Estonia’s internet voting system should not be used for the European elections in May because its security vulnerabilities could lead to faked votes or totals, say independent researchers.
The flaws were discovered by a team who were accredited to observe the October 2013 municipal elections. They said they observed election officials downloading key software over insecure internet connections, typing PINs and passwords in view of cameras, and preparing election software on insecure PCs. They have reported their findings to the Estonian government, but had had no response by Monday.
As one of the highest-profile countries in its adoption of the internet, Estonia intends to use the e-voting system for its European elections in May, and already uses it for national parliamentary and municipal elections. Up to a quarter of votes are cast online in elections.
The attacks could be carried out by nation states that wanted to compromise elections, or a well-funded candidate who hired criminal hackers with the capabilities to alter the vote, the researchers warned.
Harri Hursti, an independent researcher from Finland who works for the web security company SafelyLocked, said: “These computers could have easily been compromised by criminals or foreign hackers, undermining the security of the whole system.” Hursti has carried out a number of tests of e-voting systems, demonstrating weaknesses in systems used in the US and elsewhere.
The Estonian government has been developing its e-voting system since 2002, and used it for the first time in 2005 for local government council elections. In 2009, about a third of the electorate voted in the European elections – of whom 15% used e-voting. In the parliamentary elections in March 2011, 61% of the total electorate voted; just under a quarter of the votes cast came through e-voting.
The researchers, including Hursti and a team from the University of Michigan, replicated the Estonian system using its published software, which was used in the 2013 elections. “This was essentially their system, but used in a laboratory environment,” Jason Kitcat, of the UK’s Open Rights Group, told The Guardian. “We couldn’t use their system that they used for real votes, because that would be unethical.”