Can Online Voting be Auditable?
Imagine a community shares a credit card account to make all their purchases. Each person gets their own card to use as needed.
Individual voting is like each person going about their days shopping at various stores, but when they get to the checkout there is no display. They can’t see what each item is as it is scanned or what it costs. After the cashier is finished scanning everything, they verbally say the order sum to our community member. Then the individual dips their credit card and leaves without a receipt.
Voting results are like the monthly credit card bill showing how much the collective has spent at each store without a per transaction breakdown, but, even if there were a breakdown, the data would be missing dates and times. There’s no way for any given person to say which was their transaction and even if they did, they couldn’t prove it because they don’t have a receipt. There’s no way to reconcile or audit the data.
Explanation
You would never use this for accounting purposes and you shouldn’t use the voting equivalent. Each step of the way there is too much unverifiable trust placed in the system accepting, storing, and tabulating votes. There is no separation of responsibilities and there is no way to reconcile each vote or even a subset of votes tabulated in the election results.
Intro
Let’s take a deeper dive into what makes an election trustworthy and why online only voting is not viable. If you’ve seen any reference to online voting on slashdot or reddit, you’ve seen software engineers blast the idea as horrendous. This XKCD comic is a fun explanation.
Trusted Elections
Every legitimate democratic government holds elections and ensure those elections are free and fair. One aspect of meeting the goal is making elections auditable. The details of what makes an election auditable vary, but the goal is to ensure that you can reconcile the total counts against a trusted secondary record of votes.
In other words, these two things must be satisfied:
- Ballots must be re-countable
- Ballots must be stored securely to prevent tampering (no one should have escalated privileges without an independent auditor and supervision).
A very simple example is using paper ballots that can be counted multiple times, but even paper ballots has issues. Some may remember the scenario in Florida during the Bush-Gore election.
For years, Suffolk County, Long Island, New York used mechanical voting booths that registered your vote physically upon pulling a lever to open the curtain.
These days people want to make it easier to tabulate votes and they’re turning to technology to do the simple task of counting. After all, computers are phenomenal at counting.
Technological Mishaps
It is frequent to see news articles about security breaches and issues where online software stopped working for some period of time. Occasionally, an entire swath of the internet is unaccessible. Sometimes this is caused by a physical problem, like a wire being cut or a major switch going down or a software problem, like a DNS misconfiguration. DNS is like an address book for websites. Even though companies do their best to prevent problems, issues like these plague all web applications.
If we designed a physical electronic device for voting, we could easily audit it by having it print out the results of an individuals vote and have them visually validate it as accurate, keep a record for themselves, and have the election administrators hold a record for an audit. This is a doable task, though it does present itself with other problems, like how to secure the device and how to secure the paper ballots. Anonymity can be satisfied by using a random number or set of characters, like a UUID, to link the paper vote to the digital vote. It is also possible to make a physical device tamper proof. For instance, new credit card readers supporting EMV chips will permanently shutdown if they are tampered with in any way.
However, if we were to do an election entirely online, we have a new set of challenges. Users make their selections on their own computer and send their votes to a server. How do we ensure a vote goes to exactly the candidate the user voted for and how do we keep an audit trail of this activity that we can trust? What types of things can go wrong?
- A user’s computer could have a virus that manipulates votes before being submitted to the server.
- The front-end could submit data in a manner that is unexpected due to browser incompatibilities or a difference in expectations with back-end developers during implementation.
- The data could be manipulated in transit.
- The server could fail to record the vote, yet the front-end could display a message as though it had.
- The environment where the servers/database are located could be compromised.
This list is not exhaustive and we already have solutions for some of these problems. However, the biggest issue is we cannot ensure a reliable and transparent audit trail. It is not possible to aggregate votes from user’s devices in a manner that honors separation of responsibilities and allows the user to validate their vote. We could have the user print out the result of their vote with the same random number solution we used in the physical voting device, but then we would need to have the user send a physical copy of it so it could be used as part of the random check (the partial audit). If we’re going to fallback to paper being mailed, we can just use that for the election. Also, not everyone has access to printer.
Technical Details
You might be wondering why a trustworthy audit trail isn’t possible. This is a fundamental problem, not a technical one. As you may know, using the internet requires a client device, like your computer or smartphone, and a server. The server is comprised of an application server and a datastore, most often a database. The client device cannot access the datastore directly, it must send data to the server and the server restructures information into a consistent format the datastore can understand.
Modern web application architecture decouples the front-end from the server. In the past, the server would generate HTML that your browser would use to have you interact. These days, the part of the application that runs in the browser is 100% decoupled from the server. That means the code running in your browser can be stored on servers that are physically closer to your client device. This allows the application to load and run faster on your client.
When you vote using an online tool, your browser allows you to make selections that are translated from data in the datastore. There is a translation that occurs between that datastore and your client device. Your election is displayed in a very different way from how it is stored. The application server and the front-end code is responsible for making this translation. As a result, the only way for the application to hold an audit trail of your submission would be on the application server. It would push your data into another location in the datastore (or a separate datastore) in a format that is closer to how you submitted it. This is a problem because it is still the application server that is responsible for processing this data. The voter is not able to validate that the data being stored in either place matches what they submitted. As a result, the audit trail is untrustworthy. The voter must be able to validate the auditable portion of their vote.
Summary
While the internet offers great benefits for commerce, information, and productivity, critical tasks should be kept off it. Voting is fundamental to our society and ensuring free and fair elections is paramount.
Online voting can be used for things that aren’t critical. In my mind, the Oscars is a good example. I know actors get jobs based off awards, but it’s a private group’s election that bears little weight on people’s overall well-being. In a coop, HOA, or condo, elections determine the fiscal direction for years and that affects the lives of every resident and is truly important.