This isn't why we don't have online ballots. The issue is specifically that you aren't in a voting booth, which means there is no control over voter influence.
Imagine a husband and wife plus a ballot initiative on outlawing flowers. The husband is strongly pro-flowers while the wife is strongly anti-flowers.
With online voting, the husband or wife can force the other to vote in front of them. There is no plausible deniability, so individuals are easily pressured into voting one way or another. Groups can say, "you need to vote in front of another group member" to pressure everyone to do what they want.
Voting booths prevent this, to a large extent.
Another issue is electioneering. By current law, one cannot campaign within 100ft of a polling station. This gives a "safe-space" where people can think about their options and make up their own mind. If I can vote on my phone, a random volunteer can get me all hyped up on the street and I can impulse-vote on the spot. Not a great way to run a nation.
(I'm not saying the current system is perfect, or anywhere close to it.)
Washington state does all its voting by mail now, which is good in a way because it means all the ballots are on paper and subject to verification, but it's vulnerable to all the voter influence problems you just listed.
(It also reduces voting from an in-person civic ritual to just one more form you get in the mail and have to fill out and mail back, like paying a bill. But that's a whole separate problem.)
Just what I said: Voting in person is a ritual. You can take your kids with you and show them the foundation of our democracy, right there at your local polling place. Doing things in person has a different psychological effect.
Whether or not that's enough of a problem to outweigh all the benefits of voting by mail, I don't know. It certainly lowers the actual barriers to voting: You don't need time off work to drop an envelope in a mailbox. But I do worry about the loss of ritual, and what it will do to voter engagement over a few decades.
If votes could be updated until the polls close, wouldn't that resolve the issue? You could simply vote in front of your husband/partner/group and change it later when you're in private.
This would rely on having no method to determine how your vote has been cast, before or after the election. But this should be a feature of any online voting system.
I read through your parent comment and could not find any sentence for which the response "it does" makes sense. (Maybe the parent comment was edited?)
So basically like buying votes on paper? You force someone either not to vote or to vote in a specific way by restricting access to their ID. See, as the paper ballot trumps the electronic voting, all the attack vectors end up being about controlling the physical voting. Which is the exact problem with voting right now everywhere. Also, if you are already capable of doing this, why not take everything the person has? The digital signature is equivalent to the physical one, so all non-notarized transactions you can execute exactly as voting. To my knowledge there have been exactly zero cases of forceful ID extraction in the past 15 years. Basically, if you can significantly influence the voting outcome, you can significantly alter the financial wellbeing of the society. Which is, yes, a risk but would be more desirable for an attacker.
You can't buy votes on paper because you need to be alone in the voting booth. You could prevent people from voting, but not force them to vote as you want.
As for the value of digital signature, I don't think it's legally equivalent to the physical signature, at least in my country. I've yet to see any administration accepting a digital signature.
Combined with early voting, and you could have a political event with tens of thousands who all vote a month early online in front of each other, the crowd pressure adding to the emotional fervor.
I can't imagine elections being any more screwed up, even including Jim Crow. Jim Crow has nothing on this.
But I'm still of the opinion that anything electronic is by nature untrustworthy. Just ask Microsoft, who for more than a decade has tried to lock down their O/S.
I know how the theory works. But that's just a theory regarding abstract concepts. Real voting doesn't work like that. At all. It's much more than the theory describes.
And if we get past all of that? Then we can start talking about how nobody who founded the U.S. wanted a democracy. Democracies are inherently extremely dangerous.
It's just a terrible idea masquerading as some cool new thing tech can do.
Is voter coercion actually a threat today? Or is it just a boogeyman to derail discussion like voter impersonation is used to promote biased voter ID laws?
> With online voting, the husband or wife can force the other to vote in front of them
For what it's worth, my ex-wife slightly reprimanded me after a general election some time ago because I hadn't told her whom I was voting for, because she would have cast the same vote as me.
On the electioneering thing I have no strong opinion. Just wanting to say that if a person's vote can be so easily influenced by a "volunteer hyping up" someone on the street then maybe, just maybe, that person's vote (and a lot of other persons' votes) does (do) not accurately represent la "volonté générale", to quote Rousseau, meaning that universal voting might not result in what's actually best for the people. Related wiki link: https://en.wikipedia.org/wiki/General_will
The Estonian system pretty much fully prevents that by allowing you to vote however many times you want. You can sleep on it, re-cast the vote and sleep on it again. And then, if still not happy, go vote on paper. The last vote cast counts.
I'm sure the director of the self-described "leading provider of voting technologies" thinks this all makes sense. But the premise here, that the US has a low voter turnout and e-voting somehow makes it all better, is wrong. Countries with e-voting don't generally have better voter turnout than comparable countries. The countries with the best voter turnout don't have any electronic voting systems at all! What they generally have are "boring" things including well-functioning free media and high education.
But funny he should mention Estonia's e-voting scheme specifically. There was a very interesting look at Estonia's e-voting system at a previous CCC. Here is a video of the talk: https://youtu.be/JY_pHvhE4os
(Spoiler: Opsec fails begin at 42 min. But watch the whole thing, it's interesting.)
And the system in Estonia is not an especially bad example. E-voting is hard even in theory, with issues like transparency and voting secrecy, but the systems in actual use haven't even nailed the engineering problems yet.
From what I gather, Estonia's is one of the better systems deployed, and it seems to have had a lot of thought put into its design. Nonetheless, it's insecure, if only because of the poor operational security of the people running it.
Voting requires authentication, verifiability and anonymity.
Online electronic voting only allows you to pick two.
They may be lo-fi, but paper ballots work very well here, and engineering a secure Internet voting system which maintains these attributes is a difficult problem.
The people who understand computer security and voting systems well will never design an Internet voting system, because they know it can't be safe. Unfortunately, that means we're left with systems deployed by those who don't understand these well.
But traditional, non-cryptographic paper ballots allow you to pick none of those things.
Traditional ballots don't really provide any authentication. If you check your mail and find a blank ballot addressed to someone who used to live at your address, you can vote twice. Nobody will know unless that person comes looking for their ballot.
Traditional ballots don't really provide any verification. Sure, two weeks after election day I can look up the code printed on my ballot to see if it's been counted. But there isn't any way to verify that it's been counted correctly, nor is there any way to prove that the system isn't lying to me.
Traditional ballots don't really provide any anonymity. In addition to the aforementioned number printed on the ballot, my return address and signature are displayed on the outside of the envelope. I'm told that whoever or whatever opens the envelope won't look at the ballot inside, but I have no way of proving that.
Authentication, verifiability and anonymity are all properties that can only be implemented together with the aid of cryptography.
Authentication & anonymity are only not provided under your particular system. An in-person voting system, with unmarked ballots being delivered only after authentication by the election officials, does provide both features.
And what cryptographic system provides a proof that your vote is counted for the total?
There are a number of ways to do it, see the article linked below. Not all of these methods actually require use of a computer to cast a vote, which is why I said traditional paper ballots earlier. This of course still leaves the problem of authentication, which can only really be done with a computer.
>engineering a secure Internet voting system which maintains these attributes is a difficult problem.
It's not a hard problem, it's an _impossible_ problem.
If there's any security hole between the BIOS, CPU, firmware, OS, app, a state-sponsored attacker will get it.
The US got into air-gapped systems. You think China (or Russia, Iran, ISIS, Europe, Anonymous, you name it) won't break in?
And what do you do if you discover that there was external vote manipulation? Hold re-elections?
And how easy is it for someone to delete, say, a couple thousand votes in a strategic state? It's hard to physically do it without evidence and a conspiracy, but if a hacker (or a simple bug) gets in, all bets are off.
If you apply zero-trust (as you are here), then it's also _impossible_ to assure all those attributes are present in the current voting system.
So I see no harm in attempting to solve for "better" or even "equal but more convenient" than the current. -Which does not technically rule out _some form_ of internet voting.
Current voting systems actually work very well with zero-trust.
- You enter into the voting booth with your ballot and cross off your preferred candidate or party. No trust needed.
- You fold it together and put it into a ballot box. No trust needed.
- The ballot box is sealed and driven to a counting station. This is done under supervision of all stakeholders, meaning that cheating is extremely hard because your political adversary is present.
- The ballot boxes are unsealed and the votes are counted. Note that the votes are counted by all stakeholders (typically one or more people from each party), making it hard to cheat.
- The final vote is passed on.
None of the above steps require trust in any one person or entity, and the probability of cheating (if the procedure is done correctly) is quite low. If there is some anomaly the votes are saved so they can be counted again.
Literally, all of those trusts in that scenario are with 'people' which are indeed quite easy to corrupt (or fail without awareness). Possibly more so than potential crypto and chain/ledger based systems.
And again, if "probability is low" is the bar, then we can surely keep _exploring_ Internet voting systems without engendering rejection as academically 'impossible' for the whole concept.
Well, you can pick: full verifiability, full authentication, and anonymity-as-long-as-you-dont-share-your-vote-receipt, which might work in some settings where the social norm against something like vote buying is strong enough that the party that tried this would end up with more of its own voters deflecting than opposing voters selling their vote to them.
But there is one more problem: most verifiable voting protocols are fiendishly complex for the average voter to validate, especially if they need to keep in mind how to verify things in a way that is robust to their devices being compromised. If you were holding an election where only people with a crypto or security systems Ph.D. voted and where they would rather punch you in the face than sell you a vote for 1 million USD, then you could have very secure online voting. The real world is a little bit more complex than that... one of the main advantages of paper ballots is that the technology involved is quite widely understood.
Not quite. Ok, I might be exaggerating with the CS Ph.D. requirement for the average voter, but there are two steps:
1) Verify that my vote was correctly encoded and cast as intended. Every voter must verify this. It can be as "easy" as: printing a hash produced by a voting terminal/device you trust (which doesn't need to be government provided), submitting the resulting encoded vote into an (untrusted) government website where you authenticate with a smartcard, and then later comparing your original hash against a hash published in a newspaper... This exceeds the level of sophistication/care of most voters in any large country.
2) Some organization must check a large trail of signatures, zero-knowledge proofs of correctness, re-encryption mixnets, etc, etc. This can be done well enough as long as every political party and election watchdog has one or two crypto professionals in their employ.
I am not really worried about #2, even though it is harder, I am worried about #1. The important part is that all the checking of the world regarding #2 is useless without at least a representative subset of voters performing #1 (~1% would be enough, but only if distributed uniformly at random, otherwise you can flip votes from the population(s) least likely to check).
Yes, #1 is a bit too hard for everybody to do it. Yet, you can help some random set of your friends, while I help some random set of my friends, we add some neighbors at random, and much quicker than you thought, there will be a representative set of verified votes.
No, you won't. You will get a representative set of "votes for voters who have at least one friend who went to college or had the resources to be a computer geek growing up". Then if I want to manipulate the election, I will just flip votes from elderly lower income voters in rural communities and likely not get caught at all.
For an analogy: I grew up in Mexico during the 70 years of PRI rule, and I can tell you in my city, in my polling station, with watchers from all major parties and a few NGOs, it is actually very unlikely that anyone stuffed the ballot. But in a rural area, where Spanish is not the primary language and the poll watchers were all from one party or few enough to be for sale... well... My point being that a similar scheme is quite possible when the barrier is "computer literacy" instead of "rights literacy" or plain old literacy (in the country's majority language, I mean). Either way, the smaller the group of people who understand how the election works, the easier it is to disenfranchise people.
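The cast-as-intended check (step #1 above) and the argument that only a uniformly random set of checking voters can detect tampering, as an added simulation that is not part of this thread. The hash-receipt scheme, the "tech-literate" group, the tampering model and all numbers are constructed assumptions for illustration.

```python
import hashlib
import random
import secrets


def commit_vote(choice, nonce=None):
    """Voter-side step #1 (hypothetical scheme): the trusted device hashes
    nonce:choice. The hash goes to the untrusted bulletin board; the
    (nonce, choice) receipt stays with the voter for a later comparison."""
    nonce = nonce or secrets.token_hex(16)
    digest = hashlib.sha256(f"{nonce}:{choice}".encode()).hexdigest()
    return digest, (nonce, choice)


def check_receipt(board, voter_id, receipt):
    """Voter compares the published hash with what the device printed."""
    nonce, choice = receipt
    expected = hashlib.sha256(f"{nonce}:{choice}".encode()).hexdigest()
    return board.get(voter_id) == expected


def run_election(n_voters, tech_fraction, flips, auditors, uniform, rng):
    """Build a board, replace `flips` entries belonging to voters outside the
    tech-literate group (the tampering model from the thread), then audit with
    either a uniform random sample or one drawn only from the tech group.
    Returns True if at least one audited receipt fails to match."""
    voters = [f"v{i}" for i in range(n_voters)]
    tech = set(rng.sample(voters, int(n_voters * tech_fraction)))
    board, receipts = {}, {}
    for v in voters:
        board[v], receipts[v] = commit_vote(rng.choice(["flowers", "no-flowers"]))
    # Constructed attacker: overwrites board entries with its own commitments,
    # choosing only voters unlikely to perform the check.
    for v in rng.sample([v for v in voters if v not in tech], flips):
        board[v], _ = commit_vote("no-flowers")
    pool = voters if uniform else sorted(tech)
    sample = rng.sample(pool, auditors)
    return any(not check_receipt(board, v, receipts[v]) for v in sample)


def detection_rate(uniform, trials=200, seed=1):
    """Fraction of simulated elections in which the audit catches tampering:
    2000 voters, 30% tech-literate, 100 tampered entries (5%), 20 checkers (1%)."""
    rng = random.Random(seed)
    hits = sum(run_election(2000, 0.3, 100, 20, uniform, rng) for _ in range(trials))
    return hits / trials


if __name__ == "__main__":
    print("uniform random checkers :", detection_rate(True))   # roughly 1 - 0.95**20
    print("tech-group-only checkers:", detection_rate(False))  # never detects
```

A 1% uniformly random sample catches a 5% flip most of the time, while the same number of checkers drawn only from the group the attacker avoids catches nothing.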
The author has barely anything to say himself about this study. Instead, he hides behind the Estonian government's self-serving response, which seems to depend on a heavy dose of wishful thinking. His proclivity towards avoiding the difficult questions suggests to me that he is incapable of considering the serious concerns raised by this report with adequate rigor and objectivity.
And when the next Mirai botnet is turned against the online voting infrastructure, what happens then? Or perhaps ISP hubs in specific areas are targeted to suppress entire groups of voters?
Not to mention, the ability to 'undo' a vote is only marginally helpful in preventing voter coercion or vote buying - it only changes the way it's done a bit.
I've followed Estonia's efforts in online voting for quite a while and it always reminds me of the premise about platforms of the greatest scale acquiring the most attention by bad actors (and typically leading to more exploits accordingly).
How would Estonia's online voting hold up to the kind of global assault that a US system would inevitably draw, for example? If Russia, China and the US all went to work on trying to influence (or damage) the outcome by attacking Estonia's voting system, what would happen? Not all online voting systems will receive the same level of assault or garner the same kind of attention toward that end. The best technology companies in the world find it difficult to create an atmosphere of extremely high level security around information, transactions, etc. Outside of very large monetary theft, could there be a juicier target than being the group or hacker that collapses the US online voting system? It would make the front page of every newspaper on earth and would cause as much or more immediate financial damage than 9/11 did. The US stock market would at least temporarily shed hundreds of billions of dollars the next open day.
There is a very strong argument to be made that one size will never and could never fit all when it comes to online voting.
"One remaining problem is that the personal devices that voters use to cast their ballots can become infected with malware that reads their passwords and PIN codes from their keystrokes or that allows hackers to remotely control their desktops."
"The Estonia National Electoral Committee responded to their criticisms shortly after by saying that the theoretical attacks they described were not feasible."
> Casting a vote online can be secure and convenient
I don't recall convenience being a fundamental attribute of maintaining democracy.
Having said that, some countries' current voting systems are a mish-mash of different methods, approaches, technologies and even rules (I'm looking at you USA), that make paper-ballot voting less "convenient" than it could be. There's no reason why paper-ballot voting needs to be inconsistent across electoral boundaries, difficult to execute, or difficult to validate (cf: Australia's system).
I don't recall convenience being a fundamental attribute of maintaining democracy.
Convenience is important to ensure a representative sample of the population is heard, and not just those who have enough free time to wait in line to vote. Mail-in ballots are a good example of convenience allowing greater participation.
Absolutely agree, but convenience does not trump security, verifiability etc. In the example you gave, mail-in ballots were primarily introduced as an exception to the rule, in order to increase participation. They are not a wholesale replacement for ballot-box voting.
I can see then, why for some, the argument that "e-voting can enable use of standover tactics" falls on deaf ears - because the risk is no different than what is currently the case.
It's true. I can see the risk here, since I could easily pressure my wife into voting a certain way or even fill out her ballot and forge her signature (if I ignored the warnings that it's a felony to do so). I think we have to weigh that risk against the benefits of greater participation/accessibility that vote by mail provides.
This doesn't explain how you prevent against paying or pressuring people for their vote. If someone can potentially watch you as you vote, this is not an anonymous voting scheme anymore.
It does. One can drop by the next day and vote for someone else (and the last vote wins over earlier, and physical voting overrides e-voting).
However, it still requires that people "undo" their vote. I can imagine that a large percentage of people won't, so it will still be a net gain to coercion.
It seems like a good idea indeed but it could be countered. Force or pay a person to vote the last day and then to give you their ID until the vote is closed.
Of course, it's still a step in the right direction as it makes a large vote buying scheme harder.
1. _Right now_, I don't know how many nation states are trying to hack the election in Estonia. I know of quite a few who would be more than happy to do so in the US. And while it's true you can send spies... it's much easier and safer to hack from a safe base than to go into foreign countries (and no plausible-deniability).
2. You're _assuming_ no one's logging anything. There's no way to ensure that.