E2E (end-to-end) voting system with the ability to verify the voter
A few days ago , the Securing Digital Democracy course from Coursera and University of Michigan professor Alex Holderman ended.
In this interesting course, Holderman talked about the requirements for voting, the past of voting systems, reasonably criticized existing systems, and cited an example of a technology that, in his opinion, is the future (he already penetrates the present) as a conclusion and advice.
These are the so-called E2E (end-to-end) systems in which each voter can make sure that his vote has been correctly counted, and additional checks can be made to correctly account for votes in general.
An important requirement for voting systems is to ensure the anonymity of the voter and the secrecy of his choice. Of course. besides these, there are general requirements (for example, accessibility of voting, authentication, convenience, understandability, etc.), but I will not dwell on them now.
Anonymity and secrecy are a problem that needs to be resolved if you want to check how your vote has been counted. There are ideas for electoral systems that alleviate this problem by changing the basic principles of voting. For example , Cloud Democracyfrom Leonid Volkov and Fedor Krasheninnikov suggests that the voter can at any time change his vote from one person to another, must see what decisions his candidate makes, etc. At the same time, it makes no sense to hide his voice for the system or for the person behind him, which removes part of the problem, causing, of course, others, but this is not the topic of this topic.
Given the current order of things, anonymity and secrecy must be respected. Holderman cited two existing systems as an example, which, given the above requirements, make it possible to individually verify voting, Scantegrity and Helios . These systems are distributed open source, which, according to Holderman, is the best protection against possible vulnerabilities.
Both of these systems use similar principles for encrypting voting results, publishing votes, and checking part of internal data through random selection. For a more detailed description of the process, encryption principles, etc. You can read the internal documentation or look for additional information on the home pages.
I will describe the process briefly, based on the Scantegrity system. It uses optical scanning systems, similar to our COIBs, but at the same time provides additional information to the user through hidden tags for selecting a candidate.
The voter, arriving at the station, receives such a ballot with a serial number and a tear-off coupon. In the voting booth, making a choice using a special marker, he displays hidden information that needs to be rewritten on a tear-off ticket.
After the election (or even during the time when optical scanners are connected to the central server), this information (a pair of serial number - code) can be checked on a special website, or compared when printing the voting table in a local newspaper.
All information received from scanners is recorded in several related encrypted tables.
At the end of the election, the table is randomly decrypted, opening some of the encrypted fields for verification so that the chain for a particular ballot is not visible (which will violate privacy)
If the correctness of the partially disclosed table is confirmed, that is, the votes are taken into account correctly and correctly reflected in the final table, it can be said with a high degree of probability that there were no internal implementations.
Of course, this does not eliminate the stuffing, carousels, additional lists and other joys of voting common in, say, developing countries, but it allows everyone to make sure that his vote is correctly registered, which is already good. Again, there is a certain specificity associated with the fact that voting is not only a count. It is also the registration of candidates / parties, as well as equal opportunities for campaigning. In other words, elections must be open, equal and fair. But this is a topic for another conversation.
The Helios system (written in Django), unlike Scantegrity, is designed for relatively small (about 500 voters) online voting, for example, at university elections or other local communities. This is due to the problems of coercion to vote for a particular candidate, the stability of online services to DDoS attacks, and the fundamental impossibility of materially confirming the vote. Holderman believes that at the moment technology does not allow reliable online elections to be held on a serious (city or country level) scale, in his opinion it is a matter of decades, but when the problems are resolved, the future will certainly be with E2E online systems. Personally, it seems to me that it would be better to switch to new principles (see "Cloud democracy") than to wait until technologies reach the old principles.
Helios allows you to check whether the system encrypts your voice correctly (by several test attempts with different random keys), whether it records it correctly (and instantly, the ID-encrypted voice table is updated immediately and immediately becomes available to everyone), and selection after voting available for audit to all comers.
Unfortunately, in Russia at the moment there is a bunch of election commissions-prosecutors-investigations-courts (as I was convinced in practice, doing as an observer and witness of a crime in the Istra district of the Moscow region, where about 20% of the votes were stolen on 12/04/2011, stupidly rewriting protocols in more than half of the sites), for which E2E systems similar to Scantegrity are unlikely to be interesting. But time goes on, new people and new ideas will inevitably come, and E2E voting verification systems will certainly be introduced, sooner or later.
In this interesting course, Holderman talked about the requirements for voting, the past of voting systems, reasonably criticized existing systems, and cited an example of a technology that, in his opinion, is the future (he already penetrates the present) as a conclusion and advice.
These are the so-called E2E (end-to-end) systems in which each voter can make sure that his vote has been correctly counted, and additional checks can be made to correctly account for votes in general.
An important requirement for voting systems is to ensure the anonymity of the voter and the secrecy of his choice. Of course. besides these, there are general requirements (for example, accessibility of voting, authentication, convenience, understandability, etc.), but I will not dwell on them now.
Anonymity and secrecy are a problem that needs to be resolved if you want to check how your vote has been counted. There are ideas for electoral systems that alleviate this problem by changing the basic principles of voting. For example , Cloud Democracyfrom Leonid Volkov and Fedor Krasheninnikov suggests that the voter can at any time change his vote from one person to another, must see what decisions his candidate makes, etc. At the same time, it makes no sense to hide his voice for the system or for the person behind him, which removes part of the problem, causing, of course, others, but this is not the topic of this topic.
Given the current order of things, anonymity and secrecy must be respected. Holderman cited two existing systems as an example, which, given the above requirements, make it possible to individually verify voting, Scantegrity and Helios . These systems are distributed open source, which, according to Holderman, is the best protection against possible vulnerabilities.
Both of these systems use similar principles for encrypting voting results, publishing votes, and checking part of internal data through random selection. For a more detailed description of the process, encryption principles, etc. You can read the internal documentation or look for additional information on the home pages.
I will describe the process briefly, based on the Scantegrity system. It uses optical scanning systems, similar to our COIBs, but at the same time provides additional information to the user through hidden tags for selecting a candidate.
The voter, arriving at the station, receives such a ballot with a serial number and a tear-off coupon. In the voting booth, making a choice using a special marker, he displays hidden information that needs to be rewritten on a tear-off ticket.
After the election (or even during the time when optical scanners are connected to the central server), this information (a pair of serial number - code) can be checked on a special website, or compared when printing the voting table in a local newspaper.
All information received from scanners is recorded in several related encrypted tables.
At the end of the election, the table is randomly decrypted, opening some of the encrypted fields for verification so that the chain for a particular ballot is not visible (which will violate privacy)
If the correctness of the partially disclosed table is confirmed, that is, the votes are taken into account correctly and correctly reflected in the final table, it can be said with a high degree of probability that there were no internal implementations.
Of course, this does not eliminate the stuffing, carousels, additional lists and other joys of voting common in, say, developing countries, but it allows everyone to make sure that his vote is correctly registered, which is already good. Again, there is a certain specificity associated with the fact that voting is not only a count. It is also the registration of candidates / parties, as well as equal opportunities for campaigning. In other words, elections must be open, equal and fair. But this is a topic for another conversation.
The Helios system (written in Django), unlike Scantegrity, is designed for relatively small (about 500 voters) online voting, for example, at university elections or other local communities. This is due to the problems of coercion to vote for a particular candidate, the stability of online services to DDoS attacks, and the fundamental impossibility of materially confirming the vote. Holderman believes that at the moment technology does not allow reliable online elections to be held on a serious (city or country level) scale, in his opinion it is a matter of decades, but when the problems are resolved, the future will certainly be with E2E online systems. Personally, it seems to me that it would be better to switch to new principles (see "Cloud democracy") than to wait until technologies reach the old principles.
Helios allows you to check whether the system encrypts your voice correctly (by several test attempts with different random keys), whether it records it correctly (and instantly, the ID-encrypted voice table is updated immediately and immediately becomes available to everyone), and selection after voting available for audit to all comers.
Unfortunately, in Russia at the moment there is a bunch of election commissions-prosecutors-investigations-courts (as I was convinced in practice, doing as an observer and witness of a crime in the Istra district of the Moscow region, where about 20% of the votes were stolen on 12/04/2011, stupidly rewriting protocols in more than half of the sites), for which E2E systems similar to Scantegrity are unlikely to be interesting. But time goes on, new people and new ideas will inevitably come, and E2E voting verification systems will certainly be introduced, sooner or later.