There has been a lot of interest suddenly in electronic voting, so I thought I would give some insight into what’s holding it back. Between 2012 and 2014, I became intimately involved in electronic voting when I joined the Victorian Electoral Commission to build the world's first Verifiable Voting system, shortened to 'vVote'. This gave me insight into the requirements of electronic voting to satisfy the modern needs of democracy.
The problem with paper based voting
Paper ballot voting has received a lot of criticism, not considering the high cost of running a national general election (~$200 million). Electronic voting brings the promise of reduced costs, faster results, and greater certainty of the outcome — a boon for our small nation.
Paper-based voting is subject to corruption, and we have no way of detecting it. A postal bag of 10,000 votes could be replaced with substitutes and electoral commissions would be unaware. That’s probably the easiest attack vector on voting today.
The risk of electronic voting
But with electronic voting comes a number of risks that can't be ignored. First amongst them is fraud, and the jackpot is almost $500 billion for a federal election. This creates a strong incentive for a financier to arrange to rig an election, and they would be willing to pay a large percentage of that jackpot to be assured a win, knowing that they could pay handsomely out of the budget, once they have control of it.
This represents a major challenge for electoral commissions — to battle against hackers that now potentially have very large budgets and the resources to crack electronic systems.
There is a secondary risk to electoral commissions that adopt electronic voting. That is that if it can be proven that an election outcome has been successfully manipulated as a result of the electronic system, then voters completely lose faith in the electoral system. This would be a major step back from our current position.
An audacious quest
So you can imagine that it was an audacious quest for vVote to make the claim that the proposed system they would build would be completely open for inspection, and would offer certainty that the result is correct.
To make vVote succeed, a team of experts from around the world would come together to build a solution that could be used not just in one election, but repeatedly. The solution was to be made open source so that anybody could re-purpose it for their own election.
What verifiability gives us is indisputable certainty that our solution has been built without any fraud, manipulation or corruption. We didn’t build that solution for ourselves; we built it for countries with high levels of fraud, manipulation and corruption.
You see, any person can challenge any part of our solution with the criticism “this result is manipulated” and we can prove mathematically that they are wrong. And that mathematical proof can be reproduced by anyone with sufficient knowledge. I don’t have that knowledge, but people far more pale and nerdy than me do.
In the unlikely circumstance that somebody fraudulently modifies a part of the vVote system, it can be detected, and votes cast from that part of the system can be discounted from the results.
Then you have privacy. Voters must be able to submit their vote without coercion, or any fear of retribution. i.e. they must be able to vote with complete liberty. This means that your vote can’t be connected to you personally at any time, once it's cast.
We invented a solution that allows you to take your vote home, and to login to the VEC website, and verify that your vote was correctly taken and counted. All without giving away your actual vote. i.e. nobody could ask you “show me how you voted” and our solution would give you away. Your vote was anonymous, and only you could verify your vote. That’s a neat trick.
Now here’s the really neat part that the maths boffins came up with: As more and more people verified their vote online, we could guarantee with increasing certainty that the vote had not been manipulated, or otherwise corrupted.
No other voting system has that inbuilt benefit.
The need for an open system
For such an important system to be accepted by the electorate, it must be open to inspection. It doesn't need to be understood by the electorate, but the electorate must be able to nominate a representative who can audit the system, and provide some guarantee that the system works, is equitable, and does not suffer from manipulation without being detected.
This is the flaw in all closed electronic voting systems.
It was educational to electoral commissions around the world when Ireland rejected their electronic voting system in 2009. Ongoing changes to the software system meant that voters lacked confidence that the system was without error. That the system was not open for analysis meant that the voters rejected the system outright, at a cost of €51 million. This too, represents a key risk to electoral commissions.
“Numerous electronic-voting inconsistencies in developing countries, where governments are often all too eager to manipulate votes, have only added to the controversy,” Newsweek reported. “After Hugo Chávez won the 2004 election in Venezuela, it came out that the government owned 28 percent of Bizta, the company that manufactured the voting machines. Similarly, the 2004 elections in India were notorious for gangs stuffing electronic ballot boxes in villages."
Criticisms made of vVote
There have been a number of criticisms levelled at vVote, mostly from other electoral commissions that choose not to adopt an open, verifiable voting solution. Let's go through them to dispel them one by one.
1. 'It is only able to be used for voting in a polling place'
This is incorrect. vVote targeted early voting polling centres for its first use, as it was designed to assist vision impaired voters, and voters with little English skills, both of whom would require some assistance with voting anyway. vVote was on track to be used for "remote voters" — those who were significantly distant from a polling centre — however this requirement was a low priority, and eventually dropped. The full experience of vVote is currently designed for people attending a polling place, but this doesn't prevent its expansion to remotely located voters.
2. 'It is too complex to understand'
The solution was eventually built by a very small, globally distributed team of no more than 6 developers, on a budget that approximates 1 per cent of the cost of the federal election. While there is some complexity to the software solution, it is not beyond the ability of common senior software engineers to build. The solution has its foundation in mathematics, but it is certainly not the first, nor the most complex mathematically based software solution.
3. 'It is too hard to support'
There was some criticism that explaining the differences of vVote versus paper ballot voting was too challenging, but a random survey of people who used vVote during the election demonstrated the contrary -
4. 'It is challenging to scale'
vVote at the time was designed to accept a number of votes in the low thousands (being the targeted demographic of voters at early polling stations). However during development, the system “had been tested for up to 1M (million) votes, and to receive 800 (votes) in a 10s (second) period,” a presentation by Steve Schneider noted (PDF). Scaling a software solution based on robust software platforms and principles is a matter of hardware cost, and not a major burden on the project. This is a problem that has been solved a million times in modern IT projects.
Results of the first general election using vVote
vVote was deployed for use in the November 2014 Victorian General Election. It accepted 1121 votes across 88 district races and eight regional races, in 24 early voting centres in Victoria, Australia, and also Victoria House in London, the United Kingdom. The system was operational 100 per cent of the time, and with no errors.
Current status of electronic voting
While the 1121 votes recorded by vVote in 2014 was an increase on the previous election's 961 electronically lodged votes, the VEC has faced criticism that their roll-out of vVote wasn't to a broader audience, and more widely supported. The VEC began with strong support for vVote at the outset of the project, but due to the departure of high ranking staff at the VEC, the project lacked the sponsorship and support needed to flourish. This is the danger of all IT projects over time.
The NSW Electoral Commission has chosen to follow the same model as Ireland, and tender out to a third party vendor, in this instance called Scytl. The vendor delivered a closed software system (not open for inspection), much the same as Ireland did. The result of deploying Scytl's solution was some serious errors that came under criticism.
Where to from here?
The low-budget, small-team demonstrator solution that vVote produced gave evidence that an open source, verifiable electronic voting solution is a plausible answer to Australia's electronic voting needs. It gives privacy, security, and complete verifiability of the election result. A first of its kind. I like to think of it as similar to a solution needed 20 years ago.
Twenty years ago the Internet was reasonably new, and nobody in their right mind would enter their credit card details on a website to make payment for something, for fear that their credit card details would be stolen.
Along came a solution that employed mathematical proofs — a seemingly complicated solution — that ensured that a user's privacy and security was protected. It took some time, and some support, to be adopted. In time it was given a symbol — a padlock — that would appear in a user's web browser, to instil confidence in them that they were safe.
Today, 20 years later, it is commonplace to use your credit card online to make purchases. Without fear. Without uncertainty. That technology is called Secure Sockets Layer. It's prevalent in all modern web browsers, in all parts of the world.
It's possible that 20 years from now, voters all over the world will place their confidence in an open electronic voting system that prevents fraudulent elections.
But we are at a crossroads, because the decision-makers in electoral commissions across Australia would rather choose a broken, existing solution from a third party vendor, rather than be the pioneer of tomorrow's solution.
And so we end with a few final words: “Election commissions must produce verifiable evidence that the winning candidates were chosen fairly, based on reliable and secure vote-casting and correct vote-counting.
“The lesson from the bugs in the ACT and NSWEC vote-counting code is clear: make the computer code available for public inspection so that we can scrutinise it for errors before the election.
“Receiving votes from the internet is the easy part. Proving that you got the right result, while keeping votes private, is an unsolved problem."
Further reading
- End-to-End Verifiability in Voting Systems, from Theory to Practice
- The New South Wales iVote System: Security Failures and Verification Flaws in a Live Online Election
- vVote: a Verifiable Voting System Technical Report Version 4.0
- A Supervised Verifiable Voting Protocol for the Victorian Electoral Commission
- Europe rejects digital voting machines
- Verifiable Voting in Victoria: from Prêt à Voter to vVote