November 18, 2018

Internet Voting

(or, how I learned to stop worrying and love having the whole world know exactly how I voted)

Tomorrow is “Super Tuesday” in the United States. Roughly half of the delegates to the Democratic and Republican conventions will be decided tomorrow, and the votes will be cast either in a polling place or through the mail. Except for the votes cast online. Yes, over the Internet.

The Libertarian Party of Arizona is conducting its entire primary election online. Arizona’s Libertarian voters who wish to participate in its primary election have no choice but to vote online. Also, the Democratic Party is experimenting with online voting for overseas voters.

Abridged history: The U.S. military pushed hard to get something like this in place, most famously commissioning a system called “SERVE”. To their credit, they hired several smart security people to evaluate its security. Four of those experts published an independent report that was strongly critical of the system, notably pointing out the obvious problem with any such scheme: home computers are notoriously insecure. It is easy to imagine malware engineered specifically to watch for attempts to use the computer to vote and to tamper with those votes, transparently shifting the outcome without the voter or the election server noticing. The military killed the program, later replacing it with a vote-by-fax scheme. It is unclear whether this represents a security improvement, but it probably makes it easier to deal with the diversity of ballot styles.

Internet voting has also been used in a variety of other places, including Estonia. An Estonian colleague of mine demonstrated the system for me. He inserted his national ID card (a smartcard) into a PCMCIA card reader in his laptop. This allowed him to authenticate to an official government web site where he could then cast his vote. He was perfectly comfortable letting me watch the whole process because, he said, he could go back and cast his vote again later, in private, overriding the vote that I saw him cast. This scheme partly addresses the risk of voter coercion and bribery (see sidebar), but it does nothing about the insecurity of the client platform: a compromised laptop can show the voter one ballot while submitting another, and re-voting from that same laptop does not help.

Okay, then, how does the Arizona Libertarian party do it? You can visit their web site and click here to vote. I went as far as a web page, hosted by fairvotelections.com, which asked me for my name, birth year, house address number (i.e., for “600 Main Street”, I would enter “600”), and zip code. Both this web page and the page to which it “posts” its response are “http” pages. No cryptography is used, but then the information you’re sending isn’t terribly secret, either. The more important consequence is that without SSL there is no server authentication or integrity either: anyone on the network path can impersonate the site or silently rewrite the form, the ballot, and the response. Do they support Estonian-style vote overriding? Unclear. None of the links or information say a single word about security. The lack of SSL is strongly indicative of a lack of sophistication (although they did set a tracking cookie to an opaque value of some sort).
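The checks described above can be automated. The following is an added example, not code from the original post or from fairvotelections.com: it parses a login page for forms that send identifying fields to a non-https target and inspects a Set-Cookie header for the Secure and HttpOnly flags. The HTML, URLs, field names and cookie below are constructed stand-ins that mimic what the post describes, not captures of the real site.

```python
"""Audit a login page for cleartext form submission and weak cookie flags.

Added example; not code from the original post or from fairvotelections.com.
The page HTML, URLs, field names and Set-Cookie header are constructed
stand-ins modelled on the post's description (an http page posting
name / birth year / house number / zip to another http page, plus an
opaque tracking cookie); none of them are real captures.
"""
from html.parser import HTMLParser
from http.cookies import SimpleCookie
from urllib.parse import urljoin, urlsplit

# Substrings that mark an input as personally identifying or secret.
SENSITIVE = ("name", "birth", "address", "house", "zip", "password", "pin")


class FormCollector(HTMLParser):
    """Collect every <form> with its action, method and named inputs."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._cur = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._cur = {"action": a.get("action", ""),
                         "method": a.get("method", "get").lower(),
                         "fields": []}
            self.forms.append(self._cur)
        elif tag == "input" and self._cur is not None and a.get("name"):
            self._cur["fields"].append(a["name"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._cur = None


def audit_forms(page_url, html):
    """Return findings for forms that send sensitive fields without TLS."""
    parser = FormCollector()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        # A relative action inherits the page's scheme, so resolve it first.
        target = urljoin(page_url, form["action"])
        sensitive = [f for f in form["fields"]
                     if any(s in f.lower() for s in SENSITIVE)]
        if not sensitive:
            continue
        if urlsplit(target).scheme != "https":
            findings.append(f"cleartext submission of {sensitive} to {target}")
        if form["method"] == "get":
            findings.append(f"{sensitive} would appear in the query string")
    return findings


def audit_cookies(set_cookie_header):
    """Return findings for cookies set without Secure or HttpOnly."""
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    findings = []
    for name, morsel in jar.items():
        if not morsel["secure"]:
            findings.append(f"cookie {name} lacks Secure (sent over http)")
        if not morsel["httponly"]:
            findings.append(f"cookie {name} lacks HttpOnly")
    return findings


# Constructed stand-in for the login page the post describes (assumed names).
PAGE_URL = "http://fairvotelections.com/election/login.php"
LOGIN_HTML = """
<form action="verify.php" method="post">
  <input name="last_name"> <input name="birth_year">
  <input name="house_number"> <input name="zip"> <input type="submit">
</form>
"""
SET_COOKIE = "session=0a9f3c7e1b; Path=/"   # opaque tracking value (constructed)

if __name__ == "__main__":
    for line in audit_forms(PAGE_URL, LOGIN_HTML) + audit_cookies(SET_COOKIE):
        print("FINDING:", line)
```

Run against the constructed page, the form check reports one cleartext submission and the cookie check reports two missing flags; pointing the same page at an https URL clears the form finding, which is the whole of what the Democrats Abroad site gets right that the Arizona one does not.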

How about Democrats Abroad? If you go to their web site, you end up at VoteFromAbroad.org, which gives you two choices. You can download a PDF of the ballot, print it and mail or fax it in. Or, you can vote online via the Internet, which helpfully tells you:

Is it safe to vote by Internet? Secure Internet voting is powered by Everyone Counts, a leading expert in high-integrity online elections. We are using the same system the Michigan Democratic Party has used since 2004. Alternatively, you will have the option to vote by post, fax or in-person at Voting Centers in 34 countries around the world.

The registration system, unlike the Arizona one, at least operates over SSL. Regardless, it would seem to have all the same client-platform problems: SSL protects the ballot in transit, not the machine it is typed on. In a public radio interview with Weekend America, Meredith Gowan LeGoff, vice chairman of Democrats Abroad, responded to a question about security issues:

Where I grew up, the dead still vote in Louisiana. There are lots of things that could potentially go wrong in any election. This might be a big challenge to a hacker somewhere. We’re hoping a hacker might care more about democracy than hacking. But we’re not depending on that. We have a lot of processes, and we’ve also chosen an outside vendor, Everyone Counts, to run the online voting.

The best we can do is the same as New Hampshire or Michigan or anywhere else, and that’s to have the members of our list and correspond that to who actually voted. Another important thing to remember is that our ballots are actually public. So you have to give your name and your address, so it’s not secret and it’s not anonymous. It’s probably easier to catch than someone in Mississippi going across to Alabama and trying to vote again.

Ahh, now there’s an interesting choice of security mechanisms. Every vote is public! For starters, this would be completely unacceptable in a general election. It’s debatable what value it has in a party election. Review time: there are two broadly different ways that U.S. political parties select their candidates, and it tends to vary from state to state. Caucuses, most famously used in Iowa, are a very public affair. In the Iowa Democratic caucuses, people stand up, speak their mind, and literally vote with their feet by where they sit or stand in the room. The Iowa Republicans, for contrast, cast their votes secretly. (Wikipedia has all the details.) Primary elections may or may not be anonymous, depending on the state. Regardless, for elections in areas dominated by a single political party, the primary election might as well be the final election, so it’s not hard to argue in favor of anonymous voting in primaries.

On the flip side, maybe we shouldn’t care about voter anonymity. Publish everybody’s name and how they voted in the newspaper. Needless to say, that would certainly simplify the security problem. Whether it would be good for democracy or not, however, is a completely different question.

[Sidebar: bribery and coercion. You don’t have to be a scholar of election history or a crazy conspiracy nut to believe that bribery and coercion are real and pressing issues in elections. Let’s examine the Estonian scheme, described above, for its resistance to bribery and coercion. The fundamental security mechanism used for voter privacy is the ability to vote anew, overriding an earlier vote. Thus, in order to successfully coerce a vote, the coercer must defeat the voter’s ability to vote again. Given that voting requires voters to have their national ID cards, the simplest answer would be to “help” voters vote “correctly”, then collect their ID cards, returning them after the election is over. You could minimize the voter’s inconvenience by doing this on the last possible day to cast a vote.

It’s important to point out that voting in a polling place may still be subject to bribery or coercion. For example, camera-phones with a video mode can record the act of casting a vote on an electronic voting system. Traditional secret-ballot paper systems are vulnerable to a chain-voting attack, where the voter is given a completed ballot before they enter the polls and returns with a fresh, unvoted ballot. Even sophisticated end-to-end voting schemes like ThreeBallot or Punchscan may be subject to equally sophisticated attacks (see these slides from John Kelsey).]
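To make the override rules concrete, here is an added example, not code from the original post or from the Estonian system. It models the rule described above (a voter's latest electronic vote within the e-voting window is the one that counts) plus the polling-place override a commenter below attributes to Estonia (a paper ballot cast in person beats any electronic vote), and then plays the two sidebar scenarios through it: the coercer who merely watches, and the coercer who confiscates the ID card on the last day. The voter ids, timestamps, candidate labels and the length of the e-voting window are constructed assumptions.

```python
"""Model of a last-vote-counts tally with a paper-ballot override.

Added example; not code from the original post or from the Estonian system.
Rules modelled (the second is taken from the comments, not the post body):
  1. among a voter's electronic votes cast before the window closes, the
     latest one counts; later submissions are dropped;
  2. a paper ballot cast at a polling place overrides any electronic vote.
Voter ids, timestamps, candidates and the window length are constructed.
"""
from collections import Counter
from dataclasses import dataclass

E_CLOSE = 7 * 24 * 3600   # assumed: e-voting window is one week (seconds)


@dataclass(frozen=True)
class EVote:
    voter_id: str
    choice: str
    ts: int               # seconds after e-voting opened (constructed)


def resolve(evotes, paper_votes, e_close=E_CLOSE):
    """Map each voter to the single choice that counts for them.

    evotes: iterable of EVote (any order, duplicates per voter allowed).
    paper_votes: dict voter_id -> choice for ballots cast in person.
    """
    latest = {}
    for v in evotes:
        if v.ts > e_close:          # window closed: the vote is not accepted
            continue
        cur = latest.get(v.voter_id)
        if cur is None or v.ts > cur.ts:
            latest[v.voter_id] = v
    counted = {vid: v.choice for vid, v in latest.items()}
    counted.update(paper_votes)     # rule 2: paper beats electronic
    return counted


def tally(evotes, paper_votes, e_close=E_CLOSE):
    """Per-candidate totals after resolution."""
    return Counter(resolve(evotes, paper_votes, e_close).values())


def coercer_only_watches():
    """Sidebar scenario 1: the coercer watches the vote; the voter re-votes
    later in private. Rule 1 makes the private vote the one that counts."""
    votes = [EVote("alice", "Coerced", ts=100),
             EVote("alice", "Real", ts=200)]
    return resolve(votes, {})["alice"]


def card_confiscated_on_last_day(paper_override):
    """Sidebar scenario 2: the coercer 'helps' the voter at the very end of
    the window and keeps the ID card, so the voter's attempt after getting
    it back falls outside the window. Only a paper ballot can undo it."""
    votes = [EVote("alice", "Real", ts=100),
             EVote("alice", "Coerced", ts=E_CLOSE),        # last accepted vote
             EVote("alice", "Real", ts=E_CLOSE + 3600)]    # too late, dropped
    paper = {"alice": "Real"} if paper_override else {}
    return resolve(votes, paper)["alice"]


if __name__ == "__main__":
    sample = [EVote("alice", "A", 10), EVote("bob", "B", 20),
              EVote("alice", "B", 30), EVote("carol", "A", E_CLOSE + 5)]
    print(tally(sample, {"bob": "A"}))     # alice->B, bob->A (paper), carol dropped
    print(coercer_only_watches())
    print(card_confiscated_on_last_day(paper_override=False))
    print(card_confiscated_on_last_day(paper_override=True))
```

Note what the model does not cover: it takes every submitted vote at face value, so the compromised-client problem from the body of the post (the laptop sends a different choice than the voter saw) is invisible to it, and no resolution rule on the server side can address that.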

Comments

  1. How does vote by mail stack up in the bribery and coercion department? Something like 50% of California’s ballots, and 100% of Oregon’s, are voted by mail in the primaries and general elections.

  2. Note that the most damaging of the attacks Kelsey proposes change the protocol for Punchscan. The choice of which sheet is decided before a voter views a ballot, not after (note that this was unspecified initially — because we said the choice was “random” and not that the voter got to choose).

    A lot of what Kelsey has done is very interesting, and it highlights the need to handle “problems” that may occur properly. I would like to see more about how realistic it is.

  3. Fair Vote is the owner of the website conducting the Libertarian Primary in Arizona: http://fairvotelections.com/election/login.php?reason=Please+login

    See Whois
    http://www.whois.net/whois_new.cgi?d=http%3A%2F%2Ffairvotelections&tld=com

    Fair Vote has an “Electoral Services Group” that provides election services including internet voting and
    also recommends vendors. http://www.fairvote.org/?page=38

  4. Hal asks how vote by mail resists bribery and coercion.

    The answer varies from one county to another and boils down to the same issue as I discussed with Estonia: whether you can cast multiple votes and have the last vote be the one that counts. A quick Google search turned up the following from Multnomah County, Oregon:

    Can I change my mind after I’ve returned the ballot?
    No. Your ballot has been cast as soon as you deposit it in the mailbox or at a drop site. After that, you cannot receive a new ballot to re-vote.

    That tells me that Oregon doesn’t have particularly good resistance to voter bribery or coercion.

  5. It’s not clear to me how a last-vote-cast system is ever going to be completely immune to bribery and coercion. If you allow for the possibility of the evildoer getting possession of the authorizing token, then they can a) prevent the voter from casting any vote after the corrupt one, b) cast their own corrupt vote at the end of the process to supersede the voter’s true one. And if they can watch the voter asking for additional paper ballots, those will be easy enough to suppress or alter.

    Perhaps a vote-by-mail system could be secured by sending out multiple copies of the ballot to each voter (with the number of copies randomly determined) in the weeks before the election, so that an evildoer could never be sure that the bribed/coerced voter wasn’t holding one in reserve.

  6. Here’s a good way of evaluating coercion-resistance for any voting schemes. If there’s a way you can sell your vote to two different people, for two different candidates, without either one knowing that you sold a vote to the other one, then you’ve got good coercion resistance. I don’t see any way of pulling that off without there being a mechanism to cast multiple votes. We can imagine a number of mechanisms that might get the job done, but the real problem is usability. If you want to send somebody four ballots in the mail at once, then you need to be able to explain to them how to make it work. And you’d better evaluate it in a controlled human factors experiment.

    (Voting system design would be so much simpler if humans weren’t so skilled at following instructions incorrectly.)

  7. Hal asks: “How does vote by mail stack up in the bribery and coercion department?” Well, the ballots go through the postal system, typically in an envelope that is distinctive, and there are no poll watchers in the post offices, so a bad guy who favors candidate A and happens to be in a post office located in a predominately candidate-B district could cause a disproportionate number of B votes to get “lost in the mail”. Not bribery or coercion, but certainly an attack vector. And where the by-mail voter must sign the outside of the envelope, the voter’s ethnicity might be guessed, and the envelope “processed” accordingly.

  8. Let’s suppose that each time you vote, you enter a number (say between 0 and 999) and it sums up all the numbers (using modulo 1000 addition). The latest vote counts, except that votes where the modulo total is in the 500 to 999 range never count. In the case of coercion, presumably the true voter could potentially vote earlier, or later than the coercion attempt and only the true voter would know what part of the cycle the system was really at.

    Large sets of votes by the same person at a sitting could be prevented by adding a random delay after voting before you can vote again (but not printing the delay) so if you try to vote within the delay period it just says “please come back later”. A similar random delay would be inserted when polling first opens.

    This should make it fairly difficult to control someone’s vote without total control over their life (e.g. you take their ID card away for long periods of time). It isn’t necessary to make it impossible to buy and sell votes; you merely need to make it somewhat difficult, thus exposing the scheme (which is after all illegal) to a reasonable chance of detection. People expecting to get caught tend not to commit crime.

    Admittedly, my method is a bit difficult to explain to the average punter… but most methods are. On second thoughts, spend the money on education, not electronic elections.

  9. There always are risks, but the weakest part of the scheme is human nature, not the technology.

  10. Re: Coercion resistance and multiple voting

    In the Estonian scheme, couldn’t you simply add another secret, that’s memorized instead of tokenized? For instance, a password or PIN required after the ballot has been voted, and then the system accepts whatever entry the voter makes, but only counts the ballot if the secret checks out? You can vote as many times as you like, but only the last ballot with the correct secret actually registers.

    I think this would reduce the problem to securely establishing/distributing the “extra” secrets, which you could maybe do in person at voter registration?

    If people keep their secrets actually secret (admittedly unlikely, but what can you do?) then even imagining an attacker who achieves total physical control over the smart cards, the worst that can happen is the suppression of votes, rather than their being coerced for candidates the voter does not intend.

  11. @Sam, don’t forget that the flipside of voter coercion is vote-selling. If an “attacker” is simply handing out money to vote a certain way, a voter might just take him up on it.

  12. But also see @Dan Wallach above — resistance to coercion is equivalent to being able to sell the same vote twice. Unless the attacker is present twice (when the memorized secret is established, and when the final vote is cast, before the ID card is taken away), there’s no way to confirm that the voter actually *registers* the ballot.

  13. “And where the by-mail voter must sign the outside of the envelope, the voter’s ethnicity might be guessed, and the envelope “processed” accordingly.”

    Eh? I can’t remember the last time I saw a signature with a skin color, it was so long ago.

  14. Ethnicity isn’t the same thing as race, Spudz. If the envelope is signed Fernando, or Jamal, or Vito, or Shaneeqa, or Virginia Kennedy-Weaver, you can make a pretty good guess how they are likely to vote. Flame me, but you know I’m right.

    (“Spudz” — that’s an Estonian name, isn’t it?)

  15. Last night on ABC’s Super Tuesday coverage, the analyst talked about the youth vote, and mentioned a question that had been asked of young people, what would improve the youth voting turnout? The overwhelming answer, according to the reporter, was internet voting.

    But then another commentator spoke up and said, imagine what the conspiracy theorists would say if we had internet voting, with all the hackers and such out there on the net. All the reporters seemed struck by the novelty of this thought and sort of stared into space, nodding vacantly, as they tried to process this new idea. Then of course they quickly returned to their semi-scripted discussion of the incoming returns.

  16. No, it’s a bunch of potatoes.

    I rest my case. 🙂

  17. One addition to the Estonian system: not only does only the last vote count, but one is also not bound by the channel one uses. If one physically goes to vote in a polling station on election day, the electronic vote is ignored.

    This tackles situations where the ID card would be taken away by the coercer, preventing a new (later) vote over the Internet.

    Other than that: I’m not sure how “the insecurity of the client platform” can ever be perfectly solved. In that mindset, the only conclusion is to not ever think of Internet voting…

  18. Nathanael Nerode says:

    “Ahh, now there’s an interesting choice of security mechanisms. Every vote is public!”

    It does, of course, prevent pretty much all forms of vote falsification and vote count falsification. What I always say is: *electronic voting is incompatible with the secret ballot*. It works just fine with non-secret ballots.

    We require members of the legislature and the courts to make their votes on laws and cases public. We attempt to use different methods to prevent vote-buying and blackmail… it’s debatable how well those methods work!

    Secret ballots are a pretty good idea for several reasons, but election integrity is *more* important. If we can have both, we should. If we can’t, drop the secret ballot. That’s what Democrats Abroad finally decided to do.