
My Government is designing a direct democratic voting system and would like the system to be open sourced and unable to be corrupted by individuals and other stakeholders.

Some requirements as of now:

  • Citizen individual votes shall remain private.
  • The system must not be corrupted by (those?) running the system.
  • Vote results must not be changed by the system.

Open source code is an obvious part-solution, but how would you ensure that the correct code is used on the production live voting server?

Anders
mateos
  • This question is mainly a system design question. Although it has a lot of IT Security implications, I suspect that ServerFault might be a better forum for this. – baldPrussian Jan 18 '18 at 15:45
  • Perhaps, but it is about information security and making sure of data integrity – mateos Jan 18 '18 at 15:52
  • @baldPrussian, Albert: I don't think this will be welcomed on Server Fault. – S.L. Barth Jan 18 '18 at 15:55
  • Obligatory XKCD reference: https://xkcd.com/463/ – S.L. Barth Jan 18 '18 at 15:58
  • To point out the obvious: there is a pretty extensive [Wikipedia article](https://en.wikipedia.org/wiki/Electronic_voting) on this. This topic was widely discussed in the US and has been an issue (not only there) for several decades. Your questions - which are definitely valid - have a lot of answers on other sites, easily searchable. – Tom K. Jan 18 '18 at 16:18
  • Is this online voting or in person voting? – Eric G Jan 18 '18 at 16:20
  • For digital voting, maybe blockchain would help? – luizfzs Jan 18 '18 at 16:53
  • Online digital @eric g – mateos Jan 19 '18 at 04:05

2 Answers

In a perfect way you can't. There is always a group of people that could conspire to rig the system. It isn't feasible to allow every member of the public the opportunity to manually vet and observe each step.

So what you do is form a group made up of representatives from each party. In this way you know the group are extremely unlikely to rig anything because they would be unable to decide on a result to rig it to.

Another feature which can aid is to publish a full vote log in a way where each voter can verify their own vote is shown correctly. This can be done either by assigning each voter a unique private ID or using cryptographic signatures and assigning each user a private key. The downside of this is voter manipulation (I can threaten you to vote a certain way. In a paper/booth voting system you can vote differently and lie to me) - but with an online system someone can just stand over your shoulder and watch you vote anyway.

Hector
  • That 3rd paragraph(vote log), honestly a great idea, thanks for that – mateos Jan 18 '18 at 16:05
  • The voter log also allows forcing a vote. "Let me see you verify your vote, so we can see that you voted for Don Corleone like we told you..." – S.L. Barth Jan 18 '18 at 16:09
  • Voter private ID (perhaps per vote to avoid profiling for identification) on the public log; only citizens can see their private IDs and compare them to the public log. – mateos Jan 18 '18 at 16:10
  • @sl, why would citizens give away their votes? A private group usually wouldn't have enough money to influence a considerable amount of the population through bribes, while representatives can be bribed, unless you've got another scenario? – mateos Jan 18 '18 at 16:13
  • @S.L.Barth - Yes - but by "direct democratic voting system" you'd assume people are voting over the internet. So Don Corleone could just watch you vote (as alluded to in my third paragraph). – Hector Jan 18 '18 at 16:16
  • @Albert - First of all peer pressure - now your friends can say "I don't believe you - prove it". Secondly you can easily enough imagine organisations like Combat 18 or FARC issuing threats to large numbers of people. They only have to make a handful of examples of people for much greater numbers to do as they are told. Same issue with authoritarian governments. – Hector Jan 18 '18 at 16:21
  • @Hector That's always been my concern about voting from home. I guess both the actual voting, and the verification of one's vote, would need to be in a safe environment (e.g. a voting booth). But that sets up a whole new set of challenges. – S.L. Barth Jan 18 '18 at 16:25

It sounds like you may be asking about in person or online voting, so I will provide some info in both areas.

General

I would read the research from past conferences such as USENIX EVT/WOTE. DefCon had a voting village; this may be another source for research. People often present on voting security at different IEEE conferences as well.

You need to think about not only the software and systems, but also policies and procedures. For example, if the system is secure but there is no process to ensure all votes are collected from offline machines there could be fraud.

From a holistic perspective, you also need to make people trust the system or they may opt-out. If there is a lot of negative publicity that may reduce turnout.

With a physical digital voting system you would also want some type of physical tally print out, punch out that would ensure the total number of votes match those entered in the machine and observed by the observer.

Anonymity is difficult in any online system.

Online

Estonia is well known for its online voting and e-Citizenry in general. You may want to review some of the things that they do and also some criticism:

Blockchain

  • Follow My Vote: "By casting votes as transactions, we can create a blockchain which keeps track of the tallies of the votes. This way, everyone can agree on the final count because they can count the votes themselves, and because of the blockchain audit trail, they can verify that no votes were changed or removed, and no illegitimate votes were added."
  • Kaspersky Polys: According to Kaspersky Lab, a robust voting system should ensure voter anonymity, provide protection against trash votes, vote trafficking and voter coercion, and enable voters to check that their votes have been recorded in the blockchain. It’s also important to encrypt the voting results recorded in the blockchain, otherwise intermediate results could become available before voting ends, which is often against the law.
Eric G
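
The public vote log from the first answer and the audit-trail claim in the Follow My Vote quote, sketched as an added example (not code from either answer or from any voting project): each voter keeps a random receipt, the log publishes only its hash next to the choice, and entries are hash-chained so anyone can recheck the log against a head value published separately. All names here (`cast`, `verify_chain`, `my_vote`, the receipt/tag scheme, `GENESIS`) are assumptions made for illustration.

```python
import hashlib, hmac, json, secrets
from collections import Counter

GENESIS = "0" * 64  # constructed starting value for the chain (assumption)

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def entry_hash(prev: str, tag: str, choice: str) -> str:
    # Canonical JSON so every verifier hashes exactly the same bytes.
    return sha256_hex(json.dumps([prev, tag, choice], separators=(",", ":")).encode())

def cast(log: list, choice: str) -> str:
    """Append a vote and return the secret receipt that only the voter keeps."""
    receipt = secrets.token_hex(16)
    prev = log[-1]["hash"] if log else GENESIS
    tag = sha256_hex(receipt.encode())  # the log shows the tag, never the receipt
    log.append({"prev": prev, "tag": tag, "choice": choice,
                "hash": entry_hash(prev, tag, choice)})
    return receipt

def verify_chain(log: list, published_head: str) -> bool:
    """Public check: recompute every link, then compare the final hash with a
    head value published out of band (e.g. signed off by the party observers).
    Without that external head, whoever runs the server could rewrite the chain."""
    prev = GENESIS
    for e in log:
        if e["prev"] != prev or e["hash"] != entry_hash(prev, e["tag"], e["choice"]):
            return False
        prev = e["hash"]
    return hmac.compare_digest(prev, published_head)

def my_vote(log: list, receipt: str):
    """Voter-side check: the recorded choice for this receipt, or None.
    The same receipt also proves the vote to a third party, which is the
    coercion problem raised in the comments."""
    tag = sha256_hex(receipt.encode())
    return next((e["choice"] for e in log if e["tag"] == tag), None)

def tally(log: list) -> Counter:
    return Counter(e["choice"] for e in log)

def demo():
    log = []
    receipts = [cast(log, c) for c in ["yes", "no", "yes"]]  # constructed ballots
    head = log[-1]["hash"]               # value that would be published separately
    ok_before = verify_chain(log, head) and my_vote(log, receipts[1]) == "no"
    log[1]["choice"] = "yes"             # simulated tampering with one stored entry
    return ok_before, verify_chain(log, head), my_vote(log, receipts[1]), tally(log)
```

The altered entry changes the tally, but both the public chain check and the affected voter's own lookup expose it.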