Why Internet Voting is Still Rare
Last week saw elections held across the European Union. One key point that has received significant media coverage was the relatively high voter turnout of over 50% of the population. While this turnout is historically high, it still means that about half of the people either chose not to spend the time to vote or were otherwise impeded from doing so. Internet voting appears to be a promising solution to this problem. In this briefing, we will take a look at what it is and why it is not common.
What is Internet Voting?
Internet Voting is the process of casting your vote in an election over the internet, using either a website or a specially crafted application issued by the country. It usually involves some form of digital identification such as that found on “smart” government ID cards in Europe or Asia.
Internet voting should not be confused with E-Voting, which is the process of using electronic voting machines in physical polling locations.
Who does Internet Voting?
At present, while many countries employ some sort of E-Voting mechanism in polling places, only Estonia allows citizens to vote over the internet in a majority of its elections. It uses a dedicated smartphone app in addition to the digital ID included on its national ID cards to do so. Traditional polling also remains available alongside it.
Why isn’t Internet Voting more popular?
On the surface, allowing citizens to vote through an app seems like a great idea. By reducing the barrier to vote, voter turnout can likely be increased. It doesn’t matter if work commitments, health issues or simply laziness are preventing an individual from voting - an app would be more convenient than polling stations in any of these cases.
The problem, however, is information security. As we have repeatedly stated, it is a mistake to believe that systems can be categorically secure or insecure. Rather, a secure system is one where the cost to compromise it exceeds the value that any given attacker can gain from doing so. This explains why end users are extremely unlikely to be targeted by dedicated hackers and why cryptocurrency exchanges holding in excess of a few million dollars in assets keep getting hacked.
The value of an individual web application or company can be estimated and is usually defensible, but when we start dealing with entire countries, the method of calculation becomes tricky. What is the value of a country? Its GDP? Across what time span? Furthermore, could the value of controlling a country not significantly outstrip that country’s GDP in the eyes of a foreign government? The net worth of breaching such a system is difficult to quantify, and the realised value will often be context dependent.
There may be ways to protect an asset as valuable as a country’s government but it appears unlikely from a 2019 perspective. While it is possible to secure systems that control billions of dollars in value, it may simply be impossible to create enough deterrent to safeguard the value of running an entire country - which would have to be measured in trillions of dollars.
Estonia is willing to take the risk of allowing internet voting because it believes that the current benefits outweigh the risk of interference for its relatively geopolitically stable country. But it is still aware of the risk and is continuously re-evaluating whether the program should continue.
Internet voting would likely be a boon to democracy and allow many people who are unable or unwilling to vote to participate in the democratic process. However, the core principles of information security may make it difficult to ever do so securely since the value of a successful attack is astronomical.
The only currently viable mechanism for a major country would be to decentralize its voting endpoints and perform rigorous in-person checks of every voter and the voting process to remove the risk of votes being manipulated. In other words - we would end up right back at polling locations and in-person voting.
We expect internet voting to evolve over the coming years and decades. It is possible - yet from a current technological standpoint unlikely - that mechanisms allowing internet voting to be done securely may be found in the future.