In mid-May, the Estonian National Electoral Committee said that allowing voters to use a voting app on their smartphones would prevent the state from carrying out necessary checks on the app and its authenticity and would leave the distribution of the app in the hands of Google and Apple.

The committee said that it is important to be aware of all the risks associated with m-voting; the technical solutions developed to date do not mitigate these risks sufficiently and implementing m-voting does not only require the decision of the Electoral Commission, but also requires a change in electoral laws.

Arne Koitmäe, head of service at the State Electoral Office — the main administrative body of Estonian elections responsible for organizing Internet voting — said at the hearing in mid-May that the m-voting application cannot be used in the European Parliament elections in its current form.

The most serious risks are associated with online shops, application distribution, and software updates. These activities are not controlled by the electoral service.

Sven Heiberg, an expert from Cybernetica AS, said that the state would not have authority over the voting app. Heiberg identified three major risks: first, the time necessary to acquire critical updates to the application will increase and the election office will lose important control over the distribution of the application. Instead, tech giants such as Google and Apple will have a major say over app distribution.

Second, the application's authenticity and integrity could not be verified. Heiberg said this is an issue specific to Apple, as the IOS platform gives no control over the functionality of voter applications; Apple simply has to be trusted.

In the case of Google, the situation is somewhat less complicated; experts from the electoral office can guarantee that the application available for installation from the Google Play store is the one authorized by the electoral service.

Oliver Kask, chair of the electoral committee, told ERR that if the issue is identifying which app the voter is using in the first place, whether it is authentic or not. Also, whether there are bugs in the app that should not exist.

"The only program currently available is downloadable from the valitsus.ee website. The smart device, however, assumes it can be downloaded from the Apple App Store or Google Play. These stores are not under the authority of the Estonian government. It would possible to cooperate effectively with them, and we can place a significant amount of trust in them, but it is impossible to guarantee absolute certainty or control. In those stores, it is impossible for a public authority to verify the application. Also, if voters encounter difficulties downloading or activating the app, it would be challenging to provide helpdesk support," Kask explained.

The third risk is also significant: the m-vote cannot be verified. Since the m-voting app has the same verification protocol as the regular voter app, i.e. a QR code, a different smart device would be needed for verification. A solution is currently being developed so that votes could still be verified.

Kask said the majority of people do not own two smart devices, so they would have to use a family member's or friend's device to verify and "because it leaves a trace of who you voted for, it does not guarantee the privacy of the vote."

In addition, making quick changes to the app can be a problem.

"If necessary, it is now possible to modify e-voting program's tech within minutes. It will take hours, if not days, to update an m-application and upload it to (app) stores. In this case, conducting electronic elections becomes a serious hurdle," said Kask.

Alo Einla, head of information systems development at the Information System Authority (RIA), said that it was crucial to decide as soon as possible whether to use mobile voting in the European Parliament elections.

Koitmäe said it may be necessary to regulate by law the requirements for voting using a smart device.

He added that if none of the problems identified in the risk assessment have a legal basis, the Supreme Court, which has already acknowledged that the regulation is not sufficiently clear, will have to resolve these issues.

M-voting means that a computer is no longer required to vote electronically; a smartphone or tablet could be be used instead.

--

Follow ERR News on Facebook and Twitter and never miss an update!