Press Release

Personal computer used to build election client for distribution
Personal computer used to build election client for distribution

12th May 2014 – For Immediate Release

Ahead of European Parliamentary elections an International team of independent experts identifies major risks in the security of Estonia’s Internet voting system and recommends its immediate withdrawal.

Estonia’s Internet voting system has such serious security vulnerabilities that an international team of independent experts recommends that it should be immediately discontinued.

The team members, including someone from the UK’s Open Rights Group, were officially accredited to observe the Estonian Internet voting system during the October 2013 municipal elections. These observations — and subsequent security analysis and laboratory testing — revealed a series of alarming problems. Operational security is lax and inconsistent, transparency measures are insufficient to prove an honest count, and the software design is highly vulnerable to attack from foreign powers.

Estonia is the only country in the world that relies on Internet voting in a significant way for national elections. The system is currently used for Estonia’s national parliamentary elections, municipal elections and is planned to be used for the May 2014 European Parliamentary elections. In recent polls, 20-25% of voters cast their ballots online.

Independent security researcher Harri Hursti, who observed operations in the election data center during October 2013, said there were numerous security lapses. “We didn’t see a polished, fully documented procedural approach of maintaining the back-end systems for these online elections,” said Hursti. Videos published by election officials show the officials downloading essential software over unsecured Internet connections, typing secret passwords and PINs in full view of the camera, and preparing the election software for distribution to the public on insecure personal computers. “These computers could have easily been compromised by criminals or foreign hackers, undermining the security of the whole system” Hursti said.

Assistant Professor J. Alex Halderman from the University of Michigan, pointed to fundamental weaknesses in the I-voting system’s design. “Estonia’s Internet voting system blindly trusts the election servers and the voters’ computers”, Halderman said. “Either of these would be an attractive target for state-level attackers, such as Russia.” Recent reports about state-sponsored hacking of American companies by China and European telecoms by the NSA demonstrate that these dangers are a reality, Halderman explained.

To experimentally confirm these risks, Halderman and his Ph.D. students recreated the Estonian “I-voting system” in their laboratory based on the published software used in 2013. They successfully simulated multiple modes of attacks that could be carried out by a foreign power. “Although the Estonian system contains a number of security safeguards, these are insufficient to protect against the attacks we tried,” said Halderman.

In one attack, malware on the voter’s computer silently steals votes, despite the systems’ use of secure national ID cards and smartphone verification. A second kind of attack smuggles vote-stealing software into the tabulation server that produces the final official count. The team produced videos in which they carry out exactly the same configuration steps as election officials — but with the system under attack by a simulated state-level adversary. Everything appears normal, but the final count produces a dishonest result.

“There is no doubt that the Estonian I-voting system is vulnerable to state-level attackers, and it could also be compromised by dishonest election officials,” said Halderman. These attackers could change votes, compromise the secret ballot, disrupt voting, or cast doubt on the legitimacy of the election process.

The team recently arrived at these results and were so alarmed that they decided to urgently make their findings public ahead of the upcoming European elections, explained Jason Kitcat from the Open Rights Group. “I was shocked at what we found,” explained Kitcat. “We never thought we’d see as many problems and vulnerabilities as we did. We feel duty-bound to make the public aware of those problems.”

While some of the problems can be corrected in the short term through changes to the system, others stem from fundamental weaknesses that cannot be fixed. With the growing risk of state-level cyberattacks, the team unanimously recommends discontinuing Internet voting until there are fundamental advances in computer security.

“With today’s security technology, no country in the world is able to provide a secure Internet voting system,” said Hursti. “I would recommend that Estonia return to a paper ballot only system.”

Maggie MacAlpine, a Post-Election Audit Advisor said, “While Estonia has an excellent e-government system, which they should continue to develop, they should take the Internet voting element of that off-line. Estonia has a well organized paper voting system which they should revert back to.”

The full report and videos explaining the key findings will be published at https://estoniaevoting.org

NOTES FOR EDITORS

For queries contact estoniaevoting@umich.edu or Jason Kitcat at +44 7956 886 508.

The report authors are:

J. Alex Halderman, University of Michigan*
Harri Hursti, Independent Security Researcher*
Jason Kitcat, Open Rights Group*
Maggie MacAlpine, Post-Election Audit Advisor*
Travis Finkenauer, University of Michigan
Drew Springall, University of Michigan

* Authors who acted as election observers for 2013 Estonian local elections

Media reports so far

Here are links to media reports on our work that we are aware of:

Bloggers and others:

Creative Commons License
This work, unless otherwise expressly stated, is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.

A security analysis of Estonia's Internet voting system by international e-voting experts.