How would you design a secure online voting system?
You don't. Anything done "online" simply verifies that "some human at a keyboard" has the requisite "secret" -- but cannot verify that the correct human who should legally have the secret is indeed the one entering the secret.
I.e. Bob gives Joe his "voting secret" and now Joe can log in as "Joe" and vote his legal vote, and also log in as "Bob" and cast a second vote, all while the online system believes "Bob" is casting that second vote.
Also, if you want to maintain the secrecy of the ballot then you simply cannot perform online voting, because with the machines there can always be some trail to trace between "ballot X" and "Fred" to show who cast that ballot.
Those statements apply to in-person voting, too, don't they?
How do you verify the identity of a person at the polling station?
I'm not sure how it's done in the US specifically but in general it boils down to the voter handing over a piece of paper that's been mailed to them by some government agency and optionally, in places where such provisions exist, producing an ID card or social security ID.
That's nothing more than the real-world equivalent of "but cannot verify that the correct human who should legally have the secret is indeed the one entering the secret."
It's admittedly much more difficult to pull off at scale in an in-person setting, though.
It is exponentially more difficult to pull off in-person identity theft at scale, whereas getting secrets online at scale is a lot more feasible.
Where I live in the USA, you verify the voter to get a ballot, go to a private area to fill out the ballot, go to a new area to scan the ballot, and leave the paper ballot that is filled out in the scanning machine to have a paper trail of votes. Unless you are the only person voting in a long stretch of time it would be hard to determine which vote was your vote. That doesn't mean it is impossible just highly unlikely.
Possibly being able to identify a voter and their vote after the fact certainly is another issue, one that admittedly is more pronounced with a digital system (albeit still solvable).
However, verifying that a voter is the person they claim to be is a problem that equally exists in both online and offline settings.
I would look at works in other countries and see how we can adopt or improve on that and our existing system.
Some things that come to mind:
- National voter ID card. Countries like Mexico and India have this for everyone. You can’t vote without it.
- Fingerprint of some sort. Either retina or fingerprint scan to verify identity. This opens up a civil liberties can of worms but we would need to secure this somehow.
- I’ve read of some startups looking to use blockchain, but not sure how that would work.
- I read an article about a company called Unum ID that was looking to address this problem. You sign up, give an address, they mail you a card with verification of your address to put into their app. The app then has a unique QR code that gets scanned. Similar verification setup to Nextdoor or buying ads on Facebook. They verify your identity by mailing you a unique code that needs to be entered into an app or page to verify your address and who you are.
I think the key components are: verify the address of the person, confirm it, and securely/uniquely store the identity in a service.
The biggest problem we face is fraud. Double votes, voting for others, voting as dead people. California had to purge their roster after being sued for the data being inaccurate. I think 300k names were removed or asked to verify. 300k wrong voters can swing a local or state election. That’s big.
The process is actually quite straightforward:
- Every citizen is issued an ID that includes a hardware embedded public/private key pair. A YubiKey essentially. This step is optional, but allows ballots to be assigned remotely.
- Election commission creates and maintains their own key pair.
- Ballots are assigned remotely to eligible voters by encrypting with the citizen’s public key, or assigned in person. Ballots themselves are key pairs, and the commission throws away the private keys after assigning them. The list of ballots is published signed by the commission’s key.
- Votes are the position + a secret encrypted by a voter’s private key, signed with the ballot. Votes sent to the commission and published.
Everyone can see which ballot voted which way, verified by the ballot public key. Voters can verify the commission didn’t keep the private key by verifying their encrypted secret. Votes are anonymous, cryptographically verified, and if a citizen ID system is used ballots can be assigned remotely so the entire election is remote.
No blockchain or specific applications are required for this system, just agreed upon key algorithms. The downside is keeping private keys secure is difficult compared to watching over physical ballots.
A system similar to this was used in the recent Hong Kong protest election, with the ballots issued in person.
Estonia’s system is insecure, relying on private closed systems to store, transmit, and tally votes. They have made changes, but AFAIK they don’t provide a way to publicly cryptographically verify votes or vote counts, and voting has to be done through a specific app.
A simpler variation on this system is for the ballot keypair to be generated by the voter, and then the public key given to the registrar to "register" for the election. The registrar publishes all the registered ballots signed by their key. All the registrar does is ensure eligible voters submit a public key to register. This would require a voter to register in person or a national ID card that could be used to sign the ballot public key.
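The ballot-as-key-pair scheme described above, and the variant where the voter generates the ballot key and a registrar merely signs the list of public keys, as an added Go example that is not code from any commenter or from any existing voting project: the commission (or registrar) signs the published ballot list, a voter signs their choice with the ballot private key, and any observer can recompute the tally from published data alone. The "secret" is simplified here to a SHA-256 commitment of a voter-chosen nonce, which lets the voter recognise their own vote in the published list; the function names, the `Choice||Secret` message layout and the one-vote-per-ballot rule are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
)

// A ballot is an ed25519 key pair; only its public key is published, so a vote is tied to a ballot, never to a voter.
type Vote struct {
	Ballot ed25519.PublicKey
	Choice string
	Secret [32]byte // sha256 of a voter-chosen nonce, so the voter can later find their own vote
	Sig    []byte   // signature by the ballot private key over Choice||Secret
}
func voteMsg(choice string, secret [32]byte) []byte { return append([]byte(choice), secret[:]...) }
func listBytes(ballots []ed25519.PublicKey) (out []byte) {
	for _, b := range ballots {
		out = append(out, b...) // fixed 32-byte entries, so concatenation is unambiguous
	}
	return out
}
// SignBallotList: the commission (or registrar) signs the published ballot list.
func SignBallotList(commPriv ed25519.PrivateKey, ballots []ed25519.PublicKey) []byte {
	return ed25519.Sign(commPriv, listBytes(ballots))
}
// CastVote runs on the voter's side with the ballot private key only they hold.
func CastVote(ballotPriv ed25519.PrivateKey, choice string, nonce []byte) Vote {
	secret := sha256.Sum256(nonce) // assumption: a hash commitment stands in for the "encrypted secret"
	pub := ballotPriv.Public().(ed25519.PublicKey)
	return Vote{pub, choice, secret, ed25519.Sign(ballotPriv, voteMsg(choice, secret))}
}
// Tally is what any observer can recompute from published data: verify the commission's signature on
// the list, then count one valid vote per listed ballot; unlisted ballots, bad signatures and a second
// vote from the same ballot are rejected.
func Tally(commPub ed25519.PublicKey, ballots []ed25519.PublicKey, listSig []byte, votes []Vote) (map[string]int, bool) {
	if !ed25519.Verify(commPub, listBytes(ballots), listSig) {
		return nil, false // list was not issued by the commission
	}
	eligible := map[string]bool{}
	for _, b := range ballots {
		eligible[string(b)] = true
	}
	counts := map[string]int{}
	for _, v := range votes {
		k := string(v.Ballot)
		if !eligible[k] || !ed25519.Verify(v.Ballot, voteMsg(v.Choice, v.Secret), v.Sig) {
			continue
		}
		delete(eligible, k) // one vote per ballot
		counts[v.Choice]++
	}
	return counts, true
}
```

Because Tally needs nothing but the signed list and the published votes, the same function serves the commission, an independent observer and a voter checking that their own ballot was counted as cast.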
If I understand correctly, you are saying when the voter goes to the DMV or US post office - a registrar can instruct the voter to download a voting app on his phone. The registrar activates the app and generates the key pair. The registrar records the voter’s public key. The voter can now use the app to vote and his votes are encrypted using his private key which can be read using the recorded public key. Every election cycle or if he loses his phone the voter needs to go back to the registrar. Is there anything I am missing?
Yup. Or if a national ID system was put in place they wouldn’t need to go to the registrar, since the ID would have a key pair to prove eligibility remotely.
There have been dystopian stories written about such schemes. The ID card essentially becomes a 'voting voucher'. You have to possess it to vote. Employers then demand your ID card as a term of employment. The voting system becomes a corporate power grab, and the resulting disenfranchising of everybody becomes a new form of society.
That would be illegal, and quite difficult to hide, since presumably you need the ID card for other things. The larger the company is the more difficult it is to keep this a secret.
A company can already compel you to vote, because all states allow mail-in ballots. It would be pretty hard to announce this to everyone while simultaneously keeping it a secret.
Illegal? What makes us think that unrestricted corporate power isn't going to continue?
In the story, it's become an ordinary fact of life. In fact, once you have somebody's card you have their life. They can kill employees if it's convenient.
But it's just a story.
The biggest problem with voting systems (online or otherwise) is absolute secrecy. If you give up on this requirement, which I believe is antiquated [0], you can easily come up with a system where most fraud could be fixed and punished. You can have reasonable privacy, but you have to have the ability to audit votes if need be.
A system in which all votes are fungible after a certain point only encourages fraud. As long as you execute it well you can have a high degree of certainty that you won't be punished.
[0] First, behind this requirement is the premise that political repression is to be expected. I'm sure that's true in some places, but you want to fix this in other ways. Second, you already don't have perfect secrecy in many systems and people don't seem to mind.
"Online voting" is a solution in search of a problem. A pencil and paper does the job better, cheaper, and more securely.
The problem solved by cryptographic electronic voting is secure remote elections. Mailed ballots cannot be secured from tampering, since they cannot be observed. I voted remotely this election, and I have no way to verify my ballot was counted correctly by my county registrar, or even received.
Another minor problem cryptographic electronic voting solves is inaccurate vote counts.
If we allow vote-by-mail we should allow cryptographic voting over the Internet. I agree in-person voting is the most secure, but we already use a less secure system.
Except when it doesn't.
Take the current elections in the US as an example. Yes, the system's working and it has proven to be quite resilient but those shenanigans involving mail-in ballots and the uncertainty that came with that for example could've been avoided with a properly designed digital system.
Most of those problems could of course be solved with a properly designed non-digital system, too.
Even a properly designed digital system will have flaws and if it is on a network it can be hacked at scale. Hacking paper ballots cannot be achieved at the scale necessary to sway a national election.
It's similar to a story I read a while ago about flooding a lottery system with enough combinations of numbers to near guarantee some level of profit. The scale needed to fill out, submit, track, etc. tens of thousands of tickets was ridiculous.
There is no need to speed up the election process. If any human effort is to be spent, it should go towards rolling back the perceived need for constant updates. It's unhealthy.
HN users get dumber every day. Have you had your brain turned off the last couple days?
I started thinking about this a few months ago when I voted by email as an overseas voter. Essentially, our state has an online-to-offline process to convert digital votes to a PDF that can be emailed or faxed, then printed and processed like any other vote.
We could immediately open this system up to every American with a small number of technical & legal changes.
Most of my thoughts about a more complex system are probably not unique, but thinking about this generated a few details that may be interesting.
The obvious final conclusion (for me) was that we could digitize our entire system in a few election cycles, without throwing out the entire system and starting over.
Just 1. Set minimum requirements federally for voter registration systems, 2. Create digital tools for creating and tabulating votes (form to PDF software, public ledgers), & 3. Allow everyone to cast a digital vote which can be converted to a normal paper ballot.
Then, at some point in time, you reverse the system, and make your digital ledger your source of truth, instead of your paper ballot counts.
Imagine a simple, digital, public ledger:
1. Each existing voter registration generates a unique, anonymous identifier. They probably already do, you just have to standardize it and create an API to verify it. Cryptographic verification solutions would improve this even more.
2. Create a simple, open source public ledger with an open API. Something where any software that knew enough of the voter registration details combined with that identifier could submit or update a ballot.
3. Give voters multiple systems for voting, to ensure everyone has access to a system that meets their needs. No reason to restrict who can create a system, just set federal minimums for each of these systems & let any tech company build a competing app.
4. A public / private key signature process could be used to ensure the validity of both a "local copy" of the vote stored on the user's device, and that the vote was cast, for future auditing. You could create APIs for validating a vote.
Once you get everyone a unique voter registration identifier, voters could download the database and use simple tools to audit their vote as part of the final, public count. Any irregularities would be publishable and verifiable.
Independent groups could use samples of volunteers (who would essentially agree to publish their voter ID & local copy of their choices for that year) to further validate the integrity of the result.
You could even plant fake votes that cancelled each other out to facilitate an audit.
I'm sure there are details I'm getting wrong (like how to protect someone's identity in a world where all your voter registration details are able to be purchased in legal and illegal markets).
My only point is, anyone could start working on this kind of system as an open source project, validate it works, and start "patching" our existing voting processes with more accessible or more efficient digital replacements.
Here is a great video from Computerphile about why this is a hard problem
https://www.youtube.com/watch?v=w3_0x6oaDmI
Long story short voting needs to be secure and anonymous to be fair.
Hard to get all things at once.
Estonia has online voting. Approximately 30% of votes are cast via that medium. There have been past concerns about the security, but they are supposedly resolved now. They use a smartcard and blockchain as part of the system. I don't remember the rest.
So if I were building a system for voting online, I would audit that system and improve on any security deficiencies.
E2EVIV - end to end verified internet voting, is an open field of research. There's a company out of Portland that is working on implementations from publications called Free and Fair. The IVF internet voting foundation has some good documentation on this as well.
I'd keep it offline but allow for online lookups to make sure your vote is cast.
For example, at the end of the process the election counters release a file called "results.txt".
Inside that file is a data structure like:
{ huid: "123-456-789-ABC", vote: "Biden" }
Then you grep for the secret huid that you wrote on your paper ballot and make sure that your vote was counted correctly.
This is a simplified concept without e.g. PK crypto. Microsoft's ElectionGuard is an actual cutting edge implementation of how to do it well:
https://github.com/microsoft/electionguard
The first problem is identity. The voting part is easy, the politics are impossibly expensive to navigate though.
It already exists!
HTTPS://Vocdoni.io
HTTPS://Docs.Vocdoni.io
--->Online.
I wouldn't.
But to take a stab, welcome blockchains ^_^
I wouldn't design it but I could contribute to it. I would look for the proverbial pony express friendly features and check if they actually make sense in 2020. For example: remove the requirement for it all to happen at the same time. This is clearly a feature that makes paper voting work. In 2020 we should be able to change our vote when we like and have a threshold at which a candidate or party is replaced. (This also gets rid of the election circus and makes election promises more binding (rather than the "say whatever you like" paradigm). If you need to make decisions that are unpopular you will just have to work harder to inform and educate people about the logic behind it.)
If it is not in real time voting in person is not a problem. A secure room (phones and cameras not allowed) where no one can see what you've voted. (a bus would do fine)
4 separate systems with a 5th that checks if they all got the same vote from you. At the regional level the votes are counted continuously; if one of the 4 systems produces a different result an investigation is triggered and huge prison sentences may follow.