Due to an upcoming referendum in Bulgaria about whether we want “remote electronic voting”, I, as a technical person, and at the same time, as government adviser, argue a lot about electronic voting. A year and a half ago I’ve given a very brief overview of what I think has to be done and is doable.
But now I’d like to ask a more general question – why all this fear of electronic voting? I have heard literally hundreds of versions of the same bunch of arguments: anonymity is not guaranteed, someone can change everything with one command, I can’t be sure what happens to my vote, it’s a black box, someone may easily compromise everything with a virus, you’ll be DDoSed, etc.
This for example is one giant strawman video. Every single bit it in, spoken very quickly and very assertively, is wrong. Votes can be anonymous, you can verify your vote, there are ways to prevent massive result changes, there are ways to protect even the clients (hardware keypads, virtualized voting environments), and good operational security gives you, ontop of the essential security, a way to detect every attempt to attack the system, and there are ways to prevent DDoS.
And horribly few people have actually read anything on the topic. I recommend, for example, reading this 136 pages report. And these papers: paper, paper, paper, paper, paper, paper.
But you won’t, will you? Because you are sure that it cannot ever be secure, the ballot secrecy cannot be guaranteed, and you can’t be sure whether your vote is counted. Even though the literature hints otherwise. Let me just outline a few key things:
- One man – one vote. This relies on a national e-id infrastructure, that some countries (like Estonia, Belgium, and soon Bulgaria) have. The id card has a smartcard built-in. That guarantees the one man – one vote principle. A person can only have a single id card with a single keypair to use for voting.
- Ballot secrecy. David Chaum has proposed the so-called “blind signature” that, using cryptography, allows the voting officials “stamp” your vote without seeing it and count you as “already voted”, and then on a second step you send your stamped vote, without the identifying information. There’s also the double-envelope approach used in postal voting, that is applied to electronic voting (but it relies on good operational security). And then there are the anonymous credentials schemes which I haven’t looked into in details.
- Mass replacement of votes. Sending an SQL query to the vote count server is probably what you imagine can happen. OpSec, of course, is tasked to prevent it, but that is not enough. A very determined attacker can break into almost any system. But recent research is being done on using the bitcoin blockchain data structure. A de-facto distributed, unchangeable database. The votes on the central server can then be compared to the public ledger, in order to verify that there are no discrepancies. Which is, by the way, what happens with paper voting, as you’ll see below.
- Black box. Of course, proprietary, closed-source solutions are a no-go. But a fully open-source, peer-reviewed, pilot-tested, in-person tested (as recommended in the report) system is not a black box. It is a fully and constantly auditable system.
- I don’t know whether my vote is counted at all. That’s a major concern, addressed by a lot of E2E research (end-to-end verifiable voting). All sorts of approaches exist. For example a receipt, that you can later verify against a central system. The receipt doesn’t have to contain the actual vote (because someone may have paid to and then wants to check), but a number that you get while voting should match with a number that you see later on a website. The receipt can be issued via a smartphone app, sms, the screen, or any combination of those for a higher level of assurance.
- Client side malware. Now that’s hard. But there are ways to address it. Hardware keypads for entering the PIN for the smartcard, with a small screen to show the actual information that is required to be signed/encrypted. Then come the multiple-factor authentication and validation. You can use a mobile phone, where receipts (as mentioned above) are sent. If a malware replaces your vote (if you are allowed to cast replacement votes, methods for which are also described in papers), you’ll get notified. You may even have to cast your vote from two devices – one computer and one smartphone (identification with a smartphone is a separate topic). That way a large-scale malware attack becomes unlikely. If you add that the client-side software used for voting can be digitally signed, or can be changing itself constantly, then a generalized malware has to target millions of combinations of versions of desktop and mobile OSs, the voting software, etc. And if you instead vote from a remote virtualized environment, to which you login via a sort of a VPN client (with a reasonable assurance on the other end that it is not a fake virtualized environment), then yes – individuals can be targeted, but large-scale attacks may hit a brick wall.
- How will we avoid coercion and vote-buying in remote, uncontrolled environments. That’s a good question, and although it doesn’t sound technical, it is. First, biometric factor as part of the identification may defend against mass collecting of smartcards for voting. Then there’s the concept of a “panic PIN”, which allows a coerced voter to appear to have voted, but to instead send an alarm to the authorities that he is being coerced, which has been discussed in papers as well.
You probably won’t notice the last recommendation of the report, which says that at the present moment there is no voting system that is secure enough to be deployed for national elections. And that is true (as well as the other recommendation). Yes, it is very hard to build a proper e-voting system. You have to take into account at least all the thing listed in the 136 page report. And even more. You have to be paranoid and expect a state-level attack, insider attack, botnets, etc. But that makes it very hard, not “a bad idea” or “impossible”. I’ll quote the comment by Matthew Proorok on the above youtube video:
The thing is, none of this makes electronic voting a bad idea. It makes electronic voting a problem with a lot of hurdles to overcome. After all, you start out the video pointing out that physical voting, too, has its weaknesses. And that attempt after attempt has been made to defraud the system. And that, over time, we’ve found ways to defend against those attempts. Effectively, you’re saying that electronic voting hasn’t had that kind of proving period yet, and thus it’s a bad idea, and thus we shouldn’t use it. That sounds like a great mindset for NEVER DOING ANYTHING NEW.
And at the same time nobody realizes how flawed the paper based system is, and how the same type of loosely defined arguments can be used against the paper based system as well. Saying the “we’ve found ways to counter all types of fraud in a paper based system” is entirely wrong, as I can prove to you if you come and visit just a single Bulgarian election. By the way, do you know that at the moment, paper voting results are finally combined on a computer? Possibly using excel somewhere. How are we sure these computer system are not attacked? How are we sure that the computers that send the the protocols from the local centers to the central committees are not compromised with a malware? There is a paper trail, I hear. Recounting rarely happens, and discrepancies, even if discovered, are often buried, because otherwise the whole election may have to be rerun. My point is, these are problems not inherent only to remote, electronic voting. They exist even now.
So, ultimately, I don’t understand all the fear in e-voting, even from people that are moderately tech-savvy. The mantra “if it’s a computer, it can break” is in fact “if it is anything in the real world, it can break”. But when has that stopped us from progressing and fixing broken systems (and paper voting is broken; the fact it doesn’t appear so in western democracies is because society doesn’t exploit it, and not because it’s unexploitable).
But I do understand the psychology that leads to accepting all pseudo-arguments thrown in the air, as a massive FUD campaign (sometimes even coordinated, by the way) – it is way easier to throw these fears, than to debunk them, one by one, especially when debunking them requires linking scientific papers. It’s easy to tell people “this can’t be done”, because sometimes it sounds counterintuitive that it can, and then it’s hard to explain why it can.
I’m not saying we should be all voting online by now, I’m saying we should push in that direction, and we should agree that this is the direction to push, because it feels like it’s right behind the corner and it’s a way to increase participation, especially for future generations, and therefore enhance not only the legitimacy of the democracy, but the opportunities for more direct democracy.
And it will come down to trust in the system. For which, the whole FUD-technical explanation cycle will be repeated many times. But I believe that in due time we will have trust in such systems (as we do in many other electronic systems) and that will enable us to do more with our democratic rights.