Ask HN: How would you design an secure online voting system?
I have seen a lot of proposals; from apps on phones to systems where the ballot is still mailed to you but you fill it out, take a picture of it and submit it that way (with a bar code of course to ID the ballot).
29 comments
[ 0.22 ms ] story [ 89.5 ms ] threadBut to take a stab, welcome blockchains ^_^
You don't. Anything done "online" simply verifies that "some human at a keyboard" has the requisite "secret" -- but cannot verify that the correct human who should legally have the secret is indeed the one entering the secret.
I.e. Bob gives Joe his "voting secret" and now Joe can log in as "Joe" and vote his legal vote, and also log in as "Bob" and cast a second vote, all while the online system believes "Bob" is casting that second vote.
Also, if you want to maintain the secrecy of the ballot then you simply can not perform online voting, because with the machines there can always be some trail to trace between "ballot X" and "Fred" to show who cast that ballot.
How do you verify the identity of a person at the polling station?
I'm not sure how it's done in the US specifically but in general it boils down to the voter handing over a piece of paper that's been mailed to them by some government agency and optionally, in places where such provisions exist, producing an ID card or social security ID.
That's nothing more than the real-world equivalent of "but cannot verify that the correct human who should legally have the secret is indeed the one entering the secret."
It's admittedly much more difficult to pull off at scale in an in-person setting, though.
However, verifying that a voter is the person they claim to be is a problem that equally exists in both online and offline settings.
So if I were building a system for voting online, I would audit that system and improve on any security deficiencies.
- Every citizen is issued ID that includes a hardware embedded public/private key pair. A YubiKey essentially. This step is optional, but allows ballots to be assigned remotely.
- Election commission creates and maintains their own key pair.
- Ballots are assigned remotely to eligible voters by encrypting with citizens public key, or assigned in person. Ballots themselves are key pairs, and the commission throws away the private keys after assigning them. The list of ballots is published signed by commission’s key.
- Votes are the position + a secret encrypted by a voter’s private key, signed with the ballot. Votes sent to the commission and published.
Everyone can see which ballot voted which way, verified by the ballot public key. Voters can verify the commission didn’t keep the private key by verifying their encrypted secret. Votes are anonymous, cryptographically verified, and if a citizen ID system is used ballots can be assigned remotely so the entire election is remote.
No blockchain or specific applications are required for this system, just agreed upon key algorithms. The downside is keeping private keys secure is difficult compared to watching over physical ballots.
A system similar to this was used in the recent Hong Kong protest election, with the ballots issued in person.
Estonia’s system is insecure, relying on private closed systems to store, transmit, and tally votes. They have made changes, but AFAIK they don’t provide a way to publicly cryptographically verify votes or vote counts, and voting has to be done through a specific app.
A company can already compel you to vote, because all states allow mail-in ballots. It would be pretty hard to announce this to everyone while simultaneously keeping it a secret.
In the story, its become an ordinary fact of life. In fact, once you have somebody's card you have their life. They can kill employees if its convenient.
But its just a story.
Take the current elections in the US as an example. Yes, the system's working and it has proven to be quite resilient but those shenanigans involving mail-in ballots and the uncertainty that came with that for example could've been avoided with a properly designed digital system.
Most of those problems could of course be solved with a properly designed non-digital system, too.
Its similar to a story I read a while ago about flooding a lottery system with enough combinations of numbers to near guarantee some level of profit. The scale needed to fill out, submit, track, etc. 10's of thousands of tickets was ridiculous.
There is no need to speed up the election process. If any human effort is to be spent, it should go towards rolling back the perceived need for constant updates. Its unhealthy.
Another minor problem cryptographic electronic voting solves is inaccurate vote counts.
If we allow vote-by-mail we should allow cryptographic voting over the Internet. I agree in-person voting is the most secure, but we already use a less secure system.
Some things that come to mind: - National voter ID card. Countries like Mexico and India have this for everyone. You can’t vote without it. - Fingerprint of some sort. Either retina or fingerprint scan to verify identity. This opens up a civil liberties can of worms but we would need to secure this somehow. - I’ve read of some startups looking to us blockchain, but not sure how that would work. - I read an article about a company called Unum ID that was looking to address this problem. You sign up, give an address, they mail you a card with verification of your address to put into their app. The app then has a unique QR code that gets scanned. Similar verification setup to Nextdoor or buying ads on Facebook. They verify your identity by mailing you a unique code that needs to be entered into an app or page to verify your address and who you are.
I think the key components are, verify the address of the person, confirm it, secure/uniquely store the identity in a service.
The biggest problem we face is fraud. Double votes, voting for others, voting as dead people. California had to purge their roster after being sued for the data being inaccurate. I think 300k names were removed or asked to verify. 300k wrong voters can swing a local or state election. That’s big.
https://www.youtube.com/watch?v=w3_0x6oaDmI
Long story short voting needs to be secure and anonymous to be fair.
Hard to get all things at once.
We could immediately open this system up to every American with a small number of technical & legal changes.
Most of my thoughts about a more complex system are probably not unique, but thinking about this generated a few details that may be interesting.
The obvious final conclusion (for me) was that we could digitize our entire system in a few election cycles, without throwing out the entire system and starting over.
Just 1. Set minimum requirements federally for voter registration systems, 2. Create digital tools for creating and tabulating votes (form to PDF software, public ledgers), & 3. Allow everyone to cast a digital vote which can be converted to a normal paper ballot.
Then, at some point in time, you reverse the system, and make your digital ledger your source of truth, instead of your paper ballot counts.
1. Each existing voter registration generates a unique, anonymous identifier. They probably already do, you just have to standardize it and create an API to verify it. Cryptographic verification solutions would improve this even more.
2. Create a simple, open source public ledger with an open API. Something where any software that knew enough of the voter registration details combined with that identifier could submit or update a ballot.
3. Give voters multiple systems for voting, to ensure everyone has access to a system that meets their needs. No reason to restrict who can create a system, just set federal minimums for each of this systems & let any tech company build a competing app.
4. A public / private key signature process could be used to ensure the validity of both a "local copy" of the vote stored on the user's device, and that the vote was cast, for future auditing. You could create APIs for validating a vote.
Once you get everyone a unique voter registration identifier, Voters could download the database and use simple tools to audit their vote as part of the final, public count. Any irregularities would be publishable and verifiable.
Independent groups could use samples of volunteers (who would essentially agree to publish their voter ID & local copy of their choices for that year) to further validate the integrity of the result.
You could even plant fake votes that cancelled each other out to facilitate an audit.
I'm sure there are details I'm getting wrong (like how to protect someone's identity in a world where all your voter registration details are able to be purchased in legal and illegal markets).
My only point is, anyone could start working on this kind of system as an open source project, validate it works, and start "patching" our existing voting processes with more accessible or more efficient digital replacements.
For example, at the end of the process the election counters release a file called "results.txt".
Inside that file is a data structure like: { huid: "123-456-789-ABC", vote: "Biden" }
Then you grep for the secret huid that you wrote on your paper ballot and that make sure that your vote was counted correctly.
This is a simplified concept without eg. PK crypto. Microsoft's ElectionGuard is an actual cutting edge implementation of how to do it well: https://github.com/microsoft/electionguard
If it is not in real time voting in person is not a problem. A secure room (phones and cameras not allowed) where no one can see what you've voted. (a bus would do fine)
4 separate systems with a 5th that checks if they all got the same vote from you. At the regional level the votes are counted continuously, if one of the 4 system produces a different result an investigation is triggered and huge prison sentences may follow.
A system in which all votes are fungible after a certain point only encourages fraud. As long as you execute it well you can have a high degree of certainty that you won't be punished.
[0] First, behind this requirement is the premise that political repression is to be expected. I'm sure that's true in some places, but you want to fix this in other ways. Second, you already don't have perfect secrecy in many systems and people don't seem to mind.