Category: voting

On Saturday 10th May we (the Independent Team) informed key stakeholders in Estonia that we would be reporting our findings the coming Monday. We contacted the Estonian Elections Committee, other officials and agencies as well as media. We did this impartially and openly to avoid being seen to favour any one political party or media source.

Late on Sunday 11th May we launched our website summarising the findings and supporting them with photos and videos.

On Monday 12th May we held a press conference – to which there had been an open invitation – to present our findings and answer questions from anyone who wanted to. That day a first response to our work was posted by the Estonian Electronic Voting Committee’s Facebook page, to which we responded.

On Tuesday 13th May we met privately with members of the Estonian Electronic Voting Committee (which is part of the overall Elections Committee).  There we talked through our findings and shared technical details of issues and vulnerabilities that will not be published until the current elections are over. We also assured them that we would not publish any demonstration code until after the election, and would not interact with the live voting system if they chose to proceed with using it for the European Parliamentary elections. They confirmed they would proceed with using their system. I was particularly surprised when the Electronic Voting Committee members said they could think of no circumstances in which they wouldn’t proceed with using their system.

The same day the Elections Committee published a lengthy response to The Guardian’s reporting of our findings. We responded in full here.

Since Monday we have had significant interest from a range of people in Estonia’s tech industry who we have met or corresponded with. We have also seen local and international media reporting on our findings.

Sadly, despite repeated requests, we have not been able to meet with representatives of the Estonian government nor the key Parliamentary committees with oversight on these issues. The Estonian Prime Minister and President have used the media (and social media) to dismiss our work and suggest we are working to favour one political party over another in Estonia. That simply isn’t true, such a response would appear to be a case of trying to shoot the messenger rather than hear some uncomfortable truths.

On Saturday 17th May we published the detailed technical analysis report to expand on and support the findings we had published a week earlier. The paper has also been submitted to an academic conference.

• Read the full technical report
• Listen to or watch the Press Conference

I have been pleased to see such widespread discussion of our findings. However some have sought to shut down the debate by seeking to query our independence and integrity. These claims have no truth and team members have a strong record of examining the security of e-voting systems around the world without any fear or favour for political parties of any type.

Some have suggested that Estonia is uniquely able to deliver secure online voting because of their universal ID smartcards and cyberwar protections. They would argue that no other country than Estonia has the infrastructure to use online voting. Whilst I agree that Estonia has a highly developed online infrastructure, which is incredibly exciting for e-government applications, even that isn’t enough for the uniquely difficult problem of online voting.

The debate is for Estonian citizens to have now with input from the EU and NATO where they have obligations as a member-state. If I was an Estonian I would be voting on paper but happily making use of their online services for tax, health and more.

Originally posted on the Open Rights Group Blog.

In my capacity as an ORG Advisory Council member I’ve been working with an independent team of election observers researching the Internet voting systems used by Estonia. Why should anyone in the UK be interested in this?

Two reasons: Firstly Estonia is regularly held up as a model of e-government and e-voting that many countries, including the UK, wish to emulate. Secondly, after years of e-voting being off the UK agenda (thanks in part to ORG’s previous work in this area), the chair of the Electoral Commission recently put the idea of e-voting for British elections back in play.

Before our or any other government leaps to copy the Estonian model, our team wanted to better understand the strengths and weaknesses of the Estonian system. So several of us monitored the internet voting in operation for Estonia’s October 2013 municipal elections as official observers accredited the Estonian National Election Committee. Subsequently the team used the openly published source code and procedures for the Estonian system to build a replica in a lab environment at the University of Michigan. This enabled detailed analysis and research to be undertaken on the replica of the real system.

Despite being built on their impressive national ID smartcard infrastructure, we were able to find very significant flaws in the Estonian internet voting system, which they call “I-voting”. There were several serious problems identified:

Obsolete threat model

The Estonian system uses a security architecture that may have been adequate when the system was introduced a decade ago, but it is now dangerously out of date. Since the time the system was designed, state-level cyberattacks have become a very real threat. Recent attacks by China against U.S. companies, by the U.S. against Iran, and by the U.K. against European telecoms demonstrate the proliferation and sophistication of state-level attackers. Estonia itself suffered massive denial-of-service attacks in 2007 attributed to Russia.

Estonia’s system places extreme trust in election servers and voters’ computers — all easy targets for a foreign power. The report demonstrates multiple ways that today’s state-level attackers could exploit the Estonian system to change votes, compromise the secret ballot, disrupt elections, or cast doubt on the fairness of results.

Abundant lapses in operational security and procedures

Observation of the way the I-voting system was operated by election staff highlighted a lack of adequate procedures for both daily operations and handling anomalies. This creates opportunities for attacks and errors to occur and makes it difficult for auditors to determine whether correct actions were taken.

Close inspection of videos published by election officials reveals numerous lapses in the most basic security practices. They appear to show the workers downloading essential software over unsecured Internet connections, typing secret passwords and PINs in full view of the camera, and preparing election software for distribution to the public on insecure personal computers, among other examples. These actions indicate a dangerously inadequate level of professionalism in security administration that leaves the whole system open to attack and manipulation.

Serious vulnerabilities demonstrated

The authors reproduced the e-voting system in their laboratory using the published source code and client software. They then attempted to attack it, playing the role of a foreign power (or a well resourced candidate willing to pay a criminal organization to ensure they win). The team found that the Estonian I-voting system is vulnerable to a range of attacks that could undetectably alter election results. They constructed detailed demonstration attacks for two such examples:

Server-side attacks: Malware that rigs the vote count

The e-voting system places complete trust in the server that counts the votes at the end of the election process. Votes are decrypted and counted entirely within the unobservable “black box” of the counting server. This creates an opportunity for an attacker who compromises this server to modify the results of the vote counting.

The researchers demonstrated that they can infect the counting server with vote-stealing malware. In this attack, a state-level attacker or a dishonest election official inserts a stealthy form of infectious code onto a computer used in the pre-election setup process. The infection spreads via software DVDs used to install the operating systems on all the election servers. This code ensures that the basic checks used to ensure the integrity of the software would still appear to pass, despite the software having been modified. The attack’s modifications would replace the results of the vote decryption process with the attacker’s preferred set of votes, thus silently changing the results of the election to their preferred outcome.

Client-side attacks: A bot that overwrites your vote

Client-side attacks have been proposed in the past, but the team found that constructing fully functional client-side attacks is alarmingly straightforward. Although Estonia uses many security safeguards — including encrypted web sites, security chips in national ID cards, and smartphone-based vote confirmation — all of these checks can be bypassed by a realistic attacker.

A voter’s home or work computer is attacked by infecting it with malware, as millions of computers are every year. This malicious software could be delivered by pre-existing infections (botnets) or by compromising the voting client before it is downloaded by voters by exploiting operational security lapses. The attacker’s  software would be able to observe a citizen voting then could silently steal the PIN codes required to use the voter’s ID card. The next time the citizen inserts the ID card — say, to access their bank account — the malware can use the stolen PINs to cast a replacement vote for the attacker’s preferred candidate. This attack could be replicated across tens of thousands of computers. Preparation could being well in advance of the election starting by using a replica of the I-voting system, as the team did for their tests.

Insufficient transparency to establish trust in election outcomes

Despite positive gestures towards transparency — such as releasing portions of the software as open source and posting many hours of videos documenting the configuration and tabulation steps — Estonia’s system fails to provide compelling proof that election outcomes are correct. Critical steps occur off camera, and potentially vulnerable portions of the software are not available for public inspection. (Though making source code openly available is not sufficient to protect the software from flaws and attacks.) Many potential vulnerabilities and forms of attack would be impossible to detect based on the information provided to the public. So while the researchers applaud attempts at transparency, ultimately too much of how the I-voting system operates is invisible for it to be able to convince skeptical voters or candidates in the outcomes.

To illustrate this point, the team filmed themselves carrying out exactly the same procedural steps that real election officials show innearly 24 hours of videos from the 2013 elections. However, due to the presence of malware injected by the team before the recordings started, their count produces a dishonest result.

Recommendation: E-voting should be withdrawn

After studying other e-voting systems around the world, the team was particularly alarmed by the Estonian I-voting system. It has serious design weaknesses that are exacerbated by weak operational management. It has been built on assumptions which are outdated and do not reflect the contemporary reality of state-level attacks and sophisticated cybercrime. These problems stem from fundamental architectural problems that cannot be resolved with quick fixes or interim steps.

While we believe e-government has many promising uses, the Estonian I-voting system carries grave risks — elections could be stolen, disrupted, or cast into disrepute. In light of these problems, our urgent recommendation is that to maintain the integrity of the Estonian electoral process, use of the Estonian I-voting system should be immediately discontinued.

Our work shows that despite a decade of experience and advanced e-government infrastructure Estonia are unable to provide a secure e-voting system. So we believe other countries including the UK should learn from this that voting is a uniquely challenging system to provide online whilst maintaining the fundamental requirements of fair elections: secrecy of the vote, security and accuracy. The significant costs of attempting to build such a system would be better directed at other forms of e-government which can provide greater and more reliable benefits for citizens without risking the sanctity of elections.

Read and watch more about this work at https://estoniaevoting.org

PRESS CONFERENCE 12th May 2014 11:00am — Hotel Metropol, Tallinn

International Team of Independent Election Observers to deliver report on Estonian Internet Voting System

TALLINN, Estonia — An international team of independent experts will deliver their findings on the security of the Estonian E-Voting System this Monday.

This team of renowned experts on computer security and voting systems observed the use of Internet Voting in the 2013 Estonian municipal elections. Ahead of the 2014 European Elections, which plan to use the same internet voting system in Estonia, the International experts will introduce a report in which they explain their observations from 2013 and the results of their security analysis. Their analysis has identified serious flaws in the systems and processes used in Estonian internet voting.

The entire team will be at the press conference and available for interview afterwards to present and discuss their findings.

NOTES FOR EDITORS

For queries contact Jason Kitcat on jason@jasonkitcat.com or +44 7956 886 508

* The Press conference will be in the Hotel Metropol, Roseni 13, 10111 Tallinn, Estonia at 11am on Monday 12th May 2014. The press conference will be in English.

* The report and associated information will be later available from https://estoniaevoting.org

* The team who produced the report and who will be present at the press conference are:
J. Alex Halderman, University of Michigan
Harri Hursti, Independent Security Researcher
Jason Kitcat, Open Rights Group
Maggie MacAlpine, Post-Election Audit Advisor
Travis Finkenauer, University of Michigan
Drew Springall, University of Michigan

ENDS.