No hack detected does not mean unhackable

USA Today recently reported that Estonia has passed legislation to allow for mobile phone voting in its 2011 parliamentary elections. This is a very worrying development, as Estonia’s previous electronic elections lacked proper scrutiny in my view.


The article quotes officials who ‘dismissed security concerns’ and stated that the 2007 elections ‘proved secure despite worries’. Nothing was proved secure; nobody was provably caught hacking. That does not mean that the system wasn’t or can’t be hacked. What it means is that either the attack was undetectable or no holes were exploited that time around.


Every system has vulnerabilities; these can be managed, fortified and monitored. When people claim absolute security, they either don’t know what they are doing or they are being dishonest. Neither is what you want in people running elections.



UPDATE: Dan Wallach has a good, more technical critique of this news in Estonia.