Why Online Voting is a terrible idea

Posted: April 18, 2017 in democracy, elections, New Zealand, United States

Those who know me personally usually find this particular opinion of mine surprising. I am a fan of online practically-everything-else. Online games, online food ordering, online shopping in general, online tax, online civil service in general, online insurance, email contacts online, online OIA databases, you name it, I think it’s a reality of modern business and a good thing too.

But I think online voting is a terrible idea, at least at the moment, and possibly inherently, and given that previous paragraph, you should take that opinion all the more seriously, because I would love it if we could square the circle and find a practical way to vote online. I just don’t think it will work.

Why? Well, I’m gonna have to delve into more election nerdery to explain. To start with, there are three critical requirements for running a good election, which will seem contradictory but won’t be once we define them narrowly. They are:

  • Security/Integrity
  • Transparency/Verifiability
  • Secrecy

What do I mean by those three words, and how aren’t transparency and secrecy contradictory requirements? Well, because they apply to different aspects of an election: a secret ballot, but a transparent process.

Transparency means you need to be able to tell, from the means you use to vote, that it will be counted as intended (assuming you actually followed the voting instructions, anyway) if delivered to an honest actor. This is why paper is such a great medium for voting: you mark your ballot, either with a pen or a punch machine, and put it into a sealed box so it can’t be spoiled until someone with the key to count it comes along, and it can be secured adequately through purely physical means, and quite easily so. The only people you have to trust to be honest are the counters, and they cross-verify, so they’d all need to be part of a conspiracy, or all make the same mistake, for them to miscount your vote. Likewise, election officials also need to be able to tell who has voted, not just for statistical research, but also for security purposes. Paper ballots are the best way we currently have to do both of those things at once, especially as you can separate the metadata part of the ballot from the rest in the counting process, so that the people who need to see voter identities to prevent fraud can’t physically go and match that metadata to how a person voted. There is no good way to do that with digital voting. This is sometimes called transparency because, for a voter to really be able to understand that any machines involved aren’t fraudulently affecting their votes, they need to actually be able to see and understand how the machine operates; thus the best voting machines are literally translucent so you can watch them doing their thing.

Secrecy, or having a “secret ballot,” refers to a very different part of the process, namely that nobody can prove how you voted, or violate your privacy. The people counting the ballots don’t get to see the database of who voted on which numbered ballot, and the people who do get to see the metadata about how voters connect to ballots don’t get to see the actual ballots, or if they do, the metadata parts are separated from the actual vote. The poll workers don’t get to inspect your ballot, but they do get to see that you’re not interfering with other voters, usually through some sort of privacy booth or privacy shield. There are some very narrow situations where it may arguably be better to allow certain voters to cast a non-secret ballot (for instance, voters who can’t reliably mark a form but trust a friend, family member or carer to assist them), but by and large the secret ballot is a critical part of elections.

I’m pretty convinced that it’s fundamentally impossible to marry those two objectives with internet voting, and most approaches also cause issues with integrity. What do I mean by integrity? Well, basically, if anyone casts a fraudulent vote through any means, we should be able to easily find out and disregard that vote before a final result is declared, and therefore we should never have to “overturn” the results of an election because we detect fraud after the fact. In short, the election needs to be secured against vote-tampering, and the public needs to see that it has been secured and have confidence in the measures taken. Some of this security relies on a lack of collusion between other parts of government and the part running the election, but once you have a truly independent election authority, it’s pretty hard to do any sort of mass fraud, so it’s largely down to preventing critical gaming of the election system, or catching people dumb enough to interfere in ways that may not make a significant difference, such as voter impersonation.

There are non-online election methods that don’t rigorously meet these three criteria either, but to my knowledge, most national-level elections in developed countries do, with the exception of the USA, which fails terribly on integrity, mainly due to partisan corruption of its electoral institutions, but we’ll get back to that in a bit.

New Zealand has a vote-by-mail system for local elections and sometimes for citizens-initiated referenda. Vote by mail is not secure, and it’s not secret, and it has some other less-critical problems with it, too, but it’s probably the most practical way to hold local elections if we don’t want to synchronize them with national ones.

How is voting by mail insecure? Simple. People can commit the crime of stealing each other’s ballot papers. If they’re smart, they will do so for people who are away at the time of the vote, or who are registered but won’t notice the ballot is missing. There is no actual way to tell that the person who filled out and mailed back the ballot is the person who was supposed to vote with it, so voter impersonation, while not a problem in in-person voting, is an unknown unknown in vote-by-mail. I would trust such a system for institutional elections that nobody outside the institution knows about, and where there’s no guarantee anyone aware of the election will know anyone else’s address, but that’s about it.

How is voting by mail not secret? Because there are no observers, partial or impartial, to ensure that nobody looks at your ballot or coerces you into voting a certain way. This means that people are vulnerable to coercion as to how they cast their votes; for example, an abusive or controlling parent or spouse can verify whether they’ve voted the “correct” way before they mail in their ballot. Technically, any system where you have the ability to match up a person to a ballot is vulnerable to this sort of coercion, even if that proof of how you voted can only be shown after the election has finished: you can still be threatened with future violence, or have your vote bought with rewards or cash, so long as you have some method to demonstrate with certainty how you voted. We’ll come back to internet voting after another example of a bad election method.

I mentioned we’d also talk about the insecurity of US voting. The USA relies on voting machines manufactured by partisan businesses to conduct voting in several states. These voting machines run proprietary software, and in many cases voters can’t verify the paper trail themselves before the vote is finalised, or sometimes even at all. They are thus highly vulnerable both to individual voters bypassing their security and hacking them (there are videos online of how to do it, in fact, for certain models) and to manufacturer tampering to fix the vote for a certain party, which there is some statistical suspicion might have occurred in the last handful of elections (it was maybe even critical to Trump’s win in certain northeastern states). Anything that tells you on a screen that you’ve voted a certain way can be lying to you if you can’t physically see a way to verify otherwise. It can be programmed to switch a selection of votes from the party the manufacturer doesn’t prefer to the one it does.

Basically the only way to secure a machine against provider fraud is to have its software be open source (and even then, you need to be able to read code to personally verify that your vote is going to the right place, and you need to be sure that the open-source code is actually what’s running on the election machines). However, doing so means that if there are any technical vulnerabilities, they are incredibly easy to find. That’s okay if you secure the physical machines and they are disconnected from any and all networks, and if any hardware that could be used for vote tampering by officials or by voters is put in plain view rather than being part of the booth or behind the shield that voters will use for privacy. The US largely doesn’t take those preventative measures, because the rules are set by whichever political party is currently in charge of the state (as the constitution highly limits federal election law, for some strange reason), and there is thus a huge incentive to game the system, as the official responsible for the integrity of voting in the state has no requirement to be non-partisan. In fact, the Secretaries of State are often overt partisans. (These are not to be confused with the federal Secretary of State, who is the equivalent of a Minister of Foreign Affairs in a New Zealand context; the state ones are more like having 50 local chief executives of the electoral commission, each making different rules.)

Traditional internet voting based on a single secure database system or network has all the problems of both vote-by-mail and of US voting machines, with the possibility of online hackers who can compromise the system without even bothering to go phishing for passwords added into the mix. (You also have to remember that the possibility for interference opens up to the rest of the world once you put the system online, so you’re making yourself vulnerable to foreign agents who could never set foot on your soil, too.) I’m willing to go on record as saying I think it’s logically impossible to secure such a voting apparatus to the level that’s necessary for national elections, especially as the added problem of hacking makes it much more difficult to verify, within an acceptable timeframe, whether all the relevant information is authentic. (Instead of being able to trust all the meta-information you’ve received about which barcode belongs to which vote, it’s possible that such information has been faked. So you can’t rely on the receipts from the system about how many people voted online until it’s been cleared of digital interference, which is a process pretty vulnerable to false negatives.)

Some people are proposing blockchain voting systems. Blockchain is the distributed verification technology behind Bitcoin and many similar cryptocurrencies, which is basically a protocol for distributed databases. Such systems could be acceptable for non-critical elections, like organisational ones, or maaaaybe local body voting and referenda. The difficult thing is, the ones that I’ve seen that in principle could be secure are fundamentally incompatible with a secret ballot.

Why? Because they rely on distributed ballot databases and a layer of public key/private key cryptography. Effectively, anyone can sign up to the blockchain and they get a copy of the database. Then whenever a change needs to be made, it’s submitted to a certain number of known holders of the database and tagged with the public key that requested the change, and all of those members of the blockchain ensure that they communicate that change to all other members of the blockchain they’re connected to, until it trickles through the distributed network. This means that any attempt to compromise the database has to simultaneously hit the entire blockchain to work, or anyone that they’ve missed will detect an error. That’s very good for security.

And to vote, someone would need to compromise your private key, which you personally control, so on that front you’re actually a little more secure than vote-by-mail, maybe. I’ll come back to this in a second.

However, it also means that some form of public identifier has to be attached to every vote. While that information is theoretically anonymous, in practice it can be tracked back to an individual. Blockchains rely on tracking where information comes from in order to maintain security, and public keys can be traced back to specific IPs and timestamps, which means they can be traced to specific users, which means you no longer have a secret ballot.

Likewise, the ability to use the private key also allows you to demonstrate to anyone watching you vote online who you voted for, at the time of the election at a bare minimum, if not afterwards too, and you are also able to deliberately compromise your private key and let someone else vote for you, again opening up voter coercion. Any system where there isn’t a way to verifiably observe people voting in a way that is separated from observing what they vote for is fundamentally insecure. You could arguably do so through webcams, but there’s absolutely no guarantee that the video data wouldn’t be fake without secure hardware, which defeats the economies of scale of online voting.
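To make the last few paragraphs concrete, here is an added toy model (not code from the original post) of a signed public ledger of the kind described: each vote is a signed entry tagged with the voter’s public key, implemented with a Lamport one-time signature so it needs nothing beyond the Python standard library. Anyone holding the ledger can check every signature and recount it, which is the transparency win, but the same ledger lets anyone who can tie a key to a person read that person’s vote, and a voter can prove how they voted, or hand the key to someone else, which is the secrecy loss. The function names (cast, tally, how_did_they_vote) and the ledger layout are my own assumptions.

```python
import hashlib
import os
from collections import Counter

def _h(b: bytes) -> bytes:
    return hashlib.sha256(b).digest()

def keygen():
    # Lamport one-time signature: 256 pairs of random secrets are the private
    # key, their hashes the public key. One key signs exactly one message.
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    pk = [(_h(a), _h(b)) for a, b in sk]
    return sk, pk

def sign(sk, msg: bytes):
    # Reveal, for each bit of the message hash, the matching secret.
    d = int.from_bytes(_h(msg), "big")
    return [sk[i][(d >> (255 - i)) & 1] for i in range(256)]

def verify(pk, msg: bytes, sig) -> bool:
    d = int.from_bytes(_h(msg), "big")
    return all(_h(sig[i]) == pk[i][(d >> (255 - i)) & 1] for i in range(256))

def voter_id(pk) -> str:
    # The public identifier the ledger attaches to every vote.
    return hashlib.sha256(b"".join(a + b for a, b in pk)).hexdigest()[:16]

def cast(ledger, sk, pk, choice: str):
    # A vote is a signed change to the shared database, tagged with the key.
    ledger.append({"voter": voter_id(pk), "pk": pk, "choice": choice,
                   "sig": sign(sk, choice.encode())})

def tally(ledger) -> Counter:
    # Anyone with a copy of the ledger can check every signature and recount,
    # rejecting forged or duplicate entries: this is the transparency win.
    counts, seen = Counter(), set()
    for e in ledger:
        if not verify(e["pk"], e["choice"].encode(), e["sig"]):
            raise ValueError("forged entry for " + e["voter"])
        if e["voter"] in seen:
            raise ValueError("duplicate vote from " + e["voter"])
        seen.add(e["voter"])
        counts[e["choice"]] += 1
    return counts

def how_did_they_vote(ledger, pk) -> str:
    # The same openness that makes the count checkable lets anyone who can tie
    # a key to a person read that person's vote off the ledger: no secret ballot.
    return next(e["choice"] for e in ledger if e["voter"] == voter_id(pk))
```

Note that the only thing keeping a coercer from reading a vote is the link between a key and a person, which the post argues is exactly what IP addresses and timestamps give away.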

You could use such a system in contexts where a secret ballot isn’t necessary, such as local direct democracy, or organisational elections. But it’s fundamentally vulnerable to identities being compromised, because it relies on keeping those identities semi-public to secure the vote.

This is without even getting into the non-critical problems with online voting, such as the fact that when there’s not a specific Election Day, people will often forget the deadline and not vote in time. This is a big problem with voting-by-mail, too, which makes online voting actually a problem for turnout rather than a solution when it’s used as the primary voting method rather than in supplement to in-person voting.

Blockchain methods might be suitable for a sort of public-ballot electronic direct democracy on local issues where voter coercion, fraud, or voter harassment aren’t as likely to be problems, but that too has its issues, such as the “self-selecting oligarchy” problem with inclusive, high-volume democracy: that is, it’s so work-intensive to vote on every local issue that only very enthusiastic people tend to show up for it with any regularity, thus those with the time and/or interest tend to form an oligarchy among those who are actually eligible, as they usually hold the majority of votes on any given issue. You can also have the opposite problem of tyranny of the ambivalent, where people who are only tangentially affected by an issue flood in and force a decision that key stakeholders hate. These are general democratic challenges, of course, but electing representatives helps smooth them out a bit, whereas direct democracy is a little more difficult.

So, in conclusion: no to online voting for now, and probably no forever, as I’m pretty sure it’s logically impossible for online voting to hit all three critical points at once, and I am actually a fan of representative democracy. It provides a level of guarantee of human rights, it helps smooth out how democracy functions between the boring issues and the ones of great public interest, and quite frankly, it’s easier to keep democracy slightly at arm’s length from the average voter, so we can keep their powder dry in terms of democratic participation for when it’s really needed, rather than subjecting them to constant voter fatigue.


