The thing

As it turned out, proving the illegality and inadequacy of the online voting system used in Moscow's elections in 2022 wasn't rocket science or high mathematics. On the contrary, it was as easy as asking for a certificate!

And yet, the Moscow Election Commission failed to present this requisite essential document. Moreover, while the technical system violated rules and regulations set by the Central Election Commission, the obligations imposed on district election commissions amount to 'the act of the rape'.

The members of the commissions had no way of knowing how the system obtained the results they were forced to verify.

On the 9th of March 2023, legal proceedings were held in Moscow on the distance electronic voting (DEV) system used in the 2022 elections. In the court of first instance, 15 legal cases were held, all united by one theme. Two-thirds of them have reached the appeal stage. The candidates' fatigue from the election campaign seems to have taken its toll.

Prior to the 2022 campaign, we only really had an outline of how the DEV system worked. It was clear that the DEV system upends the results of the conventional vote, does not comply with the principles of openness and transparency, and that the system, produced by executive authorities with a vested interest, is closed to any technical examination, and how it works is unclear to everyone, including members of electoral commissions. But in spite of these well-known properties, in 2022, a few months before the start of the campaign, the DEV system was given a legal basis.

The 2022-2023 legal proceedings have gone through two stages of litigation, first instance and appeal, without apparent success. However, the court procedure allows plaintiffs to ask questions, and the cases in the first instance are gathering more and more evidence to be used further in higher courts. While it's clear that the Russian judicial system is currently broken, there is, on occasion, a judge in the higher courts who is in no way prepared to suffer humiliation, as demonstrated by several cases before the Supreme Court of the Russian Federation during the 2022 electoral campaign.

In order to understand the specifics of the court cases at hand, all of which share a common theme, a brief overview of the preceding key cases should be given.

The testing of the DEV system, which was introduced selectively as an experiment, took place during the campaign for the 2019 Moscow City Duma elections, and was followed shortly after by a suit by Roman Yuneman. The candidate, who had gone through legal proceedings, couldn't do anything in the courts. The lack of a legal basis and its explanation that the DEV system was experimental apparently delighted the authorities, and the usage of by-laws, which are not subject to appeal to the Constitutional Court, has continued.

During the 2021 campaign for the State Duma, Mikhail Lobanov also made his way through the courts. The court was presented with data that clearly demonstrated an anomaly in the DEV system. The court found no malfunction. Proving that the "dancing to the same tune" graphs indicate an anomaly pointing to some common cause has been impossible in this court. In essence, in the 2021 campaign, the court affirmed that any external indications that the DEV system was not fit for purpose were insignificant. In a curious turn of events, the court ruling expressed the position that the court should not intervene in the actions of the executive, because to do otherwise would violate the principle of separation of powers. This is not usually given in the text of judgements, although it is implied and follows from the judgements.

"Dancing to the same tune" graphs. see "Falsification of electronic voting (Moscow 2021)" from Navaly's team.

By the 2022 election, the rules for the use of the DEV system were legally officiated. In essence, the logic of elections dictates that a person's vote cannot be altered as it is received or during counting. However, Article 64.1 of Federal Law No. 67 stipulation of the need for "permanence of the results of the expression of the will of the voters" can be interpreted quite broadly. The legal requirement for certification does not specify what is certified but refers to the requirements of the CEC (Central Election Commission) on this matter.

This ambiguity in the law (a requirement yet without a requirement) is important for the authorities, as it allows the elections to be governed not by law but by regulations, which do not require approval by the State Duma.

What exactly the DEV system is certified for can be found in CEC Regulation No. 86/715-8 dated 08/06/2022. This document meant that the CEC had established that not just any DEV system, but a State Information System DEV system (SIS DEV), with Class 1 protection for information and Class 3 protection for personal data, would be required for elections. But the CEC regulation does not explain what type of information out of this two a person's vote is. There is no requirement for the CEC to protect a person's vote. Finally, it's easy to understand the purpose of the vague wording of the federal law. 'A vote may be protected, but we are not sure', as the common joke goes.

The Moscow City Election Commission is a subordinate commission to the CEC, which establishes procedures for its subordinate commissions. Despite not giving district commissions (Note: District Election Commissions are organisation commissions for the September 2022 Moscow municipal elections) any rights or tools to control the course of i-voting and its results, without giving them any understanding of what happens in the SIS DEV system and why the SIS DEV system results should be trusted, the Moscow City Election Commission has obliged these commissions to certify the final DEV protocols. The members of the commission have no way of knowing how the figures in the DEV protocol are reached and what they correspond to, no matter how much they want to.

By doing so, the Moscow City Election Commission has decoupled the legally significant act of certifying with a signature from giving a signature as confirmation. This is an act of the rape of district commissions.

So now we come to the essence of the 2022 lawsuits. The plaintiffs did not challenge the established rules. The plaintiffs demanded that the electoral commissions prove compliance with these rules, present a certificate on the SIS DEV system, and also show how the established set of rules ensures the main principle of any election, namely that the initial will of the voter is recorded in the final results.

This point should be emphasised, as it is crucial to understanding the issue. The conventional election commission and observers monitor the mechanics of a vote going into a ballot box, the integrity and unaltered nature of the paper ballots and do not control the expressed will of the individual voter. They can make sure that every elector's intact vote gets counted, where commission members from different parties and associations, in the presence of observers, count the votes openly and publicly. In contrast to the conventional procedure, there is nothing of the sort in internet voting via the SIS DEV system. The commission is obliged to entrust a device, which is beyond its ability to control, with the functions to accept the vote from the voter, preserve it, count up the vote totals, and issue the result in printed form.

When the public verification mechanism is replaced by the SIS DEV system, commissioners and observers need to be absolutely certain that the processing, storage and summing up of results are correct, which is required by the logic of the electoral process. Simply put, the SIS DEV system should not allow malfunctions that distort the will of the voters and this is the minimum requirement of the many possible requirements, without considering malevolent intent.

There are certain rules on how such systems should be designed, operated and tested. In particular, the entity that develops such a system must not participate in its certification. The system, including its hardware and software and how they work together, is verified by an independent body, which issues a security certificate for the resulting hardware and software product. By the way, if you want to understand the complexity of things on the level of SIS DEV systems, validation of such systems can take from several months to several years, and there are plenty of cases where developers have not received a security certificate for their system.

In lawsuits, it was demanded of the CEC to provide an explanation and prove that the chosen requirements, including the selection of defence classes, ensured that the will of the voter was unaltered.

Since it is impossible to build an absolutely foolproof system, the question to be investigated in court was how probable it was that the vote of Joe Bloggs could be distorted in the system and whether that probability was acceptable. In response to the issues raised by the lawsuit, the CEC submitted to the court an explanation that, firstly, the CEC's requirements had been verified by the court and, secondly, the CEC could not be a defendant. This is a half-truth. The CEC's requirements were examined by the courts on a different subject. The CEC did not provide a representative to the court, so the plaintiffs could not ask the CEC questions about the subject of the suit.

The subject of the lawsuits included the requirement to the Moscow City Election Commission to prove that the SIS DEV system used in the campaign had received the appropriate certificate.

Nothing has been presented in response to this clear and precise question.

So what was used as a SIS DEV system in the 2022 municipal elections in Moscow? Exactly what the court ruling in the Mikhail Lobanov case said was that a piece of "special software" (SSW) that had been developed and implemented by the Moscow Department of Information Technology. And there are certificates for only two SSW products, which cannot be a SIS DEV system, as a secure SIS must include hardware.

Unsurprisingly, said SSW had failed when in use, clearly demonstrating what "classes" of protection it actually had. Even the State Agency RIA noted instances where the mos.ru portal froze when voters cast their vote remotely, with the system authorising some voters under other people's names.

Thus, in violation of the current law and their own rules, the CEC and the Moscow City Election Commission held an election using a makeshift system instead of a certified one. Now, with no way to prove its adequacy, the courts have to wriggle out of it. It remains to be seen whether the conscience of the Supreme Court judges can withstand such an evasion of the subject matter.