Already in the previous Saeima elections, the Constitution Protection Bureau (SAB) deemed the portal Latvija.lv, created by the State Digital Development Agency (VDAA), unsafe and asked that it not be used in the elections, according to information available to Inc.
In its restricted-access (IP) document, SAB urgently asked the organizers of the electoral process to assess the technical possibilities of not using the unified authentication mechanism of the http://www.latvija.lv portal in the Electronic Online Voter Register and in the Election Management Systems. Instead, SAB recommended using the other designated authentication mechanism.
At that time, the other authentication mechanism had been developed by the company “SOAAR”, but initially SAB requested that this method not be used. During the course of the election – on the advance voting days – security specialists repeatedly changed their position, at one point demanding that the option to use latvija.lv be removed, then restored, so that it would not look suspicious, but all the while remaining ready to disable this option again as soon as the identified threats started to have an impact on the election systems. As SAB and CERT.lv unofficially explained, the cause of this was chaos and non-compliance in the maintenance of the VDAA portal latvija.lv.
The mentioned excerpt from the IP document circulated in Signal and WhatsApp chats used by security officers, Central Election Commission (CVK) representatives, CERT.lv and the election service provider SOAAR for mutual communication both in preparation for the elections and during them.
The 14th Saeima elections took place on 1 October 2022, but advance voting – i.e., depositing a vote for safekeeping – was already possible from 26 September in 66 polling stations. In advance voting, 4.11% of eligible voters cast their choice, but the SAB information that latvija.lv should not be used in election information systems appeared suddenly in the middle of the week, on 29 September.
Authentication in the elections is used by all polling station staff, who then scan all voters’ documents on their own or rented phones, checking whether the voter is entitled to vote, whether they have already voted, and obtaining similar information by scanning voters’ identity documents. Thus, if the authentication method is not secure, there is a risk of voter personal data leaking to third parties, as well as of influencing the fact of voting.
In response to questions, the Constitution Protection Bureau requested that the following comment be used without additions or rephrasing: “Satversmes aizsardzības birojs (SAB) does not comment on communication between SAB and other institutions that contains classified information and, in accordance with the procedures laid down in the regulatory framework, is not to be made public. SAB points out that one of the bureau’s competences is to regularly provide information on possible security risks to the state’s highest officials and the responsible institutions, which then decide on the most appropriate actions to prevent the security threat. In response to the question about Latvija.lv, SAB indicates that the State Digital Development Agency, as the maintainer of the state administration service portal Latvija.lv, is a subject of the cybersecurity framework and is obliged to ensure that the platform complies with cybersecurity requirements. SAB currently has no information indicating security vulnerability risks for Latvija.lv.”
Originally published at https://inc-baltics.com/sab-14-saeimas-velesanas-latvija-lv-izmantosanu-atzina-par-nedrosu/
Like
Love
Happy
Haha
Sad
