First things first: if you are interested in election security and have not heard of Estonia’s electronic voting system, I’d encourage you to do some research, starting with this blog post. There is a lot to Estonia’s e-Government initiative, and security is a key government enabler that allows it to be ultra progressive in election security. I’ve always been a proponent of intelligent security and of the idea that security applied correctly can be a business enabler. Estonia’s e-Government system is an example of security enabling their government.
I am going to write about Estonia’s election system, but in reading this you need to know that the upstream and downstream mechanics of this process are complex and took Estonia time to build. Some examples of this are the use of a universal digital identification card and the implementation of X-Road. Maybe someday, if I have time, I’ll write more about X-Road and its positive impacts on Estonia’s GDP.
What’s the deal with Internet voting in Estonia?
In 2005 Estonia became the first country in the world to hold nationwide local elections where people could cast binding votes over the Internet. Over the years the Estonian government has been able to implement electronic elections at the local, national, and European levels. As of 2016 Estonia has held 8 elections over 10 years where people could cast their votes over the Internet.
Estonia’s total population is small, roughly 1.3M people. Today 1/3rd of all votes are cast online.
So how does the voting work in Estonia?
The first and probably most important piece of the voting infrastructure is the Estonian digital ID card. This document allows citizens and residents to digitally sign documents and use private and governmental online services that require secure authentication. Digital ID cards also allow citizens to cast legally binding votes in a secure manner. Participation in the Estonian e-Vote requires a computer with an Internet connection and a smart card reader. Smart card readers are generally available for less than €10 at local computer shops and supermarkets. Citizens may also access the voting system at public libraries and community centers. As of 2011 citizens can also electronically identify themselves with a so-called “mobile ID”, which requires a special mobile SIM card with security certificates and two PIN codes. The ID card is still the most widespread method of digital identification.
E-voting is available during the period up to the evening on the actual election day. The voting website is hosted by the Estonian National Election Committee. In order to vote online, people are required to insert their digital ID card into a smart card reader attached to an Internet-connected computer. Next, electronic voters need to download a voting app, which is a standalone program for Estonian e-Voting. Citizens use their ID card and the four-digit PIN to identify themselves to the system. At this point the system checks whether the voter is eligible, according to age and citizenship, to vote in the election. Once confirmed, voters can then browse the list of candidates and decide whom to vote for. In order to cast an e-vote, the voter has to choose a candidate and provide a separate five-digit PIN to vote. When certified correctly, the electronic vote is cast and sent to the server, where it will be counted at an appropriate time.
The technical setup of electronic voting mirrors the process for postal voting. With postal voting, a two-envelope system is used to cast a vote. The inner envelope contains a ballot with the voter’s vote choice, but has no identification markings. The outer envelope contains the voter’s identification information. When it is sent to the polling station, the information on the outer envelope is used to verify the voter’s eligibility to vote and, if confirmed, the inner envelope is separated from the outer envelope and put into a ballot box for counting.
When an Estonian citizen sets up their digital ID card, they also set up two PIN numbers. The first PIN is paired with the digital ID card and used for authentication. The second PIN is used for digital signatures.
Estonia’s e-voting system works the same way as postal voting. Once the voter has downloaded the election system voting application, the user is forced to authenticate using their PIN and their digital ID. The voting application checks for eligibility to vote. Once authenticated, the voter selects their desired candidate and is requested to enter their second PIN to digitally sign their vote. By digitally signing the vote, the voter’s personal data, or outer envelope, is added to the encrypted vote. Before the voting results are ascertained on the evening of election day, the encrypted votes and the digital signatures are separated. Then the anonymous e-votes are “opened” and counted. The system opens the votes only after the personal data is removed.
If this sounds confusing, then a really simple way to think about it is that the e-voting application on the computer authenticates the voter using the smart chip on the digital ID card and a PIN. Once the voter is authenticated and in the voting application, a second PIN is used to encrypt the actual vote, acting as the digital signatory. Votes are encrypted using an asymmetric key pair. The voting application holds the public key, and the private key is used when the anonymous e-votes are tallied.
Election Security, Vote Secrecy and Verification
One of the commonly debated issues in Internet voting is the question of how to ensure secrecy in unsupervised environments. Because Internet voting does not ensure that voters cast their votes alone, the validity of Internet voting must be demonstrated on other grounds. To ensure that the voter is expressing their true will, they’re allowed to change their electronic vote repeatedly up until election day or cast a paper ballot. This mechanism ensures that coercion or vote buying will be meaningless. If a voter changes their electronic vote, only the last electronic vote will be considered final, and any paper ballot supersedes all electronic ballots.
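The double-envelope flow and the revoting rule described above, as an added sketch that is not Estonia’s actual implementation or code from the original post. Textbook RSA over toy primes stands in for the election key pair and an HMAC stands in for the ID-card signature; voter names, field names and function names are hypothetical.

```python
import hashlib, hmac, secrets

# Toy election key pair (textbook RSA over two Mersenne primes); illustration only.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N = P * Q                              # public: shipped with the voting application
D = pow(E, -1, (P - 1) * (Q - 1))      # private: used only when votes are tallied

def _sig(key, voter, ts, ct):
    # HMAC stands in for the ID-card digital signature (assumption of this sketch).
    return hmac.new(key, f"{voter}|{ts}|{ct}".encode(), hashlib.sha256).hexdigest()

def cast(voter, key, candidate, ts):
    """Voting app: encrypt the choice (inner envelope), then sign it (outer envelope)."""
    ct = pow((candidate << 64) | secrets.randbits(64), E, N)  # random pad hides equal votes
    return {"voter": voter, "ts": ts, "ct": ct, "sig": _sig(key, voter, ts, ct)}

def tally(envelopes, voter_keys, paper_voters):
    """Verify outer envelopes, keep each voter's last e-vote, strip identity, then decrypt."""
    latest = {}
    for env in envelopes:
        key = voter_keys.get(env["voter"])
        if key is None:
            continue                                   # not on the eligibility list
        if not hmac.compare_digest(env["sig"], _sig(key, env["voter"], env["ts"], env["ct"])):
            continue                                   # signature does not verify
        if env["voter"] not in latest or env["ts"] > latest[env["voter"]]["ts"]:
            latest[env["voter"]] = env                 # a later e-vote replaces an earlier one
    # A paper ballot supersedes every e-vote; identities are dropped before decryption.
    anonymous = [e["ct"] for v, e in latest.items() if v not in paper_voters]
    secrets.SystemRandom().shuffle(anonymous)          # break the link to submission order
    counts = {}
    for ct in anonymous:
        candidate = pow(ct, D, N) >> 64                # private key touches only anonymous votes
        counts[candidate] = counts.get(candidate, 0) + 1
    return counts

def demo():
    # Constructed sample data: three eligible voters, candidates numbered 1 and 2.
    keys = {v: secrets.token_bytes(32) for v in ("alice", "bob", "carol")}
    box = [cast("alice", keys["alice"], 1, 10), cast("bob", keys["bob"], 1, 11),
           cast("alice", keys["alice"], 2, 20),   # alice changes her vote
           cast("carol", keys["carol"], 2, 12),   # carol later votes on paper
           cast("dave", b"x" * 32, 1, 13)]        # dave is not eligible
    return tally(box, keys, paper_voters={"carol"})
```

The private key `D` is applied only to the list of ciphertexts left after voter identities have been discarded, which is the property the envelope analogy is meant to convey.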