[Osmf-talk] Articles of Association Update 2.0
Jaak Laineste (Nutiteq)
jaak at nutiteq.com
Thu Jul 24 08:49:22 UTC 2014
> It is an article at a university website; besides, a paper ballot system can be rigged too.
>
> Researchers Identify Security Risks in Estonia's Online Voting System, May 16, 2014
> http://www.eecs.umich.edu/eecs/about/articles/2014/Estonia_evoting_risks.html
>
> "Estonia is the only country in the world that relies on Internet voting in a significant way for national elections. ... While some of the problems can be corrected in the short term through changes to the system, others stem from fundamental weaknesses that cannot be fixed. With the growing risk of state-level cyberattacks, the team unanimously recommends discontinuing Internet voting until there are fundamental advances in computer security."
>
If you read it more carefully, you will see that the study of Estonian Internet voting did indeed find some security issues, but these were problems with some specific implementation details, mostly security details of the national ID-card software, which is a core and mandatory requirement of the system over here. There has been no proof of any misuse of the theoretical security risks. By the way, this study was not even independent; it was directly sponsored by a specific party which simply feared getting a significant disadvantage due to its focus on a not-so-computer-friendly electorate. Anyway, these were not problems with e-voting as such.
By the way, the key technical solution implemented in Estonia to avoid the “compromised end-user computer” issue was not to make votes completely public, but to provide another channel (an Android app in this case) which enables you to check your own vote privately. Certainly there are other risks, like a compromised server or end-user offline manipulation, but these tend to be even worse in old-style offline voting systems, where not that much attention is paid to these aspects.
The current OSMF email voting is trivially hackable by spoofing email senders, so I think that at least email verifications/confirmations should be implemented.
Jaak (from Estonia)