EDUCATE
Secret Suffrage and Online Voting
Are ciphertexts secret ballots?
Is it secret to vote online? This is a question that we are often asked. Many people are concerned because online voting allows a voter to vote from anywhere, at any time: does this mean that they could be coerced into voting for a specific candidate while they are at home or work? Others are concerned about viruses and malware that may have infected a voter’s casting device: could these malwares monitor how are we voting? All in all, it is questioned whether online voting can comply with a basic principle of democratic elections: secret suffrage.
In order to address these questions and concerns, a recently finalised PhD explores secrecy in online voting: “Secret texts and cipherballots: secret suffrage and remote electronic voting”.
Secret suffrage: a basic principle for democratic elections
Secret suffrage is central to democratic elections. It is enshrined in the United Nations’ Universal Declaration on Human Rights, in the International Covenant on Civil and Political Rights, and in regional human rights instruments such as the Convention for the Protection of Human Rights and Fundamental Freedoms (better known as the European Convention on Human Rights).
The problem with secret suffrage is that it is a principle wide enough to be universally accepted, and yet enforced in many different ways. It does not have a clear definition either, and we tend to understand it through the technologies that protect it in different voting channels: from voting booths in polling stations, to envelopes in postal voting, and through sealed ballot boxes.
Notwithstanding, it is indeed possible to identify what the principle of secret suffrage aims at protecting. An overview of some international legal sources has helped us identify three standards that lay at the core of secret suffrage:
- Individuality, meaning that each voter makes an individual choice.
- Confidentiality, meaning that only the voter should know how they have voted, and they should be able to make their choices in private.
- Anonymity, meaning that there should not be a link between the contents of the vote cast and the identity of the voter who has cast it.
European experiences with online voting and secret suffrage
Following, the question that we should ask ourselves is whether and how the standards of individuality, confidentiality, and anonymity can be protected when voters are given the possibility to cast their vote remotely and electronically, even from so-called non-supervised environments (i.e., those that are beyond the control of election administrations, like your home, your office, etc.).
To do so, we can learn from the answers in the international standards for e-voting and from different national experiences. Three such experiences in Europe deserve special attention: Switzerland, France, and Estonia.
Switzerland offers a unique set of lessons, having organised more than 300,000 electoral events since online voting was first used in 2003. Switzerland is in fact one of the first countries that adopted online voting for politically binding elections. In 2013, the country came up with an overarching certification framework, so systems can be certified as complying with a basic set of requirements. In turn, the path of the adoption of remote electronic voting in the country has not been steady, and we can observe attempts to stop and discontinue the use of this channel both at the cantonal (as in Geneva between 2005 and 2007) and national levels (as in the current situation).
France is also a pioneer in the introduction of online voting, where this technology has been offered to voters abroad for different contests: first for the elections to the Assembly of French Citizens Abroad, followed by the elections to the National Assembly and for the representative bodies of French citizens abroad.
Estonia remains to date the first and only European country where online voting is offered to all the electorate, for all contests: national, local, and to the European parliament. When it comes to secret suffrage, the country has adopted quite an innovative approach to understand the constraints imposed by this principle and has advocated for a teleological interpretation of secret suffrage.
Analysing these experiences shows that governments and election administrations have several tools they can rely on to comply with the principle of secret suffrage when deciding to offer online voting. For example, votes can be encrypted at the application level, end-to-end, to ensure that they remain confidential. Before counting them, they can be anonymised with a mix-net or — they can even be counted while still encrypted, thanks to homomorphic tallying. In all these cases, splitting the private key of the election (the one that is used to decrypt the votes) into different shares prevents a single agent from proceeding to reveal the contents of the votes during the voting period and before they are anonymous. In the case of individuality, there are several proposals that allow voters to mitigate the risks of coercion, such as multiple voting as used in Estonia: voters can cast as many electronic votes as they want during the advanced voting period, and only the last one counts. Thanks to this possibility, if they have been forced to vote in a specific way, they can cast a new vote later that would cancel out any previous vote. They can even go to a polling station and cast a paper ballot that would cancel any vote cast electronically.
Therefore, is online voting equivalent to any other voting channel?
This study also shows that election authorities sometimes fail at acknowledging the specificities of online voting, some of its challenges, and at taking stock of its potential. For example, there are some risks that online voting faces that are unique to this channel. Election administrations should be aware of these risks and make sure that they adopt adequate measures to mitigate them. At the same time, allowing voters to cast multiple votes is one of the benefits of online voting that would be much more difficult to implement in other remote voting channels where coercion is also possible, such as postal voting.
All in all, the PhD identifies three key recommendations that election administrations should take into account to ensure the respect for secret suffrage in online voting:
- Individuality: coercion-resistant mechanisms (e.g., multiple voting)
- Confidentiality: asymmetric, quantum-resistant vote encryption with key-sharing schemes
- Anonymous tallying (e.g., mix-nets or homomorphic tallying).
To learn more, you can take a look at the PhD (pending publication) and the slides of the PhD defense, and the PhD thesis.
This article was written by Adrià Rodríguez-Pérez, PhD and Senior Public Policy Researcher at Scytl.
