NuHarbor Security Blog
April 8, 2019

How Does Estonia's E-Voting Work?

Justin Fimlaid

First things first – if you’re interested in election security but haven’t heard of Estonia’s electronic voting system, I’d encourage you to do some research, starting with this blog post. There’s a lot to Estonia’s e-Government initiative. Security is a key government enabler allowing it to be ultra progressive in election security. I’ve always been a proponent of intelligent security, and when applied correctly, security can be a business enabler. Estonia’s e-Government system is a shining example of security enabling the government.

This blog post is about Estonia’s current election system; be mindful that the upstream and downstream mechanics of this process are complex and took Estonia time to build. Examples of this include the use of a universal digital identification card and the implementation of X-Road. Someday I’ll write more about X-Road and the positive impacts on Estonia’s GDP.

What’s the Deal With Internet Voting in Estonia?

In 2005, Estonia became the first country in the world to hold nationwide local elections where people could cast binding votes on the internet. Over the years, the Estonian government has successfully implemented electronic elections at the local, national, and European level. As of 2016, Estonia has held eight elections over 10 years in which people could cast their votes on the internet.

Estonia’s total population is small, roughly 1.3 million people. Today, one-third of all votes are cast online.

So How Does the Voting Work in Estonia?

The first and arguably the most important piece of the voting infrastructure is Estonia’s digital ID card – the e-ID. The e-ID allows citizens and residents to digitally sign documents and use private and governmental online services that require secure authentication. The e-ID also allows citizens to cast legally binding votes in a secure manner. Participation in the Estonian i-Voting system requires a computer with an internet connection and a smart card reader. Smart card readers are generally available for less than €10 at local computer shops and supermarkets. Citizens may also access the voting system at public libraries and community centers. As of 2011, citizens can electronically identify themselves with “Mobile-ID”, which requires a special mobile SIM card with security certificates and two PIN codes. The e-ID card is still the most widespread method of digital identification.

During the voting period, i-Voting is available up to the evening of the actual election day. The voting website is hosted by the Estonian National Electoral Committee. To vote online, Estonians are required to insert their e-ID into a smart card reader attached to an internet-connected computer. Next, electronic voters must download a voting app, which is a standalone program for Estonian i-Voting. Citizens use their e-ID and four-digit PIN to identify themselves. At this point, the system checks whether the voter is eligible to vote in the election based on age and citizenship status. Once confirmed, voters can browse the list of candidates and decide who to vote for. To cast their vote, the voter must select a candidate and provide a separate five-digit PIN. Once certified, the electronic vote is cast and sent to the server, where it will be counted at the appropriate time.

The technical setup of electronic voting mirrors the process for postal voting. With postal voting, a two-envelope system is used to cast a vote. The inner envelope contains a ballot with the voter’s choices but has no identification markings. The outer envelope contains the voter’s identification information. When the envelopes arrive at the polling station, the information on the outer envelope is used to verify the voter’s eligibility, and if confirmed, the inner envelope is separated from the outer envelope and put into a ballot box for counting.

When an Estonian citizen sets up their e-ID, they also set up two PIN numbers. The first PIN number is paired with the e-ID and used for authentication. The second PIN is used for digital signatures.

Estonia’s i-Voting system works the same way as postal voting. Once they’ve downloaded the election system voting application, the voter is required to authenticate using their PIN and e-ID. The voting application checks for eligibility to vote. Once authenticated, the voter selects their desired candidate and is asked to enter their second PIN to digitally sign their vote. By digitally signing the vote, the voter’s personal data – or outer envelope – is added to the encrypted vote. Before the ascertainment of voting results on the evening of election day, the encrypted votes and the digital signatures are separated. Then the anonymous votes are opened and counted. The system opens the votes only after personal data is removed.

Sound confusing? In simple terms, the i-Voting application uses the smart chip on the e-ID with the four-digit PIN to authenticate the voter. Once the voter is authenticated and accesses the voting application, a second PIN is used to encrypt the actual vote, acting as the digital signatory. Votes are encrypted using an asymmetric key pair. The voting application holds the public key, and the private key is used when the anonymous votes are tallied.

Election Security, Vote Secrecy, and Verification

One of the commonly debated issues around internet voting is the question of how to ensure secrecy in unsupervised environments. Because internet voting doesn’t ensure that voters cast their votes alone, the validity of internet voting must be demonstrated on other grounds. To ensure that the voter is expressing their true will, they’re allowed to change their electronic vote repeatedly up until election day or use a paper ballot. This mechanism ensures that coercion or vote-buying is meaningless. If a voter changes their electronic vote, only the last vote will be considered final, but a paper ballot supersedes all electronic ballots.
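To make the double-envelope flow and the re-voting rule concrete, here is a small simulation added for this write-up; it is not code from the Estonian system or from the original post. It assumes textbook RSA over fixed Mersenne primes as a toy stand-in for the real cryptography, and the voter names, choice numbers, and function names are all constructed for illustration.

```python
import hashlib, random

M = lambda k: 2**k - 1  # Mersenne primes for k = 61, 89, 107, 127 (toy key material)

def keypair(p, q, e=65537):
    """Textbook RSA from two known primes; returns (public, private). Toy only."""
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))

def digest(ct, n):
    return int.from_bytes(hashlib.sha256(str(ct).encode()).digest(), "big") % n

def cast(choice, election_pub, voter_id, voter_priv):
    """Inner envelope: choice encrypted to the election key. Outer: voter signature."""
    n, e = election_pub
    pad = random.getrandbits(64)              # random pad so equal votes look different
    ct = pow((pad << 16) | choice, e, n)
    vn, vd = voter_priv
    return {"voter": voter_id, "ct": ct, "sig": pow(digest(ct, vn), vd, vn)}

def tally(box, paper_voters, voter_pubs, election_priv):
    latest = {}
    for b in box:                             # box is in arrival order
        vn, ve = voter_pubs[b["voter"]]
        if pow(b["sig"], ve, vn) != digest(b["ct"], vn):
            continue                          # outer envelope fails verification
        latest[b["voter"]] = b["ct"]          # a later e-vote replaces an earlier one
    # A paper ballot supersedes every electronic ballot from that voter.
    inner = [ct for v, ct in latest.items() if v not in paper_voters]
    random.shuffle(inner)                     # break the link to arrival order
    n, d = election_priv
    counts = {}
    for ct in inner:                          # opened only after identities are removed
        choice = pow(ct, d, n) & 0xFFFF
        counts[choice] = counts.get(choice, 0) + 1
    return counts

def demo():
    e_pub, e_priv = keypair(M(89), M(127))
    keys = {"alice": keypair(M(61), M(107)), "bob": keypair(M(61), M(127)),
            "carol": keypair(M(89), M(107))}
    pubs = {v: k[0] for v, k in keys.items()}
    box = [cast(1, e_pub, "alice", keys["alice"][1]),
           cast(2, e_pub, "bob", keys["bob"][1]),
           cast(1, e_pub, "bob", keys["alice"][1]),    # signed with the wrong key
           cast(2, e_pub, "alice", keys["alice"][1]),  # alice changes her vote
           cast(1, e_pub, "carol", keys["carol"][1])]  # carol later votes on paper
    return tally(box, {"carol"}, pubs, e_priv)

if __name__ == "__main__":
    print(demo())
```

Only two electronic votes reach the count: Alice's second choice and Bob's original one. The ballot signed with the wrong key is discarded, and Carol's e-vote is dropped because she also voted on paper.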

Justin Fimlaid

Justin (he/him) is the founder and CEO of NuHarbor Security, where he continues to advance modern integrated cybersecurity services. He has over 20 years of cybersecurity experience, much of it earned while leading security efforts for multinational corporations, most recently serving as global CISO at Keurig Green Mountain Coffee. Justin serves multiple local organizations in the public interest, including his board membership at Champlain College.
