Research at TalTech raises questions about e-voting

Citing university research, Tallinn University of Technology (TalTech) leading researcher Ago Samoson wrote that it's possible in one stage of processing e-votes to introduce entirely new ballots to be counted. The State Electoral Office (RVT) maintains that e-voting is verifiable from start to finish.
Citing research by Tarvo Treier and Kristjan Düüna (link in Estonian), Samoson wrote in daily Postimees' opinion section that in the stage of e-vote processing where valid e-votes are separated from those annulled by repeat votes or a paper ballot and then anonymized, it is possible to introduce entirely new ballots to be counted — and that no software has yet been developed to allow auditors to verify such replacements.
According to State Electoral Office (riigi valimisteenistus, RVT) director Arne Koitmäe, what Samoson fails to mention is that auditors have manually checked this process, and that a specialized auditing application was already in use for this purpose during the 2024 European Parliament elections.
Düüna had pointed out in his master's thesis that there had previously been no simple way to verify this, and that his proposed solution introduces additional control mechanisms to ensure that all votes originally present in the ballot box are accounted for, whether among annulled votes or those proceeding to being counted.
The RVT incorporated the researcher's proposed solution into the auditing application used in the 2024 elections.
Samoson also criticized the application of analogies from paper voting to e-voting, claiming that this allows the electoral office to determine the voter behind each ballot and even how they voted.
According to Koitmäe, however, this isn't true, as votes can only be opened using segments of a key whose use is audited and which are sealed, preventing votes from being accessed at any other time.
"The key for opening votes is generated by the RVT in the presence of auditors and observers prior to the start of the election, and it is then divided into nine key segments, distributed between members of the RVT and the National Electoral Committee (Vabariigi Valimiskomisjon, VVK)," the director explained. "After creation, they are sealed by an auditor with security stickers to prevent the key segments' use or duplication."
In order for e-votes to be able to be technically opened, e-voting, or online voting, must have concluded, the e-ballot box must have been handed over to the RVT in the presence of an auditor, and personal data must have been stripped from the e-ballots — a process likewise conducted under the supervision of auditors and observers.
Center Party calls for Riigikogu select committee on e-voting
A thorough analysis conducted by researchers at TalTech has identified several significant security shortcomings in Estonia's e-voting process, which is why it's necessary to immediately form a select committee in the Riigikogu to clarify these matters, said opposition Center Party chair Mihhail Kõlvart in response to the article published by Postimees.
"The Center Party has expressed doubts about the integrity of Estonia's e-voting system for years," Kõlvart stated. "Now these doubts have been scientifically and technically validated by TalTech researchers, whose expertise is beyond question. A risk has been identified that the electoral committee may be able to link a voter to their ballot, violating the principle of ballot secrecy. In addition, their research highlights the possibility of introducing [additional] electronic ballots."
According to the Center chair, potential shortcomings in ensuring election anonymity clearly violate the principles of a democratic rule of law.
"If a voting system has even a theoretical possibility of influencing or altering election results, it constitutes a clear security threat," Kõlvart stressed.
"Given the upcoming local elections and the m-voting system currently under development, it is crucial to urgently convene a Riigikogu select committee to analyze the risks associated with e-voting and assess whether the security concerns raised by researchers can be convincingly refuted or must be addressed."
--
Follow ERR News on Facebook and Twitter and never miss an update!
Editor: Aili Vahtla