Shut up and trust them: Why Moscow’s new Internet voting system relies on faith, not transparency or peer review
The Moscow Mayor’s Office promised that its prototype online voting system, which gets a limited test run in this Sunday’s City Duma elections, would be transparent. Instead, officials have assembled something even more obfuscated than traditional voting. In typical elections, you can always recount the ballots. This won’t be possible with Moscow’s Internet voting, and online observers effectively will have no way of knowing if electronic votes have been counted properly. In essence, the Mayor’s Office can claim whatever Internet voting results it likes, and neither voters nor observers will be able to prove otherwise.
The system’s architects designed three means of controlling for the correct counting of votes, but all three were ultimately abandoned
- The Mayor’s Office promised that individual voters would be able to verify, after the election, that their vote was accurately recorded in the system. Programmers promised to release a special service for this option, but the plan was scrapped at the last minute.
- The Mayor’s Office promised to publish a vote decryption key, which would have allowed observers to decrypt and count anonymized votes. In the end, five days before the elections, Moscow officials decided that, instead of vote decryption, observers’ access would be limited to “the total number of encrypted ballots, the number of decrypted ballots, and the percentage of decrypted ballots.”
- The Mayor’s Office promised to grant access to the voting system’s blockchain, so observers could track all “transactions” from the source. This would have allowed observers to monitor the entire voting process, but city officials ultimately decided to restrict access to specific “blocks.”
Officials sacrificed transparency for the sake of ballot secrecy
Developers never explained publicly why they decided to abandon voting transparency, but the city’s working-group members say the programmers told them unofficially that they scrapped the vote-verification system on orders from their employer.
Officially, the Mayor’s Office says its Internet voting is risk-free, but concerns about ballot secrecy might explain why the city decided to limit access to the system’s blockchain, and why it stopped publishing private encryption keys in its public-intrusion tests. Ordinary voters now won’t have a simple means of copying their encrypted vote, but tech-savvy individuals will figure this out. The same is true of employers who force staff to vote remotely from work. The voting system’s designers haven’t figured out how to prevent this.
If the system’s developers published a private encryption key, these votes could be decrypted, and full access to the blockchain would provide access to the private key, even if it weren’t released separately (when voting ends, the vote decryption key is collected from several points and recorded on the blockchain).
Moscow’s Internet voting system was designed in a way that prohibits users from voting one way initially (as an employer might demand), and later changing their vote, before the end of the elections. Online voting in Estonia, for example, allows people to change their votes like this, as a protection against workplace pressure.
Granting Moscow voters the right to change their votes would require a radical redesign of the system that’s been developed. For example, it would necessitate ditching blockchain and changing the anonymization scheme now in place. In Moscow’s system, anonymization occurs immediately before a ballot is received. It’s impossible to know “where” a specific voter’s ballot is, which means voters can’t modify their choice, because the system has no way of finding and invalidating the first ballot.
In Estonia, anonymization occurs after voting is complete, but before the votes are decrypted, when the system takes the last ballot submitted by each voter, severs its ties to the individual, and then shuffles the votes, before finally decrypting the data. At the same time, before voting is over, any individual can verify that their vote was recorded correctly. Estonian online voting also lasts more than 12 times longer than Moscow’s (153 hours versus 12), and access is controlled by microchipped tokens and PIN codes, whereas Moscow’s system relies on logins, passwords, and text messages.
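The two anonymization schemes just described, and the observer recount and voter self-check promised in the bullet points above, are easy to see side by side in a small model. The following is an added example, written for this article; it is not code from Moscow’s or Estonia’s actual voting systems. The class names, the voter IDs, the election key and the toy keystream cipher (SHA-256 XOR instead of the public-key and threshold schemes a real system would use) are all constructed for illustration. The only design difference between the two ballot boxes is when the voter link is severed, and that alone decides whether a later ballot can replace an earlier one and whether a voter can confirm which ballot is on record.

```python
"""Toy model of two online-voting anonymization schemes (constructed example)."""
import hashlib
import os
import random
from collections import Counter


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: SHA-256 in counter mode. Illustration only, not a real cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt_ballot(key: bytes, choice: str) -> bytes:
    """Encrypt one ballot under the election key; a fresh nonce hides repeated choices."""
    nonce = os.urandom(16)
    plain = choice.encode()
    return nonce + bytes(a ^ b for a, b in zip(plain, _keystream(key, nonce, len(plain))))


def decrypt_ballot(key: bytes, blob: bytes) -> str:
    """Decrypt a ballot; this is what observers could do if the key were published."""
    nonce, body = blob[:16], blob[16:]
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body)))).decode()


class AnonymiseOnReceipt:
    """Moscow-style box (as the article describes it): the voter link is severed the
    moment a ballot arrives, so a second ballot can only be refused, never substituted."""

    def __init__(self) -> None:
        self.voted: set[str] = set()   # who has voted, but not which ballot is whose
        self.ballots: list[bytes] = []

    def cast(self, voter_id: str, blob: bytes) -> None:
        if voter_id in self.voted:
            raise PermissionError(f"{voter_id} has already voted; the ballot cannot be changed")
        self.voted.add(voter_id)
        self.ballots.append(blob)     # stored with no pointer back to voter_id

    def close(self) -> list[bytes]:
        random.shuffle(self.ballots)
        return list(self.ballots)


class AnonymiseAtClose:
    """Estonia-style box: the link is kept until voting ends, the last ballot per
    voter is selected, the link is severed, and only then are ballots shuffled."""

    def __init__(self) -> None:
        self.by_voter: dict[str, list[bytes]] = {}

    def cast(self, voter_id: str, blob: bytes) -> None:
        self.by_voter.setdefault(voter_id, []).append(blob)   # re-voting is allowed

    def verify(self, voter_id: str, blob: bytes) -> bool:
        """Individual verifiability: is this exact ballot the one currently on record?"""
        return bool(self.by_voter.get(voter_id)) and self.by_voter[voter_id][-1] == blob

    def close(self) -> list[bytes]:
        final = [blobs[-1] for blobs in self.by_voter.values()]  # last ballot wins
        random.shuffle(final)                                     # sever order = sever link
        return final


def observer_tally(key: bytes, anon_ballots: list[bytes]) -> Counter:
    """The recount observers could perform with the decryption key and the anonymized ballots."""
    return Counter(decrypt_ballot(key, b) for b in anon_ballots)


def demo(seed: int = 1) -> dict:
    """voter-1 is pressured to cast 'A' at work, then casts 'B' privately; voter-2 casts 'B'."""
    random.seed(seed)
    key = hashlib.sha256(b"constructed election key").digest()   # constructed, not real
    results = {}
    for name, box in (("anonymise_on_receipt", AnonymiseOnReceipt()),
                      ("anonymise_at_close", AnonymiseAtClose())):
        box.cast("voter-1", encrypt_ballot(key, "A"))
        try:
            box.cast("voter-1", encrypt_ballot(key, "B"))
            recast_ok = True
        except PermissionError:
            recast_ok = False
        box.cast("voter-2", encrypt_ballot(key, "B"))
        results[name] = (recast_ok, dict(observer_tally(key, box.close())))
    return results


if __name__ == "__main__":
    for scheme, (recast_ok, tally) in demo().items():
        print(f"{scheme}: re-vote accepted={recast_ok}, tally={tally}")
```

Running `demo()` shows the anonymise-on-receipt box keeping the coerced “A” and refusing the private “B”, while the anonymise-at-close box counts only the voter’s final ballot. Note that `observer_tally` is only possible because `key` is available to whoever runs it; withholding the key, as the article says Moscow did, leaves observers with nothing but the number of encrypted blobs.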
The restrictions on Moscow’s Internet voting have resulted in a process that’s less transparent than traditional elections
Blockchain protects against ballot stuffing after the voting is finished, but Moscow officials have nevertheless left the door wide open for election fraud.
The city is essentially telling observers and voters to have faith that the new system will work as advertised, but the Mayor’s Office hasn’t inspired much confidence with its behavior, so far. For example, when a previous iteration of the system failed a public-intrusion test, Moscow officials simply refused to acknowledge the hack.
The Mayor’s Office also refused to disclose the Internet voting system’s full code, and consequently it hasn’t been subjected to an independent audit. This effectively means that no one but the developers knows for certain how it works.
In traditional elections, observers can check voters’ passports to verify that they are voting legitimately. With online voting, this kind of monitoring is impossible.
As a result of all these shortcomings, the Moscow Mayor’s Office can effectively publish whatever Internet voting results it likes, and neither voters nor observers will have any way of judging the numbers’ accuracy. The system’s code hasn’t been released, and observers won’t have the chance to recount these votes. The only conceivable way of verifying the online election results would be to take the city to court, where officials could be compelled to grant access to the system’s original blockchain and vote decryption key.
Translation by Kevin Rothrock