Internet voting has two essential, unpatchable vulnerabilities: voters cannot vote anonymously and are exposed to external pressure.
That's why we have voting booths: so people are guaranteed to be able to vote without someone looking over their shoulder (or pointing a gun at their heads).
If people cannot vote in total freedom and anonymity, it's not a truly free and democratic vote.
We should stop trying to "solve" everything with technology. Some things should be "hard", because it's essential to get it right.
Postal voting has two essential, unpatchable vulnerabilities: anyone can open an envelope and can be exposed to external pressure.
People are exposed to enough pressure just by virtue of having to interact with politically passionate people just to get to the booths. In many cases, they don't check photo ID, just evidence of enrollment.
At the very least, I'd like to see internet voting implemented without low-hanging security issues, enough confidence in their implementation to open-source the code, and with the backing of security researchers and organisations like the EFF. At least if we had issues like guns being pointed at heads and potential invalid double-votes, we could discuss them in the context they deserve.
In Estonia the pressure issue is solved. One can vote as many times as needed. When the first vote was given under pressure, one can vote differently later. As many times as needed. Internet voting is not possible on the voting day, only before. That assures that when one has no possibility to vote without pressure on the internet, one has the possibility to vote traditionally. The traditional vote overturns the e-vote.
At some point, a decision has to be reached, right? You can't just decide ten years later that you changed your mind on some election issue and expect to take your vote back.
So if you're an evil person looking to pressure people to vote your way, you would make people prove their vote to you after it's too late to change it. Or, if it's not possible to verify the vote later (I believe it is possible in the Estonian system), you'd make them vote at the last minute.
Am I misunderstanding something here? I don't see how this issue has been solved.
Yes, there is a method to verify your vote. But as I said, e-voting is in advance only. On the voting day only traditional voting is possible, and the traditional vote voids the e-vote. An e-vote can be changed only while e-voting is active, not later.
And yes, one could prevent someone from going to vote traditionally, but this is out of the scope of e-voting. There are a myriad of methods to manipulate traditional voting. And your hypothetical case is really a kidnapping, a criminal offence, not scalable.
That's a reasonable approach, though of course it means that you can never have a 100% e-voting system as the security of the thing is contingent on there being a regular paper ballot.
> And your hypothetical case is really a kidnapping, criminal offence, not scalable.
No, there is no need for kidnapping. Human relationships are complicated and pressure can be applied in many ways. A spouse, father, or other person can influence people in his direct vicinity. The secret ballot and the requirement that only one person enters the voting booth at a time ensure that that influence does not extend to the election result.
You do not have any idea whatsoever how those systems are built, do you? Everything is logged, and log changes are logged and log change logs are logged and all those logs are signed, and when the logger loses its connection to the loggable, then this is logged too and that is logged too.
And finally. The interest in knowing who voted for whom is virtually zero. I admit that the principle of anonymous voting is good and needs to be guarded, but the real harm of a leak is virtually zero too. The bigger threat is manipulation of results.
You have no idea whatsoever how these systems are built.
You don't know because you haven't seen the software (or hardware) for them. You haven't because (I assume this part) you weren't one of the state inspectors, and what many (most?) of the manufacturers have done is to insist that no one ELSE be allowed to view the details since it's a "trade secret".
So maybe there is excellent logging like you describe. And maybe there isn't. We DO know that there have been occasional incidents of invalid vote reporting by the machines (such as [1] or [2]) that were not caught by such log systems.
You cast your vote at a github-hosted source code repository?
As René Magritte might have put it, "Ce n'est pas le logiciel". You haven't seen the software - you've only seen source code that may resemble what is running when you cast your vote.
And I don't really care what logs are kept, because any such log is one dodgy programmer, one bribed sysadmin, one lost private key away from being totally or partially compromised.
The system we have works and would require the complete and flawless cooperation of thousands of conspirators -- including mutually hostile, cross-checking party officials -- to subvert the outcomes.
There is nothing that prevents an online voting system from having a truly secret ballot. There is a class of algorithms[0] designed to compute a verifiable result from private inputs without revealing those inputs. One of the major applications of them being researched is voting.[1][2][3]
Normally I would agree with you, but only if we insist everything has to be completely over the internet. If we make it so that voters have to collect a random token from a box (i.e. you stick your hand in and take one) and that they have to show ID to get to pick one, then there is no way to vote twice (at least not without a fake ID) and no way to connect the voter to the vote. It does require on-site access, but that could be allowed over a period of several months if need be.
We already have voting by mail, of course, but this way you get to wait until election day to cast your actual vote and it is too easy to connect the vote to the voter.
The issue with a gun being pointed at the head could be solved rather easily by issuing every voter a random number of votes and marking one as special (perhaps it comes in another envelope). All non-special votes are automatically ignored, so you would gain nothing by pointing the gun at somebody's head.
This also solves the software trust problem: allow an open specification and an API test endpoint and somebody will write an open source voting program. As a bonus the software could submit the votes to an API at all the registered parties and any news org so that everybody could agree on the count.
I think mail-in ballots are the best option. Oregon does them, but I'm not sure what other places do.
Every voter gets a ballot mailed to them far in advance of election day along with a booklet outlining the benefits/consequences of measures we're voting for, what each potential representative wants to do, etc. You can take the time to research all available options and make an informed vote, then mail your ballot in at your convenience or drop it off at any library.
Far, far better than having to get up early in the morning and being around people who might attempt to grill you before/after you vote. Less chance of votes being manipulated since there's a paper trail, too.
I really don't know why the rest of the US doesn't do it this way.
That's definitely a "head of household can enforce votes" system, and in countries without strong ID systems is especially vulnerable to creating nonexistent voters.
Sure, but you need to sign your ballots, and if someone's forcing you to sign your ballot or forging your signature, it's a crime.
There's far less social pressure when you can fill out your ballot whenever and wherever than needing to line up somewhere and deal with the social pressure of voting "properly."
No method is perfect, but I think the issues with mail-in ballots are nowhere near as bad as the problems voting booths present.
Is it information-theoretically impossible to devise a cryptographic protocol that allows all the desired properties of voting (verifiability, anonymity, preventing double-votes, ....)?
I recall that there exist some protocols that provide at least some of those.
If it's not impossible then it's not unpatchable. Someone just has to come up with the right method to do it.
I've mostly read about them in passing, but a quick google search turns up some results. They seem to rely on at least partially homomorphic encryption.
Interestingly, the NSW iVote seems to share some ideas with Helios. They both appear to use ElGamal encryption, which is a [partially] homomorphic algo.
I don't know anything close to enough about ElGamal to comment on their implementation with any authority whatsoever, except to note that it looks very different to others I've seen. The challenge/proof parts in particular look unusual to me - I haven't spent a lot of time looking into their implementation, so it could just be parsing failure on my part, but it doesn't appear at first sight to use the usual Fiat-Shamir method other ElGamal implementations I've seen tend to.
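The "verifiable result from private inputs" idea raised earlier in the thread and the partially homomorphic ElGamal mentioned here can be shown concretely with exponential ElGamal, the additive variant used for tallying. This is an added example, not code from the thread or from Helios or iVote; the prime, generator, key and vote values are all constructed toy parameters, far too small for real use.

```python
# Added example (not from the thread, Helios or iVote): additive-homomorphic
# "exponential ElGamal" tally. Each ballot is encrypted as G^v, and multiplying
# ciphertexts adds the exponents, so the tally can be decrypted without ever
# decrypting an individual ballot. All parameters are constructed toy values.
import secrets

P = 1019   # constructed toy safe prime: 1019 = 2*509 + 1
Q = 509    # prime order of the subgroup of quadratic residues mod P
G = 4      # 4 = 2^2 is a quadratic residue mod P, so it has order Q

def keygen():
    """Private key x in [1, Q-1]; public key G^x. In a real election the
    private key would be shared among trustees, not held by one party."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def encrypt(pub, v):
    """Encrypt a 0/1 vote as (G^r, G^v * pub^r) with fresh randomness r."""
    assert v in (0, 1), "a ballot must encode 0 or 1"
    r = secrets.randbelow(Q - 1) + 1
    return (pow(G, r, P), (pow(G, v, P) * pow(pub, r, P)) % P)

def add(c1, c2):
    """Homomorphic addition: the componentwise product encrypts v1 + v2."""
    return ((c1[0] * c2[0]) % P, (c1[1] * c2[1]) % P)

def decrypt_tally(priv, c, max_votes):
    """Recover G^sum, then search the small exponent range to get the sum."""
    a, b = c
    g_sum = (b * pow(a, P - 1 - priv, P)) % P   # b / a^priv == G^sum (mod P)
    for s in range(max_votes + 1):
        if pow(G, s, P) == g_sum:
            return s
    raise ValueError("tally outside the expected range")

def run_election(votes):
    """Encrypt every ballot, combine them, and decrypt only the combined total."""
    priv, pub = keygen()
    ballots = [encrypt(pub, v) for v in votes]
    total = ballots[0]
    for c in ballots[1:]:
        total = add(total, c)
    return decrypt_tally(priv, total, len(votes))

if __name__ == "__main__":
    print(run_election([1, 0, 1, 1, 0]))   # 3 "yes" votes out of 5
```

Note that nothing here stops a voter from encrypting 2 instead of 1, which is exactly why real schemes attach zero-knowledge proofs (the challenge/proof parts discussed above) to each ballot.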
Interestingly https://vote.heliosvoting.org/faq gives the answer no to "Should we start using Helios for public-office elections?" on the grounds that people's computers are too easily compromised for this to be viable. So perhaps the issue is not the protocol at all?
According to the technical paper they don't even attempt to provide any form of coercion-resistance, so that would already fail one of the criteria usually required of public elections.
But yes, computer security certainly is a problem. But I think it's not intractable. We manage to get online banking to work with acceptably low compromise rates despite huge monetary incentives to attack them.
So maybe if they handed out small, non-personalized cryptographic devices (similar to TAN generators) that can do all the essential operations and talk to a smartphone to retrieve a ballot and submit the vote then e-voting could work.
It would essentially be your own little portable voting booth. It's important though that the device should be separate from the key used to vote, so you could swap devices and re-cast your vote if you consider it compromised for any reason.
The government could promise to maintain anonymity for online voting, and it wouldn't be any more or less believable than for in-person voting. It would be trivial to subtly mark ballots to track who voted for what, or heck, even hide cameras in the booths.
That would be a problem if internet voting was the only option, but surely if the "normal" way of voting was still to come in to the polling place on the day and cast a paper vote, then online voting as an option for people who are unable to make it to the polling place on the day is not a bad idea?
That picture could be shooped, therefore it does not provide proof to the coercing party.
The threat model for coercion-resistance is providing proof to someone after you have cast your vote.
The threat model for anonymity is an observer - either a 3rd party or someone colluding with the voting authority - that does not have access to the voting client itself.
Voting-at-gunpoint coercion as threat model cannot really be defended against because it basically implies that the attacker has full control over the voter. Even some scheme that would allow vote retraction/recasting wouldn't help since the attacker could simply keep threatening the voter until the election is over.
Let's say I'm trying to force you to vote for my candidate. Am I going to be happy with you taking the option of going to the polling place to vote privately? No. You'll do it right here where I can watch you click the button for my guy.
Coercion is a problem even with paper ballots, though. I could force you to take a picture with a cell phone of who you voted for on threat of violence.
Is that really a problem? There's nothing stopping anyone from pointing a gun at my head and demanding I transfer all my savings to their account. That would have more impact on my personal wellbeing than someone stealing my vote. But we don't ban internet banking.
If somebody steals your savings, one person is affected - you. And while pointing a gun at one person's head will work, it won't scale.
But if somebody works out how to steal an electronic vote, such a solution is likely to scale, and to compromise the outcome of the election, which would have a massive collective impact.