“Elections remind us not only of the rights but the responsibilities of citizenship in a democracy.” – Robert Kennedy
There’s a tweet being shared around Scottish political Twitter advertising an event on October 23rd. Australian company Clearpoll going to be holding an opinion poll on Scottish independence but are doing so in an intriguing way. They are offering a blockchain-based mobile phone app that, they claim, could be the first step in a revolution in how we approach voting. Instead of having to go to a ballot booth, one could simply press a button on your smartphone, secure in the knowledge that your vote will be transfered and counted without the vulnerabilities to hacking and spoofing that occur in other forms of electronic voting.
First of all. I’m not going to tell people to not take part in this poll. If that’s your thing, go for it. If you want to help test an upcoming piece of technology, by all means.
But I do want to voice my concern about this kind of technology making its way into our democracies. They are vulnerable enough without adding something that, if done badly, could break our voting system entirely.
A few months ago, I took part in a government consultation on electoral reform which outlined my position and my objection to this being done rashly. You can read that here.
I’ve already been accused of Ludditism over my objections to this kind of voting but, to tell you the truth, it’s not really the tech itself that I find to be the problem. It’s the fact that it would encourage voting away from the voting booth that really bothers me. This is, of course, also a problem with things like the postal vote.
My background in the tech industry gave me a good bit of experience in systems analysis, specifically destructive analysis. I’ve taken that with me into politics. The philosophy goes like this. If you want to understand a system – try to break it in as many different ways as you can. Then try to fix the things you broke. Then try to break them again in a different way. Once you start failing to break things, you can build up some confidence that it actually works. I want our voting system to be as robust as possible and I don’t want improvements to the system to introduce more problems than they fix.
The stakes are high here. People point to things like online banking or shopping and how they are secure and trusted. The thing is, these things get broken routinely. I doubt that there’ll be a reader of this blog who hasn’t been affected by a bank or online shop hack or knows someone who has. I’ve been hit more than once. But money and things are insurable. If the security features fail then customers can be compensated.
Democracy is not insurable. We know this from the Brexit referendum where illegal campaigns may very well have tipped the result in their favour yet, despite them being caught, the consequences have been next to nothing. Anyone with the interest and means of breaking a country’s democracy WILL try to. There’s no sense in giving them more opportunities than they already have.
So here I’m going to break down why I think we should be cautious about introducing electronic voting, whether by blockchain or conventional means, into our democracy.
Break 1 – Broken Tech
I’m not going to refer specifically to the company behind the online poll mentioned above. I know almost nothing about them and I’m not going to go and check them out. I would suggest that those who DO want to take part in the poll do check them out first. It’s always good to know who you’re dealing with and this goes whether it is a self-selecting internet poll (which, by the way, are statistically meaningless even if they are fun) or whether they are a full-scale voting operation.
It could be that the company hired to run a full scale election is fundamentally compromised. Maybe they have inserted code into the system that allows the vote to be spoofed somehow. In a worst case, the entire tech could be an elaborate “man-in-the-middle” scheme where the data that comes out of the black box bears no resemblance to the votes that went in.
Sure, you could (and should) demand open access code so that it can be audited but then we hit the issue of a “behind the curtain” attack. How can you tell if the code you audit is the code that is actually being run and isn’t just a plausible looking shell thrown up to pass inspection? This kind of thing has been seen quite recently in the Volkswagen emissions scandals where cars were programmed to change their performance when being tested so that they could pass inspections.
Break 2 – Break the Tech
“Blockchain” is a bit of a buzzword right now. It’s being touted as the solution to every digital problem that one can think of. It actually reminds me of the early days of the laser industry where the laser was described as a “solution without a problem” because it offered something uniquely interesting but no-one could yet work out what to do with it.
This isn’t the place to go into much detail on how blockchain actually works (There are videos online such as this one) nor even all that much on the encryption methods that it itself is based on but very, very briefly, encryption works because some mathematical problems are very easy to perform one way but not easy to perform backwards.
Imagine going into a restaurant and ordering three courses. The price of each course is totaled and comes to £24.73. Easy to do. What is not so easy is to go into a restaurant and to ask for precisely £24.73 worth of food.
Encryption works in an analogous way. It’s easy to scramble a message but very difficult to unscramble it unless you have the appropriate keys to do so.
The thing is, “very difficult” is rarely impossible. Only a very few encryption methods are mathematically impossible to break (and they are not useful for our purposes here). Most encryption methods are merely difficult to break with current techniques and current computers within a reasonable time (where “reasonable” could be defined as “within the lifetime of the universe” or merely “before the end of voting day” depending on the application).
But computers improve. As do mathematical techniques. The future is an unknown and we don’t know how fast we’ll get there. Previously “secure” encryption methods are now obsolete and no longer used. There is a very real possibility that a vulnerability could be found in the blockchain technique underpinning the voting system or that computers – perhaps quantum computers specifically designed for this kind of thing – could come around and open up previously secure systems. This is a particular concern for a voting machine that is maybe only brought out of the warehouse every four or five years.
It’s worth noting that various proof-of-concept and actual vulnerabilities have already been found in the world’s most popular blockchain currencies Bitcoin and Etherium. Some of the proof-of-concept hacks are simply waiting for the tech to reach attack capability. Some of the attacks only fail because the popular cryptocurrencies are too large for the hacks to be practical or make them too expensive to pull off.
But, as I say, democracies require a higher standard of security. Whatever cost one attaches to a hack might be too expensive to be worth stealing a few coins, but what is the cost/benefit analysis of stealing an election and placing your favoured candidate or party in office?
These issues are potentially solvable by evolving the blockchain technology to keep up with the emerging threats but doesn’t this just introduce an arms race into a part of the voting system where the current method – physically counting ballot papers – is inherently immune?
Break 3 – Subvert the Tech
So let’s say that the electronic voting tech works as advertised. It’s absolutely secure from the moment the button on the mobile phone is pressed right the way through to the final count. It’s fully auditable and trusted.
That’s great. Facebook has reminded you to get the app, so you click the link and download the voting app onto your smartphone (What? You don’t have a smartphone? Or maybe don’t have the right kind of smartphone? Oh well. No democracy for you then…) you enter all of your details and you’re ready for election day. The time comes, you fire up the app and you vote. You get your confirmation message and you’re happy.
Here’s the thing. That reminder on Facebook? That was a fake advert. You downloaded a fake version of the voting app.
You see, your constituency was identified as a key swing seat between the Red and Blue parties. Your digital fingerprint identified you as a Blue voter to the Red-sponsored or Red-friendly group behind the fake app and they sent you a targeted advert as they did to all other Blue voters in your constituency. Red voters were specifically excluded from the adverts as were journalists and political activists who might notice and flag up a warning so they never saw it.
Maybe the fake app has harvested all of your data, filled your phone with malware and viruses or now your phone is part of a botnet soon to be used for other nefarious purposes.
It doesn’t need to do any of this to break the voting process though. All it needs to do is convince you that you’ve voted when, in fact, you haven’t. Your vote simply vanishes and if enough other Blue voters are caught out, Red wins the seat without the hackers ever having to compromise the legitimate program.
Break 4 – Inherent Insecurity of Remote Voting.
So let’s say that we’ve fixed all of the above problems and you know for a fact that the voting app on your phone both works and is legitimate.
We come here to the fundamental limitation of voting outside of a polling booth. It is very difficult to ensure that the person pressing the vote button on your phone is actually you. Maybe some security procedures could be used like passwords or fingerprint scanners or facial recognition (not every phone will be capable of these checks) but even if these are passed, how can the app make sure that you are making your vote without coercion?
It’s not inconceivable that someone’s vote could be coerced. Whether the voter is in an abusive relationship, or is being instructed to vote a certain way by their employer or political party and – as with postal votes – there’s always the possibility of unscrupulous political activists targeting vulnerable voters and “assisting” them with the voting process.
Some proposals for electronic voting include offering the voter a cryptographically secured “receipt” which they could use later to check to make sure that their vote was correctly registered. This is fine until one considers again that a malicious third party could coerce that receipt from the voter and use that proof to ensure that they had indeed voted “correctly”. One of the best defences of our secret ballot is that it is truly secret. Any particular vote is strictly between you and the pencil and no-one can prove how you voted.
Solution – How To eVote Securely
There is a place for an electronic improvement to the traditional pencil and paper. Voting systems are often complicated – the AMS and STV systems used in Scottish elections particularly so. There are also potential issues where people have a tendency to vote for candidates who are higher up the ballot list than lower down. This “list order” effect can be countered by randomising or shuffling the order of the names but this can be difficult to do if ballots are purely on paper.
An electronic voting booth would consist of a touchscreen display which would first offer the voter a tutorial in how to vote in this election. It would then display the ballot paper which could be shuffled as described above.
The voter would cast their vote and then the computer could check to make sure that it is a valid vote. If it is invalid in some way (Perhaps a break in the number order in an STV election) then the computer could warn the voter and ask if they want to change their selection. Critically, it should not prevent the voter from casting a deliberately void or blank ballot if they voter wants to. Protest votes are as much a part of democratic freedom as casting your vote any other way. Personally, I’d also like to see a “None of the Above” option on the ballots as well.
Once cast, and here is the critical part to do with electronic voting, the machine prints out your ballot paper. The vote is not stored nor is it transmitted elsewhere nor is a receipt printed which can be used to verify your personal vote. You check your paper then you place it in a box in the usual way.
The count can be done by feeding the papers into a counting machine as is often done in the current system but the paper copy allows for a hand-verifiable check if one is deemed necessary. Indeed, the fact that the cards have been printed likely means fewer ballots rejected due to ambiguous markings (though this would come at the cost of losing the fun part of count day which is having a laugh at the weird and wonderful ways that some people cast their votes.
Remote voting should be discouraged. I’m not going to say that the postal vote should be banned entirely – I have no doubt that for some people this will genuinely be the only practical method by which they can vote – but if alternatives can be provided, then they should be encouraged. This may mean organised transport to polling stations – right now, transport is sometimes available but usually only due to dedicated political activists offering their time to get out the vote. This may also mean mobile polling stations. It’s reasonably easy to envisage taking a van to, say, a care home and deploying booths where people can vote. Once again, the isolation and privacy of the polling booth is a important part of the process and one which cannot be replicated by a remote voting mobile app, no matter how secure the underlying technology is.
Far from being a Luddite, I consider myself a technophile but more than that, I’m someone who wants our vital systems to be as robust as possible. We simply cannot afford to find out years after an election that the system failed or was compromised and the “wrong” political party won the election. If your credit card is hacked and you lose money, you can be compensated. Your bank is insured. The ultimate consequences of the fraud are limited.
We can’t fix things nearly so easily if our democracy is broken. It only has to happen once and we could find ourselves in a very dangerous place with no way out. If “blockchain” turns out to be able to fix all of the problems I’ve outlined above (and any others that I haven’t even thought of) then have at it and please demonstrate the fixes to me. I’m genuinely interested.
But until then. I’m interested, but very cautiously skeptical.