Electronic Voting

7th International Joint Conference, E-Vote-ID 2022, Bregenz, Austria, October 4–7, 2022, Proceedings

  • Open Access
  • 2022
  • Book

About this book

This open access book, LNCS 13353, constitutes the proceedings of the 7th International Conference on Electronic Voting, E-Vote-ID 2022, held in Bregenz, Austria, in October 2022. The 10 full papers were carefully reviewed and selected from 39 submissions. The conference collected the most relevant debates on the development of electronic voting, from aspects relating to security and usability to practical experiences and applications of voting systems, including legal, social or political aspects, among others.

Table of Contents

Frontmatter

Open Access

An Analysis of the Security and Privacy Issues of the Neovote Online Voting System
Abstract
This article provides the first security and privacy analysis of the Neovote voting system, which was used for three of the five primaries in the French 2022 presidential election. We show that the demands of transparency, verifiability and security set by French governmental organisations were not met, and propose multiple attacks against the system targeting both the breach of voters’ privacy and the manipulation of the tally. We also show how inconsistencies in the verification system allow the publication of erroneous tallies and document how this arrived in practice during one of the primary elections.
Enka Blanchard, Antoine Gallais, Emmanuel Leblond, Djohar Sidhoum-Rahal, Juliette Walter

Open Access

Time, Privacy, Robustness, Accuracy: Trade-Offs for the Open Vote Network Protocol
Abstract
The open vote network (OV-Net [10]) is a secure two-round multi-party protocol facilitating the computation of a sum of integer votes without revealing their individual values. This is done without a central authority trusted for privacy, and thus allows decentralised and anonymous decision-making efficiently. As such, it has also been implemented in other settings such as financial applications, see e.g. [15, 17].
An inherent limitation of OV-Net is its lack of robustness against denial-of-service attacks, which occur when at least one of the voters participates in the first round of the protocol but (maliciously or accidentally) not in the second. Unfortunately, such a situation is likely to occur in any real-world implementation of the protocol with many participants. This could incur serious time delays from either waiting for the failing parties and perhaps having to perform extra protocol rounds with the remaining participants.
This paper provides a solution to this problem by extending OV-Net with mechanisms tolerating a number of unresponsive participants, the basic idea being to run several sub-elections in parallel. The price to pay is a carefully controlled privacy loss, an increase in computation, and a statistical loss in accuracy, which we demonstrate how to measure precisely.
Fatima-Ezzahra El Orche, Rémi Géraud-Stewart, Peter B. Rønne, Gergei Bana, David Naccache, Peter Y. A. Ryan, Marco Biroli, Megi Dervishi, Hugo Waltsburger

Open Access

Review Your Choices: When Confirmation Pages Break Ballot Secrecy in Online Elections
Abstract
Online voting systems typically display a confirmation screen allowing voters to confirm their selections before casting. This paper considers whether a network-based observer can extract information about voter selections from the length of the exchanged network data.
We conducted a detailed analysis of the Simply Voting implementation, which had randomly varying lengths of exchanged data due to dynamic page content and gzip compression. We demonstrated that we could correctly guess a voter’s selection with accuracy values ranging up to 100% in some instances. Even on more complex ballots, we generally could still rule out some combinations of candidates. We conducted a coordinated disclosure with the vendor and worked with them to roll out a mitigation.
To their credit, this discovery (and therefore its fix) was made possible by their willingness to provide a publicly accessible demo, which, as we will show, remains a rarity in the industry.
James Brunet, Athanasios Demetri Pananos, Aleksander Essex

Open Access

Running the Race: A Swiss Voting Story
Abstract
On the 29th of March 2019 the Swiss Federal Chancellery launched a review of the procedures surrounding e-voting after numerous flaws were discovered in the Scytl-Swiss Post system sVote. On the 5th of July 2021 an independent examination of the revised Swiss Post system began, with some cantons planning to launch new trials with this system.
We summarize and reflect on our experience with the examination of the cryptographic protocol so far and muse over the future. We find that the protocol specification considerably improved over the last 3 years, both through changes in the protocol itself and through clarifications of missing elements in its specification. The clarifications also shed a new light on shortcomings of the protocol, in terms of both verifiability and privacy, including in the latest version of the system, which remains incompletely specified.
We believe that these findings illustrate virtues of the examination requirements set by the Swiss Federal Chancellery: problems can be fixed before deployment rather than being exploited by malicious parties during an election. They also illustrate the tremendous challenges of creating a secure Internet voting system, and the long road ahead.
Thomas Haines, Olivier Pereira, Vanessa Teague

Open Access

The Effect of Exogenous Shocks on the Administration of Online Voting: Evidence from Ontario, Canada
Abstract
This paper examines the impact of two exogenous shocks – a 2018 technical incident that took place in Ontario, Canada, and the COVID-19 pandemic – on the administration of local elections in Ontario. Drawing upon survey and focus group data, this paper concludes that these two exogenous shocks affected the perception and adoption of online voting on the municipal level in differential ways. We find that the COVID-19 pandemic had a greater perceived effect upon the decision to adopt online voting than the 2018 technical incident. However, the perceived effects of the 2018 technical incident were just as likely to be felt in unaffected municipalities as they were in those that had been directly affected. Municipalities that had not used online voting in 2018 and medium-sized cities were more negatively affected by the 2018 technical incident. In contrast, the perceived effects of the COVID-19 pandemic did not hinge upon the previous use of online voting, city size, or the urban/rural divide.
Helen A. Hayes, Nicole Goodman, R. Michael McGregor, Zachary Spicer, Scott Pruysers

Open Access

The Council of Europe’s CM/Rec(2017)5 on e-voting and Secret Suffrage: Time for yet Another Update?
Abstract
The Council of Europe’s Recommendation CM/Rec(2017)5 on e-voting remains the main international legal standard in the field. According to the updated Recommendation, e-voting should respect all the principles for democratic elections. This includes, of course, the principle of secret suffrage. Provisions on secret suffrage are dispersed throughout Rec(2017)5 and its related documents. The main provisions can be found in Section IV of Appendix I, but the principle is also mentioned in several other sections, in the Explanatory Memorandum, and in the Guidelines. A detailed analysis of all these provisions reveals important flaws in the understanding of secret suffrage in (remote) e-voting. Some of the flaws are the result of an inaccurate understanding of secret suffrage, in which this principle is mixed with provisions on personal data protection. In other cases, the flaws are due to analogies being drawn with paper-based voting channels, which prevent the standards from taking stock of the specificities of (remote) e-voting. In this paper I provide a detailed account of these flaws. I also suggest some alternative approaches and wording for the provisions on secret suffrage. Lastly, I discuss the desirability and feasibility of different alternatives regarding the review of Rec(2017)5.
Adrià Rodríguez-Pérez

Open Access

Sweeter than SUITE: Supermartingale Stratified Union-Intersection Tests of Elections
Abstract
Stratified sampling can be useful in risk-limiting audits (RLAs), for instance, to accommodate heterogeneous voting equipment or laws that mandate jurisdictions draw their audit samples independently. We combine the union-intersection tests in SUITE, the reduction of RLAs to testing whether the means of a collection of lists are all \(\le 1/2\) of SHANGRLA, and the nonnegative supermartingale (NNSM) tests in ALPHA to improve the efficiency and flexibility of stratified RLAs. A simple, non-adaptive strategy for combining stratumwise NNSMs decreases the measured risk in the 2018 pilot hybrid audit in Kalamazoo, Michigan, USA by more than an order of magnitude, from 0.037 for SUITE to 0.003 for our method. We give a simple, computationally inexpensive, adaptive rule for deciding which stratum to sample next that reduces audit workload by as much as 74% in examples. We also present NNSM-based tests that are computationally tractable even when there are many strata, illustrated with a simulated audit stratified across California’s 58 counties.
Jacob V. Spertus, Philip B. Stark

Open Access

They May Look and Look, Yet Not See: BMDs Cannot be Tested Adequately
Abstract
Bugs, misconfiguration, and malware can cause ballot-marking devices (BMDs) to print incorrect votes. Several approaches to testing BMDs have been proposed. In logic and accuracy testing (LAT) and parallel or live testing, auditors input known test votes into the BMD and check whether the printout matches. Passive testing monitors the rate at which voters “spoil” BMD printout, on the theory that if BMDs malfunction, the rate will increase noticeably. We provide lower bounds that show that these approaches cannot reliably detect outcome-altering problems, because: (i) The number of possible voter interactions with BMDs is enormous, so testing interactions uniformly at random is hopeless. (ii) To probe the space of interactions intelligently requires an accurate model of voter behavior, but because the space of interactions is so large, building a sufficiently accurate model requires observing an enormous number of voters in every jurisdiction in every election—more voters than there are in most U.S. jurisdictions. (iii) Even with a perfect model of voter behavior, the required number of tests exceeds the number of voters in most U.S. jurisdictions. (iv) An attacker can target interactions that are intrinsically expensive to test, e.g., because they involve voting slowly; or interactions for which tampering is less likely to be noticed, e.g., because the voter uses the audio interface. (v) Whether BMDs misbehave or not, the distribution of spoiled ballots is unknown and varies by election and possibly by ballot style: historical data do not help much. Hence, there is no way to calibrate a threshold for passive testing, e.g., to guarantee at least a 95% chance of noticing that 5% of the votes were altered, with at most a 5% false alarm rate. (vi) Even if the distribution of spoiled ballots were known to be Poisson, the vast majority of jurisdictions do not have enough voters for passive testing to have a large chance of detecting problems but only a small chance of false alarms.
Philip B. Stark, Ran Xie

Open Access

Individual Verifiability with Return Codes: Manipulation Detection Efficacy
Abstract
Researchers advocate for end-to-end verifiable voting schemes to maximise election integrity. At E-Vote-ID 2021, Kulyk et al. proposed to extend the verifiable scheme used in Switzerland (called original scheme) by voting codes to improve it with respect to vote secrecy. While the authors evaluated the general usability of their proposal, they did not evaluate its efficacy with respect to manipulation detection by voters. To close this gap, we conducted a corresponding user study. Furthermore, we study the effect of a video intervention (describing the vote casting process including individual verifiability steps) on the manipulation detection rate. We found that 65% of those receiving the video detected the manipulation and informed the support. If we only consider those who stated they (partially) watched the video the rate is 75%. The detection rate for those not having provided the video is 63%. While these rates are significantly higher than the 10% detection rate reported in related work for the original system, we discuss how to further increase the detection rate.
Paul Tim Thürwächter, Melanie Volkamer, Oksana Kulyk

Open Access

Logic and Accuracy Testing: A Fifty-State Review
Abstract
Pre-election logic and accuracy (L&A) testing is a process in which election officials validate the behavior of voting equipment by casting a known set of test ballots and confirming the expected results. Ideally, such testing can serve to detect certain forms of human error or fraud and help bolster voter confidence. We present the first detailed analysis of L&A testing practices across the United States. We find that while all states require L&A testing before every election, their implementations vary dramatically in scope, transparency, and rigorousness. We summarize each state’s requirements and score them according to uniform criteria. We also highlight best practices and flag opportunities for improvement, in hopes of encouraging broader adoption of more effective L&A processes.
Josiah Walker, Nakul Bajaj, Braden L. Crimmins, J. Alex Halderman
Backmatter
Title
Electronic Voting
Edited by
Robert Krimmer
Melanie Volkamer
David Duenas-Cid
Peter Rønne
Micha Germann
Copyright Year
2022
Electronic ISBN
978-3-031-15911-4
Print ISBN
978-3-031-15910-7
DOI
https://doi.org/10.1007/978-3-031-15911-4
