Election Security

Democracy demands the integrity of our elections:  if we cannot trust the votes, how can we trust our government?  Election security is a difficult and complex problem, and one in which we must sacrifice some security to gain other security.  Fair representation also tends to require more-complex voting rules, necessitating strict adherence to security procedures.

Security Trade-Offs

The single most important election security decision is the choice between anonymous and public ballots.

Anonymous ballots sacrifice true verification of our elections.  We can take measures to minimize election tampering, but we can never publish all ballots with names for individuals to verify.  Anonymous ballots require that a person cannot prove any given ballot is their ballot.

Public ballots, on the other hand, sacrifice election integrity at the ballot.  Public ballots allow voters to sell, trade, or coerce votes.  Once a person can prove their vote to a third party, that third party can coerce the voter into voting a particular way with threats, bribes, or social pressure.

Our anonymous ballots protect us from a great deal of election tampering; without them we could not vote honestly.  While public ballots theoretically allow any voter to call out an incorrectly-recorded vote, a voter could just as easily lie about it, and nobody can tell a misrecorded vote from a false claim; this makes public ballots a worthless security measure.

Paper Ballot Security

Most people are familiar with paper ballots.  Paper ballots, in concept, represent physical, countable votes written on paper and placed into a box.  While implementation differs, this model works well for basic election security study.

With paper ballots, we are chiefly concerned with the integrity of the ballot box.  The general public is allowed to observe every moment of the voting process to ensure this integrity.

Prior to voting, election officials open the ballot box and demonstrate its emptiness to observers.  This prevents ballot box stuffing, that is, pre-loading the ballot box with votes.  Visibly counting voters as they cast ballots is another method, ensuring that the number of ballots in the box matches the number of voters observed casting them.

Paper ballots require anti-forgery features; otherwise a voter can pre-fill several forged ballots and slip them into the box stacked with their own.  Election judges often drop a tear-off tab from each ballot into a visible ballot count box and verify that the number of tabs matches the number of ballots distributed to voters.

Ballot boxes are sealed in a tamper-evident manner and never taken from public view without election judges of opposing interest in attendance.  This allegedly prevents ballot tampering, but in reality judges of opposing interest could agree to trade tampering opportunities, each altering the races that matter more to their own side.  In truth, election judges must count ballots before removing the boxes from view, or else we cannot guarantee integrity.

Finally, election judges hand-count ballots, announcing each vote for the observers.  This allows verification of figures from each polling location, as observers can record and publish the observed count.

Current Concerns

Our election system brings with it a variety of concerns, some the result of trade-offs.

Voter disenfranchisement may occur if a voter cannot reach the polls.  We assign polling places to voters to avoid voter fraud:  a voter presents at the assigned polling place and declares their name, which is announced loudly.  The polling place, being close to their neighborhood, will likely contain neighbors and others who recognize the voter and would recognize an impostor; likewise, the real voter may later attempt to vote, causing a conflict that alerts the election judge.

In general, a voter may only use the assigned polling place, preventing impostor voting and repeat voting.  To combat disenfranchisement, we allow early voting and mail-in ballots.  This weakens the assigned-polling-place defense, but still prevents double voting because the election board records which names have returned a ballot.  Ballots remain anonymous because these records are not published.

A mail-in voter can prove their vote by letting a third party watch them fill out the ballot, which opens the election to voter coercion and vote buying.  Postal voting also adds a tampering concern in transit and handling, where we must trust election judges.  Delivering and opening ballots in the presence of observers does not fully protect against tampering:  voter lists reveal the party ballots individuals have historically cast, and the return address on an envelope therefore predicts which party a ballot will likely support, so operatives along the way can tamper selectively.

We accept these concerns because they affect a subset of ballots, and so are diminished in scope; and because voter disenfranchisement and vote tampering are similar attacks, where disenfranchisement is certain while tampering is only ever partially effective.  Tampering with mail-in ballots is extremely difficult, even if theoretically possible, because it requires broad collusion.

Security with Modernized Voting

Modernized voting requires strict security procedures.  Even simple population growth has increased the number of ballots counted and the difficulty in summing the counts, changing our security concerns.  Ranked ballots, complex voting methods, and computerized counting raise additional concerns.

Computerized Voting and Counting

Computerized voting requires strict adherence to secure handling procedures.  It introduces the possibility of tampering with the machines themselves, and it can hide ballots from observers’ view.  On the other hand, computerized voting mitigates ballot forgery.

System and Software Security

Computerized voting machines must never connect to any network.  A voting machine must display its vote totals and transfer vote details to physical media, which requires election judges to walk to each machine and demonstrate this collection.  Observers can then record and verify vote totals before the votes move to any system exposed to network attack.

Several months prior to any election, the election board must publish the voting software image, along with its source code and build instructions.  This image includes an entire operating system as installed on the voting machine.  Several copies of the image must be brought to the election location on read-only media.  Independent observers may handle each copy, verify it does not differ from the published image, and return it to the election judge who will verify it has not been tampered with.

The election board must also publish the voting system hardware and system imaging instructions.  For example:  they could publish instructions to configure a Raspberry Pi 3 B+ with touch screen to boot from USB, boot a USB CD drive containing the voting software image, insert a 2GB SD card after boot, install the voting software, and reboot onto the SD card.  Performed in public, these instructions rule out a sham installation and ensure each voting machine contains exactly the published voting software image.  The election judge must perform these steps for each voting machine while observed.

These measures allow third parties to examine and thoroughly test the voting system for several months prior to any election.
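As an added example (this is not the page’s own procedure or any election board’s tooling), here is the check an observer would run on each copy of the read-only media against the board’s published manifest.  The manifest layout (artifact path to SHA-256 hex), the artifact names and the sample image are assumptions constructed for illustration:

```python
# Added example, not from the original page: verify that a copy of the
# voting-system image on read-only media matches the election board's
# published manifest.  The manifest layout (artifact path -> SHA-256 hex)
# and the artifact names are assumptions made for illustration.
import hashlib
import hmac
import os
import tempfile

CHUNK = 1 << 20  # hash 1 MiB at a time; a full OS image will not fit in RAM on a Pi


def sha256_file(path):
    """Stream a file through SHA-256 without loading it whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_media(media_dir, manifest):
    """Return {artifact: bool} for every artifact the published manifest names.

    A missing artifact is a failure: observers must see every file the board
    published, not only the ones this copy happens to carry.
    """
    results = {}
    for name, expected in manifest.items():
        path = os.path.join(media_dir, *name.split("/"))
        if not os.path.isfile(path):
            results[name] = False
            continue
        # compare_digest is a constant-time comparison; cheap enough to use by habit.
        results[name] = hmac.compare_digest(sha256_file(path), expected)
    return results


def demo():
    """Constructed sample: a 'published' image, a faithful copy, then a copy with one bit flipped."""
    image = b"voting-os-image\n" * 4096        # stands in for the real OS image
    config = b"dtoverlay=vc4-kms-v3d\n"         # stands in for a boot config file
    manifest = {                                # what the board published months earlier
        "voting.img": hashlib.sha256(image).hexdigest(),
        "boot/config.txt": hashlib.sha256(config).hexdigest(),
    }
    with tempfile.TemporaryDirectory() as media:
        os.mkdir(os.path.join(media, "boot"))
        with open(os.path.join(media, "voting.img"), "wb") as f:
            f.write(image)
        with open(os.path.join(media, "boot", "config.txt"), "wb") as f:
            f.write(config)
        faithful = verify_media(media, manifest)
        # Tamper: flip one bit deep inside the image, as a subtle modification would.
        with open(os.path.join(media, "voting.img"), "r+b") as f:
            f.seek(12345)
            byte = f.read(1)[0]
            f.seek(12345)
            f.write(bytes([byte ^ 0x01]))
        tampered = verify_media(media, manifest)
    return faithful, tampered


if __name__ == "__main__":
    for label, outcome in zip(("faithful copy", "tampered copy"), demo()):
        print(label, outcome)
```

A matching hash proves only that this copy equals what the board published months earlier.  Whether the published image honestly corresponds to the published source is a separate question, and it is the one the source code, build instructions and an independent rebuild exist to answer.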

Ballot Recording Security

Computerized voting should never scan paper ballots.  An optical reader can misread a paper ballot, whereas software input can print a paper ballot if desired and, regardless, always displays the voter’s input as recorded, so long as the software is not faulty.

If producing paper ballots, the voting machine must print each ballot for the voter to compare to the values on-screen, then accept it for retention in the machine’s own ballot box for later collection.  A rejection must summon an election judge to examine the machine, verify whether the ballot is identical to the on-screen values, and physically remove the ballot from the display area.  If the ballot is not identical, this must be publicly reported.

Each time a voter casts a completed ballot, a display above the voting machine and in public view should increment a counter.  This lets observers track the precise number of ballots cast, reliably and accurately.

When collecting ballots, the election judge must insert a hardware credential—such as a FIDO U2F and hardware OpenPGP device—to authenticate and to digitally sign the collected ballots.  The election judge installing the voting software image will configure each voting machine upon first boot to use this device as an administrative credential, and will add any further election judges only under public observation.

When collecting ballots, each machine must display for public observation the total number of ballots and the pairwise vote tallies.  This provides a sort of “hash” against which to check a later published list of all ballots:  a published list whose pairwise tallies differ cannot be the machine’s ballots.  Note that the check is one-directional:  distinct sets of ballots can produce identical pairwise tallies (the two ballots A>B>C and C>B>A tie every pair, and so do A>C>B and B>C>A), so matching tallies are consistent with, but do not prove, an unaltered list.  The signature over the collected ballots is what binds the list itself.

The election judge should also use the last voting machine to exhibit ballot totals and pairwise vote tallies for the polling location.

The election judge carries a digitally-signed copy of each machine’s full set of collected ballots to a recording machine.  This machine runs the same software image as the voting machines; however, it connects to the Internet and transmits the votes to the election board.  Upon transmission, it computes and displays the polling location’s totals, which must match the totals exhibited on the last voting machine.

The judge connects the recording machine to the election board via an encrypted VPN.  The judge uses two-factor authentication—such as FIDO U2F—to access the VPN and to authenticate when uploading the ballots; and the election board only accepts ballots signed by the judge’s OpenPGP key.

Although multiple layers of cryptographic security protect the process, they are a convenience rather than the root of trust.  The transparency of publishing the system image, displaying verifiable ballot statistics, and isolating voting machines from the Internet is what lets public observers independently verify that the election results are tamper-free.  All security must hold at the voting machine, during voting and ballot collection.

Independent Verification

The election board must allow any and all third parties to download all ballots.

When the judge collects ballots, the voting software first assembles a set of anonymous, numbered ballots and signs it with the judge’s OpenPGP private key, which never leaves the hardware device.  It then appends a list of voter IDs and the number of the ballot each voter cast, and signs the whole block.  Ballots are numbered non-sequentially, with random numbers, and each race is numbered separately:  reassembling an individual’s whole ballot requires the voter ID list, which is therefore the one artifact whose custody links voters to votes.

The election board strips the list of voters from the distributed ballots.  Third parties receive no voter identification except for polling location and machine number.  This, along with each race having its own numbering, prevents reassembly of whole ballots, sequencing of ballots, and identification of voters from partial information about their whole ballot or the time at which they cast their vote.

Third parties can thus compute and verify the pairwise tallies for Condorcet elections and the intermediate rounds of Single Transferable Vote elections.  After verifying individual machine votes and polling place totals, these third parties can recompute the election results in total, which amounts to a full recount.
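As an added example that is not part of the original page, the following models the export described at collection (the signed anonymous ballot set, then the appended voter list), the election board’s stripping of that list, and the third-party recount of pairwise tallies and Condorcet winners.  It also shows why the pairwise tallies a machine displays at collection are a consistency check rather than a fingerprint.  Record layout, race names and voter IDs are assumptions; the OpenPGP signatures are represented only by the digests they would be made over, since signing with the judge’s hardware device is outside the example:

```python
# Added example (not the page's code): machine-side ballot block, board-side
# stripping of the voter list, and third-party recount.  Layout, race names and
# voter IDs are assumptions; the OpenPGP signatures the page describes are
# represented only by the SHA-256 digests they would cover.
import hashlib
import itertools
import json
import secrets
from collections import Counter

def pairwise_tallies(ballots, candidates):
    """Count, for each ordered pair (x, y), the ballots ranking x above y.
    Candidates left off a ballot rank below every ranked one and tie each other."""
    tallies = Counter()
    for ranking in ballots:
        pos = {c: i for i, c in enumerate(ranking)}
        for x, y in itertools.permutations(candidates, 2):
            if x in pos and (y not in pos or pos[x] < pos[y]):
                tallies[(x, y)] += 1
    return tallies

def condorcet_winner(tallies, candidates):
    """The candidate who beats every other head-to-head, or None on a cycle or tie."""
    for x in candidates:
        if all(tallies[(x, y)] > tallies[(y, x)] for y in candidates if y != x):
            return x
    return None

def _digest(obj):
    """Canonical serialisation hash: what an OpenPGP signature would be made over."""
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()

def export_machine(machine_id, races, cast):
    """Assemble the block a judge collects from one machine.
    cast: list of (voter_id, {race: ranking}).  Each race draws its own random
    ballot numbers, so records of different races cannot be joined without the
    voter index; sorting by number discards the order in which votes were cast."""
    records, index, used = [], [], {race: set() for race in races}
    for voter_id, choices in cast:
        numbers = {}
        for race, ranking in choices.items():
            n = secrets.randbelow(1 << 32)          # CSPRNG, never a seeded PRNG
            while n in used[race]:
                n = secrets.randbelow(1 << 32)
            used[race].add(n)
            numbers[race] = n
            records.append({"race": race, "number": n, "ranking": list(ranking)})
        index.append({"voter": voter_id, "numbers": numbers})
    records.sort(key=lambda r: (r["race"], r["number"]))
    ballots = {"machine": machine_id, "records": records}
    ballots["digest"] = _digest(ballots)             # first signature: ballots only
    block = {"ballots": ballots, "voters": index}
    block["digest"] = _digest(block)                 # second signature: whole block
    return block

def strip_voter_list(block):
    """Election board step: distribute the signed ballot set, never the voter index."""
    return block["ballots"]

def tallies_for(records, races):
    """Per race: (ballot count, pairwise tallies), as a machine displays at collection."""
    out = {}
    for race, candidates in races.items():
        rankings = [r["ranking"] for r in records if r["race"] == race]
        out[race] = (len(rankings), pairwise_tallies(rankings, candidates))
    return out

def recount(published, races):
    """Third-party recount: check each machine's records against the digest they
    were signed under, then merge into per-race (count, tallies, Condorcet winner)."""
    merged = {race: [0, Counter()] for race in races}
    for ballots in published:
        body = {k: v for k, v in ballots.items() if k != "digest"}
        if _digest(body) != ballots["digest"]:
            raise ValueError(f"machine {ballots['machine']}: records do not match digest")
        for race, (n, tallies) in tallies_for(ballots["records"], races).items():
            merged[race][0] += n
            merged[race][1].update(tallies)
    return {race: (n, t, condorcet_winner(t, races[race])) for race, (n, t) in merged.items()}

RACES = {"mayor": ["Ann", "Bob", "Cy"], "levy": ["Yes", "No"]}

def demo():
    """Constructed sample: two machines at one polling place, five voters."""
    m1 = export_machine("P07-M1", RACES, [
        ("V1001", {"mayor": ["Ann", "Bob", "Cy"], "levy": ["Yes"]}),
        ("V1002", {"mayor": ["Bob", "Ann"], "levy": ["No"]}),
        ("V1003", {"mayor": ["Cy", "Ann", "Bob"], "levy": ["Yes"]}),
    ])
    m2 = export_machine("P07-M2", RACES, [
        ("V1004", {"mayor": ["Ann", "Cy", "Bob"], "levy": ["No"]}),
        ("V1005", {"mayor": ["Bob", "Cy", "Ann"], "levy": ["Yes"]}),
    ])
    return recount([strip_voter_list(m1), strip_voter_list(m2)], RACES)

if __name__ == "__main__":
    for race, (count, tallies, winner) in demo().items():
        print(race, count, "ballots; winner:", winner, dict(tallies))
```

Running recount over the stripped blocks reproduces the polling place’s totals with no voter identification present, and altering any published record breaks the digest check, which in the real system is the signature made with the judge’s hardware key.  The two-ballot pairs A>B>C with C>B>A and A>C>B with B>C>A yield identical pairwise tallies, which is why the tallies displayed at collection can refute a forged list but cannot by themselves vouch for one.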

Internet Voting

Internet voting brings with it a great many complications, and requires careful consideration before implementation.  It will be the least-trusted voting and the least-verifiable by independent third parties.  Internet voting carries some of the concerns of voting by mail, and some of its own.

We can trivially secure the voter’s ability to cast a vote and the election board’s ability to identify the voter correctly:  voter impersonation is not the concern.  Requiring Internet voters to register a hardware cryptographic credential at voter registration, such as a FIDO U2F device, allows us to restrict Internet voting to those who could also physically vote if they appeared at a polling place, and to positively identify each as a particular registered voter.

We can also minimize exposure to Internet attack by opening only the single HTTPS port on the Internet voting server; a firewall blocks all other access.  The Internet voting software should use as little code as possible to process a log-in request:  until it has the voter’s name, address, birth date, and FIDO U2F authentication, it exposes no further interface and processes no other request.  This restricts most attacks to registered Internet voters:  strange traffic has your real name on it.  The TLS implementation and the log-in handler itself remain reachable by anyone, however, so they must be kept small and hardened.

It’s difficult (but not impossible) to prevent coercion and vote buying.  Strong third-party verification of vote integrity is also impossible:  Internet votes, like votes by mail, are not observed, and so votes can be dropped and omitted without anyone noticing.  As with voting by mail, we can prevent outright vote tampering, although the means are complex.

For now, our election system needs updating with more-advanced voting rules.  While Internet voting can combat voter disenfranchisement, it strains confidence in election integrity, and is a matter for a later debate.