We shouldn’t necessarily trust electronic voting and counting

By Dr Chris Culnane; Dr Vanessa Teague
School of Computing and Information Systems, University of Melbourne

Tagged: politics; election; policy

As Victorians vote in another state election, many will again wonder why they can’t vote online. If we bank, shop, and communicate in so many ways online, why can’t we vote online?

Actually, you might be surprised how much of the voting and counting process in Australian state, federal and local elections is done electronically.

The Victorian Electoral Commission runs our ballot draw electronically and counts Legislative Council ballots electronically. The Australian Electoral Commission digitizes and counts Senate ballots electronically, and some voters in NSW and WA can vote over the Internet in state elections.

But rather than ask “Why can’t we just vote online?” we should ask “Why should we trust those results?”

Voting may not be secure

We have come to think that it is safe to bank and shop online, but in fact it is far from safe. Online payments fraud in Australia rose to $476 million in 2017. If we are unable to secure something as simple as online shopping, which has no need for secrecy, how can we possibly expect something as nuanced and complicated as voting to be performed online?

Voting requires two seemingly inconsistent properties: absolute secrecy of the ballot, combined with enough transparency to ensure the integrity of the result.

Significant issues have been encountered in Australia.

The iVote Internet voting system was trusted for the return of 280,000 ballots in the 2015 NSW state election and rerun in Western Australia in 2017.

Each time, we and our colleagues completed an independent security analysis of parts of the live iVote system. In 2015, there were severe vulnerabilities that could be leveraged by an outside attacker to manipulate votes, violate ballot privacy, and subvert the verification mechanism. In 2017, Western Australian voters were entrusting their vote to a third-party company that could read or modify it without their consent.

Despite this, the NSWEC intends to rerun the system in the next state election on March 23.

In the ACT, many votes are cast using computers in a polling place, on an open source system that was ahead of its time when it was first used in 2001, but doesn't produce a paper record of the vote. When Tim Wilson-Brown, an independent security researcher, demonstrated that people's votes can be easily identified because they're not shuffled before being posted online, the ACT electoral commission denied there was a problem.

Counting may not be secure

In the lead-up to the 2016 Federal election we were concerned about the possible implications of a software error or security failure in the automated Senate counting system.

With colleagues from Melbourne, Berkeley and MIT we prototyped a few methods for conducting an audit of the paper ballots, so that any errors in the electronic count had a fair probability of being detected before the wrong Senators were seated. We were keen to try them out in practice but didn’t get a chance. No significant audit of the paper evidence was performed. The last Tasmanian Senate seat came down to 114 votes. With 300,000 voters in Tasmania, that is 0.04% of the electorate, so even a small random error might have been enough to affect the outcome.

Our concerns were echoed by a National Audit Office report on the Senate counting system, which said that “The wording used in some of the internal records and published materials would generate confidence in the security of the system whereas the underlying assessments indicated significant risk.” They concluded “The AEC could have conducted a statistically valid audit or tested audit methods during the post-election period. It has not done so.”

Voting in person ensures everyone is given an opportunity to vote without fear or favour

Conducting an election is a huge undertaking using carefully honed processes, to ensure that the vote is secret, secure, and easy to perform.

It is one of the few rights that is gifted to individuals by society, without the need for the individual to assert it.

This is vitally important, because the very people who may face a threat to the secrecy of their ballot are the same people who will be unable to assert the right to a secret ballot.

The solution: verifiable electronic voting

The key idea is verifiability: the opportunity for voters to test that their electronic vote reflects their intentions, and for scrutineers to check that all the electronic votes are properly included and counted.

There are plenty of practical techniques for verifiable electronic voting in a polling place. One obvious approach is to produce a plain paper ballot and allow the voter to check it, then conduct a statistically rigorous audit of the results.

An alternative is a cryptographic method called "end-to-end verifiability." An end-to-end verifiable system was deployed in some polling places in the 2014 Victorian election, through the electronically assisted voting system vVote. The system was open source and backed by academic publications; however, whilst it was relatively easy to use, it was complicated to run.

Rather than invest in the expertise necessary to run such a system, the Victorian Electoral Commission wanted to follow NSW and WA in using online voting. Luckily for Victorians, those plans have not materialised in 2018. Nor did a proposed change to the Local Government Act to allow the Minister for Local Government to decide at any time to simply declare electronic voting (of any form) the universal method for voting at every local government election.

Anyone purporting to sell an Internet voting system that’s verifiable, and secure and privacy-preserving enough to withstand the security environment now faced by democratic elections, has invented something that years of research haven’t found.

We get the voting system we deserve

If candidates and voters continue to accept the results from unverifiable systems that don’t protect the secret ballot and don’t allow for meaningful Australian (candidate-appointed) scrutiny of the results, electoral commissions will continue to run them.

When you cast a vote, remember: you are not there because of archaic procedures or a failure to modernise; you are there playing your part in society’s gift to everyone of the right to a free and secret ballot.

Dr Vanessa Teague is presenting on the topic of online voting and counting next week, at Raising the Bar, co-hosted by the City of Melbourne and Election Watch. A version of this article has been co-published by the City of Melbourne.

Image credit: Australian Electoral Commission
