The conflict in Ukraine was a core issue in the most recent election. Cyber-security incursions are a persistent threat, also spiking in response to events such as the removal of a soviet monument near the border with Russia. Even with an established foundation, i-Voting in Estonia is always facing fresh challenges. 05 July 2023
Over the last decade, Estonia has emerged as a global leader in the realm of e-governance and i-Voting – co-founding the D5 (now 10-member Digital Nations) group with New Zealand, the UK, Israel and the Republic of Korea in 2014 and persistently demonstrating its commitment to innovation in democracy.
Yet despite significant strides in refining and expanding its internet voting system, even making it a cornerstone of their electoral process, these advances have not come without challenges – not least of which being the global spread of distrust in electoral systems and the geopolitical tensions of a nearby war.
A target for bad actors
It should be no surprise that the current geopolitical environment doesn’t do the system any favours.
Cybersecurity is a constant concern.
Recognising the critical importance of protecting the integrity and confidentiality of the voting process over the years, Estonia has implemented stringent security measures, including the use of secure communication channels, encryption protocols, and advanced authentication methods.
Regular security audits and vulnerability assessments are also conducted to identify and address any potential weaknesses in the system. But the hits keep coming.
The week-long election period sees a not unexpected spike in cyber-security incursions – “With the elections themselves, there’s always been an ongoing cybersecurity concern,” says Priit Vinkel, senior expert on smart governance at the e-Governance academy in Estonia.
What has been noticeable is responses to other societal changes – “For example, we had a World War 2 monument very close to the border with Russia that was removed after the situation in Ukraine. It’s those sorts of things. That’s when the rates of cyber incursions rose rapidly.”
A victim of its own success
Yet whether or not a given security threat is of serious concern, increased use means increased attention and increased scrutiny – something that has coincided with a global downturn in trust.
And with the war in Ukraine being a top issue in the election earlier this year, it’s certainly no wonder the system has suddenly become a point of focus, both from within and without. Many question whether it’s ultimately resilient enough to stand up to the pressure, particularly as utilisation continues to grow.
“In the last five years, the biggest change has been the distrust in election management,” says Vinkel. “It’s kind of a wildfire that started to spread all over the world after 2016.”
Even while participation and engagement continue to improve, the subject of i-voting continues to be politicised. In fact if anything, it seems to amplify the debate.
“The fact that we have more than 50% of people using this technology, sets the stage for forces to take advantage of this situation and to blame it,” Vinkel says. “With the elections this year in Estonia, one of the biggest opposition parties started, from the very outset, playing with the idea that e-voting was the reason they lost.”
That sort of internal debate is not unusual. In virtually every modern democracy there are critiques and challenges being levelled at electoral processes. And digital processes, lending themselves towards opacity, similarly lend themselves towards critique.
In the US it’s voting machines. In Estonia it’s i-voting.
Trust and transparency have always been a challenge – regardless of how an election is run. There will always be a target for those wishing to undermine the outcomes of an election.
Digitisation just makes that target a bit easier to hit.
“Whatever is not understandable, or not so easily observable,” says Vinkel, referring to the unique difficulties presented by elections that can not necessarily be observed or accounted for in a way that’s accessible to everyone – hence why it is so important to first build up that foundational trust in e-governance more generally.
Growing trust and managing threats
As far as foundations go, Estonia has done pretty well.
Services like i-voting rest on a digital ID card – a mandatory national identity document that enables remote, secure authentication and legally binding digital signatures. This, in turn utilises a state-supported ‘public key infrastructure’ – the policies, tools and processes that manage encrypted information transfer.
With over a million ID cards issued to date, Estonia has successfully integrated this technology into its electoral process, ensuring the authenticity and integrity of each voter’s identity and ballot.
To maintain transparency and verifiability, Estonia has also implemented various measures within its electronic voting system, such as ballot verification using a smartphone application which confirms the candidate for whom the vote was cast.
The country has made significant investments in improving accessibility as well, both through widespread internet access and high-speed connectivity. And there are clear legal frameworks and regulations governing the electoral process, with provisions for independent audits and oversight.
Yet no system is perfect. While Estonia’s electronic voting system has garnered praise from local election officials, it has faced criticism from computer security experts outside the country who argue that any voting system relying on the electronic transmission of ballots is inherently vulnerable to security breaches.
In 2014, an international team of computer security experts claimed they could compromise the system, manipulate votes and erase any trace of their actions if malware was installed on the Estonian election servers.
Government officials pushed back, but it highlights the persistent challenges, and the value of a slow and steady approach to implementation and growing trust.
i-Voting in Estonia isn’t an overnight success
“This is not something that comes easy,” says Vinkel. “It’s not a first-hand solution in an ecosystem that’s not already saturated.”
Vinkel, who works with other governments on developing their own digital infrastructure through the e-Governance academy, advises against expecting any great leap straight to the finish line.
“There needs to be a lot of prerequisites met and also basic trust built up over the years.”
For Estonia, the first foray into electronic voting began as far back as 2001, propelled by an “e-minded” coalition government that recognised the potential of technology to transform the democratic process.
The next milestone in the journey arrived via a pilot project for municipal elections in 2005, which marked the first instance of a nation conducting legally binding general elections over the internet. After declaring the project a success, Estonia took another significant step in 2007 by becoming the first country to employ internet voting in parliamentary elections.
Fast forward to the 2023 parliamentary elections, and Estonia achieved yet another milestone when, for the first time, more than half of all votes were cast online, underscoring the growing acceptance and popularity of electronic voting among its citizens.
That’s a 22-year journey. And one that has required a multifaceted approach.
“There needs to be functioning e-governance already there before you should even attempt to address something so brittle as trust by bringing e-voting into elections,” says Vinkel.
Yet the journey is not over. Even with all that lead-in, the integrity of i-voting is not a sure thing.
Fully committed
Despite internal and external scrutiny, Estonia continues to refine and enhance its electronic voting system.
Responding to independent (and not so independent) researchers and activists calling for greater transparency and further improvements, the country has taken steps to improve the system’s verifiability, security, and transparency, including forming working groups and producing reports with recommendations for further enhancements.
While it might be difficult, or even unwise, to imitate directly without first laying the foundations of resilient trust in e-governance, the lessons Estonia is learning on the front lines of digital democracy are worth paying attention to.
