Estonia has just completed a nationally available, legally binding online election and the media are causing a fuss. My head’s in a twist because I just wrote a great post on this topic before BBEdit crashed, losing the post – BBEdit never crashes.
Anyway, let’s try and get this back from memory… The BBC did a pre-election article and Associated Press did a post-election article where they quoted me fairly accurately.
This sums it up:
He acknowledged that Estonia’s system was the most secure to date, but said no system was “good enough for a politically binding election.”
Yep, it’s a pretty good system, as far as I can tell. The Estonian National Election Committee has published the rather good General Description of the E-Voting System. With a small population of 1.4 million and PKI-based smartcards, authentication is not the problem it is in many other countries, so I can skip that. (Though if anyone has any info on copied Estonian ID cards being found, that would be interesting.)
Essentially voters cast their vote online through a Java or ActiveX applet which encrypts the chosen candidate with the vote-counter’s public key. The voter then signs the vote with the private key on their smart ID card. The votes need to be traceable, via the voter’s signature, as citizens are allowed to vote multiple times online and offline. Once the election closes and invalid ballots are removed, the voters’ signatures are removed from the votes and the encrypted votes are physically passed to a counting machine that is off all networks. On this machine the private key of the vote counter is used to decrypt the votes before counting.
Of course, once the digital signatures are off the votes their uniqueness and authenticity cannot be verified. Potentially, unsigned votes could be swapped, added to or removed. I hope they add some unique number (like a timestamp) to the vote (which is otherwise purely a candidate number), as their logging works on the basis of hash(vote), but of course two instances of hash(candidate 198) would be identical. The terminology in the document is a little unclear; perhaps the logs use the hash of the signed and encrypted vote, or perhaps not.
The logging system is one of the best I’ve ever seen in an e-voting system (I’m still pretty proud of GNU.FREE’s logging, and there may be better logging designs cloaked in corporate secrecy). However, there is no mention of what protects the logs themselves from tampering. They all use hash(vote) as a unique identifier, so without protection of the log files one could remove votes successfully and perhaps replace them if one had the right keys. The public key for the vote-counter is embedded in the voting applet, so it could be extracted.
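To make the double-envelope flow and the log-identifier point concrete, here is an added Go sketch; it is not the Estonian system’s code (the post has none), and it assumes ed25519 as a stand-in for the ID-card key and RSA-OAEP for the applet’s encryption. It shows why hashing the encrypted vote gives a unique log ID where hash(candidate) would not, and why nothing authenticates a ciphertext once the signature is stripped.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
	"errors"
)

// SignedBallot is the double envelope: candidate encrypted to the vote counter
// (inner), signed by the voter (outer). Constructed stand-in, not the real scheme.
type SignedBallot struct{ Voter ed25519.PublicKey; Ciphertext, Signature []byte }

// CastVote mimics the applet: OAEP encryption is randomised, so two votes for
// candidate 198 yield different ciphertexts; the voter then signs the ciphertext.
func CastVote(counter *rsa.PublicKey, pub ed25519.PublicKey, priv ed25519.PrivateKey, candidate string) (SignedBallot, error) {
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, counter, []byte(candidate), nil)
	if err != nil { return SignedBallot{}, err }
	return SignedBallot{pub, ct, ed25519.Sign(priv, ct)}, nil
}

// LogID hashes the encrypted vote (unique per ballot), unlike hash(candidate).
func LogID(b SignedBallot) string { s := sha256.Sum256(b.Ciphertext); return hex.EncodeToString(s[:]) }

// Anonymise is the post-close step: verify each outer envelope, then strip it,
// leaving only encrypted inner envelopes for the air-gapped counting machine.
func Anonymise(ballots []SignedBallot) ([][]byte, error) {
	inner := make([][]byte, 0, len(ballots))
	for _, b := range ballots {
		if !ed25519.Verify(b.Voter, b.Ciphertext, b.Signature) { return nil, errors.New("invalid voter signature") }
		inner = append(inner, b.Ciphertext)
	}
	return inner, nil
}

// Tally runs offline. Nothing is left to authenticate here: any ciphertext made
// with the counter's public key (shipped inside the applet) decrypts and counts.
func Tally(counter *rsa.PrivateKey, inner [][]byte) (map[string]int, error) {
	tally := map[string]int{}
	for _, ct := range inner {
		pt, err := rsa.DecryptOAEP(sha256.New(), nil, counter, ct, nil)
		if err != nil { return nil, err }
		tally[string(pt)]++
	}
	return tally, nil
}
```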
There is no voter verifiability. The system could potentially allow a basic level of post-count checking, but it doesn’t currently. Once the voter has clicked to send their vote and received an acknowledgement back, that’s it. There’s no way to check the vote was stored as intended and no way to be sure it was counted. That’s disappointing, but perhaps not surprising in a country which is culturally less cynical about the government’s motivations.
The following requirement ensures that the privacy of e-voters is maintained: at no point should any party of the system be in possession of both the digitally signed e-vote and the private key of the system.
There are many ‘coulds’ and ‘woulds’ in the general description document I’m using to explore the Estonian system. So, for example, they suggest splitting the private vote-counter key to reduce the possibility of compromise, but it reads more as a suggestion than as what actually happens. Without knowing Estonian I can’t get more detail to find out what really happens. Certainly the above quote shows that they recognise a primary vulnerability in their system, and whilst splitting the key could help, they also suggest having multiple keys because if they lose or corrupt the only one they can’t count the votes. Uh-oh.
Conclusion
Kudos to the Estonians for publishing accessible and detailed documents in English. They totally get this whole open government thing. For the size of the country, its technological outlook and the low likelihood that anybody major (e.g. a superpower) would want to mess with their elections, the system is OK.
Considering how much time I spend talking to journalists, I often wonder which bit they’re going to choose to print (if anything!) so I’m glad my best argument was included:
“The benefits [of e-voting] don’t come anywhere near the risks,” said Jason Kitcat (…) “It’s a waste of money and a waste of government energy.”
With AP reporting less than 1% of registered voters using the e-voting system, I think that once the publicity dies down, reality will set in. The system doesn’t offer the turnout boost hoped for, and with such small numbers using it there aren’t cost savings to be had. In fact, with voters still allowed to go for a paper ballot after e-voting, as protection against vote buying and coercion, new levels of election complexity are going to be more costly. These facts will be hard to avoid and, like most other places, e-voting will quietly die away.