WRITTEN ON March 6th, 2007 BY William Heath AND STORED IN Political engagement

The Estonians have published a helpful overview of their e-voting system for the English-speaking lay reader. Extract:

Public key cryptography is used here. The e-voter (application) encrypts his/her choice (the candidate's number) with the system’s public key and signs the result digitally. The votes are collected and sorted, voters’ eligibility is verified and invalid votes are removed (double votes, votes of ineligible voters).

Next the outer envelopes (digital signatures) are separated from inner envelopes (encrypted votes). Voter lists are compiled from outer envelopes. Inner envelopes (which are not associated with the identity of the voter any more) are forwarded to the vote-counter who has the private key of the system. The vote-counter (application) outputs the summed results of e-voting.

The following requirement ensures that the privacy of e-voters is maintained: at no point should any party of the system be in possession of both the digitally signed e-vote and the private key of the system.

Wow. Sounds really cool.

But hang on. This means a central agency checks the signatures in one room, and passes the encrypted votes to another room for counting. Would this work in a “hostile” democracy or one-party state?

I thought the last 20 years had brought some pretty big advances in cryptographic techniques…is this really multiparty security? As the late Mr Brown would say when he fell over during an ecstatic dance: “Help me, people!”
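The double-envelope flow in the extract, and the “two rooms” worry above, as a runnable model. This is an added illustration written for this page; it is not the Estonian system’s software and none of it comes from the linked document. Assumptions: toy 128-bit textbook RSA built on the Python standard library stands in for the real signature and encryption (insecure, used only so the block runs offline); the three-voter electoral roll and the ballots are constructed sample data; on a double vote the later ballot is kept, which the extract does not specify; and the names collect, count, link_votes and run_election are mine.

```python
import hashlib
import random
from collections import Counter

MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_probable_prime(n):
    """Miller-Rabin for n > 37; these fixed bases are deterministic below 3.3e24."""
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_keypair(rng, bits=64):
    """Toy textbook-RSA pair: public (e, n), private (d, n). Insecure; demo only."""
    def prime():
        while True:
            c = rng.getrandbits(bits) | (1 << (bits - 1)) | 1   # odd, top bit set
            if is_probable_prime(c):
                return c
    e = 65537
    while True:
        p, q = prime(), prime()
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:        # e is prime, so this is gcd(e, phi) == 1
            return (e, p * q), (pow(e, -1, phi), p * q)

def _digest(cipher, n):
    return int.from_bytes(hashlib.sha256(str(cipher).encode()).digest(), "big") % n

def encrypt_vote(candidate, system_pub, rng):
    """Inner envelope; 64 random bits are mixed in so two voters who pick the
    same candidate do not produce the same ciphertext (m < 2^80 < n)."""
    e, n = system_pub
    return pow((rng.getrandbits(64) << 16) | candidate, e, n)

def decrypt_vote(cipher, system_priv):
    d, n = system_priv
    return pow(cipher, d, n) & 0xFFFF

def sign(cipher, voter_priv):
    """Outer envelope: the voter signs a hash of the inner envelope."""
    d, n = voter_priv
    return pow(_digest(cipher, n), d, n)

def verify(cipher, sig, voter_pub):
    e, n = voter_pub
    return pow(sig, e, n) == _digest(cipher, n)

def collect(ballots, roll, rng):
    """Room one: has the roll (voter id -> public key) but NOT the system private
    key. Drops unknown voters and bad signatures; a later ballot replaces an
    earlier one from the same voter (assumption, the extract only says double
    votes are removed). Hands over inner envelopes with identity and order stripped."""
    accepted = {}
    for voter_id, cipher, sig in ballots:
        pub = roll.get(voter_id)
        if pub is not None and verify(cipher, sig, pub):
            accepted[voter_id] = cipher
    inner = list(accepted.values())
    rng.shuffle(inner)
    return sorted(accepted), inner

def count(inner, system_priv):
    """Room two: has ONLY the system private key; sees anonymous ciphertexts."""
    return dict(Counter(decrypt_vote(c, system_priv) for c in inner))

def link_votes(ballots, roll, system_priv):
    """What the extract's requirement forbids: BOTH signed ballots and private key."""
    return {v: decrypt_vote(c, system_priv)
            for v, c, s in ballots if v in roll and verify(c, s, roll[v])}

def run_election(seed=1):
    """Constructed election; returns (voter list, tally, insider reconstruction)."""
    rng = random.Random(seed)
    sys_pub, sys_priv = gen_keypair(rng)
    roll, privs = {}, {}
    for vid in ("alice", "bob", "carol"):
        roll[vid], privs[vid] = gen_keypair(rng)
    _, outsider_priv = gen_keypair(rng)         # not on the roll
    def cast(vid, priv, candidate):
        c = encrypt_vote(candidate, sys_pub, rng)
        return vid, c, sign(c, priv)
    ballots = [
        cast("alice", privs["alice"], 1),
        cast("bob", privs["bob"], 2),
        cast("bob", privs["bob"], 1),           # double vote: later one stands
        cast("carol", privs["carol"], 2),
        cast("mallory", outsider_priv, 1),      # ineligible voter: dropped
        cast("carol", outsider_priv, 1),        # forged outer envelope: dropped
    ]
    voter_list, inner = collect(ballots, roll, rng)
    return voter_list, count(inner, sys_priv), link_votes(ballots, roll, sys_priv)
```

collect never holds the system private key and count never sees a voter id, which is the separation the extract’s requirement describes. link_votes is the same data with that separation removed: whoever runs both rooms, or can read both stores, recovers every voter’s choice, which is exactly the concern about a “hostile” democracy raised above. Nothing in the protocol itself prevents that; only the organisational split does.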

5 Responses to “More on this Estonian e-voting system”

Ideal Gov administrator wrote on March 6th, 2007 2:25 pm :

by email I get this:

The Estonian way is the most bone-headedly obvious. It simply depends on trusting the central authority not to cheat or look at who has voted which way. The elaborate protocols developed over the past 20 years have aimed at using very cunning crypto to ensure voting is anonymous but verifiable, or at least that trust is distributed to a number of nodes to make collusion impossible.

See for example

http://lorrie.cranor.org/voting/hotlist.html

http://theory.lcs.mit.edu/~cis/voting/greenstadt-voting-bibliography.html

and the work of David Chaum and Stefan Brands

If you explained the Estonian way to that research community, they would shake their heads and giggle nervously.

Geoff wrote on March 6th, 2007 4:09 pm :

You have to remember that in the UK system all ballot papers are traceable to the voter. So the Estonian system is not that different really.

Richard S wrote on March 6th, 2007 11:33 pm :

What a lovely clear document: I’ll look forward to seeing the UK authorities publish *anything* in such clear English, let alone in Estonian!

However, it concentrates on the electronic security rather than on the overall election process:

As problems in the USA have shown, there are many other factors, and many ways of “distorting” democracy without having to compromise the actual count.

The proposed Estonian system seems to depend on all voters having an ID card, and presumably having registered their current address etc., with all the resulting issues!

The report does accept the possibility of coercion, but still leaves loopholes.

The UK’s quaint pencil & paper system and network of draughty school halls has evolved to provide very effective safeguards:

Rather than automatically changing to an unproven electronic system, the UK should concentrate on solving the fairly minor problems with our current system (e.g. people’s busy, commuting lifestyles; low turn-outs; the effect of powerful media moguls; etc.).

Disclosure: I have the privilege of a “permanent” postal vote, but my vote makes little difference!

Jason Kitcat wrote on March 7th, 2007 2:41 am :

Some thoughts:

* The document linked to in this post is virtually identical to the 2004 overview document: Same diagrams, same number of pages, very very similar text. Was anything new done to the system since then?

* The document is very optimistic about technology, what happens when things go dramatically or mildly wrong isn’t convincingly dealt with.

* Insider collusion is always the most likely source of fraud yet trust of insiders is needed more than ever with an opaque technical system that candidates and citizens can’t observe in a meaningful way.

* It’s true, with a judicial order, British votes can be matched back to voters – this setup is a historical anomaly not standard to the secret Australian paper ballot that we use. Furthermore the failure to provide fully secret ballots breaches the Human Rights Act as well as our human rights treaty commitments to the Council of Europe and the United Nations. Indeed we are being investigated by the Council of Europe due to failings in our electoral system, part of that being that remote voting (e.g. postal and Internet) does not provide secrecy. We should have a proper secret ballot in polling stations, not use our throwback method to justify others ignoring the requirement for a secret ballot.

William Heath wrote on March 7th, 2007 4:03 am :

Received by email:

The difference is that in Estonia everyone’s votes are identifiably recorded on a computer. That makes political surveillance a lot easier than getting access to millions of paper ballots and typing them in.

and this link