Kaimar Karu: Face recognition could be added to e-voting but should it?

It might seem at first glance that face recognition could be a second authentication factor to leave us with a more secure e-voting system. However, this fails to consider the fact that the Estonian ID-card already uses two-factor authentication. The card cannot be used digitally without knowing the PIN numbers, while the latter are useless without the physical card, Kaimar Karu writes.
The topic of e-voting and its security landed on the agenda again recently. The option largely missed by the public that has nevertheless been doing the rounds backstage for some time of using face recognition as an additional measure of security was proposed and immediately met with (mostly critical) feedback.
For example. Just like trusting e-voting cannot be a matter of faith, the same is true of distrust for it. Fundamentalism is unacceptable on both headings.
Secondly, the following is based on the presumption that Estonia wants to use the possibility of e-voting in the future – provided several important conditions have been met. The following train of thought shares nothing with the conviction that electronic voting is a priory wrong and shouldn't be allowed.
Thirdly, it proceeds based on the fact that voter fraud at electronic elections in Estonia has not been proven as of today. There are various stories and hypotheses but no proven cases. My opinion shares no common elements with accusations according to which fraud has taken place but has been covered up in cooperation of the police and courts.
Managing risks also a compromise
It is sensible and necessary to investigate ways to improve the security of digital solutions. Every potential improvement needs to be weighed in terms of its proportionality considering the extent of the security risk, as well as the cost and complexity of implementation.
In other words, and to simplify to a great degree, we need to ask whether it is sensible to spend €100 on managing a risk of a single euro. Managing risks – whether technological or not – is a matter not just of analysis but also compromise. There are many risks that can never be reliably eliminated.
No digital solution is 100 percent crackproof. Work to manage new risks and for discovery, recovery and correction to take place as soon as possible upon a new risk manifesting is constantly underway. Technological development is rapid and the race between crackers and builders-defenders is an endless series of sprints.
One method of boosting the security of digital solutions is two-factor authentication that requires the person to be identified in two separate ways, making it much harder for criminals to gain access. It is a favored and recommended additional layer of security for many modern digital solutions.
It might seem at first glance that face recognition could function as a second and additional layer of security with which to complement e-voting. However, this fails to consider the fact that the Estonian ID-card already uses two-factor authentication. The card cannot be used digitally without knowing the PIN numbers, while the latter are useless without the physical card. Face recognition would therefore constitute adding a third layer in the electronic voting context.
The more security, the better. Right? Unfortunately, and as said before, it is not quite that simple. We need to also keep in mind technical feasibility, the cost of the solution, inconvenience and compare all of those aspects to the extent of the risk.
One of the safest possible ways of organizing e-voting would be to use a single electoral computer in a guarded room that voters are given access to based on a voter list after producing their ID and biometric data (fingerprint, iris scans and heartbeat), whereas every single press on the keyboard, including the person's choice of candidate is recorded.
One of the least secure ways of going about it would be to identify voters through something like a good-politician.ee website by having them provide their name and postal code and only count votes until the total number of people with voting rights is hit. Our goal should be to find a sensible compromise somewhere in between these extremes.
Back to face recognition
Firstly, we need to clearly phrase the problem we are trying to solve. Based on more frequent opinions, the problem could be summed up as trying to reduce the likelihood of criminals casting a vote in place of a person and without their knowledge after having gained access to their ID-card and its PIN numbers.
Secondly, we need to analyze the extent of the problem/risk. Have we proof that something like that has ever happened? Under what kind of conditions could such a risk manifest in the future? How many citizens eligible to vote could it concern?
Thirdly, we need to consider alternative ways to manage the risk. Would a technological solution, such as face recognition, be the best option? Or perhaps an amendment to prescribe tougher punishments for election fraud? Or maybe we need to boost supervision to raise voter fraud detection rates (from zero)?
We need to analyze feasibility and potential effect for every alternative. I will stick with what I know and only look at the technological solution of facial recognition here.
Firstly: Is the method technologically workable? Right now, electronic voting happens with the help of a special computer program the voter needs to install in their computer. Voting using a smartphone is impossible, which is why we need to keep in mind the possibilities and limitations of personal computers.
How many potential e-voters have a webcam? How many know how to or want to use it? What kind of hardware configurations and operating system versions would the electoral application need to be compatible with, considering the peculiarities, reliability and security of web camera drivers?
Secondly: What sort of developments would be needed? Here, we need to look at how much time and resources would be required and the side of processes and procedures. In the case of face recognition, we are talking about software developments, reliability and security testing and continued maintenance, as well as how much it would cost and a realistic time frame.
It is also possible that amendments to existing legislation would be in order. It could prove necessary to change the process of auditing elections. Several associated information systems might also have to be changed.
Thirdly: Would successful implementation of the project yield desired results? If the goal is to eliminate risks, can they be eliminated? For example, we can imagine a criminal asking (or "asking") their victim to look at the webcam for a moment and for the latter to comply for one reason or another.
If the goal is to reduce the risk, to what extent (and how should it be measured) would it need to be lowered for the goal to be fulfilled?
Fourthly: Is the final effect of the measure positive summa summarum? Every component added to election software and procedures is a potential security risk. Every change creates both anticipated and unanticipated side-effects. Every procedural and technological addition has either a positive or negative effect on voter turnout.
In choosing the best possible course, we need to keep in mind the complexity of the electoral system as a whole on the one hand, while trying to pinpoint specific problems, challenges and criticism of elections on the other.
For example, destruction of ballots after elections is not a matter of e-voting but a peculiarity of the Estonian electoral system provided by section 77 of the Riigikogu Elections Act, whereas paper and electronic ballots are treated the same. Another peculiarity of our system is secrecy of voting as provided in sections 60 and 156 of the Constitution.
In summary. Face recognition could be added to e-voting. The question is whether it should.
Editor: Marcus Turovski