An Independent Assessment of the Procedural Components of the Estonian Internet Voting System

Working Paper 6 -- Cyber Studies Programme Working Paper Series in Department of Politics and International Relations, University of Oxford

12 Pages Posted: 29 Oct 2016

See all articles by Jason Nurse

Jason Nurse

University of Kent; University of Oxford

Ioannis Agrafiotis

University of Oxford

Arnau Erola

University of Oxford

Maria Bada

Cambridge Cybercrime Centre

Taylor Roberts

University of Oxford

Meredydd Williams

University of Oxford

Michael Goldsmith

University of Oxford

Sadie Creese

University of Oxford

Date Written: October 24, 2016

Abstract

The I-Voting system that was designed and implemented in Estonia in 2005 is the first Internet voting system to have been adopted anywhere in the world. Since its inception, it has been met with both praise and scrutiny. Concerns include in-person election observations, code reviews, and adversarial testing on system components. As a result of these concerns, some parties have concluded that there are various ways in which insider threats and sophisticated external attacks could compromise the system’s integrity and thus the voting process.

This paper examines the procedural components of the I-Voting system, with an emphasis on the controls related to procedural security mechanisms, high-level operational security aspects, and system transparency measures. The methodological approach is based on both primary and secondary data sources, including interviews with key Estonian election personnel, in order to determine the extent to which the present controls mitigate the security risks faced by the system.

This study makes three main arguments. First, we found procedural controls to be fundamentally important to the design of the I-Voting system. While these mechanisms go a long way toward preventing cyberattacks, problems in the system still exist. For instance, some security situations appear to be addressed in informal ways which rely heavily on the knowledge, experience, and professional relationships between officials. Second, in terms of operational controls, we were generally impressed by the state of the controls adopted, particularly the incident handling processes during elections, as well as checks and investigations during and after elections. Our main concern regarding resilience is the increasing potential for more highly sophisticated attacks. As time progresses, attackers will naturally become stronger, and the system will have to adapt in order to accommodate this evolution. Third, the system’s transparency measures have had a noteworthy impact on building confidence and trust in the I-Voting system, both locally and internationally. Challenges still exist, however, especially pertaining to the difficulty in running voter awareness campaigns, as well as increasing voter usage of transparency measures.

Keywords: internet security, cyber, e-voting, human factors

Suggested Citation

Nurse, Jason and Agrafiotis, Ioannis and Erola, Arnau and Bada, Maria and Roberts, Taylor and Williams, Meredydd and Goldsmith, Michael and Creese, Sadie, An Independent Assessment of the Procedural Components of the Estonian Internet Voting System (October 24, 2016). Working Paper 6 -- Cyber Studies Programme Working Paper Series in Department of Politics and International Relations, University of Oxford, Available at SSRN: https://ssrn.com/abstract=2858336 or http://dx.doi.org/10.2139/ssrn.2858336

Jason Nurse (Contact Author)

University of Kent ( email )

CT2 7NP
United Kingdom

HOME PAGE: http://https://www.cs.kent.ac.uk/people/staff/jrcn/

University of Oxford ( email )

Mansfield Road
Oxford, Oxfordshire OX1 4AU
United Kingdom

Ioannis Agrafiotis

University of Oxford ( email )

Mansfield Road
Oxford, Oxfordshire OX1 4AU
United Kingdom

Arnau Erola

University of Oxford ( email )

Mansfield Road
Oxford, Oxfordshire OX1 4AU
United Kingdom

Maria Bada

Cambridge Cybercrime Centre ( email )

15 JJ Thomson Avenue
William Gates Building
Cambridge, CB3 0FD
United Kingdom

Taylor Roberts

University of Oxford ( email )

Mansfield Road
Oxford, Oxfordshire OX1 4AU
United Kingdom

Meredydd Williams

University of Oxford ( email )

Mansfield Road
Oxford, Oxfordshire OX1 4AU
United Kingdom

Michael Goldsmith

University of Oxford ( email )

Mansfield Road
Oxford, Oxfordshire OX1 4AU
United Kingdom

Sadie Creese

University of Oxford ( email )

Mansfield Road
Oxford, Oxfordshire OX1 4AU
United Kingdom

Do you have a job opening that you would like to promote on SSRN?

Paper statistics

Downloads
39
Abstract Views
472
PlumX Metrics