The Office for Democratic Institutions and Human Rights (ODIHR) is a division of the Organization for Security and Co-operation in Europe. The ODIHR has produced a report on the 3 March 2019 Estonian Parliamentary Elections.
The ODIHR reviews a wide range of election conduct against international standards. I will only extract selected parts of their report, from section VII (Internet voting). Numerous issues were identified.
In the extracts below, EET = Election Expert Team and SEO = Estonian State Electoral Office.
… the detection and prevention of internal attacks has been largely omitted. A review of operational and technical frameworks by the ODIHR EET indicates that an internal attacker with privileged access to digital ballots could break the vote secrecy of any voter who published an image of the QR code online, even after the expiry of the code’s validity. This contradicts national legislation and international standards pertaining to vote secrecy.[21]
RECOMMENDATION: The SEO could develop strategies to mitigate the risk of internal attacks, conduct third-party risk assessments, and publish any findings and audit reports well ahead of the next elections.
[21] See Article 1(2) of the Election Act. Paragraph 7.4 of the OSCE Copenhagen Document requires that votes are cast by secret ballot or by equivalent free voting procedure. Paragraph 19 of the Council of Europe Committee of Ministers Recommendation CM/Rec(2017)5 on standards for e-voting requires that “E-voting shall be organized in such a way as to ensure that the secrecy of the vote is respected at all stages of the voting procedure”.
(Above from page 8 of the report.)
Software Errors May Cause Election Errors
The Internet voting system is not software independent, meaning that software errors in its components, such as the key generation system or the processor, may cause undetected errors in the election results. Considering publicly available records, the system has undergone quality control activities but, contrary to international good practice, no reports were published on the SEO’s website, while updates to the source code were made as recently as three days before election day and well after Internet voting commenced.[22]
In addition, a limited source code review of the system by the ODIHR EET indicated issues regarding the treatment of concurrency, error handling, and error reporting.
RECOMMENDATION: The SEO could integrate quality assurance activities into the maintenance schedule of the voting solution and publish the security rationale and all quality assurance results, including design review, security analysis, and penetration testing results.
[22] Paragraph 42 of the Recommendation CM/Rec(2017)5 on standards for e-voting states that “Before any e-election takes place, the electoral management body shall satisfy itself that the e-voting system is genuine and operates correctly.”
(Above from page 8 of the report.)
External Auditors Did Not Audit All Operations
A team of external auditors was dispatched to assist the SEO with establishing vote secrecy during the computation of preliminary Internet voting results and the integrity of final Internet voting results by verifying the correctness of the cryptographic shuffle and decryption proofs. The team did not audit other critical operations, most notably the correct transmission of the final aggregation of the decrypted Internet votes.[23]
RECOMMENDATION: The SEO could strengthen its auditing process by developing a complete strategy and requiring auditors to implement critical auditing tools independently and from scratch.
[23] Software independence requires that other operations are also independently audited, such as digital signature checking of all e-votes, removal of all duplicate and other ineligible votes from the digital ballot box, revocation, and anonymization. Paragraph 39 of the Recommendation CM/Rec(2017)5 on standards for e-voting states that “the audit system shall be open and comprehensive, and actively report on potential issues and threats.”
(Above from page 9 of the report.)
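Two of the mechanisms the extracts above turn on are the voter-side check behind the QR code (page 8) and the decryption proofs the external auditors verified (page 9). The following is an added example in Python; it is not code from the report or from the Estonian system. It assumes, for illustration only, that the verification data carries the ElGamal randomness used to encrypt the ballot and that decryption is proved with a Chaum-Pedersen proof; the group parameters, candidate encoding and names (`cast_as_intended_check`, `decrypt_with_proof`, `verify_decryption_proof`) are constructed here. It shows two things: why the verification data is secrecy-sensitive (whoever holds it together with the stored ciphertext recovers the choice with no election key, which is the risk the EET flagged), and what an independent auditor's check of a decryption proof consists of.

```python
import hashlib
import secrets

# Toy group parameters, constructed for illustration; real elections use
# multi-thousand-bit groups. P = 2*Q + 1 is a safe prime and G generates
# the order-Q subgroup of Z_P^* (the quadratic residues).
P = 23
Q = 11
G = 4


def keygen():
    """Election key pair (x, h = G^x). In a real election x is secret-shared among trustees."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def encode_candidate(index):
    """Map candidate index 0, 1, 2, ... to the subgroup element G^(index+1)."""
    return pow(G, index + 1, P)


def encrypt(pk, m, r):
    """ElGamal encryption with caller-supplied randomness r, so the same r can be reused for verification."""
    return pow(G, r, P), (m * pow(pk, r, P)) % P


def cast_as_intended_check(pk, ciphertext, r, num_candidates):
    """Voter-side check (assumed to be what the QR data enables): re-encrypt each candidate
    with the stored randomness r and report which one matches the recorded ballot.
    Note that this needs no election key: r plus the ciphertext is enough to read the vote."""
    for idx in range(num_candidates):
        if encrypt(pk, encode_candidate(idx), r) == ciphertext:
            return idx
    return None


def fiat_shamir_challenge(*values):
    """Non-interactive challenge derived from the proof transcript."""
    data = ",".join(str(v) for v in values).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def decrypt_with_proof(sk, pk, ciphertext):
    """Decrypt (a, b) and attach a Chaum-Pedersen proof that the same secret x
    satisfies pk = G^x and d = a^x, i.e. that the decryption used the election key."""
    a, b = ciphertext
    d = pow(a, sk, P)                   # a^x
    m = (b * pow(d, P - 2, P)) % P      # b / a^x
    w = secrets.randbelow(Q - 1) + 1
    t1, t2 = pow(G, w, P), pow(a, w, P)
    c = fiat_shamir_challenge(pk, a, b, d, t1, t2)
    s = (w + c * sk) % Q
    return m, (d, t1, t2, s)


def verify_decryption_proof(pk, ciphertext, m, proof):
    """Auditor-side check: accepts only if the claimed plaintext is consistent with d
    and the proof ties d to the published election public key."""
    a, b = ciphertext
    d, t1, t2, s = proof
    if (m * d) % P != b:
        return False
    c = fiat_shamir_challenge(pk, a, b, d, t1, t2)
    ok_pk = pow(G, s, P) == (t1 * pow(pk, c, P)) % P
    ok_d = pow(a, s, P) == (t2 * pow(d, c, P)) % P
    return ok_pk and ok_d


if __name__ == "__main__":
    sk, pk = keygen()
    r = secrets.randbelow(Q - 1) + 1
    ballot = encrypt(pk, encode_candidate(2), r)
    print("voter check recovers candidate:", cast_as_intended_check(pk, ballot, r, 3))
    m, proof = decrypt_with_proof(sk, pk, ballot)
    print("auditor accepts decryption proof:", verify_decryption_proof(pk, ballot, m, proof))
    print("auditor rejects a substituted plaintext:",
          verify_decryption_proof(pk, ballot, encode_candidate(0), proof))
```

The cast-as-intended function is the reason the verification data must be treated as confidential for as long as the ciphertexts exist: expiring the code in the verification app does nothing if the randomness it carried was published and the ballots are still stored. The verifier function is the kind of tool the recommendation above asks auditors to implement independently and from scratch, so that it shares no code with the system it checks.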
Technical Specifications Need Improvement
… some key properties are not precisely formulated and left open to interpretation by the SEO and the vendor tasked to implement the Internet voting system, including minimal acceptable levels of cryptographic strength, and accountability and verifiability requirements. This may negatively impact the system’s overall performance and future innovation. The specifications also lack information about timelines and milestones for software development and deployment, and quality assurance.[25]
RECOMMENDATION: The technological specifications accompanying the legal framework could define acceptable voting systems in more general terms, but include additional requirements related to cryptographic strength, quality assurance, software development and deployment, as well as accountability and verifiability.
[25] The Supreme Court considered two post-election appeals against NEC decisions related to Internet voting. While appeals were rejected, the Court recognized the need for more clear procedures and called for a legal clarification of rules on the implementation of Internet voting, in particular regarding counting and mixing of electronic ballots.
(Above from page 9 of the report.)