Internet Voting in Estonia

1
Internet Votingin Estonia

• Tarvi MartensI-Voting Project Manager
• National Electoral Committee

2
E-stonia ?

• Population 1.35M
• Everyday Internet usage 64
• Internet banking 88
• Mobile penetration gt100
• 1000 Free Internet Access points
• PKI penetration gt90 (age 15)
• Biggest national eID card roll-out in the Europe !

3
Internet Voting?

• In October 2005 Estonia had first-ever
  pan-national Internet Voting with binding
  results
• 80 of voters had a chance to vote via Internet
  due to the ID-card
• 2 of participated voters used that possibility
• March 2007 Parliamentary elections with
  I-Voting option (6 of i-voters)

4
ID-card Project

• Started in 1997
• Law on personal identification documents Feb,
  1999
• Digital Signature Act March, 2000
• Government accepted plan for launching ID-card
  May, 2000
• First card issued Jan 28, 2002
• October 2006 1 000 000th ID-card was issued

5
The Card

• Compulsory for all residents
• Contains
• Personal data file
• Certificate for authentication (along with
  e-mail address Forename.Surname_at_eesti.ee)
• Certificate for digital signature

6
Usage of the ID-card

• Major ID-document
• Replacement of
• (transportation) tickets
• library cards
• health insurance card
• driver documents
• etc...
• Authentication token for all major e-services
• Digital signature tool

7
Internet Voting ?

• Not a nuclear physics
• Just another application for ID-card
• ...with some special requirements measures...

8
Brief History

• 2003
• Project started project manager and steering
  committee
• Initial concept developed
• 2004
• Security Analysis on concept
• Refined concept
• Use-case model developed
• Public procurement winner - Cybernetica
• Development of the 1st version
• 2005
• Pilot project in Tallinn in January
• Municipal elections in October

9
What it takes ?
10
I-voting Main Principles

• All major principles of paper-voting are followed
• I-voting is allowed during period before Voting
  Day
• The user uses ID-card
• System authenticates the user
• Voter confirms his choice with digital signature
• Repeated e-voting is allowed
• Only last e-ballot is counted
• Manual re-voting is allowed
• If vote is casted in paper during absentee voting
  days, i-vote(s) will be revoked

11
Voter registration

• Missing
• All citizen (residents) should register their
  place of living in central population register
• Only voters with registered addresses are
  eligible
• Population register is used

12
Envelope scheme
I-voters
I-votes
Results
Public key
Private key
13
Architecture
Central System
List ofCandidates
List ofVoters
VoteForwardingServer
Voterapplication
VoteStoringServer
VoteCountingApplication
log
log
log
Audit
Key Management
Auditapplication
14

• To vote via Internet voter needs
• an Estonian ID card with valid
  certificates and PIN codes
• Computer used for voting must have
• a smart card reader (6 EUR)
• a driver for ID card (free to download)

15
I Website for voting
www.valimised.ee
www.valimised.ee
16
II Identification

• Put your card into card reader

• Insert PIN 1

17
III You are identified
18
IV Ballot completion

• Choose a candidate

19
IV Confirmation

• Confirm your choice with PIN2

20
V Vote recieved
21
Principle of Transparency

• All system components shall be transparent for
  auditing purposes
• No black boxes are allowed
• No use of 3rd party-controlled authentication
  mechanisms or services
• No components without source code

22
Technology Selection

• Involve all major influencers and specialists
• Keep it as simple as possible
• Build it on secure stable platforms (Debian)
• No
• Databases (engines)
• 9GL environments use C Python
• 3rd party libraries too much

23
Managing Procedures

• All fully documented
• Crash course for observers-politicians
  auditors
• All security-critical procedures
• Logged
• Audited observed
• Videotaped
• All major IS-specialists involved for
  network-monitoring 24/7 for dDOS or trojans

24
Physical Security

• Governmental security hosting
• Two independent departments guarding the server
  room
• Strict requirements for entering the server
  premises
• Auditor(s), cam-man, operator, police officer
• Sealing of hardware

25
Results of 2007 (2005)

• I-voters 30 275 (9 317)
• I-votes 31 061(9 681)
• First-time ID-card users 11 894 (5 774)
• Percentage of i-voters amongst votes collected
  during absentee voting 18 (7)
• Certificates renewed Mon-Wed 5994

26
Activity By Day
27
(No Transcript)
28
How old is The i-Voter ?
29
Subjective reasons for choosing i-voting
municipal elections 2005
30
Subjective reasons for choosing i-voting 2007
31
Subjective estimation of participation in the
absence of e-voting
32
Subjective reasons for not using e-voting among
traditional voters
33
Where Internet voters cast their ballots
34
Future developments of the e-voting project

• m-voting

35
m-voting ?

• The same old Internet voting...
• ...but using Mobile-ID instead of ID-card for
  authentication and digital signing
• The voter still needs an Internet-connected
  computer
• M-voting is not about voting by using mobile
  phone only

36
Electronic ID-s very in form

• ID card (smartcard)
• Mandatory ID document
• Enabler for authentication and digital signatures
• Needs smart card reader software
• Support for selected web browsers
• Mobile ID (SIM card)
• Enabler for authentication and digital signatures
• No need for software installation
• Doesnt need web browser support
• No physical identification possible

37
Getting Mobile-ID

• Mobile-ID is available from Q2 2007 for EMT
  subscribers (not pre-paid)
• To use Mobile-ID, it is necessary to change the
  SIM card
• Customer gets the Mobile ID PIN1, PIN2 and PUK
  codes with the SIM card
• Customer activates his/her Mobile-ID by using
  ID-card

Interneti-pank
38
Mobile ID SIM - appearance

• The following information must be communicated
  to the customer on standard SIM card
• PIN, PIN2, PUK, PUK2
• With Mobile ID you have to communicate also
  Mobile ID codes, for example
• PIN1 (authentication)
• PIN2 (signing)
• PUK unblocking
• The Mobile ID PIN and PUK codes are secret so
  these must be covered under scratch panel or
  security foil!

39
Using Mobile-ID for I-voting

• Security analysis of the Mobile-ID has completed
• Comparative analysis with ID-card
• Different chip
• Different issuance scheme
• Different usage model
• Results Almost as good as ID-card

40
Considerations

• Dirrefent aspects shall be considered in decision
  whether to use Mobile-ID in i-voting
• Security
• Few things need to be tuned yet
• Equal access
• Just one operator is in the market right now
• Penetration
• Today 10 000 Mobile-ID owners with 4500
  activated
• Desire for novelity
• Perhaps we are too liberal already ?

41
Lessons learned

• I-voting is not a killer-application. It is just
  another way for people to vote
• Peoples attitude and behavior change in decades
  and generations, not in seconds
• I-voting will be as natural as Internet-banking
  but even more secure
• Internet voting is there to stay

42
More information

• http//www.vvk.ee/engindex.htmlval_at_riigikogu.ee
• tarvi_at_sk.ee