- [2021-10-16] The i-voting in the 2021 local municipality elections took place from October 11th to 16th. A new i-voting record was set with 273,620 votes (46%) being i-votes. Around 24,000 i-votes were revotes. The biggest share of i-votes went to the Reform Party. I-votes cast for the Center Party tripled in Tallinn. Several voting-related incidents were observed and are covered below.
- [2021-11-11] The State Electoral Committee (VVK) received an appeal from candidate Andrea Eiche demanding the i-voting results in Lüganuse municipality be annulled due to alleged vote buying activities. The complainant claimed that voters had been “persuaded” to cast an i-vote for a Center Party candidate, both at the Kiviõli Russian School and at a nearby store, with the latter providing gifts in return for doing so. The applicant requested VVK to ascertain how many i-votes had been cast from the store and also from the school’s IP address to specific candidates. The Supreme Court found that processing such data would breach the ballot secrecy. The court found that the allegations lacked sufficient proof, although the court ordered the police to investigate a potential criminal offense.
- [2021-11-03] Police detained a politician (Sergei Gorlatš) who is suspected of vote buying. According to preliminary data, almost 40 Narva residents were offered a trip, which included a guided walk in the park, a visit to a spa, a picnic and transport. The trip took place during the election week and people were instructed to bring their ID card to i-vote. The i-voting took place on the bus. People who could not vote due to the lack of an ID card or PIN codes were asked to do so later at the polling station. Almost half of the people were able to vote on that trip.
- [2021-10-28] The international i-voting security audit procurement failed five times in a row as the companies that applied did not meet the conditions of the procurement. However, the state signed a contract for a total of 200,000 euros with KPMG Baltics OÜ to conduct a narrower-scope procedural audit. The audit is supposed to assess all election-related information systems and has to be completed by April 2022. The audit is supposed to assess at minimum: (1) compliance with the OSCE/ODIHR report; (2) the implementation of the proposals made by the i-voting security working group in 2019; (3) compliance with the Council of Europe e-voting standard; and (4) current legislation and processes related to election information systems.
- [2021-10-28] EKRE submitted a complaint asking for i-voting in the ongoing elections to be declared illegal, as the translation feature of the Google Chrome browser distorted (translated) candidate names listed on the election website kov2021.valimised.ee. On the night of October 13th, the developers of the website added the translate="no" attribute to the candidate list, instructing browsers not to apply translation to that part of the page. The National Electoral Committee (NEC) rejected the complaint as the names of the candidates were displayed correctly in the i-voting application. The Supreme Court rejected the appeal, finding it unlikely that the translation problem had an impact.
- [2021-10-28] Virgo Kruve submitted a complaint asking for i-voting to be canceled for the local elections due to several issues: (1) the source code of the i-voting application was not publicly available; (2) the software was not audited and the i-voting server was not under the supervision of auditors; (3) paper voters and i-voters were not treated equally as i-voting was not possible on election day; (4) the i-voting application was signed after the i-voting trial; (5) VVK confirmed the results of the i-voting trial after the start of the i-voting period. NEC and the Supreme Court dismissed the complaint: (1) legislation does not require publication of the i-voting application source code or audit of the application; (2) the law does not impose an obligation to use the i-voting application provided by VVK; (3) the vote verification application can be used to check if the correct vote has been cast; (4) there are measures to verify the authenticity of the state-provided i-voting application.
- [2021-10-26] Jan Willemson (Cybernetica) used the unofficial proof-of-concept i-voting application to cast an i-vote in the local elections. The vote was accepted by the vote collector server and passed the mobile vote verification successfully. However, in the ballot box processing phase the vote was discarded as invalid. The cause of the bug is being investigated.
- [2021-10-23] Postimees wrote about indications that ID cards of nursing home customers are being misused to cast i-votes. As an example, it was mentioned that a relatively unknown candidate, a close relative of the head of a nursing home, received as many votes as a well-known Estonian politician (nearly a hundred votes) and had an unnaturally high proportion of i-votes – four times as many as paper votes. However, so far none of the allegations that ID cards are being misused in nursing homes have been substantiated.
- [2021-10-21] A hacker (Artur Boiko) was able to capture a signed i-vote produced by the voting application. The hacker informed the Estonian media that the i-votes cast in the elections are not valid as the DigiDoc4 client showed that the digital signature attached to his i-vote was not valid. RIA explained that the signed BDOC container formed by the voting application is not yet a complete digital signature, as the OCSP response and timestamp are added on the server side.
- [2021-10-19] Starting with the local elections this year, it is possible to cancel an i-vote in a polling station also on election day. Before 2021 this was not possible, because the voter lists were on paper. Electronic voter lists were used for the first time and it also enabled voters to vote in any polling station in their district as this information is now maintained in a central database. A total of 1,375 computers and 400 printers were used in polling stations all over Estonia. Most of the equipment was leased from Telia. Almost 2,000 people canceled their i-vote with a paper ballot.
- [2021-10-16] On the sixth day of advance voting, voting in polling stations experienced issues from 12:00 to 12:45. The cause was in RIA’s authentication service TARA that is used by the Election Information System VIS3. For security reasons, the number of queries processed from a single IP address was restricted to prevent DoS attacks. During the inaccessibility of VIS3, voters were able to cast paper votes using double envelopes. The electronic list of voters was updated as soon as VIS3 became available again.
- [2021-10-13] A designer (Stefan Hiienurm) criticized the design of the i-voting application as the application looks like “old-school pirated software” (has been largely the same for about ten years) and there is no indication that this is a service created by the Estonian state. The designer took 30 minutes and sketched how the i-voting application could look.
- [2021-10-12] I-voters whose computer clock was more than 5 seconds off got an error, although their vote was cast successfully.
- [2021-10-11] During the first 11 minutes after i-voting started, a false message was shown to voters by the voting application, stating that it was a test vote that would not be counted. Around 900 of the first i-voters received such a message. The votes were actually counted, as this was a configuration error having effect only on the text displayed. The end time of the test vote was wrongly configured to be an hour later.
- [2021-10-11] Users of the latest version of macOS were unable to i-vote with an ID card until a new voting application was released in the afternoon of the first day of i-voting. More than 30 complaints were registered by the technical support service, but hundreds or more users could have been affected. The error arose because the application had not been tested accordingly: before it was initially signed, the application was not given the right to communicate with the ID card software. The fault was discovered only after i-voting started, as the combination of macOS and ID card was not tested in the i-voting trial.
- [2021-10-11] The documentation for the macOS voting application on valimised.ee was inaccurate. The file name of the voting application was different (in the documentation “selection.dmg”, actually “KOV_2021_mac.dmg”), and the cryptographic checksum of the voting application file did not match the checksum in the documentation. The differences arose because the macOS voting application was updated without the documentation being updated in time.
- [2021-10-10] The source code of the i-voting system was made public on GitHub only 10 hours before i-voting began.
- [2021-10-04] Arne Koitmäe, the head of the State Electoral Service (VVK), discusses the possibility of i-voting using smart devices.
- [2021-09-21] Postimees received sharp criticism for publishing a cartoon that puts the Estonian i-voting system and the Russian i-voting system on the same level. Postimees reacted by taking down the cartoon.
- [2021-09-09] A research article by Sven Heiberg (SCCEIV), Kristjan Krips (Cybernetica/UT), Jan Willemson (Cybernetica/STACC) and Priit Vinkel (Cybernetica/VVK): “Facial Recognition for Remote Electronic Voting – Missing Piece of the Puzzle or Yet Another Liability?”. The authors studied the applicability of facial recognition for verifying voter identities (not specifically for the Estonian i-voting context). The architectural aspects and the main technical and ethical issues were discussed.
- [2021-09-05] A research article by Bingsheng Zhang (Zhejiang University), Zengpeng Li (Shandong University) and Jan Willemson (Cybernetica): “UC Modelling and Security Analysis of the Estonian IVXV Internet Voting System”. The authors claim that the Estonian i-voting system achieves end-to-end verifiability in practice despite the fact that only 4% (on average) of the i-voters verify their votes.
- [2021-08-28] A research article by Arne Koitmäe (VVK), Jan Willemson (Cybernetica) and Priit Vinkel (Cybernetica): “Vote Secrecy and Voter Feedback in Remote Voting – Can We Have Both?”. The authors discuss the possibility of introducing a feedback channel that would inform a person if someone (or the person themselves) has cast an i-vote in their name. The Estonian i-voting system is used as an example for discussing the possible feedback channel.
- [2021-08-25] A Belgian cryptographer (Olivier Pereira) described a variant of the revoting attack against the vote verification feature of the Estonian i-voting. By forcing a voter to revote (e.g., by simulating a voting application crash before the verification QR code is shown), on revote a malicious voting application can display the verification QR code from the previous (non-modified) vote cast by the voter, while the revote is substituted with the attacker’s candidate. The benefit compared to silent revoting is that malware does not have to interact with the ID card (or compromise the voter’s phone in the case of Mobile-ID). An obvious fix is for the i-voting system to allow the verification of the last vote only. The developers of the i-voting system have implemented such a feature, but this feature was not enabled by VVK for the local elections.
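
A simplified model of the "verify the last vote only" fix from the item above, added here as an illustration and not taken from the IVXV code base. The class, method and field names are hypothetical, and ballots are plaintext strings rather than encrypted votes; the model only shows why a stale QR code goes unnoticed without the check.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class VoteCollector:
    """Toy vote collector (hypothetical names, not the IVXV implementation)."""
    latest_only: bool                             # assumed policy switch
    votes: dict = field(default_factory=dict)     # vote_id -> (voter, ballot)
    latest: dict = field(default_factory=dict)    # voter -> newest vote_id

    def cast(self, voter: str, ballot: str) -> str:
        vote_id = secrets.token_hex(8)    # reference carried in the QR code
        self.votes[vote_id] = (voter, ballot)
        self.latest[voter] = vote_id      # a revote supersedes earlier votes
        return vote_id

    def verify(self, vote_id: str) -> str:
        """What the verification app displays for a scanned QR code."""
        voter, ballot = self.votes[vote_id]
        if self.latest_only and self.latest[voter] != vote_id:
            return "REJECTED: a newer vote exists for this voter"
        return ballot

    def counted_ballot(self, voter: str) -> str:
        """Only the newest vote of each voter reaches the tally."""
        return self.votes[self.latest[voter]][1]


def stale_qr_scenario(latest_only: bool) -> tuple[str, str]:
    """Replay the sequence described above.

    Returns (what the voter sees when verifying, what is actually counted).
    """
    vc = VoteCollector(latest_only=latest_only)
    first_id = vc.cast("voter-1", "candidate A")  # genuine vote, QR withheld
    vc.cast("voter-1", "candidate B")             # substituted revote
    shown = vc.verify(first_id)                   # voter scans the stale QR
    return shown, vc.counted_ballot("voter-1")


if __name__ == "__main__":
    for policy in (False, True):
        print(f"latest_only={policy}:", stale_qr_scenario(policy))
```

With the check disabled the voter sees their intended candidate while a different ballot is counted; with it enabled the verification fails visibly, which is the signal that tells the voter something is wrong.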
Cyber Security Newsletter 2021-12-10 (i-voting / KOV2021)