E-voting is accused of lacking transparency and being difficult to trace, which would allow manipulation to take place without being detected. In contrast to a physical contest, recounts are not possible, which means that any potential doubt in the results could be damaging to democracy. But is it actually true that e-voting cannot be verified and audited?
Any secure voting and election process, be it physical or digital, needs to guarantee the secrecy of the ballot as well as the following conditions:
- The process must ensure that only those eligible to vote may do so.
- The process has to maximize the time spent and the costs involved in manipulations and be able to detect them wherever they occur despite security hurdles.
- The process must correctly determine the result.
- The process must enable recounts where there is suspicion of irregularities.
E-voting systems that enable elections and voting via the Internet must also meet these requirements. And with today’s technologies, all these points can be satisfied. This is referred to as the universal verifiability of an e-voting system. Universal verifiability ensures that the public can detect any errors or manipulations during the entire voting/election process without any doubts.
Digital election observers monitor the electronic ballot box and counting
The counting process used in an e-voting system is comparable to that of a traditional contest. However, it is conducted by machines, not people. As such, each step needs to be logged using digital signatures and cryptographic evidence to ensure people can monitor the procedures and results.
Various digital processes take place in an electronic ballot. Put simply, it involves two things: first, any theoretically possible link between the identity of the voter and their digital ballot paper is cut. To achieve this, the votes are separated from the already anonymized voter identities and the order is mixed at random. And second, the votes are decrypted and counted upon the opening of the ballot box on election day.
Isolated parts of the system, or control components, monitor these digital processes. The control components are like digital election observers. They log and report manipulation to the electoral commission, which bears responsibility for the contest on behalf of the authorities. They create cryptographic evidence for all ballot box activity to ensure errors or manipulation can be clearly detected in retrospect. If all the cryptographic evidence is correct, the result is then in turn proven to be accurate.
How can the public verify election results?
A key challenge in e-voting is the elimination of doubt that the results have been manipulated. Verification of the evidence is a fixed component of the official counting process and enables public acceptance of the election result.
Software running on independent computers not connected to the Internet must be on hand to verify the cryptographic evidence and whose source code can be checked by independent experts. The software is used to check whether there was any manipulation of the ballot or the counting process.
It is important that the verification of cryptographic evidence is performed by individuals deemed as trustworthy in the eyes of the electorate, and that the process can also be performed by independent institutions. The election result is communicated to the public once verification is complete. If irregularities were detected as a result of the verification, an investigation is initiated.
What happens if manipulation is discovered?
There is no such thing as absolute security and manipulation attempts cannot be wholly excluded. Experience from fraud attempts with postal and ballot box voting has shown that this applies to all election processes. With e-voting the universal verifiability of a system does not prevent manipulation theoretically taking place but does ensure that it is noticed wherever it occurs.
If the digital election observers report irregularities in the cryptographic evidence, the electoral commission launches an investigation. Those who have lost in the election have the option to contest the result on the basis of such irregularities. As is already the case for physical ballots, a court would then decide on the merits of the case and what measures should be initiated. The election may be repeated as a last resort.
The two providers of e-voting systems in Switzerland – Swiss Post and the Canton of Geneva – have both announced that they will introduce universal verifiability by 2019 at the latest. This is a prerequisite for a canton to be able to provide e-voting systems to the whole of Switzerland and not just a section of the population.
Conclusion
Even if digital election processes cannot be directly monitored by people, we can observe them using control components and unequivocally prove any irregularities by mathematical means. The evidence generated can be checked by the electoral commission and independent institutions on isolated computers following the count. This corresponds to the counting process in the physical world. It means that e-voting can be audited and the results can be verified.
The introduction of e-voting rests upon one key question: is the population ready to place their trust in these verification options and the human controllers involved, i.e. the electoral commission and independent experts?
