This post is inspired by my taking part in the Open Rights Group (Scotland)‘s e-voting round-table in February, and the Scottish Government’s Online Identity Assurance‘show and tell’ in March, and by a seminar by Professor Brian Detlor last week. (My notes from the ORG’s round-table should be available on the Open Government Network website. I’ve also posted them on my personal blog.) In this post, I assume that e-voting would be run on central servers, but votes would be cast via software running on personal phones, tablets and computers.
A vicious triangle?
As mentioned in the round-table, any voting system must guarantee security, anonymity and verifiability. Obviously, any voting system must be secure so that results are reliable. Any system must be able to verify that those who vote are entitled to do so, and reject those who are not. Any ballot must recountable. Only individual voters should be able to know how they vote, so that vote-buying is minimised.
The UK’s paper systems seem to me to achieve these fairly well. Ballot boxes are locked during voting. Votes are counted (and recounted) securely and reliably. Eligibility-verifiability is generally established via polling cards, but other forms of voter ID have been trialled recently (admittedly not without problems). Vote-verifiability stems from using standard ballot papers with security features. Paper and pencils are simple enough for the majority of people, and can be used almost anywhere. I believe it’s easy enough to determine whether votes have been marked according to the rules. Anonymity is provided by voting booths, and by voters folding ballots to hide their choices. Further security-verifiability is provided showing ballots’ security marks before ballots go into boxes. There are ways to enable voting by visually impaired people and people who cannot visit voting stations. So I’m not convinced that there is a real need to introduce e-voting.
It’s possible that e-voting security issues can be solved, but can I mention Heartbleed, or Meltdown and Spectre, for example? The most well-known e-voting system (Estonia) was shown to be seriously insecure (Springall et al., 2014). Update: these problems have been fixed, but my next point is still true, as far as I know. My point is that security depends on low-level coding at the heart of vote-counting systems. And that’s long before we start thinking about the security of personal devices that might used to vote. For example, I tend to apply security updates to my Apple devices within a week of their release. Android security is allegedly subject to even worse delays. So there are likely to be plenty of ‘windows of insecurity’.
Anonymity and verifiability
It must be provable that votes were properly cast by eligible voters. We currently do this using physical objects which we ensure are balloted according to the rules – thus votes are verifiable. Their physicality enables us to break the link between votes and voters, thus providing anonymity. However, to prove an e-vote is valid, we must be sure that it was cast by a real, eligible person. The simplest way (perhaps the only way) to do this with e-votes is recording who cast each vote – thus waving goodbye to anonymity and saying hello to coercion and vote-buying.
I had wondered whether an e-voting system could provide anonymity by first verifying eligibility to vote, then admitting voters into a ‘room’ in which they are anonymous and invisible to all other voters. Perhaps this would entail ‘hand-off’ from eligibility-checker system to the actual voting system: ‘here is an eligible voter. Do not tell me what ID you will use to enable his or her progress through your system. Just tell me when he or she has voted, so I can ensure that he or she cannot vote a second time.’ Then votes would be cast by incrementing the chosen candidate’s tally (chosen candidates’ tallies for STV etc). Each vote would be anonymous, with no record of who cast them.
However I’m not sure that anonymity can be achieved in this way. For example, might voters be traceable via the IP addresses over which they connect to the voting systems? Also, because IP addresses are spoofable, can systems be sure that the voters are who they claim to be? This is why online identity assurance matters!
It’s all about people
Then there are social factors. (This is the part that bubbled up after Brian Detlor’s seminar.) For e-voting systems to work, there must be
- Trust in the technology
- See above.
- Access to the technology
- What if you can’t afford a device, or run out of phone credit on voting day, or your phone is stolen?
- The digital literacy skills so people can access and evaluate information before casting votes.
- To be honest, that’s a problem with any voting system. For example, how many people read every manifesto before deciding how to vote? How many of us know enough economics to make informed choices about parties’ financial promises? I don’t!
- The physical ability to use voting systems.
- This is the point of the next section.
Physical ability (aka ‘What could possibly go wrong?’)
Government IT can work, and be delivered on time and on budget. (Revenue Scotland is a great example.) But it can also fail badly: witness Universal Creditand Care.data. However, even if the systems arrive on time and on budget, there could be issues for users who aren’t fully mentally or physically capable.
This section is not meant to be exhaustive, nor is it meant to imply that there aren’t already recognised methods to create ‘disability-friendly’ systems. Indeed, it is my fervent hope that, if e-voting is introduced, standards such as the W3C Accessibility Guidelinesand the Scottish Government’s Digital First Service Standardwould prevent the horrors I try to illustrate below. However this section is simply meant to show what might happen with insufficient care.
Click any of the graphics to see larger versions. My graphics are based on this drawing by Min Tran.
|Some potential issues are hopefully obvious and easy to avoid.
|Some are sightly less obvious.
|Screen-readers won’t help people who have visual impairments unless the underlying system is sensible.|
|In his later years, despite retaining his mentalcapacity, my father had great difficulty clicking where he wanted, even on a tablet, let alone a small phone screen.|
|According to the Office for National Statistics, in 2011, 726,000 people in England and Wales reported they could not speak English well’.|
|According to the Office for National Statistics, in 2011, 138,000 people in England and Wales reported they could not speak English at all’.|
|The below is just part of a ballot paper from the Netherlands. See https://bit.ly/2KJ3ljo for the full photo. (Photo credit: JM Luijt, CC-BY-2.5-NL)|
|Any e-voting system should facilitate voting by people with disabilities, for example by reading out what people have selected, and enabling everyone to change their votes unlimited times before ‘committing’.|
I started from not being convinced that there are real needs for e-voting, even though it could make my life easier. (I spend enough time in dingy meeting rooms already at community council meetings, so I would prefer to vote by simply just tapping a few buttons on my phone, wherever I chose to be. However, unless the necessary security is in place, and unless there are clear signs that the anonymity-verifiability conundrum is answered, then I tend to agree that e-voting is an idea whose time has come – to go away.
Springall, D., Finkenauer, T., Durumeric, Z., Kitcat, J., Hursti, H., MacAlpine, M., & Halderman, J. A. (2014). Security Analysis of the Estonian Internet Voting System. In Proceedings of the 21st ACM Conference on Computer and Communications Security(pp. 703–715). ACM. Retrieved from https://jhalderm.com/pub/papers/ivoting-ccs14.pdf