“I gave my e-vote. This is not only convenient, but a vote of confidence to one of the best IT systems in the world, a vote of confidence to the Estonian State,” tweeted Toomas Hendrik Ilves , the president of Estonia on May 15th, marking the start of early voting for the European Parliament (the voting process will end on May 25th.) While undoubtedly convenient, e-voting in Estonia might not be as safe as President Ilves think. An independent group of researchers recently tested the Estonian I-voting system used during the last municipal elections, held in October 2013, and concluded that the flaws and lapses in operational security make it vulnerable to manipulations. Therefore, it cannot be considered safe enough. Last Monday, the Guardian reported on the research, whose results are available in a technical report published on Estoniaevoting.org, a website set up by the researchers, complete with photos and videos. “These computers could have easily been compromised by criminals or foreign hackers, undermining the security of the whole system,” declared Harri Hursti to the British newspaper. Hursti is an independent researcher from Finland with experience in testing e-voting system.
Today, Estonia is the only country that has been significantly and consistently using the e-voting system.
Starting in a 2005 local election, the system has being used in all subsequent elections, including the last European election in 2009; up to a quarter of votes are cast online, notes the Guardian. In the (contested) 2013 municipal elections, about 21 percent of voters used online voting.
In order to cast an online ballot, a voter identifies him/herself with the use of an activated electronic ID card, a system which has been available for several years.
The group of independent researchers recreated the system, using the real source code and the client software and simulated the kind of attacks the system could be subjected to, whether it be home computers or the central system.
“Estonia’s Internet voting system is actually quite sophisticated,” says Alex Halderman, one of the researchers in a video detailing the work on the e-voting system. He explains: “The system was built by people who had intimate knowledge of security. They made large parts of the system open source, they documented their procedures and they have videos of almost every step of the process.”
But this is not enough, he concludes: the system is still susceptible to being compromised.