Estonia

Estonia's voting system was the first internet-based system in the world to be used on a national scale. Voters sign in using their Estonian ID card and can re-vote as many times as they want; they can also vote at a polling station to cancel their electronic vote. However, the system suffers from a lack of transparency and auditability. No audit of the election system has been released to the public, and too much of the protocol's supposed security is achieved behind closed doors. This also means that we can't prove for certain that elections haven't been stolen (which one Estonian political party believes they have been) and that we can't determine whether voters' anonymity is preserved.

There are also a number of other security issues with the Estonian system; being the first internet voting protocol to be implemented doesn't make it the best.

Infrastructure attack protection
All internet voting systems are vulnerable to denial-of-service attacks. There are defenses against these kinds of attacks, but they can't stand up to an adversary with sufficient resources. In that event voters would have to vote in person (or by mail). In the case of Estonia (in 2007), Guido Schryen remarks that "there did not appear to be a formal plan to monitor network traffic and deal with the risk of DoS attacks against the Internet Server." In theory, such a plan could be put in place without changing the other components of the system.

Outsider hacking protection
I can't find much info on this. Given the lack of an auditor and of verifiability, it would be hard to know if an adversary had broken into the system. There are some protections (e.g. ballots are stored encrypted), but encryption protects the content of a stored ballot, not its existence, so this may not be enough. Could the ballots be deleted and replaced with fake ballots (as in the DC voting trials)?

Malware and virus protection
There is almost no protection against malware and viruses. Guido Schryen writes that "malware, which makes the card reader sign other data than displayed on the screen, [was] not seriously addressed or even not considered." Voters can still cast their votes, but since they have no way of knowing whether their vote was counted as cast, they are unlikely to notice if malware on their machine altered it.

Man in the middle attack protection
In theory, votes are encrypted and thus should be difficult for a man in the middle to tamper with. SSL/TLS isn't perfect, but it effectively prevents eavesdropping by negotiating a session key (e.g. with a Diffie-Hellman key exchange), and that exchange is protected from a man in the middle only because the server proves its identity with a certificate, which the client checks against a certificate authority it trusts. This may not solve the issue that Jefferson et al. raised in the SERVE security report, namely that "attackers could engage in election fraud by spoofing the voting server and observing how the voter votes," and could then redirect the voter if the vote is to their liking. Whether this issue carries over to the Estonian system is unclear, but it is plausible: if a voter accepts a spoofed server's certificate, or the attacker obtains a certificate the client trusts, the TLS layer offers no protection. If the ballot is encrypted to the election key before it leaves the voter's machine (as the HSM-based decryption described below implies), a spoofed server would see only ciphertext; otherwise it sees the vote itself.

Insider attack protection
Protection against insider attacks is an issue in any voting system, especially one that involves voting online, and the problem is worsened by Estonia's lack of transparency. Guido Schryen writes that "The Internet Server and the Vote Storage Server were located in a locked room which was guarded by a policeman and continuously filmed", but is this an adequate solution, especially if the public can't see the film? The results of the audit of Estonia's voting system are not public (see the section on transparency).

Coercion resistance
Voters won't want to trade their Estonian ID cards away because the cards can be used to create legally binding digital signatures. Coercion is mitigated by the fact that voters can re-vote in person or online, so a coerced vote can be overridden later; this only helps, of course, if the coercer cannot watch the voter for the rest of the voting period. This system is likely the best internet voting system around in terms of protection against coercion/vote selling (at a cost of anonymity and verifiability).

Ensuring one person, one vote
The ID card infrastructure seems to fulfill the constraint that each person's vote counts only once: there is only one Estonian ID card per person, and although a voter may re-vote, only the last vote cast is kept.

Counting and tallying accuracy
Votes may not be counted correctly. There's no auditor to help verify that the votes received are counted correctly. There are security precautions to check "the installed voting software... to ensure that it was identical to the software reviewed," but the lack of transparency is problematic here. So long as the rest of the system holds up, votes will be tallied fairly accurately, but there's no guarantee of that.

Voter anonymity
Guido Schryen notes that "the separation of voter's decision and identity is realized at organizational level, not providing the voters any option to monitor this separation." In theory the system is anonymous, but we really have no idea whether this is the case because of the lack of transparency. This is especially problematic in Estonia because the digital ID cards can generate legally binding digital signatures under Estonian law. Since voters sign in using these cards, that infrastructure makes it easier for individual votes to be traced back to individual voters.
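As an added illustration (not Estonia's code, and not from Schryen's report) of the rules described in the re-voting, coercion resistance, one-person-one-vote and voter anonymity sections above, the following Python models a vote storage server that keeps every signed e-vote, counts only the newest one per voter, cancels a voter's e-votes when that voter votes on paper, and strips voter identities before the ballots are handed to counting. Everything here is assumed for the example: the ID-card signature is stood in for by an HMAC with a made-up per-voter secret, the ballots are opaque constructed byte strings (they are supposed to be already encrypted to the election key), and the voter list is invented.

```python
"""Model of a 'last vote counts' vote storage server (added illustration, not Estonia's code)."""
import hashlib
import hmac
import random
from dataclasses import dataclass


@dataclass
class SignedBallot:
    voter_id: str
    seq: int           # per-voter counter; a higher seq is a newer vote
    ciphertext: bytes  # ballot already encrypted to the election key (opaque here)
    signature: bytes   # stand-in for the ID-card signature over (voter_id, seq, ciphertext)


def sign(voter_key: bytes, voter_id: str, seq: int, ciphertext: bytes) -> bytes:
    """HMAC stand-in for the ID card's digital signature (assumption, not the real scheme)."""
    msg = voter_id.encode() + seq.to_bytes(4, "big") + ciphertext
    return hmac.new(voter_key, msg, hashlib.sha256).digest()


class VoteStorage:
    def __init__(self, voter_keys: dict):
        self.voter_keys = voter_keys  # voter_id -> key used to verify that voter's ballots
        self.evotes = {}              # voter_id -> accepted SignedBallots, oldest first
        self.paper_voters = set()     # voters who voted at a polling station

    def cast_evote(self, ballot: SignedBallot) -> bool:
        """Accept an e-vote only from an eligible voter, with a valid signature, newer than the last."""
        key = self.voter_keys.get(ballot.voter_id)
        if key is None:
            return False  # not on the electoral roll
        expected = sign(key, ballot.voter_id, ballot.seq, ballot.ciphertext)
        if not hmac.compare_digest(expected, ballot.signature):
            return False  # signature does not verify: tampered or forged ballot
        history = self.evotes.get(ballot.voter_id, [])
        if history and ballot.seq <= history[-1].seq:
            return False  # replayed or stale ballot
        self.evotes.setdefault(ballot.voter_id, []).append(ballot)
        return True

    def cast_paper_vote(self, voter_id: str) -> None:
        """A polling-station vote cancels all of this voter's e-votes."""
        self.paper_voters.add(voter_id)

    def final_evotes(self) -> dict:
        """One ballot per voter: the newest e-vote, unless the voter also voted on paper."""
        return {vid: hist[-1] for vid, hist in self.evotes.items()
                if hist and vid not in self.paper_voters}

    def anonymized_ciphertexts(self, seed: int = 0) -> list:
        """Strip voter identities and shuffle before handing ballots to counting.

        This is the step that separates decision from identity; nothing lets a
        voter observe that it actually happened."""
        cts = [b.ciphertext for b in self.final_evotes().values()]
        random.Random(seed).shuffle(cts)
        return cts


def demo() -> list:
    """Constructed scenario: alice re-votes, bob e-votes then votes on paper, carol's ballot is forged."""
    keys = {"alice": b"k-alice", "bob": b"k-bob", "carol": b"k-carol"}  # made-up per-voter keys
    store = VoteStorage(keys)

    def ballot(vid, seq, ct):
        return SignedBallot(vid, seq, ct, sign(keys[vid], vid, seq, ct))

    store.cast_evote(ballot("alice", 1, b"ct-alice-1"))
    store.cast_evote(ballot("alice", 2, b"ct-alice-2"))  # re-vote supersedes seq 1
    store.cast_evote(ballot("alice", 1, b"ct-alice-1"))  # replay of the old ballot: rejected
    store.cast_evote(ballot("bob", 1, b"ct-bob-1"))
    store.cast_paper_vote("bob")                         # paper vote cancels bob's e-vote
    store.cast_evote(SignedBallot("carol", 1, b"ct-carol-1", b"\x00" * 32))  # bad signature
    return store.anonymized_ciphertexts()  # only alice's newest ballot reaches counting
```

The only place the link between voter and ballot is cut is `anonymized_ciphertexts`, and nothing in the flow gives a voter evidence that it ran; that is precisely the "organizational level" separation Schryen criticizes.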

Voter verifiability
The Estonian system is not voter verifiable. Guido Schryen writes that "the voters got no proof of the separation of their decision and their identity. As no voter verified paper audit trail was implemented, voters did not know whether their vote had been correctly counted." Even though there are other means of verifiability besides a VVPAT, it's clear that the Estonian system has not implemented them.

Immediate results protection
To decrypt the votes using the Hardware Security Module, at least half of the NEC members must be present to count and decrypt the votes. Thus no results should be obtainable before the voting period ends, assuming the rest of the system holds up; if it doesn't, releasing vote counts early will be the least of the election officials' problems.
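The "at least half of the members must be present" rule above is described as a procedure around the HSM. As an added illustration of how the same property can be enforced cryptographically rather than procedurally, the following Python splits an election decryption key with Shamir secret sharing so that any quorum of members can reconstruct it and any smaller group learns nothing. This is not how Estonia's HSM works and not the page's or Schryen's material; the election key as a single integer, the field modulus, the toy SHA-256 stream cipher standing in for the HSM's decryption, and the ciphertexts are all constructed for the example.

```python
"""Threshold ('at least half of the members present') decryption (added illustration)."""
import hashlib
import random

P = 2**61 - 1  # prime modulus; all share arithmetic is done in GF(P)


def quorum(n_members: int) -> int:
    """Shares needed so that at least half of n members must be present."""
    return (n_members + 1) // 2


def split_key(key: int, n_members: int, threshold: int, rng: random.Random) -> list:
    """Shamir sharing: random polynomial of degree threshold-1 whose constant term is the key."""
    coeffs = [key % P] + [rng.randrange(P) for _ in range(threshold - 1)]
    shares = []
    for x in range(1, n_members + 1):
        y = 0
        for c in reversed(coeffs):  # Horner evaluation of the polynomial at x
            y = (y * x + c) % P
        shares.append((x, y))       # member x holds the point (x, y)
    return shares


def reconstruct_key(shares: list) -> int:
    """Lagrange interpolation at x = 0; yields the key only with >= threshold distinct shares."""
    key = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * xj % P
                den = den * (xj - xi) % P
        key = (key + yi * num * pow(den, -1, P)) % P
    return key


def keystream(key: int, length: int) -> bytes:
    """SHA-256 in counter mode; a toy stand-in for the HSM's election key, not a real scheme."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key.to_bytes(8, "big") + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def xor_crypt(key: int, data: bytes) -> bytes:
    """Encrypt or decrypt (same operation) with the toy stream cipher."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def tally_with(present_shares: list, ciphertexts: list, threshold: int):
    """Members present contribute their shares; without a quorum, refuse to decrypt."""
    if len(present_shares) < threshold:
        return None  # procedural check; even without it, fewer shares give a useless key
    key = reconstruct_key(present_shares)
    return [xor_crypt(key, ct) for ct in ciphertexts]
```

The procedural `threshold` check in `tally_with` is a convenience; the real guarantee comes from the sharing itself, since fewer than `threshold` points are consistent with every possible key and reconstruction from them produces garbage.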

Ease of performing a recount
Performing a meaningful recount is not possible because there is no audit trail. The votes can be counted again (they are transferred on CD-ROMs from the Vote Storage Server to the Counting Server), but recounting the same stored ballots doesn't address the security problems present throughout the system.

Usability
The voting system is only available in Estonian, which is a problem for Russian-speaking voters. Voters use an ID card that is legally accepted for digitally signing documents. The voter must have a smart card reader (which may be more common in Estonia) and must install software. Windows users vote through a web browser; on OS X and Linux the interface is a standalone program. It's convenient if your situation satisfies these criteria and inconvenient if it doesn't.

Transparency
The system was audited, but by an external auditing company, and "the final result is not public, and the external auditing company was not requested to conduct any post-election audits."