
In Estonian parliamentary election, 44% of the votes were cast online - atlasunshrugged
https://www.zdnet.com/article/online-voting-now-estonia-teaches-the-world-a-lesson-in-electronic-elections/
======
deogeo
"The system has been designed to ensure that voters' computers are not
infected by any kind of malware that could change or block their vote."

I'm sure this cannot be subverted by an attacker with the resources of
USA/China/India/.., or with access to the supply chain from the chip fab
onward (don't forget about malware hidden in USB cables!), or or,...

And you'd have to be _dead sure_ , because, unlike with physical votes, there
will be few-to-none signs of subversion. You can vote physically, but what do
a few physical votes matter when the attacker can change the vote of 30, 50,
70% of the population.

And how do you change the system, when all parties promising to do so can't
get enough votes?

Edit: Example of what a voting system must be resistant against:
[https://www.schneier.com/blog/archives/2018/03/adding_backdo...](https://www.schneier.com/blog/archives/2018/03/adding_backdoor.html)

~~~
tim333
>few-to-none signs of subversion

You could make it so you can view your vote and check it was registered the
way intended. If you voted A and it came out B that would be a sign.

~~~
pedrocr
Now you can demonstrate to anyone what you voted. That's how you get people
selling votes. In any reasonable election system you need to be able to be
sure your vote is being counted without at the same time being able to prove
who you voted for. The demands of voting are incredibly unsuited to digital
systems and definitely to any online voting. For every layer of extra
complexity you add there's either a way to subvert it to break another of the
essential guarantees of voting or to use it to DoS your election.

~~~
runarberg
Say I sell my vote. The person picks a party I don’t agree with. I will simply
vote for them anyway in the prelimenaries, screengrap my proof, and send to my
customer.

I can do this multiple times. Each time I void my previous ballot, betraying
my previous customer.

Then comes election day, then I show up in person and cast a physical ballot
for the party that I favor. As a buyer, my customers have no way of knowing I
didn’t void the preliminary ballot by showing up on election day.

Note that frauding vote buyers this way is also possible in most election
systems that have non-digital preliminaries.

~~~
pedrocr
I can't see a way of that working without breaking down somehow:

\- If every time you vote you get a receipt for that vote that can be checked
if it's still valid then you can send that receipt to the buyer and he can
then check that your vote is still according to his purchase \- If you can
only check that the receipt was registered but not if it's still valid you
can't check that your vote was correctly counted because you don't know if the
vote has been changed after in multiple possible ways \- If you can check that
the vote actually is for candidate A at any time you can sell that access to
the buyer for him to confirm \- If the only way to avoid all this is to also
cast an actually secret vote on election day the buyer now just needs to make
sure you don't go to the polling place. Posting spotters at the door is not
too hard.

I don't see a way for you to actually be able to confirm your vote was counted
and not having at the same time the ability to sell your vote in a verifiable
way. Perfect verification isn't needed either. If you're selling your vote to
the mob you'll have second thoughts about failing to deliver. If you make the
process easier "honest" sellers will create the market.

> Note that frauding vote buyers this way is also possible in most election
> systems that have non-digital preliminaries.

Most I know are actually harder because you only get the single mail-in ballot
so you can't do the double or triple voting. If you can show up on the day and
invalidate your mail-in then part of same can be done. Depending on how the
invalidation of the mail-in is done it can be even sketchier. But I don't
consider mail-in and absentee paper votes to have enough security guarantees
either way. Paper ballots, in a box, counted by adversaries is the gold
standard. Everything else has a high burden of proof.

~~~
runarberg
Iceland doesn’t have e-voting, but they do have absentee voting. You can vote
as often as you want during the absentee ballot, and your most recent will
count (or none if you also show up during election day). If you need to
physically be present to make sure your agent does’t show up during election
day, buying enough vote to sway any election is going to be hard. I suppose if
you are a part of a larger organization, you can post several spotters around
every voting station. But that will increase the chance of them being spotted
and spoofed by the police.

~~~
pedrocr
> I suppose if you are a part of a larger organization, you can post several
> spotters around every voting station. But that will increase the chance of
> them being spotted and spoofed by the police.

It's easy enough to deploy spotters without being found out. Just deploy
spotters as exit pollers, they're already part of any modern election :)

~~~
runarberg
Exit polls are not done everywhere, and in some countries they are even
illegal. Just make soliciting around poll stations is illegal and the problem
is solved.

~~~
pedrocr
Eliminating exit polls seems like a really bad idea. They're one of the only
ways to validate an election system that doesn't depend on the system itself.
When you have wild discrepancies, particularly in some precincts, you know to
investigate. And it seems you'd want that particularly when you've implemented
a complex electronic voting system.

And thinking about it some more the Estonian system seems perfect for vote
selling. You just provide your ID card and PIN in the last day of early voting
and get it back the day after the election. The buyer can vote in your name
and hold your ID card to make sure you can't vote in the booth.

~~~
runarberg
You might be right about the exit polls. Perhaps this can only be applied in
countries that have strong independent monitors (which Estonia should have
being an EU member). Regarding vote selling, I don’t know how it is in
Estonia, but in Iceland voter ID is pretty lax. You can provide an ID in the
form of passport, drivers license, bank issued debit cards, etc. As a buyer I
have no way of knowing if I'm witholding all possible IDs from my agent since
they might have several debit cards from several banks, more then one passport
(through dual-citizenship), etc.

------
HarryHirsch
That is worrying. How do you know that the voter could vote freely and didn't
sell their vote? Corruption around vote-selling is a concern in certain ethnic
enclaves in Britain, and there were even elections annulled over that. The
foremost concern shouldn't be convenience, it should be that the vote is safe
and secret.

~~~
pytester
>That is worrying. How do you know that the voter could vote freely and didn't
sell their vote?

Historically, vote buying in the UK and the US used to be rife until it was
cracked down upon (which came after it was made illegal). Once that happened
it _completely_ disappeared.

For voters to sell their votes, somebody needs to advertise that they are
willing to buy their votes. That advertisement makes them easy to detect,
track down and prosecute.

Vote buying doesn't worry me in this system but hacks certainly do. It gives
the impression of being a very insecure system.

~~~
bryanrasmussen
yeah but part of cracking down on vote buying has to do with making it
difficult to track if you actually did vote for who you said you would, with
online voting it becomes totally possible to track you did the vote, give it
to the guy who has promised to pay you, forgive your debts, the debts of your
son, not beat you up, allow you to keep your job etc. etc.

~~~
pytester
>yeah but part of cracking down on vote buying has to do with making it
difficult to track if you actually did vote for who you said you would

That isn't necessary to prevent vote buying. Vote buying is _easy_ to detect
because advertising in secret is impossible. All that's required is the
political will to look for people wanting to buy votes and come down hard on
them when they're detected.

Moreover, if you _do_ do away with the ability to track then you open up the
electoral system to _other_ forms of abuse that _can 't_ be trivially
eliminated with police and stiff sentences.

>it becomes totally possible to track you did the vote, give it to the guy who
has promised to pay you, forgive your debts, the debts of your son, not beat
you up

If I were to define "secretive electoral fraud that could never possibly
scale" I would define it as "I promise not to beat you up if you vote for me".

~~~
bryanrasmussen
how far did Tammany Hall have to scale?

How big is Estonia?

Do you think every election ever held that can be worth money and power is the
size of the U.S National Election?

As far as the political will to come down on people for vote buying or
intimidation etc. I'm sure that making things illegal when there is a profit
to be made at doing it has always succeeded in driving that illegal thing out
of existence without any untoward effect on society whatsoever.

I mean definitely making it not worthwhile to buy votes because you will not
be able to tell if you got what you paid for seems a more foolproof strategy
than make it possible for people to determine what they paid for but threaten
to throw them in prison if they do.

on edit: corrected second use of word money to power.

~~~
pytester
>How big is Estonia?

Are you saying that it's small enough that you can sway the election by
threatening to beat up every voter?

That's a brave claim.

>As far as the political will to come down on people for vote buying or
intimidation etc. I'm sure that making things illegal when there is a profit
to be made at doing it has always succeeded in driving that illegal thing out
of existence without any untoward effect on society whatsoever.

there is ZERO profit to be made in vote buying if you are thrown in prison
after purchasing your 9th vote. You'd have to be enormously stupid to even
_try_.

that's why vote buying doesn't exist. that's why it's not like drugs. It's not
because you "can't tell people" who you voted for. It's because it's trivial
to detect, easy to crack down on and there's _nothing_ to be gained by risking
it. The only time when there _was_ something to be gained by doing it, it was
because it was COMPLETELY LEGAL.

Let me repeat that: the only time in history it was ever a problem, it was
because it was LEGAL.

I want _proof_ that my vote counted because that helps protect against the
kind of threats which DON'T disappear just because they're made illegal. I
don't need people like you telling me that I'm not responsible enough to get
proof because I might sell it.

~~~
bryanrasmussen
>Are you saying that it's small enough that you can sway the >election by
threatening to beat up every voter?

>That's a brave claim.

No, generally the way it works is letting the word get out that if people vote
for X you will come kick their ass later. For example if go beat up vocal
supporters of X before the election and shout we're going to kill you if you
vote for X, we know who votes for who because our hackers can see it online
fools. Then people might be, oh I don't want anyone coming by my house and
kicking my ass after X wins. So I will either not vote, or I will vote for Y
so I don't get my ass kicked or even killed, sob.

If we think you voted for X and we come by your house you better be able to
convince us you voted for Y! That actually scales pretty good because you only
have to publicly hurt a few people before the election, and then hurt a few
people after the election if X actually loses so the next election people will
be well I better vote for Y and prove I did it. And people now have to
actually vote for Y and show they did.

For example, take the following paper into consideration
[https://www.aisre.it/images/old_papers/MafiaViolence_Oli&Sbe...](https://www.aisre.it/images/old_papers/MafiaViolence_Oli&Sbe.pdf)
and then think, huh what would it be like if they could tell who voted for
whom?

I mean the thing you're saying about the only time people ever bought votes
was when it was completely legal, maybe that was true - was it also possible
to prove who you voted for? I mean I don't know what you are actually
referencing with your completely legal vote buying line but the implication
that people would not buy votes to get power seems if it were illegal to do so
seems incredibly silly given all the other illegal things people do to get
power.

------
gardaani
Usually online voting supporters say that it would increase voter turnout. It
seems that it hasn't happen in Estonia: 64.2% in 2015 and 63.7% in 2019
[1][2].

Also, I am a bit worried that online voting might give young tech-savvy people
an advantage over old and poor people who don't have access to computers or
mobile phones. Has there been studies about demographies in these elections?

[1]
[https://en.wikipedia.org/wiki/2015_Estonian_parliamentary_el...](https://en.wikipedia.org/wiki/2015_Estonian_parliamentary_election)
[2]
[https://en.wikipedia.org/wiki/2019_Estonian_parliamentary_el...](https://en.wikipedia.org/wiki/2019_Estonian_parliamentary_election)

~~~
sccxy
Online voting statistics are available here:
[https://www.valimised.ee/en/archive/statistics-about-
interne...](https://www.valimised.ee/en/archive/statistics-about-internet-
voting-estonia)

Same smart card is used every online service in Estonia. 96% taxes are done
online.

So online voting is not something new for older people. It is just like every
other online service.

------
antris
Essentially, Estonia gives 44% influence of their country to a system that
cannot be verified to have almost any relation to what people actually have
voted for. The people have will just look at the results and have to think
"well, I hope weren't hacked this time" and move on.

Rest in peace, democracy in Estonia.

~~~
dekrg
>The people have will just look at the results and have to think "well, I hope
weren't hacked this time" and move on.

Well, no they the main proponents of e-voting figured a long time ago that
it's easier to eliminate those concerns using propaganda. For example if you
are against e-voting media will brand you as a backwards russkie who hates
Estonia.

~~~
dcbadacd
I'm not a supporter of i-voting, but it is true that most of the "concerns"
given are pure FUD/bullshit. Studies that consider guest WiFi password being
vital information, studies that collate e-voting and i-voting and a lot of
other shit I can't recall at the moment.

But the very __basic __problems are not talked about, namely: * Votes should
be counted by independent parties while preserving anonymity * Certificate
issuance should be actually monitored by CT logs, every vote that is not in a
CT log is dismissed and logged * Voting code should be actually readable and
audited (only opsec has been audited so far)

There are a few other problems but I've forgotten them for the time being.
These are the problems we should be talking about, not some bogus like, "Omg
how can ten grannies vote quickly online".

------
xorcist
Here's a video on an interesting talk about Estonia's e-voting system:
[https://youtu.be/PT0e9yTD2M8](https://youtu.be/PT0e9yTD2M8)

(Spoiler: Opsec fails begins at 42 min. But watch the whole thing, it's
interesting.)

It might be prudent to point out that Estonia is one of the better e-voting
systems. Voters can override their e-vote with a regular one on election day.
However that just means that other systems are mostly even worse.

~~~
nelsonic
"Video unavailable This video is no longer available because the YouTube
account associated with this video has been terminated." :-(

~~~
xorcist
Thanks, link fixed.

------
selune
Wasn't it compromised a few years ago?

[1] [https://edri.org/estonian-eid-cryptography-
mess-750000-cards...](https://edri.org/estonian-eid-cryptography-
mess-750000-cards-compromised/)

~~~
dcbadacd
Those certificates were replaced and/or revoked.

~~~
patall
They have also changed the wifi password that they had made public in one of
their youtube videos via a note on the wall. (Sure, it was the guest-wifi but
still)

------
JDiculous
All these "e-voting can never work" comments just scream ludditism. Estonia
has already demonstrated that it works, we have online banking and
cryptocurrencies worth billions of dollars in market cap, and people want to
say it's not possible. Yeah, ok. Feel free to express your views, but don't
pretend to represent the software engineering community.

~~~
antris
Online banking and cryptocurrencies are not equivalent technologies. Just
because you can solve those problems with software doesn't mean you can solve
every problem in the world with software.

~~~
JDiculous
Yes they are not equivalent, my point is that if we can handle money online,
there's no reason that voting can't. Bitcoin's market cap is something like
$80b, yet nobody has ever hacked it.

------
positivejam
Relevant Computerphile episode (w/ Tom Scott):
[https://www.youtube.com/watch?v=w3_0x6oaDmI](https://www.youtube.com/watch?v=w3_0x6oaDmI)

------
DocG
Although not witout issues, the overall trust seems to be pretty high for
e-voting(and voting numbers confirm it). And when voting, papervote always
triumps digital one as last resort.

I also think this is one thing that also gets more young people to vote. They
are familiar with technology and so used to doing everything online. For
example I would have not voted for the last couple of elections if digital
voting would not have been available.

------
rcdmd
Think of what this means for voter representation. You just made it much
easier for people with computer access to vote, compared to those without who
still must trek to the polling place. I doubt the demographics represented in
this vote were the same as the last comparable one.

~~~
Etheryte
I think you have it the wrong way around. This actually improves voter
representation. It's now a lot easier for people with disabilities, the
elderly, etc to cast a vote — they don't have to organize transport, they can
just vote from home. Getting people to actually go to the polling stations and
cast a vote is something that all democracies struggle with to a certain
extent, this helps alleviate that issue.

------
markus_v
It is a pretty smooth system. Voting in the last elections took me about 60
seconds.

Also, no method of voting is ever going to be 100% safe. It's not like there
haven't been any unfair elections using paper ballots.

~~~
muthdra
It's not about being safe, it's about being provably shareable. When the
option of privately sharing your vote is there, it doesn't take long before a
malicious candidate forces you to do it or face consequences.

See Halter Vote:

[https://books.google.com.br/books?id=7gPvCgAAQBAJ&pg=PT144&l...](https://books.google.com.br/books?id=7gPvCgAAQBAJ&pg=PT144&lpg=PT144&dq="halter+vote"&source=bl&ots=O9UgXdXDQ2&sig=ACfU3U0p9AJLdrZvNb6uA8UKRj4XPKXIvw&hl=pt-
BR&sa=X&ved=2ahUKEwjAntHUu_jgAhWrK7kGHWs1CEAQ6AEwB3oECAUQAQ#v=onepage&q="halter%20vote"&f=false)

[https://translate.google.com/translate?source=osdd&sl=auto&t...](https://translate.google.com/translate?source=osdd&sl=auto&tl=en&u=https%3A%2F%2Fwww.todamateria.com.br%2Fvoto-
de-cabresto%2F)

~~~
markus_v
But couldn't you just take a photo of the ballot? Considering that not
submitting the ballot after taking it is not allowed here.

~~~
muthdra
I think you have to reliably prove that it's your ballot and that it wasn't
tampered with after the photo. Halter Voters would sometimes include a
specific marking on the ballot that confirmed it was a succesfully bought vote
so people could be personally rewarded accordingly.

------
devit
Any more in-depth treatment on the properties of the system and how it resists
various attacks?

~~~
bwblabs
"Security Analysis of Estonia's Internet Voting System" @31C3 (December 2014)

[https://media.ccc.de/v/31c3_-_6344_-_en_-
_saal_1_-_201412281...](https://media.ccc.de/v/31c3_-_6344_-_en_-
_saal_1_-_201412281400_-_security_analysis_of_estonia_s_internet_voting_system_-
_j_alex_halderman#t=1227) (starts at 20:26)

They failed on quite some points, I cannot believe they fixed all issues.

~~~
dcbadacd
Any analysis written not this year is out-of-date.

------
KorematsuFred
Newver understood the fascination with e-votes. E-votes are great when you
vote for reality shows but for a normal election I think walking to the local
booth and vote is a much better idea because it is hackers proof and also only
citizens with enough motivation will vote.

~~~
zanny
> Newver understood the fascination with e-votes.

People want convenience. Citizens would like to vote online, and are largely
ignorant of the technical challenges that make it impossible to secure, at
least on your average everyday Internet connected consumer device.

Its the job of us techies to keep shouting from the rooftops how all these
implementations of online voting are deeply flawed and exploitable the same
way climatologists have to keep screaming from the rooftops about the damage
rising co2 is causing to our biosphere.

~~~
C1sc0cat
Don't vote = don't get any benefits.

You would have to have an allowance for certain Disabled and Housebound voters
and maybe be allowed to miss one election.

~~~
KorematsuFred
That is worse. It means people on welfare might be willing to vote more and
hence peters would vote to steal from paul. Probably an argument that only
those who pay certain amount of tax alone should be able to vote.

~~~
C1sc0cat
Lovely so who gets to decide who the "active citizens" are.

I think we have moved beyond that sort of limited franchise.

Btw "active citizens" is a reference to the French revolution

------
wizzairflyer
Online voting seems like such a bad idea to me. If people want convenience
couldn't voting by post be a good compromise? Sure you still have to bring
your letter to the post office but that's a more mild inconvenience and it
seems more secure than e or i voting.

~~~
C1sc0cat
You get problems like "granny farming"

------
dalbasal
I'm curious about what we can do with digital voting, in terms of evolving
democracy. If, hypothetically, all mechanical issues are solved...

We could have more direct democracy, with high-frequency referendums,
reversible proxies, publicly submitted or endorsed bills. The democracies we
have were designed around mechanical limitations, so it stands to reason that
(at least some) democracies would change when those limits go away.

That said... there seems to be a dearth of ideas, at least few seemingly
useful ones that I ever hear.

If you were making a new constitution for a village or city, what could be
done with electronic voting and how does it make it better?

BRTW, links welcome.

------
DonRico
Oh well as an Estonian that topic is staring to become really tiring
especially because we just passed to voting season.

Bottom line is: Conservatives / nationalists are preferred by older folks and
these parties lobby against anything that can give votes to liberals. They
also know that youngster might skip the voting after all if we would go back
to paper voting all together. Also there will be major reputation loss. But
since conservatives are against EU, open-trading and anything outside our
teeny-tiny pond they don't give a flying fuck about that.

------
TheOperator
I understand the cost appeal of such a voting system but it's pretty low
security for an election. I wouldn't even worry about foreign actors as much
as I would worry about domestic actors controlling the digital ballot box by
fucking with the online voting system.

------
dcbadacd
@Moderators

Just to avoid people collating together all e-voting (voting machines and
similar) with the tech that Estonia uses (they call it i-voting for that
reason), could the title be changed from "e-voting" to "i-voting"?

~~~
dang
Ok, we'll do that.

Edit: actually, just using the word 'online' seems to make the distinction
more clearly.

------
sib
That's nothing, once e-voting is legal in Chicago, it will be 144% of the
vote.

~~~
dcbadacd
The title is incorrect, it's i-voting, not e-voting, there's a difference.

~~~
lolc
i-voting is e-voting too.

~~~
dcbadacd
All i-voting is e-voting but not all e-voting is i-voting.

------
ajvs
I like this trend towards e-voting since it seems to be influenced by trends
in cutting edge blockchain technology like decentralised autonomous
organisations. It means that novel types of national governance may follow
from blockchain governance models, such as liquid democracy.

This would be a vast improvement over our current representative democracy
model since we'd be able to hold politicians accountable more easily,
lobbyists would be less influential and we could put our voting power behind
domain experts for issues of importance.

~~~
pgeorgi
> such as liquid democracy

The German Pirate Party tried liquid democracy, and the result was similar to
what's going in Wikipedia: There's a small set of people with more time on
their hands than it good for them or others, and it doesn't take long for them
to take over.

~~~
Zooper
I'm confused, why would a small set of people with time on their hands be able
to compromise a liquid democracy? Are there not workarounds to the problems
encountered? Interesting how we iterate so often, yet are so concrete in our
conclusions about improvements to our own governance.

~~~
mola
I think because we can't afford to 'break things' with governance so we prefer
not to 'move fast'. Seems like good thinking...

