The National Election Committee of Estonia have published a response to an article by The Guardian which reported the findings we have published on the Estonian e-voting system.
Here is our response to the claims of the Election Committee:
“The system has been used in six elections (municipal, national and European) without a single incident which have influenced the outcome.”
Our research argues that a well-resourced attacker, such as a nation-state like Russia, would be able to undetectably steal votes in an election using the Estonian e-voting system. We maintain that the Election Committee cannot, by virtue of the failings in the systems used, irrefutably prove that the six elections thus far conducted were never influenced, nor could they prove that for elections using the system in the future based on the current design.
This is one of the fundamental problems with Estonia’s design, which depends on complex software to report on votes stored invisibly within the ‘black boxes’ of servers. A key benefit of paper-based elections is that post-election audit and verification using proven techniques can provide a very high level of confidence in the integrity of the results.
“Estonia has conducted its online balloting in a unique spirit of transparency: every aspect of online balloting procedures is fully documented, these procedures are rigorously audited, and video documenting all conducted procedures is posted online.”
We have warmly welcomed these moves to transparency but they have not been sufficient. Video demonstrably does not cover all critical procedures conducted.
Even when a procedure has been taped, only portions of the activities were captured because there was one camera but two computer screens in use at the same time.
“In addition to opening every aspect of our balloting to observers, we have posted the source code of our voting software online.”
As confirmed at our meeting with Mr Martens and his colleagues from the Election Committee on 13th May 2014, the source code for both the voting clients and log server software has never been released. The Committee never intend to release the code to those elements despite them being, by the Committee’s own admission, fundamental to its operations and security protections. Thus the claim that the source is posted online is a very partial claim. Furthermore, source code availability, while an important basic requirement for transparency in such a system, is not in any way sufficient to ensure its security and accuracy.
“We believe that online balloting allows us to achieve a level of security greater than what is possible with paper ballots.”
The Election Committee have failed to demonstrate or prove this very significant claim. Our independent and detailed analysis of their system’s procedures, design and available source code suggests that the system provides security far below that of a well-run paper-based election.
“1. The researchers have not discovered any new attack vectors that had not already been accounted for in the design of our system as a whole.”
We disagree. The Committee are mis-portraying the client-side attack we have identified as using a ‘keylogger’ when this is not the case.
“2. It is not feasible to effectively conduct the described attacks to alter the results of the voting.”
We are surprised the Election Committee feel able to make such a strong claim given that in the same statement they also complain, “At this point, we can give only preliminary answers to allegations published in the Guardian, as the researchers have not shared the full results of their work with us.” We don’t believe it is reasonable for the Committee to have such certainty in refuting our research when they acknowledge they don’t have the full details.
We regret that we have not been able to publish as much detail as we would have liked, as quickly as we would have liked. This has been a significant project which we have undertaken independently and without contact with any parties or groups in Estonia to ensure full independence. As soon as our research identified the seriousness of the vulnerabilities we prepared to explain the situation to Estonia as quickly as possible. To ensure our impartiality we wanted to make sure that nobody in Estonia had advance and unfair notice of our findings. We also felt ethically duty-bound to inform Estonia of the issues before the system was used again for the binding European Parliamentary elections later this month.
On Tuesday 13th May 2014 we privately met members of the Estonian Electronic Voting Committee to disclose technical details of our findings. We have been working hard to publish appropriate technical information in public.
“3. The electoral committee has numerous safeguards and failsafe mechanisms to detect attacks against the elections or manipulated results.”
It is unclear how meaningful or effective these claimed measures might be as the Election Committee will not disclose any details as to the type of safeguards in place. If the Committee was truly confident in the measures they would explain them to us and the citizens they are serving.
The attacks we describe are the result of architectural weaknesses in the Estonian system, and they could be virtually impossible to detect if carried out by a sophisticated state-level attacker.
“4. The website put up by the security researchers (estoniaevoting.org) contains numerous factual and detail errors, and does not provide technical details on the alleged vulnerabilities in our system.”
We are happy to correct any errors or misunderstandings but unfortunately the Election Committee have chosen not to identify what they might be referring to on our website. We remain open to hearing any corrections.
“Nevertheless, their last minute claims, published two days before the beginning of online balloting for elections to the European Parliament, give us no reason to suspend online balloting.”
We first published information late on Sunday 11th May 2014 and sent email notifications on Saturday 10th May 2014. Electronic voting in Estonia opens on Thursday 15th May 2014. Thus we dispute the claim by the Committee of ‘two days’ warning.
We look forward to the continuing debate around e-voting.
[Updated 14th May 2014 to clarify that we had privately met the Electronic Voting Committee to disclose technical information.]
Also have a look at our FAQ.
This work, unless otherwise expressly stated, is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.