There have been attempts at, for want of a better term, “eVoting” before in various guises. From using computers to read paper ballots through to having fixed touch screens at polling stations, there have been lots of schemes in lots of countries, and many of those schemes have had problems. I’m going to address one particular scenario of my own making which I outline in detail below – but in a nutshell it could be described as “voting in a UK-wide election using an app on your smartphone”. As we use our smartphones to perform all kinds of transactions, why not include voting, right?
I’m also going to make the discussion shorter and easier, although probably less satisfactory, in that I’m going to describe the problems that would need to be solved, and potential problem scenarios, and I’ll stop there. I’m not going to offer any solutions because that would require a much longer article, and I’m not sure that all of them can be solved easily or elegantly.
All this leads me to believe that this is one of the hardest problems in IT today. I’m happy to be corrected on that, but the challenges are undoubtedly numerous and significant.
I recognise that there are potentially lots of advantages of “eVoting”, but, again, I’m ducking that topic for the sake of brevity.
I’m going to describe the voting scenario & the exact steps that would be taken by a voter, and what would happen to her vote once cast. This will then frame a discussion of the issues.
In my hypothetical world where one can happily vote by mobile phone, the voting experience looks something like this:
- In the run-up to the election, the authorities decide to support voting by mobile phone. Voters can vote through an app that’s developed and issued by the relevant government authority.
- Our voter, let’s call her Alice, decides she’d like to vote by mobile app, rather than in person at a physical ballot box, or by postal vote. She registers to vote by app. [an alternative would be via a mobile-friendly web page – almost all of the issues would still apply].
- Alice follows the build-up to the election, but doesn’t download the app until the day of the vote. She does so on the morning of election day.
- Alice opens the app, and it somehow authenticates that Alice is who she says she is
- Alice casts her vote at 5pm by clicking on the relevant option in the app
- The app then prevents her from changing her mind or from casting another vote
- Her vote is registered and stored anonymously by a cloud-based government service – no-one but Alice knows how she voted
- At 10pm the polls close. All the votes cast by people via their mobile phones are added to the ones cast by other means, the votes are counted, and winner declared.
- The database of all the votes cast is kept securely so that it can be audited if necessary
Hopefully this scenario (or “use case”) is entirely plausible and straightforward. Alice behaves in a “normal” way and doesn’t do, or attempt to do, anything unreasonable or illegal (although those use cases would have to be considered, designed for, and tested in a real system).
Here I’ll attempt to enumerate the various problems, from a systemic, IT perspective. They are listed in roughly the same order as the chronology of the scenario.
- The UK government has to put in place the infrastructure to receive the votes cast electronically. Amongst other things, some of the challenges include:
- How do we make sure that the count of the votes cast is correct, and that it can’t be tampered with? The votes will likely be stored in some kind of database, how can we ensure this isn’t hacked?
- How we can we be sure it’s actually Alice casting her vote, and not some imposter? What if Alice loses her phone on the day, or someone else obtains access, and votes on her behalf?
- Probably not an issue for the database, but how do we make sure that the system can register millions of votes per hour without crashing? Recently, when the deadline approached for registering to vote in the EU referendum, the UK government’s website couldn’t cope.
- Reliability and availability. What happens if the data centre where the data is stored becomes unavailable?
- How does Alice register to vote via app in advance? The same way that she could potentially register for a postal vote? Some kind of registration infrastructure and process will be required.
- Alice needs to download the app to her phone. Which phones are supported? There are tens of thousands of Android phone variants alone– will the app support them all? What happens if Alice has an older phone which the app won’t run on – is she disenfranchised? Can the app stores support millions of people downloading the app at the last minute?
- The app needs to present the voting options as clearly and unambiguously as the paper equivalent. The user experience (UX) needs to be considered carefully.
- When a voter casts their vote in person or by post, they have no chance to change it once it’s either in the ballot box or it’s in the postal system. The app needs to make it clear when the vote is being cast, and that Alice can’t change her mind after it’s cast.
- What happens if, at the moment the vote is cast, the phone has no signal? The app would have to cache the vote and continually retry sending the vote until it’s successful. The voter would need to be kept informed of the progress of the retrying.
- In the paper world, once the vote is cast, it’s supposed to be anonymous. No-one could, and should, know who you voted for, unless you’re happy to tell them of your own free will. In the electronic world, someone’s vote could easily be traced back to the voter. Safeguarding voters’ privacy at the same time as authenticating them would be very difficult to achieve.
- At the same time, it is important that independent entities can audit the vote (to check for instance, that people have voted once and only once). Keeping an anonymous but traceable audit trail is almost paradoxical and could be difficult to achieve. There would be issues about what to do with this data, once the count had been completed. Would it be kept forever, so it could be scrutinised at a later date (e.g. if problems or foul play came to light – in the same way that athletes’ urine samples are kept for long periods and re-tested at much later times once the tests for banned substances become more refined)? How would voters’ anonymity be guaranteed in perpetuity?
- Currently, if you register to vote by post, there are safeguards in place to prevent you from voting again in person at a polling station. Similar safeguards would need to be extended to eVoting; at the same time, if someone is unable to vote electronically they need to be allowed to vote in person at the polling station. This balance could be very difficult to achieve too.
- With the current paper system, there is an important principle that whilst the voting is going on, no-one knows what the ongoing score is because the ballot boxes are sealed until the count after the polls close. With eVoting, the realtime results will be stored in a database. This will need to be monitored by a technical team to check that it’s functioning correctly, but at the same time it would be very desirable for the technical team to have no access to the ongoing result as, if that information leaked out, it could influence voters who were yet to cast their vote.
- What’s to stop the software which registers and counts the votes from being infected by malware? It could be replaced by a malicious party to subtly but crucially alter the result. Bruce Schneier and others have made a convincing case for making such software open-source so that it can be scrutinised.
I think that are many tough problems to be solved before we move to eVoting as described above. Some of the problems are technical, some are social / behavioural. It’s essential that the voter can cast their vote in confidence, and on equal terms to those casting theirs via traditional means. Consequently, and despite being an optimistic technophile, I can’t see voting by mobile phone happening anytime soon.
Neil Tubman, Director, Terzo Digital. June 2016.
Disagree? Have I missed anything? Let us know via twitter: @terzodigital