
I am from Bulgaria, and currently some groups here are promoting the idea of a referendum among the people about the possibility of establishing a system for ONLINE GOVERNMENT ELECTIONS. The idea is that people should be able to vote in elections using the internet.

One concern for me is that on the website of the promoters there are no details about how this system will be managed, hosted and secured. I stumbled upon some documents on the internet that show that such prototype systems have been successfully hacked so far and that this is a very insecure mechanism for elections. However, the people insist that there is a way that the system can be made secure enough, and that there are no problems.

Do you think that the implementation of such a system is possible TODAY with the current technologies that we have, like modern cryptographic algorithms, digital signatures, SSL or some proprietary protocols? Or in the future?

Isn't it possible for a government with a high enough budget for supercomputers to break, manipulate and compromise the system according to its wishes?

Philipp
luben
  • It is worth noting that in the USA, even widely used offline vote counters have security vulnerabilities. In the documentary Hacking Democracy, it was demonstrated that an executable could be added to the storage device which would change the results from the scanner before they were written to the storage. This leaves the necessary (and I hope practiced) step of testing and/or ensuring the hardware is not tampered with. Don't know about Bulgaria's current system. I would advocate ensuring more fool-proof security before advocating online voting. Might be worth checking on. – 700 Software May 28 '12 at 18:13
  • @GeorgeBailey IMO those hacks aren't even the main issue. The core problem is that no outsider can verify if machines that nobody tampered with are even secure, or if the manufacturer added in some kind of backdoor. – CodesInChaos May 28 '12 at 19:24
  • The Dutch have an Open-Source "Rijnland Internet Election System". This allows professionals the ability to verify the authenticity of voting systems. The need for professionals isn't new; detecting voting fraud has always required expertise. – MSalters May 28 '12 at 20:54
  • @MSalters What kind of expertise does the detection of ballots in sockets require? – curiousguy May 29 '12 at 03:18
  • You mention "_technologies_" (cryptography), but you have to realise that an election process is just that: a **process**. Given the existing "technology" of small papers, opaque envelopes, and a transparent box, **what matters is the process**. No amount of cryptography can solve a real-world problem unless secure procedures are followed (f.ex. SSL does not protect you if you accept any unverifiable site SSL certificate). For any electronic voting proposal, you have to evaluate not only its safety, but also the ability of voters, election officials and watchers to control procedures. – curiousguy May 29 '12 at 03:41

7 Answers

It is not known how to build an Internet voting system that will be verifiably secure and auditable. Ron Rivest, Turing award winner and the R in RSA, has famously compared Internet voting to drunk driving: something you just can't do safely.

(By Internet voting, I mean voting over the Internet from client computers not controlled by election authorities, including return of voted ballots electronically over the Internet.)

The argument against Internet voting is a bit elaborate, but you can find details in the following articles:

Don't miss the last paper. It is a totally epic hack of an Internet voting system.

kelalaka
D.W.

What properties should an online voting system ideally have?

  1. Secure
     • Each voter can vote only once
     • The voting authority can't add or remove votes without getting caught
  2. Privacy/Anonymity: other people (including the state) can't find out what you voted for.
  3. You should not be able to prove to somebody else how you voted, to prevent bought votes or votes under duress.
  4. Trojans should not be able to alter votes.
  5. The process should be understandable/verifiable by non-experts.

What can we achieve?

5) Non-expert verification: that's pretty hopeless for an online system. The required crypto is simply too complicated. But I don't consider this an essential property.

4) Trojans: I can't think of a way to keep the system secure in the presence of trojans. One can simply try not to have them, for example by using a live CD.

In an ideal world we can at least achieve a system that offers 1) security and 2) anonymity, not sure about 3). But implementing a system that achieves 1) and 2) is already quite annoying in practice.

Sketch of how to build such a system

You need to be able to communicate anonymously with the voting servers using Tor or something similar.

Then you need to separate the right to vote once from the actual vote. Blind signatures allow that in principle. But they require two steps:

  1. Turning your non-anonymous vote authorization into a vote
  2. Sending the vote to the vote collection server.

You need to be careful to avoid a side-channel attack that allows correlation of these two steps, for example by timing or IP.

In the end a list of all received votes gets published, allowing every voter to verify that his vote was counted, and a list of the names of all voters gets published, so non-voters can verify that nobody voted in their name, and that there aren't more votes than voters. A significant number of voters and non-voters needs to verify this for the system to be secure.

This scheme does not offer 3), and I'm not sure if it's possible to add this property.

Even building this system in practice seems quite challenging if you want to avoid all side-channel attacks on anonymity. For example one needs to put a sufficient delay between steps 1 and 2, and you probably need a slow forwarding anonymizer to avoid traffic analysis.

Conclusion

It looks to me like implementing an online voting system that comes even close to what a conventional paper-based system offers is not practically possible. So I recommend staying with good old paper for important elections, but it might be possible to use online voting for less important votes.

CodesInChaos
  • Hm, your first sentence does not seem to fit the rest of the posting. – Hendrik Brummermann May 28 '12 at 17:55
  • @HendrikBrummermann What I meant is that you can in theory build a system that's secure and anonymous, but even such a limited system is pretty hard to build in practice. And once one adds additional requirements it becomes even harder, perhaps even impossible. – CodesInChaos May 28 '12 at 19:22
  • I think you should edit "What properties should an *online* voting system ideally have?" to "What properties should a voting system ideally have?" Then you can add a section below it "What *additional properties* should an online voting system have?" and you can list: be cheaper, more convenient than an off-line system. – emory May 29 '12 at 00:17
  • "_allowing every voter to verify that his vote was counted_" How do voters prove that it isn't the case? Each voter would need to keep a proof of his vote! – curiousguy May 29 '12 at 03:53
  • "The discovery of a backdoor in a military grade chip raises some serious questions about hardware assurance in the semiconductor industry. When you use and buy an embedded system or computer it is assumed, wrongly in our opinion, that the hardware is completely devoid of any vulnerabilities. We [...] found that this particular backdoor is not a result of any mistake or an innocent bug, but is instead a deliberately inserted and well thought-through backdoor that is crafted into, and part of, the PA3 security system." [Paper](http://www.cl.cam.ac.uk/~sps32/Silicon_scan_draft.pdf) – Hendrik Brummermann May 30 '12 at 11:16
  • @curiousguy: ThreeBallot and other [end-to-end auditable voting systems](http://en.wikipedia.org/wiki/end-to-end_auditable_voting_systems) allow voters to prove their votes were counted, but without keeping the kind of "proof of his vote" that could be used in vote-buying or duress (3). – David Cary May 30 '12 at 14:30
  • @DavidCary Maybe I am missing something, but it seems to me that a person's voting material (private key) + verifiable public encrypted ballot = proof of vote. – curiousguy May 30 '12 at 17:39
  • @curiousguy: Are you asking "How do end-to-end auditable voting systems such as [ThreeBallot](http://en.wikipedia.org/wiki/ThreeBallot) avoid the kind of 'proof of vote' that could be used in vote-buying and coerced voting?" ? That would make a great separate question. – David Cary Jun 03 '12 at 21:51
  • The notion that you shouldn't be able to invoke your vote because somebody could have forced/paid you is inconsistent. Imagine you can vote from home or from any location with internet. What would stop people from going to one guy, voting in front of his eyes and getting paid right away? – WalyKu Dec 15 '14 at 22:49
  • Why is anonymity so important? I don't see any democracy like Europe or America prosecuting those who didn't vote for the elected party. Sure, in China and North Korea and stuff I can understand (if they would ever have an election). It might be my naive reasoning, but if people have an online account to do government-related things on (we in the Netherlands do) then ensuring only 1 vote per person is easy. An infected PC might be a problem indeed, but would a random-reader like the one you use for bank transactions not be enough? – Vincent Apr 30 '15 at 07:51

I think the German high court nailed down the problem very well:

Verifiability

The German constitutional court ruled about any kind of voting devices:

The usage of voting devices [...], is in compliance with the constitutional requirements only, if the essential steps of the voting and counting can be verified reliably and without expert knowledge.

The verdict was motivated by a case on traditional voting computers, but the ruling is more general. Those voting computers consist of a keyboard and a display. The voter presses the key for the party of his or her choice. The vote is displayed and the voter has to confirm it.

But there is no way a voter can verify that the party he selected and saw on the screen is the party his vote is counted for. The government tried to argue that the voting computers had been verified by an official institution and sealed to prevent manipulation.

But the court made it very clear that "verified by experts" is not good enough to fulfill the requirements of democratic elections.

Note: It makes no difference whether the voting is done using a foreign voting computer or a computer owned by the voter: people are not able to verify that their own computer is working correctly either. This already starts at understanding an open source voting software, but of course it goes down all the way to the microcode within the hardware.

Anonymity and non-provability

The ruling was about verifiability by non-experts only. Of course any solution to this issue must not violate the other requirements of democratic elections.

For example, verifying votes could be done by publishing a complete list of all voters with addresses and votes. But democratic elections require anonymity to protect the voters and non-provability to prevent the selling of votes.

There are some smart concepts of not publishing the information for everyone to see, but still allowing the voter to verify his vote. But those concepts are not easily understood by average people because of the complex math behind them. So we are back at square one.

Furthermore, they cannot satisfy non-provability and provability at the same time. But if they don't allow someone to prove that his vote was not counted the way it was supposed to be, it is quite likely that a number of people will call fraud after every election.

Hendrik Brummermann
  • Those aren't really online voting systems, those are just classical offline voting computers. Adding paper verification to them is pretty easy. – CodesInChaos May 28 '12 at 17:42
  • The biggest problem with non-paper-verified voting computers is that it's impossible even for experts to verify that they're working correctly. – CodesInChaos May 28 '12 at 17:43
  • @CodeInChaos, Yes, as I said, the case was about classical voting computers. But the constitutional court did a much more general ruling. So in Germany, an online voting system has to comply with the same requirements. I don't think it is possible with the current technology and math. – Hendrik Brummermann May 28 '12 at 17:52
  • There was the idea of having both paper and computers: The paper vote is the official one. The computer vote (e. g. recorded by an electronic pen) can be used for predictions immediately after closure. To emphasize: The act of voting is not computer based. – Hendrik Brummermann May 28 '12 at 17:54
  • I think the problems with offline voting computers and online voting are pretty different. With offline voting computers the issue is that you must vote on untrusted hardware whose correct functioning is unverifiable. With online voting we need complex protocols that are hard to implement in practice, and probably can't offer all desired properties. – CodesInChaos May 28 '12 at 19:28
  • While online voting does have some additional issues, the core issue is exactly the same: Non-experts must be able to verify voting and counting, while compromising neither non-provability nor secrecy. – Hendrik Brummermann May 28 '12 at 19:47
  • While online voting has a few additional issues, it also has one big advantage: The voter is running trusted software (an open source client) on trusted hardware (his own computer). – CodesInChaos May 28 '12 at 20:05
  • @CodeInChaos "_Those aren't really online voting systems, those are just classical offline voting computers. Adding paper verification to them is pretty easy._" How do you know the computer is not recording all votes in order? – curiousguy May 29 '12 at 04:09
  • "_There are some smart concepts of not publish the information for everyone to see, but still allowing the voter to verify his vote._" If it isn't the case, what then? You can't do a recount. – curiousguy May 29 '12 at 04:11
  • @HendrikBrummermann "_The act of voting is not computer based._" Still, a computer gets to see all votes. – curiousguy May 29 '12 at 04:12
  • @CodeInChaos "While online voting has a few additional issues, it also has one big advantage: The voter is running trusted software(an open source client) on trusted hardware(his own computer)". The court clearly stated that **"trusted" (verified by experts) is not good enough**. The voters need to be able to **verify without expert knowledge**. I think it is obvious that an average voter can neither verify that their own computer is working correctly nor understand open source software. So this is not an advantage of online systems. – Hendrik Brummermann May 29 '12 at 10:42
  • @curiousguy Good point. – Hendrik Brummermann May 29 '12 at 10:43
  • @CodeInChaos "_on trusted hardware(his own computer)_" Why do you trust your hardware? Is it open source? Do you trust the BIOS? The CPU microcode? The motherboard firmware? – curiousguy May 29 '12 at 12:05

tl;dr: Internet voting is certainly a bad idea now for important elections.

Many of us consider secure Internet voting one of the great unsolved problems in IT Security. That's because of the very challenging requirement for both anonymity and transparency. It also combines the enormous challenges of securing both clients and servers, and requires dealing with denial-of-service. It was nominated as worthy of an X-PRIZE at DESSEC: DEsigning a Secure Systems Engineering Competition.

A big advance in solving the server problem comes with recent advances in homomorphic encryption which achieve a near-miracle: you can publicly store encrypted voted ballots in the cloud, and also allow the public to both add them up to confirm the vote counts for each candidate, and to check that their own vote was indeed included in the total, without having a receipt that could prove how they voted to a third party. See the Helios Voting system for a great implementation and explanation. It is suitable for low-risk elections. But even the author, Ben Adida, says, "A government election is something that you don't want to do over the Internet," citing both the potential for computer viruses to corrupt the voting and the possibility of voter intimidation.

The client problem is much harder to deal with, but indeed a worthy goal that many people are working on. The denial-of-service problem is very intractable given the current architecture of the Internet.

A great overview of the subject is Internet Voting in the U.S. in CACM, October 2012.

A worthy 2012 video on the topic, by Ben Adida, is Where's my vote?.

So Internet voting is certainly a bad idea now for important elections. The experience of the Netherlands with online voting serves as a lesson in that, and how voters can be educated about the facts. Their Rijnland Internet Election System (RIES) had big security flaws, and was abandoned in 2008 after just a few years of use. See Electronic Voting in the Netherlands: From Early Adoption to Early Abolishment.

See also a previous question on this: Secure Internet Polling - IT Security

nealmcb
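The homomorphic tally this answer describes (encrypted ballots on a public bulletin board, anyone can add them up, each voter can check their own ballot is included) as an added example in a constructed toy exponential-ElGamal group; this is not Helios's code. The zero-knowledge proofs that each ballot encrypts 0 or 1 and the threshold decryption that Helios uses are omitted, so this shows the arithmetic only, not the full protocol.

```python
import secrets

# CONSTRUCTED toy group: p = 2q+1 with q prime, g = 4 generates the order-q
# subgroup of quadratic residues. Real deployments use 2048-bit p or curves.
P, Q, G = 1019, 509, 4

def keygen() -> tuple:
    x = secrets.randbelow(Q - 1) + 1          # trustee's private key
    return x, pow(G, x, P)                    # (x, y = g^x)

def encrypt(y: int, vote: int) -> tuple:
    """Exponential ElGamal: encrypt g^vote so ciphertexts multiply to add votes."""
    assert vote in (0, 1)                     # Helios replaces this by a ZK proof
    r = secrets.randbelow(Q - 1) + 1
    return pow(G, r, P), (pow(G, vote, P) * pow(y, r, P)) % P

def combine(board: list) -> tuple:
    """Anyone can do this from the public bulletin board; no key is needed."""
    a, b = 1, 1
    for c1, c2 in board:
        a, b = (a * c1) % P, (b * c2) % P
    return a, b

def decrypt_total(x: int, combined: tuple, max_votes: int) -> int:
    a, b = combined
    g_total = (b * pow(a, -x, P)) % P         # = g^(sum of votes)
    for v in range(max_votes + 1):            # small tally: solve the log by search
        if pow(G, v, P) == g_total:
            return v
    raise ValueError("tally exceeds max_votes or ciphertexts are corrupted")

def run_election(votes: list) -> tuple:
    """Returns (published board, decrypted total) for a yes/no question."""
    x, y = keygen()
    board = [encrypt(y, v) for v in votes]    # published encrypted ballots
    total = decrypt_total(x, combine(board), len(votes))
    return board, total

def voter_check(board: list, my_ciphertext: tuple) -> bool:
    """A voter re-finds the exact ciphertext they submitted on the board."""
    return my_ciphertext in board
```

Note that `encrypt` only refuses malformed votes because the trusted code runs it; on a real bulletin board a ballot encrypting 5 would silently add five to the total, which is exactly why Helios attaches a proof of well-formedness to each ciphertext.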
  • Can you provide a source for this claim: "you can publicly store encrypted voted ballots in the cloud, and also allow the public to both add them up to confirm the vote counts for each candidate, and to check that their own vote was indeed included in the total, without having a receipt that could prove how they voted to a third party." (I could not corroborate this from Helios' website) – Atte Juvonen Apr 17 '17 at 12:42
  • @AtteJuvonen see e.g. [End-to-end auditable voting systems](https://en.wikipedia.org/wiki/End-to-end_auditable_voting_systems) at Wikipedia, and work from NIST et al at [Performance Requirements for End-to-End Verifiable Elections](http://ws680.nist.gov/publication/get_pdf.cfm?pub_id=905908) – nealmcb Apr 17 '17 at 22:24
  • I hope I don't sound overly harsh, but... the Wikipedia page you linked does not support your claim. It says: "Some researchers argue that end-to-end auditability and receipt-freeness should be considered to be orthogonal properties." The NIST paper you linked explicitly states (on page 2) that properties related to vote buying are outside the scope of their paper. The original paper about Helios goes even further and describes a procedure for creating receipts which prove how a person voted. – Atte Juvonen Apr 17 '17 at 23:09

The biggest unsolvable issue, in my mind, with Internet-based voting, is that voters are not protected from social pressure. The voting booth is there to allow each voter to make his/her own choice: nobody sees what is inserted in the envelope, and the voter cannot bring back any proof that he/she voted for a specific candidate.

In a system where people vote from home, there is no booth. Voters can "sell" their vote by voting before the eyes of whoever is bribing them to vote in a specific way. Also, voters can no longer vote freely with regard to the wishes of their inquisitive wife/husband.

So, voting (the anonymous vote for political election) needs a booth, and cannot be done safely from home. And if you have a booth, then all the talk about voting protocols is just a way to optimize the counting process, which can be done efficiently with papers and people.

(Of course, Internet-based voting is great for some specialized elections; in particular the elections for some associations -- e.g. the IACR -- where vote-selling seems a preposterous idea, and there are really rarely two voters in the same house; and also non-anonymous elections in stock holder assemblies. But, for government elections, never.)

Thomas Pornin
  • I think this is solvable (for the most part) if the government just imposed a fine on anyone attempting to buy votes and a reward for such proof. Then, if somebody is approaching others to buy votes, a cellphone video or some other proof would be possible...the government just needs to make sure that the fine/reward is high enough - $1000/$500 per vote is probably enough. (But, for the record, other answers still lean me away from online voting.) – bobuhito Feb 26 '16 at 17:50
  • I don't think that the vote-selling is a preposterous idea in IACR, after what I've witnessed at conferences. – kelalaka Dec 23 '20 at 10:15

Actually, they have already been doing it in Estonia for some years now. For the first time in the world, they successfully carried out an electronic voting session in 2007. Since then, they are still doing it. They call it a success, even though I'm quite sceptical about it. You can read more about it on their official website and of course on Wikipedia. Note that they are using ID cards to identify individuals.

Silviu

I'm sure one could create such a secure system. Security isn't the main issue.

The main issue is: without the privacy of the voting booth, you can't be sure voters aren't choosing under pressure. This is a big concern for democracy.