Estonia’s nationwide Internet-voting scheme relies on the state-mandated electronic identity (eID) infrastructure for strong voter authentication and qualified electronic signatures. A statutory safeguard against coercion is re-voting: a voter may cast multiple electronic ballots during the advance-voting period, with only the last one counted, and the number of ballots must remain secret. This expectation is violated by current eID audit practice: every signing transaction-including each vote-is irrevocably logged by the eID service provider and displayed to the credential holder. These logs reveal the exact count and timing of a voter’s interactions with the voting system, compromising the intended secrecy of re-voting and enabling coercers to detect whether the voter has changed their choice. This paper presents a threat model and examines concrete design alternatives-such as persistent log filtering, dedicated voting credentials, and offline signing-analysing their respective trade-offs in security, usability, regulatory compliance, and system complexity. The findings demonstrate how well-intentioned components can interact to break coercion resistance through a metadata-based side-channel. The identified vulnerability has been responsibly disclosed to the relevant Estonian authorities. The case underlines the need for composition-aware risk assessment whenever election systems depend on external digital infrastructures.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

Re-voting Under Surveillance: National eID Transaction Logs as a Threat to Coercion Resistance in Estonian Internet Voting

  • Tarvo Treier

摘要

Estonia’s nationwide Internet-voting scheme relies on the state-mandated electronic identity (eID) infrastructure for strong voter authentication and qualified electronic signatures. A statutory safeguard against coercion is re-voting: a voter may cast multiple electronic ballots during the advance-voting period, with only the last one counted, and the number of ballots must remain secret. This expectation is violated by current eID audit practice: every signing transaction-including each vote-is irrevocably logged by the eID service provider and displayed to the credential holder. These logs reveal the exact count and timing of a voter’s interactions with the voting system, compromising the intended secrecy of re-voting and enabling coercers to detect whether the voter has changed their choice. This paper presents a threat model and examines concrete design alternatives-such as persistent log filtering, dedicated voting credentials, and offline signing-analysing their respective trade-offs in security, usability, regulatory compliance, and system complexity. The findings demonstrate how well-intentioned components can interact to break coercion resistance through a metadata-based side-channel. The identified vulnerability has been responsibly disclosed to the relevant Estonian authorities. The case underlines the need for composition-aware risk assessment whenever election systems depend on external digital infrastructures.