A Computer Scientist Explains the Problem with Online Voting
Ryan North

Arguing that computer systems can never be engineered towards resilience against fraud is the wrong argument against electronic voting.

The statement that various layers of abstractions in computer systems are an unfixable security problem is only true within certain assumptions. Those assumptions are:

The system is run by a small enough set of computer systems to compromise all or enough of them.

We can distribute computation on millions of different computers and a variety of independent software these days without problems using protocols, standards and computer networks. The more diverse and distributed the system, the harder it is to compromise it. At a point it becomes practically impossible.

Electronic votes cannot be validated in retrospect.

We know plenty of cryptographic approaches today to verify ownership decoupled from identity. On top of this, we have a rich set of statistical methods that can be used to detect fraud. Electronic votes are very well auditable when the system was designed for it.

Voting systems must provide absolute reliability to be useful.

Absolute reliability is not what analogue voting systems provide today. Actually, it’s quite the opposite: Analogue voting requires a lot of trust into officials and institutions. Many countries around the world are seriously struggling with this — even including very developed countries like the USA. We don’t need to come up with something absolutely reliable. Just with something more reliable than what we have today. And that bar is not unreachable high.

Here’s a hypothetical voting system that shows that we can indeed get around all of the three assumptions:

Let’s assume a distributed ledger as the base of our voting system. We let people vote anonymously but publicly on this ledger. People would use one-time-usage keys issued by at least 2 independent sources to sign and later validate their vote. Those keys are issued to assure a single vote per person and the total amount of keys would be limited to the amount of voters through cryptography methods. Independent key issuers would minimize the risk that officials can steal keys from voters that don’t use their right to vote. To assure a personal and secret vote, one of those keys would be issued after identification in a dedicated cabin. The voting would take place in the cabin but on the voter’s device with their software of choice.

The correctness of individual votes — once accepted on the ledger — could be validated and confirmed by every voter for their own vote with a separate key. Such validations would be propagated on the ledger as well. The entirety of all votes, validations and therefore the outcome of a poll would be available to everyone. Moreover, everyone would be able to verify that all votes on the ledger are authorized (signed correctly) and that no unauthorized votes have been counted. Officials would correlate the total count of votes with their separate counts of identified voters and therefore add another validation mechanisms to detect potential fraud.

All three core processes — voting, validation and summing — would be implemented by an unlimited amount of independently developed software. Each software would implement parts of the open ledger protocol and could run on a variety of different stacks and devices. The amount of validated votes would determine the probability for correctness of the end result, taking a maximum successful attack into account. The higher the validation rate of votes, the higher the probability for correctness. The closer a vote, the more validations are needed to be able to validate the overall results with a probability close enough to certainty.

Such a combination of distributed software and validation mechanism shrinks the impact of every attack vector to a predictable maximum. Even the most successful attacker would not be able to manipulate a poll beyond small magnitudes. Otherwise statistical anomalies beyond the standard derivation would signal fraud. Therefore it’s unlikely to manipulate a poll in a way that it affects the outcome without noticing. Even in the worst case scenario — when a poll is close and manipulation is likely — the confidence in the result would still be an objective mathematical number which is much better than the uncertainties that we are facing with polls these days — especially when they are close.

Overall, such a voting system would be way more resilient and reliable than today’s pen and paper approach. The whole voting process would be transparent and observable. Organisations like the UN and OECD would be able to oversee the entire process with their own software and could detect fraud independent of local administrations.

So why are we not using such a system then? The problem with electronic voting is not of technical nature. Every voter — and most importantly all involved officials and politicians up for vote — would need to understand why such a system would be reliable and resilient. Apparently some computer scientist already don’t understand how the right combination of cryptography, distributed ledgers, statistics and chain of trust can lead to trustworthy electronic voting systems. How would we get non-technical people to understand and trust such a system then?

The striking argument against an electronic voting system is not technical feasibility. It’s the complexity of the solution that would hardly be understood, accepted and adopted by enough people in the near future.

A final side note for the nerds: I used the term distributed ledger because such a system might be as simple as a distributed HashMap with an attached protocol and some brute-force protection. For various reasons there’d be no need for a heavy weighted decentralized blockchain with smart contracts and block confirmations. When we can assume a fixed amount of verifiable keys distributed upfront to voters then we find ourselves in a different situation than in a classical blockchain scenario.