The Future of Elections in the Internet Age

09 Aug 2015

I recently went to Pune to be part of Remote Voting Conference organised by C-DAC, with active participation from the Electoral Commission of India. The agenda of the two-day conference was the issue of allowing indian citizens to vote remotely, and the various aspects related to it. This was a collective brainstorming event meant to bring together administrative and technical people together to study the pros and cons of online elections (including whethere we should even go for it or not, and if so, what things to keep in mind). It was a very academic affair where where studied opinions as well as complex technology issues and case studies were discussed and debated.

The first thing I gained when leaving from this event was an even more amount of respect for the Election Commission of India. They have done an amazing job so far under extremely challenging circumstances and pressure, and are proud of the fact that they are responsible for a free and fair election for the largest democracy on earth and aware of just how important their role is for the functioning of democracy.

We have around 815 million eligible voters in India. The ECI is responsible for all national and state elections. Its around 3.5 billion votes being handled every 5 years or statistically speaking, 20 lakh votes being handled every day. This is a huge undertaking for the world’s largest democracy, and they have an extremely tough job where the stakes are high if things go wrong.

The second thing I took away from this event is being made aware of the complexity of the problem at hand. This is a very hard problem to solve, with a lot of complicated issues from legal, administrative, political, public policy and technical angles.

This post is going to be a general primer on the issue. Some of the stats and examples I have cited came from the speakers in the conference, and I couldn’t verify them myself - take everything mentioned here as subjective opinion unless you have verified them yourself.

We’ll first start with some basic clarifications of terms related to this whole topic.

  • i-Voting: This is voting done through the internet. It can be through a website, or an app as well.
  • e-Voting: This is supposed to be voting done through any electronic channel, but mostly, it is thought of as voting done through Electronic Voting Machines (EVMs). We’ll just consider e-Voting as voting done through EVMs for now.
  • Paper Ballot Voting: The voter gets a form, fills out his candidate, and sends it back to the election commission authority through regular mail.
  • R-Voting: Any type of voting where you do not come to a poll booth to vote. This can include voting through the internet, or a kiosk, or even posting paper ballot through regular snail-mail.

During this conference, sometimes i-Voting was described as e-Voting, which made things a bit confusing (and I had to sift through the context of what they were saying to determine which one they meant, which was annoying sometimes), so for the purpose of this post, we’ll stick to the definitions above.

Voting can also be divided into two broad categories according to the setting in which they are conducted.

  • Supervised Voting: Or voting in a supervised setting, this is when the environment in which the voter is operating, is supervised by election officials, so that they can see if things are happening in a free and fair manner. The standard example of this would be the typical poll booth you go into for voting.
  • Unsupervised Voting: Or voting in an unsupervised setting, this is when the environment can not be checked and monitored by the election officials. An example of this could be Paper Ballot Voting, and internet voting.

Why do we need people to vote remotely in the first place?

There are a lot of Indian citizens who are left effectively disenfranchised because of the current limitations of the electoral system.

The most obvious of the lot are NRIs (Non-Resident Indians). NRIs are Indian citizens living abroad - UAE, US, UK, Africa, South-East Asia, Australia and many many more places all around the world. Often it is not possible for them to travel back to India to their registered constituency just to vote. The second category are the armed forces, who are often deployed at extremely remote areas where it is not possible for them to vote. The third are people who are election duty themselves, which include the police and paramilitary forces deployed guarding the election booths and officials, as well as the election officials and poll duty officers themselves.

Then you have people who are disabled who in some cases may have extremely limited mobility, as well as the very old who might have the same problem. Then of course, you have the general citizens who might be working in another city or state within India, and for some reason or another, can’t go back to their constituency to vote at election time.

All of these people are Indian citizens, they deserve a fair chance to exercise their franchise in a practical manner.

There are existing examples of countries conducting their elections online. Estonia and Switzerland were one of the first countries to do so. For Estonia in 2005, only about 10,000 people used internet voting in a local election, but by 2007 it was used in their national election. In the 2014 European Parliament elections, almost one-third of votes from Estonia were cast online.

The U.S. State of Florida allowed overseas residents to vote using computers in 2008. The Ministry of Foreign Affairs in France has allowed overseas residents the option to vote online too. The Philippines also conducted its first national election using the internet as an option in 2010.

Managing ballot box voting is also a very costly affair, and places the security of many government employees at risk.

What could go wrong?

What if the system is gamed or compromised?

Well, the entire future of a country (and the world actually) could go in another direction if the wrong party is elected, especially with a country the size and power of India. If the electoral process is compromised at a large scale, then the faith people have in the electoral process will be diminished, which might result in chaos. Enemy states (and maybe even allies) might have their own interests in stopping or gaming this system.

Besides a party gaming the system to choose a party of their own as winner, there are other scenarios too. Imagine someone compromising a security flaw in this system and not telling anyone about it. Once the government is formed, then they announce the exploit leading a fresh round of elections. Rinse and repeat. You could create political instability for months or maybe even years with this.

It is also a given that i-Voting will attract large scale co-ordinated attacks on the infrastructure, ranging from simple DOS attacks to mass scale layer-7 attacks. This is a point I (and some others) raised there as well. Apart from security, we also would need to ensure scalability. There is no point in having an i-Voting option if the website doesn’t load. Furthermore, if people registered for i-Voting are de-registered from the electoral votes (so that they can’t vote in polling booths) then in case of the website not loading, they are basically disenfranchised.

We also know that the underground betting industry, colloquially called the satta market, constantly tries to pick winners. If there is a flaw in the system, it could mean big money for anyone in that industry, and people would try their best to exploit it.

The Pentagon has spent millions into research projects for online voting, and then scrapped its plans. Norway also went for online voting, but backed out later.

In other words, allowing voting in an unsupervised setting is something to be taken extremely seriously.

What all needs to be considered?

Technical Matters

The first thing is whether the infrastructure would hold up to the traffic and the attacks pointed towards it. In 2014 Akamai saw an attack of 320 gigs/sec. Page views of 270 million per second. Thats insane, and the frequency and sophistication (them being multi-vector) of these attacks keeps getting more and more.

The voting process itself should be end-to-end verifiable (E2E). A good voting system will provide evidence that the election outcome is correct, which means that the system must be auditable (including being open source) and be audited. This essentially means that the voter should be assured that his/her vote was counted correctly and was not tampered with, and at the same time it should not be made public whom the person voted for. This is a very tough problem to crack and a lot of companies and research organisations have been doing work on this very field for a long time in the hopes of finding a good solution.

A few companies working in this space are EveryoneCounts, Helios and Scantegrity. Craig Burton talked about the Victorian Election Commission using a system called vVote. It uses something called the Prêt à Voter which can be best described in the following video (It’s not heart-racingly exciting, but you’ll get the point):

In this system, the voter gets slip of paper. One half with a candidate list (the order of candidates are randomised), and the other half with checkboxes where the voter is supposed to mark his/her vote along with a random ID value. Once the voter votes by checking the checkboxes in his/her preferred order, the half with the candidates list is destroyed, and the other half of the slip of paper where the voter marked his vote is read into the system (typically, using an OCR system), and then given back to the voter to take back with him/her. This piece of paper is the receipt and confirmation of his/vote being recorded.

Since the system which reads the voter’s response only reads the checkboxes and not the candidate list (as it’s destroyed), secrecy is maintained. The random ID mentioned in the slip of paper contains cryptographic information which can later on be used to reconstruct the order of the candidate list which was destroyed, and thus the algorithm can determine what candidate the voter voted for and count it in the system. This can only be done by the electoral tellers as only they have the secret keys to decrypt it.

This system generates a paper trail while working electronically too. It satisfies, to a reasonable degree, the requirements of end-to-end verifiability and security. Then there are other systems like Scantegrity (which was used in the Takoma Park elections in the United States) which uses a slightly more complicated system involving special ink.

As great as these solutions are, these solutions still need a supervised setting. Online voting still can’t happen in this scenario. Also, where do you stop with end-to-end verifiability? We can determine with full confidence if a system is insecure (by discovering a vulnerability), but we can never tell with 100% confidence if a system is secure. There needs to be an acceptance level for verifiability as well.

Other factors to keep in mind are things like dispute resolution, secure and usable authentication, DDOS attacks, as well as malware and viruses. For example, there might be malware designed to specifically target your actions in the election website. All these problems need an answer.

The UI also needs to be responsive according to a range of current devices and screen sizes, and care needs to be given that the layout doesn’t break in certain screen sizes. If so, it might create confusion and may even inadvertently cause a voter to vote for another person. In a country like India which has 22 official languages and the highest blind population in the world, things like localisation of content and web accessibility would also be needed to be taken care of.

Two critical aspects, as far as any election goes, is ballot delivery and vote collection. In the online scenario, this will not just hinge on the data centers hosting the data and site, but also the network between them and the end-user. Though its a given that things would need to be served over HTTPS, there needs to be further analysis on if there are any possible ways for actors to snoop and/or modify information in the network before it even gets a chance to reach the central server. There have been flaws discovered in TLS in the past.

Administrative and Policy Matters

One of the things to consider in elections is the matter of voter coercion. In poll booths, threats like booth capturing, booth stuffing etc were pretty common. One of the senior electoral officers also recounted tales of criminals leaving the poll booth alone, but attacking the convoy of the electoral officers when they were on their way back with the collected votes to count at a central location. Some people will try every trick in the book to influence or sabotage the process.

Hence, it’s not out of the picture to imagine people being influenced or pressured to vote for a particular candidate in an unsupervised setting. If you have the option to vote through your computer or mobile phone, then anyone can threaten you to vote for a particular candidate while they watch alongside that you did.

One solution which was discussed was to allow people to vote multiple times, with only the last vote being counted. So if a person threatens you to vote a certain way, you do it, and when they leave, you vote again, and that is counted instead of the first one. This still leaves potential for abuse, though. A person can threaten a group to vote a certain way at 11:59PM on the last day of voting, and then leave. Since that is likely your last vote, that will count.

A much better solution would be to give two logins to a user (an optional choice). One fake and one real one. If someone pressures you to vote a certain way, login using the fake one, and vote for whom you really want using the real one in private. This way, even if someone pressures you to vote for a certain candidate at the last moment, it doesn’t matter as long as you login using the fake login.

Another issue is preventing people from voting twice (online and then going to the polling booth to vote, or vice-versa). The Indian state of Gujarat recently did one of their local municipal election online, and shared their story of how they dealt with it. All people who wanted to vote online had to register around a month in advance. Those people were then verified in person, and given a login/ID (the login was given on email and the password was given as an SMS). Then their names were struck from the paper based electoral rolls, so that they couldn’t vote offline.

They used a Java Applet(!) and the person had to register his machine as the one he wanted to vote from. They also restricted it to 6 votes per IP. So a person couldn’t use the same IP for mass casting of votes. Personally, I have some reservations with this approach as I think this would be too easily circumventible on any election where the stakes are much higher.

One more issue is voter education and assistance. In the Gujarat municipal elections, they also set up help desks where people could call, in case they had any questions about how to vote online. They also had to conduct training sessions for their own officials to make them familiar with the process of how the online voting would happen. They made a separate data center to handle the election work load, which will be used for further elections too. In fact, they plan to conduct all upcoming the Gujarat municipal elections online coming this October.

Right now there are no laws for unsupervised voting in India. We would need some as a first step, as well as model codes of conduct for all relevant parties. Opening up online voting will first of all require some changes in a few acts in the Indian parliament. I think the ECI has put up some papers for modification of the IT Act for this purpose, and it might be tabled in parliament soon. All political parties will have to be on board and be convinced that it is a solution worth going for. This is a challenge, but it has been done before. For example, when EVMs were introduced, there were a lot of the same questions being asked of it, as they are asked of now with internet voting, but the Election Commission handled it well.

Now with VVPATs, almost everyone is on board with EVMs. There were a bunch of Public Interest Litigation cases filed within the courts related to EVMs but with now with VVPATs they are convincing people that they are a good solution. VVPATs have a bunch of checks to curb tampering, including a one-time programmable chip and the fact that it disables the machine altogether if any one tries to open it. VVPAT machines are still used in a very small scale, but in future elections it is expected to increase in number.

A more tricky thing with opening up online voting around the world would be the monitoring of the election in places where India does not have jurisdiction. Firstly, there is the issue of timezone differences in case we allow voting to happen around the world (and especially so if we use CDNs which are located around the world to handle the traffic). We’ll need staff and operations to handle and monitor it around the clock. The next question is - How will you monitor online voting for an outside country (in this case India) in places where elections itself don’t happen. Would that be even legally possible or allowed by the host country? What kind of diplomatic challenges would it pose?

The Way Forward

There are certain people who do not want online voting to happen. They have sound and very valid arguments, and in the current state, it does have flaws if used on a massive scale - like a national general election. Elections have to move with the times, but at what cost?

However, I have no doubt in my mind that the future of elections will have to include a component of internet voting as well and it makes sense for governments to take a serious look at it by studying the topic closely. This is simply how the world and technology is moving. This is not to suggest that it has to be the only option in the future - it just will need to be one option out of a few. Traditional voting through poll booths will need to be there always.

Making internet voting in a supervised environment is also a possibility. For example, you could visit a site but only though a kiosk (the kiosk could be fully under the supervision of the Election Commission including the hardware and software stack). That is indeed a possibility, but is it worth going for? In such a case, instead of kiosks, could we use the existing ATMs to do it?

I think i-Voting is inevitable. Its not a matter of if, but when. In its current form it is quite risky for a large scale election the size of India, but I’m hopeful that we’ll figure out the solutions of most of the challenges in due time. It may take a few years, maybe even a decade, but it will come, and we need to start looking into the pros and cons right now. The way forward would have to be to do small local pilot projects, take relevant learnings from them and increase in scale till we eventually reach the general elections.

We can also restrict it to certain personnel only. For example, start out with giving access to just defence personnel in remote areas, then expand the group to NRIs in the next election, and then to old people and disabled in the next and so on until we reach the general population.

I think for now, the ECI might start with an e-Postal ballot as a short term goal and i-Voting as a long term goal. An e-postal ballot is where the ballot can be sent online to the voter, and he/she can print it, mark his choice and send the ballot through regular mail in a sealed envelope. The next step after that would be to disregard the need to print it, and send it online.

I have full faith in the Election Commission of India. They fully understand the gravity of the responsibility they have, and I’m sure they will take action in a very studied, deliberate method. It’s great that they are asking the right questions right now and are soliciting feedback on possible approaches. A speaker in the event said during the event that even the best technology doesn’t matter if the public doesn’t believe in it. I think this is true and it will behoove us all to move on this in a slow and steady pace, given whats at stake here.

comments powered by Disqus