In Estonia, just about everything happens online: 99% of the Baltic country’s public services are available on the internet. Everything from storing health data to signing legal court documents — and, in 2005, voting was added to that list.
Voters use a national ID to login to the system, enter a PIN code to cast their votes and then scan a QR code afterwards to make sure their ballot was received. And there haven’t been any effective, large-scale attempts to hack the system, according to Liisa Past. She helped lead the Estonian government’s analysis on cyber-risks of online voting and now works with the government through a partnership with cybersecurity firm Cybernetica.
“Online voting — however you vote — is not the main attack vector,” she explained. “There are information attacks that are trying to undermine legitimacy of elections: attacks against election organizers and defacement of websites, theft of data and emails. It’s that wider context of there being quite capable and incredibly opportunistic adversaries seeking to delegitimize democratic routines across the Western world.”
Because voting is clearly regulated in many parts of the world, it’s instead the trust voters have in their governments that Past says is the primary target for cybercriminals.
In Estonia, that trust is inherent since residents are used to carrying out much of their daily lives and interactions with the government online.
In the U.S., moving elections online in the same way could prove more difficult.
“Voting cannot be more digital than the governance it supports,” Past said.
“If your citizens are quite accustomed to applying for their driver’s license online or filing taxes online, and there’s years of history of doing that securely, then voting just becomes one of those services.”
But not everyone sees online elections as a positive step.
Harri Hursti, who helped lead analysis at the University of Michigan into Estonia’s online voting system, argues no platform will ever be 100% secure. When a voter casts a ballot online, it’s much more difficult to keep the choices he or she made secret.
More basically, he said, voting is a far different beast than managing your bank accounts.
“There are no do-overs,” Hursti said of elections. “In banking, if there’s a problem transaction, your money can be returned. That’s not the case with voting. You cannot correct errors, so you have to get it right.”
But that’s where Florian Marcus of e-Estonia, a partnership between the government and the IT industry, disagrees. Marcus said that if there is a widespread problem, the government can cancel the online elections and revert back to the paper vote right afterward. That process, he said, wouldn’t delay the election because internet voting ends three days before paper voting begins.
And clearly that reassurance is enough for Estonians: In the last election, 44% of the nation’s voters cast their ballots online, up from just 1% when online voting was first available.
While participation has been slow to build, Past said building online voting into a habit will form the backbone of trust in the process.
“Next time you vote online and it’s both convenient and secure, you build another small piece of trust that encourages you to do it again and again,” she said.
But before you jump to the next conclusion, that the convenience of online voting leads to higher voter turnout, Past said that doesn’t actually happen. She says a voter is a voter, and technology neither entices nor discourages participation in the democratic process.