The implementation of biometrics in e-voting requires prolonged testing

The Information System Authority (RIA) has commissioned an analysis of the implementation of biometrics in e-voting. The study acknowledges that the inclusion of facial recognition in elections is feasible, but breaches of privacy and the increased technological complexity add risks that currently might outweigh the benefits.

According to Arne Koitmäe, the head of the State Electoral Office, the inclusion of facial recognition requires a public agreement on the level of biometric identification that is reasonable and acceptable to the majority. ‘There is currently no agreed security standard for facial recognition technology and there has been no extended public practice of it being used by a large number of people at once. Therefore, it seems premature to use this solution during elections.’ Koitmäe added that e-voting in its current form is based on the foundations of the digital state, which Estonian residents use and thereby test every day. In his view, the inclusion of biometric data processing in elections should be handled in a similar manner: first, it must work well within public services.

However, according to Koitmäe, the alternative that was proposed in the study to increase the security of elections could be considered. ‘As an additional security measure, the analysis proposed the creation of an automatic notification system for e-voters, which would notify the voter by email or a text message when their electronic identity has been used to cast a vote. Such a notification system is currently used in banking, where it is possible to notify the users through a mobile application in case their bank card has been used to make a payment or money has been deposited to their bank account,’ noted Koitmäe.

There are many complex issues related to the use of biometrics, which is why RIA does not currently recommend implementing it in elections. ‘Implementing a biometric solution requires fundamental changes to the current digital personal identification process, including considering the new risks and benefits, as well as establishing rules. Prior to the introduction of e-voting, we had conducted regular and security-related testing of the principles of digital identity in hundreds of services in both the public and private sectors. As the wider use of biometrics is currently poorly regulated and we have no overview of the most secure solutions, we should not rush to use this option. A number of organisational issues are also raised, such as the availability of a proper camera and other tools, which may hinder participation in e-voting,’ said Margus Arm, Deputy Director General of RIA.

The main conclusions of the analysis by Cybernetica AS:

  • Facial recognition is technically complex and requires very large technical changes. Using it would increase the risk of errors in e-voting and significantly increase the requirements on the performance of the system. Meanwhile, it is impossible to reach a zero margin of error.
  • The e-voting service would become more inconvenient for the user, as it requires the availability of a device with a proper camera and the ability to use it. It also involves breaches of privacy.
  • Instead of facial recognition, there are lower-risk measures that would help combat attacks on e-voting:
    • Informing a person by email or a text message that a vote has been cast on their behalf.
    • Creation of good practice for nursing homes regarding the storing of ID-cards.

The study was commissioned by the Ministry of Economic Affairs and Communications and was prepared by the cyber experts of Cybernetica. The analysis can be found at valimised.ee and the website of RIA: Biomeetrilise näotuvastusmeetme rakendamine elektroonilisel hääletamisel (541.95 KB, PDF).

Press release of the State Electoral Office, 15 July 2021

More news on the same subject

The new yearbook of the Information System Authority (RIA) on cyber security summarises the most influential incidents in cyber space

28.04.2021 – In its most recent yearbook on cyber security, the Information System Authority (RIA) talks about the record number of phishing reports, denial-of-service attacks, and Emotet malware and cyber attacks against Estonian ministries that took place last year. In addition to incidents, you can read about the effect that COVID-19 had on Estonian cyber space, RIA’s larger role in elections, and the new information security standards of Estonia, as well as the most important developments in international cyber cooperation. The yearbook is available on the website of RIA (PDF).

European Union Members Share Advice on Cyber Security of Elections

1.8.2018 – Over 20 EU Member States have together compiled a compendium on cyber security of democratic processes. The document is a broad set of practical and workable measures that can be applied by both election management bodies and cyber security authorities.