OSCE findings on Estonian e-voting

By EDRi · June 1, 2011

This article is also available in:
Deutsch: [OSZE: Untersuchungsergebnisse zum estnischen E-Voting | http://bit.ly/jJOHnA]

In its report of 16 May 2011, the Office for Democratic Institutions and
Human Rights (ODIHR) of the Office of Security and Cooperation in Europe
(OSCE) found Estonia’s March 6 parliamentary elections, including the
Internet voting, as trustworthy, although several elections monitors have
pointed out a series of procedural and technical issues.

“The Riigikogu elections were conducted in an environment characterized by
respect for fundamental rights and freedoms and a high degree of trust in
the impartiality of the election administration. Election stakeholders
expressed confidence in the overall process, including the Internet voting.
Voters had an opportunity to make an informed choice among a field of
candidates representing a variety of political alternatives,” is ODIHR’s
conclusion.

However, the report expresses the belief that there is room for “improvement
of the legal framework, oversight and accountability, and some technical
aspects of the internet voting system.” The weakest point, according to the
report, is that the Estonian legislation doesn’t deal with significant
issues such as the situations that would allow the National Electoral
Committee (NEC) to declare Internet voting invalid or the way in which the
voters should become aware of the fact that they had to recast their ballots
on election day.

Another point of emphasis was that none of NEC staff or members had the
necessary know-how to carry out oversight procedures without strongly
relying on the IT department of the Parliament and therefore, the report
recommended the development of technical expertise within the committee.

Also, the results of the test made by NEC on the e-election system were not
made public and therefore more transparency would be necessary. A disaster
recovery plan was also recommended in the report, as the system maintenance,
as performed during the elections, might create security issues.

After the elections, student Paavo Pihelgas asked in court for the
invalidation of the electronic voting results claiming the software used in
the electronic voting was flawed and a virus could theoretically change a
vote without the voter’s knowledge.

The student conducted a series of experiments with volunteers in order to
prove his point. According to the law, the Supreme Court can nullify
election results in case of violation of voter rights that had or may have
had a significant effect on the election outcome.

As Pihelgas participated in the test wilfully, the Supreme Court’s
Constitutional Review Chamber decided on 21 March that his voter’s rights
had not been infringed as long as he had knowingly put himself into the
situation where his vote hadn’t reached the electoral committee web server.

Therefore, since only an established violation can lay at the basis of the
nullification of the election result, a hypothetical possibility that
someone’s computer may have been infected with a similar type of virus
without that voter’s knowledge, could not constitute enough cause for
nullification.

In this matter, the OSCE recommended the creation of a mechanism that would
allow a voter to check whether his or her vote had been changed.

OSCE Calls for Enhancements to Internet Voting (17.05.2011)
http://news.err.ee/Sci-Tech/2cf34a80-6dfd-4764-aa67-1d2cf4ca879e

Supreme Court Rejects Last Voter Complaint (23.05.2011)
http://news.err.ee/Politics/bbb598aa-586b-4981-9f7e-88273b5a25c0

Parliamentary Elections – 6 March 2011 – OSCE/ODIHR Election Assessment
Mission Report (16.05.2011)
http://www.osce.org/odihr/77557