The Estonian Internet Voting System - An Independent Assessment of the Procedural Components
This working paper was published by the Cyber Studies Programmme at the Department of Politics and International Relations, University of Oxford, in September 2016. Authors include the Capacity Centre's Maria Bada, Taylor Roberts, Michael Goldsmith, and Sadie Creese.
The I-Voting system that was designed and implemented in Estonia in 2005 is the first Internet voting system to have been adopted anywhere in the world. Since its inception, it has been met with both praise and scrutiny. Concerns include in-person election observations, code reviews, and adversarial testing on system components. As a result of these concerns, some parties have concluded that there are various ways in which insider threats and sophisticated external attacks could compromise the system’s integrity and thus the voting process.
This paper examines the procedural components of the I-Voting system, with an emphasis on the controls related to procedural security mechanisms, high-level operational security aspects, and system transparency measures. The methodological approach is based on both primary and secondary data sources, including interviews with key Estonian election personnel, in order to determine the extent to which the present controls mitigate the security risks faced by the system.
The authors make three main arguments. First, it was found that procedural controls to be fundamentally important to the design of the I-Voting system. While these mechanisms go a long way toward preventing cyberattacks, problems in the system still exist. For instance, some security situations appear to be addressed in informal ways which rely heavily on the knowledge, experience, and professional relationships between officials. Second, in terms of operational controls, the authors were generally impressed by the state of the controls adopted, particularly the incident handling processes during elections, as well as checks and investigations during and after elections. The authors' main concern regarding resilience is the increasing potential for more highly sophisticated attacks. As time progresses, attackers will naturally become stronger, and the system will have to adapt in order to accommodate this evolution. Third, the system’s transparency measures have had a noteworthy impact on building confidence and trust in the I-Voting system, both locally and internationally. Challenges still exist, however, especially pertaining to the difficulty in running voter awareness campaigns, as well as increasing voter usage of transparency measures.