Written by Shaun Waterman

Blockchain technology can safely be used to authenticate e-voting by shareholders at a company’s annual general meeting, Nasdaq said this week, following a pilot project in Estonia.

The stock market technology provider — which has a subsidiary that runs a securities market and ownership registry in Estonia’s capital, Tallinn — said in a report it had successfully built and operated four web-based user interfaces that allowed shareholders in Estonia to log in using their verified national online ID and vote at the AGM of Tallinn-listed tech company LVH Group.

The implications weren’t immediately clear. Nasdaq said no one could be made available for interview, but it appears that the pilot’s success depends crucially on the company’s control of the securities registry; and on Estonia’s advanced e-ID program, which issues citizens with an electronic token to enable secure identity verification online.

Voting security experts in the U.S. were skeptical about the pilot project’s wider applicability, especially with regard to national elections.

“Blockchain solves a small part of the overall set of problems [with e-voting], but nowhere near all,” said Pamela Smith, president of election integrity advocacy group Verified Voting. “If you have a boat with many leaks, plugging one of them should not make you assume the others won’t swamp you,” she told CyberScoop via email.

The Nasdaq report states that the Estonia pilot “uses the blockchain in the traditional way to record the ownership of securities as reported by the [Estonian central securities depository, or] CSD,” the ownership registry operated by Nasdaq Tallinn.

Blockchain is the technology that underlies digital currencies like bitcoin. Also known as distributed ledger technology, or DLT, it uses distributed computing and cryptography to produce an unforgeable record of a transaction — shared amongst all the parties to it.

But the Nasdaq pilot goes beyond the traditional transaction settlement function of blockchain, to enable the verifiable owners of shares to take part in votes at or in advance of the AGM.

“Based on those [securities] holdings, the [e-voting] system also issues voting right assets and voting token assets for each shareholder. A user may spend voting tokens to cast their votes on each meeting agenda item if they also own the voting right asset,” states the Nasdaq report.

The web interfaces “identify users based on their Estonian digital ID – either via Estonian ID card or e-Residency card.”

Estonia issues its citizens national ID cards containing an electronic token that enables two factor identity authentication online when combined with a PIN. Non-citizens are able to obtain an e-Residency card with the same type of token as well.

The report adds that, “Pilot test feedback showed that support for mobile devices and a custom mobile e-voting application would further enhance the user experience.”

But online identity authentication via mobile phone is much less secure that the e-tokens currently used, points out James Scott, a senior fellow at cybersecurity think tank the Institute for Critical Infrastructure Technology.

The “movement to switch from ID cards, containing [a token,] and a PIN, to mobile authentication could greatly weaken” security, he told CyberScoop.

Verifying the identity of voters online is a key problem for any kind of internet-based election, Scott said. Alternatives like facial recognition via webcam, or social security numbers, have their own problems “These stores of e-voting authentication information invade users’ voting privacy and … the data itself could be stolen or manipulated by cyber-adversaries.”

“Blockchain technology is certainly more secure than the current antiquated black-box proprietary voting systems that are used throughout the United States,” Scott noted, but he added that typically blockchain technology detects errors “by attributing the transaction to the user or user identity across multiple ledgers. This cannot occur in e-voting because it would directly identify voters and therefore invade their privacy and invalidate their right to vote [privately.]”

“Blockchain is better than many of the voting systems currently in use, but current implementations of blockchain voting are far from foolproof,” he adds, concluding, “E-voting over the internet, known as I-voting, will inevitably end in disaster.”