Why internet voting is a threat to democracy and why it's also the solution
Juanjo Bermúdez - Jan 23, 2016

Vendors of internet voting technologies will tell you that there is no problem with the technology used for voting online. They will say that there is only a cultural problem (whatever they say it is) and that is why the use of this technology is not widespread.


Why it is

Their argument is that any aspect of life has an associated probability of failure. There is a probability of failure associated with using paper ballots, DRE machines, punch cards, and any other technology. That's right. But they don't explain the different risks that these probabilities entail in each case.

The main risk associated with the use of paper ballots is that fraudulent voters or administrators could alter some ballot boxes. If you implement a basic security audit strategy, as is usually the case in all developed countries, you know for sure that this risk can only affect a small percentage of votes.

The risks associated with the use of DRE machines are similar to those of using paper ballots, but with a huge difference: it is easier to hide an attack. DRE machines could be altered in transit to the voting place; they could be altered the night before the election or in some cases even while the voting takes place, as they could be in a hidden place to guarantee privacy. You don't need to be physically present at every polling place to significantly alter the result. So a security audit is far harder to implement and far more expensive, and an attacker could have a much bigger impact on the result while needing fewer resources to perform the attack.

Experts consider punch card systems one of the most secure voting systems available, given that every vote is counted electronically and there is also physical proof of your vote that can't be easily altered. However, they have other practical disadvantages and they are being abandoned as voting systems. The main disadvantage is that, although you can verify the punch cards, it is not obvious when the votes are valid.

Finally, internet voting technology probably has one of the lower probabilities of a successful attack. While it's reasonable to assume that at least one attack will succeed in every large paper-ballot election, a probability of practically 100%, an attack on an online voting election has in most cases an almost 0% probability of success.

Does this mean that the risks are lower when using online voting? Absolutely not. The probability of success is one thing; the risk is a very different thing. It's not the same whether a success means altering a small percentage of votes or totally altering the result without any possibility for the rest of us to ever know that it happened.

You know that 0% probability doesn't exist. There is always a tiny possibility. Now, think about how many elections take place in the world affecting public budgets of billions or trillions of dollars. There are thousands every year. Think what could happen if all of them were performed using online voting technology. You would only need one of them to fail for attackers to get control of billions or trillions of dollars. Think what could happen if the attacker is also backed by a foreign country with dubious intentions. Obviously the risk is much higher than with any other voting system. And the probability of success for attackers grows cumulatively with every new election. That is the main reason almost nobody uses this voting technology for important decisions.

Therefore, the arguments of online voting vendors are wrong and I think they know that they are wrong. I think it's not foolhardy to qualify these arguments as bullshit.

Why it isn't

Now I will explain why the argument presented above is also wrong.

Online voting technologies are highly risky, even if they achieve a very high level of security. That's right. But that's right for the voting technologies that have long been known, not for possible new implementations. That is right for technologies where the focus was on probability of failure instead of risks. You could think of new implementations which, even if they don't have the same level of security, have associated risks far below those of any other voting system. For example, you can think of a distributed voting system.

[Image: Woman voting at home in Ukraine]

Imagine if you did not have any obligation to go to a specific polling place to vote. Imagine if you could place a ballot box in your house and let your family and friends vote there. Everyone using your voting place would only have to notify an established authority that they will vote in your house, and so be banned from voting anywhere else. If they trust you as the organizer, what would the problem be? At the end of Election Day, you would count the votes and submit the results to the central authority. You could even send a signature from every voter guaranteeing their conformity with the result. The individual votes of every voter would still be hidden from the public, as they would be mixed with the votes of all your friends.

Now, for an attacker, it would be almost impossible to know where all the voting is taking place and to organize an attack on a significant number of voting places. An organized, massive, undetected attack that significantly alters the result of the overall election is not a real risk. But there is another risk. It could be that you, the organizer of the private voting, are the attacker and that you communicate a fraudulent result to the central authority. A system like this one could have many practical limitations despite being associated with low risk. But all is still not lost.

Why are you using ballot boxes in your house? Why are you letting only your friends vote? Why not use an automated voting system in which not every voter would need to trust you? Magically, a solution to all these questions exists. You can use the Internet to connect random voters to organize one of these random elections. You can use an online voting system to let them vote. And finally, and the most important piece of that argument, you now can make use of an algorithm in which you don't need to trust anyone to be sure that your vote is private and securely counted.

The theory proving the existence of such algorithms has been known for a long time. They simply have not been used for real voting because, even though we know for sure from a mathematical demonstration that such algorithms exist, until now they were too slow and impractical to be used. Now, new algorithms that solve these drawbacks are being developed.
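As an added illustration (not part of the original post and not Igloovote's algorithm), the sketch below shows the simplest member of that class of algorithms: a tally by additive secret sharing, in which no single participant sees anyone else's vote and anyone can recheck the announced total. The function names are hypothetical, and the sketch assumes every participant follows the protocol and submits a valid 0/1 vote, which is exactly the assumption the slower general algorithms remove.

```python
import secrets

# Public modulus; must exceed the largest possible tally (assumption of this sketch).
Q = 2**61 - 1

def split_vote(vote, n_parties):
    """Split a 0/1 vote into n additive shares that sum to the vote mod Q."""
    if vote not in (0, 1):
        raise ValueError("vote must be 0 or 1")
    # n-1 uniformly random shares; the last one is fixed by the vote itself.
    shares = [secrets.randbelow(Q) for _ in range(n_parties - 1)]
    shares.append((vote - sum(shares)) % Q)
    return shares

def tally(votes):
    """Simulate the exchange among len(votes) voters; return (total, partial_sums)."""
    n = len(votes)
    if n < 2:
        raise ValueError("need at least two voters to hide anything")
    # Row i holds the shares voter i hands out; column j is what voter j receives.
    sent = [split_vote(v, n) for v in votes]
    # Each voter publishes only the sum of the shares it received, which is
    # uniformly random on its own and reveals no individual vote.
    partial_sums = [sum(sent[i][j] for i in range(n)) % Q for j in range(n)]
    return sum(partial_sums) % Q, partial_sums

def detect_tampering(published_total, partial_sums):
    """Anyone can recompute the total from the published partial sums."""
    return published_total != sum(partial_sums) % Q

if __name__ == "__main__":
    votes = [1, 0, 1, 1, 0]  # constructed sample ballots: 1 = yes, 0 = no
    total, partials = tally(votes)
    print("yes votes:", total)
    print("organizer misreports:", detect_tampering(total + 1, partials))
```

Because the partial sums are public, an organizer who reports a different total to the central authority is contradicted by data every voter can check.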

Please, explain it

So, you can have an online voting technology with far fewer associated risks than any other voting system. You'll have a lot of small elections that are hard to attack in a coordinated way, and each partial vote doesn't need to rely on any trustee. It does not matter whether this technology has a higher or lower probability of failure, as long as that probability is not higher than that of any other voting system. The risks associated with this technology are what matter. As we have seen, they are by far the lowest of all voting technologies. People trying to argue against the security of such systems based only on the probability of failure would also be doing nothing more than offering more bullshit arguments.

Now again, magically, at Igloovote, we have developed an algorithm with not only all these magic properties and the lowest associated risk of any existing voting technology, but also a probability of failure that can be configured to be even smaller than in any other voting system.

Now please, every time someone tells you that centralized online voting systems are not deployed because of a cultural issue and that there are no security concerns, let them know that this argument is bullshit. And in the same way, if anyone tells you that internet voting should never be deployed for important decisions because of the risks, please let them also know that I will prove them absolutely wrong.

[Also published at @Medium]
