Would you want to choose your next president with your phone?

Would you want to choose your next president with your phone?

Summary: In Estonia, online voting is becoming increasingly commonplace, and a way of voting just using a mobile handset isn't far away.

SHARE:

When it comes to e-voting, Estonia has a relatively long history of getting citizens to cast their ballot over the internet.

Estonia started using e-voting (sometimes also called i-voting in the country) during the 2005 municipal elections. Since then, it's been an option for voters in six elections since: in the 2009 and 2013 municipal elections, the 2007 and 2011 parliamentary elections, and the 2009 elections for the European parliament.

The popularity of e-voting has grown rapidly: in 2005's municipal elections, only 10,000 people cast their votes electronically; in the parliamentary elections six years later, over 140,000 did so — which meant one in every four votes was cast electronically.

At the end of October, the country set another e-voting record with the municipal elections: 133,808 voters out of a total of 630,059 voters cast their ballot electronically — that's over 30,000 more e-votes than the previous municipal elections.

Following paper's trail

According to the Estonian National Electoral Committee (ENEC), e-voting in Estonia is based on the method used for traditional in-person voting.

With the latter, the voter has to present their ID documents to verify who they are. Then, they're given a ballot paper and two envelopes. After filling in the ballot paper, the voter puts it inside what's known as the "clean" envelope, which has no information about the voter on. That envelope is then placed inside the second envelope, which has the voter's details written on.

After the government polling staff have checked the information written on the outer envelope and confirmed the individual's eligibility to vote, the inner envelope is taken out and put into the ballot box.

According to the ENEC, this method is used in order to guarantee that the voter's choice is kept secret, while still recording which people in the polling district have voted in order to prevent anyone from voting more than once.

Like other online public services in the country, e-voting in Estonia is based on the country's compulsory ID card.

The Estonian ID card holds two separate public key infrastructure (PKI)-based digital certificates, one for confirming the holder's identity, and the other to allow them to sign documents with a digital signature.

The two certificates contain only the holder's name and their individual code. There are also two associated private keys on the card, which are each securely protected by a unique user PIN — the user can enter one when asked to verify their identity online, the other when they want to digitally sign something. Entering the second PIN is the equivalent of signing a document in person, and it's considered just as legally binding in Estonia.

E-voting in Estonia follows the same pattern as the double-envelope method. In order to vote, an individual downloads the government's e-voting application (there are Mac, Windows and Linux versions), which encrypts the vote — think of the encryption as the inner envelope.

Then the voter will give their digital signature to confirm their choice of election candidate. The digital signature acts effectively as the outer envelope, adding the voter's personal details to the encryption.

How to vote online

There are three different ways to vote online in Estonia.

First, a voter can use their ID card along with their two PIN codes. The voter inserts their card into a card reader (they're available from electronics shops across the country), then opens the government's e-voting website, and downloads and runs the voting application. They can confirm their identity with their first PIN, select their preferred candidate, and confirm the vote with their digital signature by entering the ID card's second PIN. After that, the person receives the confirmation that the vote has been registered on the system.

The second option to e-vote is to use the "digital ID card", similar to a standard ID card but without a photo of the holder on. It's not compulsory in Estonia, as the ID card is, and is just used for online convenience. The digital ID card can be used to confirm the holder's identity online, though not in person, and can also be used to give a digital signature. Using it to vote works in the same way as the traditional ID card.

The third — and the newest option — for e-voting in Estonia is to use both a PC and a mobile device together.

With mobile voting, there's no need for a card reader. Before casting their vote, an individual has to register a Mobile ID with the government using their mobile SIM along with their ID card. They're then sent two PINs in a text message, which they will need to use with the Mobile ID.

To cast their vote, the voter opens the e-voting website, downloads and runs the voting application, then enters their mobile number into the application and confirms their identity by entering their first Mobile ID PIN. The voter can then choose their preferred candidate on their PC, and then types their second PIN into their handset to confirm the choice.

Hopefully, in the near future, an all mobile voting option should be introduced, allowing voters to bypass the PC element altogether.

Advance voting

E-voting is only possible between 10 and four days prior to the actual election day, in order to ensure there's time to eliminate any double votes that come in. 

One interesting dimension to the Estonian e-voting system is that the voter can change an earlier vote by casting a second vote online, or by voting 'manually' at any polling station during the advance polling period. This is the time when those voting aboard or by post cast their ballot, while there's at least one polling station open in every county centre in Estonia, for all individuals to vote regardless of which voting district they live in.

If the individual votes online first and then chooses to go to the polling station and vote there as well, the e-vote is cancelled and the envelope vote is considered their final ballot. All polling stations are given details of any individuals who have cast their votes electronically between the time the advance polls closes and official election day. If any double voting is found, the e-votes are simply cancelled.

To keep the voting as secure as possible, the encrypted votes and digital signatures identifying voters are digitally separated before the end of voting on election day. When the vote counting starts for in-person ballots, the anonymous e-votes are opened and counted too. It's worth mentioning that the system is built in the way that it only opens the votes when they are not connected to the voters' personal data, to keep the ballot secret.

E-voting has, unsurprisingly, raised questions about security. To aid transparency and encourage technical analysis of the system, the Estonian Electronic Voting Commission made the source code of the server side components of the system available for public review a few months before the October municipal elections. Details of the voter-side program remain secret, however, for obvious security reasons.

Because of allegations in recent years that it was possible to manipulate online voting using a virus that tells voters (erroneously) that they've already cast their vote even though it's never counted, in this year's municipal election Android smartphone users were asked to test out a new voting mechanism.

These users could scan a special QR code with their smartphone for a limited time after casting their vote. The code led the voter safely to a special page where his or her choice was shown for a short period of time. It was run as a pilot, and the functionality for double checking that a vote has been cast is likely to become available in 2015.

Further reading

Topics: Government, Mobility, Security

Kalev Aasmae

About Kalev Aasmae

Kalev Aasmäe is a technology and economics journalist, who also writes for the oldest and largest quality newspaper in Estonia, Postimees.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

26 comments
Log in or register to join the discussion
  • That's a good shot...

    ...and as long as everyone is honest, the software implementing it is open source, and the software is installed and configured in the presence of technically qualified witnesses. But it relies on the computer keeping secrets, which has the potential to compromise either secrecy or integrity in the face of a determined attack.

    I still think the only real way to guard against election fraud while simultaneously guaranteeing secrecy is with in-person voting conducted publicly in the presence of witnesses of multiple political affiliations. Traditional absentee voting, properly administered, comes close. The Estonian system might well be good enough in countries and jurisdictions with traditions of clean politics, but probably isn't robust enough to withstand cutthroat tactics.

    BTW, as it is election day in much of the United States, this is a highly appropriate article.
    John L. Ries
    • Please let me edit my posts

      Partial sentences are not good things.
      John L. Ries
  • Enjoyed this interesting description.

    Great article. I'm impressed that Estonia was able to come up with this system before virtually anyone else. This system has a lot of double-checks, making it more trustworthy than many I've heard about.

    Still, I'm not sure it would work in the U.S. because frankly, we can't trust our government or any of our large corporations to run the servers without covertly massaging the results. They've been caught violating election laws far too many times. I could easily imagine the NSA decrypting and altering the packets to prevent the election of officials who wouldn't allow them to continue breaking the law. The NSA has so much dirt on everyone in Washington, that they pretty much get their way, period. Plus, contrary to org charts, the people who actually control the NSA aren't even in the government.
    BillDem
    • Hey, Bill

      I see you still don't have complete trust in the honesty of some individuals or corporations. Good for you. I'm pretty sure Canada is not about to give up on paper ballots any time soon, either.
      bart001fr
    • NSA Snooping...

      With respect to the NSA, rather than tampering I'd be much more concerned that my vote was no longer confidential. Further, I'd be more concerned with local confidentiality than national. While anything is possible, revenge is a very ancient sin (i.e. Cain and Abel). If a neighbor is running for city council and they are also your friend, there would be a lot of unnecessary hard feelings if they found out you didn't vote for them.

      Yes, cameras could be recording what I do at the polling place. Someone could somehow zoom in on my ballot number and later connect those votes to me. However, until AI is born and it's effortless to ask a mechanized, emotionless and ethics-free consciousness to review billions of hours of hidden video at local polling place, I feel paper ballots are safely anonymous. Contrast that with voting by phone where every packet is recorded, decoded and connected with my personal device in some massive NSA database.
      robradina9
    • ID cards and more

      We lack an infrastructure secure enough for this, and it would take ID laws far more intrusive than those now being contested.
      ka5s
  • Just let those who pay income tax vote for president.

    Put in a checkbox in turbo-tax.

    If you have no income tax liability, the box is just greyed out.
    everss02
    • For starters...

      ...you'd need to get the 24th Amendment repealed (it specifically prohibit states from disenfranchising citizens for failing to pay a tax). Then you'd need to persuade the legislatures of all 50 states to delegate to a private corporation the authority to determine who is and is not allowed to vote, and Congress to do it for the District of Columbia and the territories.

      This one isn't happening.
      John L. Ries
      • Correction

        The 24th Amendment bars tax requirements for voting in federal elections, but since under Article I, the qualifications for voting for members of Congress are the same as those for voting for members of the "most numerous branch" of the state legislature, it's highly unlikely that states would create different requirements for voting in state elections than in federal ones, and in any case, a subsequent Supreme Court decision barred disenfranchisement in state elections based on failure to pay a poll tax (Equal Protection Clause of the 14th Amendment).

        Again, this one isn't happening.
        John L. Ries
        • They could vote for state elections

          they would likely be paying at least sales tax to the state.
          everss02
          • And who keeps track of sales tax expenditures?

            Besides, it's a moot point under current Supreme Court precedent. And in any case, such a requirement couldn't apply to elections to the lower (or only) house of the state legislature which under the Constitution are required to have the same franchise as Congressional elections.

            And it's highly unlikely that any state would maintain more restrictive requirements for voting in state or local elections than in federal ones, and in practice, none has since before the Civil War (except for some failed attempts to retain the poll tax in the 1960s that were quickly struck down by the courts).
            John L. Ries
    • Please explain.

      Please explain what you mean by liability in this case. Suppose an individual has paid all his taxes due, he then has no liability. Does that take him out of the voting block? Or how about the many hundred of deceased voters who still have estates which pay taxes. Are they blocked from voting? Why? They have tax liabilities, probably for years to come, some of them into the next century. Why should they be barred from voting? Or naming a proxy to vote for them?
      bart001fr
      • simply

        We declared independence from GB because of taxation without representation, representation without taxation is just as appalling. Unless we go back to not having an income tax that is.
        everss02
        • We declared independence from GB for lots of reasons

          Reread the Declaration of Independence. Interestingly enough, there is no allegation that King George or his ministers were plotting to extend the franchise in the colonies (and they were the last people who would have wanted to do so).

          Would you favor exempting the District of Columbia from federal taxes as it has no voting representation in Congress? It would be one way to encourage people to move back to the District from the suburbs.
          John L. Ries
          • Also...

            ...would you favor enfranchising non-citizens who do pay income tax? There are quite a few of these (some of them here illegally).
            John L. Ries
        • Besides...

          ...would you really want to give Congress the authority to disenfranchise people by exempting them from the federal income tax? Or allow states to do so with their taxes?
          John L. Ries
          • 43% didnt pay any income tax last year

            I'd like a flat tax no credits/deductions or a consumption tax replacing all the IRS/tax code
            everss02
          • I might accept that

            But it doesn't and shouldn't have anything to do with the franchise.

            I do find it amazing that so many anti-tax Conservatives are eager to increase the tax burdens of the lower classes. I guess we need to spend some time figuring out who can afford to pay what and which, if any of those deductions are really in the public interest.

            Or maybe we just drop out of the WTO and raise tariffs to whatever rates maximize revenue.
            John L. Ries
  • You need a paper trail

    When things go wrong, you need that paper trail to recount the votes.

    eVoting doesn't have this.
    Vbitrate
  • Lots of problems that may not be stoppable.

    Unless each state can come up with a foolproof plan to issue each registered voter with an unique code, I can foresee 270 plus people (or one very active person) voting from the same house on the same phone. Based on what's been happening in Washington lately with government created computer programs....I have very little faith that any government can create a reliable program to count the inventory of rubber bands in the basement supply store accurately.
    LeSpot