- [2021-10-16] The i-voting in the 2021 local municipality elections took place from October 11th to 16th. A new i-voting record was set with 273,620 votes (46%) being i-votes. Around 24,000 i-votes were revotes. The biggest share of i-votes went to the Reform Party. I-votes cast for the Center Party tripled in Tallinn. Several voting related incidents were observed and are covered below.
- [2021-11-11] The State Electoral Committee (VVK) received an appeal from candidate Andrea Eiche demanding the i-voting results in Lüganuse municipality be annulled due to alleged vote buying activities. The complainant claimed that voters had been “persuaded” to cast an i-vote for a Center Party candidate, both at the Kiviõli Russian School and at a nearby store, with the latter providing gifts in return for doing so. The applicant requested VVK to ascertain how many i-votes had been cast from the store and also from the school’s IP address to specific candidates. The Supreme Court found that processing such data would breach the ballot secrecy. The court found that the allegations lacked sufficient proof, although the court ordered the police to investigate a potential criminal offense.
- [2021-11-03] Police detained a politician (Sergei Gorlatš) who is suspected of vote buying. According to preliminary data, almost 40 Narva residents were offered a trip, which included a guided walk in the park, a visit to a SPA, a picnic and transport. The trip took place during the election week and people were instructed to bring their ID card to i-vote. The i-voting took place on the bus. People who could not vote due to the lack of an ID card or PIN codes were asked to do so later at the polling station. Almost half of the people were able to vote on that trip.
- [2021-10-28] The international i-voting security audit procurement failed five times in a row as the companies that applied did not meet the conditions of the procurement. However, the state signed a contract for a total of 200,000 euro with KPMG Baltics OÜ to conduct a narrower scope procedural audit. The audit is supposed to assess all election-related information systems and has to be completed by April 2022. The audit is supposed to assess at minimum: (1) compliance to the OSCE/ODIHR report; (2) the implementation of the proposals made by the i-voting security working group in 2019; (3) compliance of the Council of Europe e-voting standard; and (4) current legislation and processes related to election information systems.
- [2021-10-28] EKRE submitted a complaint asking for i-voting in the ongoing elections to be declared illegal, as the translation feature of the Google Chrome browser distorted (translated) candidate names listed in the election website kov2021.valimised.ee. On the night of October 13th, the developers of the website added the translate=”no” flag to the candidate list, instructing browsers to not apply translation on that part of the page. National Electoral Committee (NEC) rejected the complaint as the names of the candidates were displayed correctly in the i-voting application. The Supreme Court rejected the appeal assessing the impact of the translation problem as unlikely.
- [2021-10-28] Virgo Kruve submitted a complaint asking for i-voting to be canceled for the local elections due to several issues: (1) the source code of the i-voting application was not publicly available; (2) the software was not audited and the i-voting server was not under the supervision of auditors; (3) paper voters and i-voters were not treated equally as i-voting was not possible on election day; (4) the i-voting application was signed after the i-voting trail; (5) VVK confirmed the results of the i-voting trail after the start of the i-voting period. NEC and the Supreme Court dismissed the complaint: (1) legislation does not require publication of the i-voting application source code or audit of the application; (2) the law does not impose an obligation to use the i-voting application provided by VVK; (3) the vote verification application can be used to check if the correct vote has been cast; (4) there are measures to verify the authenticity of the state-provided i-voting application.
- [2021-10-26] Jan Willemson (Cybernetica) used the unofficial proof-of-concept i-voting application to cast an i-vote in the local elections. The vote was accepted by the vote collector server and passed the mobile vote verification successfully. However, in the ballot box processing phase the vote was discarded as invalid. The cause of the bug is being investigated.
- [2021-10-23] Postimees wrote about indications that ID cards of nursing home customers are abused to cast i-votes. As an example, it was mentioned that a relatively unknown candidate, a close relative of the head of a nursing home, received as many votes as a well-known Estonian politician (nearly a hundred votes) and had an unnaturally high proportion of i-votes – four times as many as paper votes. However, so far none of the allegations that ID cards are being misused in nursing homes have been substantiated.
- [2021-10-21] A hacker (Artur Boiko) was able to capture a signed i-vote produced by the voting application. The hacker informed the Estonian media that the i-votes cast in the elections are not valid as the DigiDoc4 client showed that the digital signature attached to his i-vote was not valid. RIA explained that the formed signed BDOC container is not a fully completed digital signature, as the OCSP response and timestamp are added on the server side.
- [2021-10-19] Starting with the local elections this year, it is possible to cancel an i-vote in a polling station also on election day. Before 2021 this was not possible, because the voter lists were on paper. Electronic voter lists were used for the first time and it also enabled voters to vote in any polling station in their district as this information is now maintained in a central database. A total of 1,375 computers and 400 printers were used in polling stations all over Estonia. Most of the equipment was leased from Telia. Almost 2,000 people canceled their i-vote with a paper ballot.
- [2021-10-16] On the sixth day of advance voting, voting in polling stations experienced issues from 12:00 to 12:45. The cause was in RIA’s authentication service TARA that is used by the Election Information System VIS3. For security reasons, the number of queries processed from a single IP address was restricted to prevent DoS attacks. During the inaccessibility of VIS3, voters were able to cast paper votes using double envelopes. The electronic list of voters was updated as soon as VIS3 became available again.
- [2021-10-13] A designer (Stefan Hiienurm) criticized the design of the i-voting application as the application looks like “old-school pirated software” (has been largely the same for about ten years) and there is no indication that this is a service created by the Estonian state. The designer took 30 minutes and sketched how the i-voting application could look.
- [2021-10-12] I-voters who had their computer time more than 5 seconds off got an error, although their vote was cast successfully.
- [2021-10-11] During the first 11 minutes after i-voting started, a false message was shown to voters by the voting application, stating that it was a test vote that would not be counted. Around 900 of the first i-voters received such a message. The votes were actually counted, as this was a configuration error having effect only on the text displayed. The end time of the test vote was wrongly configured to be an hour later.
- [2021-10-11] Users of the latest version of MacOS were unable to i-vote with an ID card until a new voting application was released in the afternoon of the first day of i-voting. More than 30 complaints were registered by technical support service, but hundreds or more users could have been affected. The error was due to the fact that the application was not tested accordingly. I.e., before initially signing the application, the application was not given the right to communicate with the ID card software. The fault was discovered only after i-voting started as the combination of MacOS and ID card was not tested in the i-voting trial.
- [2021-10-11] The documentation for the MacOS voting application on valimised.ee was inaccurate. The file name of the voting application was different (in the documentation “selection.dmg”, actually “KOV_2021_mac.dmg”), and the cryptographic checksum of the voting application file did not match the checksum in the documentation. The differences arose because the MacOS voting application was updated without it being timely reflected in the documentation.
- [2021-10-10] The source code of the i-voting system was made public in GitHub only 10 hours before i-voting began.
- [2021-10-04] Arne Koitmäe, the head of the State Electoral Service (VVK), discusses the possibility to i-vote using smart devices.
- [2021-09-21] Postimees received sharp criticism for publishing a cartoon, which puts the Estonian i-voting system and the Russian i-voting system on the same stick. Postimees reacted by taking down the cartoon.
- [2021-09-09] A research article by Sven Heiberg (SCCEIV), Kristjan Krips (Cybernetica/UT), Jan Willemson (Cybernetica/STACC) and Priit Vinkel (Cybernetica/VVK): “Facial Recognition for Remote Electronic Voting – Missing Piece of the Puzzle or Yet Another Liability?”. The authors studied the applicability of facial recognition for verifying voter identities (not specifically for the Estonian i-voting context). The architectural aspects and the main technical and ethical issues were discussed.
- [2021-09-05] A research article by Bingsheng Zhang (Zhejiang University), Zengpeng Li (Shandong University) and Jan Willemson (Cybernetica): “UC Modelling and Security Analysis of the Estonian IVXV Internet Voting System”. The authors claim that the Estonian i-voting system achieves end-to-end verifiability in practice despite the fact that only 4% (on average) of the i-voters verify their votes.
- [2021-08-28] A research article by Arne Koitmäe (VVK), Jan Willemson (Cybernetica) and Priit Vinkel (Cybernetica): “Vote Secrecy and Voter Feedback in Remote Voting – Can We Have Both?”. The authors discuss the possibility for introducing a feedback channel that would inform a person if someone (or the person themselves) has cast an i-vote in their name. The Estonian i-voting system is used as an example for discussing the possible feedback channel.
- [2021-08-25] A Belgian cryptographer (Olivier Pereira) described a variant of the revoting attack for the vote verification feature of the Estonian i-voting. By forcing a voter to revote (e.g., by simulating a voting application crash before the verification QR code is shown), on revote a malicious voting application can display the verification QR code from the previous (non-modified) vote cast by the voter, while the revote is substituted with the attacker’s candidate. The benefit compared to the silent revoting is that malware does not have to interact with the ID card (or compromise the voter’s phone in the case of Mobile-ID). An obvious fix is for the i-voting system to allow the verification of the last vote only. The developers of the i-voting system have implemented such a feature, but this feature was not enabled by VVK for the local elections.
The main objective of this work is to check whether the vote verification applications distributed in the app stores can be compiled from the source code that has been made publicly available by Estonian National Electoral Committee. The experiments were performed using the Vote Verification application versions that were distributed in the I-voting period of the Estonian municipal council election held in October 2017.
The report will go through the different steps that were done during this experiment – monitoring the binaries, building the app from the source code, comparing build result with the distributed version and trying to reproduce it based on the differences found.
This is the report for UT course “Research Seminar in Cryptography (MTAT.07.022)”. The work deals with reproducible build problem of vote verification software used in Estonian i-voting held in October 2017.
The TL;DR; is that the source code available in GitHub is outdated and apparently was not the source code which was used to build the applications that were distributed to Android devices in Google Play Store.
The presentation was given in cybersecurity conference “Cyberchess 2017” held on October 5, 2017 in Riga. The presentation touched upon the recent events such as i-voting and the flaw found in the ID card chip.
The last question from the audience was worth a dime:
Is PPA considering any legal action against the vendor, because, as I understand, you have been informed by the researchers, but the vendor has not informed you.
And the second one: in the new procurement, what are are the lessons learned? Are you planing to change or include some clauses on liability?
The question was not answered in full, but the answer would be interesting indeed.
On Friday Sep 8th from 18:00 we will discuss next generation source code for Estonian e-voting software.
The code was published on GitHub Sep 5th, which leaves us exactly a month to check it out, test it and hack it. To give this new national sports of hacking e-voting a good kickoff we have a) invited coders behind the system to introduce the code to us and we will host b) a brainstorming session on what interesting hacks we can come up with. Let’s see where it goes!
Everybody is welcome, however some tehcnical knowledge about software and coding will help a lot to make the event meaningful for you.
According to the terms and conditions of the contract, the subject of audit is: ballot counting software, software for voters, election web site and other technical infrastructure related to e-voting.
Through this, the RIA wants to make sure that there are no vulnerabilities in the system or applications which would make it possible to see or change the voting results or otherwise manipulate the system. The security examiner must draw up a report on security threats in which the potential hazard scenarios are highlighted and suggestions on how to correct the errors are provided.
The testing is organized by the RIA before all elections, using the expertise of various experts. “We can not talk about the results of the earlier security tests, because this information is confidential in terms of security. As far as I can say, the current testing period is around one month, and it also leaves enough time to ensure that if there are any bottlenecks or security problems we will have time to fix them.” said RIA spokeswoman Helen Uldrich.
Indeed, the results of the penetration tests are kept secret. The terms of the procurement stipulate that at the end of the test the reports must be submitted digitally signed and encrypted. Security tests are performed in a test environment and if necessary a secure channel for testers can be created. The i-voting environment is open only to computers with specific IP addresses that are notified to RIA.
Two companies have been chosen to do pentest and two bugs have been found:
Penetration tests were carried out by Clarified Security from Estonia and the worldwide Finnish company Nixu, whose work resulted in detection of two errors in the new system. According to specialists, this is not something tragic, but part of the normal software development.
Is the cyber security in Estonia ensured? Why the government wants to change the period of i-voting and what signal with that we send to the world? Talk show host Urmas Vaino helps to set things straight.
Indrek Saar, Minister of Culture, Social Democratic Party
Jaanus Karilaid, Member of Parliament, Center Party
Priidu Pärna, Member of Tallinn City Council, Pro Patria and Res Publica Union
Anto Veldre, RIA analytic
Kristjan Vassil, UT senior researcher
Märt Põder, organizer of journalism hackathon
Arti Zirk, TUT IT faculty student
Tarvi Martens, Electoral Committee, Head of Internet Voting
Kristen Michal, Member of Parliament, Reform Party
Mihkel Slovak, UT senior researcher
Henrik Roonemaa, Geenius.ee editor
Erki Savisaar, Member of Parliament, Center Party
Andres Kutt, RIA, IT architect
Sven Heiberg, Cybernetica AS, Project Manager of Internet Voting System
Jaak Madison, Member of Parliament, Conservative People’s Party
Jaanus Ojangu, Chairman of Free Party
Agu Kivimägi, Stallion cyber security consultant
Jaan Priisalu, TUT researcher
Silver Meikar, Adviser to Minister of Culture
Kalev Pihl, SK ID Solutions, Board Member
Oskar Gross, Head of Cyber Crime Unit of Central Criminal Police
Klaid Mägi, RIA, Head of the department for handling incidents (CERT-EE)
Heiki Kübbar, Founder of ICEfire OÜ
Birgy Lorenz, Board Member of Network of Estonian Teachers of Informatics and Computer Science
Andres Kahar, KAPO Bureau Manager
Sven Sakkov, Director of NATO Cooperative Cyber Defence Centre
Heiki Pikker, TUT Cyber Security MSc student
Two papers on the topic. The first:
Abstract: After the Estonian Parliamentary Elections held in 2011, an additional verification mechanism was integrated into the i-voting system in order to resist corrupted voting devices [..] However, the verification phase ends by displaying the cast vote in plain form on the verification device. [..] In this respect, we propose an alternative verification mechanism for the Estonian i-voting system to overcome this vulnerability.
Abstract: Recently, Muş, Kiraz, Cenk and Sertkaya proposed an improvement over the present Estonian Internet voting vote verification scheme. This paper points to the weaknesses and questionable design choices of the new scheme. We show that the scheme does not fix the vote privacy issue it claims to. It also introduces a way for a malicious voting application to manipulate the vote without being detected by the verification mechanism, hence breaking the cast-as-intended property. In addition, the proposal would seriously harm usability of the Estonian vote verification scheme.
TL;DR: Turkish researchers see a privacy risk in the verification process which lets voter’s mobile device to learn for whom the vote was given. Estonian researchers in the counter paper argue why the proposed improvements do not solve the issue, instead decreasing the security of the scheme.
This paper user evidence from anonymized system log data on all Estonian e-votes from 2013-2015 to examine for patterns and combinations indicative of family voting.
Using logs we identify unique e-voting sessions coming from the same IP address and computer with the same operating system that happen in close proximity to each other, specifically with not more than 10 minutes between the end of one and the beginning of another unique voting act.
The results show that 7-8% of e-votes are cast in such pairs. The age and gender structure of these evoters also shows a set of distinct combinations. The age differences in these pairs are either very small or large. The largest group is formed by same aged pairs of opposite sexes, indicating same aged partners e-voting together. Another prominent pattern are pairs with large age differences of same or opposite sexes, indicating a parent voting together with a voting aged youth.
The new minister of Ministry of Economic Affairs and Communications (MKM) Kadri Simson sees this as a concern for i-voting:
“The Estonian Constitution says that the Election must be general and uniform. When the old man votes in the polling division, it is not allowed that his young cousin comes with him to polling booth and helps him to vote. However, in the Internet voting it is quite possible, since there is no control over who is assisting in the use of ID card.” said Kadri Simson, the chairman of the Center Party fraction in parliament.
“Real-World Electronic Voting: Design, Analysis and Deployment” is a new book about to appear on secure electronic voting. One chapter describes the Internet voting used in Estonia.
In Chapter 6, Dylan Clarke, an ERC research fellow at Newcastle University, and Tarvi Martens, the chief architect of the Estonian remote Internet voting system, describe the Estonian Internet voting system. Since the first pilot in 2005, Internet voting has been used for the whole country in three sets of local elections, two European Parliament elections and three parliamentary elections.
The draft is available in arXiv.org.
Abstract. We describe an update of the Estonian Internet Voting scheme targeted towards adding verification capabilities to the central system. We propose measures to ensure the auditability of the correctness of vote decryption and i-ballot box integrity. The latter will be improved to a level where it would be possible to outsource the vote collection process to an untrusted party and later fully verify the correctness of its operations.
The short summary is that I-voting system used for local municipal elections in October 2017 will use ElGamal cryptosystem that can be plugged into mix-net. Currently it is not clear whether the general public will be allowed to verify mix-net inputs and outputs.