The idea of electronic voting has gained significant ground in the past few years, but it’s far more complex than it appears at first. This article will delve into the different types of electronic voting and the various security challenges that surround them.
We will cover types of voting that involve electronic systems in any way, known as e-voting, as well as i-voting, which refers to voting online.
Before we jump in, it’s important to understand some of the background on voting systems, what we require from them, and why security is so important.
What do we want from our voting systems?
A useful voting system needs to balance out a range of key features. Security is definitely one of the most critical factors, because we want to prevent any adversaries or self-interested parties from being able to manipulate the results.
We also want to ensure that the counted votes are authentic. Otherwise, the result won’t be fair and democratic.
Despite how crucial security is to the voting process, it still needs to be balanced out with other requirements. For the final vote count to accurately represent the will of the people, the other properties that need to be considered in voting systems are:
- Accuracy – We want the final vote count to accurately represent the choices of the people.
- Verifiability – It’s important to be able to check the accuracy of the vote and determine whether an election has been tampered with. If any manipulation is found, a new election can be conducted.
- Anonymity – The need for anonymity in voting is complex, because we don’t want anonymity in all aspects. We need to be able to verify who is voting in order to prevent people from voting multiple times or committing other types of fraud. However, we want the votes themselves to be anonymous. If the government, opposing party, or anyone else could find out who an individual voted for, it may lead to intimidation or coercion. This would compromise the integrity of the vote.
- Accessibility – Accessibility needs to take all voters into account. It would be great to allow everyone to vote from the comfort of their own homes to make the process easier. At the same time, we don’t want a system that is too technical and makes it difficult for some segments of the population to vote.
- Speed – It’s best if we can receive the results in a relatively short period of time. If it took a year to calculate the final vote tally, the will of the people at the time of the results may be very different from what it was at the time when the votes were cast.
- Cost-effectiveness – We could have the most secure or accurate system in the world, but if it costs 10 times a nation’s GDP to implement, it wouldn’t be practical.
One of the main issues is that many of these properties compete against each other. If you make the system excessively secure, it may also be too hard to use for most of the population. You could also build a system that is incredibly fast but has a high error rate. This would also be useless.
The main ideas that we will be focusing on are security, verification, and anonymity. One of the largest complications is that an anonymous vote makes it very difficult to verify whether the result is accurate or if there has been a security compromise.
The easiest way to verify whether an election was tampered with would be to keep a database of everyone’s votes so that they can look up their name and see whether their vote was recorded accurately.
Unfortunately, such a system would not be anonymous and could lead to coercion. The challenge of verifying the vote while also maintaining anonymity is one of the key stumbling blocks involved in electronic voting.
There’s a lot at stake in elections
Another major consideration is just how valuable elections are. The GDP of the US for 2019 was estimated at $21 trillion by the IMF. It’s a value so large that it’s beyond most people’s comprehension. To give you a vague idea, it’s enough to buy Apple 21 times.
The winner of an election has a significant influence over the future of a country, its alliances, its trade, its taxes and its regulations. When you consider the amount of money and power at stake, this is a pretty big deal for other nations, major businesses and other interest groups.
Foreign actors have been trying to influence the outcomes of elections in their favor for a very long time. This became extremely evident in 2016, with Russia’s multi-pronged campaign to disrupt the US elections and sow discord among the US population.
This included targeted propaganda campaigns through social media platforms such as Facebook, hacking into political databases and strategically releasing the information, as well as attacks on voter databases and electronic voting machines themselves.
If we can secure banks, surely we can secure the vote, right?
A common argument for electronic voting is “If we can secure online banking, then we should be able to make online voting secure.” There are a few issues with statements like this. If we are looking at it from a personal perspective, most people’s bank accounts simply aren’t worth enough to justify attacking them.
It would be irresponsible to use the same level of security to protect the few thousand dollars in an individual’s bank account and for an election that is worth trillions. Even if there wasn’t such a huge difference, accounts are hardly as safe as people think. Criminals are constantly coming up with ways to drain people’s bank accounts.
If we level things up and talk about corporate banks and other major transactions between financial institutions, these aren’t overly safe either. The Carbanak cybergang is alleged to have stolen up to $1 billion by targeting these transactions.
You would be right in saying that the majority of times, the security systems in place for these banks are effective and everything runs smoothly. The occasional large-scale attack may be covered by insurance or treated as a cost of business in exchange for the efficiencies that come with using online systems.
When it comes to elections, the problem is that you can’t really insure them. Can a country afford to have its election manipulated by enemies? What if an election was compromised and the people never found out?
Given just how valuable an election can be, and the proven desire that other nations have to influence them in their own favor, we have to recognize just how significant the threat to our democracies is. This is why our election systems need such high security standards in place.
What is electronic voting?
When we talk about electronic voting, it’s important to know what we are actually referring to. There are two types, e-voting and i-voting, each of which can be implemented in a range of ways. These variations have their own unique advantages and complications.
E-voting
E-voting still takes place at central polling locations, with observers overlooking the process. The difference between e-voting and paper voting is that e-voting involves using technology in any of the following processes:
- Ballot casting – E-voting systems may use technology for casting the vote itself. They can include direct-recording electronic (DRE) voting machines, which have touchscreens or other interfaces that voters can cast their ballots on.
- Tabulation – A paper-based voting system can also be considered e-voting if machines are used in the counting process. Systems that involve punch cards or coloring in a box can be termed e-voting if they use machines such as optical scanners to count the votes.
- Transmission – It can also be considered e-voting if paper-based votes are used alongside human counting, but the results of polling stations are sent via the internet or other networks to the central tallying location.
I-voting
Remote e-voting, also known as i-voting, uses the internet to allow people to vote from essentially anywhere. It can be done with computers, smartphones and other devices. It’s probably what most people think of when they hear the term electronic voting.
I-voting has the most appeal, because participants don’t have to leave their home to vote. One of the main downsides is that many key processes occur away from the eyes of human observers, so it can be impossible to know whether or not a vote has been manipulated.
What are the security issues involved in e-voting?
When e-voting is involved in the ballot casting process, it generally involves systems such as direct-recording electronic (DRE) voting machines. These systems typically have a touchscreen display or some buttons that voters can use to choose their preference.
When a person votes through the interface, their choice is recorded directly on the machine. When the election finishes, the machines total their votes and then store them on removable memory cards and as printouts. The results are then transferred to a central counting location either physically or over a local network.
There are a number of benefits to these systems. The main ones are that they speed up the vote counting process, they make it easier for those with disabilities to vote, they can make the election process cheaper in the long run, and they can help to reduce waste. These machines also eliminate the ambiguity of paper ballots that have been marked improperly.
Despite this, they come with a number of different issues. The most significant one is this: how can we know whether the final result is an accurate representation of the votes that were cast?
There is a common maxim in the computer security world that you can only trust software that you programmed yourself. Since most people aren’t programmers, how can the population trust these systems?
The above statement may seem a little extreme, but it was backed up by a 2009 decision by the Federal Constitutional Court of Germany:
“The use of voting machines which electronically record the voters’ votes and electronically ascertain the election result only meets the constitutional requirements if the essential steps of the voting and of the ascertainment of the result can be examined reliably and without any specialist knowledge of the subject.”
Under this stream of thought, computers should probably be avoided in the election process, because the average voter doesn’t understand them enough. The German court’s argument may not convince everyone, but this is far from the only issue that appears in e-voting systems.
Accuracy
According to Michael D Byrne’s paper, “Improving voting systems’ user-friendliness, reliability and security”, DREs have an error rate of one to two percent. This means that between one and two percent of votes may not be counted, or could go towards the incorrect party.
This is not usually treated as a major concern, because the error rate should theoretically affect all parties equally. This holds true if everyone in the electorate uses the same machines, but what if only parts of a country use voting machines, while other parts use ballot papers? Such a hybrid system could lead to a biased result, especially if areas that favored one party used DREs, while those that prefer another used paper ballots.
Audits
To confirm the accuracy of the result and that no tampering has taken place, audits need to take place before, during and after the election. Before the election, one of the most important types of audit involves verifying that the voting machines themselves are working properly.
This includes verifying the code, and making sure that the physical machine has not been altered. In the US, this is done according to the Voluntary Voting System Guidelines. These are voluntary at the federal level, and whether or not they are adhered to is left for the states to decide.
Most states that use electronic voting subscribe to at least some aspect of the federal certification process, although there are states like Florida which have their own certification programs. Let’s disregard the issues surrounding the fact that these are only voluntary guidelines and not federal regulations, and look into the problems of the guidelines themselves.
The inherent security flaws in the Voluntary Voting System Guidelines
A range of different security issues in the federal guidelines have been pointed out. While they feature some good recommendations, the guidelines also leave a number of gaping security holes and they are open to interpretation.
The guidelines focus more on the technical aspects, and ignore the processes that need to be in place so that these systems can be effective. As an example, you can mandate that encryption must be used, but if you don’t regulate how it is used, then the system may not be much more secure. A system that features encryption as an opt-in feature will lead to far more data breaches than one where encryption is opt-out.
The guidelines also neglect important processes such as social engineering training for staff, the security of the voting machines when they are in storage, password storage protocols, and penetration testing. The lack of system-wide penetration testing presents a significant security oversight.
Penetration testers are essentially good-guy hackers who you pay and say “These are our systems. Give us your best shot at breaking in.” The hackers then probe for weaknesses and try to make their way in. If they find faults, they make recommendations on how the systems can be fixed.
If systems are deployed without taking this step, the operators are essentially inviting hackers to be their penetration testers. The problem with this is that black hat hackers (the bad guys) aren’t going to write a report and give you recommendations on how to fix the security gaps.
The problems will only be found out after the hackers have breached the system and a disaster is at hand. This is why the lack of penetration testing in the guidelines is such a massive oversight.
Since the guidelines only cover the systems that record the votes and those that tabulate them, there can be glaring security holes in other electronic voting technology. Electronic voter registration systems and pollbooks (systems used to review and maintain registration information – voter lookup, identification, verification, ballot and precinct assignment, etc.) are left out.
This means that there isn’t even a federal guideline of how these systems should be secured, let alone set-in-stone regulations. Considering that voter registration systems were hacked by Russian operatives ahead of the 2016 elections, this is a serious weakness.
The voluntary voting system guidelines simply aren’t comprehensive enough to secure something as important as an election. Even with these guidelines in place, their real-world implementations leave a lot to be desired.
Real-world security issues
If you didn’t believe that the holes in the guidelines were severe enough, or that they weren’t being carefully followed, here’s a list of past security incidents, errors and theoretical attacks to make you seriously question whether our current use of electronic voting machines can be trusted.
To avoid turning this article into a tome, the incidents are presented as brief summaries with links so that you can read about the matters in detail if you want.
We will focus on security issues concerning US machines, since these are the most relevant to the guidelines that we have just discussed. There is also a long list of flaws in other countries, which have led nations such as the Netherlands to return to paper ballots.
- 2003 – In Fairfax, new voting machines either didn’t work, or would lose the voter’s choice after a few moments.
- 2003 – The State of Maryland found that the Diebold Election Systems, Inc. (now rebranded as Premier Election Solutions) AccuVote-TS system “as implemented in policy, procedure, and technology, is at high risk of compromise.”
- 2002-2006 – During this period, Election Systems and Software, the US’s leading voting machine manufacturer, was shipping some of its systems with remote access software, making them vulnerable to hacking.
- 2006 – Researchers from the Voting Systems Technology Assessment Advisory Board (VSTAAB) and the University of California corroborated previous research that found various Diebold voting machines can have the votes on their memory cards tampered with in a way that cannot be detected. They found a number of other security vulnerabilities as well.
- 2006 – Princeton researchers studied the Diebold AccuVote-TS and found that it was vulnerable to a range of serious attacks. These included the possibility of malware installation which could be used to alter the vote.
- 2015 – The Virginia Information Technologies Agency assessed the WinVote machine, which is manufactured by Advanced Voting Solutions. The agency recommended discontinuing the use of these machines after they found a range of serious flaws such as weak passwords, outdated security protocols, and insufficient system hardening.
- 2018 – At DEFCON, J. Alex Halderman showed that Diebold AccuVote TSX voting machines could be manipulated remotely in a mock election. The same vulnerable machines were being used in 18 different states. After the event, a 50-page report was released, detailing vulnerabilities in Election Systems & Software’s M650 machine and the Diebold AccuVote TSX. Together, these machines are used in as many as 23 states.
- 2018 – Some voters in Texas allege that the Hart InterCivic’s eSlate machine was switching their vote to another candidate in the state’s election for senator.
The incidents listed above are far from an exhaustive list of examples. These and the other security flaws show that the e-voting systems that are currently used in the US are inappropriate for securing elections.
Updates to the Voluntary Voting System Guidelines
The good news is that the federal guidelines for electronic voting systems are set to be updated. The bad news is that it’s unlikely for these alterations to be implemented ahead of the 2020 elections.
On top of this, the proposed Voluntary Voting System Guidelines 2.0 still feature numerous security gaps. Just like the current version of the guidelines, they focus on technical aspects rather than procedure, which can be just as important when it comes to security. Again, they ignore electronic voter registration systems and pollbooks, which also need to be secured.
While the new guidelines do feature some positive steps, they are simply not holistic enough to provide a secure framework for elections.
E-voting in a perfect world
Now that we’ve looked into the issues with federal regulations, the oversights in the guidelines, and some of the real world problems, let’s examine e-voting from a hypothetical point of view. We will ignore the human error and sloppy implementations that we see in practice, and instead look at how these systems could work in a best case scenario.
Auditing before an election
If we are going to use electronic devices in any aspect of the electoral process, it’s important to make sure that they are functioning as they are supposed to. Before an election, the code and the hardware need to be audited to make sure that the machines have not been tampered with and are free from error.
The US already has a voluntary certification process, but as we have just discussed, it does not do enough to secure the election. Since this is a hypothetical scenario, let’s say that new federal regulations have been brought in, which provide a cohesive and comprehensive framework to verify the security of any machine that is used in the electoral process.
If we theoretically did fix the guidelines, the next issue we would have is who would audit the machines, and how could we trust them? The most obvious choice would be for some kind of private, community or independent government body to audit the machines and make sure that everything is implemented correctly.
But how could we trust whichever entity is responsible? The same way that we trust our banks, judges and police? The difference between this and most other trust-based scenarios that you could name, is that there is a lot more at stake in an election, so there is much greater potential for corruption.
If you remember our “There’s a lot at stake in elections” section, the result determines future taxes, laws, alliances and the direction of potentially trillions of dollars. Considering how much money is at stake, and that we know that adversaries are already motivated to disrupt elections, it would be unwise to trust that such a small group of individuals could not be corrupted.
But there is an alternative.
Open-source code
If we feel that there is too much at stake to trust a small group, then we could use election software that is open source instead. This means that the code is freely published online, and anyone can inspect it to make sure that there are no errors or indications of tampering.
At the moment, the electronic voting machine industry runs on proprietary code, meaning that no one can publicly verify whether or not the machines work as they say they do. This is obviously a huge security flaw. If we can’t verify the software, how can we verify that the vote is accurate?
How do you know the verified software is on the polling machines?
Let’s say that under some Herculean effort, we have revolutionized the industry and implemented open-source software in all of the machines, and that the software has been scrutinized by every programmer in the country and certified as legitimate. How can we know that the legitimate software is actually on the voting machine in front of us?
Perhaps it’s possible for each machine to be inspected by any member of the community before the election begins. But how can voters know whether or not the machine has been tampered with after the initial inspection?
A system can seem to be running normally even though it may actually be manipulating the vote. It’s alarming to think that an election could be tampered with without anyone being aware.
Most of these concerns apply to the central vote counting machines as well. They could be tampered with in many different ways. On top of this, there is also the potential for the vote count to be altered while it is transmitted between local machines and the central system.
Paper auditing
Paper audit trails have been proposed as a solution to many of the above problems. Voter Verified Paper Audit Trails (VVPATs) include a number of different systems that allow voters to choose their candidates on electronic voting machines, and then have a paper record printed out.
In one of the most common methods, voters are able to verify their vote by checking the result of a printed ballot. However, this ballot is kept at the polling booth. The digital tallies of the machines are often used for the primary result. If there are any disputes, then a manual recount is done with the paper ballots.
Let’s work through each of the problems that can come with these kinds of systems:
- The system can only accurately verify the results if a statistically significant number of people check the printed records.
- Voters may not be willing to take the time to recast their vote if it is recorded incorrectly, which negates the system. According to a Caltech and MIT study, “In watching 500 voters casting ballots, I saw less than one in 10 people who, when they were told they had a problem with their ballot, were actually willing to take a new ballot and vote again.”
- There can be printer errors.
- The machines are still vulnerable to malware which could manipulate the digital record. If a physical recount is not called, then tampering may not be detected.
- They are more expensive and more difficult to administer than paperless electronic voting systems.
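The first and fourth problems in the list above can be put into numbers. The following Python sketch is an added example, not part of the original article: it computes how likely a wrong printout is to be reported by voters, and how many paper records officials would need to hand-compare against the digital records to catch an altered digital tally. The function names, electorate size and rates are assumptions, voters are assumed to act independently, and the sample is assumed to be drawn uniformly at random without replacement.

```python
"""Added example: how likely is tampering to be noticed under a VVPAT scheme?"""


def p_detect_by_voters(altered, check_rate, report_rate=1.0):
    """Chance that at least one of `altered` voters with a wrong printout
    both checks it (check_rate) and goes on to report it (report_rate).

    This only helps when the printout itself is wrong. Malware that prints
    the correct paper record and alters only the digital record is invisible
    to voters and must be caught by comparing paper against digital records.
    """
    if altered < 0:
        raise ValueError("altered must be non-negative")
    if not (0.0 <= check_rate <= 1.0 and 0.0 <= report_rate <= 1.0):
        raise ValueError("rates must be between 0 and 1")
    return 1.0 - (1.0 - check_rate * report_rate) ** altered


def p_detect_by_sample(total, altered, sample):
    """Chance that a random sample of `sample` paper records, each compared
    with its digital record, contains at least one of the `altered` records
    (sampling without replacement, i.e. a hypergeometric draw)."""
    if not (0 <= altered <= total and 0 <= sample <= total):
        raise ValueError("need 0 <= altered <= total and 0 <= sample <= total")
    if altered == 0:
        return 0.0
    if sample > total - altered:
        return 1.0  # the sample is larger than the number of clean records
    miss = 1.0
    for drawn in range(sample):
        # Probability that the next record drawn is also a clean one.
        miss *= (total - altered - drawn) / (total - drawn)
    return 1.0 - miss


def min_sample_size(total, altered, confidence):
    """Smallest sample that finds an altered record with probability of at
    least `confidence`, or None if nothing was altered."""
    if not (0 <= altered <= total) or not (0.0 < confidence < 1.0):
        raise ValueError("need 0 <= altered <= total and 0 < confidence < 1")
    if altered == 0:
        return None
    miss = 1.0
    for n in range(1, total + 1):
        clean_left = total - altered - (n - 1)
        if clean_left <= 0:
            return n  # every clean record is already drawn, so this one hits
        miss *= clean_left / (total - (n - 1))
        if 1.0 - miss >= confidence:
            return n
    return total


if __name__ == "__main__":
    TOTAL = 100_000   # constructed electorate size
    ALTERED = 1_000   # constructed: 1% of records changed

    # Assumed rates: 1 voter in 20 reads the printout; of those who see a
    # problem, 1 in 10 acts on it (loosely echoing the observation quoted
    # in the list above, which is about recasting ballots in general).
    for altered in (10, 100, 1_000):
        p = p_detect_by_voters(altered, check_rate=0.05, report_rate=0.1)
        print(f"{altered:>5} wrong printouts -> reported with p = {p:.3f}")

    n = min_sample_size(TOTAL, ALTERED, 0.95)
    print(f"hand-compare {n} of {TOTAL} records for 95% detection")
    print(f"check: p = {p_detect_by_sample(TOTAL, ALTERED, n):.4f}")
```

The sample size depends on how many records an attacker must alter, not on the size of the electorate, which is why a close race needs a much larger comparison than a landslide.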
Considering that reduced costs, paper wastage and the time it takes to count the ballots are some of the main arguments in favor of using electronic voting machines in the first place, VVPATs seem to negate a lot of the benefits.
When you also take the negatives of VVPATs into account, it just seems like an over-engineered process that doesn’t really give any significant advantages over a traditional paper ballot system. Why not just stick to simple paper ballots?
Is e-voting a good idea?
You might argue that some of the vulnerabilities mentioned in the above scenarios are extreme, and you would be right. But as we have mentioned, the stakes in an election are also extreme, so it’s only reasonable that we should hope for the security of our election systems to be as airtight as possible.
Electronic voting machines do have a number of positives, but it is hard to justify them when you consider the potential for disaster. These systems complicate the process significantly and introduce a number of points where massive failure could occur.
Considering that the democracy of nations is at stake, and there is the possibility that elections could be tampered with without anyone’s knowledge, it’s hard to justify the risks that come with electronic voting systems.
I-voting
I-voting, also known as remote e-voting, seems like a far more appealing system than either using paper ballots or electronic voting. In the age of Uber Eats and Amazon Prime, it seems almost neanderthal to have to leave your house to express your democratic will.
I-voting has several things going for it. It’s appealing because it seems easier and more accessible, although this doesn’t necessarily translate to increased voter turnout. One Swiss study found no measurable difference, while another found a three and a half percent or greater increase (if the electorate did not offer postal voting as an alternative).
Other benefits include faster results, while it also saves man hours in counting and other administrative tasks. Polling stations can be smaller, because they handle a reduced number of voters.
A study from the University of Tallinn concluded that i-voting ends up being almost 50 percent cheaper than paper voting. The system used in Estonia even allows voters to change their vote if they want to, as long as they do so before polls close.
As i-voting is currently practiced in Estonia, it appears to be more secure than the implementations of e-voting in the US. In some aspects it also has advantages over paper voting.
Despite this, i-voting still has many of its own risks, and the systems need to be continuously improved to provide security in the long term. It’s also important to note that other countries would face significant challenges if they chose to adopt a similar system.
We will focus on the security risks in the Estonian system, since it is the only one which is widely used. These include procedural issues, attacks against personal computers or election servers, verification, and coercion.
I-voting procedural issues
Securing a remote election involves more than just the right technology – it’s important that adequate procedures and oversight are also in place. All things considered, the Estonian system has some well-thought-out procedures in place.
Operational security is in place for many processes, as well as contingency plans for when things go wrong. These include multiple observers overseeing critical aspects of the system, as well as releasing videos of certain processes.
Despite this, human error is universal, and researchers have witnessed numerous acts that could compromise the security of the elections. These include election officials entering their passwords in full view of cameras, and using a personal (and potentially contaminated) USB stick to transfer election results.
These small oversights could expose the openings that hackers need to get into election systems. These kinds of errors have the potential to completely endanger an election. Although Estonia generally does things quite well, it’s important to be wary of just how much is at stake in elections, and just how great the risks are.
Threats to voter computers
According to the Estonian National Election Committee, the voter’s PC is the “…weakest link of the e-voting procedure…”, since its security is left up to the voter. Many computers already have malware without the user knowing, and this poses great risks to the security of the vote.
Given how much is at stake in an election, it’s not unreasonable to assume that an enemy may specifically release malware that is designed to manipulate the vote. If it’s new code, it could get past the antivirus on voter computers and then manipulate the victim’s vote in favor of the attacker’s party.
It’s also possible for attackers to build a fake voting client, which could trick users into thinking that they have voted, even though they never actually accessed the official system and cast their vote. If either of these attacks occurred on a large scale, they could completely undermine the validity of an election.
Despite this, it is unlikely that attacks against so many computers could go on undetected. If an attack like this did take place, it would probably be noticed and a new election could be scheduled if necessary.
Attacks against election infrastructure
In Estonia, a number of procedures check that hardware is free from malware. There are also reasonable security practices in place to secure hardware during the election.
Even though these measures are active, it’s not infeasible that a number of election officials could be compromised and may tamper with the hardware. Again, we have to remember just how much is at stake in elections and the huge bribes that could potentially be offered.
A team of researchers led by J. Alex Halderman simulated Estonia’s election systems in their laboratory and found that it was possible to infect the vote counter with malware and alter the count without being detected. While this attack may be difficult to execute, its sheer possibility is enough to make one think twice about whether these systems are a good idea for democracy.
Under such an attack, it’s theoretically possible for the election to be altered without anyone knowing. This type of attack is probably the worst case scenario in an i-voting election.
Auditing
One of the most important parts of any election system is that there are checks in place to verify the integrity of the election process and its result. The Estonian system has a range of different auditing and verification measures, but there is still room for improvement.
It involves auditors who monitor the elections and issue reports based on their findings. On top of this, observers from the public can also sign up to watch over the elections and provide feedback. Election officials film many key processes and provide public documentation about many of them.
Verifying the code
In 2013, the Estonian National Election Committee (NEC) made the majority of its code available on GitHub. While the move was praised by many for its transparency, there was also some criticism for not releasing the entirety of the code, and for releasing it under a license that does not allow derivatives.
The Free Software Foundation Europe said that the move did not go far enough. It claimed that the code for other components involved in the voting process also needed to be released, and that “the client side software must also be published as Free Software.” They allege that in its current state, the client could be used to spread spyware, and that a fully open license would allow more people to fix bugs.
Tanel Tammet, a professor from the Tallinn University of Technology, responded to these criticisms by saying, “There’s no reason at all why there should be consent to make one’s own variations on this code.” Even though he was one of the primary voices calling for the code to be released, he sees no need for the public to be able to make their own versions.
Tarvi Martens, the head of the NEC, also defended the release, acknowledging that many in the community may have wanted to be able to work on the code themselves. “But that’s not our aim,” he said, “The development of such a system must be kept under control and centrally coordinated.”
A report from researchers at the University of Oxford found that part of the unpublished code “is focused on malware detection and avoidance at the voter’s machine.” Publishing it would help attackers create malware that could avoid detection.
Verifying votes
In 2015, an app was launched that allowed Estonian voters to check whether their votes had been recorded correctly. To verify their vote, they have to use a separate device to the one that they voted on, so attackers would have to compromise both in order to disrupt the verification system.
While this verification process is a positive step, it does not necessarily mean that all votes will still be recorded correctly in the final tally.
Coercion
Coercion is a serious issue that all voting systems need to take into account. Voting is generally done anonymously to make sure that people can truly express their democratic will, without feeling pressured to vote for certain candidates for financial gain, to advance their career, or out of social pressure.
This is why paper ballot systems tend to involve a person checking off their name, having a ballot handed to them, and then going off to a controlled environment where they can privately cast their vote according to their true wishes.
I-voting happens in an uncontrolled environment, so the anonymity of an individual’s vote cannot be guaranteed. This issue is not unique to i-voting, as postal votes can also be vulnerable to coercion.
The main fear is that in an uncontrolled environment, it is possible for someone to pay or use force to make another person vote in a certain way. This could be done by a major political party, a meddling nation state, or even a domineering partner.
To minimize this risk, Estonia’s internet voting is conducted during an early voting period where a voter can change their ballot as many times as they want. A person can also override their internet vote later on by casting a physical ballot.
This system makes it much more difficult for coercion to succeed, because victims can just change their votes afterward. Despite this, there are still scenarios such as abusive relationships where voters may be coerced into voting against their will and then not have the opportunity to rectify their vote.
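The override rule described above, sketched as an added example (not code from the Estonian system or from this article): it assumes a simple record layout, that timestamps order the internet votes, and that a paper ballot always cancels internet votes. All names and sample data are constructed.

```python
from collections import Counter
from datetime import datetime

# Constructed sample records, not real election data.
# Assumed layout: (voter_id, channel, cast_at, choice).
SAMPLE_BALLOTS = [
    ("voter-A", "internet", "2030-01-02T10:00", "Candidate 1"),
    ("voter-A", "internet", "2030-01-04T18:30", "Candidate 2"),  # revote
    ("voter-B", "internet", "2030-01-03T09:15", "Candidate 1"),
    ("voter-B", "paper",    "2030-01-07T12:00", "Candidate 3"),  # paper override
    ("voter-C", "internet", "2030-01-05T20:00", "Candidate 2"),
    ("voter-C", "internet", "2030-01-03T08:00", "Candidate 1"),  # older, stored late
]


def resolve_ballots(records):
    """Pick the single ballot that counts for each voter.

    Returns (counted, superseded): counted maps voter_id -> (channel, choice),
    superseded lists every record that was replaced or ignored.
    """
    best = {}          # voter_id -> (channel, timestamp, choice, original record)
    superseded = []
    for record in records:
        voter, channel, cast_at, choice = record
        ts = datetime.fromisoformat(cast_at)
        held = best.get(voter)
        if held is None:
            wins = True
        elif held[0] == "paper":
            wins = False                      # nothing replaces a paper ballot
        elif channel == "paper":
            wins = True                       # paper cancels any internet vote
        else:
            wins = ts > held[1]               # latest internet vote wins
        if wins:
            if held is not None:
                superseded.append(held[3])
            best[voter] = (channel, ts, choice, record)
        else:
            superseded.append(record)
    counted = {v: (ch, choice) for v, (ch, _, choice, _) in best.items()}
    return counted, superseded


def tally(counted):
    """Count one choice per voter from the resolved ballots."""
    return Counter(choice for _, choice in counted.values())
```

The superseded list is kept rather than discarded so that an auditor can account for every ballot that was replaced.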
Estonia vs. the rest of the world
Estonia is a great example of what is possible in i-voting. Security experts debate whether its security is adequate for something as important as elections, but all things considered, the security processes in place aren’t terrible.
While the argument rages on over whether Estonia’s system is secure enough, one of the biggest questions is whether something similar could be implemented in other countries. The short answer is that at this stage, it’s probably a bad idea.
Digital infrastructure
One of the main reasons why the Estonian system would be difficult for other countries to replicate is that Estonia already has considerable digital infrastructure in place that is lacking in other nations. The centerpiece when it comes to i-voting is the digital identity card, which has a public and private key pair used to digitally sign documents.
For a similar system to work in other countries, they would need identification cards in place, linked to digital signatures. This may not be possible in the current climate of countries like the US, due to the privacy concerns of the general population.
Do you trust your government to be able to secure such a critical IT project?
Let’s be honest, many governments colossally screw up their IT infrastructure. Whether it’s the US’s healthcare.gov debacle or the Australian NBN, tech is not the forte of many governments around the world. Do you really trust your government to be able to secure something as crucial as an i-voting system?
There’s more at stake in other countries
Estonia is a relatively small country with a GDP that is a tiny fraction of the US’s. Since there is so much more at stake in countries like the US and China, we have to expect that other nations will be far more motivated to disrupt their elections than Estonia’s. They will, therefore, be prepared to throw a much greater amount of resources into an attack.
If we assume that manipulating a vote system would have a similar cost, regardless of the size of a country or its wealth, then it follows that attackers will be much more likely to go to the expense for bigger and more powerful nations.
We can’t be sure whether or not Estonia’s vote has been altered so far. Even if its systems have been secure, it doesn’t necessarily mean that these would be adequate to protect a nation that has a lot more at stake.
E-voting & i-voting: How do they compare with paper ballots?
So far, this article has been quite critical of the security of both e-voting and i-voting. You may expect there to be some perfect alternative instead. Unfortunately, there isn’t. Paper ballots also have their faults, although one of their greatest advantages is that it’s essentially impossible for large-scale manipulation to go unnoticed.
The results of paper-based elections can still be altered on a small level. It’s conceivable for a well-resourced adversary to bribe some officials or tamper with the system in other ways. Things like ballot stuffing and fraudulent voting certainly do happen in paper voting systems.
Despite this, the effects are generally quite small. If an adversary wanted to alter the national election result in a significant way, it would involve compromising countless people. Not only would this be incredibly expensive, but the larger in scale a conspiracy is, the more likely it is to be found out.
When compared to both e-voting and i-voting, paper-based voting has a much lower potential for disaster to strike and for democracy to be undermined in a massive way.
At the end of the day, the risk of large-scale, yet undetected vote manipulation may be quite small for both e-voting and i-voting. But is it really worth the risk of something so catastrophic happening, especially when paper voting offers such a simple alternative?
You mentioned that the easiest way to verify whether an election was tampered with would be to keep a database of everyone’s votes so that they can look up their name and see whether their vote was recorded accurately.
I think you have solved the problem. Instead of listing names in the database, give everyone a receipt with a code. They can look up their votes any time after the election and verify that their votes are accurate. Anonymity would be protected because only the voter would know her own code. The ‘online’ database used for verification wouldn’t contain any personally identifiable information. Anyone attempting to alter votes wouldn’t know which voters will verify their votes and which won’t, so it would be unlikely that an election could be compromised without voters catching on. Additional votes couldn’t be added to the system because each ballot would need to be tied to a registered voter.
It seems foolproof to me.
It’s stated in the article that people usually do not bother to check their vote afterwards, so it’s not very “foolproof”.
While that’s definitely a solution, my perspective is “What’s the point?” If we’re going to the trouble of printing out paper receipts, why not just have a paper-based system in the first place? Although there are some minor issues, overall, it’s a pretty effective system in countries that have robust democracies.