Month: July 2019

Estonian Parliamentary Elections 2019 – ODIHR Election Expert Team Final Report – Internet Voting

The Office for Democratic Institutions and Human Rights (ODIHR) is a division of the Organization for Security and Co-operation in Europe.  The ODIHR has produced a report on the 3 March 2019 Estonian Parliamentary Elections.

ODIHR Election Expert Team Final Report – Estonia – Parliamentary Elections 3 March 2019 (PDF)

The ODIHR reviews a wide range of election conduct against international standards.  I will only extract selected parts of their report from section VII. Internet voting.  Numerous issues were identified.

In extracts below, EET = Election Expert Team and SEO = Estonian State Electoral Office.

Internal Attacks

the detection and prevention of internal attacks has been largely omitted. A review of operational and technical frameworks by the ODIHR EET indicates that an internal attacker with privileged access to digital ballots could break the vote secrecy of any voter who published an image of the QR code online, even after the expiry of the code’s validity. This contradicts national legislation and international standards pertaining to vote secrecy.21

RECOMMENDATION: The SEO could develop strategies to mitigate the risk of internal attacks, conduct third-party risk assessments, and publish any findings and audit reports well ahead of the next elections.

21 See Article 1(2) of the Election Act. Paragraph 7.4 of the OSCE Copenhagen Document requires that votes are cast by secret ballot or by equivalent free voting procedure. Paragraph 19 of the Council of Europe Committee of Ministers Recommendation CM/Rec(2017)5 on standards for e-voting requires that “E-voting shall be organized in such a way as to ensure that the secrecy of the vote is respected at all stages of the voting procedure”.

above from page 8 of the report

Software Errors May Cause Election Errors

The Internet voting system is not software independent, meaning that software errors in its components, such as the key generation system or the processor, may cause undetected errors in the election results. Considering publicly available records the system has undergone quality control activities but, contrary to international good practice, no reports were published on the SEO’s website, while updates to the source code were made as recently as three days before election day and well after Internet voting commenced.22

In addition, a limited source code review of the system by the ODIHR EET indicated issues regarding the treatment of concurrency, error handling, and error reporting.

RECOMMENDATION: The SEO could integrate quality assurance activities into the maintenance schedule of the voting solution and publish the security rationale and all quality assurance results, including design review, security analysis, and penetration testing results.

22 Paragraph 42 of the Recommendation CM/Rec(2017)5 on standards for e-voting states that “Before any e-election takes place, the electoral management body shall satisfy itself that the e-voting system is genuine and operates correctly.”

above from page 8 of report

External Auditors Did Not Audit All Operations

A team of external auditors was dispatched to assist the SEO with establishing vote secrecy during the computation of preliminary Internet voting results and the integrity of final Internet voting results by verifying the correctness of the cryptographic shuffle and decryption proofs. The team did not audit other critical operations, most notably the correct transmission of the final aggregation of the decrypted Internet votes.23

RECOMMENDATION: The SEO could strengthen its auditing process by developing a complete strategy and requiring auditors to implement critical auditing tools independently and from scratch.

23 Software independence requires that other operations are also independently audited, such as digital signature checking of all e-votes, removal of all duplicate and other ineligible votes from the digital ballot box, revocation, and anonymization. Paragraph 39 of the Recommendation CM/Rec(2017)5 on standards for e-voting states that “the audit system shall be open and comprehensive, and actively report on potential issues and threats.”

above from page 9

Technical Specifications Need Improvement

some key properties are not precisely formulated and left open to interpretation by the SEO and the vendor tasked to implement the Internet voting system, including minimal acceptable levels of cryptographic strength, and accountability and verifiability requirements. This may negatively impact the system’s overall performance and future innovation. The specifications also lack information about timelines and milestones for software development and deployment, and quality assurance.25

RECOMMENDATION: The technological specifications accompanying the legal framework could define acceptable voting systems in more general terms, but include additional requirements related to cryptographic strength, quality assurance, software development and deployment, as well as accountability and verifiability.

25 The Supreme Court considered two post-election appeals against NEC decisions related to Internet voting. While appeals were rejected, the Court recognized the need for more clear procedures and called for a legal clarification of rules on the implementation of Internet voting, in particular regarding counting and mixing of electronic ballots.

above from page 9

Internet voting at the national level

National-level Internet voting

  • Norway discontinued Internet voting trials in 2014.
  • Australia recommended against Internet voting in 2014.
  • Canada recommended against Internet voting in 2016.  The 2019 national Parliamentary election will have hand-marked paper ballots, counted by hand.
  • Finland studied and recommended against Internet voting in 2017.
  • Lithuania has decided not to proceed with Internet voting in 2019.
  • Switzerland has decided to redesign Internet voting trials, rather than making Internet voting a standard option.  However the Swiss Post system has been “temporarily suspended” after critical errors were found in the source code, and the use of the Geneva system has also been suspended pending a review.  i.e. Switzerland has no Internet voting at all at the moment.

UPDATE 2019-07-07: Swiss Post has made a confusing press release, basically to say that it will continue with its new system and discontinue its old one.  The “new system” is the one that had the public testing.  The public testing in which, through access to the source code outside of the restrictive agreement, three serious flaws in the system were found.

Swiss Post has decided to pool its strengths in the e-voting sector and work solely on the new system with universal verifiability. It plans to make the system available to the cantons for trial operation from 2020. Swiss Post will no longer offer the system that was previously in use.

END UPDATE

Estonia continues to be the only country in the entire world that has national-level Internet voting for all voters (during the advance voting period).  And it has numerous issues with procedures and specifications, as well as low and declining turnout.

Although not directly about Internet voting, also note:

Internet voting in Norway

Norway conducted trials of Internet voting in 2011 and 2013.

Internet voting was discontinued after the trials found no improvement in turnout (including no increase in youth turnout), combined with security concerns.

An archive of reports in Norwegian and English is available: The e-vote trial.

Here are some highlights of the reports:

Evaluation of the e-voting trial in 2011 – English summary of Institutt for Samfunnsforskning (ISF) report

we find no evidence that groups of voters have been mobilized to take part in the election as a result of internet voting.

The analyses, in sum, indicate that the trial did not have an effect on voter turnout.

young voters prefer to walk to the polling station on Election Day. They defined traditional voting as a symbolic and ceremonial act that indicates adultness.

Evaluation of the e-voting trial in 2013 (PDF) – English text begins on p 135 (p 137 in PDF)

In line with previous research, our findings indicate that the trial with internet voting does not lead to increased turnout in elections.

The government announced in 2014 that Internet voting trials would be discontinued.

June 25, 2014 – Internet voting pilot to be discontinued

As there is no broad political desire to introduce internet voting, the Government has concluded that it will would be inappropriate to spend time and money on further pilot projects.

The Institute for Social Research evaluated the pilot project in 2013… The report shows that the voters have limited knowledge about the security mechanisms in the system.

“This shows how important it is that elections are conducted at polling stations where election officials make sure that the principle of free and fair elections and the secrecy of the vote is respected,” says [Minister of Local Government and Modernisation Jan Tore] Sanner.

In Norwegian – Ikke flere forsøk med stemmegivning over Internett

The BBC reported this as E-voting experiments end in Norway amid security fears.

As part of the project, in 2009 there was a report on security.  It notes the added risks from remote voting.

The system is no longer by necessity confined to the local polling station; conceivably it is accessible world-wide, thus increasing the potential number of attackers and attack vectors dramatically.

Also as part of the project, in 2012 there was 196-page report International Experience with E-Voting [with a focus on Internet Voting] (PDF).