Internet Voting in Estonia
Internet voting (I-voting or online voting) is one of the ways to vote, offered in addition to other voting methods. In this context, I-voting means voting via the Internet, not voting with a special voting device.
In 2012 a separate Electronic Voting Committee was established, which is now responsible for conducting Internet voting, while the National Electoral Committee retains a supervisory role. Internet voting was first introduced in the local elections of 2005, when more than 9 thousand voters cast their ballot via the Internet (this corresponded to about 2 per cent of all participating voters). Today, I-voting with binding results has been carried out eight times in Estonia:
- in the local elections in October 2005, October 2009 and October 2013
- the parliamentary elections in March 2007, March 2011 and March 2015
- the European Parliament elections in June 2009 and May 2014
- Brief description of the I-voting system
- I-voting principles
- Different ways to identify a person and to give digital signature while I-voting
- Verification of I-votes
- Scientific Research on Estonian Internet Voting Experience
One of the traditional ways to vote is outside the polling district of the voter’s residence. In this method, the voter puts his or her vote into a double envelope and the envelope is delivered to the voter’s polling division of residence. The general concept of I-voting has been derived from voting outside the polling district of residence. Both voting methods use a similar way of checking that the vote has been cast only once and of guaranteeing the anonymity of the vote.
To understand the I-voting system better, the envelope voting method used in Estonia should be described briefly:
- A voter presents an ID document to be identified.
- The voter then receives the ballot and two envelopes.
- The voter fills in the ballot paper and puts it into the inner envelope, which has no information about the voter.
- The voter then encloses that envelope in an outer envelope on which the voter's information is written.
- The envelope is delivered to the voter’s polling division of residence. After the eligibility of the voter is determined, the outer envelope is opened and the inner (anonymous) envelope is put into the ballot box.
The system guarantees that the voter’s choice remains secret, and recording the vote in the list of voters in the polling district of residence prevents voting more than once.
I-voting is carried out according to the same scheme. The downloaded I-voting application encrypts the vote. The encrypted vote can be regarded as the vote contained in the inner, anonymous envelope. After that the voter gives a digital signature to confirm his or her choice. Through digital signing, the voter’s personal data (the outer envelope) are added to the encrypted vote.
I-voting is possible only during the 7 days of advance polls, from the 10th day until the 4th day prior to Election Day. This is necessary to ensure that there is time to eliminate double votes by the end of Election Day.
To ensure that the voter is expressing their true will, they are allowed to change their electronic vote by voting again electronically during advance polls or by voting at the polling station during advance polls.
For example, if a voter cancels his/her electronic vote by going to the polling station to vote, it is guaranteed that only one vote is counted per voter. To that end, all polling stations are informed of the I-voters on their list of voters after the end of advance polls and before the Election Day on Sunday. If it is found at the polling district that the voter has voted both electronically and with a paper ballot, the information is sent to the Electronic Voting Committee and the voter's I-vote is cancelled.
Before the voting results are ascertained in the evening of Election Day, the encrypted votes and the digital signatures (i.e. the data identifying the voter) are separated. Then the anonymous I-votes are opened and counted. The system opens the votes only if they are not connected to personal data.
More detailed information in Estonian: E-hääletamise süsteemi üldkirjeldus (PDF).
Time framework of I-voting: I-votes may be given during 7 days, from the 10th day until the 4th day before the Election Day.
Possibility to recast I-vote: during the I-voting period a voter can recast his/her I-vote in which case the last I-vote counts.
Precedence of the ballot paper voting: if a voter who has already I-voted goes to the polling place during advance polls and casts his/her vote by using paper ballot, then the I-vote is cancelled. After that, the voter cannot recast his or her vote electronically or by using a paper ballot. On the Election Day the I-vote cannot be changed.
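The double-envelope processing described above (last I-vote counts, a paper ballot cancels the I-vote, signatures are separated before counting) can be sketched as follows. This is an added example, not code from the Estonian system: the HMAC "signature", the SHA-256 keystream "encryption", the voter names and all function names are stand-in assumptions chosen so the sketch runs with the standard library only.

```python
import hashlib, hmac, os, random
from collections import Counter

# Stand-ins (assumptions): HMAC plays the voter's digital signature and a SHA-256
# keystream XOR plays the election encryption. Neither is the real scheme.
ELECTION_KEY = b"constructed-election-key"

def keystream_xor(nonce: bytes, data: bytes) -> bytes:
    stream = hashlib.sha256(ELECTION_KEY + nonce).digest()  # covers choices up to 32 bytes
    return bytes(a ^ b for a, b in zip(data, stream))

def cast(voter_id, voter_key, choice, seq):
    """Inner envelope = encrypted choice; outer envelope = voter id + signature."""
    nonce = os.urandom(8)
    inner = nonce + keystream_xor(nonce, choice.encode())
    sig = hmac.new(voter_key, inner, hashlib.sha256).digest()
    return {"voter": voter_id, "seq": seq, "inner": inner, "sig": sig}

def select_countable(envelopes, voter_keys, paper_voters):
    """Verify signatures, keep each voter's last I-vote, cancel I-votes of paper voters."""
    last = {}
    for e in sorted(envelopes, key=lambda e: e["seq"]):
        expected = hmac.new(voter_keys[e["voter"]], e["inner"], hashlib.sha256).digest()
        if hmac.compare_digest(expected, e["sig"]):
            last[e["voter"]] = e          # a later I-vote replaces an earlier one
    return [e for v, e in last.items() if v not in paper_voters]

def separate(countable):
    """Drop the outer envelopes: only shuffled inner envelopes go to counting."""
    inners = [e["inner"] for e in countable]
    random.shuffle(inners)
    return inners

def tally(inners):
    """Counting sees ciphertexts only, never voter identities."""
    return Counter(keystream_xor(i[:8], i[8:]).decode() for i in inners)

def demo():
    keys = {"A": b"ka", "B": b"kb", "C": b"kc"}   # constructed voters and keys
    box = [cast("A", keys["A"], "cand-1", 1),
           cast("B", keys["B"], "cand-2", 2),     # B later votes on paper: cancelled
           cast("A", keys["A"], "cand-2", 3),     # A recasts; this one counts
           cast("C", keys["C"], "cand-1", 4)]
    box.append(dict(box[1], voter="C", seq=5))    # signature does not match voter: rejected
    return tally(separate(select_countable(box, keys, paper_voters={"B"})))
```

The order of the stages matters: deduplication and cancellation need the voter identity, so they run before `separate`, and `tally` is only ever handed the anonymous inner envelopes.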
Similarity of I-voting to regular voting: I-voting adheres to the election acts, general election principles and customs. Thus, it is uniform and secret, only eligible voters may vote, every person may cast only one vote, it should be impossible for voters to prove the way they voted. The collecting of votes is secure, reliable and verifiable.
The voter must be able to cast his/her vote freely and without outside coercion or influence. Incitement to I-voting by offering a computer for that purpose or influencing voters in any other way is prohibited; among other things, no collective I-voting events (opening of I-voting offices or service desks, etc.) shall be organised insofar as such activities may be considered violation of the freedom of voting.
An I-voter shall vote himself/herself. Using another person’s ID card (or mobile-ID) for voting and transfer of the card's PIN codes to another person is prohibited. In order to avoid security risks, only a trusted computer should be used, either owned by the voter or a person the voter can trust.
1. I-voting by means of ID card
- ID card with PIN codes. If PIN codes are lost, new ones may be requested from the service points of the Police and Border Guard Board or respective bank offices. Certificates can be renewed by the voter at www.sk.ee.
- Computer with Internet connection
- Smart card reader and ID card software (may be installed from installer.id.ee).
ID card software should be renewed if necessary. (See also www.id.ee)
Stages of I-voting by means of ID card
- Voter inserts ID card into the card reader
- Opens the I-voting website (www.valimised.ee)
- Downloads and runs voter application
- Identifies himself/herself by entering PIN1 code
- The list of candidates of the voter's electoral district is displayed
- Voter makes his/her choice
- Voter confirms his/her choice by digital signature (by entering PIN2 code)
- Receives a notice that the vote has been accepted.
2. I-voting by means of digital ID
Digital ID, i.e. digi-ID, is a document which allows identifying a person in the electronic environment and giving digital signature. Digi-ID looks like an ID card, but without a user’s photo, and it can only be used over the Internet.
The stages of I-voting and the means required when using digi-ID are similar to those used with the ID card.
3. I-voting by means of mobile-ID
This method was used for the first time during the 2011 elections to the Riigikogu.
- Mobile-ID SIM card with PIN codes and certificates
- Computer with Internet connection
- Mobile phone
There is no need to install a card reader or special software on the computer; the mobile phone with the respective SIM card performs the functions of the card and card reader simultaneously. Mobile-ID must be activated by ID card prior to use.
Stages of I-voting if mobile-ID is used:
- Voter opens the I-voting website (www.valimised.ee)
- Downloads and runs voter application
- Enters his/her mobile number into the application
- Identifies himself/herself by entering the mobile-ID PIN1 code in the mobile phone (prior to that a control code is sent to the mobile phone by SMS)
- The consolidated list of candidates in the electoral district of the voter's residence is displayed to the voter on the computer screen
- Voter makes his/her choice with the computer
- Confirms his/her choice by digital signature, entering the mobile-ID PIN2 code in the mobile phone (prior to that a control code is sent to the mobile phone by SMS)
- Receives an on-screen notice that the vote has been accepted.
Mobile-ID allows a person to be identified and to give digital signatures, but at the moment it is not possible to vote by using a mobile phone; a computer with Internet connection is also needed. Thus, it is too early to talk about m-voting as such.
I-voting may be tested before the elections at www.valimised.ee. This allows the voter to check whether the computer has the required software, the ID card (or mobile-ID SIM card) certificates are valid and the PIN codes exist. If any problems occur, there is still enough time to solve them.
Verification of electronic votes (I-votes) makes it possible to obtain more accurate information on the security of the computer that was used to cast the I-vote. Verification makes it possible to detect when the computer is infected with malware that changes the I-vote or blocks I-voting. According to the Riigikogu Election Act the verification of I-votes shall not be implemented before 2015. The system will be tested first at the 2013 local elections. Voters will be able to verify their I-votes with a smart device (smartphone or tablet) equipped with a camera and Internet connection. During the 2013 test, only Android devices were supported. Support for other platforms will be added by 2015. More information: What is Verification of I-Votes? (PDF)