I visited Estonia in mid-July of this year at the invitation of Edgar Savisaar, the country’s first prime minister and current mayor of Tallinn. Mr. Savisaar is the leader of the Centre Party, which placed second in recent national elections. The Centre Party and Mr. Savisaar have been questioning the outcome of the Internet voting portion of those elections. They invited me to Estonia because of a presentation I made at a European Parliament panel on the risks of Internet voting.
I told my hosts that I was happy to discuss the risks of Internet voting, but I would not comment on internal Estonian politics. When asked whether or not I thought the national election was rigged, I refused to comment, aside from saying that no one could prove that it was or was not rigged, because there is no way to conduct a recount of an Internet election.
The Internet portion of the 2011 election lasted from February 24 to March 2, with paper balloting conducted on March 6. The Internet vote was counted the evening of March 6. Estonian law allows complaints to be submitted only during the 3 days immediately following the procedure being challenged. Since Internet voting is considered separate from paper voting, the final day for submitting complaints about Internet voting was March 5. Graduate student Paavo Pihelgas was the only person who submitted a complaint by the deadline. (The Centre Party and independent candidates tried to file complaints, but they did not do so within the required 72-hour time frame.)
Pihelgas asked the National Election Commission (NEC) to cancel the election results, since the possibility of election-rigging malware meant that there was no way to be sure that the voters’ preferences had been correctly recorded. The NEC rejected his complaint the following day, saying that it had all the necessary provisions to detect such cases, without specifying what those provisions were. When Pihelgas resubmitted his complaint, it was forwarded to the Supreme Court. The Supreme Court dismissed the complaint on March 21, saying that a voter can file a complaint only when his or her rights have been breached.
I have communicated with several Estonians before, during, and after my trip. I have also read a report written by a team from the OSCE/ODIHR (Organization for Security and Cooperation in Europe/Office for Democratic Institutions and Human Rights) who observed the March 2011 election, and I have talked with a member of the OSCE/ODIHR team. Based on the information I have obtained, I have concluded that the Internet voting system used in Estonia is insecure.
1. There are a number of serious problems, as described by the OSCE/ODIHR report;
2. The voters’ privacy (secret ballot) is vulnerable;
3. The voters’ computers are vulnerable to election rigging malware;
4. There is an insider threat;
5. The server is vulnerable to attack from anyone/anywhere;
6. The system is not open or transparent;
7. There has been no security evaluation of the system by independent computer security experts.
The rest of this memo expands on the above concerns. To distinguish between OSCE/ODIHR report recommendations and my comments, I have italicized report comments and recommendations.
1. The OSCE/ODIHR report. Here are some of the problems uncovered by the report:
a) The NEC has no IT experts; it relied on the IT department of the Estonian Parliament (Riigikogu). The Report recommended that the NEC create in-house IT expertise and retain written records of all stages of the Internet voting process. While the need for IT experts is obvious, the need for computer security experts is even greater.
b) One programmer “verified” the software, but the results were secret. The Report recommended that the test results be published on a website. We have since learned (this was unknown to the OSCE/ODIHR team) that the only source code audit was done by Martin Paljak, who became sick. Paljak may have given initial verbal feedback, but he did not provide a final written report.
c) The project manager could update the software without any formal procedure. The project manager for electronic voting told Pihelgas that the last modifications to the voting application were made four days before the first day of the election. This is a serious security vulnerability. The project manager could intentionally or inadvertently insert election-rigging code into the software, or even trigger malware that had already been installed. Because no one else reviews or records such last-minute changes, there is no way to check or analyze them afterwards.
The OSCE/ODIHR report recommended that formal procedures for software deployment be developed and that a deadline for updates be established. The report also recommended that maintenance of the Internet voting system be prohibited during the entire Internet voting period.
d) The electronic ballots were destroyed on April 11, because Estonian law requires all ballots to be destroyed within a month of the election. As a result, it is impossible to conduct any kind of post-election analysis of the ballots, which is clearly undesirable.
e) Although the Election Act indicates that NEC can invalidate the results of the Internet voting, it does not specify on what basis and under which circumstances the results of the Internet voting could be declared invalid. It also does not specify how voters should be informed that they have to recast their votes on paper on election day. The report calls for the creation of a disaster recovery plan.
Even if the report recommendations were implemented, major problems would remain. If a successful attack (perhaps a Denial of Service attack, such as the 2007 attacks on Estonia that are widely attributed to Russia) were to occur just before the end of the election, people who had been planning to vote over the Internet may not have enough time to cast paper ballots. But even more serious is the possibility that an attack might be discovered, or even announced by the perpetrators, after a new government had been sworn in. What would happen then? How would the country react? Would the “losers” accept the new government? Would the previously announced winners allow a new election to take place? Would people question the results of previous elections that included Internet voting? How would Estonia’s new and still developing democracy cope with potential massive distrust?
And of course there is the ultimate threat, namely that the election is successfully rigged without detection. This could be done by attacking vulnerabilities in the system being used to collect and tabulate the votes and/or by planting election rigging malware on voters’ computers.
2. The voters’ privacy is not adequately protected. Quoting from “On applying i-voting for Estonian Parliamentary elections in 2011”, by Sven Heiberg (to be presented at VoteID 2011, September 28 – 30, Estonia; sent to me by Heiberg and quoted with permission):
For example, anonymization of i-votes can only occur in the presence of at least 2 election officials, auditor and possible observers. All procedures are defined beforehand in written form, all actions and outcomes are recorded on tape. Without enforcing those regulations, IVS owner could manipulate the election results on large scale by adding or removing votes from the digital ballotbox without getting caught.
“Anonymization of ivotes” refers to the separation of voters’ names from their ballots. (There is a cryptographic approach using “mixnets” for anonymization of votes that preserves the voter’s anonymity. But that approach is complex and must be carefully implemented. I have confirmed that mixnets are not being used in Estonia).
Observing the anonymization process means watching a technician type a command that runs a program. But who knows what that program does? How can you verify that there is not another copy of the ballots somewhere with voter names associated with them? Indeed, there should be another copy for backup purposes, or else the vote data is at risk of loss. Hence, anonymization must be a multistep process, something like:
1) From a copy of the i-ballots attached to voters names run a script that separates the ballots from the voters names, outputting two files, one with the ballots only and one with the names only.
2) Shuffle one or both of those files into random order, to destroy any positional correlation between the names in the name file and the ballots in the ballot file.
3) Run a check that no data has been lost or corrupted in this process.
4) Make several backups of the separated files.
5) Destroy ALL copies and backups of all ballots that have a name associated with them. This last step is essential, but inherently unverifiable. There is no way to prove that all such copies have been destroyed; it will likely be so difficult to find ALL of the copies normally made in the course of routine system behavior that as a practical matter it probably will not be perfectly accomplished.
It is inherently not possible to “observe” or verify that there is no remaining data somewhere that would allow reconstruction of the association between voters’ names and their ballots. Vote privacy is not an observable or auditable property.
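The following is an added illustration of the five-step procedure above; it is not code from this memo, from Heiberg’s paper, or from the Estonian system. It runs over a constructed sample of six named i-ballots, and the function names, the use of SHA-256 fingerprints for the backups, and the sample data are all assumptions made for the illustration. Steps 1 through 4 are implemented and checked; step 5 is deliberately left as a comment, because destroying every named copy is an act on the hosting system that the script can neither perform nor prove.

```python
import hashlib
import secrets
from collections import Counter

# Constructed sample of i-ballots still attached to voter names (not real data).
SAMPLE_NAMED_BALLOTS = [
    ("Voter 01", "Candidate 17"),
    ("Voter 02", "Candidate 42"),
    ("Voter 03", "Candidate 17"),
    ("Voter 04", "Candidate 08"),
    ("Voter 05", "Candidate 42"),
    ("Voter 06", "Candidate 17"),
]

_rng = secrets.SystemRandom()  # OS-backed randomness, not the seedable default PRNG


def separate(named_ballots):
    """Step 1: split the named ballots into a names-only list and a ballots-only list."""
    names = [name for name, _ in named_ballots]
    ballots = [ballot for _, ballot in named_ballots]
    return names, ballots


def shuffle(items):
    """Step 2: return a copy in random order so positions no longer correlate."""
    out = list(items)
    _rng.shuffle(out)
    return out


def tally(ballots):
    """Count ballots per candidate; this is what the election result depends on."""
    return dict(Counter(ballots))


def integrity_check(named_ballots, names, ballots):
    """Step 3: nothing lost, nothing added, nothing altered.
    Compared as multisets, because the order is (intentionally) no longer the same."""
    orig_names, orig_ballots = separate(named_ballots)
    return (
        len(names) == len(orig_names)
        and len(ballots) == len(orig_ballots)
        and Counter(names) == Counter(orig_names)
        and Counter(ballots) == Counter(orig_ballots)
    )


def fingerprint(items):
    """Step 4 aid (assumed design): a SHA-256 over the sorted contents, so every
    backup can be compared against the copy that passed the integrity check."""
    h = hashlib.sha256()
    for item in sorted(items):  # sorted: fingerprint independent of shuffle order
        h.update(item.encode("utf-8") + b"\n")
    return h.hexdigest()


def anonymize(named_ballots):
    """Steps 1-4. Returns the two shuffled files and their fingerprints.
    Step 5 (destroying every named copy, including backups, swap and temp files)
    is not here: it is an operational act on the hosting system, and nothing
    this function returns can demonstrate that it was completed."""
    names, ballots = separate(named_ballots)
    names, ballots = shuffle(names), shuffle(ballots)
    if not integrity_check(named_ballots, names, ballots):
        raise RuntimeError("anonymization lost or corrupted data; abort and restore")
    return {
        "names": names,
        "ballots": ballots,
        "names_sha256": fingerprint(names),
        "ballots_sha256": fingerprint(ballots),
    }


def relink(named_copy):
    """What any surviving named copy still yields: the full voter-to-ballot mapping."""
    return dict(named_copy)


if __name__ == "__main__":
    result = anonymize(SAMPLE_NAMED_BALLOTS)
    print("tally from anonymized ballots:", tally(result["ballots"]))
    print("ballots file fingerprint:", result["ballots_sha256"])
    # The input list is still in memory here: this is the copy step 5 must destroy.
    print("a surviving named copy relinks everything:", relink(SAMPLE_NAMED_BALLOTS))
```

The point the script makes is the one in the text: everything up to step 4 is checkable by an observer (counts, multisets, tallies and fingerprints all line up), while the script itself still holds a named copy at the end, and no output it produces can show that such a copy does not exist elsewhere.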
3. The voters’ computers are vulnerable to election rigging malware. There are many examples of very clever viruses and worms, such as the Zeus virus, that have successfully stolen large sums of money from, for example, users’ on-line bank accounts. Specially modified versions of Zeus are even available on the black market. It would be relatively straightforward to modify Zeus to steal an election. As Estonian cryptographer Helger Lipmaa says in his blog:
Voter computers are an obvious problem: most of the people are computer illiterate, and are not able to check if their computers are not infected. Even if they have the newest antivirus (which we can’t be sure of), that antivirus itself might not be able to detect a piece of new malware that has been written specifically for *that* election and is unleashed just before it. (Note: in Estonia e-voting lasts for 3 days.) That malware could do a lot of damage, like hijack the connection between you and the ID card (basically letting the ID card sign wrong votes), between the GUI and what actually happens inside the computer, etc. I would *not* be surprised if such a piece of software was written by a high-school kid.
4. There is an insider threat. In addition to the threat posed by the ability of the project manager to make software updates with no formal procedure, the OSCE/ODIHR Report stated:
“Daily update of the voter register during the voting period as required by the Election Act was performed together with the daily backup of data. The project manager accessed the servers for daily data maintenance and backup breaking the security seals and using a data storage medium employed also for other purposes. This practice could potentially have admitted the undetected intrusion of viruses and malicious software.”
Besides the malware risk, the daily update could facilitate an attack that singled out voters likely to vote for a particular candidate. For example, such votes could be “lost”. There is no way to check.
5. The server is vulnerable to attack. The serious China-based Internet attack on Google and dozens of other companies, disclosed in January 2010, illustrates that even major corporate sites are vulnerable. The attack targeted Google intellectual property, including systems used by software developers to build code, as well as Gmail accounts of Chinese human rights activists. As many as 34 companies – such as Yahoo, Adobe, Juniper Networks, defense contractor Northrop Grumman, and Symantec, a major supplier of anti-virus and anti-spyware software – were targeted. The attacked companies employ large numbers of computer security experts and have considerable security expertise and resources.
Government sites, in the U.S. and elsewhere, are also vulnerable. In a March 2010 talk, U.S. FBI Director Robert Mueller said that the FBI’s computer network had been penetrated and the attackers had “corrupted data.” General Michael Hayden, former Director of the CIA and the National Security Agency, has stated: “The modern-day bank robber isn’t speeding up to a suburban bank with weapons drawn and notes passed to the teller. He’s on the Web taking things of value from you and me.”
Given how insecure the Internet is, it is unlikely that the server receiving the Internet votes in Estonia could resist all attacks coming from another country, political party, individual hackers, etc.
6. The system is lacking in transparency and openness. The OSCE/ODIHR Report states [emphasis added]:
Firstly, the Internet voting project manager tested the software delivered by the vendor. This was, however, carried out without formal reporting. After that, the Cyber Defense League (CDL) conducted an exercise in January 2011 to test the software under given threat scenarios, and produced a report for the NEC that was made available to observers but not to the public. In February, the CDL tested the functionality of the Internet infrastructure under extreme conditions and decided to create a ‘whitelist’ that contained Internet addresses from where legitimate votes could be expected (including embassies abroad).
In a parallel process, a programmer, who was contracted by the NEC, verified the software code. The identity of the programmer and his report to the NEC was kept secret. It was not made available to the OSCE/ODIHR EAM, other observers or political parties.
…. Testing is a crucial exercise to find any deficiencies in the system. The NEC made a substantial effort to test various components of the Internet voting, including by members of the public. However, reporting on the performed tests was often informal or kept secret.
Pihelgas had requested all reports. Recently, he learned that there is no written report of the testing conducted by the project manager. He has also learned that the CDL did not audit the software. Since the CDL report is being withheld, Pihelgas has filed an appeal with the Data Protection Inspectorate. He is hoping to receive a copy of the report.
7. There has been no security evaluation by outside experts. Anyone wishing to review the code or examine the system must sign a Non-Disclosure Agreement (NDA). Several prominent computer security experts have expressed an interest in examining the Estonian system, but none is willing to do so if an NDA is required. One possible exception might be a time-limited NDA that would give the operators of the system time to implement fixes before the report is released.
I want to thank my Estonian hosts for affording me the opportunity to learn more about the Estonian Internet voting system. Thanks also to those Estonians who provided me with technical information about the system, especially Paavo Pihelgas, Priit Kutser, Helger Lipmaa, and Sven Heiberg. Finally, thanks to David Jefferson for his very useful comments.