The cornerstone of democracy is the right of voters to participate in free and fair elections. However, securing elections is a non-trivial task because the security requirements conflict with each other.
On the one hand, to provide the freedom to vote, it should not be possible to coerce voters into voting for a specific candidate. Therefore, the vote must remain secret, and the voter must not be able to prove how the vote was cast. On the other hand, to guarantee fair elections, it must be possible to verify that the election result is correctly determined. Thus, the voter must be able to verify that her vote was taken into account. However, by allowing the voter to verify whether the vote was taken into account in the tallying phase, the voter is given the opportunity to prove how the vote was cast, which opens up possibilities for vote-selling and coercion. Thus, a balance has to be found between these security requirements.
The necessity for vote secrecy emerged due to large-scale fraud and vote-buying. While ballot secrecy was already described in the French Constitution of 1795, the modern interpretation of a secret ballot originates from the principles adopted in Australia in the middle of the 19th century. The Australian ballot became known for the following four requirements. First, the ballots had to be printed by the election organiser. Second, the ballots had to be distributed by the election officials in the polling stations. Third, all nominated candidates had to be listed on the ballot. Fourth, the voters had to be provided with a private environment in which to fill in the ballots.
To reduce fraud, the concepts from the Australian ballot were also introduced in other countries. In addition, voting machines were used to reduce the risk of fraud. However, as time went by, the devices became more complex, which raised questions regarding their trustworthiness. This highlighted the need to make elections transparent and verifiable.
The adoption of remote voting systems, like postal voting and remote online voting, once again raised the question of how to prevent voters from being coerced as the vote may be cast in an uncontrolled environment. For example, in the case of remote online voting, researchers have proposed multiple different techniques for lowering the risk of coercion. As voters’ computers cannot be guaranteed to be trustworthy, it is also necessary to allow voters to verify that their votes reached the voting system. Fortunately, modern cryptography makes it possible to build end-to-end verifiable voting systems that enable everyone to check that the election result is determined based on the votes cast by eligible voters. Ironically, introducing end-to-end verifiability to remote voting systems weakens their coercion-resistance.
We studied how different online voting systems attempt to bridge the gap between coercion-resistance and verifiability. It turns out that most of the studied online voting schemes rely on non-trivial assumptions to protect voters against coercion. There are two commonly used techniques for providing coercion-resistance. The first one allows voters to use fake voting credentials if a coercer confronts them. The other one lets voters re-vote to replace the vote given under coercion. Unfortunately, it is non-trivial to use fake credentials, which makes re-voting the most practical anti-coercion measure.
Regardless of the anti-coercion measures used, it is sometimes claimed that standard paper-based voting systems provide a higher level of privacy to the voter. However, researchers have shown that vote privacy can also be violated in paper-based voting systems. The advancement of technology has made it possible to use cameras in voting booths to record or stream the vote casting process. Another option is to lift fingerprints from the ballot papers to match the votes to the voters. However, there are also other ways to compromise vote privacy. For example, it has been shown that the internal structure of a paper sheet is unique and easy to measure. This property makes it possible for malicious election officials to match filled-in ballots with the voters who cast them. One other attack vector against paper-based voting, however, had not previously been studied. It turns out that the audio emitted while filling in the ballot can leak information about the choice the voter made.
We built and tested two proof-of-concept attacks that target vote privacy in paper-based voting systems. These attacks rely on one or more microphones being placed at the voting booth. The first proof-of-concept attack was designed to reveal which numbers were written on the ballot sheet based on the sound emitted by the pen or pencil. Testing showed that, in principle, it is possible to construct such an attack. Still, it only works for the ballot designs requiring voters to fill in the ballot with a candidate number. However, these types of ballots are rarely used and instead, it is common for ballots to list candidates along with checkboxes.
Thus, we created a second proof-of-concept attack to show that it is also possible to reveal information regarding the voter’s choice if the voter fills in a large ballot consisting of many checkboxes. The attack relies on the finding that the table plate, which is used to fill in the ballot, is likely to carry sound waves. This makes it possible to attach microphones underneath the table to capture the signal. We used this idea to measure the time differences between microphones capturing the signal emitted by marking the checkboxes with the pen. With this information, we can recover the coordinates where the pen was used to mark the ballot, which can leak information about the voter’s choice. Of course, the success of such an attack depends on multiple factors like the ability to place microphones in the voting booth, remove noise, calibrate the attack according to the design of the ballot sheet, and predict the behaviour of voters. Regardless, these attacks demonstrate that the advancement of technology also affects the security properties of traditional voting systems. It becomes evident that voting booths cannot guarantee absolute coercion-resistance.
As with many other voting systems, the designers of the Estonian i-voting system also had to find a balance between the coercion-resistance and verifiability properties. Coercion-resistance has been one of the main security features of the Estonian i-voting system. It is provided by allowing voters to re-vote in case they have been forced to cast a vote while being influenced by a coercer. Due to the risk of coercion and vote-buying, end-to-end verifiability has not been introduced to the Estonian i-voting system. However, over time, the Estonian i-voting system has been made more transparent. In 2013, individual verifiability was introduced, allowing voters to check whether the voting system has correctly received their ballots. In 2017, the server-side components were rewritten to make the server side verifiable, allowing external auditors to check cryptographic proofs that the voting system handled the ballots correctly. The updated system was named IVXV.
As a consequence of having to balance the verifiability and coercion-resistance properties, compromises had to be made. We studied the Estonian i-voting system to identify the security issues related to the voting and vote verification protocol. It turned out that many of these issues can be directly linked to the requirement of having to provide coercion-resistance to the voters. As a result of the analysis, we proposed possible improvements to the Estonian i-voting system. For example, to reduce the risk of third parties abusing access to voters’ electronic identities, voters could be notified if a vote has been cast in their name.
While notifications and vote verification can help detect attacks that target the integrity of the elections, they cannot detect attacks that aim to violate vote privacy. The issue stems from the fact that voters’ computers cannot be fully trusted. If a voter’s computer is infected by malware, there are no simple ways to protect vote privacy.
One non-trivial solution to this problem is to redesign the voting system so that it uses code voting. Thereby, each choice or candidate would be tied to a unique, voter-specific encoding, which would prevent the malware from finding out how the voter voted. However, for this to work, a mapping between the candidate names and the corresponding encodings would have to be delivered to the voters in a manner that is not accessible to malware. This usually means that a postal channel would have to be used, which on its own creates new security risks.
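The following is an added illustration of the two mechanisms discussed above, code voting (this paragraph) and re-voting as an anti-coercion measure (the earlier paragraph on coercion-resistance techniques); it is example code written for this page and is not the Estonian i-voting system's or any other project's implementation. The candidate names, the six-digit code format, the voter identifiers and the VotingServer class are all assumptions made for the example. The election organiser generates a per-voter code sheet that is delivered out of band; the voting computer only ever transmits a code, so malware there learns nothing about the choice, and the organiser resolves codes back to candidates at tally time, counting only each voter's latest ballot.

```python
import secrets
from dataclasses import dataclass, field

# Hypothetical candidate list, constructed for this example.
CANDIDATES = ["Alice", "Bob", "Carol"]


def generate_code_sheet(candidates):
    """Create one voter's mapping candidate -> random voting code.

    The sheet is what would reach the voter over an out-of-band channel
    (e.g. post), so malware on the voting computer never sees it. Codes
    are drawn from a CSPRNG and are distinct within a sheet; because
    every voter gets an independent sheet, a code observed on one
    computer says nothing about which candidate it stands for.
    """
    codes = {}
    used = set()
    for candidate in candidates:
        while True:
            code = f"{secrets.randbelow(10**6):06d}"  # assumed 6-digit format
            if code not in used:
                break
        used.add(code)
        codes[candidate] = code
    return codes


@dataclass
class VotingServer:
    """Election organiser's side: holds code sheets and submitted codes."""
    candidates: list
    # voter_id -> {candidate: code}; never sent to the voting computer
    sheets: dict = field(default_factory=dict)
    # voter_id -> list of submitted codes in order; the last one counts
    ballots: dict = field(default_factory=dict)

    def register_voter(self, voter_id):
        """Issue a fresh code sheet; returned here to stand in for postal delivery."""
        sheet = generate_code_sheet(self.candidates)
        self.sheets[voter_id] = sheet
        return sheet

    def cast(self, voter_id, code):
        """Accept a code submitted from a possibly malware-infected client.

        Only the code travels over the network, so a keylogger or screen
        grabber on the voter's computer sees e.g. '483201', not 'Alice'.
        """
        sheet = self.sheets.get(voter_id)
        if sheet is None or code not in sheet.values():
            return False  # unknown voter, or code not on this voter's sheet
        self.ballots.setdefault(voter_id, []).append(code)
        return True

    def tally(self):
        """Resolve codes to candidates, counting only each voter's latest ballot.

        Keeping the latest ballot is the re-voting rule: a vote cast under
        coercion is replaced by a later one cast freely.
        """
        result = {c: 0 for c in self.candidates}
        for voter_id, codes in self.ballots.items():
            code_to_candidate = {v: k for k, v in self.sheets[voter_id].items()}
            result[code_to_candidate[codes[-1]]] += 1
        return result


if __name__ == "__main__":
    server = VotingServer(CANDIDATES)
    sheet = server.register_voter("voter-1")
    server.cast("voter-1", sheet["Bob"])    # cast under coercion
    server.cast("voter-1", sheet["Alice"])  # re-vote replaces it
    print(server.tally())
```

Note what the example does and does not protect: the server still learns the voter's choice at tally time, so code voting only removes the voting computer from the set of parties that must be trusted for privacy, and the security of the scheme rests entirely on the code sheet reaching the voter through a channel the malware cannot read.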
The other option for increasing the privacy guarantees is to use a dedicated voting device that does not have additional functionalities. Such a device should have a significantly reduced attack surface compared to traditional computers. To test the approach, our team built a proof-of-concept voting application for the Estonian i-voting system that runs on top of a microcontroller. We could do that, as the documentation and server-side source code for the Estonian i-voting system are public. In addition to describing how the microcontroller-based voting application works, we also published a security analysis and the source code for the application.
While it is unlikely that dedicated voting devices will be provided to voters in the near future, voting from smartphones could become a reality. From a technical standpoint, it is already possible to build voting applications that run on smartphones. The question is whether the smartphone-based voting application would introduce new security risks.
We analysed these aspects by considering two different approaches to distributing the smartphone-based voting application. As the first option, the voting application could be distributed in the form of a dynamic web page that is accessed from a web browser. The alternative is to create a standalone voting application that is distributed to the voters via official application stores. Both options come with security risks, but the browser-based approach stood out negatively due to the number of risks. For example, smartphone browsers tend to lag behind desktop browsers in their security features. It would also be difficult for voters to verify the integrity of such a voting application. However, with a standalone voting application, the election organiser would have to distribute the application via official application stores, thereby delegating some of its tasks to a private company, which creates new risks. In both cases it is unclear how smartphone-based voting would influence vote verification. Thus, before introducing mobile voting, the election organiser must decide whether the accompanying risks are to be mitigated or accepted.
In conclusion, it can be challenging to build voting systems due to the conflicting security requirements. Thus, a political decision may have to be made to find an optimal balance between coercion-resistance and verifiability properties.