INNOVATE

At the Intersection of Voting Technology and Electoral Standards

Scytl’s experts present their research findings at E-Vote-ID 2022

This year, Scytl’s Research Team had two papers accepted at E-Vote-ID, the leading international event for e-voting experts from all over the world. The two papers were presented during a session on Legal Aspects and Election Administration, and were published in the conference proceedings.

• “The Council of Europe’s CM/Rec(2017)5 on e-voting and secret suffrage: time for yet another update?”, by Adrià Rodríguez-Pérez.
• “Dubious security practices in e-voting schemes. Between tech and legal standards”, authored by Tamara Finogina, Adrià Rodríguez-Pérez, and Jordi Puiggalí.

The Council of Europe’s CM/Rec(2017)5 on e-voting and secret suffrage: time for yet another update?

As we have already explored in previous posts, secret suffrage is central to democratic elections. However, it is far from clear how this principle can be upheld with online voting. The problem with secret suffrage is that it is a principle wide enough to be universally accepted, and yet enforced in many different ways.

The Council of Europe’s standards on e-voting try to shed some light on this matter, by offering important guidance on the democratic conduct of e-enabled elections: Recommendation CM/Rec(2017)5 of the Committee of Ministers to member States on standards for e-voting. However, a closer look at the Recommendation when it comes to secret suffrage highlights important shortcomings:

· Provisions on secret suffrage are dispersed throughout Rec(2017)5 and its related documents. The main provisions can be found in Section IV of Appendix I, but the principle is also mentioned in several other sections, in the Explanatory Memorandum, and in the Guidelines on the implementation of the provisions of Recommendation.

• A clearer scope of secret suffrage is needed. On the one hand, the provisions in the Recommendation under Section IV of Appendix I mix the standards of secret suffrage with those of personal data protection. On the other, some of the Guidelines also seem to point towards an understanding of secret suffrage as being a means to achieve other principles.
• Even more concerning than the flawed scope of these provisions is the fact that the Recommendation has also failed at fully mainstreaming its new approach towards e-voting. In this regard, and in spite of the new benchmark being that “e-voting must respect all principles of democratic elections and referendums”, there are many provisions that are still based on analogies to a paper-based voting channel.

Taking into stock the layered structure of the updated Recommendation, three different scenarios can be foreseen: (1) Rec(2017)5 is updated (again) to address these flaws; (2) Rec(2017)5 remains as it is, regardless of its flaws; and (3) Specific guidelines are adopted on the implementation of Rec(2017)5. We advocate for the third alternative, with the development of specific Guidelines on secret suffrage and remote e-voting. These Guidelines could develop the provisions in the Recommendation and recognize some of its limitations. Since the provisions on data protection would remain under the umbrella of secret suffrage in Section IV of Appendix I, specific Guidelines on personal data protection and remote e-voting could be developed as well.

In case you want to learn more about this topic, you can find this publication online (in open access).

Dubious security practices in e-voting schemes. Between tech and legal standards

In paper-based elections, it is illegal to cast ballots of non-eligible voters (including empty or invalid ones) into a ballot box (i.e., ballot box stuffing). Yet many e-voting schemes add dummy votes to the ballot box for various reasons: for fighting correction, optimizing tally, and testing. In this paper, we highlight the problematic nature of including dummy ballots in the ballot box, commonly employed by e-voting schemes. More specifically, we look into the casting of test votes in some Canadian municipalities, the optimization of some e-voting mix-nets, participatory privacy as suggested in the Helios-null scheme, and coercion-resistance mechanisms proposed in Selene II.

• Issues with voter authentication and eligibility: some mix-net optimizations require adding trivial messages to the ballot box. Regardless of the value of these messages, they can clearly be understood as votes cast into the ballot box. Therefore, these proposals do not satisfy the requirement of some national legislations (i.e., Switzerland and Estonia) about the validity of votes cast, and neither will they comply with the OSCE/ODIHR’s criteria that no votes should be cast prior to the start of voting. Notwithstanding, and since some of these proposals only add these votes during the mixing phase, the practice would be compliant with some international standard as long as they are removed from the final results. The question is therefore how to ensure that those votes are duly deleted before the count.
• Issues with the principle “one voter, one vote”: In the proposal for participation privacy, voters can cast dummy votes on behalf of other voters. This practice seems to breach the standard of “one voter, one vote”. Furthermore, and in contrast to multiple voting, here it is not the voter themself who casts the extra votes to cancel out any vote cast under duress.
• Issues with both principles: The proposal to cast audit impacts both standards. On the one hand, having audit credentials translates into additional voters being added to the electoral roll of the election since it is necessary to add auditor credentials. On the other hand, it is possible that an auditor is registered several times as different voters in case they want to make multiple tests or test different contents in the same election.

As a general recommendation, we advise storing only votes cast by eligible voters in the ballot box. This approach would be the most in line with all legal regulations. Moreover, it would prevent the spread of misconceptions regarding e-voting security, which commonly arise in cases of the temporary addition of ballots to the ballot box. The general public often remarks that adding values to the ballot box (even if temporary) feels insecure.

To learn more, you can take a look at the paper online.

This article was written by Tamara Finogina, Cryptography Researcher; and Adrià Rodríguez-Pérez, PhD and Senior Public Policy Researcher at Scytl.