A longform look at the Estonian iVoting experience and our thoughts on why it’s not feasible here at home.
You may have heard of Estonia’s Internet voting system, which has been up and running since 2005, through seven national election cycles. Estonia is a small European parliamentary democracy, across the Baltic Sea from Finland and Sweden, and bordered on the north by Russia. It is the only country that has a permanent iVoting infrastructure in regular use.
We had the opportunity in D.C. recently to hear from and talk to the creators and implementers of the Estonian iVoting system and we thought you might be interested in what they had to say.
And for our readers who may still be contemplating iVoting, or have been asked by their management or legislature to consider the challenge, we offer our thoughts about how the Estonian experience contrasts with our voting systems here in America.
Oliver Väärtnõu is chairman of the board at Cybernetica, the private R&D lab in Estonia that built the original iVoting system. He appeared December 11th with Siim Sikkut, the information and communications technology adviser to the Estonian Prime Minister, at a gathering of the Digital Diplomacy Coalition, a group of tech-savvy foreign embassy officials in Washington.
Their Internet voting system is based on a national identification card—a “smart” card with an electronic chip that is recognized in Estonia as a legal signature, verified voter ID and device to buy bus fare, file taxes, request government benefits and a lot of other things.
To vote via a computer or laptop, voters need to be connected to the Internet, have their national ID card, a card reader attached to the computer, and the smart-card software. Voters slide their ID card to verify who they are, enter a first PIN code that verifies an individual’s ID, then download a ballot customized for their district, fill it out and then record it with a second PIN code.
(The system is based on a Public Key Infrastructure or “PKI” using digital certificates issued by certificate authorities or “CAs”. If you have been following our blog and read our take on Bitcoin for voting, then you already have some understanding of the issues surrounding PKI for lay people.)
You can also vote with a mobile phone as long as you have the right mobile ID SIM card and your two PIN codes, the second one of which is sent to you via SMS text message.
Casting ballots via the Estonian iVoting system is permitted only from the tenth to the fourth days before an election. During that time you can change your vote as many times as you like, with the last one being the one recorded (an idea you’ve heard us describe in the past as one way to address fears of coercive behavior in absentee balloting—cast as many ballots as you like, but only the last one cast is counted). You can also vote the old-fashioned way at the polling place up through Election Day. That written vote takes precedence; it will cancel all earlier ballots cast digitally. In the most recent national elections 31.4 percent of voters used iVoting. The trend of voters using iVoting has grown steadily in Estonia since its inception in 2005.
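The counting rule just described (internet ballots only in the ten-to-four-day window, last internet ballot wins, a paper ballot cancels any internet ballot) can be written out as a short resolver. This is an added example, not code from Cybernetica or the Estonian system; the field names, the constructed election date and sample ballots, and the choices to treat both window boundary days as inclusive and to let paper win regardless of order are assumptions.

```python
from datetime import datetime

ELECTION_DAY = datetime(2030, 1, 20)  # constructed date, not from the page

def in_ivoting_window(cast_at, election_day):
    """Internet ballots count only 10 to 4 days before election day (assumed inclusive)."""
    days_before = (election_day.date() - cast_at.date()).days
    return 4 <= days_before <= 10

def resolve_ballots(ballots, election_day):
    """Return (counted, rejected): one counted ballot per voter, plus discards with reasons."""
    counted, rejected = {}, []
    for b in sorted(ballots, key=lambda b: b["cast_at"]):
        current = counted.get(b["voter"])
        if b["channel"] == "paper":
            if current and current["channel"] == "paper":
                rejected.append((b, "duplicate paper ballot"))
                continue
            if current:
                rejected.append((current, "cancelled by paper ballot"))
            counted[b["voter"]] = b
        elif not in_ivoting_window(b["cast_at"], election_day):
            rejected.append((b, "outside iVoting window"))
        elif current and current["channel"] == "paper":
            rejected.append((b, "paper ballot takes precedence"))
        else:
            if current:
                rejected.append((current, "superseded by later internet ballot"))
            counted[b["voter"]] = b
    return counted, rejected

def ballot(voter, channel, day, hour, choice):
    return {"voter": voter, "channel": channel,
            "cast_at": datetime(2030, 1, day, hour), "choice": choice}

# Constructed sample ballots (voters A-D, choices X/Y/Z are placeholders)
SAMPLE = [
    ballot("A", "internet", 11, 9, "X"),   # 9 days before
    ballot("A", "internet", 14, 20, "Y"),  # 6 days before, replaces X
    ballot("B", "internet", 12, 8, "X"),   # 8 days before
    ballot("B", "paper", 20, 10, "Z"),     # election day, cancels B's internet ballot
    ballot("C", "internet", 18, 12, "Y"),  # 2 days before: window already closed
    ballot("D", "internet", 10, 0, "X"),   # exactly 10 days before: accepted
]

def final_choices(ballots=SAMPLE, election_day=ELECTION_DAY):
    counted, _ = resolve_ballots(ballots, election_day)
    return {voter: b["choice"] for voter, b in counted.items()}
```

Note that the resolver has to link every ballot to a voter identity in order to supersede or cancel it, which is why the page's concerns about privacy and auditability apply to this step.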
The Estonians, friendly and open, are proud of their system, and it’s useful to note that they were in D.C. to pitch Estonia (where Skype software was first developed) as a great place to do business, particularly digital business, and to sell the notion that Estonia is the furthest along of any country on the planet to becoming a fully “digital society.” Indeed, their national website is e-estonia.com, and they have a new program in which if you do business with Estonia, or have some ties to the country, you can apply for “e-residency,” which doesn’t give you rights to be a citizen, but does get you inside the European Union for commercial purposes.
The hard question, of course, is how secure is Estonia’s iVoting? Various criticisms have been leveled against the Estonia system, not the least of which have been by our own CTO, but also by the University of Michigan in 2014 (Estonia’s system is eminently hackable), the Organization for Security and Cooperation in Europe in 2011 (Estonia’s system has not been examined or reviewed by any independent outside sources), and also in 2011 by Barbara Simons, a good friend of ours with the Verified Voting Project in the U.S. (Estonia’s system has privacy, malware, server vulnerabilities, and lacks transparency and openness). And of course Estonia in 2007 experienced a massive cyber attack, probably from Russia, that nearly shut down the country’s entire Internet system.
Väärtnõu, in response, talked about the security of the PIN codes and the advanced cryptography and Public Key Infrastructure that they use. He also noted that their system, which is not open source but proprietary, has evolved over the years with changes made when needed, and he said the system is constantly monitored for breaches. And no major voting disruption has happened, the two Estonians said. Väärtnõu explained that Cybernetica is open to sharing knowledge but he added that for something so important as voting, open source is just not a good idea (of course we beg to differ for several business, technical and practical reasons and had intellectually honest debates about this during our Stockholm open source summit earlier this fall—hang with me, we address this below).
Sikkut acknowledged that “Sure any system can be hacked, but it would be very, very hard to hack ours.” And he noted, interestingly, that digital security is really an agreement between the host of a system and its user. It’s like a compact, he said, and in that sense, the proof is in the pudding – Estonians are using the system in large numbers, so ipso facto, it is “convenient and secure enough,” to use, he said. Estonia, Sikkut said, is striving for a “balance among accessibility, security, and verifiability.”
Sikkut and Väärtnõu said they welcome criticism, that it “makes us better,” and that Cybernetica has shared parts of its proprietary source code on a nondisclosure basis with select groups of experts and academics for internal comment and criticism. But Sikkut noted that “We get outside criticism because we’re doing something. You always get criticism when you go forward and do something. We’ve done this through seven election cycles. We have a record.’’
Now, Let’s Look at it from the Other Side
OK, they have a record. But let’s look at what makes Estonia unique and not like the United States. Estonia is a small country about the size of New Hampshire and Vermont put together, but with a population even smaller than those two New England states—only 1.3 million people spread across Estonia’s 15 counties. Their elections are administered nationally, not locally (this is a huge distinction). As part of Estonia’s quest to be an all-digital society, it sent out tutors to instruct the portion of its population that was not computer literate. Now, according to Estonian officials, “84 percent of Estonia’s population is computer literate.” (“Query,” as they say in major eastern institutions, what is the definition of “literate” as the term applies here.)
In contrast, the U.S. has 319 million people, over 3,000 counties, and our elections, even our national elections, are administered locally. And in a country of 50 states (plus U.S. territories), we don’t see local elections administrators, states, or localities wanting to give that control up anytime soon. And although it may surprise many of us, the fact remains America still has millions of people who are not regular users of computers and do not have mobile devices or smart phones.
Can you imagine the leaders of either political party stating, “Internet voting is secure enough?” If they did, the other party would attack-dog that like a T-bone steak. We think we can all agree that federalized voting and voting by Internet are simply more untouchable third rails of politics in America.
But the more important criticism is that the Estonian system is not open source. We can’t peer inside and see where it might be vulnerable. And the critiques of the Estonian system from all quarters have been in agreement that it is not transparent and that the Estonians have not been very open about their system. And apologies to all the hard working people in government who spend their lives making government work, but when something goes wrong, the first instinct of many people at the top of government is to, well, cover up, obscure, minimize, or dodge.
As regular readers of this blog know, we believe the opposite of the Estonians. Precisely because elections administration is the most critical infrastructure of democracy, open source is essential. Sunshine, openness, visibility, and transparency are always the best disinfectants for any system that is sick or ailing.
Pardon a minor digression here, but while we’re talking about the merits of closed vs. open software source code, let’s bear in mind a reality: How encryption works is a matter of public knowledge for anyone trained or skilled in the art and science of mathematics. There is nothing to hide in its structure and implementation. Only brute force and ingenious mathematics offer any hope of “breaking” encryption keys. And breaking the keys that the entire commercial Internet relies upon today will still require decades of continuous and enormous amounts of computational cycles to grind away at breaking the algorithms. So, attempting to “hide” or “mask” the encryption processes in closed source serves no purpose of increased security. Clarity and transparency in software design, including how and when encryption is applied, are imperative to making all bugs shallow and all problems quickly identified and addressable.
What’s more, the entire Internet has been and continues to be built and run on open-source software. When something is wrong, a whole bunch of people with knowledge can delve into a problem, identify it and fix it. So, we believe voting systems that are open source are more transparent, more verifiable, more secure and equally accessible.
And we insist that all voting must be verifiable—in fact, under the “VAST” mandate given to us by elections officials, a paper record is mandatory for audit purposes. By contrast, consider that the Estonians destroy their Internet voting records within days of their election. We don’t think that’s a good idea. So, the new elections administration system that The TrustTheVote Project is developing will always have a verifiable, auditable trail for votes cast. We understand the goal of Estonia to become “e” or “i” everything – that might be attainable for a small, relatively homogenous country that sees its economic future as being the digital gateway into the European Union.
But for the United States, a vast, diverse, contentious place with many voting traditions and differences, and polarized voters and elected officials, we say “We’ll pass for now.” Voting by digital means via the Internet is certainly an object on (or just over) the innovation horizon. There remains much to be done for it to work in this country—as matters of technology and policy. We continue to look at proposals and potential, but are focused on a framework, a platform, and more near-term innovations that will both increase confidence in elections and their outcomes, and bring convenience, ease, and dare we suggest, delight, to our civic duty and right to freely and fairly participate in our democracy.
Once we have made available elections administration and voting systems that are more verifiable, accurate, secure, and transparent (VAST), then we’ll put more weight behind pushing the innovation curve on ways to cast ballots outside of polling places, and how to handle absentee ballots by mail or other methods of delivery.