
Recommendations to OSCE/ODIHR (on how to give better recommendations for Internet voting)

Jan Willemson

TL;DR

The paper addresses how ODIHR's Internet voting recommendations for Estonia over 2007–2023 have sometimes been unimplementable or have undermined system integrity. It analyzes historical ODIHR recommendations, focusing on vote secrecy and end-to-end verifiability, and discusses attacker models and the necessity for explicit trade-offs. It advocates for clear criteria to assess verifiability levels and sufficiency, illustrated by Estonia's IVXV evolution and the Pereira attack scenario. The framework aims to help ODIHR and national authorities issue balanced, implementable guidance that preserves secrecy and integrity while acknowledging practical constraints, thereby strengthening public trust in Internet voting.

Abstract

This paper takes a critical look at the recommendations OSCE/ODIHR has given for Estonian Internet voting over the 20 years it has been running. We present examples of recommendations that cannot be fulfilled at all, but also examples where fulfilling a recommendation requires a non-trivial trade-off, potentially weakening the system in some other respect. In such cases OSCE/ODIHR should take an explicit position on which trade-off it recommends. We also look at the development of the recommendation to introduce end-to-end verifiability. In this case we expect OSCE/ODIHR to define what exactly it means by this property, as well as to give explicit criteria to determine whether and to what extent end-to-end verifiability has been achieved.

Paper Structure

This paper contains 6 sections, 1 table.