Keeping Elections Safe: The Estonian Example
Published on July 17th, 2020 for College Green Group.
Sophia G. is Head of Research at College Green Group and Resident Blogger covering all sections of the business.
Electronic voting, or the use of electronic means to record, process or tally votes, is becoming more widespread, with almost all election systems having some electronic components. In 2005 Estonia introduced the first national remote Internet voting system in the world: the I-Voting system.
How The Estonian I-Voting System Works
Anonymous voting has a central contradiction: individual votes must be entirely anonymous, yet we have to make sure that only those who have the right to vote can do so.
The I-Voting system has four main components. First, the I-Voting Client Application is used by voters to cast their votes, usually on their own devices. This data is then sent securely to the Vote Forwarding Server, which is responsible for authenticating voters and then forwarding the votes to the Vote Storage Server. The Vote Storage Server stores all the votes that have been cast, checks and removes concealed votes, and separates the voter identity from the actual vote, retaining voter privacy. Finally, the Vote Counting Application, an offline and air-gapped server, is loaded with the valid votes, which are then decrypted with a private key possessed by members of the National Election Committee. The Vote Counting Application then tabulates the votes and outputs the results.
An additional benefit is that the separate verification and count servers ensure that a person can change their vote before the deadline, and that only the final vote is counted.
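To make that flow concrete, here is an added Python model of the four components and of the re-voting rule; it is not code from the I-Voting system itself. The cryptography is replaced with toy stand-ins (an HMAC for the voter's signature, a keyed XOR stream for the election encryption), and the voter roll, names and choices are constructed.

```python
import hashlib
import hmac
import os
from collections import Counter

# Stand-in primitives, NOT the real I-Voting cryptography: the voter's digital
# signature is modelled as an HMAC with a per-voter secret and the election's
# public-key encryption as a keyed XOR stream (so the key appears on both sides,
# unlike the real system where the client only holds the public half). Only the
# separation of duties between the four components is what this demonstrates.
ELECTION_KEY = os.urandom(32)                                   # counting side only
VOTER_ROLL = {"alice": os.urandom(32), "bob": os.urandom(32)}  # constructed roll

def stream_xor(key, data):
    pad = hashlib.sha256(key).digest() * (len(data) // 32 + 1)
    return bytes(a ^ b for a, b in zip(data, pad))

def sign(secret, msg):
    return hmac.new(secret, msg, "sha256").digest()

def client_cast(voter_id, secret, choice, seq):
    """I-Voting Client: inner envelope = encrypted choice, outer = voter signature."""
    inner = stream_xor(ELECTION_KEY, choice.encode())
    return {"voter": voter_id, "seq": seq, "inner": inner, "sig": sign(secret, inner)}

def vote_forwarding_server(envelopes):
    """Authenticates voters: only a valid signature from someone on the roll passes."""
    accepted = []
    for env in envelopes:
        secret = VOTER_ROLL.get(env["voter"])
        if secret and hmac.compare_digest(env["sig"], sign(secret, env["inner"])):
            accepted.append(env)
    return accepted

def vote_storage_server(accepted):
    """Keeps each voter's latest vote (earlier ones are cancelled), then strips identity."""
    latest = {}
    for env in accepted:
        if env["voter"] not in latest or env["seq"] > latest[env["voter"]]["seq"]:
            latest[env["voter"]] = env
    return [env["inner"] for env in latest.values()]  # voter identity removed here

def vote_counting_application(inners):
    """Offline count: decrypt the anonymised inner envelopes and tally them."""
    return Counter(stream_xor(ELECTION_KEY, c).decode() for c in inners)

def run_election(events):
    """events: (voter_id, signing secret, choice) in casting order; returns (tally, rejected)."""
    envelopes = [client_cast(v, s, c, i) for i, (v, s, c) in enumerate(events)]
    accepted = vote_forwarding_server(envelopes)
    tally = vote_counting_application(vote_storage_server(accepted))
    return tally, len(envelopes) - len(accepted)
```

Run it with a voter who re-votes, one who is not on the roll, and one envelope signed with the wrong key to see that only the final vote of each eligible voter reaches the count.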
Procedural Controls, Operational Controls and Transparency Measures
The original e-voting system was created to be as secure as possible, but what makes the Estonian system unique is that, in addition to security protocols, it also has a strong procedural system. Procedural controls were found to be fundamentally important to the design of the I-Voting system; these mechanisms go a long way toward preventing cyber attacks.
One of the procedures ensures that two individuals serve as auditors who observe key processes, such as when the server key is being generated. Since this key is central to making sure the election is secure, the observer system reduces the potential for malicious attacks and human error. In addition, unlike the UK, there are also very clear mechanisms for contesting the validity of a vote or making a complaint if malicious actions are suspected. Election complaints can make it to the Estonian Supreme Court within three days. If you compare this to the 2018 North Carolina midterms, which have taken over a month to verify, having this process makes a huge difference.
Crucial procedures are clearly documented, but some situations seem to be addressed in somewhat informal ways that rely too heavily on the knowledge of particular officials, according to Oxford researchers. While it is very good to have a core set of professionals to rely on, the extent to which there are formalised procedures for staff training and planning for future knowledge sharing is unclear.
Operational controls seemed to be generally effective. There remains a concern about the system’s ability to resist the increasing potential for more sophisticated attacks. With time, attackers will become stronger, and the system will need to be updated constantly to accommodate this concern. However, the human voter is the most vulnerable link in the I-Voting system, and many things can happen to a voter’s computer. Nevertheless, a large-scale attack affecting voters’ machines is considered highly unlikely by the National Election Committee.
The system’s transparency measures have been effective at increasing confidence and trust in the I-Voting system, though challenges still exist when it comes to the difficulty of running voter awareness campaigns and increasing voter usage of the transparency measures. However, these issues are already known to election officials and committees, so it should be possible to take measures to improve the system, which would definitely aid in building voter confidence. Another issue is that observers often do not fully understand the voting system, and the two-day course on technical details for observers, which the electoral committee is obliged to offer, has very low attendance. However, there are also very good transparency measures, like the filming of critical processes, with some of the videos being released for public consumption following the election.
Assessment and Conclusions
A report produced in 2010 by the Estonian National Electoral Committee concluded with the opinion that the security of the I-Voting System exceeds the security of conventional voting with ballot papers. However, some observers have raised concerns about procedural and technical predicaments, including the possibility of infecting a voter's PC and changing their vote, and the lack of end-to-end verification and forensic audit trails in the system. Additionally, Marco Prandini and Marco Ramelli concluded that no e-voting system is ready to be implemented on a large scale quite yet.
So what can we learn from Estonia’s I-Voting system? The system is flawed in certain aspects of its security and probably not ready for use outside of Estonia. However, the I-Voting system is evidence that Internet voting is possible and, with some tweaks and changes, can be used for small-scale elections. Moreover, the I-Voting system procedures are perhaps the best foundation that exists for others to build on when it comes to procedures, transparency and operational controls.