Can We Have a Safe Election via the Internet?
In connection with the upcoming USA presidential elections in 2012, I would like to discuss holding the election via the Internet and the risks associated with it. This is not a technical text; it does not show a technician carrying out attacks on individual choices. It is an article containing the basic information that every voter should know, striking out to the ballot box, or voting by the network.
None of us likes to stand in line and wait our turn to carry out our democratic responsibilities. Public opinion surveys in each country say that more and more people want to be able to vote via the Internet. But the experience of many countries shows that Internet voting hardly increases turnout and that is very difficult to ensure its secrecy. This article introduces the technical details of the election by the network, because really they are not equivalent to traditional voting at the ballot box.
To start, consider what features should electronic elections have? Certainly, like the traditional ones, they must be organized in such a way as to prevent any falsification. A fairly conducted election should meet several conditions:
First: It should be set so that only registered voters can cast votes. When voting at the polling station, the election commission verifies our identity, and on this basis gives a ballot to us. In the case of electronic elections, in my opinion the only sensible solution is to assign each of the eligible citizens a specific identification, such as for example unique numerical code, cryptographic key and private key, so that each will be able to cast their vote.
Second: Remember, the Internet is open. Thanks to this , a very likely scenario is that manipulations can be carried out over the course of voting. The election results may affect various lobbies or interests of foreign states or terrorists. So people who are not voters may wish to vote, pretending to be eligible voters, or may otherwise tamper with the election results. A good voting mechanism must minimize to virtually zero any chance of the success of such attempts.
Third: In the election, every citizen can vote only once. If a voter goes to the ballot box and votes there, after signing in he gets only one card. The Internet must verify each voter in such a way that he could not under any circumstances enter the vote more than once.Fourth: All elections shall be by secret ballot. This condition is essential for the conduction of democratic elections. No one should be able to determine who voted for any particular candidate. In the case of Internet elections, secrecy is of course possible to introduce into the system, but very difficult to reconcile with the two previously mentioned conditions.
Nothing done so far in the world’s Internet elections were secret in the full sense of the word. During the voting process, voters have to first prove they are the person they say they are, and have full confidence in the electoral commission that all data, by which they can be identified, will be disconnected from the vote counting before or after the vote. In practice, unfortunately, it did not look so rosy. It was possible to check on anyone who voted, and all citizens were given was state assurances that no one ever seized this opportunity and that their privacy was really respected. As you can see, the situation is completely different from the traditional ballot in the box, where the voter alone can make sure the ballots are not tracked in any way or if people are not watching during the casting of the vote.
A Digital Signature or a Code: What to Choose?
Any voter who chooses to vote by Internet, must convince the electoral commissions server that he actually is entitled to vote. To do this, all existing or proposed use of Internet technology chooses usually one of two basic methods. The first is a digital signature that identifies the citizen with a pair of cryptographic keys. The second solution is, to provide a unique citizen code before the election.
The solution of the electronic signature is a much safer choice, because for the digital signature to be forged, that is, to impersonate the selected person, it is very hard to do, though not impossible . However, the encryption keys should be on a smart card chip, based for example on the RFID chip, which increases the technical requirements of the project. How is it resolved in Europe? Estonia, for example, managed to hold elections on the Internet without any problems for one reason only. Estonian citizen ID cards contain a microprocessor, which allows a digital signature. Another possibility is that the smart card was used only to vote, which takes place in Switzerland, but then it also must produce and deliver voters, preferably with a suitable card reader.
An alternative solution to this problem is to provide voters with unique codes that allow a vote. It may be provided for example in paper form, or an incoming text message on mobile phone. When it’s time to vote, the voter simply enters his code on a computer keyboard.
In this case, the problem is different. Posted voters code must be long and include the addition of numbers, letters, and special characters, for a possible attacker is not going to successfully choose numbers at random in the hope of guessing the right combination. If we want to make accidentally hitting the correct combination as difficult as forging a digital signature, the code would have to have more than 300 digits. Even codes of 50 or 100 digits would be impractical because the voter would prefer to actually go to the polling station rather than type 50 characters on the keyboard.
Where Can You Currently Vote by Internet?
With the dangers of voting by the network discussed, now let’s see where online elections are used. In fact, they are not used in much of the world due to technical difficulties in ensuring the safety of the vote. The first sample was taken in the United States, during the presidential election in 2000. People in four states were able to vote through the Internet, but unfortunately, this netted only a few dozen votes.
Before the next presidential election in 2004, security experts and developers of electronic information tried to develop a completely new mechanism for Internet voting, but the project was abandoned, because the specialists have found that it is not possible at all to cast a safe vote over the network. Once that decision was reached, everyone on the old continent, including in Europe, abandoned work on a common system of MEPs (Members of the European Parliament) election sites, but focused on the technique of absentee voting. In fact, only the Dutch, in addition those who lived abroad or who were abroad during the elections, could choose their MEPs over the Internet.
A more interesting solution was adopted by the Swiss. There, Internet voting is practiced during each referendum, but not during the election. In the UK, Internet voting is used in local elections,with ¼ of the votes cast in this form, so they really enjoy the great interest of voters.
Estonia – Silicon Valley of Europe
The most interesting case is here from Estonia. For many years, they have managed to hold elections on the Internet at the largest scale in the world. It all began in 2005, after much discussion. First voters were allowed to vote via the Internet in local elections and then in parliamentary elections in 2007. Despite expectations of government, there was not much of an increase in voter turnout. Through the Internet in the first such elections in Estonia, 3% of those eligible voted.
Why do I really like the solution to online elections in Estonia? Because it is really very unusual. That’s why I decided to devote a whole chapter. The first thing is that Internet voting in Estonia takes place a few days before the regular election. Oddly enough you can always change your mind and vote several times, but only the last paper ballot is taken into account. So if somebody votes over the Internet, and then at the polling station, then the votes cast electronically are invalid.
What is interesting here is that voting via the Internet empowers electronic evidence. A document equipped with a microprocessor and memory has now been assigned to almost every resident of Estonia. Apart from the usual personal data, the document also contains an individual’s cryptographic keys, so every citizen can make a digital signature, which in Estonia is legally binding and is used during the election.
To vote you need a special reader connected to the computer, which introduces the reader to an identity card. On the side of the Electoral Commission, two servers are used to support the Internet vote. The first one gathers the voices of citizens, while the second is used for their calculation. Each voter encrypts his vote with a special program, and then adds his digital signature. After encryption and signing of his voice, it can be safely sent over the network with minimal risk or change the reading on the display. The server, whose task is to collect the votes, is able to verify the signature, and therefore determine whether the voice actually comes from a legitimate voter, but does not have the key needed to decrypt the voice.
Once the election is completed, all votes are copied to the counting server, which alone has the decryption key and is able to read complex voices. The counting server does not receive the signatures of citizens as they have previously been separated from the vote. Theoretically, this provides complete secrecy of the election, but it would suffice to compare data from both servers to determinewho each person who voted for. The voter must therefore have full confidence in the electoral commission and in the professionals working there.
The State and Citizens – Two Conflicting Interests
Note that there are some electoral protocols that enable the real secret ballot over the Internet. They are based primarily on the allocation of random, unique code for all citizens. The voter shall then vote by code, but the committee does not know to whom the code belongs.
Yet another safer method of voting is the equivalent of an electronic ballot. In this case the use of cryptographic protocols blind digital signatures. Well, the election commission shall sign the ballot together with the code selected by the voter, but under no circumstances is it possible to know the code. With this method, the voter must connect to the commission server twice, first in order to issue the card, then, being fully anonymous, to cast their vote.
We can also add a very interesting solution to each of our chosen methods. Well, we can allow voters to be able to verify that his vote was properly counted. After the vote, the election results are published, containing besides the number of votes, the codes of citizens, supporters of a candidate. As a citizen knows only his own code, which is not known by the electoral commission, you can easily view this detail of the election results without compromising secrecy.
Unfortunately, all the protocols to ensure complete secrecy of the election have one major drawback. They are very vulnerable to a massive vote trade. Note that to vote you only need a numerical or other code, digitally stored information that is not associated with any particular voter, because it is anonymous. People who are not interested in elections, they could try to sell this information, if the electoral commission did not have its mechanisms which allow verification that the voice he gave power to was the voter or some other person who has somehow come into possession of the code.
Therefore it’s perfectly clear that in some situations the interests of voters, which is the secret ballot, may be contrary to the interests of the state, which must prevent trade votes. One thing remains a fact. Citizens who are interested in both the introduction of online choices and participation in them, really should follow the technical details of the proposed solutions and confidently express their own opinions about them.
Most governments already provide citizens the opportunity to vote via the Internet, set up in one way or another. Some ways are better, others are a tad worse. It really only depends on us whether we use this opportunity.