An Independent Assessment of the Procedural Components of the Estonian Internet Voting System
Working Paper No.6 (September 2016)
The I-Voting system that was designed and implemented in Estonia in 2005 is the first Internet voting system to have been adopted anywhere in the world. Since its inception, it has been met with both praise and scrutiny. Concerns include in-person election observations, code reviews, and adversarial testing on system components. As a result of these concerns, some parties have concluded that there are various ways in which insider threats and sophisticated external attacks could compromise the system’s integrity and thus the voting process.
This paper examines the procedural components of the I-Voting system, with an emphasis on the controls related to procedural security mechanisms, high-level operational security aspects, and system transparency measures. The methodological approach is based on both primary and secondary data sources, including interviews with key Estonian election personnel, in order to determine the extent to which the present controls mitigate the security risks faced by the system.
This study makes three main arguments. First, we found procedural controls to be fundamentally important to the design of the I-Voting system. While these mechanisms go a long way toward preventing cyberattacks, problems in the system still exist. For instance, some security situations appear to be addressed in informal ways which rely heavily on the knowledge, experience, and professional relationships between officials. Second, in terms of operational controls, we were generally impressed by the state of the controls adopted, particularly the incident handling processes during elections, as well as checks and investigations during and after elections. Our main concern regarding resilience is the increasing potential for more highly sophisticated attacks. As time progresses, attackers will naturally become stronger, and the system will have to adapt in order to accommodate this evolution. Third, the system’s transparency measures have had a noteworthy impact on building confidence and trust in the I-Voting system, both locally and internationally. Challenges still exist, however, especially pertaining to the difficulty in running voter awareness campaigns, as well as increasing voter usage of transparency measures.
Dr Jason R.C. Nurse is a Research Fellow (Department of Computer Science), Dr Ioannis Agrafiotis is a Research Fellow (Department of Computer Science), Dr Arnau Erola is a Postdoctoral Researcher (Department of Computer Science), Dr Maria Bada James is a James Martin Fellow (Global Cyber Security Capacity Centre), Taylor Roberts is a James Martin Fellow (Global Cyber Security Capacity Centre), Meredydd Williams is a Doctoral Candidate in Cyber Security (Department of Computer Science), Dr Michael Goldsmith is a Senior Research Fellow (Department of Computer Science), Professor Sadie Creese is Professor of Cybersecurity (Department of Computer Science)