Online voting sounds like an idea we should be able to make work. After all, we do so much online already, and we routinely transmit sensitive data such as financial or medical records by encrypting them. Further, there are cryptographic methods, called end-to-end verifiability, that promise citizens that their votes are recorded as they intended; that each vote is tallied; and that the final tally is the sum of all the ballots. Plus the convenience of online voting may spur more participation in elections.
And where better to try online voting than in Switzerland, where people vote early and often? Although the Swiss have a traditional parliament, many consequential decisions are voted on directly by the people. Unsurprisingly, this results in lots of elections! In just 2018 the Swiss held 10 different referendums on a variety of topics. Voting that much makes the Swiss even more sensitive to electoral convenience than we are.
There is already limited online voting in some Swiss cantons, using two separate certified systems. The government says two thirds of those eligible have chosen this option, attesting to the demand. When the country decided recently to try to dramatically expand online voting, they proceeded methodically in true Swiss fashion. The first step was to hold a mock referendum and invite the world’s “white hat” hackers—security researchers who expose vulnerabilities so that they can be fixed—to infiltrate the system, offering about $150,000 in rewards and bragging rights.
The rewards were swiftly claimed. Three independent teams showed that hackers could alter vote results undetected—the worst-case scenario. The flaw pertains to the way that the system “shuffles” the encrypted votes to protect voter privacy before tallying. This is fixable. But even if it’s fixed, how can voters be fully assured that they should trust the new system?
And therein lies the biggest flaw in all e-voting schemes: the ones that don’t employ cryptography cannot provide the crucial guarantees of secret balloting and verification of tallies. And those that do use cryptographic schemes require that the voters trust the experts. Estonia, a country that has used online voting since 2005, is a case of the latter. A team of researchers at the University of Oxford that examined Estonia’s system in 2016 praised many of its safety procedures but noted that because of the country’s small size, officials also rely on building trust among people who run their elections through interpersonal relationships. Estonians seem to think that’s good enough—but it’s not an easy model to export.
Another thing that distinguishes Estonia is a mandatory digital ID system: every Estonian citizen is issued a card with cryptographic keys widely used for both public- and private-sector functions. While that solves one problem—how to identify voters and prevent double voting—it creates another: such systems can also function as a vast tracking and surveillance system that other countries may not be comfortable with.
Digital IDs can create a third problem: in 2017 a weakness was found in the hardware in Estonian cards, potentially allowing identity theft—the very thing the card is supposed to prevent. Officials quickly replaced the cards and upgraded their systems, but a real crisis was averted only because the flaw wasn’t actually exploited. Next time, that might not be the case.
In the end, the biggest flaw in even the most secure online voting system is this: trusting the experts isn’t supposed to be how voting works. It’s true that voter fraud and errors can occur in a variety of systems, but electronic voting lowers the bar for both stealthiness and scale. Paper ballots can definitely be corrupted, but that requires organizing lots of people in a secret scheme that is hard to keep under wraps. And if fraud is suspected, you can just do a recount in the presence of eagle-eyed observers.
Trust in election results is the bedrock of any democratic government’s legitimacy. Online voting systems cannot fully assure citizens that there are no trapdoors, backdoors, bad implementations or weaknesses. Instead of online voting, democracies should focus on making voting convenient through other measures: national holidays on election days, increasing the number of polling places, sufficient numbers of voting machines to decrease lines, transportation to the booth for people who need it, and more. Voting is too important for systems that rely on “trust the experts” schemes.