There’s been a report about online voting, positing that it’s inherently at odds with the anonymous vote. As it currently stands, that’s correct.
But does it have to be? Or at least, can it be as well-secured from voting fraud and coercion as the paper ballot is today? I’m not sure. It would be difficult, perhaps unrealistically so, but I can’t help but wonder if it’s possible to build a system with secret sharing and PKI with a trusted third party handling authentication.
In the no-doubt-naive flow I imagined, it would go something like this:
- The voter generates a one-time asymmetric key pair
- The voter authenticates with the trusted identity provider, and provides the public key
- The identity provider builds a “voter certification” out of the public key, something to identify the election, and enough demographic information to prove the voter’s region (since we need that), then signs it, puts it on its public server, and gives the voter the URL
- The voter provides the election system the URL
- The election system uses the public key to create a challenge
- The voter answers the challenge using their private key
- The election system provides the ballot, signed using the system’s private key
- The voter responds with their choices
- The election system signs the response, encrypts it with the voter’s public key and returns that to the voter, along with an OK challenge using the voter’s public key
- The voter decrypts a copy of the response ballot, and finding it correct, provides the OK
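The first half of that flow (certification, challenge, proof of possession), written out as an added example that is not the author's code or any real voting system. Ed25519 stands in for the unspecified asymmetric key pair, the ballot and encryption steps are left out, and the last function shows what the collusion worry below amounts to in practice: the identity provider's record and the election system's record carry the same one-time public key, so anyone holding both can join them.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// VoterCert is the identity provider's "voter certification": one-time
// public key, election id, region, and the provider's signature over them.
type VoterCert struct {
	VoterPub ed25519.PublicKey
	Election string
	Region   string
	IdPSig   []byte
}

func certBytes(c VoterCert) []byte {
	return []byte(fmt.Sprintf("%x|%s|%s", []byte(c.VoterPub), c.Election, c.Region))
}

// IssueCert is the identity-provider step; the voter has already
// authenticated out of band and handed over voterPub.
func IssueCert(idpPriv ed25519.PrivateKey, voterPub ed25519.PublicKey, election, region string) VoterCert {
	c := VoterCert{VoterPub: voterPub, Election: election, Region: region}
	c.IdPSig = ed25519.Sign(idpPriv, certBytes(c))
	return c
}

// Challenge is the election-system step: reject any cert the provider did
// not sign (or that was altered afterwards), else issue a fresh nonce.
func Challenge(idpPub ed25519.PublicKey, c VoterCert) ([]byte, bool) {
	if !ed25519.Verify(idpPub, certBytes(c), c.IdPSig) {
		return nil, false
	}
	nonce := make([]byte, 32)
	rand.Read(nonce)
	return nonce, true
}

// Answer/CheckAnswer: the voter proves possession of the private key.
func Answer(voterPriv ed25519.PrivateKey, nonce []byte) []byte { return ed25519.Sign(voterPriv, nonce) }
func CheckAnswer(c VoterCert, nonce, sig []byte) bool     { return ed25519.Verify(c.VoterPub, nonce, sig) }

// Linkable is the collusion check: the provider's record (who got which
// key) and the election system's record (which key cast a ballot) carry
// the same public key, so a join on that key de-anonymises the voter.
func Linkable(idpRecord, electionRecord ed25519.PublicKey) bool {
	return idpRecord.Equal(electionRecord)
}
```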
Now, I probably did this wrong, but the idea is that afterwards, the election system has no idea who the voter is, and the voter has an audit trail that only they can prove. If we don’t want them to be able to prove it on their own, then maybe the election system encrypts on its end as well, and the two sides keep their own copies of the vote along with a nonce to identify it, so that both need to cooperate to prove the vote, and neither side signs anything. I dunno.
Of course, the third party would have to be trustworthy and separate from the organization counting the vote. It might be possible to prevent collusion between those two from subverting the anonymity of an online vote, but I don’t see how.
That said, it might be worth honestly considering how protected the paper ballot is from malicious insiders. How many of those places have security cameras? How hard would it be to plant something? How would the voters be able to realistically protect themselves if there was someone or someones doing an actual dedicated attack on the vote?
Has it already happened? Some fishy stuff has happened in the last few decades in US elections. There’s no real way of verifying the vote, even discounting voting machines. Ballots can get “lost” or “damaged”. Voter registrations can and have been invalidated right before the vote. You’d think this would be big news, but nobody really seems to care. Or maybe the people believe that our current hodgepodge of systems is secure?
Certainly, even if you made it anonymous and secure, any online voting system would be an incredibly juicy target. So you’d also have to build in an audit system, a real one designed with the expectation that we’d have to use it. Which would honestly almost be worth doing this on its own.
I am not a cryptographer, but I can’t help but wonder. Are we giving up without considering the possibility? Or even if it is impossible to have an anonymous vote online, maybe we should take a step back and evaluate what exactly we’re trying to protect against with the anonymity and if we can protect it some other way.
Do we want to protect against government coercion? Because I doubt we could realistically stop that either way, but even if we can, that’s a very different solution space than if we’re trying to stop the purchase of votes. In the former, we need some guarantee that the person can’t be tracked down by the election office. In the latter, we need to build a system where the voter can’t prove on their own how they voted.
Honestly, it can’t be worse than the voting machines we have now, and a good online voting system could empower a lot of people who currently can’t vote either because they can’t get to the ballot, or are too poor to take the day off.
Bleh, I’m writing this entirely too late at night, and by morning I’ll no doubt see something obviously wrong. I just can’t help but think that there’s a real possible benefit to online voting that we’re giving up on out of hand without actually trying to make it secure and anonymous.
After all, if the history of personal computing should teach us anything, it’s that convenience wins out over security ten times out of ten. So maybe it’s time to sit down and try to make it as secure as we can before it becomes a major thing anyways and a really bad breach happens.