Security Analysis of the Estonian Internet Voting System

Halderman, Alex J.; Harri Hursti; Jason Kitcat; Margaret MacAlpine; Travis Finkenauer; Drew Springall 2014. Security Analysis of the Estonian Internet Voting System. Technical report.

Several countries have experimented with casting votes over the Internet, but today, no nation uses Internet voting for binding political elections to a larger degree than Estonia. When Estonia introduced its online voting system in 2005, it became the first country to offer Internet voting nationally. Since then, it has used the system in local or national elections five times, and during recent elections 20-25% of participating voters cast their ballots online. (Halderman et al. 2014: 1)
I recall that India supposedly had electronic voting, but that may be a different kind of system. Personally I have my own trouble with voting in Estonia. I can't partake in the Internet voting because my ID card is damaged. Twice it has happened that I wait for the day the elections are supposed to be (European Parliament elections were on the 25th of March this year) only to find out that in order to vote over the Internet and elsewhere than my home district, I should have voted in the pre-elections. The first time this happened (that I couldn't vote on the voting day because I live away from my home district) I actually heard something about pre-elections (eelvalimised) and just didn't respond because I didn't know what it meant. This time there was no talk of pre-elections. Both times I had the false idea that on voting day I could go down to a voting station in the town I actually live and study in (Tartu), only to find out that I can't vote because I'm officially registered to live in my hometown 90km away, and I was supposed to travel there to vote. I had a long phone discussion with the voting information service about how they can't have a sensible system - vote wherever, but on the right day - because they need to send paper ballots to your home district on the voting day so as to somehow prevent falsification. The problem actually seems to be that although we have Internet voting, the process is not completely digital. It's a half-way deal, a mongrel of sorts. I would also be satisfied if there were other means to vote electronically that didn't require the ID card. You can approach some state matters through a bank-link. I would have no issue if I could "log in" via my bank and vote through a link through that system.
Many Estonians view Internet voting as a source of national pride, but one major political party has repeatedly called for it to be abandoned. (Halderman et al. 2014: 1)
Yup. That's the Center Party (Keskerakond). My ill-informed opinion on why this party and only this party is against the Internet voting system is that this party stands for Russian interests and the elderly. Having Estonians who are working elsewhere around the world, and young people (like me) who vote only on the condition that they don't have to leave their room, vote is not in this party's interests.
For these reasons, the Estonian Internet voting (I-voting) system represents a unique and important case study in election security. Its strengths and weaknesses can inform other countries considering the adoption of online voting, as well as the design of future systems in research and practice. (Halderman et al. 2014: 1)
Here's a trivial remark on cultural differences. The authors of this paper shorten "Internet voting" to I-voting. This makes sense firstly because I is the first letter of Internet, and secondly perhaps there's an American association between computer technology and Apple products (iTunes, iPhone, iPad) so that if America were to implement Internet voting, "iVoting" would be something they'd have to circumnavigate because of this association. In Estonian, on the other hand, the name of the thing is eHääletamine, which firstly stands for "electronic voting" and secondly relies on the association between the Internet and the Internet Explorer icon that was an emblem of the Internet in the 1990s. These are subtle cultural differences with their own denotative and connotative aspects.
The weakness of the Estonian system stems from its basic design. Most e-voting schemes proposed in recent years use cryptographic techniques to achieve end-to-end (E2E) verifiability. This means that anyone can confirm that the ballots have been counted accurately without having to trust that the computers or officials are behaving honestly. In contrast, Estonia's design implicitly trusts the integrity of voters' computers, server components, and the election staff. (Halderman et al. 2014: 1)
Ah, yes. The weakness of the Estonian Internet voting system is that the Estonians rely on their officials behaving honestly. This could never fly in America. This is partly so because Estonia is such a small and insignificant country without any notable resources (the U.S. will never invade us to liberate the bog peat (rabaturvas) resources for the mass market, or at least one could hope...) and there is very little reason to presume that anyone would go out of their way to fix our voting results. Another part of the issue is actually cultural, again. It's a matter of difference in trust - a similar case could be made for the Canadians who don't lock their doors because they trust their neighbours. Neither trusting the integrity of the voting system nor trusting that your neighbour won't rob you blind the minute you leave your house unlocked would fly in the great U.S. (At this point I'm beginning to worry about the anti-American sentiment I'm apparently giving off in this post.)
Cyberwarfare, once a largely hypothetical threat, has become a well documented reality, and attacks from foreign states are now a credible threat to a national online voting system. Given that Estonia is an EU and NATO member that borders Russia, it should not discount the possibility that a foreign power would interfere in its elections. (Halderman et al. 2014: 1)
The documentation of this reality involves references to China, the U.S. and Iran. Only the fourth case involves Estonia and Russia and how the latter made DDoS attacks on Estonian sites ("Russia accused of unleashing cyberwar to disable Estonia").
Candidate list reproduced from a figure in the paper (Halderman et al. 2014: 2):
Power to the People Party - Polly Politician
More Power to the People Party - Paul Politician
All the power to Drew Party - Dictator Drew
With all the talk of misogyny today I can't help but notice that Paul Politician is more forceful than Polly Politician. What if it were the other way around and Polly wanted more power to the people than Paul?
Our observation and analysis focus on the Estonian I-voting system as it was used for the 2013 municipal elections ("KOV2013"). In these elections, Internet voting was available for seven days, from October 10-16, and the main in-person polling took place on election day, October 20. (Halderman et al. 2014: 2)
Those are the first elections that I couldn't vote in because the information about Internet voting being available for seven days only didn't make it through to me. In hindsight it's mostly my own fault that I didn't research and invest more time into it. I was naive and thought that I could go in person to any voting station on the main day and give my vote. Only this year, during the European Parliament elections, did I research it, and I was unable to find any worthwhile information about how to vote. (To be true, I did find a lot of information on how the election was carried out internationally but nothing on the national level. A friend complained that he was equally unable to find even the candidates' list, so I guess I'm not the only one.)
At the start of each election, the election authority publishes a set of voting client applications for Windows, Linux, and Mac OS, which can be downloaded from https://valimised.ee. (Halderman et al. 2014: 3)
Welp, now I know where to turn when next elections are coming. It's kinda incredible that I only now stumble upon this site. Why am I so badly informed? (Could it have something to do with not following Estonian news, not watching the television, etc.?)
As a defense against coercion, voters are allowed to vote multiple times during the online election period, with only the last vote counted. All earlier votes are revoked but retained on the storage server for logging purposes. While the voting client indicates whether the user has previously voted, it does not display the number of times. The voter can also override her electronic vote by voting in person on election day. (Halderman et al. 2014: 3)
Wait. So why does the electronic voting option stop a whole four days before the main voting day? I don't believe that it takes up to four days for today's computer technology to process the electronic votes. Really, what is stopping the voting system from being my ideal of voting electronically on the main voting day?
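The re-voting rule quoted from the report is concrete enough to write down as a small ledger. What follows is an added example, not code from the report or from the Estonian system: every online ballot is kept in a log, only the latest ballot per voter is counted, an election-day paper ballot overrides any online ballot by the same voter, and the client-facing status reveals only whether a voter has voted, not how many times. Voter identifiers and the candidate names are constructed sample data; the arrival sequence number stands in for a timestamp.

```python
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class Vote:
    voter_id: str
    choice: str
    seq: int        # arrival order; stands in for a server timestamp (constructed)
    channel: str    # "online" or "paper"


@dataclass
class VoteStore:
    # Every online vote is appended here and never deleted, even after it is
    # superseded: the report says revoked votes stay on the storage server for logging.
    log: list = field(default_factory=list)
    # Paper ballots cast in person on election day, one per voter.
    paper: dict = field(default_factory=dict)
    _seq: int = 0

    def _next_seq(self) -> int:
        self._seq += 1
        return self._seq

    def cast_online(self, voter_id: str, choice: str) -> None:
        """Record an online ballot; an earlier one by the same voter is revoked, not erased."""
        self.log.append(Vote(voter_id, choice, self._next_seq(), "online"))

    def cast_in_person(self, voter_id: str, choice: str) -> None:
        """A paper ballot overrides every online ballot by that voter, whatever its order."""
        self.paper[voter_id] = Vote(voter_id, choice, self._next_seq(), "paper")

    def has_voted_online(self, voter_id: str) -> bool:
        """What the voting client is allowed to show: a yes/no, never a count."""
        return any(v.voter_id == voter_id for v in self.log)

    def effective_votes(self) -> dict:
        """The single ballot that counts for each voter."""
        latest = {}
        for v in self.log:            # log is in arrival order, so later entries win
            latest[v.voter_id] = v
        for voter_id, v in self.paper.items():
            latest[voter_id] = v      # in-person ballot beats any online ballot
        return latest

    def tally(self) -> Counter:
        return Counter(v.choice for v in self.effective_votes().values())

    def revoked(self) -> list:
        """Online ballots retained in the log but excluded from the count."""
        effective = self.effective_votes()
        return [v for v in self.log if effective[v.voter_id] is not v]


def demo() -> Counter:
    # Constructed scenario: A re-votes online, B overrides an online vote on paper.
    store = VoteStore()
    store.cast_online("voter-A", "Polly Politician")
    store.cast_online("voter-A", "Paul Politician")
    store.cast_online("voter-B", "Polly Politician")
    store.cast_in_person("voter-B", "Dictator Drew")
    store.cast_online("voter-C", "Paul Politician")
    return store.tally()


if __name__ == "__main__":
    print(demo())
```

The point of keeping the revoked ballots is auditability: an observer can reconstruct from the log that voter A changed their mind and that voter B's online ballot was displaced by a paper one, while the client still cannot leak to a coercer how many times a voter has re-voted.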
Some procedures appeared to change several times over the observation period. For example, observers were initially allowed to film and photograph inside the server room, but were prohibited the next day because of the unsubstantiated claim of "possible electronic interference." In a similarly abrupt change in procedure, observers were required to leave their mobile phones outside the data center after multiple days where this was not the policy. Rewriting the rules on the fly suggests that the procedures had not been adequately thought out or were insufficiently defined for staff to implement them consistently. (Halderman et al. 2014: 4)
Presumably this was the first time the voting procedure was observed, so the accusation really amounts to "adapting to novel conditions by creating necessary restrictions". What for the observers is a rewriting of the rules might in fact have been a creation of rules (that is, writing, not rewriting).
Even when procedural safeguards were clear, they were not always followed. For example, procedure dictates that two operators will be present when performing updates and backups. Second-operator procedures like this are commonplace in situations, such as voting, where the outcome must be robust to a single point of failure. On October 14 we observed that a lone staff member performed these tasks. The same staff member arrived with update disks and left with backup disks. Without a second operator present, the security of the system relies on the integrity of a single staff member. (Halderman et al. 2014: 4)
This sounds a lot like the military. Two guards/operators are procedurally necessary, even though not really, because one guy can do it and the other would be there for the formality of having two guys. The idea seems to be that the integrity of a single staff member cannot be trusted but the integrity of two staff members surely can. As if two staff members cannot be bought. I'd rather think that if one can, the other can, too. Ultimately, it seems to me, it doesn't matter how many operators you have checking up on each other, but whether you can trust the one person who is necessary to do the job. That is, I think it's a matter of quality, not quantity. (Then again I am way too naive and ignorant to have a say in this. My ignorance and naivete are exactly the reason why I'm reading this report that's so far removed from my own field and interests.)
In other instances workers unintentionally typed passwords and PINs in view of the camera. These included personal national ID card PINs and server root passwords. Similar problems were present during daily maintenance operations in the data center. Physical keys to the server room and rack were revealed to observers; these keys could potentially be duplicated using known techniques. (Halderman et al. 2014: 5)
If these kinds of things are considered, there can never be a completely secure voting system. The case is similar to the Heartbleed bug: we know in hindsight that there was a possibility for catching "bleeding" information, but there is no way to prove that anyone actually did so. Ultimately the question seems to be whether we can trust computers or people or anything or anyone, ever? Maybe it would be better to get some food storage and move to an underground shelter - then the only problem would be whether you can trust yourself not to slash your wrists out of boredom. This is getting hyperbolic, but that's exactly the issue: you can always blow security questions out of proportion.
The most alarming operational security weakness during pre-election setup was workers using an "unclean" personal computer to prepare election client software for distribution to the public. As seen in Figure 5, the desktop has shortcuts for an online gambling site and a BitTorrent client, suggesting that this was not a specially secured official machine. If the computer used to prepare the client was infected with malware, malicious code could have spread to voters' PCs. (Halderman et al. 2014: 5)
Yes, the photographic evidence clearly shows that between OpenOffice, Opera, VLC Player, some Samsung software, there was a shortcut to PokerStars.ee - is this shortcut a security threat in and of itself? The argument that it was an "unclean" personal computer seems to hinge on this shortcut (did they ask the purported owner if this was a personal computer?). I don't see a BitTorrent client anywhere, but the question would again be: does a BitTorrent client make a government computer personal and "unclean"? This almost seems to hinge on the anti-piracy narrative that torrenting will inevitably get you malware.
Unencrypted daily backups were casually transported in workers' personal backpacks. DVDs holding updated voter lists from the population register were handled in a similarly casual way after having been created, as we were told, by a member of staff at their own computer. We did not observe any audit trail or checks on the provenance of these DVDs, which were used daily at the heart of the I-voting system. (Halderman et al. 2014: 5)
These DVDs should be encased in bulletproof briefcases and carried with a four-member armed security team. A new computer must be set up to perform every simple operation and everyone must be treated as if they had ill intentions. That way, surely, there will be trust, safety and security.
After the votes were decrypted on the counting server, an unknown technical glitch prevented workers from writing the official counts and log files to DVD. Instead, they elected to use a worker's personal USB stick to transfer the files to an Internet-connected Windows laptop. (Halderman et al. 2014: 5)
Now imagine that the attackers were somehow omnisciently knowledgeable about this unexpected DVD-writing error and correctly predicted that a worker's personal USB stick and laptop would be used instead! My god, there are over 9000 potential attack vectors!
Keystrokes reveal critical passwords - Videos posted by officials during the election show operators typing, inadvertently revealing critical system passwords. (Halderman et al. 2014: 6)
But the figure shows only the username ("root") and the official just about to write the password. There is no indication that an onlooker could see or a camera could record the password. Since it's a Linux system (as the figure clearly shows), the password doesn't even appear on the screen in any form. The attacker would have to be an expert "keystroke reader" and hope that the password was not changed after the video was posted.
Video shows national ID PINs - During pre-election setup, someone types the secret PINs for their national ID card in full view of the official video camera. (Halderman et al. 2014: 6)
The attacker would only have to steal that person's ID card and then he could falsify that person's vote. What a threat! Given that Estonia is an Orwellian state with telescreens on every wall, every vote can possibly be falsified using this method.
Posted Wi-Fi credentials - The official video of the server setup process reveals Wi-Fi credentials, which have been posted on the wall. (Halderman et al. 2014: 6)
Yes. If the video were only with higher resolution so that one could actually read the password and we could be sure that they didn't change passwords at all, this would be a possible attack vector.
At that point, the malware checks whether the voter's ID card is still present in the computer. If so, it opens a copy of the I-voting client in a hidden session and, through keystroke simulation, submits a replacement vote. In the case that the ID card has already been removed, the malware remains dormant until the card is inserted again. Since Estonian ID cards are utilized for a variety of applications, many voters are likely to use their cards again within the one-week online voting period. (Halderman et al. 2014: 9)
In this case you would have to hope that people do for some unknown reason hold their ID cards in the reader for extended periods of time. Since I don't use it myself I can't say for sure if this is the case or not. As far as I know the use of ID cards "for a variety of applications" is greatly exaggerated.
One core strength of the I-voting system is Estonia's national ID card infrastructure and the cryptographic facilities it provides. While the ID cards cannot prevent every important attack, they do make some kinds of attacks significantly harder. The cards also provide an elegant solution for remote voter authentication, something few countries do well. (Halderman et al. 2014: 10)
The problem here is that ID cards would be difficult to implement in larger countries. The U.S. reacted with kicking and screaming to universal healthcare. Just imagine what kind of threats could be imagined for having all of your personal information in a database.
As we have observed, the procedures Estonia has in place to guard against attack and ensure transparency offer insufficient protection. Based on our tests, we conclude that a state-level attacker, sophisticated criminal, or dishonest insider could defeat both the technological and procedural controls in order to manipulate election outcomes. Short of this, there are abundant ways that such an attacker could disrupt the voting process or cast doubt on the legitimacy of results. Given the current geopolitical situation, we cannot discount state-level attacks targeting the system in future elections. (Halderman et al. 2014: 11)
The current geopolitical situation is that Russia could stir some shit by rolling in with tanks and fleets of helicopters. Attacking the Internet voting system seems too subtle for Russia.
Due to these risks, we recommend that Estonia discontinue use of the I-voting system. Certainly, additional protections could be added in order to mitigate specific attacks, but attempting to stop every credible mode of attack would add an unmanageable degree of complexity. Someday, if there are fundamental advances in computer security, the risk profile may be more favorable for Internet voting, but we do not believe that the I-voting system can be made safe today. (Halderman et al. 2014: 11)
For some reason I'm reminded of some Fox News reporters: the day to talk about women's rights or gun control will come, just not today. Based on what I've read here, I wouldn't discontinue the use of the I-voting system. Rather, I would set up some additional procedures and background contingencies - such as having an emergency USB stick and a clean computer to transport data if DVD writing should fail, etc. It is impossible to negate all the threats, but in this case it doesn't seem necessary. I wouldn't recommend this system for the U.S., but for Estonia I think it'll do.
We have not accepted any financial support from within Estonia, except for travel and accommodations for the international observers during the Oct. 2013 voting period, which were paid for by Tallinn City Council. The only requirement for that arrangement was that we observe the elections. (Halderman et al. 2014: 11)
This actually speaks a lot about why this observation occurred and why the report was published. Tallinn City Council is under the control of the Center Party (Keskerakond) and far from unbiased towards the Internet voting system. At the end of the day, the Estonian party that doesn't want there to be Internet voting accommodated an international team to assess the security threats of said voting system. There are so many ongoing corruption cases against this party that it's doubtful whether anyone would even consider looking into the neutrality of the team that authored this observation/report. In any case, for me it was interesting reading. Without paying much attention to news and television, this is how I learn about my own country.

1 comment:

Sulev said...

Actually, understanding the work of Professor Halderman's team does require a certain intelligence and breadth of view. It is tragicomic how Estonians again and again try to teach English to English-speaking people. Prof. Halderman specifically calls it "i-voting" because he emphasizes that Estonia's e-elections take place over the Internet, distinguishing it from the much more common "e-voting", which takes place via voting machines that are not connected to the Internet.
