24 August 2022
Why Vote Online?
Internet voting (i-voting) holds many promises. It can cut down on the costs of running an election, while delivering results with both higher speed and accuracy. Users seem to enjoy the comfort of voting remotely, with people who used it once having a high likelihood of using it again. It can reduce hurdles for people with difficulties filling out their ballots, like language barriers or disabilities, as well as people staying abroad, for example military personnel. With more and more parts of our lives shifting online, the idea of going to a polling station can seem out of date. Meanwhile, during a pandemic, waiting in line in front of a crowded election booth is a health risk.
But while tech enthusiasts paint utopian futures with effortless elections and direct democracy at our fingertips, experts warn of the dangers. With online elections, a single vulnerability can lead to large-scale election fraud. What’s at stake is nothing less than democracy. With that in mind, we will look at modern technologies – the ones available today, as well as those coming in the near future – to answer the question: Is i-voting secure?
What is I-Voting?
Depending on the goal, different electronic tools can be utilized to facilitate the election process. These tools all fall under the heading e-voting and include offline options, like Direct Recording Electronic computers, ballot scanners or combinations of recording and storing devices. All of these would be introduced at polling stations, and can help reduce the administrative burden of an election.
i-voting refers only to methods that transmit data over the internet (although e-voting is often also used in this context). Online devices can also be introduced into polling stations, but the more radical approach, and the focus of this article, is the option for voters to cast their ballot remotely, on a personal device, from the comfort of their home, a café, or wherever they like. That means election officials have no control over the device used or the environment.
Furthermore, i-voting is sometimes proposed as an additional channel to cast votes, similar to postal voting, instead of exclusively online elections. For the latter to be possible, every eligible person would have to have access to the election technology, be able to navigate it, and trust it. This is a long way off, if it is even attainable at all.
The Dangers of Online Elections
Internet communication is inherently insecure. The National Academies Press writes in their 2018 report on the American voting system: “[…] no known technology guarantees the secrecy, security, and verifiability of a marked ballot transmitted over the Internet.” Sending election data online opens the door for large-scale fraud. But manipulation of votes is not the only way elections can be influenced. An attack that disrupts or delays the system can cause as much harm as election-tampering. And even if tampering is identified, it still demands revotes, which cost time and resources, and undermine trust.
The first and greatest concern in an election is for every cast ballot to be processed correctly as well as included in the final tally. For a voter, this includes verification that their vote was interpreted correctly and remained unchanged throughout the whole process. For the administration, this calls for a method of checking the election results. With paper ballots, both are straightforward.
Denial-of-service attacks (DoS) aim at disrupting a system, typically by flooding it with requests. Especially when these attacks are coordinated from different sources, they are hard to defend against. The infrastructure has to be built reliably. Unfortunately, with new methods of software protection, new methods of disruption emerge in parallel.
The principle of secret suffrage dictates that people can vote secretly and anonymously. The voter’s privacy must be protected. But a database connected to the internet is inherently vulnerable, especially compared to a shelf of boxed paper, locked in a warehouse. A voter’s personal information has to be stored in a different register than the information about their vote, with the link between the two strongly encrypted.
In remote elections, a method of identification is needed to ensure that anyone who casts a vote is eligible to do so and that everyone has the same number of votes. Authentication can be managed via passwords, but these tend to be either insecure or easily forgotten. Also, the combination of username and password can be easily handed to others, which enables vote-selling. Estonia solved both problems with electronic ID cards as well as card reading machines for online identification.
When voting from home, coercion and family voting cannot reliably be prevented. Therefore, it is necessary to provide the option to change a vote cast online at a later point in time, as well as to cast the vote manually.
How to Verify the Integrity of i-Voting
In the process of casting an online vote, there are multiple pieces of critical infrastructure. There is the server that receives and stores the votes, the device on which a vote is cast, and the connection between them. All of these can become the targets of an attack. Personal devices especially are prone to being infected with malware. This kind of distributed system calls for a method to check the integrity of not only every single part, but the entire transaction chain. To ensure that it holds from one end, all the way to the other, it needs end-to-end verification.
End-to-end verification is typically implemented by creating a receipt for the voter after their vote is completed. Imagine a 23-digit number generated by an algorithm from the specific data of the vote. The algorithm can be public and still provide unique keys that prevent the voter’s information from being reverse-engineered. At the end of the transaction, another key is created from the transmitted data and made publicly available for everyone to check. If nothing has changed, these will be the same.
In an end-to-end verifiable system, votes can be neither lost nor modified without being detectable. Every voter can check if their vote was captured properly. Additionally, it can be verified, either by predefined agents or the entire public, that the whole of the votes was tallied up correctly. In this way, end-to-end verification protects an election from threats on the outside as well as the inside.
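The receipt idea described above, as an added sketch that is not taken from any real voting system: the receipt is a salted SHA-256 hash reduced to 23 digits, and the `BulletinBoard` class, the `candidate-A`/`candidate-B` ballots and the 16-byte nonce are assumptions made for illustration. It also shows why the random nonce matters: with only a handful of possible ballots, an unsalted receipt can be matched by trying each candidate.

```python
import hashlib
import secrets

RECEIPT_DIGITS = 23  # receipt length used as the illustration in the text

def receipt(nonce: bytes, ballot: bytes) -> str:
    """Public algorithm: hash of nonce and ballot, reduced to a 23-digit number."""
    digest = hashlib.sha256(len(nonce).to_bytes(2, "big") + nonce + ballot).digest()
    return str(int.from_bytes(digest, "big") % 10**RECEIPT_DIGITS).zfill(RECEIPT_DIGITS)

def cast(ballot: bytes):
    """Voter's device: draw a fresh random nonce and keep the receipt locally."""
    nonce = secrets.token_bytes(16)
    return nonce, receipt(nonce, ballot)

class BulletinBoard:
    """Server side (hypothetical): recompute the receipt from what arrived and publish it."""
    def __init__(self):
        self.published = set()

    def record(self, nonce: bytes, ballot: bytes) -> str:
        value = receipt(nonce, ballot)
        self.published.add(value)
        return value

def run_demo():
    board = BulletinBoard()
    candidates = (b"candidate-A", b"candidate-B")      # constructed sample ballots

    nonce, mine = cast(b"candidate-B")
    board.record(nonce, b"candidate-B")                # arrives unchanged
    intact_found = mine in board.published

    nonce, mine = cast(b"candidate-B")
    board.record(nonce, b"candidate-A")                # changed on the way
    altered_found = mine in board.published

    # Without the nonce, anyone can try each candidate and match the receipt.
    leaked = receipt(b"", b"candidate-B")
    recovered = [c for c in candidates if receipt(b"", c) == leaked]
    return intact_found, altered_found, recovered
```

A matching receipt only shows that the ballot was recorded as cast; checking that the published ballots were tallied correctly needs the additional cryptographic techniques the article mentions.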
Of course, in the best case, the personal information of the voter would be separated from their vote immediately after casting the ballot to ensure secret suffrage. To allow verification, cryptographic technologies are used to keep the anonymity of the voter intact.
Another requirement of elections is that a voter should not be able to publicise how they voted, as this possibility could be used to coerce them into voting a specific way. At first, this seems to be a direct contradiction to verifiability, but achieving both at the same time is in fact possible and an active area of research.
In Estonia, a verification app shows the name of the voter and their vote – thus allowing voters to demonstrate how they voted. However, the app allows verification for only 30 minutes after the vote is cast. This, together with the option of revoting, is supposed to prevent voter coercion.
On the other hand, this opens up the possibility for malware to secretly recast the vote after the verification time window has passed. While the security of the verification process in Estonia could be improved on the technical level to allow secure verification, the greatest challenge remains adoption, as in the most recent Estonian election, only 5.3% of internet voters chose to verify their vote.
The great advantage of end-to-end verification is that each voter can make sure that their vote was processed correctly, while in the case of paper ballots, they can only be sure of the integrity of some steps. Paper ballots may be recounted, but they can, in principle, be removed, added, or changed. End-to-end verification, therefore, is also a useful consideration in traditional paper-based voting systems. Indeed, implementing end-to-end verification in traditional elections would serve as a test and training ground for the technology, as well as for the people operating it.
The Blockchain’s Potential Role in i-Voting
Blockchain is a buzzword that attracts a lot of hype. It is an incredible solution that’s still looking for a problem to solve. Could it find its home in i-voting? There are prototypes of online voting systems making use of blockchain running today, like the Agora system. To understand their allure, we need to understand the technology behind the word blockchain.
In more technical terms, blockchain is a distributed, immutable ledger. Think of an Excel spreadsheet, where no cell can be changed, and where rows, called blocks, can only be added to the bottom. That is the immutable part. The data structure is implemented in such a way that each block references the last block, leading to the name blockchain.
Furthermore, this table is decentralized, meaning there are copies distributed across many locations. For each new block (i.e. vote transaction), all administrators have to agree that it should be added. If consensus is reached, it becomes a permanent part of the chain. This means that no single agent, neither a hacker nor someone from the authorities, can change votes. To do that, they would have to gain access to the majority of administrator machines. In this way, the trust is distributed across all administrators, potentially consisting of election officials, election observers and other trusted third-party actors. Blockchain can be combined with cryptographic technologies to ensure end-to-end-verification for every voter as well as verification of the whole of the votes.
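The two properties described above, chained blocks and majority agreement across copies, as an added sketch that is not code from Agora or any other system. Approval is modelled as a simple count of administrators, and the ballots are constructed opaque strings; both are assumptions. The demo shows that the hash chain alone catches a careless edit, while a copy rewritten with recomputed hashes is only caught by comparison with the majority.

```python
import hashlib
import json
from collections import Counter

GENESIS = "0" * 64  # constructed placeholder for "no previous block"

def block_hash(prev, payload):
    return hashlib.sha256(json.dumps([prev, payload]).encode()).hexdigest()

def append(chain, payload):
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({"prev": prev, "payload": payload, "hash": block_hash(prev, payload)})

def first_broken_block(chain):
    """Index of the first block whose link or hash does not check out, else None."""
    prev = GENESIS
    for i, block in enumerate(chain):
        if block["prev"] != prev or block["hash"] != block_hash(prev, block["payload"]):
            return i
        prev = block["hash"]
    return None

def propose(replicas, payload, approvals):
    """Add a block to every copy only if a strict majority of administrators approve."""
    if approvals * 2 <= len(replicas):
        return False
    for chain in replicas:
        append(chain, payload)
    return True

def majority_head(replicas):
    """Hash of the last block that more than half of the copies agree on, else None."""
    head, count = Counter(chain[-1]["hash"] for chain in replicas).most_common(1)[0]
    return head if count * 2 > len(replicas) else None

def run_demo():
    replicas = [[] for _ in range(5)]                    # five administrators
    for ballot in ("ballot-1", "ballot-2", "ballot-3"):  # constructed opaque ballots
        propose(replicas, ballot, approvals=5)
    rejected = not propose(replicas, "ballot-X", approvals=2)  # no majority
    honest_head = majority_head(replicas)
    naive = [dict(b) for b in replicas[0]]
    naive[1]["payload"] = "ballot-changed"               # edit without fixing hashes
    rewritten = []                                       # edit and recompute every hash
    for payload in ("ballot-1", "ballot-changed", "ballot-3"):
        append(rewritten, payload)
    replicas[0] = rewritten
    return (rejected, first_broken_block(naive), first_broken_block(rewritten),
            rewritten[-1]["hash"] != honest_head, majority_head(replicas) == honest_head)
```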
Blockchain is a promising technology for the application of i-voting. There are, however, problems. Since it relies on communication between the whole network for every single vote, the process is energy-intensive and slow, in the range of hundreds of votes per second. For this reason, blockchain technology is difficult to scale to nationwide elections and especially vulnerable to denial-of-service attacks.
At this point, it is not clear that these drawbacks can be resolved. The blockchain is still in its infancy. No one can predict which solutions will arise in the future, alongside which new challenges. It has the potential to power a transparent, cost-efficient and trusted voting system. Trusted, that is, if people understand the intricacies of this technology.
Transparency: Open Source vs. Proprietary
Democracies are built on trust. Even in the total absence of technological vulnerabilities, a system can be disrupted if the population distrusts it. For people to understand why i-voting is introduced and how it works, transparency is called for.
This transparency is achieved by having the election run on open-source software. In contrast to proprietary software, where the code is kept behind closed doors only for a select few to examine, open-source code is completely public and can be inspected and evaluated by anyone.
Estonia has made almost their entire code accessible to the public, the only exception being the app that runs on the voter’s PC. Keeping this code secret is a defence against the insecure environment of personal computers. Estonia does, however, provide an additional open-source app that verifies that the voting software is running correctly.
Despite criticism from tech experts, the Estonian population has faith in their online elections. Survey data collected after every election shows around 70% of the Estonian general population trust i-voting. Trust in a technology is a major prerequisite for its adoption. In Estonia, it was achieved through persistent efforts to explain and improve the system, a generally advanced digital infrastructure, and transparency.
Outlook: The Future of i-voting
Technological challenges for i-voting persist. While companies praise their solutions, experts warn of the risks. Online voting has been tested in pilot projects around the world, most of them discontinued. The reasons range from technological failure to expert warnings and declining political will. In that regard, at least for the time being, Estonia remains an outlier.
Yet there are some signs of change on the horizon. Last year, Switzerland decided to resume their experiments with i-voting, after an unsuccessful trial in 2019. New Zealand’s Jacinda Ardern has also expressed an interest in switching from the country’s exclusive use of postal voting to an online system. Perhaps even more importantly, a range of political actors are using online voting systems in lower-stakes situations, including participatory budgets and party primaries in various countries throughout Europe. In this way, i-voting is already beginning to reshape our democracies.
It’s unlikely that many of us will be voting online in national elections in the immediate future. The stakes are simply too high, and the technical challenges too manifold. Yet it is through trials and lower-stakes experiments that new, secure solutions will emerge, and public confidence in online voting will grow.
Should i-voting be adopted for all elections in the near future?