If you date online, why can't you vote online?

Author
Dr Vanessa Teague

Research Fellow, Department of Computing and Information Systems
University of Melbourne

Australians queuing to vote. Credit: Andrew J. Cosgriff, Flickr

 

If you asked another person to cast your vote for you, you’d want good evidence that they wrote what you wanted.

 

Many Australians have to do this, because their literacy, vision or motor abilities don’t allow them to use the traditional pencil and paper independently.  There are also many voters for whom attendance at a polling place, or even access to the post, is somewhere between impossible and inconvenient.  So is electronic voting the solution?

 

The answer is yes and no.  Some forms of electronic voting can solve some of these problems, but only if we retain the fundamental idea that each voter gets good evidence that their vote is cast in the way that they intended, and the system provides good evidence that it correctly handled all the votes.  

 

Nobody would suggest that postal voting is perfectly secure, but it would be difficult for a small number of people to manipulate a very large number of votes without detection.  There’s no such restriction for electronic voting.

 

Electronic voting isn’t much different from paper-based voting: transparency about the process and evidence of the outcomes are necessary for a trustworthy election.

 

The challenge with computers is that you can’t see what they’re actually doing to their electronic data.  One comforting response might appear on the screen, while a completely different result (vote) is written on to the disk or sent over the Internet.  Viruses, worms, malware, software bugs, hardware errors, or deliberate electronic manipulation (hacking) could all case a vote to be misrecorded or manipulated.  It might not be obvious that anything went wrong.

 

There are lots of examples of successful cyberattacks on infrastructure that should have been secure.  For instance, last year criminals deployed the Eurograbber Trojan and used it to steal more than 36 million Euros from European Bank accounts.

 

The Trojan successfully hid itself so that customers completed their online banking transaction blissfully unaware that both their PC and mobile phone were compromised.  Some individuals lost €250,000. This year’s big story was Chinese government hackers stealing government and corporate secrets.  Last week it was a hidden service on the TOR network.  

 

Secure, private and verifiable Internet voting remains an unsolved problem.

 

The point is that serious attacks are out there on the Internet, and you don’t necessarily notice them.

 

Computer-assisted voting in a polling place is a problem with several sensible options.  They all involve a human-readable paper record, which the voter can check to see that their vote is cast as they intended.  In Tasmania and West Australia, the paper record is an ordinary-looking vote that goes into a ballot box with the rest and becomes part of the usual process of scrutinised counting.

 

Victoria is developing a scheme in which the paper record can be converted into an encrypted receipt which allows the voter to check later that their vote was properly entered into the count, without compromising privacy. (I have been working on a voluntary basis on this project.)

 

The oldest computer-assisted voting project in Australia is the Australian Capital Territory’s EVACS project, which does not have a human-readable paper record.  However, to its credit, it has had open source code since its inception, so it is easy to understand what it should be doing, even though there is no direct evidence that it’s doing that on the day.

 

Of course, none of these solutions remove the inconvenience of attending a polling place---you still have to join that queue on Saturday morning, or the slightly shorter queue at an early voting centre.

 

Secure, private and verifiable Internet voting remains an unsolved problem.  It’s too hard to authenticate voters, and too hard to give them evidence that their votes are cast as they intended.  

 

Although some techniques exist for proving that all the received votes are accurately recorded and tallied, and some organisations are putting them into practice, this is still a challenging new area.

 

Nobody would suggest that postal voting is perfectly secure, but it would be difficult for a small number of people to manipulate a very large number of votes without detection.  There’s no such restriction for electronic voting.

 

An ambitious New South Wales project called iVote brought 46,864 votes over the Internet in the 2011 state election.  Unfortunately when the votes were printed out, 43 of them had ‘N’ in at least one of the boxes where the numbers are supposed to go (this was almost certainly a bug, not the result of deliberate manipulation).

 

A new version is proposed that would allow voters to “verify” their vote with an auditing firm after casting it via the New South Wales electoral commission server.  The rough idea is that you will ask the auditor (using your ID number) what vote the electoral commission has recorded for you, and you can check that that matches your intention, then the auditor will promise to make sure that goes into the count accurately.

 

If voters have to tell an auditor how they voted in order to get any assurance that their wishes are accurately entered into the count, then I expect that Saturday morning queue to be part of the landscape for a while yet.