In Estonian Parliamentary elections held in 2011, the percentage of Internet voters among all the voters was as high as 24.3%. At the same time a student implemented a proof-of-concept malware which demonstrated the effective disenfranchisement of the voter from the right to vote. The chapter gives an overview of risk assessment and threat modeling of Estonian Internet voting after the events of 2011. The chapter presents a classification of attacks against the voting method, distinguishing between manipulation attacks, revocation attacks and attacks towards public confidence.
TopIntroduction
Several countries have looked into some form of electronic voting for various reasons. It is hoped that remote electronic voting improves the availability of elections especially for citizens abroad and increases voter turnout (Madise & Martens, 2006; Driza-Maurer, Spycher, Taglioni, & Weber, 2012; Pinault & Courtade, 2012). Electronic tallying is seen as a way to speed up the process to provide accurate election results (Mirau, Ovejero, & Pomares, 2012). For disabled people, electronic voting is a possibility to vote without assistance (Loide & Lepp, 2007). It is even claimed that without online voting segments of society will stay completely absent from voting (The world's five biggest cyber threats, 2012).
Opponents of electronic voting point out that the application of new technology opens new ways to tamper with elections (Jefferson, Rubin, Simons, & Wagner, 2004). The basic threats are the same for all voting methods – selective voter disfranchisement, privacy violation, vote buying, etc., but the technology of electronic voting allegedly allows attacks to be carried out more efficiently than ever before.
Estonia has implemented a specific form of remote electronic voting – Internet voting – as a method to participate in various types of legally binding elections since 2005. In Parliamentary elections held in 2011, the percentage of Internet voters among all the voters was as high as 24.3%. In parallel to the rise of popularity, the amount of attempts to question the security or suitability of the Internet voting increased. For example, in 2011 a student implemented a proof-of-concept malware which demonstrated effective disenfranchisement of the voter from the right to vote, although the victim was left with an impression that his vote was cast as intended and accepted as cast. This proof-of-concept malware was used as a tool in an attempt to revoke the results of Internet voting altogether (Heiberg, Laud, & Willemson, 2011).
Today in Estonia, Internet voting is not a niche-method anymore. Successful attacks against the method might have significant influence on the election result. In this evolved situation we have performed threat modeling of the Estonian Internet voting method. We have used attack-trees as a modeling tool. Building upon existing works and combining it with the experience from Estonian elections, we have reached an extended classification of attacks against the voting method. We distinguish between manipulation attacks, revocation attacks and attacks on public confidence. We show how the technology of the voting method can be abused to achieve an election specific goal.