E-Voting Source Code Made Public In Estonia

New submitter paavo512 writes "Server-side source code used for electronic voting was made fully public by Estonian officials on July 11 (in Estonian). The aim is to encourage more specialists to get involved in the technical analysis of the software. It is hoped that public overview will help to ensure the security of the system. E-voting has been successfully used five times in Estonia since 2007. It facilitates national ID cards which are obligatory for all citizens. In the next municipal elections later this year it is planned to test an experimental feature where the voter can check via a physically separate channel (smart phone) if his or her vote has been registered correctly. The publicized source code is available at GitHub."

The big question

[Anonymous Coward]

How do you verify that the published source code is running unmodified on the production servers?

Re:The big question

[i kan reed]

The typical answer is the same magic answer that's been a part of democracy since the invention of the secret ballot: oversight. Think the oversight is foxes watching the hen-house? Volunteer!

Re:The big question

[MarcoAtWork]

it's a lot simpler to have oversight of paper ballots being counted by hand than of a program running on a computer somewhere: there's no way anybody can be sure the program being actually run is the program that was generated via the source code you are given.

Not to mention that there is no way you can be sure about the *environment* the software is run on, since it would be trivial to have some kernel/environment exploits that could alter the result arbitrarily.

The only way one could be sure there are no electronic shenanigans would be redundancy:

- provide the source code and build instructions for all the software
- at voting time anybody can come in, get the raw data and run it on their own compiled copy of the software, if there is a discrepancy flags would be raised and the result would not be accepted until at least a certain number of independent computers come up with the same result

Re:

[lister king of smeg]

Ken Thompson compiler hack?

Re:

[Anonymous Coward]

Ken Thompson compiler hack?

So they would somehow make sure that every independent person who built the software did so using the hacked compiler?

Re:

[Kielistic]

Democracy@Home - I actually find the idea quite interesting.

Although now you have to find a way to ensure trust in the raw data...

Re:

[MarcoAtWork]

for ballot box votes it would be pretty easy to guarantee raw data trust via the usual observers, as long as the voting machines leave a paper trail (and they should). For remote e-voting you would set up end-to-end vote verification as the poster below was saying, it would just be part of the voting process, you go to vote on the day, and the next day you verify that your vote was counted. With vote verification and distributed verification of the results it seems it would be a very solid system.

This said

Re:

[jnork]

Or you could have end-to-end verification of your vote. Doesn't guarantee the software is the same, but at least you'd know that YOUR vote got there intact. And if not, presumably there'd be something you could do about it. Enough people complaining might get paid attention to.

"...planned to test an experimental feature where the voter can check via a physically separate channel (smart phone) if his or her vote has been registered correctly." Yep, that's the kind of thing I had in mind. It'd have to be done

Re:

[AK Marc]

There's one *very* easy way nobody likes to talk about. Abolish secret voting. Open voting is more secure than any secret ballot used or conceived of to date. It worked for the first 100 years of the US, and failed only when there was a Civil War. A return to Open Voting would allow for vote buying (which is easily possible today under all absentee voting systems I've seen in the US, but still doesn't happen), but eliminates 100% of the most common frauds. Fix the system in 1 easy step. Then it doesn'

Re:

[i kan reed]

The threat of an open ballot election isn't that someone will murder you, it's that the police chief you voted against "happens" to suspect you of running a meth-lab, and runs a no-knock warrant on your home. Or the health inspector might just find a few specks of dust that don't belong. It's like pay-for-play kickbacks, but you can't ever prove the connection.

Re:

[AK Marc]

So it's like today. If you vote for someone, you hope he does something that benefits you. Only there will possibly be more direct link between voting and actions. And yes, there have been cases of politicians acting against those who didn't vote for them. Even with secret ballots there will be. There will just be more guesses about who it was who voted against. Again, it's a problem today that secret ballots doesn't stop. The theory is that the candidates would not act in such a revenge manner. Aft

Re:

[Kavafy]

Again, it's a problem today that secret ballots doesn't stop. The theory is that the candidates would not act in such a revenge manner. After all, it would do nothing to improve their chances of reelection, so why bother? Bribing for votes would be a much more effective election influencing act, rather than vote punishing.

Isn't the point that, without a secret ballot, candidates can intimidate people into voting a particular way? IOW the key period is before the election, not after?

Re:

[AK Marc]

Isn't the point that, without a secret ballot, candidates can intimidate people into voting a particular way? IOW the key period is before the election, not after?

They do that today. It's just less personal. If it became personal, John Smith gets a letter stating if he doesn't vote for Bob Barker his house will be demolished to make way for a road, don't you think John Smith publishing that letter would affect the campaign (and arrest) of Bob Barker?

Re:

[plover]

I don't care how well you think you're watching. You are a human, and you are capable of overseeing simple activities, such as official pieces of paper being dropped in a box, or official stones being dropped in a jar. Your capabilities for "oversight" do not extend down to observing the correct bits are flowing through a CPU.

The thing we've all forgotten in our rush to tune into the 24 hour news channel is that voting results do NOT have to be completed within 15 seconds of the polls closing. I don't ca

Re:

[AK Marc]

Where I grew up, you could only volunteer if you were a verified fox (a member of a party with candidate in the election). How's that for oversight? If the US oversaw it's own elections to the degree they oversee others, all of the elections since 1996 would be declared invalid.

Re:

[Thry]

The same way you verify that the published final result matches the actual votes!

Re:

[Pieroxy]

The same way you verify that the published final result matches the actual votes!

You mean by counting manually the bits in the RAM of the machine, or counting the votes (with a witness in the booth) and checking that against the overall results?

The ONLY way to make e-voting productive is to have those machines ... produce a piece of paper on whitch the voter can check that the right name is printed on. Put it in an envelope, and in the urn. At the end of the day, the ballots are opened by some volunteers, the name printed on is read out loud, they are passed into a machine and a giant s

Re:

[manu0601]

The ONLY way to make e-voting productive is to have those machines ... produce a piece of paper on whitch the voter can check that the right name is printed on.

You also need to check identity of voters and count them so that no vote can be injected. And that cannot be done remotely, voters need to attend physically for that, otherwise someone will manage to vote for the deads.

Re:

[AK Marc]

Paper or electronic, once they are in the urn, there are hundreds of ways to spoil them. Lose them, stuff them, in all sorts of ways. Paper is broken, that's why e-voting is getting traction. The only system not broken is voter-verified open voting.

Re:

[Pieroxy]

The only system not broken is voter-verified open voting.

What is that? Can you give us more than 4 words to get an idea?

Re:

[AK Marc]

Vote buying in the US is easy. Your employer fills out 100 ballots (in an office of 100) and passes them out. You are required to sign them and hand them back. He'll seal them and send them for you. Your vote is cast in his desired manner or you are fired. He then calls a special day on vote Tuesday. Everyone works a 12 hour shift, in-house lunch provided, so nobody can sneak away to vote in person that day.

That's all easily possible today. Yet it *never* happens. The *only* attack vector to open v

Re:

[Anonymous Coward]

Signed binaries and random unannounced audits.

Re:

[tsadi]

The part where they will be testing an "experimental feature where the voter can check via a physically separate channel (smart phone) if his or her vote has been registered correctly" sounds like a good start. When you get verified reports of people's votes getting changed along the way, you launch an investigation and trace how/where it happened.

Re:

[CastrTroy]

But then you no longer have a secret ballot. If you can prove that you voted for a specific person, you can be coerced by others (your boss, the mob, some guy giving you money) to prove that you voted for who they wanted you to vote for. A system has to be verifiable in the sense that you can be reasonably sure that all the votes are counted correctly, without being altered, and without being able to attach the votes to who cast them. This is why paper ballots work. Start with an empty sealed box, verifi

Re:

[zero.kalvin]

In other news, sending a copy of yesterday's lecture to a friend magically changes the original copy, news at 11!

Naturally...

[Anonymous Coward]

...Nothing can beat the audit trail of Elbonian clay tablets.

Re:

[Samantha Wright]

Classic translation error. As far as hilarious editorial travesties go, I think that one's fairly understandable. Given that Estonian is pretty unambiguous about how to put the sentence in passive voice (See on hõlbustanud... instead of See lihtsustab... according to Google Translate) I'd guess the original author didn't know the exact meaning of "facilitate" in English, which is odd because Estonian has several comparable verbs which all have the same direction.

Re:

[Jorgensen]

So... The hackers will win. And the problem is....?

Re:

[AK Marc]

Secret voting was the end of democracy. It just took a while to get as bad as it is now.

e-stonian speaking here

[Anonymous Coward]

National ID cards are NOT mandatory for citizens.

E-voting used five times? Uh, it has been an OPTION. People vote in person mostly. In press articles+commentaries, e-voting has drawn rampant suspicions of corruption. (There's a scandal with some party internal voting, which is quite unrelated, but......)

As an estonian, I have to say I bloody hate this stupid hype. I also believe the cheapest and most reliable method of voting continues to be in-person voting. (Your BRAIN, casting the vote, is attached to your FACE, which typically is fuzzy-recognized by the local officials. This system is very hard to improve upon.)

captcha: contrary

Re:

[linnumees]

The only ones with the "rampant suspicions of corruption" are the opposition parties spreading FUD, especially by comparing that to electronic voting elsewhere: voting machines - which is a totally different thing.

The scandal with some party's internal voting didn't even use the same infrastructure. FUD much?

Re:

[Anonymous Coward]

In press articles+commentaries, e-voting has drawn rampant suspicions of corruption. (There's a scandal with some party internal voting, which is quite unrelated, but......

Really? Rampant? There was one guy who pointed out a potential security vulnerability, which so far is unconfirmed - hypothetical, it relies on the assumption that a users computer could be compromised and the voting software UI manipulated, iirc. Party internal voting scandal is a completely different matter. They used a weak internal voting procedure which is unrelated of the state run e-voting system.

Re:

[Anonymous Coward]

National ID cards are NOT mandatory for citizens.

E-voting used five times? Uh, it has been an OPTION. People vote in person mostly. In press articles+commentaries, e-voting has drawn rampant suspicions of corruption. (There's a scandal with some party internal voting, which is quite unrelated, but......)

As an estonian, I have to say I bloody hate this stupid hype. I also believe the cheapest and most reliable method of voting continues to be in-person voting. (Your BRAIN, casting the vote, is attached to your FACE, which typically is fuzzy-recognized by the local officials. This system is very hard to improve upon.)

captcha: contrary

You are a lousy estonian then. ID cards are mandatory, passports are not. Soovitan sul seadust lugeda seltsimees.

Re:

[Anonymous Coward]

This is correct. Parent is not.
(Estonian here as well, but I don't think calling each other comrades is "the thing" after the collapse of Soviet Union.)

Re:

[kuldkollane]

The ID card is mandatory for citizens. https://www.eesti.ee/eng/topics/kodakondsus/eesti_kodakondsus/isikut_toendavad_dokumendid [eesti.ee] (English version).

Re:

[kuldkollane]

I'm sorry, unfortunately the English translation removes some of the nuances: "Isikutunnistus ehk ID-kaart on Eesti kodaniku ja Eestis püsivalt elava Euroopa Liidu kodaniku kohustuslik isikut tõendav dokument." Trying really hard to come up with a better translation here; would you accept "The identification document, also known as ID-card"? Probably not. I'm sorry, but this is mainly a translation issue. The card itself is still mandatory for Estonian citizens and EU citizens whose permanent co

Re:

[pjt33]

The card itself is still mandatory for ... EU citizens whose permanent country of residence is Estonia.

That will only last as long as the first challenge in the European courts. Spain used to make its ID card mandatory for all residents, but some expat EU citizen challenged it and Strasbourg ruled that EU citizens only need identity documents from their home country.

Re:

[kuldkollane]

I know I'm now late, but could you provide a source? I'd really like to learn more but I can't really find any official rulings. I'd appreciate it a lot!

Re:

[pjt33]

Fair question! I've not been able to track down a source which exactly matches my understanding; ruling C-157/03 [europa.eu] appears to deal with some related aspects, and this analysis of Directive 2004/38/EC [dropbox.com] (not a brilliant source without provenance) in section 8.2 talks about the elimination of "residence cards" for foreign EU citizens. That's the best I've been able to find in about 45 minutes.

Re:

[kuldkollane]

Thanks for the links! It looks like that section is not about permanent residence. Upon checking article 19:

Upon application Member States shall issue Union citizens entitled to permanent residence, after having verified duration of residence, with a document certifying permanent residence.

New: The fact of having acquired a permanent right of residence entails a series of important additional rights. For this reason Union citizens are entitled to apply for a document certifying permanent residence.

It is possible that I misunderstood something, I'm terrible at legalese even though this document's fairly simple. In Estonia the ID-card is the document which among other functions certifies permanent residence. Also, it's rather annoying not to have one, as it is used for identifying oneself in electronic environments and for signing documents with a digital signature - and most of the documents a

Re:

[Anonymous Coward]

Estonian speaking and with law degree: national ID card is the one and only MANDATORY identification in Estonia. Passports are just travel documents and are not mandatory. ID cards, mandatory.

Re:

[Freultwah]

It HAS been used five times, and nowhere in the summary does it say it has been mandatory and the only way. So, a nice strawman there, but try to rein in that hate a little better and use actual arguments. The e-voting system is an excellent option to improve participation, and if you do not like it, don't use it. There is no need to become a Bolshevik about it, as in "I don't like it for me, let's get rid of it for everybody".

Besides, throwing all this Centre Party's FUD around is just not a good way to pa

US aversion for ID cards

[dargaud]

I truly do not understand the US aversion for identity papers. (*) There needs to be a way for you to interact with the state / federal government, it's obvious. But how do you prove who you are when you do ? ID papers provide this certification easily. I've heard all kind of 'slippery slope' arguments like 'it's the first step towards a nazi state'. Well duh, every country in Europe has had ID papers since at least WWII and it hasn't changed anything. Instead of that the US relies on driver's license for the same purpose, or much worse, social security number which anybody can figure out and copy at will. Dumb.

(*) And at the same time I don't understand why most USamericans don't give a flying squirrel about the wholesale spying going on. They don't want a piece of paper to identify them once a year when a cop or a govnmt employee asks for it for a legitimate purpose, but they don't care to have their every word archived to some big brother 5 zetabytes database with sorry consequences years from now. Beats me.

Re:

[CanHasDIY]

I truly do not understand the US aversion for identity papers.

Well, basically it boils down to legal requirements for government accessibility - not everyone can get to the ID shop (a 90-year-old quadriplegic living below the poverty line doesn't really have the means to get an ID, and thus, to access their right to vote), and a lot of people bitch about the "cost to taxpayers" when you explain that charging people for access to government via legally required ID would be unconstitutional.

Of course, there's also the ever-present rationale (if it can be called that) ex

Re:

[Anonymous Coward]

There is a difference between having ID papers so you can use them at appropriate times and requiring every citizen to carry ID papers all the time. In the Netherlands, it used to be the former, it is now the latter, and I fucking hate it (and do not comply).

Re:

[plover]

It's not just the religious fundamentalists. Students of history understand that tracking of things is a useful step in controlling those things.

There's a very common pattern used by tyrannical governments. They demonize and marginalize the "undesirables", whether they be religious cultists, intellectuals, liberals, or conservatives (when you hear the word "terrorist" used without a weapon of mass destruction actually being detonated, you're seeing this step in action.) They isolate undesirables by restr

Re:

[Anonymous Coward]

There's no need for ID cards. In the UK, which, depending on which side you're on, is either in or just next to Europe, the system is the same like in the US. You identify using your name when you vote, and using a two utility bills (or a utility bill and a tax bill - from either HMRC or your local Council) when you open a bank account.

If they were to introduce e-voting in the UK, they'd do it in a very similar way to postal voting. You ask for a postal vote form plus envelope, which you fill in and send to

Re:

[AK Marc]

The US sees them as the first step in control. Identify everyone, make them reveal home addresses, and require the papers be shown on demand, and you have a registration system. The next step is to come for the Communists. And under McCarthy, they really did, if they had a suitable national registry, there would have been mass arrests and internments. But there wasn't, so it was much harder for the government to get anything done. That's the point. We don't trust our government so we want to make it h

Re:

[AK Marc]

What's wrong with no anonymity? For the first 100 years of the US, there was open voting only. It wasn't until a Civil War that there were problems that forced closed voting. When Reconstruction was over, we should have gone back to open voting. But we didn't. Open is better in every way.

Not to be modified, just for bug fixes

[healyp]

Under a NoDeriv license so it cannot be built upon. http://creativecommons.org/licenses/by-nc-nd/3.0/ [creativecommons.org]