Shut up and trust them Why Moscow’s new Internet voting system relies on faith, not transparency or peer review
The Moscow Mayor’s Office promised that its prototype online voting system, which gets a limited test run in this Sunday’s City Duma elections, would be transparent. Instead, officials have assembled something even more obfuscated than traditional voting. In typical elections, you can always recount the ballots. This won’t be possible with Moscow’s Internet voting, and online observers effectively will have no way of knowing if electronic votes have been counted properly. In essence, the Mayor’s Office can claim whatever Internet voting results it likes, and neither voters nor observers will be able to prove otherwise.
The system’s architects designed three means of controlling for the correct counting of votes, but all three were ultimately abandoned
Officials sacrificed transparency for the sake of ballot secrecy
Developers never explained publicly why they decided to abandon voting transparency, but the city’s working-group members say the programmers told them unofficially that they scrapped the vote-verification system on orders from their employer.
Officially, the Mayor’s Office says its Internet voting is risk-free, but concerns about ballot secrecy might explain why the city decided to limit access to the system’s blockchain, and why it stopped publishing private encryption keys in its public-intrusion tests. Ordinary voters now won’t have a simple means of copying their encrypted vote, but tech-savvy individuals will figure this out. The same is true of employers who force staff to vote remotely from work. The voting system’s designers haven’t figured out how to prevent this.
If the system’s developers published a private encryption key, these votes could be decrypted, and full access to the blockchain would provide access to the private key, even if it weren’t released separately (when voting ends, the vote decryption key is collected from several points and recorded on the blockchain).
The restrictions on Moscow’s Internet voting have resulted in a process that’s less transparent than traditional elections
Blockchain protects against ballot stuffing after the voting is finished, but Moscow officials have nevertheless left the door wide open for election fraud.
The city is essentially telling observers and voters to have faith that the new system will work as advertised, but the Mayor’s Office hasn’t inspired much confidence with its behavior, so far. For example, when a previous iteration of the system failed a public-intrusion test, Moscow officials simply refused to acknowledge the hack.
The Mayor’s Office also refused to disclose the Internet voting system’s full code, and consequently it hasn’t been subjected to an independent audit. This effectively means that no one but the developers knows for certain how it works.
In traditional elections, observers can check voters’ passports to verify that they are voting legitimately. With online voting, this kind of monitoring is impossible.
As a result of all these shortcomings, the Moscow Mayor’s Office can effectively publish whatever Internet voting results it likes, and neither voters nor observers will have any way of judging the numbers’ accuracy. The system’s code hasn’t been released, and observers won’t have the chance to recount these votes. The only conceivable way of verifying the online election results would be to take the city to court, where officials could be compelled to grant access to the system’s original blockchain and vote decryption key.