Some thoughts on online voting
I was asked to comment on this Reddit thread: http://www.reddit.com/r/netsec/comments/s1t2c/netsec_how_would_you_design_an_electronic_voting/

This post is written with the assumption that a bitcoin-like system is used.
Nirvana / perfect solution fallacy
"I agree. I don't think an electronic system needs to solve every problem present in a paper system, it just needs to be better. Right now, for example, one could buy an absentee ballot and be done with it. I think a system that makes it less practical to do something similar is an improvement."

As always when considering options, one should choose the best solution, not stubbornly refuse any change that does not yield a perfect situation. Paper voting is not perfect either.

Threatening scenarios

"The instant you let people vote from remote locations, everything else is up in the air. It doesn't matter if the endpoints are secure. Say you can vote by phone. I have my goons 'canvass' the area knocking on doors. 'Hey, have you voted for Smith yet? You haven't? Well, go get your phone, we will help you do it right now.' If you are trying to do secure voting over the Internet, you have already lost."

While one cannot bring goons right into the voting booths, it is quite clearly possible to threaten people into voting a particular way right now. The reason it is not generally done is that every single vote has very little power, so the costs are absurdly high for anyone trying scare tactics. It is also easy to solve by making it possible to change votes after they have been cast. This is clearly possible with computer technology but hard with paper.

Viruses that target voting software

This is clearly an issue. However, people can easily check that their votes are recorded correctly in the votechain (the blockchain analogue). A sophisticated virus might wait until the last minute and then vote, but this can easily be prevented by turning off the computers used. Furthermore, I imagine that one would use specialized software for voting, in particular a Linux system designed specifically for safety and voting, and rigorously tested by thousands of independent coders. One might also create specialized hardware for voting, i.e. dedicated computers. Specifically, one can use read-only memory, which makes it impossible to install malicious software on the system. For instance, the hardware might have built-in voting software and a camera for scanning a QR code containing one's private key(s). Lastly, one can use 2FA to enhance security, just as one does everywhere else on the web where extra safety is needed.

Anonymous and verifiable voting

"You can either have a system where people can verify their vote and take some type of receipt to prove the system recorded their vote wrong, or you can have anonymous voting. You cannot have verifiable voting AND anonymous voting. Someone somewhere has to be able to decrypt or access whatever keys or pins, or you are holding a meaningless login or hash that can't prove you aren't lying or didn't change your vote etc."

Yes you can, with pseudonymous voting in a bitcoin-like system. Everybody can verify that no more votes are cast than there are eligible voters, but the individuals who control the addresses are not identifiable from the chain alone. They can choose to announce their address publicly so that people can connect the two; public figures will of course make use of this.

Selling votes

This is already possible. It is already possible to verify it as well, since one can easily film the process of voting, and this is not generally illegal either. The reason people do not generally buy or sell votes is that single votes have basically no power and hence are worth nothing. As pointed out in the thread, this is already possible with mail-in voting. Lastly, buying and selling votes is generally thought to be evil or wrong, but only when done directly. Indirectly it is clearly legal, and even where it is not de jure legal, it is de facto legal. In every modern democracy, it is common for politicians to offer certain wealth or income redistribution policies. If people who would benefit from these vote for those politicians, they are indirectly receiving money for voting for a given politician/party. For this reason, the buying and selling of votes is a non-issue.

The ease of digital attacks

It seems to me that the real problem is the scalability of attacks in the digital sphere. Changing votes in our regular system of several thousand human ballot counters looking at pieces of paper is rather costly. A well-planned digital attack can be virtually free of cost (not counting the time it takes to work out the attack). This is a concern, and that is why one will need tough security and verification technologies. I have suggested several above.

Interceptions of the signal

"Whatever: VPN, custom software, browser. It's the same thing. Malware or even an ISP could intercept and manipulate what is displayed or recorded. The software on the receiving end can also be manipulated, but is more likely to have some controls of the hardware and software; but again, who inspects this?"

This could be a problem. It can be reduced by having a nationally free, encrypted VPN/proxy for voting purposes.

Others who were faster than me

"Voting could not be further from even the simplest banking. The idea behind banking or any 'secure' online transaction is that it is not anonymous. Bitcoin might be the only viable anonymous type of online voting."

"The bitcoin protocol would actually be fantastic for this. I should explain for those unaware: Bitcoin is actually two different things. One: a protocol, and two: a software implementing the protocol to send 'coins' like money to others. I'll do a writeup a little later, but the gist of it is: the votes would be public for anyone to view, impossible to fake/forge, and still anonymous. This would be done by embedding the voting information into the blockchain."

"Strong encryption with distributed verification a la bitcoin. You don't have to trust the clients; you trust the math. I'm by no means a crypto expert, so don't look to me for design tips, but I suspect you could map a private key to each valid voter's SSN then generate a vote (hash) that could be verified by the voter pool."

These posts date to "1 year ago" according to Reddit. Clearly, I was not the first to think of the obvious.

Who is going to mine votecoins?

"So unless you are actually piggy-backing voting on top of another currency (like the main bitcoin blockchain), there's no incentive for ordinary citizens to participate and validate/process the blockchain. What are they mining? More votes?? That seems weird/illegitimate. If you say 'well, some government agency can just do all the mining and distribute coins to voters' this would seem to offer no improvement over a straightforward centralized system, and only introduces extra questions like"

"The government and the users who want to help out. Surely citizens have some self-interest in getting the election over with. This is a non-issue. If the government started the block chain, mined the correct number of coins, and then put it in the 'no more coins mode' then we would have the setup for it. If they could convince one of the major pools to do merged mining with them (I'm not sure what they would exchange for this, but it would only have to be for a week/month). If hiring a pool is out of the question, then just realize that the govt spends millions routinely on elections, and $10M should be more than enough to beat most mafias (~9 Thash/s, which is roughly what the current bitcoin rate is). If someone like the coke brothers tried to overpower this it would be very obvious."

Yes, this is the same solution I suggested: code the system so that the first block issues all votecoins. Another option is a dual-currency system, such that one can help mine votecoins and be rewarded only in rewardcoins. That way the counting is distributed to whoever wants the job.
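To tie together the three claims made above (pseudonymous addresses, a genesis block that issues every votecoin, and votes that can be changed after they are cast), here is an added Go example; it is not code from the original post or from the Reddit thread. The `Vote` layout, the `|`-separated signed payload and the use of ed25519 are my assumptions, and mining/consensus is left out: the block shows only what any observer can check from the public ledger, including why a sequence number is needed so that a coerced first vote cannot be replayed over the corrected one.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// Vote is one public ledger entry; a higher Seq from the same address replaces an earlier one.
type Vote struct {
	Pub       ed25519.PublicKey
	Candidate string
	Seq       uint64
	Sig       []byte
}
// Address is all the ledger reveals about a voter: a hash of the public key.
func Address(pub ed25519.PublicKey) string { return fmt.Sprintf("%x", sha256.Sum256(pub)) }

// payload binds address, candidate and Seq, so a signature cannot be moved or replayed.
func payload(v Vote) []byte {
	return []byte(fmt.Sprintf("%s|%s|%d", Address(v.Pub), v.Candidate, v.Seq))
}

// CastVote signs the vote with the voter's private key (e.g. scanned from a QR code).
func CastVote(priv ed25519.PrivateKey, cand string, seq uint64) Vote {
	v := Vote{Pub: priv.Public().(ed25519.PublicKey), Candidate: cand, Seq: seq}
	v.Sig = ed25519.Sign(priv, payload(v))
	return v
}

// Tally is what any observer runs over the public ledger: keep entries from addresses
// funded in the genesis block with valid signatures, take the highest Seq each, count.
func Tally(genesis map[string]bool, ledger []Vote) (counts map[string]int, rejected int) {
	latest := map[string]Vote{}
	for _, v := range ledger {
		addr := Address(v.Pub)
		if !genesis[addr] || !ed25519.Verify(v.Pub, payload(v), v.Sig) {
			rejected++ // unknown address, or forged/tampered entry
			continue
		}
		if prev, ok := latest[addr]; !ok || v.Seq > prev.Seq {
			latest[addr] = v
		}
	}
	counts = map[string]int{} // never more entries than eligible addresses
	for _, v := range latest {
		counts[v.Candidate]++
	}
	return counts, rejected
}
```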
The prize for the least imagination

"The simple answer is that I would not. The risks and downsides of such a system are inherently not worth the only benefit which I can think of (faster results). This should also answer your last question. This hasn't been done simply because there is no good reason to do it."

No other benefits? Like... an infinite variety of other voting systems???

The price of online voting

"You're assuming the cost of an electronic voting system and the time it will take for people to be comfortable using them will outpace paper and pen, which if you ask me is a pretty damn big assumption. Maybe someday, but until a grandma can easily understand and use electronic voting I am loath to even think about implementing it. A voting system needs to be transparent and easy to understand."

In Denmark it costs about 100 million DKK to hold a vote. Is he really suggesting this cannot be done cheaper with computers? I can't take it seriously.