recommends that an independent public body is appointed to perform a compliance audit of the whole Internet voting process with a consolidated operation manual

While publicly-available documentation covers most stages of the Internet voting in a detailed manner, it is not presented in a way that makes it readily comprehensible to all interested actors. Similarly, the OSCE/ODIHR EAM notes that a substantial knowledge of IT was necessary for observers to follow the training sessions.

The OSCE/ODIHR recommends that further measures are taken to enhance the transparency of the Internet voting process, possibly through providing additional materials and training that are readily comprehensible by all interested actors and the public even without special knowledge of IT.

Hardly what we would call a clean bill of health.

There is some good news amidst the government huffing and puffing: a city is fighting for election integrity, and the OSCE report was created and is so thorough.

Sadly, Estonia is the last place we would expect to dismiss as unrealistic the real threats to government internet facilities.

Perhaps Connecticut will learn more from all this than Estonia has, before it is too late to actually implement risky, expensive online voting. The Constitution State could be the Tallinn of America.

