By Ian - Mon Nov 02 2020 - 8 min read
With the 2020 US elections relying on mail-in ballots, I found myself wondering whether a digital solution would be safer, more reliable and easier. As usual, the answer isn't straightforward.
In this post I'll walk you through some possible solutions and their potential downsides.
I will mostly focus on Dutch elections, since that is where I can offer the best insight, and most of the arguments transfer easily to other nations.
If we were to develop a voting system from scratch, it would need some features that protect our rights and make sure the elected ruler is the one the people really wanted (whether that's the case with current electoral systems is questionable, but that's for another time).
A big problem with anonymity and verifiability is that they pull in opposite directions: making votes anonymous makes them difficult to verify.
If we had a database of everyone who voted together with the vote they cast, verifiability would be solved. It wouldn't be anonymous, though.
When discussing electronic voting there are essentially two different things at play: e-voting, where the electronic part happens inside the polling station, and i-voting, where the vote is cast over the internet.
e-voting is usually seen as the easier one. You can tackle anonymity by casting anonymous ballots, and tackle verifiability manually with a passport check before the voter enters the voting booth.
i-voting is much more difficult, because you can't have that manual check.
Well, unless you're part of a secret society with unlimited wealth, chances are your bank account is not a very interesting target.
The scale of an election is massive. The decision made there has so much influence that it's an incredibly high-value target.
Most hackers aren't hardcore geeks typing away on their Kali Linux box. It's usually a game of influencing people, leaked data or a weak password, which can all be summarised as human error.
So it's much more likely that hackers will pour resources into hacking an election than into hacking your bank account.
e-voting seems like a pretty good idea. It's pretty straightforward on an abstract level: keep everything the same, only make the counting digital.
Too bad that's an oversimplification. It's impossible for most voters to check how the system works internally. Even if all voters were programmers, the source code doesn't have to be open source; there's no rule against keeping it private.
So basically it's a black box that we have to trust with one of the most important things in a democracy, and it's impossible for any voter to check the process.
This fear is backed by a 2009 decision by the Federal Constitutional Court of Germany:
The use of voting machines which electronically record the voters’ votes and electronically ascertain the election result only meets the constitutional requirements if the essential steps of the voting and of the ascertainment of the result can be examined reliably and without any specialist knowledge of the subject.
Besides these 'lack of control' fears, a lot of systems have failed miserably over the years.
The lack of pen-testing (inviting good-guy hackers to attack your system and look for vulnerabilities) makes it very hard to pinpoint exact failures, but here's a curated list of problems found in the US:
And of course a Dutch problem:
Side note: this was known before an election took place. Still, parts of the election were held with the voting machines, which led to the Dutch government being sued, losing, and going back to paper ballots.
So yeah, e-voting: not perfect.
More recently there has been talk of reinstating e-voting with some big adaptations.
The new version would basically be a computer with a printer. You cast your vote in a voting booth on a machine with no connection to the internet. The machine prints your vote on a piece of paper, which you can check for errors and then deposit in the ballot box. These printed votes are easily read by a central computer, making counting them a lot easier and quicker.
Though this is an interesting concept, it doesn't have a lot of benefits over paper ballots either. As the software axiom goes, "keep it simple, stupid", and this design doesn't really comply.
I-voting, also known as remote e-voting, is casting your vote from the comfort of your own couch. The only country that has implemented such a system is Estonia. With tech giants migrating more of your life onto the internet, it seems only logical to move to i-voting as well. Let's take a look at Estonia: how their system works, what the vulnerabilities are, and whether we should follow suit.
Estonia's i-voting system builds on their ID card. This ID card is also a smart card, which allows owners to digitally sign documents and provides secure authentication. This existing infrastructure makes it possible to tackle one of our requirements: verifiability.
The i-voting system is available during an early voting period (from the sixth to the fourth day before Election Day). You can change your vote an unlimited number of times in that timeframe. You can also overwrite your i-vote by going to a polling station, which invalidates it.
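To make the anonymity-versus-verifiability trade-off from earlier concrete, here is a small model of how an ID-card-based i-voting flow can work, as an added example written for this post. It is not Estonia's code (the client side isn't public anyway) and is a simplified "double envelope": the vote is encrypted to the election key (inner envelope), the result is signed with the voter's card key (outer envelope), re-voting overwrites the earlier envelope, a paper vote cancels the i-vote, and before counting the outer envelopes are stripped so the decrypting side never sees who sent which ciphertext. Voter names, keys and party names are all constructed for the example; a real system would also mix or shuffle the ciphertexts and keep audit logs, which this model leaves out.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is one i-vote as it travels from the voter's device to the server.
type Envelope struct {
	VoterID    string
	Ciphertext []byte // inner envelope: RSA-OAEP(vote) under the election public key
	Signature  []byte // outer envelope: ed25519 signature with the voter's card key
}

// Server holds the eligibility registry and the latest valid envelope per voter.
type Server struct {
	Registry   map[string]ed25519.PublicKey // voter ID -> ID-card public key (constructed)
	Latest     map[string]Envelope          // re-voting simply overwrites the entry
	PaperVoted map[string]bool              // a paper ballot invalidates the i-vote
}

func NewServer(registry map[string]ed25519.PublicKey) *Server {
	return &Server{Registry: registry, Latest: map[string]Envelope{}, PaperVoted: map[string]bool{}}
}

// signedBytes binds the voter ID to the ciphertext, so a valid signature cannot
// be moved onto another voter's ballot.
func signedBytes(voterID string, ct []byte) []byte {
	return append([]byte(voterID+"|"), ct...)
}

// CastVote runs on the voter's device. Note that the device, not the voter,
// decides what goes into the inner envelope before the card signs it.
func CastVote(electionPub *rsa.PublicKey, voterID string, cardKey ed25519.PrivateKey, vote string) (Envelope, error) {
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, electionPub, []byte(vote), []byte("ballot"))
	if err != nil {
		return Envelope{}, err
	}
	sig := ed25519.Sign(cardKey, signedBytes(voterID, ct))
	return Envelope{VoterID: voterID, Ciphertext: ct, Signature: sig}, nil
}

// Receive checks eligibility and the outer envelope, then stores the ballot.
// The server never holds the election private key, so it cannot read votes.
func (s *Server) Receive(env Envelope) error {
	pub, ok := s.Registry[env.VoterID]
	if !ok {
		return errors.New("voter not in registry")
	}
	if !ed25519.Verify(pub, signedBytes(env.VoterID, env.Ciphertext), env.Signature) {
		return errors.New("outer envelope signature invalid")
	}
	s.Latest[env.VoterID] = env // the last vote in the period counts
	return nil
}

// MarkPaperVote records that the voter cast a paper ballot at a polling station.
func (s *Server) MarkPaperVote(voterID string) { s.PaperVoted[voterID] = true }

// Tally first strips the outer envelopes (voter IDs and signatures) and only
// then decrypts, so the counting key never sees who produced which ciphertext.
func Tally(s *Server, electionPriv *rsa.PrivateKey) (map[string]int, error) {
	var anonymous [][]byte
	for id, env := range s.Latest {
		if s.PaperVoted[id] {
			continue // overridden at the polling station
		}
		anonymous = append(anonymous, env.Ciphertext)
	}
	counts := map[string]int{}
	for _, ct := range anonymous {
		vote, err := rsa.DecryptOAEP(sha256.New(), nil, electionPriv, ct, []byte("ballot"))
		if err != nil {
			return nil, err
		}
		counts[string(vote)]++
	}
	return counts, nil
}

func main() {
	electionKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	alicePub, aliceKey, _ := ed25519.GenerateKey(rand.Reader)
	bobPub, bobKey, _ := ed25519.GenerateKey(rand.Reader)
	srv := NewServer(map[string]ed25519.PublicKey{"alice": alicePub, "bob": bobPub})

	// Alice votes, then changes her mind: only the later envelope counts.
	env, _ := CastVote(&electionKey.PublicKey, "alice", aliceKey, "party A")
	fmt.Println("alice #1:", srv.Receive(env))
	env, _ = CastVote(&electionKey.PublicKey, "alice", aliceKey, "party B")
	fmt.Println("alice #2:", srv.Receive(env))

	// Bob typed "party B", but malware on his device encrypts "party A" before
	// the card signs. The outer envelope is perfectly valid; the server cannot tell.
	env, _ = CastVote(&electionKey.PublicKey, "bob", bobKey, "party A")
	fmt.Println("bob:", srv.Receive(env))

	counts, _ := Tally(srv, electionKey)
	fmt.Println(counts) // map[party A:1 party B:1]
}
```

The split of keys is what gives the scheme its properties: the server only needs public card keys to check eligibility and the last-vote-wins rule, while the election private key is only ever applied to ciphertexts that have already been separated from their signatures. It also shows where the weak spot sits: the card signs whatever the device hands it, so a compromised client is indistinguishable from an honest one.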
When this new voting method was first introduced, President Arnold Rüütel challenged i-voting, claiming it breached the principle of equality of voting. He brought a petition against the e-voting provisions to the Estonian Supreme Court but lost. Rüütel's support came mostly from the elderly, still Russian-speaking minority. About 1.9% voted online in the 2005 election. This has grown over the years to 43.8% in 2019.
Estonia also open-sourced much of the source code to make the system as transparent as possible. They haven't released everything (annoying some critics). Most notably, all the client-side code is missing (more on that later).
One of the biggest arguments for i-voting is that it could increase voter turnout, but that claim has largely been debunked.
One peer-reviewed research paper claims its authors could breach the system, change votes and vote totals, and erase any evidence of their actions if they could install malware on the election servers. Now of course, breaching the security of the election servers from the outside is supposed to be basically impossible. But circling back to human error: what if someone is bribed, careless, or just malicious? The stakes are immense, and these edge cases cannot be ignored.
Another gaping security hole is the voter's personal device. This may be the weakest link in the chain. The system is quite robust after the ballot has been cast; getting that ballot there safely is not trivial.
It's easy to write a fake web client (hence the hidden client source code; releasing it would make this too easy) that tricks people into thinking they've already voted, or a piece of malware that sends a different vote than the one you typed.
The Estonian National Electoral Committee parried these criticisms, claiming they "give us no reason to suspend online balloting". The purported vulnerabilities were said to be either not feasible in reality or already accounted for in the design of the e-voting system.
The Estonian Information System Authority also responded, calling the criticism a political, rather than technical, attack on the e-voting system.
As a technical guy, I can relate to the Estonian Information System Authority. Their system is probably pretty airtight from a technical standpoint; however, it's nearly impossible to account for human error.
I was going to write a big recommendation here, but I don't have a great solution either.
E-voting, and especially i-voting, make life a bit easier, but they carry massive risks. If you try to patch all of those potential security holes, you end up eerily close to paper ballots.
So why go through the trouble? It doesn't increase voter turnout, and it comes with a ton of extra headaches.
Maybe just stay with paper and a good old pencil?