The implementation of biometrics in e-voting requires prolonged testing
The Information System Authority (RIA) has commissioned an analysis of the implementation of biometrics in e-voting. The study acknowledges that the inclusion of facial recognition in elections is feasible, but breaches of privacy and the increased technological complexity add risks that currently might outweigh the benefits.
According to Arne Koitmäe, the head of the State Electoral Office, the inclusion of facial recognition requires a public agreement on the level of biometric identification that is reasonable and acceptable to the majority. ‘There is currently no agreed security standard for facial recognition technology and there has been no extended public practice of it being used by a large number of people at once. Therefore, it seems premature to use this solution during elections.’ Koitmäe added that e-voting in its current form is based on the foundations of the digital state, which Estonian residents use and thereby test every day. In his view, the inclusion of biometric data processing in elections should be handled in a similar manner: first, it must work well within public services.
However, according to Koitmäe, the alternative that was proposed in the study to increase the security of elections could be considered. ‘As an additional security measure, the analysis proposed the creation of an automatic notification system for e-voters, which would notify the voter by email or a text message when their electronic identity has been used to cast a vote. Such a notification system is currently used in banking, where it is possible to notify the users through a mobile application in case their bank card has been used to make a payment or money has been deposited to their bank account,’ noted Koitmäe.
There are many complex issues related to the use of biometrics, which is why RIA does not currently recommend implementing it in elections. ‘Implementing a biometric solution requires fundamental changes to the current digital personal identification process, including considering the new risks and benefits, as well as establishing rules. Prior to the introduction of e-voting, we had conducted regular and security-related testing of the principles of digital identity in hundreds of services in both the public and private sectors. As the wider use of biometrics is currently poorly regulated and we have no overview of the most secure solutions, we should not rush to use this option. A number of organisational issues are also raised, such as the availability of a proper camera and other tools, which may hinder participation in e-voting,’ said Margus Arm, Deputy Director General of RIA.
The main conclusions of the analysis by Cybernetica AS:
- Facial recognition is technically complex and requires very large technical changes. Using it would increase the risk of errors in e-voting and significantly increase the requirements on the performance of the system. Meanwhile, it is impossible to reach a zero margin of error.
- The e-voting service would become more inconvenient for the user, as it requires the availability of a device with a proper camera and the ability to use it. It also entails breaches of privacy.
- Instead of facial recognition, there are lower-risk measures that would help combat e-voting attacks:
  - Informing a person by email or a text message that a vote has been cast on their behalf.
  - Creation of good practice for nursing homes regarding the storing of ID-cards.
The study was commissioned by the Ministry of Economic Affairs and Communications and was prepared by the cyber experts of Cybernetica. The analysis can be found at valimised.ee and the website of RIA: Biomeetrilise näotuvastusmeetme rakendamine elektroonilisel hääletamisel (541.95 KB, PDF).
Press release of the State Electoral Office, 15 July 2021