With the 2020 US presidential election over and the result all but declared – and with the COVID-19 pandemic raging on across the world – online voting seems like an obvious choice for democracy in the digital age. But it is not as simple as it looks.
The pandemic reshaped the 2020 US presidential election, spurring a rise in postal votes and more interest in online voting.
In Europe and the US, where voters aren’t fined for not casting a ballot on election day, online voting could boost participation and deliver faster results than postal counts. In Australia, online voting could be more convenient for voters too, but there are serious hurdles to implementing it.
“It’s very easy for Australians to feel a bit smug about election security. We look at America – it’s a debacle,” says Thinking Cybersecurity chief executive and ANU adjunct associate professor Vanessa Teague, a noted critic of online voting systems.
“We think election interference and insecure election systems is something that happens in other countries. People say, ‘Here in Australia, we don’t have that kind of stuff.’ But we do have these kinds of problems.”
Professor Teague and several colleagues last year probed the shuffling and decryption components of Switzerland’s online voting system. It was relevant to New South Wales’ iVote online voting system because both were developed by Scytl, a company headquartered in Barcelona that specialises in secure electronic voting.
However, Swiss Post, Switzerland’s national postal service, published its shuffling and decryption code six months before it intended to use it for an election so that researchers like Professor Teague could vet the system for flaws.
The NSW government took a different tack. It rolled out iVote with Scytl code in 2015, after an initial trial in 2011. While it hired a major consultancy to audit its tech, Professor Teague notes that the NSW government did not release its source code for public review until four months after the 2019 state election.
The problems for NSW voters were legal and technical.
“The Swiss transparency law specified that if the system was to be used by up to 100 per cent of the voters it had to have a period of open and public review, well ahead of the election,” she said.
“We found two errors. One [was] in the proof that they were shuffling correctly without dropping or adding votes. The other was that they were decrypting correctly without telling lies.”
Online voting is not new. Estonia, wedged between Sweden and Russia, was the first country to enable online voting in 2005.
In 2017, after Russia’s alleged interference with the 2016 US presidential election, Estonia implemented anti-tampering features called “end-to-end verifiability”.
Rolling out a voting system like Estonia’s is not simple. Voters have a national ID card issued by banks. Voters also need a card reader that costs around $50.
There are education challenges too. A voter needs to place the national ID card into a card reader, open a web page for voting, and then verify their identity via a PIN code. On the server side, the election authority needs to confirm the person is who they say they are, confirm the person is eligible to vote, and then prove the vote was cast how the voter intended it.
What does end-to-end verifiability have to do with NSW iVote?
“Not much,” says Professor Teague.
“We want a way for the voters to verify that the vote they made was their true intention. iVote didn’t have that. It had a closed source verification app, designed and built by the same foreign software company that built the voting app in the first place.
“If you didn’t trust Scytl to encode your vote correctly, you could ask Scytl whether they’d done the right thing or lied when they encoded that vote,” she said.
iVote had a secret bulletin board that only allowed NSW government insiders to see what the encrypted votes were. It also relied on a single mix server – a piece of software that was meant to unlink identities from their votes – but the architecture meant that anyone with access to the server could link incoming ballots with ballots sent to the vote-capturing server.
“It kind of defeats the purpose because that server knows exactly the correspondence between incoming and outgoing votes. It doesn’t really do anything for privacy because whoever can read the data from that server knows how everybody voted.”
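The single-mix problem described above can be shown with a toy model. This is an added example, not iVote or Scytl code: it assumes a textbook ElGamal re-encryption mix (the article does not describe iVote's actual construction), uses a deliberately tiny group, and all function names and the sample ballots are constructed for illustration.

```python
import secrets

# Toy group: P = 2Q + 1 and G has prime order Q. Far too small for real use.
P, Q, G = 2039, 1019, 4
rng = secrets.SystemRandom()

def keygen():
    x = rng.randrange(1, Q)
    return x, pow(G, x, P)

def encrypt(h, m):
    r = rng.randrange(1, Q)
    return (pow(G, r, P), m * pow(h, r, P) % P)

def reencrypt(h, ct):
    # Multiply by a fresh encryption of 1: same plaintext, different ciphertext.
    s = rng.randrange(1, Q)
    return (ct[0] * pow(G, s, P) % P, ct[1] * pow(h, s, P) % P)

def decrypt(x, ct):
    return ct[1] * pow(ct[0], Q - x, P) % P  # c1 has order Q, so c1^(Q-x) = c1^(-x)

def mix(h, batch):
    """One mix server: shuffle and re-encrypt. out[j] came from batch[perm[j]]."""
    perm = list(range(len(batch)))
    rng.shuffle(perm)
    return [reencrypt(h, batch[i]) for i in perm], perm

def run_election(votes, n_mixes):
    """votes: [(voter, candidate_no)]. Returns decrypted outputs and each mix's secret perm."""
    x, h = keygen()
    batch = [encrypt(h, pow(G, c, P)) for _, c in votes]  # candidate c encoded as G^c
    perms = []
    for _ in range(n_mixes):
        batch, perm = mix(h, batch)
        perms.append(perm)
    decode = {pow(G, c, P): c for c in range(1, 10)}
    return [decode[decrypt(x, ct)] for ct in batch], perms

def link(perms, n):
    """What a holder of these permutations learns: output position -> input position."""
    origin = list(range(n))
    for perm in perms:
        origin = [origin[i] for i in perm]
    return origin

if __name__ == "__main__":
    votes = [("alice", 1), ("bob", 2), ("carol", 1), ("dave", 3)]  # constructed ballots
    out, perms = run_election(votes, 1)
    # With one mix, its operator alone can rebuild every voter's choice:
    print({votes[i][0]: out[j] for j, i in enumerate(link(perms, len(votes)))})
```

With `n_mixes=2`, `link` only recovers the voter-to-vote mapping when it is given both permutations, which is why mixnets are normally run as a chain of independently operated servers.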
Professor Teague tells InnovationAus that there is a US-based system called risk-limiting audits that can help prove that online votes are counted accurately. The problem is that iVote can’t support this type of audit.
“You need an evidence trail to check, such as paper ballots verified by voters. iVote has nothing. In theory, one could imagine some other kind of immutable record but realistically that’s the only solution,” she said.