Security fears delay roll-out of national e-voting system in Finland

Project enters problem-solving phase to identify advanced, effective and best practice solutions to develop a secure internet-based voting system

Security concerns have re-emerged to further frustrate the Finnish government’s plans to launch a national e-voting system.

But the country’s Ministry of Justice (MoJ) working group, which is leading the project, insists the venture is delayed rather than mothballed.

Finland’s online e-voting project will now enter a problem-solving phase to identify advanced, effective and best practice solutions to protect a future e-voting system.

The government said the system must be able to guarantee the operating integrity of the election process while being technically robust to combat a wide range of external threats, particularly those emanating from the cyber domain.

External interference in elections is an increasingly common threat to the integrity of national voting systems, their supporting IT infrastructure and the probity of election results. The overall security of voting systems came under the spotlight after the US presidential elections in 2016, and the more recent parliamentary elections in France and Germany.

Against this backdrop, Finland finds itself on a learning curve to develop IT-based security systems to make any future e-voting system effectively tamper-proof.

The country’s e-voting learning curve will include a high degree of competence-building and IT-based innovation. The main focus is on delivering a system comprising an online voting application, a front-end system and a back-end system. The online voting system is expected to use the nationally accepted Suomi.fi e-Identification, the voting register and the election information system.

Project managers are examining the strengths and weaknesses of e-voting systems in other countries, focusing particularly on Estonia.

Electronic voting in Estonia was rolled out for the country’s local elections in 2005, and further security features and safeguards were added to the internet-based system ahead of parliamentary elections. In 2007, Estonia conducted its – and the world’s – first national internet election.

By any measure, tech-savvy Estonia’s e-voting system has been a significant success story in a country where more than 99% of all public services are accessible online.

The Finnish MoJ’s decision to further postpone the e-voting project was based largely on fears around system security. Contributing concerns included external interference and the potential loss of public trust in the election process.

The MoJ estimates that the cost of launching and operating an e-voting system, based on a 15-year timespan, will be about €32m.

But the risks attached to launching online voting in Finland currently outweigh its benefits, said Johanna Suurpää, chair of the MoJ’s e-voting working group (eVWG).

“Our present position is that online voting should not be introduced in general elections as the risks are greater than the benefits,” said Suurpää.

In its project feasibility report presented to the MoJ, the eVWG conceded that although a Finnish online e-voting system is technically possible, the technology available is not yet at a “sufficiently high level to meet all the requirements”.

Problem areas

The report identified certain problem areas, including difficulties in the reconciliation of verifiability and election secrecy. As regards verifiability, the eVWG said full confidence in a future system must be based on voters being able to ensure that ballots are counted as cast. Also, the voter should receive “proof” of the ballot cast.

Not surprisingly, the potential risks identified in the eVWG’s feasibility report included the threat of external interference and possible manipulation of election results. It highlighted electoral interference through distributed denial of service (DDoS) attacks launched from cyber space, and large-scale breaching of election secrecy.

“The greatest risk relates to the loss of public confidence; the spreading of false information and malicious rumours could be enough to shake citizens’ confidence in the election process,” the eVWG report said. “When an online voting system is used, the information produced by the system needs to be trusted.”

Supporters of e-voting routinely put forward the prospect of higher voter turnouts in local and national elections as an argument in favour of such systems. Being able to vote remotely without having to physically travel to a voting station is the key to unlocking larger democratic participation in the election process, they argue.

Finland has a history of electronic voting dating back to the municipal elections in October 2008 that saw the country test e-voting for the first time in the municipalities of Karkkila, Kauniainen and Vihti. Voters in these three districts were able to cast their ballots electronically at polling stations either on election day or in advance. Traditional ballot voting was also allowed, but distance voting via the internet was deemed insecure at that time.

Flaws in the system

Although the Finnish government considered the pilot project a general success, flaws discovered in the system halted any expansion of e-voting for other elections in Finland. Some 232 voters encountered usability issues in the October 2008 municipal elections, resulting in their votes not being registered. Because of the uncounted votes, Finland’s Supreme Administrative Court ordered new elections to be run in those municipalities.

The 2008 e-voting pilot project in Karkkila, Kauniainen and Vihti used direct-recording electronic internet-enabled machines provided by local IT company TietoEnator. Back-end systems were supplied by Spanish e-voting technology group Scytl Secure Electronic Voting. Scytl’s Pnyx.core was the main security engine for the internet voting system. It was customised in collaboration with TietoEnator, and the voting interface was designed by the MoJ.

It may take years for a sufficiently well constructed and protected Finnish e-voting system to be developed. The MoJ is working closely with the country’s leading IT agencies and cyber security experts in the public and private sector to create a high-performance system that fully protects the integrity of the election process and result.

The growth of DDoS attacks against Finnish organisations is another consideration in the development process, necessitating robust shield technologies for a future e-voting system.

In recent months, a series of DDoS attacks launched from other countries have targeted Finland’s national social insurance agency Kela, the Ministry of Defence, Åland Bank, the Bank of Finland and the Financial Supervisory Authority.

Finnish investigators suspect that the attack on Åland Bank, which caused its websites to crash, was linked to the Russian military exercise Zapad 2017, which was largely conducted in the Baltic Sea. Åland Bank is headquartered in Mariehamn on the Åland Islands, midway between Sweden and Finland in the Baltic Sea.
