By Blerim Abedini, ISSD-NM
Mr. Abedini is a researcher of cyber studies and disinformation
Online voting has a short history, all of it within this century. Several countries now offer dual voting, online alongside the standard ballot. The first expert review, in 2004, assessed the security of online voting, and the proposal was rejected because of the risks and consequences. Even after many meetings and consultations among academics and experts, no solution could be found. In 2008 and 2009, online voting was again dismissed as unsafe for US territory. Although the US was the first state to begin researching the implementation of online voting, many risks remain from inside and outside sources. Other kinds of voting also take place over the internet; they are not electoral elections, but they can be counted as a fraction of this activity. Estonia's hybrid internet voting shows the number of internet voters increasing over 20 years: from ~2% of the electorate in 2005, Estonia reached ~46% internet voting in the 2019 elections. Estonia's population of 1.3 million and its established leadership are certainly influential here, since beneficial technology makes it possible to overcome election costs in the time we live in. In this regard, the OSCE/ODIHR has consistently criticized the elections in Estonia, as well as those in Norway in 2011, calling for the projects to be implemented flawlessly and completed in a transparent and secure manner. But we have to judge the OSCE's steps as wrong, because they take so many critical approaches to a newborn project. The Estonian online voting system is built on the Estonian identity card, a smart card that allows secure remote authentication and legally binding digital signatures using public key infrastructure.
PILOT PROJECT FOR INTERNET VOTING IN NORWAY-
At the invitation of the Government of Norway to observe the election process, the OSCE/ODIHR set up its EET team to follow the preparation and development of the pilot project for online voting during the local government elections on 12 September 2011 in Norway. Online voting was offered to voters in 10 selected municipalities, inside and outside the country, with a total of 27,557 voters, or 16.4% of eligible online voters (with proven skills). The electoral act for the pilot project was scrutinized under the ministry's draft regulations, which were based on international recommendations for electronic voting. The pilot project was implemented under the responsibility of the ministry, impartially and professionally, with transparency and accountability. Because of unforeseen technical complications, the ministry experienced delays that affected operational security and caused a few errors, but without any major impact on the overall integrity of the elections. The ministry applied high standards to the security of the online voting system, including equipment and software components that had been carefully designed in advance. Powerful encryption schemes to protect vote secrecy are also an integral part. Technical equipment was put in place to protect the system from outside attacks that attempt to block the voting software service. Ballot verification is done by giving voters codes that let them check whether their votes were cast as they chose. The OSCE/ODIHR was the only body monitoring the voting in Norway, and it was given full access to all election documentation.
VOTING SECURITY AND SECRECY- The Norwegian Ministry created a sophisticated system spanning multiple organizational units and locations, together with a cryptographic scheme specifically designed to protect the secrecy and security of votes cast in unsafe environments. The ability to review an online vote and cancel it through a paper ballot was one way to limit the possibility of voter fraud or vote-buying. Under the encryption model used for the Internet pilot project, the election decryption key was not independent of other information but was calculated from the two secret encryption keys used in VCS and RCG. In this case, the secret decryption key would depend on other information.
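The key-independence concern above, as an added example that is not code from the pilot project: a toy ElGamal check of whether a decryption key can be recomputed from the VCS and RCG secrets. The additive relation, the tiny group and all key values are assumptions constructed for illustration.

```python
import secrets

# Toy group, constructed for illustration only: P = 2*Q + 1, G has prime order Q.
P, Q, G = 2039, 1019, 4

def encrypt(public_key, message):
    """ElGamal encryption of a group element under the election public key."""
    r = secrets.randbelow(Q - 1) + 1
    return pow(G, r, P), (message * pow(public_key, r, P)) % P

def decrypt(private_key, ciphertext):
    """ElGamal decryption; the negative exponent needs Python 3.8 or later."""
    c1, c2 = ciphertext
    return (c2 * pow(c1, -private_key, P)) % P

def dependent_decryption_key(vcs_key, rcg_key):
    """Assumed relation (not stated on the page): decryption key = rcg_key - vcs_key mod Q."""
    return (rcg_key - vcs_key) % Q

def derivable_from_components(decryption_key, vcs_key, rcg_key):
    """True if the VCS and RCG secrets together open a ballot encrypted to the election key."""
    ballot = pow(G, 7, P)  # constructed sample ballot, encoded as a group element
    ciphertext = encrypt(pow(G, decryption_key, P), ballot)
    candidate = dependent_decryption_key(vcs_key, rcg_key)
    return decrypt(candidate, ciphertext) == ballot

if __name__ == "__main__":
    vcs_key, rcg_key = 123, 456  # constructed sample secrets
    pilot_style_key = dependent_decryption_key(vcs_key, rcg_key)
    independent_key = 777        # chosen without reference to the other two
    print("dependent key derivable:",
          derivable_from_components(pilot_style_key, vcs_key, rcg_key))
    print("independent key derivable:",
          derivable_from_components(independent_key, vcs_key, rcg_key))
```

With a dependent key, vote secrecy rests on the VCS and RCG never pooling their secrets; an independently generated key removes that condition.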
INTERNET COMMUNICATION SECURITY – A company was engaged to perform various tests simulating possible attackers against the whole system or against the voter's decision. The voter receives a return code from the system via SMS to the mobile phone and can check it by comparing it with the codes given on the voting card. Election authorities can inform voters about the potential dangers of online voting and about protecting their computers against malicious software. A serious threat to online voting is a potential denial of service (DoS) attack, in which a malicious agent (A) can overload election servers and prevent voters from casting their ballots. However, an attacker must be extremely experienced and fast to sustain a DoS attack over a longer period, and the one-month pre-voting period is itself an effective tool against such an attack. The ministry relied on its own resources to prevent any attack, including high-level protection in VCS and RCG. The ministry also asked for help from companies specialized in monitoring and securing Internet infrastructure. It is recommended that the election authorities consider cooperating with relevant agencies actively engaged in monitoring and ensuring the overall security of the internet connection, and involving the entities that own and operate key parts of the internet backbone in Norway.
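The return-code check described above, as an added example that is not the pilot system's code: the voter compares the SMS code with the voting card, so a vote altered before it is recorded shows up as a mismatch. The HMAC derivation, the four-digit format, the secret and the candidate names are assumptions standing in for the real cryptographic scheme.

```python
import hashlib
import hmac

CANDIDATES = ["Party A", "Party B", "Party C"]  # constructed sample ballot

def return_code(secret, voter_id, nonce, choice):
    """Four-digit code bound to one voter and one choice (HMAC is a stand-in)."""
    msg = f"{voter_id}|{nonce}|{choice}".encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 10000:04d}"

def issue_voting_card(secret, voter_id):
    """Codes printed on the voter's card; retry the nonce until all codes differ."""
    nonce = 0
    while True:
        card = {c: return_code(secret, voter_id, nonce, c) for c in CANDIDATES}
        if len(set(card.values())) == len(CANDIDATES):
            return nonce, card
        nonce += 1

def sms_for_recorded_vote(secret, voter_id, nonce, recorded_choice):
    """What the system sends: the code for the choice it actually stored."""
    return return_code(secret, voter_id, nonce, recorded_choice)

def voter_check(card, intended_choice, sms_code):
    """The voter compares the SMS with the card entry for the intended choice."""
    return hmac.compare_digest(card[intended_choice], sms_code)

def cast(intended_choice, recorded_choice, voter_id="voter-001"):
    """Run one vote end to end and return whether the voter's check passes."""
    secret = b"constructed-demo-secret"  # hypothetical per-election secret
    nonce, card = issue_voting_card(secret, voter_id)
    sms = sms_for_recorded_vote(secret, voter_id, nonce, recorded_choice)
    return voter_check(card, intended_choice, sms)

if __name__ == "__main__":
    print("honest client:", cast("Party A", "Party A"))
    print("vote altered before recording:", cast("Party A", "Party B"))
```

The check only helps if the card and the SMS reach the voter over channels that the voting computer does not control.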
SECURITY OF OPERATIONS- The systems in the data centers were operated with multiple servers, so that the failure of a hardware component would not negatively affect the participation of voters. The IT infrastructure is supplied with uninterrupted power. Batteries and diesel generators are kept in separate rooms at each location to ensure that power is not interrupted, along with cooling systems to protect against overheating. The data centers were connected to the Internet through two separate connections.
TRANSPARENCY AND ACCOUNTABILITY- Public trust rests on assuring each individual that the system operates in accordance with all rules and requirements. The ministry therefore required that the software solution of the winning bid be made available to the public, including companies that are potential competitors, which reflects transparency.
CERTIFICATION – The certification process starts with testing and auditing. Election authorities may consider delegating the formal certification of online voting software to an independent third party to further enhance accountability and transparency.
AUDIT – The task of an audit, in this case, is to assess whether the online voting system has functioned as intended, taking into account the technical and procedural aspects of the system as improved.
OBSERVATION – The Ministry gave the OSCE/ODIHR, the only entity engaged to observe the various aspects of online voting in Norway, full access to all stages of the process. The OSCE/ODIHR, with its EET team, was in touch with and had access to all components and documentation, and could follow election-related events at any time.
The advantages of online voting cover a variety of reasons: the lower cost of local or parliamentary elections, reinforcing state stability in protecting against cyber attacks, carrying out various banking transactions during this period in a safe and highly protected way, and recognizing as state enemies those attackers who are inside or outside the state. State administration will also gain the experience to act successfully in a short time and to build a better voting system for the next cycle of elections. Citizens will feel comfortable voting from their homes or anywhere on their mobile phones! It is an incomparable advantage when we keep in mind that any kind of online voting will preserve the secrecy of the vote while having the state as a continual shield against cyber-attacks. The world is now in a century of fast technological progress. Any vacuum left to cyber attackers destroys the prosperity of a society, and for that reason the primary duty of state administration and leadership is to fight against internet enemies!