New Technologies in Voting

Voting is the core method of implementing public power in modern democratic societies. However, in the contemporary increasingly mobile world, paper-based elections, where every eligible voter has to come to the same physical location during a short period of time, is less and less of an option.

According to UN Migration Report of 2015, the number of people not living in their country (or even continent) of origin has increased by more than 30% worldwide during the period 2000–2015. This means that methods of remote vote casting have to be introduced sooner or later.

Historically, remote paper voting goes back to late 19th-century Australia, and it has been used ever since in many counties to allow for absentees to cast their ballots. However, this method has numerous shortcomings. It is hard to remotely authenticate the voter on paper, reliability of postal services varies a lot across the world, there are no good measures against vote selling, etc. This is why it is important to look for good alternatives for remote voting.

Recent decades have given us fast development in both computerized networks and strong electronic identification mechanisms. These together lay a foundation for vote casting over Internet. And indeed, this approach has been tried out in several parts of the World. In particular, participation in legally binding elections over Internet has been an option in Estonia since 2005. In 2019 Parliamentary elections, 44% of the votes were cast this way.

However, the digital environment is evolving all the time. As this unfortunately also means emergence of new attacks, the Estonian remote electronic voting system also needs to find novel ways to counter them.

The first topic we will be working on concerns personal voting environments. To date, votes are cast using a special application working on a regular PC OS (Windows, macOS or Linux). However, regular PCs, although being very accessible, are also in some sense too powerful. They are running multi-tasking operating systems, making it possible for attackers to create and run malware in parallel with the main voting application. But what would happen if we would create a dedicated voting application working on a very limited platform, say, a microcontroller device which would be installed and deployed under the voter’s sole control? Perhaps this would not be a solution for everybody, but for really paranoid people who do not trust their main PC it can hopefully provide an alternative.

For a larger part of the electorate, it would definitely be interesting to be able to vote from their mobile devices. Mobile devices are becoming more and more like general-purpose computers. This may be perceived as both good and bad. It is good because the defense mechanisms that have been created for PC-based voting applications will with high probability also work on mobile devices. It is bad because we currently rely on mobile devices as an independent individual vote verification platform. If voting and verification would be performed on the same device, we would lose this independence required for verification to work reliably. All in all, there are problems to think about here.

An important issue most of the current cryptographic applications of today will face in near future is the one of quantum computers. Even though not yet sufficiently powerful to do any real harm, they have a potential to break most of the asymmetric cryptography we use today. Standardization process to obtain good post-quantum alternatives has already begun, but there are a couple of extra properties that we want from the cryptosystems to be applicable for electronic voting. Since the standardization process (lead by the National Institute of Standards and Technology in US) does not cover these, we have to work on finding suitable options ourselves, too.

The most important property of any voting system is to adequately reflect the preferences of the electorate. This means that the system in use must provide mechanisms to check that the final tally has not been maliciously manipulated (say, by adding, deleting or changing some votes). In case of paper voting this is done by re-counting the ballots. Even though effectiveness of this measure for detecting manipulations can be disputed, it is nevertheless clear that we need something similar (or better) for electronic voting.

In Estonia, the current safeguards against vote manipulation can be divided into two. First, we have an individual verification mechanism available for all the voters helping them to make sure that their votes reached the digital ballot box the way they intended to. Second, there are extensive system-level logs and cryptographic checks helping independent auditors to verify that the digital ballot box has been tallied correctly.

However, every single voter is not given strong proof that her vote was counted. There is a good reason for that - too strong of a proof can be used to sell one’s vote. So there is actually an inherent contradiction between complete verifiability and coercion-freeness of voting, and the best we can do is to look for a good trade-off between the two. Improving this trade-off is the final task of our project.

Written by Jan Willemson