The world is changing. More and more services are moving online. So it seems anachronistic that in the United Kingdom, we still cast our votes on paper in church halls. Many people may wonder why electronic voting is not already a reality in the UK. E-voting in the polling booth or over the internet offers the prospect of accessibility and convenience for voters, and new opportunities for voter engagement. It also offers efficiency gains for election administrators in collecting and counting votes electronically rather than by hand.
Yet the cyber security challenges for electronic voting are difficult because of the need to enable voters to vote in a free and fair way, protecting the secrecy of their ballot while ensuring that it delivers the correct result. And it needs to do all this in a way that gains the trust of the public. The current system in the UK, for all its flaws, is well understood and trusted.
Election integrity is paramount, requiring authentication of eligible voters, and assurance in the handling and tallying of votes. Any e-voting system must be trusted even in the face of the ever-increasing range of cyber threats. These include the possibility of system penetration from well-resourced adversaries; the possible presence of spoof voting sites; malware on voting devices or within the central system; and insider threats from those with privileged access to the system.
Running elections electronically centralises their administration. This means that a single attack vector can have a wide impact by affecting voters systematically through their voting platforms, or by gaining access to large numbers of votes. Today's reality is that these threats are already credible and active in cyberspace and we must design systems for security with this in mind. Current paper-based elections in the UK are not open to the same kind of systematic attacks at scale, because they are distributed widely with no central point of control. Even so, election fraud does occur, as cases in Birmingham and Tower Hamlets have shown. But in these instances the effects were localised and would be hard to scale up.
Standard cyber defence mechanisms and processes around electronic voting systems should be deployed, as with any critical infrastructure, but no system is 100 per cent secure. Even with state-of-the-art defences we must always consider the possible consequences of a successful attack.
Distributed denial of service attacks, which take down a website or service by overwhelming it with requests, will be a challenge for electronic voting systems, especially given that elections have strict time windows, and so a well-timed attack can be difficult to mitigate without re-running the ballot. We also have to consider the possibility that the election result itself could be manipulated through tampering with the votes or the tallying process.
The conversation around online voting sometimes refers to online banking as an example of what is possible. As it stands, however, this does not hold up as an analogy. It is banks, rather than their customers, that bear the cyber risk, accepting this as part of the cost of doing business. Online banking provides statements that customers can check, as well as transparency and traceability of transactions, and if fraud occurs then this should be detectable and can be compensated.
Online voting does not provide any of these assurances. Pursuing the analogy, it is essential to be able to detect any attack that interferes with the result of the election. This is difficult because the votes also need to be secret: voters must be able to cast a ballot such that no-one can know how they voted, not even election officials.
Modern cryptography and voting systems research provide technical ways in which this can be done. End-to-end verifiable voting systems take a "trust but verify" approach that gives a higher level of assurance: rather than asking voters to trust the software, the system lets them check it. In this approach voters can confirm that their vote has been recorded exactly as it was cast.
The voting system also publishes evidence that can be checked by voters or other independent parties, who can detect whether any vote tampering has occurred, and can confirm that the votes have been tallied correctly and match the reported result. This means that any outside interference or tampering of votes during the voting process, for example due to malware on the voting device or through a penetration attack, would be detectable.
Because of the need for ballot secrecy, the votes typically need to be encrypted when they are cast so that voters cannot be linked to visible votes. After voting has closed, the encrypted votes need to be tallied while still protecting ballot secrecy. One approach is to make use of homomorphic encryption, which allows the votes to be added up while remaining encrypted – the final result is then decrypted by the election authorities, but the individual votes remain secret.
An alternative approach is to make use of a cryptographic mix-net, which re-encrypts and shuffles the encrypted votes (an electronic version of shaking a ballot box) so they are no longer linked to voters. The votes can then be individually decrypted without giving away the corresponding voter, again protecting ballot secrecy. Alongside the reported results, each of these approaches publishes evidence, in the form of cryptographic proofs, that the calculations have been done correctly. This means that if the homomorphic tallying, or the mix-net shuffling, has been attacked, the attack would be detected.
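To make the two tallying approaches concrete, here is a toy Python model. It is an added illustration, not code from vVote, Swiss Post or any other system mentioned on this page, and its group parameters (a 10-bit safe prime), candidate list and sample ballots are all constructed for the example. It uses exponential ElGamal, whose ciphertexts can be multiplied to add the underlying votes: the first path adds the encrypted per-candidate counters homomorphically and decrypts only the totals, so no individual ballot is ever decrypted; the second re-encrypts and shuffles the ballots before decrypting them one by one, so the decrypted votes cannot be matched to their positions in the input. What it deliberately omits is the published evidence: the zero-knowledge proofs of correct decryption and correct shuffle that a real end-to-end verifiable system issues alongside the result.

```python
"""Toy model of homomorphic tallying and a re-encryption mix-net over the
same ElGamal-encrypted ballots.  Added illustration only; parameters are
deliberately tiny so the discrete logarithm can be brute-forced.  A real
system uses 2048-bit-plus groups or elliptic curves and publishes
zero-knowledge proofs for every decryption and shuffle."""
import secrets

# Constructed toy parameters: p = 2q + 1 with q prime, g generates the
# order-q subgroup of quadratic residues mod p.  NOT secure.
P = 1019
Q = 509
G = 4

CANDIDATES = ["alice", "bob", "carol"]  # constructed sample race


def keygen():
    """Election key pair: private x in [1, q-1], public h = g^x."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def encrypt(h, m, r=None):
    """Exponential ElGamal: Enc(m) = (g^r, g^m * h^r).  Multiplying two
    ciphertexts componentwise yields an encryption of the sum of votes."""
    if r is None:
        r = secrets.randbelow(Q)
    return pow(G, r, P), (pow(G, m, P) * pow(h, r, P)) % P


def decrypt(x, ct, max_m):
    """Recover g^m = c2 / c1^x, then brute-force m in [0, max_m]."""
    c1, c2 = ct
    gm = (c2 * pow(c1, P - 1 - x, P)) % P
    for m in range(max_m + 1):
        if pow(G, m, P) == gm:
            return m
    raise ValueError("plaintext outside expected range: ballot malformed")


def add_ciphertexts(a, b):
    return (a[0] * b[0]) % P, (a[1] * b[1]) % P


def encrypt_ballot(h, choice):
    """One ciphertext per candidate: Enc(1) for the chosen one, Enc(0) otherwise."""
    return [encrypt(h, 1 if name == choice else 0) for name in CANDIDATES]


def homomorphic_tally(x, h, ballots):
    """Add every voter's encrypted counter per candidate, then decrypt only
    the totals.  Individual ballots are never decrypted."""
    totals = {}
    for i, name in enumerate(CANDIDATES):
        acc = encrypt(h, 0, r=0)  # (1, 1): identity for ciphertext addition
        for ballot in ballots:
            acc = add_ciphertexts(acc, ballot[i])
        totals[name] = decrypt(x, acc, len(ballots))
    return totals


def reencrypt(h, ct):
    """Add an encryption of zero with fresh randomness: same vote, new ciphertext."""
    return add_ciphertexts(ct, encrypt(h, 0))


def mix(h, ballots):
    """Re-encrypt every ciphertext and permute the ballots (Fisher-Yates
    with a cryptographic RNG) so outputs cannot be linked to inputs."""
    out = [[reencrypt(h, ct) for ct in ballot] for ballot in ballots]
    for i in range(len(out) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        out[i], out[j] = out[j], out[i]
    return out


def decrypt_mixed(x, mixed):
    """Decrypt shuffled ballots individually, rejecting malformed ones."""
    results = []
    for ballot in mixed:
        votes = [decrypt(x, ct, 1) for ct in ballot]
        if sum(votes) != 1:
            raise ValueError("ballot does not select exactly one candidate")
        results.append(CANDIDATES[votes.index(1)])
    return results


def run_election(choices):
    """Return (homomorphic totals, sorted list of votes from the mix-net path)."""
    x, h = keygen()
    ballots = [encrypt_ballot(h, c) for c in choices]
    tally = homomorphic_tally(x, h, ballots)
    mixed_votes = decrypt_mixed(x, mix(h, ballots))
    return tally, sorted(mixed_votes)


if __name__ == "__main__":
    print(run_election(["alice", "bob", "alice", "carol", "alice"]))
```

Both paths produce the same result from the same encrypted ballots, which is the property an auditor checks. Note what the model cannot show on its own: a party holding the private key, or one able to substitute ciphertexts, could alter the outcome without either path noticing, which is exactly why real systems split the key among trustees and publish proofs of correct decryption and correct shuffle for public verification.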
Another significant challenge for electronic voting in the UK is the management of voter identity. While voter impersonation in person would be difficult to scale, it is a much more pressing problem for voting online. Estonia, which has offered online voting in elections since 2005, establishes voter identity using the national electronic identity card, which all citizens are required to have. This links into the electoral roll and is used to authenticate eligible voters. In the case of the UK there is no equivalent identity platform and so it would be necessary to provide voters with specific election credentials. The security of the electoral roll, and control over its management and veracity of its data, is critical as the reference point for eligibility to vote.
Voting is a social activity, and the general public need to have confidence in the systems and processes that they use for elections. Technical solutions for electronic voting also need to gain public comprehension and acceptance, and this requires transparency and public engagement.
Swiss Post, which provides internet voting in Switzerland, recently ran a Public Intrusion Test on the e-voting system it proposed for national use this year. In accordance with the licensing and certification requirements of the Swiss Chancellery, the source code was made available for inspection, allowing experts to examine it. Independent security researchers then found a cryptographic flaw in the system's mix-net shuffle proof, amounting to a trapdoor, which could allow legitimate ballots to be replaced without detection by a malicious party with access to the system's critical infrastructure.
The discovery contributed to the decision not to use the system in regional canton elections in May. The Swiss Chancellery deserves credit for requiring the code to be made available for such inspection; code transparency for independent public scrutiny is a key step towards establishing trust in such critical systems. Democracy deserves nothing less.
Steve Schneider led the team that developed the end-to-end verifiable voting system vVote, piloted in the 2014 State election in Victoria, Australia. He is now leading the VOLT research project into Voting on Ledger Technologies.