EU parliament moves to email voting during COVID-19 pandemic

The European Parliament will temporarily allow electronic voting by email as MEPs are forced to work remotely during the coronavirus crisis.

A spokeswoman for the parliament confirmed today that an “alternative electronic voting procedure” has been agree for the plenary session that will take place on March 26.

“This voting procedure is temporary and valid until 31 July,” she added.

Earlier this month the parliament moved the majority of its staff to teleworking. MEPs have since switch to full remote work as confirmed cases of COVID-19 have continued to step up across Europe. Though how to handle voting remotely has generated some debate in and of itself.

“Based on public health grounds, the President decided to have a temporary derogation to enable the vote to take place by an alternative electronic voting procedure, with adequate safeguards to ensure that Members’ votes are individual, personal and free, in line with the provisions of the Electoral act and the Members’ Statute,” the EU parliament spokeswoman said today, when we asked for the latest on its process for voting during the COVID-19 pandemic.

“The current precautionary measures adopted by the European Parliament to contain the spread of COVID-19 don’t affect legislative priorities. Core activities are reduced, but maintained precisely to ensure legislative, budgetary, scrutiny functions,” she added.

The spokeswoman confirmed votes will take place via email — explaining the process as follows: “Members would receive electronically, via email to their official email address, a ballot form, which would be returned, completed, from their email address to the relevant Parliament’s functional mailbox.”

“The results of all votes conducted under this temporary derogation would be recorded in the minutes of the sitting concerned,” she further noted.

Last week, ahead of the parliament confirming the alternative voting process, German Pirate Party MEP, Patrick Breyer, raised concerns about the security of e-voting — arguing that what was then just a proposal for MEPs to fill and sign a voting list, scan it and send it via email to the administration risked votes being vulnerable to manipulation and hacking.

“Such a manipulation-prone procedure risks undermining public trust in the integrity of Parliament votes that can have serious consequences,” he wrote. “The procedure comes with a risk of manipulation by hackers. Usually MEPs can send emails using several devices, and their staff can access their mailbox, too. Also it is easy to come by a MEP’s signature and scan it… This procedure also comes with the risk that personally elected and highly paid MEPs could knowingly allow others to vote on their behalf.”

“eVoting via the public Internet is inherently unsafe and prone to hacking, thus risks to erode public trust in European democracy,” he added. “I am sure powerful groups such as the Russian intelligence agency have a great interest in manipulating tight votes. eVoting makes manipulation at a large scale possible.”

Breyer suggested a number of alternatives — such as parallel postal voting, to have a paper back-up of MEPs’ e-votes; presence voting in EP offices in Member States (though clearly that would require parliamentarians to risk exposing themselves and others to the virus by traveling to offices in person); and a system such as “Video Ident”, which he noted is already used in Germany, where the MEP face identify in front of a webcam in a live video stream and then show their voting sheets to the camera.

He also suggested MEPs might not notice manipulations even if voting results were published — as looks to be the case with the parliament’s agreed procedure.

It’s not clear whether the parliament is applying a further back-up step — such as requiring a paper ballot to be mailed in parallel to an email vote. The parliament spokeswoman declined to comment in any detail when we asked. “All measures have been put in place to ensure the vote runs smoothly,” she said, adding: “We never comment on security measures.”

Reached for his response, Breyer told us: “My concerns definitely stand.”

However security expert J. Alex Halderman, a professor of Computer Science and Engineering at the University of Michigan — who testified before the US Senate hearing into Russian interference in the 2016 U.S. Election — said e-voting where the results are public is relatively low risk provided MEPs check their votes have been recorded properly.

“Voting isn’t such a hard problem when it’s not a secret ballot, and I take it that how each MEP votes is normally public. As long as that’s the case, I don’t think this is a major security issue,” he told TechCrunch. “MEPs should be encouraged to check that their votes are correctly recorded in the minutes and to raise alarms if there’s any discrepancy, but that’s probably enough of a safeguard during these challenging times.”  

“All of this is in stark contrast to election for public office, which are conducted with a secret ballot and in which there’s normally no possibility for voters to verify that their votes are correctly recorded,” he added. 

NationBuilder probe closed

In further news related to the EU parliament the European Data Protection Supervisor (EDPS) announced today that it’s closed an investigation into the former’s user of the US-based political campaign group, NationBuilder last year.

Back in November the EU’s lead data regulator revealed it had issued its first ever sanction of an EU institution by taking enforcement action over the parliament’s contract with NationBuilder for a public engagement campaign to promote voting in the spring election.

During the campaign the website collected personal data from more than 329,000 people, which was processed on behalf of the Parliament by NationBuilder. The EDPS found the parliament had contravened regulations governing how EU institutions can use personal data related to the selection and approval of sub-processors used by NationBuilder.

The contract has been described as coming to “a natural end” in July 2019, and the EDPS said today that all data collected has been transferred to the European Parliament’s servers’.

No further sanctions have been implemented, though the regulator said it will continue to monitor the parliament’s activities closely.

“Data protection plays a fundamental role in ensuring electoral integrity and must therefore be treated as a priority in the planning of any election campaign,” said EDPS, Wojciech Wiewiórowski, in a statement today. “With this in mind, the EDPS will continue to monitor the Parliament’s activities closely, in particular those relating to the 2024 EU parliamentary elections. Nevertheless, I am confident that the improved cooperation and understanding that now exists between the EDPS and the Parliament will help the Parliament to learn from its mistakes and make more informed decisions on data protection in the future, ensuring that the interests of all those living in the EU are adequately protected when their personal data is processed.”

At the time of writing the parliament had not responded to a request for comment. Update: A spokeswoman said:

The European Parliament has taken into account the advice of the EDPS and has put in place the appropriate processes and workflows to ensure that the IT platforms and data processing operations related to the 2024 EU parliamentary elections are fully compliant with the regulation EU 2018/1725.

Also, a project has been launched to allow that, in any call for tender to outsource services which involve the processing of personal data on behalf of the EP, the company will be assessed also trough data protection criteria.

The Data Protection Service of the European Parliament is closely involved in the establishment of these criteria.