
Estonia Urged To Drop Internet Voting Over Security Fears 116

wiredmikey (1824622) writes "A team of global IT experts have urged Estonia to drop electronic voting from this month's European elections, saying they had identified major security risks. They also said the system's operational security is lax, transparency measures are insufficient, and the software design is vulnerable to cyber attacks. 'Estonia's Internet voting system blindly trusts the election servers and the voters' computers,' said U.S. computer scientist J. Alex Halderman, a co-author of the report released Tuesday. 'Either of these would be an attractive target for state-level attackers, such as Russia.'" The source for the voting system is available for anyone to inspect. The Estonian National Electoral Committee released a statement dismissing the researchers' claims: "At this point, we can give only preliminary answers to allegations published in the Guardian, as the researchers have not shared the full results of their work with us. The researchers met with officials from the electoral committee in October 2013, and could have contacted us at any point in the last 6 months to share the initial findings of their research. ... The researchers have not discovered any new attack vectors that had not already been accounted for in the design of our system as a whole. ... It is not feasible to effectively conduct the described attacks to alter the results of the voting. ... The electoral committee has numerous safeguards and failsafe mechanisms to detect attacks against the elections or manipulated results."
  • Ooh... (Score:4, Funny)

    by fuzzyfuzzyfungus ( 1223518 ) on Wednesday May 14, 2014 @10:53AM (#46999141) Journal
    "Numerous safeguards and failsafe mechanisms to detect attacks"

    In practice, doesn't that end up being an ass-covering official equivalent to "We're pretty sure that Norton hasn't expired and we probably ran Windows Update pretty recently unless the junior admin was out that day" fairly frequently?
    • Estonia has already weathered the brunt of a Russian cyberattack. They are recognized to be world leaders in cybersecurity at the government level, and host the NATO Cooperative Cyber Defence Centre of Excellence.

      http://www.zdnet.com/the-poste... [zdnet.com]

      So yes, I think their safeguards and failsafes extend beyond Windows Update and Norton. Open sourcing their code reduces the black-box vulnerabilities well beyond that level to begin with.

      • And on a different thread somebody was making the claim that nobody has ever posted such a comment.

  • by Anonymous Coward

    Hate on e-voting all you want, point out all the ways a malicious person could mess with it, but don't tell me that e-voting is not going to happen. Being able to instantly poll your entire population without having to go through the trouble of setting up polling stations nationwide and get people to those places will transform democracy.

    • Installation of blackhats as society's new ruling class would count as a 'transformation' of democracy, I suppose...
    • by Sique ( 173459 ) on Wednesday May 14, 2014 @11:05AM (#46999233) Homepage
      E-Voting per se is wrong. There is only one method to make sure that every vote counts, and that is public counting of the vote. Every tabulation of votes in a machine makes a public counting impossible.
      • E-Voting per se is wrong. There is only one method to make sure that every vote counts, and that is public counting of the vote. Every tabulation of votes in a machine makes a public counting impossible.

        That all depends on the implementation. For example: voter logs into secure site and enters vote. Secure site is connected to a card punch. After polls close cards are fed into card reader and counted. Hand counting can still be done.

        • by Sique ( 173459 )
          No. Doesn't work. We have examples of voting fraud where the election officials swapped ballot-boxes after the vote to manipulate the outcome in different districts. The only way to make sure this doesn't happen is to have all votes collected in front of the public and the ballot-boxes then opened in public and immediately counted.
          • Sounds like the scrutineers were asleep at the switch. All bets are off in any system if there is no verifiable chain of custody.
      • That must be why we don't do that in the U.S.
        I wonder why my state closed all polling stations (vote by mail only) and made it ILLEGAL to ask for ID when signing up to vote.
        They allow registrations with a common address such as the county courthouse saying this is needed by the homeless.
        Nice follow up was the change in law to require you to know a voter's name/age/address if you wanted to challenge votes even in districts with more votes than registered voters.

    • It might still happen, but many among us will still fight for the population to understand the unavoidable security risks in doing so. We have the duty to do so.

  • The issue is that you only get real security when the people in charge of the security are both well funded and the organization as a whole takes security very seriously.

    To my knowledge, the only organizations that really tend to have good security are banks and government intelligence. And in both of these we've seen major security breaches.

    I think the attraction of corrupting the voting system simply outweighs the internal pressure to secure the system such that if implemented, a digital voting system wou

    • It doesn't help that voting is an inherently trickier problem: a lot of the easy and obvious ways of detecting tampering go out the window if you aren't supposed to be watching the behavior of the users in detail. You are also monitoring something that happens infrequently, for relatively high stakes, rather than something (like credit card transactions) that happens all the time, usually for relatively low stakes, which makes statistical detection of anomalies less useful. Cloning a mag-stripe card, or jus
      • Well... I think something that might help is if they had a two part secret key system. Where in the identity of any individual vote could only be unlocked by the person that cast it.

        Then make it possible for voters to query how their vote was calculated. So if I personally voted for X then I checked the system and it says that my vote was counted as Y then we know there was tampering or at the very least a mistake.

        This would make vote altering harder because they wouldn't be able to change the vote tally to

          • Oh, there are definitely some very interesting voting system designs (mostly cryptographic flavors) out there, though I'm definitely not expert enough to say much of use about them. My point was merely that lots of the really obvious verification systems (the ones that don't need crypto-fu) tend to assume that a total or near-total knowledge of the system by trusted insiders is OK, and that there are (mostly) trusted insiders, worst case not-entirely-trusted-but-know-they-are-being-watched-and-we-know-where
          • No one can know what you did in the voting booth without the voter's encryption key. Under the system I laid out, the vote could be counted without the voter's encryption key. However, the votes could not be verified without that key.

            The point of the encryption is to create an independent and untouchable tally of the vote.

            It would be very impractical to audit the list since it would require every voter personally decrypt their vote and cross check it. But it would be secure. No one besides the person that c

            • by gwolf ( 26339 )

              Your scheme is very similar to what we use in Debian for voting for the project leader [debian.org] (unlike the fully-open tally sheets for voting on issues, not people [debian.org]). However, this scheme is good only where people trust each other, for occasions where you know there will be no vote buying/coercion. Not for a national elected government.

              • I don't see the problem with my scheme in regards to trust. Only I can identify which vote is mine. The votes are anonymous. The ID on each vote would at most say where the vote was cast not who cast it. I would know which vote was mine because I would record the ID number of MY ballot at the time of casting the vote. That ballot ID would not be associated with my identity in any way. Further, that ballot's encrypted ballot would only be accessible to me and only if decrypted it with my password. The point

                • The problem with voter-verifiable systems is that they are very prone to vote coercion or buying. If you can prove your "right way" vote was correctly counted, you can get the cheque. Or avoid the punishment for exercising your free will.

                  • As I said, that's a reasonable criticism. The alternative appears to be leaving the system so vague that insiders could easily fake votes, inflate voter rolls, or simply miscount the votes.

                    Again, we've had many districts report in with more people voting than are registered to vote. That isn't possible... unless there is fraud.

                    You can't be complacent about that and then claim to give a shit about voter intimidation or vote buying. Because at the end of the day creating votes out of thin air is a great deal

        • If you can prove your vote was correctly recorded, then you might be more easily persuaded to sell it — be it that you receive a pay for it, or you receive the service of not getting your bones broken.

          A vote once cast is just a piece of paper among many. Nothing should tie it to a voter's identity. A voter should be unable to prove he voted a particular way.

          • by Rei ( 128717 )

            A voter should be able to prove to *themselves* that they voted in a particular way and it was registered and counted, but not be able to prove it to *others*.

            • Say this system is approved. Say you want to buy my vote. You demand proof that I voted the way you wanted me to — If the e-voting platform allows me to confirm my vote was properly counted. So, all you have to do is to promise me to hand over the money if I prove you I did what we agreed. (or you can threaten me with physical violence unless I can prove it to you, same reasoning).

              A secure voting system should never allow me to prove what was my vote — But that would make me very suspicious, as

              • by Rei ( 128717 )

                Like I just said, it should be able to prove it to *you*, but not in a manner you should be able to prove to *others*. Why did you ignore what I wrote and go on and on about a system wherein it would be possible to prove to others?

                You have a brain. Information can reside in your brain. You cannot (reasonably) prove to others what information exists in your brain, but you can use that information to validate what you see to yourself. Thus, if there is any piece of information in your brain that you cannot co

                • by gwolf ( 26339 )

                  I did read your previous comment, and did reply to it.

                  Again: I offer you $100 for your vote, if you prove me you voted for my candidate. You go in and vote. You generate this secret code, known only to you. Then, you come to my evil lair, connect via my computer to Teh Interwebz, and type in your secret code. The system verifies you voted for my Master, and I give you your well-earned money.

                  That should be impossible. But any system where you can prove *to yourself* you voted a certain way opens the door to

                  • by Rei ( 128717 )

                    . Then, you come to my evil lair, connect via my computer to Teh Interwebz, and type in your secret code. The system verifies you voted for my Master, and I give you your well-earned money.

                    And how do you know it's *actually* my secret code, and not a dummy code showing a vote registered for someone else or not registered at all?

                    But any system where you can prove *to yourself* you voted a certain way opens the door to vote selling or coercion.

                    This is simply false. You can prove things to yourself without bei

          • You make a good point. This was something that did happen in the US at one point. People were intimidated to vote a given way and bribes were offered for people that voted one way or the other. Typically the bribes were something cheap like free beer or something. The threats were as you said broken bones... or in some cases employers would hang out at the polling station and fire people that voted contrary to his instructions.

            So I really do appreciate your point. That said, I would like the confidence to k

  • ...we know that Russia won't be able to stuff 100,000 paper ballots marked "yes" for a plebiscite into ballot boxes if they keep the current system...

    Plus they might be able to make the vote look in favor of remaining away from Russia by simply manipulating the totals after Russia has manipulated them first...
    • by Rei ( 128717 )

      Seriously, A+. People act as if non-internet voting isn't already plagued with huge problems, many of which a secure net voting system can eliminate. I mean, come on, in the last presidential election Chechnya had 99.59% turnout with 99.82% voting for the "Butcher of Grozny" [nytimes.com], with one precinct in Grozny with turnout over 107%. Think that's legit? Vote corruption in places like Russia is often done at the precinct/district level, levels which are entirely eliminated by net voting. You also reduce the threat

      • by amorsen ( 7485 )

        Even in Chechnya, where bad guys control pretty much all parts of the voting process, it is obvious to an intelligent person that there is fraud.

        With electronic voting, the fraud will be much harder to spot.

    • And does electronic voting solve any of these problems?

      The article points out that Estonian e-elections increase(!) risk of fraud. You just said, that since there can be fraud with conventional elections, it doesn't matter, how elections are done. It just makes no sense. If there are risks of fraud, they should be minimised, not increased.

  • > Source code is publicly available

    I'm going to suggest something: a publicly-accessible read-only port to the ROM where you can put in a USB and pull the entire ROM off automatically. Then people can confirm it matches the official binary, which people can confirm by compiling the source code themselves.

    It must be hardware-level and not under control of the processor or ROM so spoofing would require infiltration of the voting machine hardware.

  • by EmperorOfCanada ( 1332175 ) on Wednesday May 14, 2014 @11:12AM (#46999299)
    Quite simply it comes down to independent auditing. With my bank account, my email or even my Facebook; I can tell if I have been hacked or if these companies are playing fast and loose. I will look at my bank account and bloop I am $30,000 short. Where did it go? I will then begin an investigation and bring my previous bank statements as backup if needed. Worst case scenario the bank won't cooperate and I will take it to the courts where again my evidence will be brought to bear. Lastly I can switch banks. Quite simply it is because I have feedback as to what is happening.

    The same with facebook. If suddenly my posts are all encouraging people to help out a Nigerian prince then I've been hacked. I will then be able to take some action.

    The reason I mention the above technologies is that I think that we can all assume that our banks, facebook, and our email companies all are very good and work very hard at avoiding being hacked; yet they have all been hacked. Look at Target, they (to use the correct term) were PWNED.

    But when I vote online it is fire and forget. I don't know what happened to my vote. There is no physical record for me to point to. I can't check up on my vote after the fact. At least with a paper ballot system I take my physical ballot and I give it to some vaguely trustworthy government person who is closely watched by as many representatives of the various parties as there are parties. Each watching with the interests of their official in mind. So if they see something they don't like then they can call police/election officials/newspapers etc. I like this system. It is not impossible to thwart but close enough.

    In my city, Halifax, they added online to the municipal elections and I am truly scared. This should be illegal in 20 different ways. They justify it saying that it cuts costs and increases participation. Basically it didn't cut costs as they had to screw with the system so much, send out so many instructions, and answer so many questions. Plus in the end it basically didn't increase participation. I carefully looked at the votes and luckily none of the online voting was significant enough to have altered an outcome.

    But let's say that someone had screwed with the results (as a programmer you can't tell me that it isn't going to be that hard) the only people who are going to cheat are going to be bad people. People who, once they are in, will ensure that only they can continue to cheat. So to me every online voting system is basically waiting for the first set of evil and smart people to come along. That is it. But once it happens, by the altered rules of the voting system, how do I fight the vote? How can it be contested? How can there be a recount?

    Now I understand that some voting systems are complicated with many propositions, levels of government, etc being voted on in a single booth. So I have a very simple solution. You press your buttons which then produces a ballot on the screen, you then look at the ballot on the screen and see if you like it. Then you press print. It then produces a ballot that matches the one on the screen and you can compare. Then you say OK and then bring your ballot to the ballot box per normal. Then the computer tallies up the votes and announces a tentative winner. Then the humans can count the votes to see if the computer agrees with the paper ballots. But the key is that the paper ballots have the final say. The computer is only there to help. Then if there is a wild difference between the paper and the computer more interesting auditing mechanisms can come into play.

    As a computer programmer I am 100% certain that any online election can easily be rigged. But I am by far not alone. 100% of the time that independent security researchers have gotten their hands on electronic voting systems they have hacked them and usually with ease. So the solution is that these companies don't allow independent auditors but ones of their own choosing and ones that they pay well.

    This is a serious problem. Basically online voting is pretty much demanding that some evil person runs our government.
    • ...Online voting is pretty much demanding that some evil person runs our government.

      So... status quo?

      • Actually I think even worse. My guess is that while many people who go into office are ego-maniacal nitwits they aren't evil; they just discover (as they go into or arrive in office) that government is bought and paid for by big money.

        But if someone is cheating their way into office then they are planning evil from day one. Also even though big money has bought government they still have to fight over it. But if you had a single rich party cheat someone into office then there won't even be competing inte
  • by Catbeller ( 118204 ) on Wednesday May 14, 2014 @11:13AM (#46999303) Homepage

    Using computers to register, count, transfer, and archive vote tallies is impossible to do without an almost certain effort to alter the vote totals by parties interior to the project (people creating and maintaining the systems and the show runners) and outside the project ("hackers"). Of the two, the insiders are far more likely.

    This is not a failure of tech or of implementation. This is a human thing: those disposed to alter election tallies have infinite motivation to find a way to do it. They can either slip in during the coding phase or the implementation phase, or even during the elections. Like rats, they will find a way.

    The difference between paper and electronic is basic: paper leaves a physical trail. E-voting can be rigged to leave NO trace. IS rigged to leave no trace. No audit is possible: all audits are predicated that the datasets and code are correct to begin with. If someone slips in backdoors, they can alter vote totals in real time and therefore all recounts will be "accurate". Paper receipts are useless, because what is printed is not necessarily what actually happened. Paper printouts that are reviewed by the voter on site for accuracy and then stored in boxes by the voting agents *can* be a valuable check, for the paper should match the e-count. But why then the extra step of the computer? Just use paper to begin with. Canada does it (I hope still does) and they count elections by hand in three hours, no matter what the size, local or national, because human counting easily scales.

    Source code is worthless as a trace. One never knows what the machine is actually doing from microsecond to microsecond; the code executed need not match what you see on the source. This makes coders' heads explode, but it is true. The machine can be programmed to lie. I know this, because I have done it, on orders from my bosses, in the past, to make a bit more money for my company. Cheating is easy and it is undetectable if you are even marginally clever about it. The count can also be altered far from the source tabulating machine and local system, at other levels. Such malignancy will not be accounted for by the counting company; their rep is on the line, they don't believe it is possible and further they don't want to know.

    Use e-voting and you will see the powerful grab control, one way or another. Use paper.

    • Use e-voting and you will see the powerful grab control, one way or another. Use paper.

      Or if you like, use both.

      Using some cryptographic design principles plus paper ballots for marking votes and computers for tallying them, and including some random verification processes to tighten the whole thing, Chaum and Rivest's Scantegrity II [wikipedia.org] system provides an end-to-end verifiable system which allows every voter to verify that their vote was counted correctly, without giving them the ability to prove how they voted to anyone else (an important anti-coercion feature). It also allows anyone to veri

    • Indeed.

      While there are ways to make electronic voting more secure, the systems as a whole are too complex for one person to audit. The more fancy crypto you add, the fewer people understand the components. The fewer potential auditors you have, the cheaper it is to buy them off / lock them up for political crimes.

      It's easy to audit a ballot box. Virtually everyone of average intelligence understands the technology.

    • Audits are possible. However the voting machine designers actively reject calls to add auditing by claiming they are unnecessary, and election boards who are ignorant of computing do whatever the manufacturers ask of them.

  • Electronic voting can only be secure if everyone knows how everybody else voted. Otherwise there is no way to know if the outcome has been modified at some point in the process.
    • A good point, which hooks into some of the above posts. Is it even possible to have an election that isn't secret ballot? I recall from history that the early elections in England were huge frauds until they instituted secret ballots. There were a lot of abuses such as the local landlord's thugs openly threatening anyone who voted for the wrong candidate. I don't think human nature has changed at all since then, so we would see the same sorts of problems. Maybe we could have a system where voters have to re
      • Your key idea does not work because while you could check who you voted for there would be no way to check that all of the votes were right...and it would not be that hard to have your key logged to who you entered to vote for without actually counting it that way. Without some way to compare how many real life people voted a certain way with the tallies that the computer lists for who voted a certain way there is no way to secure electronic voting. Just look at how hard it is to secure paper ballots where
        • True, we have the same weakness in the current system. It is just a lot harder to pull off since physical ballots are widely distributed.
        • by Mondor ( 704672 )

          I think the whole idea of assigning the single-use key is that there would be a complete list of keys and votes, so everyone would be able to look at the same document and see if his vote is registered correctly. Of course, there may be bogus keys in that list and of course that would make the whole event not secret anymore (as there would be a database of links between the key and the voter), but at least such system would be a bit more transparent.

          If your token would be known to you long before the vote,

  • by mwfischer ( 1919758 ) on Wednesday May 14, 2014 @11:30AM (#46999447) Journal

    Even though it's not on the ballot, Estonia overwhelmingly voted to join Russia.

  • Jealous? (Score:4, Funny)

    by Loki_1929 ( 550940 ) on Wednesday May 14, 2014 @11:58AM (#46999783) Journal

    I think everyone else is just jealous because they have low voter turnout while Estonia's going to get 3000% in their next election.

    The only downside is the overwhelming election of Moot to Prime Minister.

  • No worries, Estonia. NSA will make sure Russia will not hack into your internet voting system.
  • Firstly, people here should understand that e-voting as in voting machines and internet voting are completely different and not really comparable.

    One of the opposition parties of Estonia is strongly against internet voting, mainly because their voters are not using it a lot and they are able to mobilize their voters well to go voting on paper as opposed to most other parties. For various reasons they are in power at the capital city and the trip of the researchers to go and observe the current voting proces

  • ...how do you expect to get a much more complex system correct? Mind you, I'm aware that the problem is not necessarily the system itself, but the transparency of the system. People probably won't like to hear it but I'd suggest that the only way to eliminate fraud is to have votes linked to your ID so that every vote can be verified as A) not having voted multiple times, B) not voting if you don't exist in at least two separate systems e.g. social security and driver's license, and C) not voting outside of

  • There is really nothing to see here. The report was commissioned by the Estonian Centre Party (ostensibly by the City Council of Tallinn, but they are the same thing) and was strategically scheduled to be published a few days before the European Parliament elections. (The Centre Party has been denouncing e-voting for a long time, mostly because they don't do well at those because of the demographics of their core electorate, and of course their own constant campaigning against it.) The team was handpicked f
  • From the summary the points seem to be in the territory of just conjectures. This is confirmed by this disclaimer in the Downloads page: DOWNLOADS We will be providing partial code for our proof-of-concept attacks after the conclusion of the May 2014 European Parliamentary elections.
  • You're not living in a democratic society, if you cannot vote with https://en.m.wikipedia.org/wik... [wikipedia.org]
    In democracy it's your vote that counts; In "feudalism" it's your count that votes. -Jallberg
