Your suggested attacks on client side PCs and smartphones are already known to the developers of the Estonian I-voting system. They aren’t anything new are they?
Of course we would be hugely surprised if the Electronic Voting Committee’s risk analysis didn’t consider malware and client-end attacks. In fact, such attacks are exactly what the validation smartphone app discussed in our video and report is supposed to counter. What we show is that the app is ineffective against a well constructed attack. The client-side attacks we demonstrate change votes despite the use of the verification app and other safeguards.
Even traditional elections can be disrupted by natural disasters or widespread power outages. Are the risks you describe any worse?
The attacks we suggest, which are credible for a well-resourced attacker to conduct, would not necessarily be about disrupting the online voting system. We are most concerned about attacks which would never be noticed but would change the outcome of an election conducted using the online voting system. It is such attacks which we have explained could be possible through our research.
Internet voting is unsafe for most of the world, but doesn’t Estonia’s unique smartcard-based national ID card make it possible there?
Some have argued that Estonia’s PKI-based electronic ID card system is the ‘magic stuff’ that makes secure online voting possible for Estonia but nowhere else in the world. While we agree there are many strong aspects of the Estonian ID card system, neither class of attack discussed in our research is hindered by the ID card system; they simply work around it. Thus we don’t believe the ID card system is sufficient to guarantee the security and integrity of online elections.
But computers can’t take bribes, surely an online election is safer from corruption than the old ways?
We’re not arguing that paper election processes are perfect, but paper has several key security benefits over online voting. It’s much harder for large numbers of paper votes to be stolen or modified without anyone noticing. A paper voting system is not easily accessible to overseas attackers. And the properties of paper are well understood, so it can be meaningfully monitored and audited by a diverse set of people including citizens, political parties and election observers.
Moreover, new technologies can help make paper voting more secure than ever. Recently developed techniques for statistical risk-limiting audits and end-to-end voter verification can be used with paper ballots to vastly reduce the risks of undetected error or fraud. Unlike online voting, these are technologies that we can safely use today.
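The risk-limiting audits mentioned above are a statistical check on paper ballots. As an added example, not code from the original FAQ or from the research team, the following Python implements a ballot-polling audit in the style of the BRAVO sequential test: ballots are drawn at random from the paper record, and the audit stops either when the sample has given strong enough evidence for the reported winner or when the evidence runs out and a full hand count is required. The sample ballots, the reported vote share and the risk limit are constructed for illustration.

```python
import math

# Constructed example: a two-candidate contest where the reported winner
# received 60% of the valid votes, audited at a 5% risk limit.
REPORTED_WINNER_SHARE = 0.60
RISK_LIMIT = 0.05


def bravo_audit(sample, winner_share=REPORTED_WINNER_SHARE, risk_limit=RISK_LIMIT):
    """Ballot-polling risk-limiting audit for a two-candidate contest.

    sample: ballots drawn uniformly at random from the paper ballots, each
            'W' (vote for the reported winner), 'L' (vote for the reported
            loser) or 'X' (invalid/blank, which carries no evidence).
    winner_share: reported share of valid votes for the winner (> 0.5).
    risk_limit: maximum probability of confirming a wrong reported outcome.

    Returns (confirmed, ballots_examined, test_statistic). confirmed is True
    when the sequential test crossed 1/risk_limit; False means the sample
    was exhausted without enough evidence and a full hand count is needed.
    """
    if not 0.5 < winner_share < 1.0:
        raise ValueError("winner share must be strictly between 0.5 and 1")
    threshold = 1.0 / risk_limit
    t = 1.0  # likelihood ratio: reported outcome vs. an exact tie
    n = 0
    for n, ballot in enumerate(sample, start=1):
        if ballot == "W":
            t *= winner_share / 0.5
        elif ballot == "L":
            t *= (1.0 - winner_share) / 0.5
        # 'X' ballots leave the statistic unchanged
        if t >= threshold:
            return True, n, t
    return False, n, t


def rough_sample_size(winner_share=REPORTED_WINNER_SHARE, risk_limit=RISK_LIMIT):
    """Rough estimate of the ballots needed when the sample matches the
    reported share exactly. Uses the expected per-ballot log-factor;
    it ignores early stopping, so it is a planning figure, not the ASN.
    """
    per_ballot = (winner_share * math.log(2 * winner_share)
                  + (1 - winner_share) * math.log(2 * (1 - winner_share)))
    return math.ceil(math.log(1.0 / risk_limit) / per_ballot)


if __name__ == "__main__":
    # Constructed samples: one consistent with the reported result, one not.
    agreeing = ["W"] * 17
    contradicting = ["L"] * 10 + ["W"] * 5
    print(bravo_audit(agreeing))        # confirmed after 17 ballots
    print(bravo_audit(contradicting))   # not confirmed: hand count
    print(rough_sample_size())          # planning estimate of sample size
```

The test statistic grows by 1.2 for every ballot showing the reported winner and shrinks by 0.8 for every ballot showing the loser; only a run of evidence favouring the winner can reach the 1/α threshold, so a manipulated result whose paper ballots disagree with the announced count forces a hand count rather than being quietly accepted.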
If we can bank and shop online why can’t we vote online too?
Voting is a uniquely challenging security problem because it must be both accurate and anonymous. The key challenge is the secret ballot, a fundamental security feature that protects against voter coercion and vote buying. With online banking and shopping, the integrity of transactions can be checked by looking at statements, account balances, and so on. If there are problems a refund can be arranged. None of this can be done with votes. To keep the vote secret, the system can’t have the ability to go back and check with a citizen to see if they really meant to vote a certain way. If errors are later found, one cannot ‘refund’ or change a vote.
In any case, banks and online merchants suffer many billions of dollars in fraud every year, but they can write this off as part of the cost of doing business. Nobody argues that we should accept vast numbers of stolen votes.
Isn’t your team aligned to the Centre Party or some other political interests in Estonia?
No. This is not the case. Our research work and current visit to Estonia has been done without the funding or involvement from anyone in Estonia – no political parties and no other organisations. We have no desire to support or favour any political party in Estonia, we are simply offering the results of our research into a unique system which has gained international interest.
Have you undertaken responsible disclosure?
Responsible disclosure of security flaws is considered best practice in much of the computer industry. A disclosure is irresponsible if it helps the bad guys attack a system without first giving the good guys a chance to make the necessary repairs.
Our disclosure is responsible. We have privately informed the Estonian Electronic Voting Committee of a number of technical issues in their systems, the details of which we have not made public. We have also not published any code for the attack we have explored, and won’t until after the current European elections are over. Most importantly, the central problems we’ve pointed out are flaws in the fundamental design of the Estonian system; no fix is possible in the near term, short of reverting to paper balloting. It’s safe to assume that the attackers we’re most concerned about, dishonest insiders and foreign states, are already well aware of these problems.
See also our Response to Estonia’s Electronic Voting Committee.
This work, unless otherwise expressly stated, is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.