Junior Eurovision: How secure is the online voting system?

The online voting process for JESC2017 is underway. EBU says it’s confident in a valid result in which every person votes twice maximum. However, several journalists, including the ESCDaily investigative team, have found relatively easy ways to cast multiple votes from the same device.

Yesterday at the EBU press conference, Jon Ola Sand explained to ESCDaily’s chief editor Steef van Gorkum the true meaning of the online voting process. “You can vote once before the show and then you can vote again during the show. The voting is free. There are security measurements in place, for example, you have to prove that you are not a robot. And every person can vote twice.”

Casting a duplicate vote at JESC2017

After this press conference, the ESCDaily investigative team went on to try the online voting system. When the website opens, it immediately opens in your own language. Indicating that EBU has some way of recognizing where people are voting from. After this, you are obliged to watch a recap of all the performances first. Without watching this, you cannot vote. And when you minimalize the tab where the recap is on, it automatically pauses and does not continue until you open it again.

So far so good. After the recap, you get to a portal where you can watch all 16 performances on Youtube (but you do not have to). Here, you can also select the 3, 4 or 5 countries that you want to vote for. After this, the page redirects you to the message stating you’ve already voted.

However, here’s where it gets tricky: as soon as you clear your browser history, or even so much as open another browser, you are allowed to go through the process again. Our team prepared to try and crack incredibly difficult security codes to see if casting a duplicate vote was possible. But as it turns out, it is not difficult at all.

EBU: confidence in a fair result

A spokesperson of EBU released the following statement: “The EBU has worked with our technical partners to ensure that the platform can deliver a fair and valid result.” EBU then confirmed to ESCDaily that even after our inquiries about double voting through clearing browser history, they are still confident that they can deliver a fair result in which every person can vote twice maximum (once before the show and once during the show). However, they did not want to go into details about the methods through which they can ensure this.

EBU’s reaction to the matter suggests that they have security measures in place which they are not willing to discuss. As it is clear that duplicate votes can in fact be cast, the only way through which a fair and valid result could be achieved is if votes were discarded afterwards. Therefore, everything currently points in the direction of IP-address blocking.

IP-address blocking

However, the question is whether this is a safe and feasible method to do this. Several professional internet experts have told ESC Daily that “using only IP-addresses to validate votes is an outdated practice. This method has not been an industry standard for years.”

EBU seems extremely confident that they have their security in place. And it is almost impossible to imagine that rigging the system is indeed so easy as our research team has done today. What the exact reason is for EBU’s confidence in a fair and valid result, however, remains a secret to this moment. While we as journalists have an interest in getting to the bottom of this, EBU benefits from security through obscurity. As long as the security system and its potential flaws are unknown, the system cannot be rigged.

We will have to wait until after the contest, when EBU will release the voting data. EBU’s Chief Executive Supervisor Jon Ola Sand told Ewan Spence from ESCInsight at the press conference last night that EBU will be “as transparant as we can be.”

Especially if online voting is the future for the adult contest as well, it will be important to analyze the results of JESC 2017 very closely.