Vastulause The Guardianis ilmunud artiklile/Comment on the article published in The Guardian13.05.2014
On Monday evening, the Guardian published a story ("Estonian e-voting shouldn't be used in European elections, say security experts", by Charles Arthur - http://www.theguardian.com/technology/2014/may/12/estonian-e-voting-security-warning-european-elections-research) claiming that security researchers had found serious flaws in the software used for online balloting in Estonian elections. Individuals interviewed in the story called on the Estonian State to abandon online balloting in upcoming European Parliament elections, which begins on 15 May (Thursday).
The Guardian did not ask the Estonian National Electoral Committee (ENEC), the Government of Estonia or any independent experts for comments on the story or its unsubstantiated claims before publishing. We ask the Guardian to publish this statement in full.
Estonia has been conducting online balloting since 2005. The system has been used in six elections (municipal, national and European) without a single incident which have influenced the outcome. During the most recent municipal elections (October 2013), 21,2% of voters used online balloting, 24,3% in 2011 Parliamentary elections. Online voting is particularly useful for the thousands of Estonians who live, work and travel across the world, enabling them to exercise their civic duty from any corner of the world. In the previous two elections, votes have been cast from 105 countries.
The National Electoral Committee takes any evidence of flaws in balloting extremely seriously. Estonia has conducted its online balloting in a unique spirit of transparency: every aspect of online balloting procedures is fully documented, these procedures are rigorously audited, and video documenting all conducted procedures is posted online. In addition to opening every aspect of our balloting to observers, we have posted the source code of our voting software online. In the past decade, our online balloting has stood up to numerous reviews and security tests. We believe that online balloting allows us to achieve a level of security greater than what is possible with paper ballots.
At this point, we can give only preliminary answers to allegations published in the Guardian, as the researchers have not shared the full results of their work with us. The researchers met with officials from the electoral committee in October 2013, and could have contacted us at any point in the last 6 months to share the initial findings of their research. In reality, the only advance information we received was notification, on Saturday evening, of a press conference on Monday. The researchers' website (estoniaevoting.org) went up on Monday morning. Not until after the press conference did we finally receive in writing (by email) a request to meet.
Based on a preliminary review of the researchers' partial findings, we can conclude the following about their claims:
1. The researchers have not discovered any new attack vectors that had not already been accounted for in the design of our system as a whole.
2. It is not feasible to effectively conduct the described attacks to alter the results of the voting.
3. The electoral committee has numerous safeguards and failsafe mechanisms to detect attacks against the elections or manipulated results.
4. The website put up by the security researchers (estoniaevoting.org) contains numerous factual and detail errors, and does not provide technical details on the alleged vulnerabilities in our system.
The Estonian National Electoral Committee is always open to constructive criticism concerning the security of any form of balloting in Estonia. We look forward to reading the full results of the researchers' work, and are willing to meet with them to explore their findings in detail. Nevertheless, their last minute claims, published two days before the beginning of online balloting for elections to the European Parliament, give us no reason to suspend online balloting.