Estonian ID card vulnerability and upcoming election

On September 5, 2017 the Estonian Information Systems Authority – Riigi Infosüsteemi Ametit (RIA) reported that researchers have found a vulnerability in the Estonian digital ID card:

Possible Security Vulnerability Detected in the Estonian ID-card Chip

This is a serious issue in general, as the card is at the heart of citizen digital interactions with the government, but has particular implications for Internet voting, as the ID card is key to the functioning of the voting system, enabling amongst other features the unique Estonian ability to vote multiple times with only the last vote counting (including choosing to vote in person on election day, cancelling all previous Internet votes).

There are local government council elections coming up soon, with online voting starting in a month, running from 5 October 2017 to 11 October 2017 (online voting is only available for advance polls, not on election day).

Estonia Local Gov Council Elections 2017

above from Municipal council election 2017

According to the Is the ID-card safe? FAQ, the National Electoral Committee (Vabariigi Valimiskomisjon) will decide whether to proceed with online voting.

UPDATE 2017-09-06: In its September 6, 2017 meeting, the National Electoral Committee decided to proceed with online voting in the October elections.  Reported by – Electoral committee: Online voting in October elections still on / Valimiskomisjon: e-hääletamine toimub.  ENDUPDATE

The analysis of the ID-card vulnerability, by “[a]n international group of cryptography scientists from recognized universities” will be “published in the coming autumn at an international scientific conference” according to the ID-card safety FAQ.

UPDATE 2017-09-06: There’s more detail about the specific vulnerability, which appears to be a computationally-intensive, technically-challenging way to determine the private key from the security chip, in the Postimees article Hackers could have made digital clones / Häkkerid võinuks luua eestlastest digikloonid.  ENDUPDATE

Additional Context

Original story via Bruce Schneier – Security Flaw in Estonian National ID Card

As Estonia is the only country in the world with national Internet voting, I have written about it many times:

June 16, 2017  evaluation of Predicting the Future – online voting – Estonia
July 8, 2016 Estonian Internet voting and turnout myths
March 8, 2011 Estonian vote-counting system fails
November 11, 2004 e-voting in Estonia

For a perspective on security concerns with the Estonian system that predate the ID card issue, it is also important to read the materials on the website Independent Report on E-voting in Estonia as well as

Wales consults on electronic and Internet voting

The Government of Wales is running a consultation: Electoral reform in local government in Wales.  The consultation closes 10 October 2017.

A variety of questions are considered, but for the purposes of this blog there are three of interest:

  • Q21 electronic voting (this appears to be defined solely as paperless touch-screen voting in polling places)
  • Q22 remote voting (Internet voting)
  • Q23 electronic counting

In what I have found is fairly typical fashion, the main consultation paper (PDF) does not cite any references, and makes brief, broad, generally positive statements.  (The youth and “easy read” consultation versions in turn simplify and amplify these statements to an extreme degree.)

Responding to the Consultation

You can fill in an online form,

but in order to be able to provide more extensive comments, you may instead want to download the email response form (DOCX), complete it (or complete whichever sections are relevant to you) and send it to

Reminder that the deadline is 10 October 2017.

Q21 Electronic Voting

(page 18 in main consultation document)

This is defined solely as touch-screen voting. There is no mention of paper output, so presumably paperless touch-screen voting.

Extracts from statements + commentary

5.14. This implies the installation of equipment at polling stations (and possibly other locations) to enable touch-screen voting. …

5.15.  Electronic voting is already used widely internationally, particularly in India but also in Belgium and Estonia amongst others.

I think this is a misunderstanding of voting in Estonia.  As far as I know, Estonia doesn’t use paperless touch screens.  On voting day, voting is on paper.

There isn’t any serious examination of security risks to voting machines (voting computers), but there is the rather extraordinary assertion that electronic voting could lead to less challenging of “votes” (presumably this means fewer challenges to election results).

5.19. … there would need to be secure procedures in place to ensure the security of data being transmitted from the polling places to the central count operations. The challenging of votes could become less likely.

I, on the other hand, think paperless touch-screen voting would introduce not only high security risks, but would make challenges to election results both more likely and impossible to satisfactorily resolve (as there is no physical trail to audit).

Q22 Remote Voting (Internet Voting)

(page 19 in main consultation document)

It’s clear this means Internet voting.

Extracts from statements + commentary

5.20. This refers to a process of voting through access of the internet by an electronic device, using an individual recognition code. The use of codes of different sorts to ensure that only the intended person is accessing a system is now commonly used for purchasing, banking, voting in elections within political parties, trade unions and other organisations. Registration to vote is now routinely performed online, as is registering/taxing a motor vehicle and accessing a multitude of other public services or transactions.

Where to begin?  Voting doesn’t have the same requirements as banking; voting has much harder to satisfy requirements as the transactions have to be anonymous and aren’t reversible.  Voting is not a regular online personalised transactional service.

5.21. Remote voting was piloted in local elections at South Buckinghamshire in May 2007. Although only a minority made use of the facility, 10 years later the option is likely to be more popular. There were no particular technical difficulties but the Electoral Commission called for the pilots to be suspended – along with all others – until the system was generally more secure. There is a risk that, with registering being done remotely, fictitious voters could be created and that voting might not take place in secure environments. In addition, realistic concerns exist about cyber security, and any system needs to be as secure as possible from the dangers of hacking and manipulating votes. This must be weighed against this method becoming more and more commonplace in relation to other types of voting or completion of official forms and having likely efficiency savings. There are remote voting procedures operating in at least one European country allowing the casting of a vote more than once by the same person, with only the final vote cast before close of poll counting. This is to provide for the possibility that an elector may be subject to intimidation when voting but would take a later opportunity to vote in private.

In the list of examples that might have been chosen, South Buckinghamshire in 2007 is a rather oddly specific choice.  Plus which it’s very hard to locate those old voting trial documents online.

The usual assertion that online voting will be “popular”, without any context that online voting provably does not increase turnout.

I do like that there is at least some consideration given to security risks, but the idea that we should weigh “realistic concerns” about security against some vague notion of method popularity is odd.  One should weigh the security risks of one type of voting against the security risks of another, and optimise for voting system integrity.

While being oddly specific about South Buckinghamshire, the document is oddly vague about “at least one European country” – in fact there is only one country in the world that offers national Internet voting, Estonia, and it is only able to have multiple vote casting because it has a comprehensive nationwide system of digital ID, something which the Wales document doesn’t mention.

There is also no mention of the many countries that have had reports recommending against Internet voting (such as Canada) or countries that have withdrawn Internet voting due to security concerns (such as France).

Q23 Electronic Counting

(pages 19-20 of the main consultation document)

I don’t really have the energy to examine the electronic counting piece in detail.  Basically what you need to know about electronic counting is that you MUST audit the counts because you cannot trust the counting machines (counting computers).  Which, if you have a simple count anyway, means that you’ve generated more work and expense, not less.  Electronic counting, with audits, only makes sense if you have a complicated count, and nevertheless distances the process of the election from direct public inspection and understanding.

UK Evidence

As I have mentioned, a lot of the UK evidence from previous voting trials is now hard to locate online.  But here are some nice clear statements from the UK Office of the Deputy Prime Minister (ODPM) in Implementation of Electronic Voting in the UK Technical Options Report circa 2003 [1]

A Comparison with Other Secure Transactions

It is useful to compare voting with other online transactions for which security is needed.

The most obvious comparison is with banking. Attacking an electronic voting system is unlikely to bring the immediate financial rewards that a successful attack on the banking system would, and thus some types of well-resourced attack are less likely. However, the likelihood of well-resourced attacks is still sufficiently high to be problematic.

The consequences of a successful attack are very different with electronic voting, than with banking, though. Banks can, and do, take a financial analysis of how much loss they can stand and insure against such losses. It may be that a political decision could be taken that the loss of a certain percentage of votes is acceptable, but in the absence of such a decision, security appropriate for banking cannot be considered sufficient for electronic voting. Banks have also maintained confidence in the face of repeated losses through computer crime by covering up the cause of those losses. It is inconceivable that, in the event of a successful attack on electronic voting, such a cover-up would be acceptable to the electorate if subsequently disclosed. In a similar vein, individuals can be, and are, compensated for financial losses due to disruption/failures/hacking of online banking. It is not easy to see how there could be equivalent compensation for disruption/failures/hacking of an individual’s vote, even if somehow it was discovered which individuals were affected (which might not be possible with some sorts of disruption).

Another issue is anonymity: electronic voting differs from the aforementioned applications due to the fact that, in addition to the requirements for accuracy and privacy, there is the mandated necessity to provide … anonymity. In other words, banking applications can (in fact must) allow tracking back to the user of the system, but the [electronic voting system] must ensure that such tracking is impossible. (Mercuri, 2001, pp8-9).

Electronic voting also differs from financial transactions in that the risk that an election delayed by a few days will have a different result is unacceptably high. By contrast substantial financial transactions between two willing partners usually can be conducted a few days later if there are problems with ecommerce applications, since such transactions are rarely conducted on a whim.

The Mercuri citation above is to
Mercuri, Rebecca, 2001 Electronic Vote Tabulation: Checks and Balances PhD thesis, University of Pennsylvania.

[1] From Paper Vote Canada blog post electronic voting in the UK – technical report, September 17, 2004. As the ODPM site is no longer available, a 31 July 2003 version from the Internet Archive is linked above.

evaluation of Predicting the Future – online voting

I want to give credit to Andrew Weinreich for the first two of his three Predicting the Future online voting podcasts.

Episode 7 (Online Voting episode 1): Can online voting defeat the broken Electoral College?

Episode 8 (Online Voting episode 2): Hacking elections, DDoS attacks, and online voting around the world

What I liked is that he gives people time and space to talk, in particular in episode 8 there is lots of time given to Dan Wallach, enabling Dr. Wallach to clearly articulate his positions around online voting.  As well, David Dill has an opportunity to provide his position.

(Both Dr. Wallach and Dr. Dill are on my list of Internet voting computer security experts.)

You can listen to this podcast and learn a lot about the computer science perspective, which isn’t often the case.  (In a similar vein of presenting computer science expertise well, consider Reveal’s podcast Internet voting is a bad idea.)

You know there’s a “but” coming, right…

Expert Assessment of Risk

Where things run into problems in the Predicting the Future podcast, particularly in episode 8 about hacking elections, are in the weighing of risk and in the summation of the computer science expertise.

I have seen similar disconnects in discussions about municipal online voting.  Basically what happens is the computer scientist says there are risks, and the counter-argument that is presented is that there are also benefits, but this misunderstands scientific communication.

What the computer scientists are saying is not that there are risks (everything has risks) but that it is not possible with current technology to adequately mitigate those risks.   Basically this is a problem of estimative language, and it’s why national security agencies have entire systems to describe what they mean when they say something.

Here’s an example of estimative language from the Canadian Communications Security Establishment (Annex A of Cyber Threats to Canada’s Democratic Process).

CSE Annex A Estimative Language

You can see similar language in Annex B of US Intelligence report ICA 2017-01D.

What computer scientists are saying is that compromise of online voting is Very Likely, and that there is no way to mitigate the risk below Very Likely.

There is simply no benefit that outweighs an 80% or more possibility that your election results can be hacked.  And that would be even if Internet voting were implemented with all possible best practices, but the evidence is it almost certainly wouldn’t be.  There have been examples time and again of election technology security falling somewhere between lax and incompetent.

Sometimes I cite this language from the Utah iVote Advisory Committee Final Report (April 2015):

Given that sufficiently secure Internet voting systems do not yet exist, they would need to be built.
Of course, some systems, like a stone bridge to the moon, are impossible to build. Others, like a stone bridge to Hawaii, are so exorbitantly expensive as to remain a fool’s errand.

which is to say, there are some things that are either currently not possible or beyond the realm of affordability.  This is based on expert assessments.  You may not want to believe the assessments, but that doesn’t make them untrue.  Sometimes truth is inconvenient.

We are talking about adding a lot of additional security risks, unnecessarily

Security threats not found in current Canadian federal paper election system
(above from Table 1: Security threats to elections not found with in-person, hand-counted paper voting in Canadian online voting report, citing Dr. Essex)

Political System Issues and Turnout

Fundamentally, the goal of the podcast is to explore turnout.  But only from a technology lens.  Which is, basically, solutionism.  Technology is not always a solution, and it’s definitely not always the best solution.

I am ill-placed to comment on turnout in the United States, but there are two lenses one could apply.  One is process design.  For this I look to The epic journey of American voters.

Fix the process burdens described in the Center for Civic Design’s report, and a big part of voting will have improved.

Just as one example, in many countries, the state actively tries to ensure that voters are registered.  For Canadian federal elections, they used to literally go door to door to ensure people were registered, in a process called enumeration.  Now, checking a single box on your Canadian federal tax return ensures you’re registered to vote.

The second lens is what I would call voting constraints.  The US elections are not an unconstrained system in which the only thing preventing voting is convenience.  There are two significant constraints imposed that could be addressed through a combination of technological and political measures: one is the (to non-Americans) absurd level of gerrymandering of districts (enabled to a large part by what one could consider misuse of technology in order to microtarget the district designs) and the other is the deliberate attempts to suppress turnout through various measures (an evolution of the Jim Crow era, in which there were constraints like voting literacy tests).

If you want to talk cost/benefit, then fixing the process, removing gerrymandering and eliminating voter suppression would be (in my non-American opinion) far more impactful than online voting.  Make sure you’re solving the important problems, not just the technologically interesting ones.

So there are real problems, and real solutions.

Now let’s come to turnout.  Turnout is very complex.  It depends on lots of factors including the issues, the candidates, and the political culture.  It can vary from election to election in the same location.  Trying to compare across countries that have very different cultures and issues is a bit of a mess.  And trying to compare across vastly different sizes of elections is also a mess.  The evidence is that offering online voting just causes people to shift voting channels, it doesn’t bring in new voters.  I have blogged about this many times before, e.g. online voting doesn’t increase turnout.

I do want to mention three countries specifically however:

  1. Canada
  2. Estonia
  3. Switzerland


Canada

There is only online voting in municipal elections in Ontario and Nova Scotia.  Voting in Ontario was extensively studied and the result is a maximum effect of 3% increase in voter turnout.

Goodman, Nicole and Stokes, Leah C, Reducing the Cost of Voting: An Empirical Evaluation of Internet Voting’s Effect on Turnout (October 6, 2016). Available at SSRN:

As you will recall, I earlier assessed risks to online voting as “Very Likely” (80% or greater potential for compromise).

So if you want to do an apples to oranges comparison, you’re basically looking at 3% turnout increase in exchange for adding massive risks to the integrity of your voting system (in the shift from paper ballots to online voting).


Estonia

Let’s be blunt: Estonia is a small country.  The total population is about 1.3 million.

The idea that we can trivially generalise from Estonia to Canada (30 times the population) or the US (300 times the population) is at best dubious.

In any case, Estonia provides all of its turnout numbers.  This gets presented in different ways according to the biases of the presenter.  I can, for example, use the numbers to say that after 8 years, less than a third of Estonians use online voting.  I can also say that Estonia’s turnout, with the magical boost of online voting was… only up 2.3% over 8 years and was lower than Canada’s completely paper-based turnout in 2015.

Statistics about Internet Voting in Estonia

Plus which, let’s be concrete about what less than a third means in real numbers of voters in Estonia.  It means approximately 176,000 votes cast online.

Do we seriously think countries are so interchangeable and voting cultures so universal that we can generalise from about 176,000 online votes in Estonia to about 128,000,000 votes in the last US Presidential election?  This is not about scaling up, this is a mouse and an elephant.  They’re not comparable.

And that’s setting aside the fact that the Estonian e-voting is not secure and that it relies on every citizen having a national digital ID, which is spectacularly unlikely to ever be the case in the US.

As the only country with national online voting, I understand why Estonia comes up again and again, but let’s be realistic about the fact we’re talking about a system that 70% of the country’s voters don’t use, and that only represents 176,000 votes cast anyway.


Switzerland

Switzerland has voting in some municipalities in some cantons (not national or even state-level voting by any stretch).  Switzerland also has no culture of voting privacy (traditionally voting was done by show of hands, and in fact in many municipalities this is still the norm) and it has much more frequent votes on more things.  We are again talking about a small number of votes cast online (less than 300,000).  And we’re talking again about less than 25% of voters choosing to vote online.  And, as always, it doesn’t increase turnout anyway.  And in Switzerland one of the systems had to be removed because it was determined to be insecure.

How many ivoters in Switzerland

For more on Switzerland:

Country Examples Summary

Mostly we have small examples.  Without exception, the increases in turnout are between minuscule and nonexistent.  These are based on long-term, serious, analytical academic studies.  The evidence is in.  Online voting does not increase turnout.


I give lots of credit to Andrew Weinreich for doing really diligent and comprehensive research and for letting his guests clearly express their opinions.

Where I disagree is in the reframing following the computer science speakers, where Weinreich says (starting at 23:29 into the Hacking elections episode)

“Leading computer science academics are deeply sceptical of Internet voting and are actively campaigning against its utilisation, not because theoretically they don’t think it’s a solvable problem, but because they don’t think it’s worth solving.”

This misrepresents the computer science position (which is incidentally a consensus position of the 96,000+ member Association of Computing Machinery).  The computer science position is that based on known risks and known results (including the cases I have presented above), the risk is too high and the benefits are minimal at this time.  And that the properties of paper ballots cannot be replicated online.  This is an expertise and evidence-based conclusion.

The computer science position is that this is an interesting problem, and one worth continuing to research.  And indeed there is active research on online voting in many different computer science departments and organisations around the world, in part because it is such an interesting and difficult problem.  But we are nowhere near having a solution, so in the same way we aren’t trying to solve electricity problems by promising a Mr. Fusion in every house tomorrow, we shouldn’t be creating the expectation that online voting will be workable any time soon.

And keep in mind the computer science conclusions about security were drawn long before the recent incidents of nation-state cyberattacks, which take the risk to an entirely new level.  You can mitigate against an amateur attack, and even against a moderately professional attack.  You cannot mitigate against a nation-state funded expert attack.  If the NSA wants to get into your system, they will.  That’s the level of threat we now know we face.

And that’s just the risks on the technical side, that doesn’t even touch on the possibility of coercion or online guided voting.  Vote online says Mark Zuckerberg.  How far from that to “Facebook has voted for you based on your preferences”?  (And to Weinreich’s credit again he explores some of the possible disruptions that online voting would cause for campaigns and advertising.)

Online voting doesn’t solve any of the very real problems of voter turnout.  In fact it’s so low down the list of potential solutions that when the City of Calgary wrote a 2017 report on increasing turnout (PFC2017-0259 Election Outreach) online voting was rejected deep down in an Appendix (Section 2.1 Internet voting in Attachment 3, to be precise).

I admire when people want to improve their democracy, want to increase turnout, want to improve the experience of voting.  But online voting is not the solution.  Solve the real problems instead.  They are big, and they are hard, and they are mostly political.

CSE releases report Cyber Threats to Canada’s Democratic Process

On June 16, 2017 at 10:30am, the Canadian Communications Security Establishment (CSE) released its report

Cyber Threats to Canada’s Democratic Process

Analysis to follow.

June 15, 2017  cyber threats to Canada’s democratic process – news conference
February 1, 2017  defend Canadian electoral process from cyber threats – Minister of Democratic Institutions Mandate

June 16, 2017 – cyber threats to Canada’s democratic process – news conference

Media Advisory from the Government of Canada – Democratic Institutions

News Conference by Minister Gould on cyber threat assessment

Media representatives are advised that the Minister of Democratic Institutions, the Honourable Karina Gould, and the Chief of the Communications Security Establishment, Ms. Greta Bossenmaier, will be holding a news conference to discuss an assessment of cyber threats to Canada’s democratic process.

Senior officials from the Communications Security Establishment will provide an embargoed technical briefing immediately before the press conference. The technical briefing will not be for attribution.

Technical Briefing
June 16, 2017
Time: 9:30 AM
National Press Theatre
150 Wellington Street
Ottawa, Ontario

Journalists who wish to participate via teleconference should contact the Minister of Democratic Institutions’ Press Secretary at the number below.

All information will be embargoed until 10:30 AM on June 16, 2017. The technical briefing will not be for attribution. No cameras will be permitted.

Press Conference
June 16, 2017
Time: 10:30 AM
National Press Theatre
150 Wellington Street
Ottawa, Ontario

For more information (media only), please contact:
Byrne Furlong
Press Secretary
Office of the Minister of Democratic Institutions


Here is some additional information and context from me.

Election Cybersecurity


In ICA 2017-01D Assessing Russian Activities and Intentions in Recent US Elections (PDF), the US intelligence community describes an influence campaign “strategy that blends covert intelligence operations — such as cyber activity — with overt efforts”.

The description is introduced with the term of art “We assess”, indicating an analytical assessment.  The US intelligence community asserts “high confidence” in the judgments related to the influence campaign.  High confidence is a term of art about confidence in sources that is defined in Annex B on Estimative Language: “High confidence generally indicates that judgments are based on high-quality information from multiple sources.”

For the technical background on the assessment, see Joint Analysis Report (JAR) JAR-16-20296A GRIZZLY STEPPE – Russian Malicious Cyber Activity (PDF)

The Netherlands, France, Germany, the UK and Australia

I am not an expert in nation-state cyber threats, so I cannot independently assess this material.

Hacking of Canadian Government is Real

Hacking of governments is a real threat.  The Canadian federal government has been successfully hacked multiple times.

above links from my blog post Canadian government departments have been hacked before

Online Voting

Canada has no online voting at the federal or provincial level, and in fact online voting has been rejected by multiple Canadian studies.

There is however online voting at the municipal level in Nova Scotia and Ontario.  With 97 municipalities using online voting in the 2014 election and potentially over 200 municipalities using online voting in the 2018 election, this is one of the largest uses of online voting in the world.  This includes some municipalities where online voting is the only option (all paper ballots have been eliminated).  There are no (none, zero) standards for provincial online voting security.  There is no guidance for decisionmaking and risk-assessment related to online voting.  Without exception, the online voting is contracted out to third-party, for-profit vendors.  The computer code and systems designs used by the vendors are confidential, and there have been no public security tests and no public examinations of the computer code used.

Online voting provably does not substantially increase turnout.  The most comprehensive study, conducted on the Ontario use of online voting, shows a maximum effect of 3% increase.

For more information see Wikipedia – Electronic Voting in Canada.  (Disclaimer: I am a substantial contributor to that Wikipedia page.)


If you want to cite the example of Estonia (the only country in the world with national online voting), you might want to mention:

Computer Security Experts

If you want to interview computer security experts about online voting, here is a list of over a dozen with contact information, including Canadians.


  • I tweet regularly about election security and online voting: @papervote

Detailed briefing

If you have made it all the way down here, you may also be interested in my 16-page briefing about online voting, written for the New Brunswick consultation on the topic.

Government of Canada statement on online voting and cybersecurity

May 30, 2017

Electoral Reform
Committees of the House
Routine Proceedings

Discussion introduced by Nathan Cullen (Skeena—Bulkley Valley, BC).

Madam Speaker, I move that the third report of the Special Committee on Electoral Reform presented on Thursday, December 1, 2016, be concurred in.

Above from Open Parliament

Later in the discussion, response (excerpt) by Andy Fillmore, Parliamentary Secretary to the Minister of Democratic Institutions

Another committee recommendation, number 4, advises against allowing online voting at this time. Again, we agree, and while Canadians who participated in agreed that online voting would improve voter turnout, their support was contingent on the need for solid assurance that such a system would not be vulnerable to manipulation by hackers. Similar concerns were heard from the experts before the special committee.

I want to touch briefly on the Minister of Democratic Institutions’ mandate to protect our electoral system from cyber-attacks. Working with her colleagues, the Minister of Public Safety and Emergency Preparedness and the Minister of National Defence, the minister has asked the Communications Security Establishment to analyze proactively the risks to our electoral system and to release a public report. Further, we will ask the CSE officer for advice for political parties on cybersecurity best practices.

Above from Open Parliament

I do need to mention that, despite the survey-question-driven assertion that “online voting would improve voter turnout”, the evidence is that online voting does not increase turnout.

December 1, 2016  ERRE Electoral Reform Committee Recommends Against Online Voting
October 2, 2016  ERRE Presentation – Internet Voting: Making Elections Hackable – Dr. Barbara Simons