The postponed Russian referendum on constitutional reform was held in early July, as the country emerges from many quarantine measures imposed in recent months to control the spread of the COVID-19 virus. The referendum was held to modify the Russian Constitution, and was called in January. The proposed changes mean, in particular, that President Putin can legally remain in power until 2036, allowing him to run in two more presidential elections, if he so desires.
The law does not require the holding of a referendum for these changes. Those amendments can and have been authorized by the Russian regional legislative assemblies. However, the referendum is considered a sample of the public legitimacy of these changes. Therefore, it is important for the authorities that participation is high. Divided opposition movements debated whether they should boycott the elections or not. Meanwhile, the move to online voting has been presented by authorities as a measure to protect public safety during the COVID-19 pandemic, but it also represents an opportunity for the Kremlin to encourage greater voter turnout.
How does it work?
Since this is Russia's first experience of online voting for a national vote, it was expected that the online voting promotion material would highlight the usefulness and convenience of online voting, but also that it would try to reassure the users regarding the security of their vote. For the referendum, only voting citizens of Moscow and the Nizhny Novgorod region, the two regions most affected by the COVID-19 pandemic in Russia, cast their votes online. These citizens of Moscow and the Nizhny Novgorod region went to the polls online between June 25 and 30. The population of Moscow is around 11.9 million and the Nizhny Novgorod region of 3.3 million, making them a significant number of voters. The time allowed for face-to-face voting has also been extended to cover this period, to avoid queuing at the polls, but there has been a strong push for citizens to use online voting technology.
The online voting process for these eligible citizens was: users registered with local authorities to vote online with the state service portal Gosuslugi. To register, users used their national passport number, pensioner number, or tax identification number as validation. Then they authenticated this account with their phone number. User accounts use simple password protection. Once the account was validated with the above data, users could access the portal online from any computer or smart device and cast their vote digitally.
Videos promoting online voting were enthusiastic about the integrity of the ballot, claiming that it was secured by a blockchain that used distributed records. This platform is the result of the State's collaboration with the private company Bitfury, a company well known for searching for data for Bitcoin.
However, some basic security procedures were lacking to ensure that the voter is who they say they are online. Also, while the video highlights how distributed logs protect the integrity of individual votes, attention to security details was almost entirely in the possibility of cyber attacks. It did not address the possibility of internal abuse or consider possible abuse by the voters themselves.
For example, it did not explain safeguards to prevent actions such as voters voting twice (online as and then in person). The same promotional video claimed that this system was the only one in the world that provided anonymous online voting, a claim that can be shown to be false. Certainly, as this analysis highlights, there are alternative electronic voting systems with much more rigorous security procedures.
Who else votes online?
In Estonia, a neighboring country to Russia, voting has been online since 2005. Estonia's experience with online voting is the largest in the world and the country remains the only one to hold all its elections (local, European and national) with the option to vote online for all citizens. The original objective of introducing online voting in Estonia was to stimulate the number of voters and reduce the costs of holding elections. While the first objective has been relatively unsuccessful (participation is constant and reflects most Western democracies), the second has been successful. Estimates suggest that a vote cast online involves half the cost of casting votes on paper. While overall turnout has not been affected so far, the number of people casting their votes online has increased over time, as confidence in a system that also uses blockchain to ensure vote anonymity has increased. .
Other nations that have also dabbled in online voting, such as Switzerland, have offered citizens living abroad to vote online in 2015 and have periodically introduced online voting in certain cantons. However, as with many other countries, skepticism about security has limited the adoption of online voting more widely, and critics have called the Swiss approach fragmented. Similar approaches have been used in Norway and have subsequently been neglected.
Estonia's online voting experience is largely defined by users' digital identity (eID). From the age of 15, every Estonian citizen automatically receives a digital identity that is attached to their official identity document (there is also an alternative mobile electronic ID). Digital identity is essential to be able to vote online in Estonia. Voters must identify themselves online with their digital identity. To authenticate the identity, the user must have their identity card (which contains a chip) and the two PIN codes of that card. The card must be inserted into a card reader to generate the private key necessary to vote. For its part, the MobileID process requires a MobileID compatible SIM card, and a physical electronic identification card for authentication, which means that the voter must have valid details and access codes, and also physical documentation simultaneously.
The voter must have an ID card or a phone with the necessary MobileID SIM and then combine them with the valid security codes so that a vote cannot be cast online. This ensures, within reason, that the ballot is issued by the correct person. In addition, the ballot can be issued and subsequently modified at any time during the voting period. This is an additional security mechanism to avoid coercion, so if someone were to direct a voter to vote in person, they could change their vote later. While even these measures have left many outside critics unconvinced of Estonia's online voting system, they represent an additional layer of security that is lacking in the current Russian system.
Question of confidence
Although the conclusions on the Russian experience in electronic voting at this stage are premature, based on the available information there seems to be a remarkable vulnerability at the end of the users, compared to the Estonian experience of electronic voting using a digital identity. There is also a fragmented application that arguably reflects the nature of the vote itself as a rushed effort. This also occurs in a context of declining President's approval ratings (although these rates are comparatively quite high by the standards of Western leaders).
There are some trade-offs that should be made the first time a procedure is used. It is important to note that electronic voting has been used briefly for the most discreet local votes in recent years. This experience could and should have been used to improve security procedures, as well as consultation with other nations that already use electronic voting. Online voting cannot be introduced overnight and will develop over time, as the Estonian experience demonstrates, but the fact that it is not learned from the experiences of others should not instill confidence in voters that the Russia's current electronic voting system is rigorous enough to be considered secure.
It is vital to keep in mind that any online transaction will never be completely secure and this is also true in the case of electronic voting. Electronic voting always carries inherent risk and requires significant trust in the State to carry out the voting process properly and impartially, and to protect the integrity of the votes themselves. Citizens must fundamentally believe that neither the State, nor external agents, nor the voters themselves will manipulate the process covertly. This applies equally to Russia and the western states cited in this analysis. Trust comes from the broader actions of a government, but it can be enhanced with the safeguards and procedures built into the online process.
Significant research will be required to further explore Russia's electronic voting experience after the referendum. What's more, online participation promises to be one of the most interesting aspects of a referendum whose outcome is almost certain. Especially considering that there have been reports of workers from public institutions being forced to register to vote online.
However, based on what we know so far, there are some reasons to doubt the integrity of Russia's electronic voting, due to procedures and lack of guarantees.
This article was originally published in oDR, the openDemocracy section on Russia and the post-Soviet space. Reproduced with permission, and has been edited by style.