Tactics to make Internet voting more reliable than traditional voting.
David Grace (www.DavidGraceAuthor.com)
People fear that voting over the Internet will fall victim to massive fraud.
At least part of that concern is because they’re thinking that an Internet voting system would simply add each new vote to a candidate’s total on a computer’s hard disk.
But that’s not how you would do it at all.
Let’s work backward through the process of how votes would actually be cast and recorded over the Internet.
How Votes Would Be Stored
First, the media holding the voting totals would not be an ordinary magnetic disk. It would be an optical disk.
Data is added to an optical disk by deforming tiny physical locations on the media. Once written that data cannot be erased. You can add new data to a “Voted For” optical disk, but you cannot delete old data.
So, instead of storing incremented voting totals on an ordinary magnetic disk in the form of:
Smith    Jones
547      422
the “Voted For” optical disk would store each new vote as a new entry at the bottom of a list of names:
Each Smith and Jones entry is permanent and once a Smith or Jones name has been added to the Voted For list it cannot be deleted.
How Votes Are Counted
When voting closes, the optical disks would be physically loaded into a computer that is not connected to a network, an “air-gapped” computer, which would simply count up the number of Smith entries and the number of Jones entries to get the total for each candidate.
After the election the Voted For optical disk would be archived and available for examination by the candidates and election officials.
Preventing Phantom Votes
The next question is: How do we prevent people from gaining access to the system and writing extra Smith or Jones entries to the unalterable optical disk?
At the time of registration each registered voter would be assigned a Voter ID Number in the range of, for example, 1,000,000 to 2,500,000. If a voter becomes de-registered their number goes on a list of numbers available for re-assignment to a new voter. If all the numbers in the range are used up then a new top number would be assigned and the range of voter numbers would be updated to, for example, 1,000,000 to 2,500,500.
When a person logs in to vote, a different optical disk, the Who Voted disk, would be scanned to see if their Voter ID Number is (1) within the established range and (2) already on the Who Voted disk.
If their Voter ID Number is within the valid range and also NOT on the Who Voted optical disk, (1) the voter is allowed to access the ballot screen, (2) their choice, Smith or Jones, is written to the Voted For Disk AND ALSO (3) their Voter ID Number is added to the Who Voted optical disk.
If that Voter ID Number was out of range or already on the Who Voted optical disk, the voter would be deemed fraudulent and that person would not be given access to the ballot screen.
Since a Voter ID Number cannot be deleted from the Who Voted disk, no one can vote twice.
Now we have a permanent, unalterable list of who voted, and we have a permanent, unalterable list of the number of times each candidate received a vote and we have prevented anyone from voting twice.
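The check-then-append procedure above, sketched as an added example (not code from the article or from any real election system). The in-memory `WriteOnceLog` stands in for the optical disks, and the lock that repeats the Who Voted check at write time is an assumption added here so that two simultaneous sessions using the same Voter ID Number cannot both record a vote.

```python
import threading
from collections import Counter

class WriteOnceLog:
    """In-memory stand-in for a write-once disk: append and read, nothing else."""
    def __init__(self):
        self._entries = []
    def append(self, entry):
        self._entries.append(entry)
    def entries(self):
        return tuple(self._entries)   # immutable copy for readers

class Election:
    def __init__(self, id_low, id_high, candidates):
        self.id_low, self.id_high = id_low, id_high
        self.candidates = frozenset(candidates)
        self.who_voted = WriteOnceLog()   # the "Who Voted" disk
        self.voted_for = WriteOnceLog()   # the "Voted For" disk
        self._lock = threading.Lock()     # assumption: not described in the article

    def may_vote(self, voter_id):
        """Login-time check: ID in range and not yet on the Who Voted list."""
        in_range = self.id_low <= voter_id <= self.id_high
        return in_range and voter_id not in self.who_voted.entries()

    def cast(self, voter_id, choice):
        """Repeat the check and write both lists as one step, under the lock."""
        with self._lock:
            if choice not in self.candidates or not self.may_vote(voter_id):
                return False
            self.voted_for.append(choice)
            self.who_voted.append(voter_id)
            return True

    def tally(self):
        """What the air-gapped counting machine does: count entries per name."""
        return Counter(self.voted_for.entries())

def demo():
    # Constructed sample: two valid voters, one repeat, one out-of-range ID.
    e = Election(1_000_000, 2_500_000, ["Smith", "Jones"])
    attempts = [(1_000_001, "Smith"), (1_000_002, "Jones"),
                (1_000_001, "Jones"), (999_999, "Smith")]
    return [e.cast(v, c) for v, c in attempts], dict(e.tally())

if __name__ == "__main__":
    print(demo())
```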
How Do We Know You Are You?
How do we make sure that Mary Anderson’s vote is actually being cast by Mary Anderson and not some impostor?
First, let’s pause to consider how we vote now.
Today, I go to my polling place and I tell them my name and address. They look on a printed list, find my name and address, and they give me a ballot. That’s it.
No one ever asks to see my ID. No one ever checks to see if I am me. Today, anyone can go from polling place to polling place with a list of names and addresses and cast multiple votes.
Of course, if the real voter later showed up they would be told that he/she had already voted and questions would be asked, but there would be no way to determine who the phantom voter was or who he or she voted for.
On-line voting should be as secure as the current system, but it’s hypocritical to criticize it for not being many times more secure. That’s like condemning flying because planes sometimes crash when the alternative is driving, which is 86 times more likely to kill you than flying.
OK, let’s go back to how we would verify that the person who logs into the voting system as Mary Anderson really is Mary Anderson.
Before anyone will be able to vote on-line they will have had to appear at some government office, a fire station, a police station, a post office, a court building, etc. and present the same ID required to register to vote. Then their fingerprint would be electronically recorded in the same way that you record your fingerprint when you get your new smart phone.
Next, the voter would give the county the phone number of their smart phone.
When it came time to vote, Mary Anderson would open the County’s voting app on that same phone. The County would text her a six digit number. She would enter that number into the app and then swipe her finger over the phone’s fingerprint sensor.
The election computer would compare
- Her registered phone number to the number she was calling from, and
- The six digit number she entered with the one it had just texted her, and
- Her fingerprint with the fingerprint it had on file.
They would all have to match. After they matched, the app would check the unalterable Who Voted list to confirm that Mary Anderson’s Voter ID Number is not on it.
Only when all that was done would Mary Anderson be able to advance to the ballot screen.
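The phone-number and six-digit-code comparisons from the list above, as an added example (not code from the article or from any county system). The five-minute expiry, the three-attempt limit, the single-use rule and the class and function names are assumptions made here; the fingerprint comparison is left out because it depends on the phone's sensor and the record on file.

```python
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300  # assumption: the article does not give an expiry
MAX_ATTEMPTS = 3        # assumption: limits guessing of a six-digit code

def _same(a, b):
    """Constant-time string comparison."""
    return hmac.compare_digest(a.encode(), b.encode())

class LoginChallenges:
    def __init__(self, registered_phones, clock=time.monotonic):
        self.registered = registered_phones  # voter_id -> phone number on file
        self.pending = {}                    # voter_id -> [code, expires_at, tries_left]
        self.clock = clock

    def issue(self, voter_id):
        """Return (number to text, six-digit code) for a registered voter."""
        code = f"{secrets.randbelow(10**6):06d}"  # CSPRNG; keeps leading zeros
        self.pending[voter_id] = [code, self.clock() + CODE_TTL_SECONDS, MAX_ATTEMPTS]
        return self.registered[voter_id], code

    def verify(self, voter_id, device_phone, entered_code):
        """True only if the phone and the code both match; codes are single-use."""
        entry = self.pending.get(voter_id)
        if entry is None:
            return False
        code, expires_at, tries_left = entry
        if self.clock() > expires_at or tries_left <= 0:
            del self.pending[voter_id]       # expired or guessed too often
            return False
        entry[2] -= 1
        phone_ok = _same(device_phone, self.registered[voter_id])
        code_ok = _same(entered_code, code)
        if phone_ok and code_ok:
            del self.pending[voter_id]       # a used code cannot be replayed
            return True
        return False
```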
Now, how secure is this compared with someone wandering into a polling place, giving a name without any ID whatsoever and being allowed to vote?
So far, comparing the security of Internet voting with the security of paper voting is like comparing the safety of flying to the safety of driving.
The Process From Beginning To End
Mary Anderson goes to a government office, presents a photo ID and has her fingerprint and phone number recorded.
Mary Anderson logs into the voting app from a known phone with her known fingerprint.
Mary Anderson’s Voter ID Number is retrieved and checked against an unalterable list of who has already voted to make sure she has not already voted.
Mary Anderson is then presented with a ballot form from which she makes her selections.
Those selections are (1) encrypted, (2) sent, (3) decrypted, then (4) added at the bottom of an unalterable Voted For list and (5) her Voter ID Number is added to the unalterable Who’s Voted list.
Nothing Is Perfect
Could something go wrong? Maybe. If someone gained access to Mary’s phone and installed software that could intercept the ballot screen, in theory it might be able to ignore Mary’s choices and send different choices back to the County, but this is a problem that has been solved long ago with regard to credit card purchases.
Systems are already in use that encrypt credit card transactions to avoid this sort of interception mischief. It would be relatively easy to adapt these same encryption techniques that we now apply to sending credit card information, bank account numbers, and financial transfers between our phones and the bank’s computer to sending the ballot choices from our phone to the county’s computer.
It’s been suggested that Internet voters might be targeted with an email scam that would direct them to a fake voting site. People already know not to respond to emails claiming to be from the IRS, their bank, etc.
It won’t take much effort to train Internet voters to ignore any emails claiming to be from the election authorities, plus voting would commence with the user tapping the VOTE icon on their phone, not typing a URL.
Can we guarantee that it would be totally impossible to ever cast a fraudulent on-line vote? Of course not. Can we guarantee that it is totally impossible to cast a fraudulent paper ballot? Absolutely not.
The concern is not about a few fraudulent votes here and there. The concern is about a systemic flaw that would allow hundreds or thousands of fraudulent votes to be cast. That is something careful design can prevent.
How You Would Avoid Problems
After you designed the system, you would set up a test site with test voters and a test election.
Then you would publish how the system works.
On the appointed Test Election Day your test voters would cast their ballots as instructed in advance and the totals the system recorded would be compared to the totals you expected to receive.
You would pay $100,000 to each of the first five people who succeeded in compromising the system in exchange for the details of how they defeated the system and also their cooperation in changing it so that their method would no longer work.
Then you’d hold a second test election. And if necessary a third. You would continue to hold test elections with prizes for successfully corrupting the result until you had a system where the voting totals couldn’t be altered.
Today, the basic idea of democracy is under attack. Voter suppression schemes are blossoming under the guise of foiling fraudulent voting.
- Polling places in districts heavily populated by “the other side” are being closed.
- Poor people are discouraged from voting by holding elections on work days.
- People are discouraged from voting by reducing polling places which forces them to wait for hours in long lines.
We could increase participation by
- Holding elections on weekends
- Holding elections over several days instead of just one day
- Taking voters’ fingerprints at the time of registration and then verifying voters by a quick fingerprint scan at the polling place
- Internet/Smart-Phone voting
We don’t do these things, in material part, because certain politicians want to restrict voting by members of the lower classes and minorities who they believe will vote against their candidates.
Internet voting avoids lines, missing work, and the difficulty of physically appearing at a polling place. It provides an easy way to vote over multiple days without the cost of renting and staffing polling places for several days.
While it has to be intelligently and carefully designed, its benefits are more than worth it.
We just have to do the work.