Category Archives: E-government

PacSec 2014: Internet voting and signing legally binding documents over the Internet


“Internet voting and signing legally binding documents over the Internet”
Harri Hursti, Margaret MacAlpine,

Internet Voting initiatives are discussed around the world and the common claim made is that no successful attack against an Internet Voting system have ever been demonstrated. This is not the case anymore.

Also, there has been a drive from Estonia to Taiwan to deploy national ID cards enabling paperless legal document systems. Important lessons are now learned about how not to do that.

Two countries in the world have been deploying Internet Voting larger scale : Estonia and Norway. In Norway the deployment of Internet Voting was always labeled as a trial, leaving Estonia as the only prominent country to perform general elections deployment, in the last election, over 31% of all votes were cast over the Internet.

After the recommendation of Mr. Hursti in October 2013, the Centre Party of Estonia invited an independent team of security researchers as election observers, a team of 4 international experts: Margaret MacAlpine, Jason Kitcat, Alex Haldermand and Harri Hursti. As a result, a variety of deficienies and vulnerabilities were discovered. Partially as result of publishing these discoveries, Norway announced the termination of their Internet Voting experiments, stating that the risks are outweighting the benefits.

Estonia published a partial source code of their election system, namely they have published most of the server-side code, but without the client. This allowed the researchers to build a fully functional copy of the Estonian election system into a laboratory environment to develop and test fully-functional attacks.

The Estonian government has also announced a new initiative: E-Citizenship. Under Estonian law, any document cryptographically signed with a National ID card is legally as binding as if the document were signed and notarized. Under the Estonian E-Citizenship initiative, non-residents and non-citizens can apply for E-Citizenship and enjoy various benefits for handling their business and lives as virtual EU citizen. The heart of this initiative is legal document handling with an ID card issued.

Client-side attacks developed and demonstrated against the Estonian Internet Voting system have extremely far reaching implications towards the heart and core of the Estonian E-government, and global implications as almost anyone can become an Estonian E-Citizen.