Why All The Fear of Electronic Voting?
Due to an upcoming referendum in Bulgaria about whether we want “remote electronic voting”, I, as a technical person and at the same time a government adviser, argue a lot about electronic voting. A year and a half ago I gave a very brief overview of what I think has to be done and is doable.
But now I’d like to ask a more general question – why all this fear of electronic voting? I have heard literally hundreds of versions of the same bunch of arguments: anonymity is not guaranteed, someone can change everything with one command, I can’t be sure what happens to my vote, it’s a black box, someone may easily compromise everything with a virus, you’ll be DDoSed, etc.
This, for example, is one giant strawman video. Every single bit in it, spoken very quickly and very assertively, is wrong. Votes can be anonymous, you can verify your vote, there are ways to prevent massive result changes, there are ways to protect even the clients (hardware keypads, virtualized voting environments), good operational security gives you, on top of the essential security, a way to detect attacks on the system, and there are ways to mitigate DDoS.
And horribly few people have actually read anything on the topic. I recommend, for example, reading this 136-page report. And these papers: paper, paper, paper, paper, paper, paper.
But you won’t, will you? Because you are sure that it cannot ever be secure, the ballot secrecy cannot be guaranteed, and you can’t be sure whether your vote is counted. Even though the literature hints otherwise. Let me just outline a few key things:
- One man – one vote. This relies on a national e-ID infrastructure, which some countries (like Estonia and Belgium, and soon Bulgaria) have. The ID card has a smartcard chip built in, and a person can only have a single ID card with a single keypair to use for voting. That is what lets the system guarantee the one man – one vote principle: the voting service ties each cast ballot to one keypair and either refuses a second ballot from the same card or, if re-voting is allowed, counts only the last one.
- Ballot secrecy. David Chaum proposed the so-called “blind signature”, which, using cryptography, lets the voting officials “stamp” your vote without seeing it and mark you as “already voted”; in a second step you send your stamped vote without any identifying information, and the stamp alone proves that it came from an eligible voter. There’s also the double-envelope approach used in postal voting, which has been carried over to electronic voting (the outer envelope is the voter’s signature, the inner one the encrypted ballot; it relies on good operational security at the point where the two are separated). And then there are the anonymous credential schemes, which I haven’t looked into in detail.
- Mass replacement of votes. Sending an SQL query to the vote count server is probably what you imagine can happen. OpSec, of course, is tasked with preventing it, but that is not enough: a very determined attacker can break into almost any system. But there is recent research on using a blockchain-style data structure, as in bitcoin: a de-facto distributed, append-only ledger that is very hard to alter after the fact. The votes on the central server can then be compared to the public ledger in order to verify that there are no discrepancies. Note that this detects tampering rather than preventing it, so the procedure for what happens when a discrepancy is found matters as much as the ledger itself. Which, by the way, is what is supposed to happen with paper voting too, as you’ll see below.
- Black box. Of course, proprietary, closed-source solutions are a no-go. But a fully open-source, peer-reviewed, pilot-tested, in-person-tested (as recommended in the report) system is not a black box. It is a fully and constantly auditable system.
- I don’t know whether my vote is counted at all. That’s a major concern, addressed by a lot of E2E (end-to-end verifiable voting) research. All sorts of approaches exist. For example a receipt that you can later verify against a central system. The receipt doesn’t have to contain the actual vote (otherwise a vote buyer would demand it to check what he paid for), but a number that you get while voting should match a number that you later see on a website. The receipt can be issued via a smartphone app, SMS, the screen, or any combination of those for a higher level of assurance.
- Client-side malware. Now that’s hard. But there are ways to address it. Hardware keypads for entering the PIN for the smartcard, with a small screen that shows the actual information that is about to be signed or encrypted, so malware on the PC cannot silently swap it. Then come multi-factor authentication and validation. You can use a mobile phone, to which receipts (as mentioned above) are sent. If malware replaces your vote (if you are allowed to cast replacement votes, methods for which are also described in papers), you’ll get notified. You may even have to cast your vote from two devices – one computer and one smartphone (identification with a smartphone is a separate topic). That way a large-scale malware attack becomes unlikely. If you add that the client-side software used for voting can be digitally signed, or diversified so that it changes constantly, then generic malware has to target millions of combinations of versions of desktop and mobile OSs, the voting software, etc. And if you instead vote from a remote virtualized environment, to which you log in via something like a VPN client (with reasonable assurance on the other end that it is not a fake virtualized environment), then yes – individuals can be targeted, but large-scale attacks may hit a brick wall.
- How will we avoid coercion and vote-buying in remote, uncontrolled environments? That’s a good question, and although it doesn’t sound technical, it is. First, a biometric factor as part of the identification may defend against mass collection of smartcards for voting. Then there’s the concept of a “panic PIN”, which allows a coerced voter to appear to have voted but instead sends an alarm to the authorities that they are being coerced; this has been discussed in papers as well.
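To make the first four points above concrete, here is an added example (written for this page, not code from the post, from Chaum’s paper or from any real voting system) of the blind-signature “stamp” from the ballot-secrecy point, with the one-stamp-per-voter check, a vote-free receipt number, and a public hash-chained ledger that an observer can compare against the central store. Everything in it is hypothetical: the toy RSA parameters (two Mersenne primes, no padding, unusable in practice), the `Registrar` and `Tally` classes, and the three constructed voters. It also does not model the one thing the scheme depends on in deployment, namely that the stamped ballot is submitted over a channel the registrar cannot link to the stamping session.

```python
import hashlib
import secrets
from math import gcd

# Toy RSA parameters (assumption for this example): two Mersenne primes give a
# ~196-bit modulus with no padding, far too weak for real use; they only make the
# protocol steps visible.
P, Q = (1 << 89) - 1, (1 << 107) - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))          # registrar's private stamping key


def ballot_digest(ballot: bytes) -> int:
    return int.from_bytes(hashlib.sha256(ballot).digest(), "big") % N


def h(*parts: str) -> str:
    return hashlib.sha256("|".join(parts).encode()).hexdigest()


class Registrar:
    """Holds the electoral roll, stamps each voter once, never sees a ballot."""

    def __init__(self, eligible_ids):
        self.eligible, self.stamped = set(eligible_ids), set()

    def stamp(self, voter_id: str, blinded: int) -> int:
        if voter_id not in self.eligible:
            raise PermissionError(f"{voter_id}: not on the roll")
        if voter_id in self.stamped:
            raise PermissionError(f"{voter_id}: already stamped")
        self.stamped.add(voter_id)                 # one voter, one stamp
        return pow(blinded, D, N)                  # signs a value it cannot read


def cast(registrar: Registrar, voter_id: str, choice: str):
    """Voter side: blind the ballot digest, have it stamped, unblind the stamp."""
    tracker = secrets.token_hex(8)                 # the receipt number
    ballot = f"{choice}|{tracker}".encode()
    m = ballot_digest(ballot)
    r = secrets.randbelow(N - 2) + 2               # blinding factor, coprime to N
    while gcd(r, N) != 1:
        r = secrets.randbelow(N - 2) + 2
    stamped = registrar.stamp(voter_id, m * pow(r, E, N) % N)
    signature = stamped * pow(r, -1, N) % N        # (m * r^E)^D * r^-1 = m^D
    return ballot, signature, tracker


class Tally:
    """Anonymous drop-box. Ballots stay private; a hash-chained ledger of
    (tracker, H(signature)) entries is public and can be mirrored by anyone."""

    def __init__(self):
        self.ballots, self.ledger, self.seen = [], [], set()

    def submit(self, ballot: bytes, signature: int) -> bool:
        if pow(signature, E, N) != ballot_digest(ballot) or signature in self.seen:
            return False                           # unstamped, altered or replayed
        self.seen.add(signature)
        choice, tracker = ballot.decode().rsplit("|", 1)
        self.ballots.append((choice, tracker, signature))
        prev = self.ledger[-1]["hash"] if self.ledger else "genesis"
        commit = h(str(signature))                 # says nothing about the choice
        self.ledger.append({"tracker": tracker, "commit": commit, "prev": prev,
                            "hash": h(prev, tracker, commit)})
        return True

    def count(self) -> dict:
        out = {}
        for choice, _, _ in self.ballots:
            out[choice] = out.get(choice, 0) + 1
        return out


def audit(tally: Tally, published_head: str) -> bool:
    """Observer check: every stored ballot still carries a valid stamp, the ledger
    matches the store entry by entry, and its head equals the copy observers took."""
    if len(tally.ballots) != len(tally.ledger):
        return False
    prev = "genesis"
    for (choice, tracker, sig), entry in zip(tally.ballots, tally.ledger):
        if pow(sig, E, N) != ballot_digest(f"{choice}|{tracker}".encode()):
            return False                           # a stored vote was altered
        commit = h(str(sig))
        if entry != {"tracker": tracker, "commit": commit, "prev": prev,
                     "hash": h(prev, tracker, commit)}:
            return False                           # ledger and store disagree
        prev = entry["hash"]
    return prev == published_head


if __name__ == "__main__":
    # Constructed sample election: three hypothetical voters on the roll.
    reg, box = Registrar(["voter-1", "voter-2", "voter-3"]), Tally()
    receipts = {}
    for vid, choice in [("voter-1", "yes"), ("voter-2", "no"), ("voter-3", "yes")]:
        ballot, sig, tracker = cast(reg, vid, choice)
        box.submit(ballot, sig)                    # sent over an anonymous channel
        receipts[vid] = tracker
    head = box.ledger[-1]["hash"]                  # observers record this value
    published = [e["tracker"] for e in box.ledger]
    print(box.count(), all(t in published for t in receipts.values()), audit(box, head))
```

The registrar only ever sees `m * r^E`, so it can enforce one stamp per ID without learning the ballot; the tally only ever sees the unblinded stamp, so it can verify eligibility without learning the ID. The ledger publishes the tracker and a hash of the stamp, not the choice, so handing your tracker to a vote buyer tells him nothing, while changing a stored choice breaks the stamp check and changing the ledger breaks the chain or the recorded head. What the code cannot do is stop a compromised tally from refusing ballots or dropping entries before they reach the ledger; that is exactly why the receipt check by the voter and the audit by observers are both needed.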
You probably won’t notice the last recommendation of the report, which says that at the present moment there is no voting system that is secure enough to be deployed for national elections. And that is true (as is the other recommendation). Yes, it is very hard to build a proper e-voting system. You have to take into account at least all the things listed in the 136-page report. And even more. You have to be paranoid and expect a state-level attack, insider attack, botnets, etc. But that makes it very hard, not “a bad idea” or “impossible”. I’ll quote the comment by Matthew Proorok on the above YouTube video:
The thing is, none of this makes electronic voting a bad idea. It makes electronic voting a problem with a lot of hurdles to overcome. After all, you start out the video pointing out that physical voting, too, has its weaknesses. And that attempt after attempt has been made to defraud the system. And that, over time, we’ve found ways to defend against those attempts. Effectively, you’re saying that electronic voting hasn’t had that kind of proving period yet, and thus it’s a bad idea, and thus we shouldn’t use it. That sounds like a great mindset for NEVER DOING ANYTHING NEW.
And at the same time nobody realizes how flawed the paper-based system is, and how the same type of loosely defined arguments can be used against the paper-based system as well. Saying that “we’ve found ways to counter all types of fraud in a paper-based system” is entirely wrong, as I can prove to you if you come and visit just a single Bulgarian election. By the way, do you know that at the moment paper voting results are finally combined on a computer? Possibly using Excel somewhere. How are we sure these computer systems are not attacked? How are we sure that the computers that send the protocols from the local centers to the central committees are not compromised with malware? There is a paper trail, I hear. Recounting rarely happens, and discrepancies, even if discovered, are often buried, because otherwise the whole election may have to be rerun. My point is, these problems are not inherent only to remote, electronic voting. They exist even now.
So, ultimately, I don’t understand all the fear of e-voting, even from people that are moderately tech-savvy. The mantra “if it’s a computer, it can break” is in fact “if it is anything in the real world, it can break”. But when has that stopped us from progressing and fixing broken systems (and paper voting is broken; the fact that it doesn’t appear so in western democracies is because society doesn’t exploit it, not because it’s unexploitable)?
But I do understand the psychology that leads to accepting all the pseudo-arguments thrown in the air as a massive FUD campaign (sometimes even coordinated, by the way) – it is way easier to throw these fears around than to debunk them one by one, especially when debunking them requires linking scientific papers. It’s easy to tell people “this can’t be done”, because sometimes it sounds counterintuitive that it can, and then it’s hard to explain why it can.
I’m not saying we should all be voting online by now, I’m saying we should push in that direction, and we should agree that this is the direction to push, because it feels like it’s right around the corner and it’s a way to increase participation, especially for future generations, and therefore to enhance not only the legitimacy of democracy, but the opportunities for more direct democracy.
And it will come down to trust in the system. For which the whole cycle of FUD followed by technical explanation will be repeated many times. But I believe that in due time we will have trust in such systems (as we do in many other electronic systems) and that will enable us to do more with our democratic rights.
Why all the fear?
The idea behind all (sane) arguments against electronic voting stems from one place: that voting is so important that even the slightest doubt in the system should be enough to scrap the entire thing. Whether one agrees or not about the importance of voting is irrelevant. This is the argument I can get behind.
To me, this isn’t FUD; it’s just a very high standard of security and accountability.
FUD can come in many forms. In some cases, it stems from ignorance. Other times, the opposite is true. I think you hear a lot of tech savvy people spread this “FUD” because they know the worst case scenario—they’ve seen it up close. They understand the difficulty in designing a truly secure system of this high importance, and they can’t comprehend that it is even a possibility.
I agree that the topic shouldn’t be dismissed outright. We shouldn’t scrap the system before even thinking about it. What we should do, however, is pay attention to every bit of FUD that comes our way.
I just find it strange that you would wonder where all the fear is coming from. Whether I agree with the people who are completely against electronic voting or not, I think the source of the fear is quite clear, and (if I remember correctly) it’s quite clearly stated in the linked Computerphile video: Voting is too important to attach to electronic systems. People’s trust in computer security has been eroding more and more with every new exploit and leak, which seem to be coming around weekly these days.
Quit spamming your shit on reddit
Who decides it is shit?
I fully agree the concerns have to be addressed, and worst-case scenarios taken into account. Voting is too important, but that is one of the reasons e-voting is needed – paper voting is broken and exploitable in so many ways (really, I can speak for hours about horror stories in my country alone).
There are two arguments for the paper ballot. First, the system should be understandable by almost anyone, which is not the case with computer science and math. Second, it should be an opportunity for gathering; that is, an election is a people thing which requires people to look at it during the tally.
Of course, nothing is perfect and paper is not exempt from problems, but making voting a specialist thing is not the solution. The solution is the people. It is a human problem, as politics is, and thus should be treated accordingly by the people, not technology.
Technology can improve and even fix human problems.
I agree the process should be understandable, but that’s not true even for the paper process. You have to dig through a lot of rules and procedures, and at the end you still end up with a computer system for gathering the votes, with a lot of OpSec. So does everyone understand how the votes are entered and calculated with paper voting? No.
And E2E verifiability + audits and peer reviews + onsite observers (of the infrastructure, of the logs, etc.) gives you enough assurances. Yes, not everyone can make sense of logs, but not everyone can be an adequate observer – he has to know the procedures. And we assume that knowing the procedures is a given, whereas reading logs isn’t?
We can overcome all technical problems but human factor problems will still stay and sadly I don’t see any solution for them.
First (smaller) problem: it will make it easier and cheaper to commit some of the current voting violations. For example, the controlled voting of Bulgarian citizens that live in Turkey. Currently, when election time comes, they are gathered and transported by bus to Bulgaria to vote. E-voting will eliminate the need for transportation, thus making it easier and cheaper to get even more people (than now) into the scheme.
Second (bigger) problem: as the first commenter said above: “That voting is so important that even the slightest doubt in the system should be enough to scrap the entire thing”. People don’t understand computers and they don’t trust them. We needed 20 years just to teach them to use something as simple as debit cards and ATMs, and they are now using them not because they trust the technology but because of their (blessed) ignorance about the technology. It will probably take even more time for people to develop the required ignorance in order for e-voting to be accepted. I don’t mean that we have to abandon the whole thing, I mean that we will probably have to start (very) small, try as hard as possible to eliminate all the technical problems that may cast a doubt on the process, and just have enough patience and understanding that it will take a lot of time.
That is true. And we should start small. Trust is important, and that’s why it takes time. But that’s also why we have a referendum.
I’ve worked in a company which sells e-voting services for enterprises. I’ve participated in a presidential ballot counting. I’ve talked with people about the importance of voting as a system for making political choices.
For me, voting is a kind of pilgrimage. I live in France and voting takes place in public schools. This is very symbolic. People take the time to go to the school, to sign the register. Then go to the voting booth. And then put the ballot in the box. There is human psychology in this process.
I think that it will be perceived very differently if done at home using a computer. This is why I think that the only thing that matters is how people organize this time to make the choice. It should not be about how economical the process is, or how fast. Of course, security matters, the simplicity of the process also, but making an electronic vote for an assembly of 500 persons and making one for millions do not involve the same things.
The real thing is that I’m afraid that if voting goes fully electronic, people will care less. And I don’t want that. I want people to consider the importance of voting because it makes a choice, a political one, a people one.
@amertum – On the “pilgrimage” aspect of Election Day – I agree that voting also has some symbolic and ritual value which will eventually go away with remote e-voting. Voting in one’s fatigues at home would blur the private and public sphere – many voters may not distinguish between voting for X Factor and voting for a head of state…
But this is only a sideline extravagant argument especially for the Bulgarian debate which is normally centered on mistrust in the political process at large (though packaged as technology-scare)
Voting is the wrong way. A real democracy works by electing people via lottery, as the ancient Greeks did:
https://en.wikipedia.org/wiki/Sortition
“It is accepted as democratic when public offices are allocated by lot; and as oligarchic when they are filled by election.” (Aristotle)