Loomio

Electronic and Online Voting

Danyl Strype

The online voting issue is becoming a major public debate, due to the experiments with it in next year’s local body elections, and the commentary I’ve seen is mostly anti TDB, even from the technically literate. The Pirates have a horse in this race, and we need to agree on some common points, and get them onto the racetrack, for example:
* any voting software must be free code/ open source
* votes should be secured using PGP or a blockchain system or (?)

The Danish Liberal party supposedly used a blockchain based voting system for internal elections last year. Not sure how it worked out yet.

Andrew Reitemeyer Sun 20 Sep 2015

The Pirate Party of Iceland uses its own system, wasa2il. Podemos, in Spain, uses a liquid democracy variant developed by the Belgian Pirates. Both are open source.

As far as I know, all experiments, where electronic voting has replaced paper voting, have been using proprietary software. We should only consider open source solutions.

The idea of changing overnight to an online voting system that elects representatives in a PR system is flawed. Introducing a parallel, permanent, online direct democracy system of some sort is not.

We should look at the experiences of other legislatures who are and will be looking at this system and running our own in district councils for example.

The philosophical objections, such as being forced to vote a certain way under threat, are met with a system where votes can be changed or passed on to trusted persons.

I don't think we should get too far into the technology but work more on the principle.

Hubat McJuhes Mon 28 Sep 2015

"The idea of changing overnight to an online voting system that elects representatives in a PR system is flawed."

That is exactly right. Replacing paper ballots with voting machines is something that we should oppose categorically.
Not only have all voting systems so far turned out to have been shockingly prone to manipulation; the real point is that it is intrinsically impossible for any process that includes digitalisation at any point in the process to be verifiable and anonymous for the individual voter at the same time. But these are core requirements for a democratic vote. Hence we must oppose any such attempt for as long as we are stuck with a PR system.

"Introducing a parallel, permanent, online direct democracy system of some sort is not."

That is exactly spot on. With a liquid deliberation process it is arguably justifiable to omit secrecy/anonymity from the list of requirements.
It is a design feature of the new Pirate Party concept that we can explore the potential of liquid systems as the tiny group that we currently are to the large organisation that we soon will be, in parallel to the current big scale PR system. Our success will work as an advertising platform for the liquid system that we come up with.

Danyl Strype Sat 3 Oct 2015

Some facts we need to check before making a public statement:
* for those local bodies who are joining the online voting experiment, will online voting replace postal ballots or supplement them?
* will in-person voting still be possible at Council offices?
* is all the online voting being run by the same private company (ElectioNZ Ltd.)?
* how was the decision made to outsource the running of elections to a private company?
* how was the decision made to award the contract to the company(s)?
* what public interest scrutineering (if any) checks the rigour of the online voting procedures?

If these questions prove difficult to answer, we could mention that and pose them again in our statement.

"it is intrinsically impossible for any process that includes digitalisation at any point in the process to be verifiable and anonymous"

What about a blockchain-based system like the Danish Liberals used internally?
EDIT: Or something like BitVote?

Hubat McJuhes Wed 21 Oct 2015

"What about a blockchain-based system like the Danish Liberals used internally?"

To my knowledge, all reliable blockchain-based systems work pseudorandomly at best rather than anonymously, hence they are not suitable.

Hubat McJuhes Wed 21 Oct 2015

@strypey All those questions are very well chosen to be asked.

But there is the risk that people could believe that if all these questions could be answered to full satisfaction, then it would be fine to move towards online voting.

My position is that there is no way to make such a move work all right. And I would advocate that we should make that very clear (if we can agree on this one).

That also means that while these questions are good to be asked, there is no need to wait with a statement until we have answers.

Robert Frittmann Tue 10 May 2016

There's been some interesting discussion on this issue recently in the NZOSS mailing list, particularly about Voting with blockchain technology and Online voting "trial" scrapped.

My own opinion on this mirrors other Pirates' comments above, that any move to provide online voting within the scope of the existing proportional representation electoral system would be doomed to failure. I can imagine the headline in the NZ Herald already, something like "Online voting system botch-up likened to NovoPay". New Zealand's public-sector IT implementation history is fraught with tragedy: INCIS, WINZ kiosks, NovoPay, etc. Something as important as deciding on who should govern us needs to be reliable and above reproach, as do those implementing it. I don't think we're there yet, either as in-house or outsourced bespoke code.

[deactivated account] Wed 11 May 2016

I have been working on and off into the area of secure online voting for the last 15 years.
There is some concern that genuinely secure online voting will not have the approval of the GCSB and their masters in the five eyes alliance, hence I have been forced to keep this research offline until the recent retirement of a certain former GCSB administrator.

I have long ago sent the basic preceding outline of my encryption system off for peer review with a classmate who now has his doctorate in cryptography maths, Dr Ali Hameed confirms it works, yet he has yet to study my other maths research which outlines why it works in detail.

I am personally committed to the completion of this project when the investment funds come through for a major unrelated research project.

I suggest that the potential for voter intimidation issues can be alleviated by confirmation with a selfie from phones, tablets and computer webcams.
This could also have a time limit on tokens for voting, whereby a vote can be updated within the voting period which allows for an individual vote when alone, such as in the toilet.

The main thing that online voting improves is the participation rate, as young voters can easily participate without constantly following a mail trail to their current property.
As this works to better get results from renters, the voting system no longer is biased in favour of the elderly property owners.

Adam Bullen Wed 11 May 2016

If we make the reasonable assumption that it is impossible to make a 100% secure system; we must then decide on an acceptable level of security.

Once we have decided on the reasonable level of security that we are happy with then the cost associated with achieving this level of security can be estimated.

Two things come out of the above; we know how much it costs to run current elections and how many votes are cast thus we know the cost per vote to run the current system. The goal of any new system should be to reduce the cost per vote; as it is tax (rate) payer money that is used to run the system. If costs double but voter participation goes from 25% to 80% I would be happy.

There are only a few ways this can happen; either reduce the cost to run the system and get the same number of votes; reduce the barriers to entry and get more people voting for the same overall cost; or some combination of more votes and less money to run the thing.

As an open source fan I think that it is best practice for any security software to be open source. The "just trust us (tm)" argument has never swayed me very much.

[deactivated account] Wed 11 May 2016

"If we make the reasonable assumption that it is impossible to make a 100% secure system; we must then decide on an acceptable level of security."

"Once we have decided on the reasonable level of security that we are happy with then the cost associated with achieving this level of security can be estimated."

"Two things come out of the above; we know how much it costs to run current elections and how many votes are cast thus we know the cost per vote to run the current system. The goal of any new system should be to reduce the cost per vote; as it is tax (rate) payer money that is used to run the system. If costs double but voter participation goes from 25% to 80% I would be happy."

We are currently around the 41%~42% mark for the 2013 local elections, down from the increase at the 2010 local elections cycle which coincided with the earthquake increasing interest in local body politics. (49% mark at 2010 local elections).
Logically, if we can introduce online voting to achieve anywhere from 60 ~ 90 % participation, then we can say that online voting is worth the expense associated with increased turnout.

https://www.dia.govt.nz/diawebsite.nsf/wpg_URL/Services-Local-Elections-Local-Authority-Election-Statistics-2013?OpenDocument
(As above link shows, 60% participation is above that seen in 1989 local elections, and would be considered success in current electoral trend where nearly 60% don't engage with local elections.)

"There are only a few ways this can happen; either reduce the cost to run the system and get the same number of votes; reduce the barriers to entry and get more people voting for the same overall cost; or some combination of more votes and less money to run the thing."

The system I propose of a peer to peer platform hosting a plain html website accessible to all, while hosting a form of voting blockchain for unalterable records for all to audit at the end of the voting period should have minimal costs only for the official results, and as a consensus record should be confirmed by all observers.

"As an open source fan I think that it is best practice for any security software to be open source. The 'just trust us (tm)' argument has never swayed me very much."

Which is why I think we should all be relieved that Elections NZ Ltd has not succeeded in a closed but binding trial this local election cycle.

Hubat McJuhes Tue 17 May 2016

"If we make the reasonable assumption that it is impossible to make a 100% secure system..."

Security is not only about the accuracy of the counted votes, it is also about how easy or hard it is to tinker with the system and most importantly how likely it is to recognise an attempt of tinkering.

Digital systems offer a high variety of attack vectors and exploitation of many of those will be undetectable whereas the paper ballot system is very well understood, due procedures very well established and manipulation on a broader scale pretty much impossible to do without being recognised. The paper ballot is the clear winner in my eyes.

Tommy Fergusson Thu 19 May 2016

By my understanding in-person voting for councils is long dead. Society somewhere along the way decided that the "acceptable level of security" is low enough to use postal voting. (as in the flag referenda)

So, options are either call to end postal voting, or defend postal voting as less insecure than online voting.

Danyl Strype Thu 19 May 2016

@robertfrittmann mentions

"New Zealand's public-sector IT implementation history is fraught with tragedy: INCIS, WINZ kiosks, NovoPay,"

It's worth noting that every single one of these high-profile debacles involved projects outsourced to private companies, who supplied proprietary software. Any voting system to be used for local or central government elections must be designed and developed by a suitably qualified, full-time research team, employed by the Electoral Commission, and all software involved must be free code ("open source"), that can be audited by experts selected by all political parties (and anyone else that cares to do so). Technical scrutineering processes also need to be developed to ensure that binaries used for an election have indeed been compiled from the audited code, not from a version modified just before compiling (I think Git has hashing tools for this).

Thanks also to @robertfrittmann for pointing to the discussions on the NZOSS list, it's worth skimming through both. One thing I notice everywhere this topic comes up is a frankly naive faith in the robustness of the current system. I think it's worth reproducing in full my fiancee's description of checking for multiple votes after the vote counting:

"In 2008, I worked a polling station on election day. After the initial
vote count, I worked for one week at the Mt Roskill electorate office.
There were 20 of us on the team, working long hours, for minimum wage,
in a short-term job, with minimal training. We worked under one manager,
who was useless, and was sexually harassing female staff. So after the
first day, I ended up as the de facto manager of the team of 20,
reporting directly to the Returning Officer for the electorate, who
seemed to be as confused as I was about how some of the post-election
checking processes were supposed to work.

"At the electorate office, we had a huge stack of electoral roll books
lined up against the wall in one room, that had come from various
polling stations. The 20 of us worked in this room, checking each book
against a master copy (broken up into sections of the alphabet to share
the task). Our job was to carefully go through each polling station
book, and for each person whose name had been crossed out on election
day, we had to draw a red line through their name on the master copy.

"Occasionally, I would look up the person's name in the master copy, and
with my red pen raised to draw a line through their name, I would see
there was already one there. In some cases, this happened multiple times
with the same name. So, we would write "2" or "3" or "4" next to the
crossed out name in the master book, to indicate how many times their
name had already been crossed out in the other books that had already
been checked.

"Early on, I discovered one of the many flaws in this system. Although we
knew how many times votes had been recorded against the same name
(assuming that me and all the people I was working with were being
sufficiently thorough), we had no record of the first polling station
book this had happened in. In fact, initially I was the only person who
was putting aside the books that contained evidence of a multiple vote
at all, instead of just throwing them all in the done pile. Our
objective seemed to be to go through all the books, as quickly as
possible, so all the stuff that I was bringing up about multiple votes,
and what we were supposed to do to find the first book, was seen as an
impediment to getting the job done. Despite encouragement from the
Returning Officer to keep doing what I was doing to improve evidence
collection, I left the job after a week because I could no longer cope
with the sexual harassment from my manager.

"There was clear evidence of a certain amount of voting fraud in Mt
Roskill, in 2008. Because I essentially took over the process, we did
end up with a stack of polling booth books that contained some of this
evidence, although at the time I left the job, we still hadn't even
looked for the first book in each case. I have no recollection of any
system that matched names with multiple votes cast under them, with
ballot papers, nor any sign of anyone activating such a system to
retrospectively correct vote counts. There were no scrutineers involved
in any stage of the process beyond election day."

I'm convinced that it is possible to develop an e-voting system that is not just as secure as the current paper-based system, but more secure. Providing the conditions I laid out earlier in this comment are met, and that sufficient time is taken to do thorough testing.

[deactivated account] Fri 20 May 2016

"If we make the reasonable assumption that it is impossible to make a 100% secure system..."

"Security is not only about the accuracy of the counted votes, it is also about how easy or hard it is to tinker with the system and most importantly how likely it is to recognise an attempt of tinkering."

Tamperproof voting is possible with a blockchain style of voting, as it requires the pool of nodes to be in consensus before a record is agreed across the network.
I have been working on a specific system capable of handling online voting at a higher threshold of acceptance than the bitcoin blockchain default values, it has an internal record that can display attempts at non-consensus decisions, along with what was the majority decision and the minority decision.

"Digital systems offer a high variety of attack vectors and exploitation of many of those will be undetectable whereas the paper ballot system is very well understood, due procedures very well established and manipulation on a broader scale pretty much impossible to do without being recognised. The paper ballot is the clear winner in my eyes."

The problem with paper ballots is that it is actually easier to cast multiple votes in person simply by attending multiple voting locations and doing multiple voter details. I can confirm that would be difficult to detect in urban electorates such as Mt Roskill, as the voter details could easily be determined from social media.

Local postal elections are definitely less secure than even in person voting, as it takes no effort to gain additional votes.

Danyl Strype Sun 22 May 2016

The NZ Open Source Society has set up an Online Democracy email list specifically to discuss the social and technical considerations of both e-voting and online decision-making (eg liquid democracy).