Internet Voting the Estonian Experience


Sven Heiberg, sven@cyber.ee
Department of Information Security Systems, Cybernetica AS, Tartu, Estonia

Abstract

Estonia has offered Internet Voting as a method to participate in elections since 2005. In the Local Government Councils Elections 2009 over 100 000 voters used Internet Voting. The rise of the activity re-opens the question about the feasibility of Internet Voting, especially from the viewpoint of security: is it possible to guarantee that the voting results are not manipulated in a world where the voter's computer cannot be trusted?

Keywords: e-voting, security

1 Introduction

Increasing the voter turnout is a common aim for today's democracies. It can be approached by making the actual voting procedure as convenient as possible: instead of voting in a particular place in a particular way, the voting period can cover a longer stretch of days, or the vote can be cast in a place chosen by the voter. Pre-voting before the actual election day, voting by mail, voting on ships, in embassies abroad, or in one's own home visited by an election official carrying a ballot box are examples of making voting easier for a voter with special needs.

At the time of writing, the Internet Voting System (IVS) has been used in four Estonian elections: the Local Government Councils elections in October 2005, the Parliamentary elections in March 2007, the European Parliament elections in June 2009 and the Local Government Councils elections in October 2009. Before the first use, a legally non-binding pilot was conducted in January 2005 in Tallinn. In the Local Government Councils elections in 2005 there were 9 317 e-voters and 9 287 counted e-votes. E-voter turnout was 0.9% and 7.2% of advance voters were e-voters. Since then the number has grown steadily. In the Local Government Councils elections in 2009 there were 104 413 e-voters and 104 313 counted e-votes. E-voter turnout was 9.5% and 44% of advance voters were e-voters [ENEC].

From the viewpoint of popularity, the Estonian IVS could already be considered a success: while less than 10 000 e-voters is not yet a significant number, more than 100 000 e-voters are already a big part of our society. Security and e-voting specialists are sceptical, though: there are open questions about the IVS's architecture that have to be answered before it is possible to go on with e-voting. Those questions are even more important now that the number of users makes it really interesting and possibly beneficial to exploit the system.

2 System Description

The elections in Estonia take place in electoral districts; each district is allotted a number of seats. For example, there are 12 districts for the elections to the 101-seat Parliament. The inputs to the election process are thus the list of candidates for each district and the list of voters for each district. During the election, each voter can cast her vote for one of the candidates in the same district. After the election period the votes are counted; the output of the election process is the number of votes each candidate received. From this data, the actual assignment of seats is obtained through a process specified in the law.

2.1 Requirements

The requirements for a voting system stem ultimately from the Estonian constitution [CRE], which states: "Members of [Estonian Parliament] shall be elected in free elections... Elections shall be general, uniform and [...]. Voting shall be secret" (§ 60). Here generality and uniformity mean that each eligible voter has access to the same means and procedures for casting a vote. Also, each vote has to count the same; voting multiple times is not allowed. Secrecy of the vote means that no one other than the voter will know her vote. Freeness means that the vote of a voter is not unduly influenced from outside. The same properties also have to hold for the elections to local government councils (§ 156).

The same requirements have to hold for e-voting, and e-voting should resemble traditional voting as much as possible. The precise meaning of those requirements, as well as the accepted trade-offs, can be a point of discussion, though. In addition to the basic requirements stated in the constitution, the legislative acts issued by the Parliament and the National Election Committee (NEC) regulate more practical matters of voting, e.g. the layout of the lists of candidates in the polling places and voting booths, and the form of the ballots. While these acts can and must be amended to accommodate electronic voting, the principle of uniformity must still be obeyed.

Since 2002, Estonia issues to its citizens and permanent residents National Identity Cards (ID-cards) carrying a chip capable of performing RSA operations. Each chip contains two RSA secret keys, used respectively for authentication and for signing. To activate these operations, a PIN has to be given to the card (PIN1 for SSL challenge decryption, PIN2 for signing). The corresponding public keys are bound to the card owner by certificates issued by the Estonian root Certificate Authority. The certificates are also stored on the card. Various government and private sector services were supposed to use the ID-cards for identification and signatures. With the existence of such an infrastructure, the requirement that e-voters are identified using their ID-cards is an obvious choice. This identification method shall be available to all voters and (partially) ensures the generality of elections. The principle of using ID-cards for Internet voting has been codified in Estonian law since 2002 [REA], based on the analysis done by Lipmaa and Mürk [LiM01]. At that time, it was also legislated that Internet voting will take place simultaneously with the advance voting (six to four days before the actual election day).

Also for generality, the e-voting servers cannot suddenly become inaccessible (for a significant period of time). The e-voting system must contain means to mitigate denial-of-service (or other) attacks against the servers. As a last resort, the NEC can opt to cancel e-voting altogether. In this case, paper voting on the election day is still an available option for casting one's vote.

Uniformity of elections means that each person has just a single vote. In particular, it should be impossible to cast both an e-vote and a paper vote, or several e-votes. The principles of counting multiple votes by one person have also been codified in the election law: a paper vote trumps the e-vote.

In paper-based voting, secrecy and freeness are ensured by the voting booths, where a voter alone marks her choice on the ballot. Nothing similar exists for Internet voting. This has been one of the most contentious issues in legislating Internet voting [OSCE07]. To make vote buying less attractive, a voter can cast an e-vote several times, and only the last vote will be counted. Additionally, one's e-vote can be cancelled by casting a paper vote during the advance voting period. This voting procedure was included in the election law in 2005 [LGCEA].
This measure was not accepted unanimously by the Estonian Parliament; there were doubts whether it violates the uniformity of elections and the secrecy of the ballot [OSCE07]. The objection was that the traditional voting methods do not allow a voter to change her mind. As a mild compromise, the law left out the possibility to change an e-vote by casting a paper vote on the actual election day.

The above requirements have pretty much fixed how a voter interacts with the e-voting system. They do not yet fix how a vote is encoded (encrypted, signed, etc.), how it is transmitted to the voting servers, and how it is counted. Obviously, the protocols and procedures for these tasks have to be secure, but simplicity can also be seen as a virtue: one can expect the simplicity and the public acceptance of the system to be positively correlated. Also, as there are already complex parts of the entire election mechanism (assigning the seats based on the vote counts), other parts should be kept simple.

2.2 Technical Description

Infrastructure. The core e-voting infrastructure is the following:

- Vote Forwarding Server (VFS) is responsible for authenticating e-voters, distributing candidates' lists and accepting the signed e-votes; the VFS is available over the public Internet.
- Vote Storing Server (VSS) is responsible for storing the signed e-votes over the election period and for the anonymization of the e-votes before the actual tabulation; the VSS is kept behind a firewall, and connections from the VFS are allowed.
- Vote Counting Server (VCS) is responsible for the tabulation process. A part of the VCS is the hardware security module (HSM) that houses the RSA decryption key for decrypting the votes. This key is generated prior to each election. The corresponding public key is included with the e-voting client application (EVCA). The VCS is an offline computer that is never exposed to the Internet.
- EVCA is the end-user application, which runs on several platforms: Windows, Linux, MacOS X. It is used to connect to the VFS, download the candidates' list, make one's choice, digitally sign it and send it to the VFS.
- Auditing application (AA) is responsible for the integrity checks of the audit logs. Each server in the Internet Voting System keeps a log file about processed votes. Those log files must maintain a certain structure to provide evidence that the IVS has not been tampered with.

2.2.1 Protocol

E-voting is executed in several stages:

- Pre-election stage: all server software is installed, candidates' and voters' lists are installed, and the EVCA is packaged according to the elections at hand. The packaged EVCA is digitally signed by the NEC.
- Election stage: access to the VFS is opened, and people can e-vote by downloading the EVCA and using the ID-card for authentication and for digitally signing the vote. Modifications to voters' lists are also possible in this stage.
- Revocation stage: at the end of the election stage the electronic ballot box is closed, and a list of all e-voters is calculated and distributed to polling stations. In those stations the lists are checked against the lists of pre-voters, and any duplicate votes are written down to a revocation list. Those revocation lists are used to revoke duplicate votes on the VSS.
- Tabulation stage: at the end of the revocation stage all e-votes that are not revoked are anonymized: digital signatures are removed from the encrypted votes so that the tabulation application will not be able to see who voted for which candidate.

2.3 Organizational Security Measures

The components of the Estonian IVS must be deployed in a certain way to achieve the security requirements. For example, a hostile NEC could easily break anonymity by introducing digitally signed e-votes to the VCS, or modify the contents of the electronic ballot box during the anonymization process. To enforce the correct deployment of components and to ensure that the server side can be trusted, a rich set of organizational security protocols is executed:

- certain rooms are heavily guarded by police and surveillance cameras;
- certain operations can only be executed by at least two election officials together;
- a certified auditor must observe all key processes during election days;
- tabulation can be observed by official observers and the media.

3 Security Considerations

The Estonian IVS was developed in 2005. The first overviews of e-voting were written in 2001 ([LiM01], [TaK01]) and a conceptual risk analysis ([ABO03]) was made in 2003. This risk analysis states that: "The other side of the compromise or in principle the weak point of the scheme is the need to trust central servers and computers of the voters. Is such a compromise reasonable? In our opinion yes." [ABO03]

The need to trust central servers means that the owner of the IVS can manipulate the election results without getting caught. This is not something that society would accept: in order to use e-voting, people must have trust in this voting method. In order to achieve the required trust level, the organizational security methods described earlier are applied. From the attacker's point of view the most interesting target would be the VCS and the tabulation process. The e-voting results are published as a simple ASCII text file that could be written by anyone in his favourite text editor; the necessary information for doing that is public by its nature. As the VCS and the IVS's servers are heavily guarded and monitored during the election days, it is relatively hard to get access to them. On the other hand, 100 000 voters have influenced the e-voting results in the last elections; what if it were possible to influence maybe 20% of those 100 000 voters?

The need to trust central servers calls for organizational security. What about the need to trust the computers of the voters? The average e-voter uses his home or office computer to cast an e-vote. The average end user's computer is poorly maintained: security updates are not installed on a regular basis, there is software of unknown or pirated origin, and all fancy browser features are turned on. Therefore we must assume that the EVCA will be run in a hostile environment and its operations will possibly be under attack. If a malicious program executes with the user's rights (as the EVCA does), it is possible to break the anonymity and integrity of the e-vote. At some moment in time the voter's choice is in clear text in the computer's memory. If this moment can be detected (and usually it can), then it is possible to read and overwrite the memory without the user noticing. There are several methods to fight the problem: some methods try to protect the EVCA's memory and obfuscate the protection mechanisms, other methods are cryptographic integrity protection protocols that let the e-voter detect ballot modification, yet other methods execute vote-protection protocols that use the computer only as a mediator, so a trojan will see the exchanged data but will not be able to give any meaning to the data. A short analysis of various methods can be found in [AHL09].
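The ballot pipeline of sections 2.2.1 and 3 (an e-vote encrypted under the election key and signed with the voter's ID-card key; the last e-vote counts; a paper vote revokes the e-vote; signatures are stripped before the offline tabulation; a choice outside the voter's district is not counted) as an added Python simulation, not code of the Estonian IVS. Textbook RSA with tiny constructed primes stands in for the ID-card keys and the HSM-held election key; the voter names, districts, candidate numbers, sequence numbers and the random nonce are constructed assumptions.

```python
import hashlib
import random
from collections import Counter

# Toy textbook RSA (no padding) from two constructed primes; stand-in for the real keys.
def rsa_keypair(p, q, e=65537):
    n, phi = p * q, (p - 1) * (q - 1)
    return (e, n), (pow(e, -1, phi), n)          # (public, private)

def encrypt(pub, m):                              # vote encryption under the election key
    e, n = pub
    return pow(m, e, n)

def decrypt(priv, c):                             # happens only inside the offline VCS/HSM
    d, n = priv
    return pow(c, d, n)

def digest(data, n):                              # SHA-256 reduced into the signer's modulus
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(priv, data):                             # ID-card signing key (PIN2 on the real card)
    d, n = priv
    return pow(digest(data, n), d, n)

def verify(pub, data, sig):
    e, n = pub
    return pow(sig, e, n) == digest(data, n)

ELECTION_PUB, ELECTION_PRIV = rsa_keypair(1009, 1013)   # constructed; generated per election

# Constructed election data: candidate numbers per district, voter -> (district, ID-card keys).
CANDIDATES = {"D1": {101, 102}, "D2": {201, 202}}
VOTERS = {"alice": ("D1", rsa_keypair(101, 103)),
          "bob":   ("D1", rsa_keypair(107, 109)),
          "carol": ("D2", rsa_keypair(113, 127))}

def envelope_body(voter, seq, cipher):            # the bytes the ID-card signature covers
    return f"{voter}:{seq}:{cipher}".encode()

def cast(voter, candidate, seq):
    """EVCA side: encrypt the choice under the election public key, sign with the voter's key.
    seq models the VFS arrival order; the nonce keeps equal choices from encrypting alike."""
    cipher = encrypt(ELECTION_PUB, candidate * 1000 + random.randrange(1000))
    sig = sign(VOTERS[voter][1][1], envelope_body(voter, seq, cipher))
    return {"voter": voter, "seq": seq, "cipher": cipher, "sig": sig}

def tabulate(envelopes, paper_voters):
    """Server side: VSS keeps the last valid e-vote per eligible voter, drops voters on the
    revocation list (paper vote trumps e-vote), anonymizes, then the VCS decrypts and counts."""
    latest = {}
    for env in sorted(envelopes, key=lambda e: e["seq"]):
        info = VOTERS.get(env["voter"])            # not on the voters' list: not eligible
        if info and verify(info[1][0], envelope_body(env["voter"], env["seq"], env["cipher"]), env["sig"]):
            latest[env["voter"]] = env            # a later e-vote overrides an earlier one
    for voter in paper_voters:
        latest.pop(voter, None)                    # revocation stage
    anonymized = [(VOTERS[v][0], env["cipher"]) for v, env in latest.items()]
    random.shuffle(anonymized)                     # identity and signature are gone now
    counts = Counter()
    for district, cipher in anonymized:
        candidate = decrypt(ELECTION_PRIV, cipher) // 1000
        if candidate in CANDIDATES[district]:     # choice outside the voter's district: not counted
            counts[(district, candidate)] += 1
    return counts
```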
4 Conclusions

The main lesson learned from the four applications of Internet voting so far is that Internet voting is feasible if:

- the computer literacy of the population (or part of the population) is sufficiently high;
- there exists a reliable and widespread PKI for binding the identities of voters to public keys. In Estonia, this is achieved through the ID-card infrastructure, which is enforced by the government and heavily supported by major banks.

The IVS of Estonia could be considered a proof of concept, and it has been successful as such. As the number of e-voters steadily rises, the following questions must be answered in order to continue e-voting in Estonia or to enable e-voting in other countries:

- How is the IVS protected from large-scale manipulation on the e-voting client side?
- What feasible methods exist to diminish the amount of trust needed on the e-voting server side?

References

[ABO03] A. Ansper, A. Buldas, M. Oruaas, J. Priisalu, A. Veldre, J. Willemson, K. Virunurm; "I-voting Conception Security: Analysis and Measures"; 2003; http://www.vvk.ee/public/dok/e-voting_security.pdf

[AHL09] A. Ansper, S. Heiberg, H. Lipmaa, T. A. Øverland, F. van Laenen; "Security and Trust for the Norwegian E-voting Pilot Project E-valg 2011". In Audun Jøsang, T. Maseng and S. J. Knapskog, eds., 4th Nordic Conference on Secure IT Systems, NordSec 2009, volume 5838 of Lecture Notes in Computer Science, pages 207--222, Oslo, Norway, October 14--16, 2009. Springer-Verlag.

[CRE] "Constitution of the Republic of Estonia", http://www.president.ee/en/estonia/constitution.php

[ENEC] "Internet Voting in Estonia", Estonian National Electoral Committee, http://www.vvk.ee/index.php?id=11178

[LGCEA] "Local Government Council Election Act", http://www.legaltext.ee/text/en/x60031k2.htm

[LiM01] H. Lipmaa, O. Mürk; "E-valimiste realiseerimisvõimaluste analüüs" (Analysis of e-voting implementation choices, in Estonian); 2001; http://www.vvk.ee/public/dok/lipmaamyrk.pdf

[OSCE07] "OSCE/ODIHR Election Assessment Mission Report in the 2007 parliamentary elections in Estonia", http://www.vvk.ee/public/dok/osce_report_est_2007.pdf

[REA] "Riigikogu Election Act", http://www.legaltext.ee/text/en/x60044k2.htm

[TaK01] T. Tammet, H. Krosing; "E-valimised Eesti Vabariigis: võimaluste analüüs" (E-voting in Estonia: analysis of possibilities, in Estonian); 2001; http://www.vvk.ee/public/dok/evalimisteanalyys24okt.doc

(Validity of URLs checked on March 21st, 2010.)