Valimised.ee pealeht
I-voting fact check: myth and reality
Before every election, rumours about i-voting start to circulate that have nothing to do with reality. Below is a selection of some of the most common myths, together with an explanation of how things really are.
Elections managers and the agencies exercising supervision over them are working every day to ensure that elections in Estonia are as secure and reliable as possible. We underline that manipulating election results is a criminal offence punishable by a fine or imprisonment. Therefore, if something seems to be really wrong, you should report it to the police as soon as possible.
✔️ REALITY: electronic votes have valid digital signatures
❌ MYTH: electronic votes have invalid digital signatures
Figure 1 / Figure 2
The electronic ballot box holds the encrypted declaration of intent of the voter along with a file including the digital signature, validity confirmation of the certificate, and time stamp as separate files. These files are kept separate to ensure the integrity of the ballot box. If anyone tries to open the encrypted will of intent and the signature file with the Digidoc4 programme, the text “Signature is not valid” is displayed (Figure 1). This erroneous message is displayed because Digidoc4 expects the information on the signature certificate and the time stamp to be located inside the file containing the signature. In case of need, the State Electoral Office uses a specially developed app which adds a validity confirmation of the certificate and a time stamp to the file containing the digital signature when the e-vote is removed from the e-ballot box. If we now want to look at the Digidoc4 encrypted declaration of intent along with the signature file, the message “Signature is valid” is displayed (Figure 2). All the e-votes are signed in the voter’s computer with an ID-card or mobile-ID and have a time stamp and validity confirmation of the certificates. All data conforming to the asice standard must exist for the container of an e-vote that is sent to processing, but this does not mean that a container verifiable with a Digidoc application must exist in the system at every step of the way. Consequently, the claim that “All electronic votes have invalid signature” is incorrect.
It is possible to reach the mistaken conclusion that all the electronic votes have invalid digital signatures when trying to view an encrypted declaration of intent along with a file containing a digital signature with a Digidoc4 programme, which generates a so-called error message (Figure 1). When investigating why this text appears in the app, it is easiest to first rename the .bdoc file into .zip file (.bdoc and .asice are ordinary ZIP format archive files), open it, and then look at the content of the signatures0.xml file, which reveals that some parameters are missing. For example, the parameter “UnsignedProperties” is missing (information on validity confirmation and time stamp). This could lead to the mistaken assumption that the validity confirmation and time stamp are missing. However, as explained above, the electronic ballot box holds the encrypted declaration of intent of the voter along with a file including the digital signature, validity confirmation of the certificate, and time stamp as separate files, and when the vote is removed from the e-ballot box by a processing app, the validity confirmation information and time stamp are added to the file containing the digital signature, while the parameter „UnsignedProperties“ is added to signatures0.xml, and a new file is generated. If we now want to look at the Digidoc4 encrypted declaration of intent along with the signature file, the message “Signature is valid” is displayed (Figure 2).
For example, the addition is made of <xades:UnsignedProperties xmlns:xades="http://uri.etsi.org/01903/v1.3.2#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> |
It is important to note that the verification app of the State Electoral Office also loads the validity confirmation of the certificate and the time stamp in addition to the e-vote digital signature file.
References
✔️ REALITY: All i-voting operations are monitored in real time by experts and several in-depth audits have been carried out on the functioning of the system.
❌ MYTH: I-voting operations have never been checked by any external experts.
Facts: All i-voting operations are checked each time by internationally certified auditors of information systems. The e-voting system has been thoroughly examined on several occasions, the most recent audit was the process audit commissioned by the Ministry of Economic Affairs and Communications in 2021 and conducted by KPMG. The audit confirmed that Estonia’s i-elections ensure a high level of secrecy of voting, resilience of information systems, strength of security schemes and independence of the voter. I-voting has also been observed and analysed by OSCE Office for Democratic Institutions and Human Rights (ODIHR) observation missions and expert groups in the 2007, 2011, 2015 and 2019 elections. Each time before elections, both i-voting and election information systems are subjected to thorough security tests to check their resilience to cyber attacks.
Anyone who is interested can observe the i-voting procedures, and free training for observers is available before the elections. Within 15 minutes after casting the vote, every i-voter can verify with the help of a smart device if their i-vote reached the electronic ballot box correctly.
References
Observing and audits of i-voting
OSCE/ODIHR Estonian elections reports
Checking of an i-vote
Animations explaining the security systems of i-voting
✔️ REALITY: No political party gains an advantage at i-voting. The decision of the voter is not affected by whether they vote at the polling place or i-vote.
❌ MYTH: I-voting favours certain political parties that get more i-votes than others.
Facts: Kristjan Vassil and Mihkel Solvak, researchers at the University of Tartu, have analysed the behaviour of the e-voters and reached the conclusion that i-voting does not favour specific political parties. The voter makes their decision on the basis of the issues that are important to them and will not change it according to the way of voting.
However, the research shows that the share of i-votes and paper votes received by political parties is influenced by the attitudes of the specific party and its voters towards i-voting. It still does not influence the voting result. People would give their vote to the same candidate and the same political party also when using other ways of voting.
References
Article by Vassil and Solvak
Profile of a typical i-voter (animation in Estonian)
I-voting statistics
✔️ REALITY: The election results will be known on the evening of the election day when all votes cast on ballot papers and i-votes will be counted.
❌ MYTH: The candidates of a certain political party mystically receive several thousand more i-votes overnight.
Facts: The voter’s i-vote goes to the i-vote ballot box in an encrypted or secret form. The voter’s choice is not readable before the opening of the votes on the evening of polling day. At that time, the National Electoral Committee meets. Its members have the parts of the vote-opening key. The key is put together in front of the observers and after that, it is possible to “unlock” the election result. Only then will the result of the i-voting be known and added to the result of the polling places. As almost a third of voters i-vote, the number of added i-votes is significant.
Nobody can manipulate the results of i-voting. This is ensured by the structure of the i-voting process:
- The fact that the voter voted is recorded in the electronic list of voters.
- Each i-vote is also registered by a third party or the Registration Service. This ensures that voluntary adding of i-votes or blocking their reception is visible in the records of i-votes.
- Even after the end of i-voting, it is not possible to add votes to the i-voting ballot box unnoticed, because the i-voting ballot box will be handed over to the State Electoral Office digitally signed and adding or removing votes would change the checksum of the digital container of the ballot box. This means that it is not possible to change the integrity of the data without leaving a clear trace.
References
Animations explaining the functioning of i-voting
Public source code of electronic voting software, verification application, mixing application and audit application
Instructions for checking i-vote with a smart device
✔️ REALITY: All votes (both paper votes and i-votes) will be preserved until all complaints relating to elections have been resolved and the final election results have been declared.
❌ MYTH: I-votes cannot be checked later because they are deleted immediately after the elections.
Facts: Pursuant to the law, all votes have to be preserved until all complaints have been reviewed and resolved and the election results have been declared. This may take a month or more after the elections. Only then, both the i-votes (to be more exact, the key for opening the i-votes) and the paper ballots are destroyed. Declaration of election results means that all parties have accepted the results and after that no disputes will be re-opened.
References
✔️ REALITY: There are no proven cases of massive misuse of i-voting.
❌ MYTH: In social care institutions, the PIN codes and ID cards are taken away from the elderly and used to vote for them.
Facts: Vote buying and violating the freedom of voting in any other way constitute a criminal offence that is punishable with pecuniary punishment or imprisonment. If it is suspected, the police will deal with it. Allegations of collective i-voting taking place in social care institutions have been checked by the police, and the elections managers and the Chancellor of Justice have drawn attention to them. So far, none of these allegations have been proved. Researchers examined the i-voting logs of 2017 elections and found no pattern that confirmed that a large number of older people’s ID cards had been used for voting at the same time.
Elections managers have instructed social care institutions not to store the residents’ ID cards and PIN codes together. The codes must remain in the hands of family members. However, the rumours have had an opposite effect: the family members often also take the ID cards of the residents of social care institutions into their hands. This means that an elderly person no longer has an identity document, cannot identify themselves and cannot vote with a paper ballot. Thus, they are prevented from exercising their right to vote.
If a voter feels that their i-voting process was not secret, they can i-vote again and the last vote cast will count. If that is not sufficiently secure, the voter can go to the polling place and vote with a paper ballot. In such a case, the paper ballot vote will count.
References
Penal Code (Subchapter 3. Offences against Freedom of Election)
Study on the use of biometrics (in Estonian, i-voting logs p. 9-11)
✔️ REALITY: All i-voting operations are mathematically verifiable.
❌ MYTH: One dishonest elections manager is enough to put the results of i-voting at risk.
Facts: It is not possible for the officials of the National Electoral Committee, the State Electoral Office or the Information System Authority to manipulate the results of i-voting. This is ensured by the structure of the i-voting process:
- The fact that the voter voted is recorded in the electronic list of voters.
- Each i-vote is also registered by a third party or the Registration Service. This ensures that voluntary adding of i-votes or blocking their reception is visible in the records of i-votes.
- Even after the end of i-voting, it is not possible to add votes to the i-voting ballot box unnoticed, because the i-voting ballot box will be handed over to the State Electoral Office digitally signed and adding or removing votes would change the checksum of the digital container of the ballot box. This means that it is not possible to change the integrity of the data without leaving a clear trace.
References
Public source code of electronic voting software, verification application, mixing application and audit application
Instructions for checking i-vote with a smart device
✔️ REALITY: The possibility to change one’s i-vote ensures freedom of voting.
❌ MYTH: The opportunity to i-vote several times creates a favourable ground for vote buying and increases the possibility of electoral fraud.
Facts: The purpose of the possibility to change one’s i-vote is not changing one’s electoral preferences but ensuring the freedom of voting. The voter who finds that they could not vote freely or that they do not trust their computer can vote again. The last vote cast will be valid. It is also possible to change one’s vote even after the closing of i-voting by voting with paper ballot at the polling place.
✔️ REALITY: The organisation of i-voting builds on the foundations of Estonia’s digital governance, where ID card based digital services are a natural part of everyday life.
❌ MYTH: No democratic state considers i-voting sufficiently reliable to take it into use.
Facts: Estonia’s digital governance is based on the principle that the ID card, which is mandatory for all citizens, is an means of identification of equal strength in both the digital and the physical world. ID card based digital services, like bank transactions, submitting an income tax return, use of the e-school or visiting the Patient Portal, are also rather unique in the world. I-voting is one of the many electronic services provided by the state in Estonia. Therefore, we can expect that potential technological errors come to light in everyday use.
The organisation of i-voting is still unique in the world because other countries do not have such a system of electronic services like Estonia has. Besides technological solutions, a country needs to have a legislative basis and political will to conduct i-voting.
References
How does electronic identity make life easier in Estonia? (animation)
Identity Documents Act (Chapter 51 “Digital Identity Card”)
✔️ REALITY: Immediately after voting, the voter has the possibility to check whether their i-vote has reached the i-ballot box correctly.
❌ MYTH: The voter has no way of being sure that their i-vote reached the candidate for whom they voted.
Facts: Essentially, the i-vote is a digitally signed file that is sent from the voter’s computer to the i-ballot box. No-one can change that vote and, on the evening of the elections day, it will be counted in the same form. Within 15 minutes after casting the vote, every i-voter can verify with the help of a smart device if their i-vote reached the i-ballot box safely. In order to do that, an i-voting individual verification application has to be updated or downloaded from Google Play or App Store application store. Individual verification application is used to scan the QR-code displayed on the computer screen after casting the i-vote. Checking of the vote is an instrument that enables to verify that the voter’s computer behaves correctly and no malware that may disturb i-voting has been installed there.
References
✔️ REALITY: Each time before elections, the i-voting system is thoroughly updated and tested.
❌ MYTH: The Estonian i-voting environment is using outdated security measures that are not sufficient for preventing modern cyber attacks.
Facts: Before the elections, the i-voting system is updated according to the state of the art knowledge and technological solutions. Cyber security tests are conducted and security measures are audited for the whole system. Each time before elections, both i-voting and election information systems are subjected to thorough security tests to check their resilience to cyber attacks.
✔️ REALITY: Counting of i-votes is subject to strictly regulated and verifiable operations.
❌ MYTH: Voting district committees have at least five members and are politically balanced, therefore the counting of votes can be trusted. Only the persons appointed by the Head of State Electoral Office and members of the National Electoral Committee whose political views are not known are present at the counting of i-votes.
Facts: The i-voting ballot box will be handed over to the State Electoral Office digitally signed, and adding or removing votes would change the checksum of the digital container of the ballot box. This means that it is not possible to change the integrity of the data without leaving a clear trace.
Counting of votes can be verified mathematically. No person present can affect it. Each time, the auditor checks the correctness of the counting certificate issued by the i-voting system by a data audit. The auditor’s reports are published on the webpage valimised.ee.
As in polling stations, observers are also present at the verification of the results of i-voting.
References
✔️ REALITY: I-voting provides also those voters who are abroad the possibility to take part in the elections and saves voters time.
❌ MYTH: I-voting is not reasonable because it does not save expenses or increase voter turnout.
Facts: I-voting saves both costs and time. Researchers of Tallinn University of Technology used the cost of organising local elections in 2017 as a basis and found that i-voting saves more money than any other voting method. The researchers of the University of Tartu have found that if it takes voters more than half an hour to go to the polling place, they prefer to i-vote. The same study also showed that voters who i-vote are more likely to participate in the next election.
It is difficult to assess whether i-voting directly increases turnout. The greatest impact on voter turnout has been in regard to voting in foreign states – people who are travelling or living abroad can vote conveniently. For example, in the 2019 Riigikogu elections, i-votes were given in 143 countries around the world.