SBN

Could Estonia Be the Model for Secure Online Voting?

As we head into October 2020, everyone is talking about election security from various perspectives.

Back in June, this blog explained how election security has become a top issue. Since that time, the focus and political posturing by governments, the media, cybersecurity pros and both political parties has only increased, with a special scrutiny on voting by mail.

Another Election Perspective: Estonia

But taking a big step back and putting the November 2020 presidential election aside for a moment (which is hard to do, I know), some experts are already looking around the world for the answer to the simple questions: How can we do secure voting better? Where is the best model to follow? Can we bring elections into the 21st century?   

Back in early 2019, Time published an article entitled “What the U.S. Can Learn About Electronic Voting From This Tiny Eastern European Nation.” Here’s how it opens: “On Sunday, when citizens of the tiny Baltic nation of Estonia go out to vote for their next parliament, many of their compatriots will have already voted — from the comfort of their own homes.

“That’s because Estonia is the world leader in electronic voting. Since 2005, Estonians have been able to cast their ballots from a computer with an Internet connection anywhere in the world. The government says 30 percent of Estonia’s population of 1.3 million people use the system, and that its simplicity helps save the country a total of 11,000 working days each election year.”

Meanwhile, VentureBeat recently added this piece to the dialog: “What Estonia could teach us about internet voting in a post-pandemic world.” The article explains that “while the United States grapples with controversy over electronic voting machines and mail-in ballots, Estonia has created a remote voting system that could address many of the concerns about elections in a post-coronavirus world.

“Refined over more than 15 years, Estonia’s i-Voting system allows citizens to vote from home on their computer using a government-issued smart card. The system is currently used by 46.7% of the population, a figure that has steadily risen over the years.”

Introducing Joseph Carson from Thycotic

Back in 2017, I interviewed Joseph Carson for this blog on security metrics and failing security grades.

Fast-forward more than three years, and Carson is still with Thycotic as their chief security scientist (CSS) and advisory CISO. His background is beyond impressive in the global security industry, and he is a sought-after expert on numerous cybersecurity topics at global events.  

I have been on several event panels with Joseph, and we always have a fun and fascinating conversation. He is very smart, with great stories and an ability to make complicated technology topics easy to understand. He is also a wonderful person whom I can talk to for hours on most tech, security and organization-culture issues.

So when the time came to think about voting in Estonia, there was no one better to talk to than Joseph Carson, because he currently lives there.

 

Dan Lohrmann (DL): Describe the journey for digital elections (voting) in Estonia over the past decade.

Joseph Carson (JC): Internet voting (aka digital elections) was first introduced back in 2005 with a mix of excited thought leaders embracing the change along with some skeptics on shifting to a digital path always finding possible reasons on why it is a bad idea. Estonia has always been thinking outside of the box and challenging the norms, although with every new technology you will always have bumps along that journey and it is how you respond that differentiates you from the pack. 

Estonia’s path really transitioned the government from being a traditional government to being one that is closer to being a service provider, as it is all about providing services to the citizens. Making that service as easy as possible and inclusive of everyone is the ultimate goal. 

The introduction of Internet voting was a normal addition to the ever-increasing digital services that Estonia already had, such as online tax returns, which made tax returns easy and could be completed in minutes, to online digital banking, which made transactions seamless and quick and reduced fraud. Choosing the next government officials via the Internet, however, was always going to be controversial as many other countries had skeptics on the threats from cyberattacks and security of the voting. The goal was never to make Internet voting the only option, but to provide as many options as possible to citizens to vote.

Extending voting to those that found in-person voting difficult, such as those in remote locations, those with health issues, night shift workers, busy parents to those who travel frequently, was about increasing citizen participation and getting to a true democracy that everyone knows could have an impact on their future. The foundation of the voting process was critical to the success. Estonia realized very early that digital identity, digital signature, and time and data integrity were critical components to making it all possible. The move to Internet voting brought some exciting new advantages that included the ability to change your vote multiple times — but only your last vote actually counts — along with fast, automated counting so the results are quick.   

DL: What problems has Estonia overcome during this journey?

JC: Over the years, Estonia has been using encryption to secure the voting and blockchain to enable data integrity for non-repudiation, along with digital signatures to enable only authorized voters to vote. As with everything, technology is created by humans and will continue to have vulnerabilities, as Estonia has experienced a few times over the journey of Internet voting. This raised the skeptics again to push for a return to the “good old ways,” which honestly was a system of control and exclusion, which is not a true democracy of delivering services to citizens. 

I am originally from Belfast, and even when I was growing up, education was not an opportunity — it was all about where you were born, which for many countries is the same as for voting. In Estonia, the vulnerabilities mean a major review of the systems, and rather than removing innovation, Estonia has embraced technology and found ways forward. 

Estonia was also the victim of a cyberwar back in 2007 that saw it become the target of major cyberattacks, which also identified several challenges with being a pioneer in a digital society. But again, Estonia embraced the challenges and again technology innovation was the way forward. Estonia introduced data embassies that reduce the impact and threat from cyberattacks, truly making Estonia a real digital society and e-government. This data embassy idea also was the foundation of Estonia introducing e-residency.   

DL: Can anyone vote online in Estonia today? What other voting channels are possible?

JC: Not anyone can vote online in Estonia. You must be a naturalized citizen or resident, and that only determines which type of election you can vote in, such as local, parliamentary, EU elections, etc. However, a digital identity enables you to vote online, as well as use many other digital services. 

Internet voting is not the only option, and citizens can continue to use postal ballots or in-person voting, but Internet voting typically represents around 30 percent of votes. However, in the current pandemic and with several major elections coming soon, the positive side is that Estonia can continue offering a safe option for citizens to vote, reducing the possibility of putting people at risk by forcing them to go to polling stations and risk their health or, even worse, death.     

DL: What do you see as the major differences in voting in Estonia versus the U.S.? Are digital IDs key?

JC: The major difference in voting is that the U.S. is very decentralized, meaning it is up to each state to determine how the voting takes place.  Though I do see the U.S. being decentralized as a positive, meaning it is more difficult to target via a direct hacking of the voting systems. If the U.S. were to take a similar approach as Estonia does, it would likely have to start at a state level, and again the critical foundation is both digital identities and digital signatures. 

My prediction is that if the U.S. was to be a pioneer and become a true digital society, it could potentially save US$1 trillion per year by significantly reducing wasted time.

DL: You mentioned people can vote twice (or change their mind) in Estonia. How does that work? 

JC: In Estonia, you can vote digitally several times up to three days prior to the election closing. But as voting is tied to your digital identity, only your last vote counts, and if you want to change your vote before the election closes, then you can also go in person and vote. But again, only the last vote cast is counted.

DL: How does Estonia anticipate and defend against hackers or others who may try to disrupt elections?

JC: Estonia has really focused on the digital society and reducing the risks from cyberattacks, though as with all nations we are facing an ever-increasing disinformation threat that at the moment is the major challenge.

DL: Where do you see Estonia going next regarding voting over the next five years?

JC: Estonia is moving forward with more digital services, including more automation, which will see autonomous transportation and AI being used to deliver more services to citizens. 

 

Closing Comments

Recently I appeared on Mike Gruen (from Cybrary) and Joseph Carson’s “401 Access Denied” podcast, and we discussed U.S. Election Security. You can see that episode here and gain a sense of the personalities and issues:

Regardless of your political viewpoint, I urge you to get involved in helping to educate others on the election processes in your jurisdiction. Learn what’s allowed and what voting alternatives are available to stay safe during this pandemic.

Most of all, please take the time to vote in whatever manner works best for you. It is a privilege to have free and open elections.  

Looking for the latest gov tech news as it happens? Subscribe to GT newsletters.