Internet Voting in Estonia
Electronic voting (I-voting) is one of the possibilities to vote in addition to other voting methods. I-voting means in this context voting via Internet, not voting by using a special voting device.
In 2012 a separate Electronic Voting Committee was established who is now responsible for conducting Internet voting while the National Election Committee retains a supervisory role. Internet voting was first introduced in the local elections of 2005, when more than 9 thousand voters cast their ballot via the Internet (this corresponded to about 2 per cent of all participating voters). Today, I-voting with binding results has been carried out seven times in Estonia: in the local elections in October 2005, the parliamentary elections in March 2007, the European Parliament elections in June 2009 and May 2014, the local elections in October 2009, the parliamentary elections in March 2011 and the local elections in October 2013. Some statistics on I-voting can be found here. As of 2013, the source code of the I-voting software has been made public at https://github.com/vvk-ehk/evalimine.
One of the traditional ways to vote is outside the polling district of the voter’s residence. This means that during the voting, the voter puts his or her vote into double envelope and the envelope is delivered to the voter’s polling division of residence. The general concept of I-voting has been derived from the above-mentioned voting outside the polling district of residence. What is similar in these two voting methods is the way of checking that the vote has been cast only once and guaranteeing the anonymity of vote.
In order to understand the I-voting system better, the envelope voting method used in Estonia should be described shortly:
- A voter presents an ID document to be identified.
- The voter then receives the ballot and two envelopes.
- The voter fills in ballot paper and puts it into the envelope, which has no information about the voter.
- Then he encloses the envelope into outer envelope on which the voter's information is written.
- The envelope is delivered to the voter’s polling division of residence. After the eligibility of the voter is determined, the outer envelope is opened and the inner (anonymous) envelope is put into the ballot box.
The system guarantees that the voter’s choice shall remain secret and recording the vote in the list of voters in the polling district of residence prevents voting more than once.
I-voting is carried out according to the same scheme. The downloaded I-voting application encrypts the vote. The encrypted vote can be regarded as a vote contained in the inner, anonymous envelope. After that the voter gives a digital signature to confirm his or her choice. By digital signing, the voter’s personal data or outer envelope are added to the encrypted vote.
I-voting is possible only during 7 days of advance polls - from 10th day until 4th day prior to Election Day. This is necessary in order to ensure there is time to eliminate double votes by the end of the Election Day.
To ensure that the voter is expressing their true will, they are allowed to change their electronic vote by voting again electronically during advance polls or by voting at the polling station during advance polls.
For example, if a voter cancels his/her electronic vote by going to the polling station to vote, it is guaranteed that only one vote is counted per voter. To that end, all polling stations are informed of the I-voters on their list of voters after the end of advance polls and before the Election Day on Sunday. If it is found at the polling district that the voter has voted both electronically and with a paper ballot, the information is sent to the Electronic Voting Committee and the voter's I-vote is cancelled.
Before the ascertaining of voting results in the evening of the Election Day, the encrypted votes and the digital signatures (ie data identifying the voter) are separated. Then anonymous I-votes are opened and counted. The system opens the votes only if they are not connected to personal data.
Time framework of I-voting: I-votes may be given during 7 days from 10th day until 4th day before the Election Day.
Possibility to recast I-vote: during the I-voting period a voter can recast his/her I-vote in which case the last cast I-vote counts.
Precedence of the ballot paper voting: if a voter goes to the polling place during advance polls and casts his/her vote using paper ballot (having I-voted prior to that), then the I-vote is cancelled. After that voter can not recast his vote electronically or by using a paper ballot. On Election Day the I-vote cannot be changed.
Similarity of I-voting to regular voting: I-voting adheres to the election acts, general election principles and customs. Thus, it is uniform and secret, only eligible voters may vote, every person may cast only one vote, it should be impossible for voter to prove the way he/she voted. The collecting of votes is secure, reliable and verifiable.
The voter must be able to cast his/her vote freely and without outside coercion or influence. Incitement to e-voting by offering a computer for that purpose or influencing voters in any other way is prohibited, among other things, no collective I-voting events (opening of e-voting offices or service desks, etc.) shall be organised insofar as such activities may be considered violation of the freedom of voting.
An e-voter shall vote himself/herself. Using another person’s ID card (or mobile-ID) for voting and transfer of the card's PIN codes to another person is prohibited. In order to avoid security risks only a trusted computer should be used, either owned by the voter or a person the voter can trust.
- ID card with PIN codes. If PIN codes are lost, new ones may be requested fromservice points of Citizenship and Migration Bureau of the Prefecture or respective bank offices (more information here). Certificates can be renewed by voter at sk.ee/id-kontroll/).
- Computer with Internet connection
- Smart card reader and ID card software (may be installed from installer.id.ee/).
ID card software should be renewed if necessary. (See also id.ee
Stages of I-voting by means of ID card
- Voter inserts ID card into the card reader
- Opens the I-voting website (www.valimised.ee)
- Downloads and runs voter application
- Identifies himself/herself by entering PIN1 code
- the list of candidates of the voter's electoral district shall be displayed
- Voter makes the choice
- Voter confirms his/her choice by digital signature (by entering PIN2 code)
- Receives a notice that the vote has been accepted.
Digital ID, i.e. digi-ID is a document, which allows identifying a person in the electronic environment and giving digital signature. Digi-ID looks like an ID card, but without a user’s photo it can only be used over the Internet.
Stages of I-voting and means in using digi-ID are similar to the ones used with ID card.
This method was used for the first time during 2011 elections to the Riigikogu.
- Mobile-ID SIM card with PIN codes and certificates
- Computer with Internet connection
- Mobile phone
There is no need to install a card reader on the computer and special software; the mobile phone with the respective SIM card performs the functions of the card and card reader simultaneously. Mobile-ID must be activated by ID card prior to use.
Stages of I-voting if mobile-ID is used:
- Voter opens the I-voting website (www.valimised.ee)
- Downloads and runs voter application
- Enters his/her mobile number into the application
- Identifies himself/herself by entering in the mobile phone the mobile-ID PIN1 code (prior to that a control code is sent to you mobile phone by SMS)
- Consolidated list of candidates in the electoral district of the residence of the voter shall be displayed to the voter on the computer screen
- Voter makes his/her choice with the computer
- Confirms his/her choice by digital signature, entering in the mobile phone the mobile-ID PIN2 code (prior to that a control code is sent to you mobile phone by SMS)
- Receives a notice screen that the vote has been accepted.
Mobile-ID allows a person to be identified and give digital signatures but at the moment it is not possible to vote by using a mobile phone, a computer with Internet connection is also needed. Thus, it is too early to talk about m-voting as such.
I-voting may be tested before the elections at www.valimised.ee
. This allows to check whether voter's computer has the required software, ID-card (or mobile-ID SIM card) certificates are valid and PIN codes exist. If any problems occur, there is still enough time to solve them.
Verification of electronic votes (I-votes) enables to receive more accurate information on the security of the computer that was used to cast the I-vote. Verification makes it possible to detect when the computer is infected with malware that changes the I-vote or blocks the I-voting.According to the Riigikogu Election Act the verification of I-votes shall not be implemented before 2015. The system was tested first at 2013 local elections. Voters will be able to verify their I-votes with a smart device (mobile phone or a tablet) equipped with a camera and Internet connection. During the 2013 test only Android devices were supported. Support for other platforms (Windows Phone and iOS) was added in 2014. More information: What is Verification of I-Votes? (pdf)