Internet voting, security, and transparency at E-VOTE-ID

7 minute read

Published:

Last week, I attended my first voting conference: E-VOTE-ID. I’ve presented at statistics conferences before but never an interdisciplinary one like E-VOTE-ID. It brought together people working on electronic voting issues from a whole range of disciplines: legal studies, sociology, cryptography and security, voting systems developers, former election officials, and one statistician. This guy!

I learned an incredible amount in 4 days, none of it having to do with my research directly. It was awesome! There were no parallel sessions, so we had everyone at the conference in one room for all the talks. The most interesting part, for me, was hearing how every country has its own challenges and addresses them so differently. Here’s a recap of some of the most memorable things I heard.

E-VOTE-ID Day 0: the PhD Colloquium

I was one of six grad students who gave talks on e-voting research. I heard talks on how to verify security properties of a new e-voting protocol with some crazy cryptographic properties, a history of security problems with paper ballots in the United States, inefficiencies in the way Estonia integrated internet voting into their electoral process, and a discussion of how Germany painted themselves into a corner legally.

The German issue is a funny example of how non-technical people try to do the right thing but fail when they don’t consult technical people. Germany had some issue in one of its elections and so passed a law in 2009 with the goal of making elections more transparent. Instead, they’ve essentially made it impossible to use any sort of electronic equipment. They require that “the average voter” can understand anything that leads from ballots being cast to a final tally. Problem is, even most educated people can’t understand security and cryptography under the hood, so they can’t use any of those techniques to make things private. But they are required to implement some security by law – ballots have to be completely private and cannot provide voters a receipt of how they voted. They call this the transparency-anonimity dilemma.

I won the best PhD workshop paper award! Check out my slides from the talk here.

E-VOTE-ID Day 1

I had NO IDEA about how everything in Estonia is so technologically advanced. Frankly, I had to check on the map to be sure where this tiny country is. But in the past 20 years, Estonia has introduced a smart ID card for every citizen that plugs them into an entire internet-based system called the X-Road. Banking, healthcare, and voting are all done on the X-Road. They’ve had internet voting since 2003 and participation rates are above 30% now. They studied the costs associated with internet voting, early voting, and election day voting, and found that e-voting is 20x cheaper than all other options combined. Crazy.

In Nigeria, the norm is for the losing party to bring a law suit. They don’t accept that they’ve lost. It’s interesting because a delegation of elections officials from Nigeria visited Berkeley last year and spoke to my advisor and me about ways they could improve their elections. I think it’s all about making the process transparent while people are voting and auditing things afterwards. The person delivering the talk on Nigerian elections proposed having external (foreign?) impartial people monitoring the election as it happens.

Jason Thompson gave a lively talk about internet voting for Americans. Even as an American, I didn’t know this was a possibility! It’s meant for American citizens living abroad, of which there are about 9 million including military. Each state can choose how to do its remote voting. Shockingly, 28 states ask voters to return ballots by email and they make waive your right to a secret ballot. Emails aren’t end-to-end encrypted, PDFs can be changed easily, and voting this way isn’t necessarily private. To demonstrate, Jason sent in his ballot in front of everyone at the conference!

I found this article independently the same day: Pennsylvania and other states are locking foreign voters out of their elections websites. Probably some IT specialist doesn’t understand firewalls and Americans abroad don’t necessarily know how to VPN into a U.S. network.

E-VOTE-ID Day 2

We heard a great talk about lessons learned about internet voting in Norway. The talk was given by a cryptographer who acknowledged the fact that e-voting is way more than just the cryptographic protocols! No matter how well the security works on paper, there are challenges putting it into practice. Norway has done remote voting experments in uncontrolled environments, including local elections in 2011 and parliamentary elections in 2013. They’ve stopped using it because the government is too worried about coercion happening when people vote from unregulated environments.

They had a cool natural experiment: the incompetent election workers somehow printed the wrong return codes on ballot receipts. Voters should have been able to use their code to verify that their vote was cast correctly – but they got someone else’s code. Based on the number of complains they received, they could estimate that 85% of voters tried to verify their vote. This is huge and unexpected!

Another lesson learned: openness helps with mistakes and confusion. If you explain everything in great technical detail, then journalists aren’t interested. People are looking for a good story and if you don’t give fodder for negative press, they don’t care.

In many talks from many countries, researchers gave evidence that goes against our stereotypes. They found that internet voting is not more attractive to young people. Early adopters of internet voting in Estonia were older. Surveys of voters in Norway, the Netherlands, and Canada showed the same thing. At first, this was surprising, but the more I think about it, it’s not: perhaps young people are more aware of the security issues involved with electronic devices, while older people are more willing to trust them?

We heard a lot about blockchain voting. I’ll just leave this here.

E-VOTE-ID Day 3

This morning, I gave my presentation on SUITE, a new method for risk-limiting post-election audits of stratified samples. Check out my slides here!

We heard not one, but two interesting talks from Vanessa Teague on measuring the evidence that outcomes are correct in elections that use instant runoff voting. The way that votes are distributed to candidates in these kinds of races (mostly done in Australia, but sneaking into some American elections) is incredibly complicated. What can look like a close margin to the naked eye can actually be a close race, based on early rounds of eliminated candidates. She showed that in such cases, it’s essentially impossible to do a risk-limiting audit, but when margins aren’t too close then it’s statistically quite simple.

The conference ended with an awesome lunch and perfect early fall weather in Bregenz. I haven’t been to that many conferences, but this was among my favorites.