Digital voting is a game changer but we have to get it right

If successful, electronic voting poses a serious threat to the great British queue. Ruth W

The UK may be taking its first, tentative steps towards introducing online voting with the establishment of a Commission on Digital Democracy. As so many of our routine tasks are going digital, the shift towards virtual polls seems like a natural progression. However, there are many technical issues that need to be ironed out and the stakes are very high.

John Bercow, Speaker in the UK House of Commons, established the commission with a view to looking at how technology can be used to aid the democratic working of parliament, including online voting. This team would do well to take a look at what has, and has not, worked elsewhere around the world.

The pitfalls of online votes

Electronic voting can take a number of forms, including tallying votes by computer, using electronic equipment in polling stations and voting over the internet from the voter’s own computer or mobile device. Voting by phone is already used in entertainment shows, though multiple voting is possible and result-fixing has been known to happen.

Internet voting is also carried out for professional societies, student unions and other forms of election. It works well when cost and desire to increase turnout are important factors and where the likelihood of an attack on the election is considered to be low.

If we were to start using e-voting systems for electing political representatives, we’d need to be absolutely sure of their trustworthiness. Computer systems, including e-voting systems, can go wrong accidentally through software bugs, they can be hacked, and they can be subverted by corrupt insiders. Systems used in elections have been the subject of criticism for all these reasons, resulting in some cases from their withdrawal.

The potential frailties of e-voting systems have been demonstrated several times. In 2010, for example, researchers from Michigan State University successfully took over an internet voting system deployed by Washington DC, and managed to reach a position where they could have undetectably rigged the election. In the Netherlands, a campaign group called We Don’t Trust Voting Computers has even emerged to stop the use of such systems in elections.

Secure design

As well as making sure security concerns are addressed, the design of an e-voting system also needs to provide verifiability. Independent checks and balances are needed to ensure that bugs, hacking and corruption are detectable and cannot have an impact on the election. Voters will want to know how they can be sure that the system has not corrupted, subverted or lost their votes.

This is particularly difficult in voting because voters have a secret ballot and are reliant on the system to handle it correctly. The interaction between a voter and the system is private and the vote recorded within the system should not be connected to the voter. This is in contrast to banking for example, where errors and theft are more easily detected.

To address these problems, e-voting systems in the US and elsewhere have introduced the Voter Verified Paper Audit Trail as an independent paper record of the votes cast. These systems have had their problems too, though, and security is best designed into a system rather than bolted on afterwards.

Who’s doing it?

Estonia leads the way in Europe for parliamentary internet voting, having used it since 2007. Its system is built on top of the national digital identity card, which is used to authenticate voters to the system. To introduce a similar system in the UK, we would need some equivalent way of providing non-transferrable credentials.

Estonia also seeks to address another major concern relating to internet voting; the ease with which a coercer could force someone to select a candidate or party that is not their preference by watching them cast their vote. In Estonia, polling stations still operate alongside e-voting, so that people can choose the more traditional method of casting their vote if they feel under pressure. Voters can even vote again after their initial choice and only the final vote cast will count. This means that a coerced vote can be corrected later.

However, to achieve this the system must keep a record of votes against voters, which requires a great deal of trust and confidence in the election officials, who may have access to highly sensitive information and are required to safeguard it. There is no suggestion here that Estonian election officials are dishonest or incompetent but any system that relies on the honesty and competence of its operators is less than ideal.

There are many technical challenges still to be overcome but progress is being made. We are working with the Victorian Electoral Commission in Australia, for example, on a verifiable e-voting system which we aim to use in the 2014 Victorian State election.

The Victorians are keen to introduce this type of technology to make voting more accessible for blind and vision-impaired people and to be able to provide ballots in up to 20 different languages. It is also aimed at making voting from outside the state easier and help voters to correctly fill out the large and complex ballot forms used in Australian elections. Of course, this has to be done in a secure way, and so the system is designed using cryptography to provide ballot secrecy for voters and end-to-end verifiability to allow independent external checks that the system has processed the votes correctly, right from when ballots are cast through to the final tally.

It is challenging enough to introduce electronic voting into the polling stations, where we have control over the equipment. Internet voting raises a whole set of additional challenges. These are not insurmountable, but neither should they be underestimated. They need to be properly and carefully tackled if we are going to build an infrastructure for e-voting fit for the future.