You can open an app, press a few buttons and have pad thai delivered straight to your house. You can send money to the opposite side of the world with just a few clicks. You can automate your regular shopping list and have your groceries sent straight to your door every week.
So why can't you vote online?
It seems straightforward. Even Estonia does it. So why can't you?
The short answer is that it's probably not a great idea if you like democracy.
Let's start by explaining two critical aspects of free and fair elections:
Voting needs to be anonymous — If a person's voting record is public, they can be paid or coerced to vote against their wishes. Anonymous voting hinders this, because there is no way for someone to check whether bribery or coercion was successful. Why would you bribe someone to vote a certain way, when the voter could just lie to you, take your money, and then vote for the opposite candidate?
Election results need to be auditable — We need a reliable and trusted way of being able to recount votes to ensure that the result is accurate and hasn't been manipulated.
Let's dig into the first aspect a little deeper. It is technically possible to use cryptography to allow for anonymous online voting. However, you need a way to authenticate that each voter is who they say they are. Estonia achieves this by issuing everyone with an electronic government ID capable of digital signatures. Many countries don’t have this, and there is often public resistance to these IDs out of fear of government overreach.
So, before you can establish a country-wide online voting system, you need digital IDs for everyone. Without them, online voting just isn't going to happen.
Another major issue is that cryptography isn't foolproof. It has to be implemented carefully in order to provide anonymity, and a single flaw in the implementation can undo that guarantee. Given the track records of many governments when it comes to IT infrastructure and security, do you really trust them to securely implement something as important as an anonymous voting system?
If the system can be exploited and people fear that their voting record will be made public, will they actually vote for the candidate that they want to? Or will they vote for who their boss/partner/parents/union tells them to?
Elections need to be auditable so that we have a way of verifying that the count is accurate. When the results are close, or we suspect that they might be rigged, we need a way to easily recount all of the votes and verify the result.
In most democratic countries, the gold standard is for voters to:
- Have their name crossed off a list and be handed a paper ballot (electronic voting machines are problematic—let us know if you'd like us to cover them in a future newsletter).
- Walk into a booth where they can privately write out their vote.
- Drop the vote into a secure box.
At the end of the day, the votes are counted, and the local polling place sends the results to a central hub for the final tally to decide the winners. Throughout the process, election observers watch over the proceedings for any shenanigans. If the results are close or suspicious, the ballots can easily be recounted.
One underappreciated aspect of these simple voting systems is that it is hard for an attacker to sow doubt about an election’s fairness because the process is fairly decentralized and easy to understand. Everyone knows how pencils and locked boxes work, and as long as there are no complaints from the election observers, the public will generally view the election as fair.
Let’s contrast this with an online voting system, which is essentially a black box as far as the majority of the voting public is concerned. People know that their votes go into the black box, but due to the complicated nature of the system, it’s much harder for them to verify that the system worked appropriately and that the election result the system spits out is accurate.
This complexity is an excellent opportunity for an attacker that wants to sow doubt about the election process. Instead of having to arrange a grand conspiracy with fabricated evidence at multiple polling sites, all they have to do is claim that “The election was rigged”. Security engineers can’t easily explain that the election wasn’t rigged, so as long as the attacker’s claims can convince enough people, there could be riots in the streets and democracy could be undermined.
And this is all without an actual compromise to the integrity of the voting system. Let us know if you want us to talk about how things like insider threats, malware and denial of service attacks can also impact the security of elections.