The Technical Challenges Facing iVoting
Part 3
When we last left this discussion, I was explaining the non-technical challenges of iVoting including the need to be transformative in order for States to be willing to consider how it can be integrated into the electoral process. To be transformative an iVoting solution will have to (among other things) provide better assurances of validity and legitimacy.
Therefore, iVoting faces several technological challenges before it can begin to be implemented. Most election officials and experts in the field are hesitant or skeptical about implementing iVoting with current Internet and Web technology. Even when we view iVoting as simply returning a digital absentee ballot or the digital equivalent of voting by mail, there are still substantial innovations required.
The Specific Challenges
Let’s look at five specific innovation challenges: areas where the needed technology does not exist today, or where an early version may exist but has not been implemented at scale or proven in a production environment to be usable by typical, non-technical citizens.
1. Strong Authentication
The first area that requires innovation is authentication; essentially, we must be certain that a voter is who she says she is, and the confidence in that assertion is its “strength.” We refer to this as “strong authentication” because the voter’s identity needs to be established as certainly as possible in the absence of their physical presence. The evidence of identity must be digital in nature for online voting. It must also be evidence that cannot easily be stolen from the voter, as a password can be.
The technology for this actually exists; it’s called “two-factor authentication” and is widely used in commercial settings. Two-factor authentication relies on the use of some sort of physical “token.” When Internet voting was used in Estonia, for example, it used two-factor authentication.
Unfortunately, the same achievement is more difficult in the United States. We lack a way of identifying all citizens. We have no system of national digital identification, and such a future is highly unlikely for political and policy reasons. This means that any iVoting system will have to innovate around this issue until such time as America resolves the issue of uniform digital identification.
2. Digital Enveloping
The second challenge facing iVoting systems is what we call “digital enveloping.” When a ballot casting takes place, the “transaction” must simultaneously identify the voter (in order to make sure they are eligible to vote and don’t vote twice) and protect their privacy (so that their vote cannot be traced back to them). For non-digital forms of voting, absentee or by mail, this is accomplished through a double envelope: an outer envelope that authenticates the voter and contains a second envelope that cannot disclose the ballot or the voter’s choices. The second, separable envelope contains the actual ballot but carries no information about the voter.
As with two-factor authentication, the technology for this actually exists; however, the digital equivalent of enveloping currently requires a process too difficult for the typical citizen to use successfully. An iVoting system must resolve this issue: it must combine two-factor authentication and digital enveloping in a secure manner usable by all voters.
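A compact model of the double envelope described above, covering both the strong-authentication check and the separation of the anonymous ballot. It is an added example written for this post, not the author’s code or any real voting product: the voter’s Ed25519 signing key stands in for the strong-authentication credential, the election’s RSA key seals the inner envelope, and the registry, voter ids and candidate names are constructed.

```go
package main // constructed example of digital enveloping, not code from a real voting system

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

type OuterEnvelope struct {
	VoterID string // identifies the voter for the eligibility check; never kept with the ballot
	Inner   []byte // the sealed ballot: RSA-OAEP ciphertext of the choice under the election key
	Sig     []byte // Ed25519 signature by the voter over VoterID||Inner
}

type BallotBox struct {
	Registry map[string]ed25519.PublicKey // eligible voters and their signing keys
	Voted    map[string]bool              // voters whose outer envelope was already accepted
}

// NewElectionKey creates the key pair that seals and later unseals inner envelopes.
func NewElectionKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// Cast seals the choice for the election key, then signs the outer envelope as the voter.
func Cast(id string, vk ed25519.PrivateKey, ek *rsa.PublicKey, choice string) (OuterEnvelope, error) {
	inner, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, ek, []byte(choice), nil)
	if err != nil {
		return OuterEnvelope{}, err
	}
	return OuterEnvelope{VoterID: id, Inner: inner, Sig: ed25519.Sign(vk, append([]byte(id), inner...))}, nil
}

// Receive rejects unknown voters, bad signatures and second ballots, then returns only the anonymous inner envelope (VoterID and Sig are dropped).
func (b *BallotBox) Receive(env OuterEnvelope) ([]byte, error) {
	pub, ok := b.Registry[env.VoterID]
	if !ok || !ed25519.Verify(pub, append([]byte(env.VoterID), env.Inner...), env.Sig) {
		return nil, errors.New("outer envelope rejected: unknown voter or bad signature")
	}
	if b.Voted[env.VoterID] {
		return nil, errors.New("outer envelope rejected: voter already cast a ballot")
	}
	b.Voted[env.VoterID] = true
	return env.Inner, nil
}

// Open unseals one separated inner envelope with the election private key.
func Open(dk *rsa.PrivateKey, inner []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, dk, inner, nil)
}
```

The separation step is the whole point: after Receive, whoever holds the inner envelopes has no voter identity to correlate them with, and whoever holds the Voted record has no ballots.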
3. Digital Ballot Boxes and Server Integrity
The third innovation required for iVoting concerns the digital equivalent of ballot boxes and the integrity assurance of the computer data server housing a digital ballot box. The digital ballot box is the virtual location where the ballot would be received, and server integrity refers to the security of the server where the ballot box is maintained. For this virtual system there are several requirements consistent with physical ballot boxes, for example:
- Cast ballots cannot be modified or removed,
- Only election officials must be allowed to unlock the digital ballot box,
- The unlocking and processing of the ballots must be publicly observable, and
- Physical chain-of-custody records must be maintained as the ballot box is transported.
For iVoting, there are a few difficulties with accomplishing these requirements. The first is that many people and programs can access the computer’s data storage if it is connected to a network, and some may have malicious intentions. In addition, the iVoting system must have a communication network that allows it to receive ballots without enabling any form of ballot modification or tampering, and it must be unable to run any extraneous software that would allow non-election-officials to access the system.
The stark reality is that these requirements are simply unachievable with a conventional data server system. This means that in order to develop an iVoting system we must also develop a special-purpose data server.
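One piece of the first two requirements, that cast ballots cannot be modified or removed, can at least be made detectable with an append-only hash chain over the sealed ballots, checked against the tail digest officials publish when the box is closed. This is an added example written for this post, not the author’s design or any real system, and the sealed ballots in the test are constructed placeholder strings; note that it detects tampering after the fact and does nothing to stop a compromised server from doing it, which is the author’s point about conventional servers.

```go
package main // constructed example: tamper-evident digital ballot box, not a real product

import (
	"crypto/sha256"
	"encoding/hex"
)

// Entry is one sealed ballot in the box, chained to everything received before it.
type Entry struct {
	Sealed []byte // anonymous inner envelope exactly as received
	Prev   string // hex digest of the previous entry (empty for the first)
	Digest string // SHA-256 over Prev || 0x00 || Sealed
}

func digest(prev string, sealed []byte) string {
	h := sha256.New()
	h.Write([]byte(prev))
	h.Write([]byte{0}) // domain separator between the previous digest and the ballot bytes
	h.Write(sealed)
	return hex.EncodeToString(h.Sum(nil))
}

// Append records a sealed ballot after the current tail of the chain.
func Append(box []Entry, sealed []byte) []Entry {
	prev := ""
	if len(box) > 0 {
		prev = box[len(box)-1].Digest
	}
	return append(box, Entry{Sealed: sealed, Prev: prev, Digest: digest(prev, sealed)})
}

// Verify recomputes the chain. It returns the index of the first entry whose
// predecessor link or digest is wrong (a modified or missing ballot), len(box)
// when the chain is intact but does not end at the digest published at closing
// (ballots removed from or added after the end), and -1 when the box is intact.
func Verify(box []Entry, publishedTail string) int {
	prev := ""
	for i, e := range box {
		if e.Prev != prev || e.Digest != digest(prev, e.Sealed) {
			return i
		}
		prev = e.Digest
	}
	if prev != publishedTail {
		return len(box)
	}
	return -1
}
```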
4. Client Integrity
The fourth major hurdle is client integrity. By “client” here we’re referring to those devices on the “edge” of the network that provide the voter the means to actually cast a ballot remotely. This device voters use to deliver their votes, their “digital ballot caster” if you will, must be completely resistant to tampering. The device a voter uses, the “client device” as we call it, must perform a variety of tasks including identifying the voter, locating and pulling the correct ballot, coding the voter’s selections, making the ballot anonymous, and sending the ballot to a digital ballot box as we discussed earlier.
Simply creating a typical app for this purpose on laptops or mobile phones is unsuitable for this task, because those devices are vulnerable to a variety of security risks. That observed, a voting device doesn’t need to be implemented on a general-purpose digital/mobile device. A special device could be used for voting, or a general-purpose device (such as those mentioned above) could be, for a controlled duration, constrained to function only as a voting device. Multiple well-known technologies exist that can accomplish this. But none of those technologies have been used to create a single-purpose client, as would be required for iVoting. So, to this extent, it remains theory.
5. End-to-End Verifiable Ballots
The last big problem facing iVoting is what we call end-to-end (“E2E”) verifiable ballots. E2E verification refers to a system in which the voter can independently verify that their vote actually went to the candidate they chose. A trustworthy iVoting system would have to incorporate E2E verification. Election cryptographers have developed E2E verification for digital ballots, but their methods struggle with two things:
- Being able to be combined with other required characteristics (such as those discussed above), and
- Being able to be administered by ordinary election officials who lack extensive technological expertise.
All five of these problems must be solved in order to create a reliable and secure iVoting system. iVoting may be the future of elections, but as discussed in this article, considerable innovation is required before it can become a reality.
As always, I look forward to your comments and the continuing conversation.
--Sergio