Online Government Elections System - Is it possible?

It is not known how to build an Internet voting system that will be verifiably secure and auditable. Ron Rivest, Turing award winner and the R in RSA, has famously compared Internet voting to drunk driving: something you just can't do safely.

(By Internet voting, I mean voting over the Internet from client computers not controlled by election authorities, including return of voted ballots electronically over the Internet.)

The argument against Internet voting is a bit elaborate, but you can find details in the following articles:

  • If I can shop and bank online, why can’t I vote online?, David Jefferson.

  • A Security Analysis of the Secure Electronic Registration and Voting Experiment (SERVE), David Jefferson, Avi Rubin, Barbara Simons, and David Wagner. Published in excerpted form in Communications of the ACM, volume 47, number 10, October 2004.

  • Attacking the Washington, D.C. Internet Voting System, Scott Wolchok, Eric Wustrow, Dawn Isabel, and J. Alex Halderman. Published in FC 2012.

Don't miss the last paper. It is a totally epic hack of an Internet voting system.


What properties should an online voting system ideally have?

  1. Secure

    • Each voter can vote only once
    • The voting authority can't add or remove votes without getting caught
  2. Privacy/Anonymity

    Other people (including the state) can't find out what you voted for.

  3. You should not be able to prove to somebody else how you voted, to prevent bought votes, or votes under duress

  4. Trojans should not be able to alter votes

  5. The process should be understandable/verifiable by non experts

What can we achieve?

5) Non-expert verification
That's pretty hopeless for an online system. The required crypto is simply too complicated. But I don't consider this an essential property.

4) Trojans
I can't think of a way to keep the system secure in the presence of trojans. One can simply try not to have them, for example by using a live CD.

In an ideal world we can at least achieve a system that offers 1) security and 2) anonymity; I'm not sure about 3). But implementing a system that achieves 1) and 2) is already quite annoying in practice.

Sketch of how to build such a system

You need to be able to communicate anonymously with the voting servers, using Tor or something similar.

Then you need to separate the right to vote once from the actual vote. Blind signatures allow that in principle. But they require two steps:

  1. Turning your non-anonymous vote authorization into a vote
  2. Sending the vote to the vote collection server.

You need to be careful to avoid a side-channel attack that allows correlation of these two steps, for example by timing or IP.

In the end a list of all received votes gets published, allowing every voter to verify that his vote was counted, and a list of the names of all voters gets published, so non-voters can verify that nobody voted in their name, and that there aren't more votes than voters. A significant number of voters and non-voters needs to verify this for the system to be secure.

This scheme does not offer 3), and I'm not sure if it's possible to add this property.

Even building this system in practice seems quite challenging if you want to avoid all side-channel attacks on anonymity. For example one needs to put a sufficient delay between steps 1 and 2, and you probably need a slow forwarding anonymizer to avoid traffic analysis.

Conclusion

It looks to me like implementing an online voting system that comes even close to what a conventional paper-based system offers is not practically possible. So I recommend staying with good old paper for important elections, but it might be possible to use online voting for less important votes.
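The two-step blind-signature flow sketched in this answer (step 1: an identified voter gets a blind signature on a ballot token; step 2: the token, unblinded signature and vote are sent anonymously to the collector), written out as an added example that is not part of the original post. The Authority, Voter and Collector classes and the election scenario are constructed for illustration. It uses textbook RSA with a bare SHA-256 full-domain hash and a small key; a real deployment would use a padded scheme such as RSA-PSS-based blind signatures (RFC 9474), and nothing here addresses the timing/IP correlation between the two steps that the answer warns about.

```python
# Toy RSA blind-signature ballot flow: an added illustration, not code from the answer.
# Assumptions (not from the post): textbook RSA, SHA-256 as full-domain hash, small key.
import hashlib
import math
import secrets
from collections import Counter

E = 65537  # RSA public exponent

def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin test on an odd candidate; sufficient for a toy key."""
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(2 + secrets.randbelow(n - 3), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # top bit set, odd
        if is_probable_prime(cand):
            return cand

def keygen(bits: int = 256):  # returns (n, d) for public exponent E
    while True:
        p, q = gen_prime(bits), gen_prime(bits)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(E, phi) == 1:
            return p * q, pow(E, -1, phi)

def hash_to_int(token: bytes, n: int) -> int:  # full-domain-hash stand-in
    return int.from_bytes(hashlib.sha256(token).digest(), "big") % n

class Authority:  # step 1 server: checks eligibility, signs one blinded token per voter
    def __init__(self, eligible):
        self.n, self._d = keygen()
        self.eligible, self.issued = set(eligible), set()  # 'issued' is published afterwards

    def issue(self, voter_id: str, blinded: int) -> int:
        if voter_id not in self.eligible or voter_id in self.issued:
            raise PermissionError(f"no ballot for {voter_id}")
        self.issued.add(voter_id)
        return pow(blinded, self._d, self.n)  # signs without ever seeing the token

class Voter:
    def __init__(self, n: int):
        self.n, self.token, self._r = n, secrets.token_bytes(32), 0  # random ballot id
        while math.gcd(self._r, n) != 1:  # blinding factor must be invertible mod n
            self._r = secrets.randbelow(n - 2) + 2

    def blinded_token(self) -> int:  # H(token) * r^E mod n, independent of the token
        return hash_to_int(self.token, self.n) * pow(self._r, E, self.n) % self.n

    def unblind(self, blind_sig: int) -> int:  # (H(token) * r^E)^d * r^-1 = H(token)^d
        return blind_sig * pow(self._r, -1, self.n) % self.n

class Collector:  # step 2 server, reached anonymously; accepts validly signed, unseen tokens
    def __init__(self, n: int):
        self.n, self.seen, self.ballots = n, set(), []  # ballots are published for checking

    def cast(self, token: bytes, sig: int, choice: str) -> bool:
        if pow(sig, E, self.n) != hash_to_int(token, self.n):
            return False  # forged or corrupted signature
        if token in self.seen:
            return False  # same ballot submitted twice
        self.seen.add(token)
        self.ballots.append((token, sig, choice))
        return True

    def tally(self) -> dict:
        return dict(Counter(choice for _, _, choice in self.ballots))

def run_election():  # constructed scenario: 3 voters, a replay, a second ballot request, a forgery
    authority = Authority(["alice", "bob", "carol"])
    collector = Collector(authority.n)
    outcome = {}
    for voter_id, choice in [("alice", "A"), ("bob", "B"), ("carol", "A")]:
        v = Voter(authority.n)
        sig = v.unblind(authority.issue(voter_id, v.blinded_token()))  # step 1, identified
        outcome[voter_id] = collector.cast(v.token, sig, choice)  # step 2, anonymous
        outcome[voter_id + "_published"] = (v.token, sig, choice) in collector.ballots
    outcome["replay"] = collector.cast(v.token, sig, "B")  # carol's ballot a second time
    try:
        authority.issue("bob", Voter(authority.n).blinded_token())
        outcome["second_ballot"] = True
    except PermissionError:
        outcome["second_ballot"] = False
    rogue = Voter(authority.n)  # skipped step 1, so can only guess a signature
    outcome["forged"] = collector.cast(rogue.token, secrets.randbelow(authority.n), "B")
    return collector.tally(), outcome, sorted(authority.issued)
```

The authority only ever sees `blinded_token()`, which is uniformly random for a random blinding factor, so the published `issued` list and the published `ballots` list cannot be joined on anything the protocol itself reveals; what can join them is the metadata of the two connections, which is why the answer insists on an anonymizer and a delay between the steps.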


I think the German high court nailed down the problem very well:

Verifiability

The German constitutional court ruled on voting devices of any kind:

The usage of voting devices [...] is in compliance with the constitutional requirements only if the essential steps of the voting and counting can be verified reliably and without expert knowledge.

The verdict was motivated by a case on traditional voting computers, but the ruling is more general. Those voting computers consist of a keyboard and a display. The voter presses the key for the party of his or her choice. The vote is displayed and the voter has to confirm it.

But there is no way a voter can verify that the party he selected and saw on the screen is the party his vote is counted for. The government tried to argue that the voting computers had been verified by an official institution and sealed to prevent manipulation.

But the court made it very clear that "verified by experts" is not good enough to fulfill the requirements of democratic elections.

Note: It makes no difference whether the voting is done using a foreign voting computer or a computer owned by the voter: People are not able to verify that their own computer is working correctly either. This already starts with understanding open-source voting software, but of course it goes all the way down to the microcode within the hardware.

Anonymity and non-provability

The ruling was about verifiability by non-experts only. Of course any solution to this issue must not violate the other requirements of democratic elections.

For example, verifying votes could be done by publishing a complete list of all voters with addresses and votes. But democratic elections require anonymity to protect the voters and non-provability to prevent the selling of votes.

There are some smart concepts that do not publish the information for everyone to see, but still allow the voter to verify his vote. But those concepts are not easily understood by average people because of the complex math behind them. So we are back at square one.

Furthermore, they cannot satisfy non-provability and provability at the same time. But if they don't allow someone to prove that his vote was not counted the way it was supposed to be, it is quite likely that a number of people will call fraud after every election.