Upgrading democracy
Saturday, July 19th, 2008
I have read a great many stories over the last few years, especially from the USA, about electronic voting and its pitfalls; about how easily such systems can be corrupted. I agree with their conclusions. (see … http://www.blackboxvoting.org/ and http://blackboxvoting.com )
However, at the same time I am not anti-technology, and when I consider the democratic process that we have, it does not seem very democratic to me.
The idea behind democracy is to allow the ‘people’ to decide how the country is run, therefore democracy needs to:-
a) Allow the people to decide what policies are implemented.
b) Do so effectively and efficiently.
At present this is achieved by allowing the ‘people’ to vote for who they want to represent them in making decisions on how the country is run. The successful candidates are a small enough group to meet together and vote on actual policies. (Often there is a second vote, as in the USA, to decide an ultimate figurehead as well, however I am from the UK so will write for the system I am used to.)
I think that this was a revolutionary solution a few hundred years ago, when democracy was for the first time becoming a method of governance for a whole country. Messages got across the country by courier on horseback and organising anything more than this would have been unworkable.
Now however, we live in an age where communication travels at light speed. Anyone can be up to date with the decisions that government is making and technology could easily let everyone have their say.
Over the centuries, the means to sway the masses to vote in a particular way has become very sophisticated. Often the party that spends the most, wins the most. If we could start to take parties out of the equation, if we could make participation in the democratic process less of a black and white choice and more of a participatory experience then I think it would be very likely to encourage people to think far more deeply on the issues at hand and create a far more active and true democratic system.
Corruption has crept into the system and government often listens more closely to vested and corporate interests than the needs of the general public. If we remove this decision making power from the few individuals who have it today and instead let everyone have a say then corruption will have a far harder time taking hold.
Technology has come a long way since democracy was invented. This presents us with new challenges in maintaining a genuinely democratic process, yet it also provides us with an opportunity to reinvent how we govern our countries. For the first time in history, we can, if we choose to, make our democracies truly democratic.
There are many inherent flaws in the current process. (I am talking generally here; although there is plenty of variation around the world, all these systems have the same basic flaws, which I will outline here.)
1. There are never enough candidates to represent everyone’s point of view - not even close.
2. In order to be elected, politicians need to appeal to as many people as possible. Rather than resulting in a good representation of people's views, this often leads to spin doctoring. Often politicians say one thing to get elected and then vote differently.
3. The current system creates a power hierarchy where many are attracted to politics for the power it brings rather than more altruistic people who genuinely want to represent the ‘people’. This makes it easy for corruption to creep in and for biased interests to have leverage in government policy. This is particularly apparent with the amount of sway the corporate world has over government.
4. It is very hard to pass new laws that involve taking power away from government, as government itself has to vote on these laws.
5. It distances the ‘people’ from the democratic process as they only have a say in it once every so many years, and only a limited say at best.
6. The reliance on a party system causes problems to be presented in overly simplified ways where there are only two views, which are often polar opposites. The truth of most situations is much more colourful.
How we could improve the situation
What follows is a systems design for a solution to the above issues. Rather than hide behind a rock when faced with the electronic voting system, I would rather grab it by the thorns and remake it in a way that is both secure and improves the democratic system. The system that I define below allows people to take a far more active role in government, but it does not alienate those who are quite happy to continue voting once every few years. I have designed the system with two central principles. It must be both secure and confidential; this is a challenge, but not one that I think is insurmountable.
The new system starts by continuing to encourage people to vote in a general election as they do now, voting for someone in their constituency. However, at the same time it allows individuals to sign up with a website where they can choose to override their representative's vote on issues that they choose to. This allows the general population to continue to influence government as they have been, but it also allows for a new, more active, participatory democracy.
Instead of giving each MP a fixed vote, which counts for one out of however many are sitting in parliament, they are given a number of votes equal to the number of people who voted for them (or the total number of votes in their constituency). When a vote is taken in parliament, the weight of each MP's vote therefore depends on how many people actually voted for them. In addition, after the general election, anyone who voted has the opportunity to register on a government website and be enabled to vote on motions in parliament. In doing so, anyone who is interested can have their single vote removed from the person that they elected and can instead vote any way they choose on motions presented to parliament. This would be achieved through the website and would allow people to ensure that their vote was used to vote for the things they felt were particularly important. When someone votes on an issue, the MP they elected has one less vote. Most people would not want to, nor have the time to, vote on every issue, and so they would be able to elect any of the sitting MPs to represent them the rest of the time.
To achieve this, a few small changes would need to be made to government process. The first is simply in the counting of the votes. The second is that the time for voting would need to be extended, to perhaps a 24-hour period. This solution allows government to continue as it does now, yet it also allows for a more active democracy. It would allow for a steady, quiet revolution rather than the messy varieties of old. As more people become used to being more actively involved in government, the system could continue to be updated in ways that make the process fairer and more efficient, resulting in a democracy that is far less susceptible to corruption.
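To make the counting rule concrete, here is an added simulation of a weighted parliamentary division (my example, not part of the original post): each MP starts with the votes they received, every registered voter takes one vote back, and that vote goes either to the voter's direct choice on the motion or to whichever sitting MP they have delegated to. The MP names, vote totals and screen names are constructed.

```python
from collections import Counter
from dataclasses import dataclass, field

CHOICES = ("aye", "no", "abstain")


@dataclass
class Parliament:
    # Constructed figures: MP -> votes received at the general election.
    elected: dict
    # screen name -> MP they elected (registering removes one vote from that MP).
    registered: dict = field(default_factory=dict)
    # screen name -> MP who carries their vote when they do not vote directly.
    delegate: dict = field(default_factory=dict)

    def register(self, screen_name: str, elected_mp: str) -> None:
        """A voter signs up on the website after the general election."""
        if elected_mp not in self.elected:
            raise KeyError(f"no such MP: {elected_mp}")
        if screen_name in self.registered:
            raise ValueError("screen name already registered")
        # An MP cannot lose more votes than they received at the election.
        already = sum(1 for mp in self.registered.values() if mp == elected_mp)
        if already >= self.elected[elected_mp]:
            raise ValueError(f"{elected_mp} has no unregistered votes left")
        self.registered[screen_name] = elected_mp
        self.delegate[screen_name] = elected_mp   # default: keep the MP they elected

    def delegate_to(self, screen_name: str, mp: str) -> None:
        """Choose any sitting MP to represent you on motions you do not vote on."""
        if screen_name not in self.registered or mp not in self.elected:
            raise KeyError("unknown voter or MP")
        self.delegate[screen_name] = mp

    def weights(self, direct_voters: set) -> Counter:
        """How many votes each MP carries on one motion."""
        w = Counter(self.elected)
        for name, elected_mp in self.registered.items():
            w[elected_mp] -= 1                  # the voter took their vote back...
            if name not in direct_voters:
                w[self.delegate[name]] += 1     # ...and lent it to their delegate
        return w

    def division(self, mp_positions: dict, direct_votes: dict) -> Counter:
        """Weighted result of a parliamentary vote.
        mp_positions: MP -> choice; direct_votes: screen name -> choice."""
        for name, choice in direct_votes.items():
            if name not in self.registered:
                raise ValueError(f"{name} is not registered to vote directly")
            if choice not in CHOICES:
                raise ValueError(f"bad choice {choice!r}")
        result = Counter()
        for mp, weight in self.weights(set(direct_votes)).items():
            result[mp_positions.get(mp, "abstain")] += weight
        for choice in direct_votes.values():
            result[choice] += 1                 # one registered voter, one vote
        return result


if __name__ == "__main__":
    p = Parliament({"Ashby": 30_000, "Bell": 20_000})
    p.register("marsh_owl", "Ashby")
    p.register("tin_fox", "Ashby")
    p.delegate_to("tin_fox", "Bell")
    print(p.division({"Ashby": "aye", "Bell": "no"}, {"marsh_owl": "no"}))
```

The totals always add up to the number of votes cast at the election, which is the property that makes large-scale vote rigging visible to the people whose votes are moved.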
There would be several important issues to consider, for example, what motions get put before parliament in the first place; perhaps to start with, this would happen as it does now, slowly introducing a mix of issues presented by MPs and early day motions made popular by people signed up on the website.
There would be issues of media persuading people to vote a particular way for ulterior motives. This is a serious problem, but it is one we already have. I will be writing about an open media in another post so will leave this for now.
Another issue would involve security. This would be easy to do if the system was completely transparent, but I am not sure that society is ready for this. By completely transparent, I mean that:-
a) The software is all open source and anyone can investigate it.
b) Everyone on this system is open about their identity. This would mean that anyone’s voting record is public knowledge and everyone on the system is identified by their real name.
The reason we have confidential voting is to prevent people from being bullied into voting for issues that they do not want to; by family, community and society. This does leave our current system open to fraud in numerous ways and this would also apply to any electronic voting platform that needs to be both transparent and confidential.
Perhaps society is ready to move beyond the need for the confidentiality. Have we reached a critical mass of individuals that are capable of thinking through the issues for themselves and are prepared to vote against their peers and authority figures? I wish society was so enlightened, but I have my doubts that it is.
In working out a solution to this conflict of interests it is important to remember what the purpose of the confidentiality is. It is to protect the integrity of the voting system. If a way could be found that could allow people to check that the votes are genuine without allowing open access to everyone’s voting history then the system would be secure. At first this seems like a contradiction in terms, but I don’t think that it is. One way of implementing this is outlined below.
There are several important issues that need to be considered to ensure that the system is both secure and confidential.
a) How to ensure that people's votes are actually counted accurately.
b) How to guarantee that the people voting are real, eligible people and that they are genuinely voting.
c) How to ensure all this whilst not leaving a voting history that can be tracked to the actual voter.
d) In the process of creating the system, not creating a database of confidential information that could be used for malicious ends.
What follows is one possible solution to these questions.
Part 1 - Signing up to the system
The most important parts of this process are
a) Ensure that the person is who they say that they are. This could be achieved by insisting that people register in an official location, where their identity is confirmed using a process similar to that used for passports etc.
b) Ensuring that their user identity is set up in a way that does not tie their voting history to their real name.
c) Ensuring that no database of biometric data is created that can connect to the person's real identity. This does not mean that biometric data is not used, just that it is only used in a way that maintains privacy.
When someone attends a place of registration, they are identified and it is checked that they are not already registered. This public register is the same as the one that can currently be accessed from a library. Ideally it should not contain addresses, but at present it does. In designing this voting system I have purposefully attempted to avoid adding to privacy issues, but I am not addressing the wider questions around national ID cards etc. This is an important topic that I will discuss another time.
The person's public registration details are entered into a computer (see section below about the software and hardware used in this process) and these are uploaded to the main voting server (more about this later). They are uploaded with a status of ‘awaiting confirmation’.
The person is then asked to enter a privacy cubicle. Inside the private cubicle there is a computer with a simple registration process.
a) The voter is asked to enter a screen name that they would like to be identified by. This must be unique. They are informed that they must keep this name secret, as it is a public name and anyone can look up their voting history if they know their screen name.
b) The computer then performs an iris scan. Everyone’s iris is unique, but even if the technology is not perfect, it does not have to be, as will be clarified later. This iris scan will not be connected with either the real identity of the person or their voting history, so a biometric ID database is not being created. The iris scan could be replaced with a fingerprint; any biometric data could be used. I am choosing iris scans simply because they are more accurate, but cost and simplicity may make fingerprints the method of choice.
c) The person is given or creates a random password. The password would not need to be very long because it would be used in conjunction with the iris scan (explained below); the system could allow the person to enter their own password and then ensure that it is complex enough. The person will be informed that they must keep this password secret, as it can be used in conjunction with their iris scan to identify them.
On entering this information, various processes take place, which I will describe below, but first I will finish the registration from the person’s perspective.
The person is then given a printout of the username and password, and is strongly warned to keep this information private. If they can do so, then they should memorise them and destroy the paper. If they are unable to memorise them then they should store the username and password in different locations (the printout could be perforated to aid this). The username and password could be presented in a randomised grid of data, so that all the person has to remember is the starting coordinates to read off the information; the coordinates could be in the form of a memorable date. This would prevent the casual thief from accessing the data, but may present a false sense of security, as it would not be secure against a professional attack. Even if this information is made public, the voting system itself is not compromised, as it depends on the iris scan; only the person's personal voting history is easily compromised, and only someone with access to the full iris database, which everything is done to prevent, could connect the person's iris scan with these details, and even this does not connect to their real name.
At this point the person is told that they have successfully registered and that they are to inform the clerk outside the cubicle that they registered with.
The clerk then looks their real name identification up on the public list and marks them as an active voter on the list. The registered voter can now return home.
Computer processes in the sign up process - Hardware
It is important to ensure that no malicious hardware is installed in the system that compromises privacy or the security of the vote.
The computer used by the clerk and the computer used in the cubicle would both be standardised systems built specifically for the task they are doing. Because they are standardised, any qualified member of the public can request to swap out the hardware with a replacement for investigation. This prevents any corruption from inside the registration organisation. This investigation would take place on the premises and be monitored both by someone in the registration office and through a publicly available CCTV feed to the internet.
By ‘qualified member of the public’ I mean anyone who can demonstrate that they know what they are doing. I won’t go into details of how to ascertain this, but the process should be simple enough to encourage participation yet complex enough to deter time wasters. A certain amount of public funds could be made available for ‘qualified members of the public’ to drive this process.
All hardware is inspected under publicly accessible CCTV before being installed. Once installed, this hardware is never out of range of the CCTV inspection, which is archived on the internet for anyone to investigate. Surprise inspections would not be necessary because the hardware is under constant surveillance.
The only connection these computers have to the outside world would be through a secure encrypted connection to the main voting servers, so the CCTV only needs to monitor the hardware to the point of its internet connection. It should be arranged in such a way that no view of the public is visible - this is important to maintain privacy.
The hardware for the cubicle should not be accessible from within the cubicle, other than through the input mechanisms (keyboard/mouse), however it should also be under CCTV surveillance and be swappable. It should be located in a way that makes the connection to the cubicle clear (leaving no blind spots in the CCTV) yet also retain the privacy of those using the cubicle.
In order to maintain privacy with a swappable system, the units should be physically built to ensure that if a process is interrupted - for example the hardware is swapped out whilst someone is in the cubicle - then all trace of the active process is irreversibly erased. This could be done by having a battery-powered, hard-wired system that takes over if the power supply is disconnected and immediately erases any sensitive data, combined with making disconnection of the power supply a physical part of swapping out the hardware.
Computer processes in the sign up process - Software
All the software would be built using open source principles, specifically for purpose, from BIOS level up. Making the software open source allows the general public to verify its security and allows rapid identification of weaknesses that can be corrected.
The operating system would ideally operate entirely from ROM that must be physically swapped out for an upgrade; this would be a strong defence against any form of spyware being installed. Having the software installed in ROM would also allow for easy checks that the installed system is exactly the same as the version it was installed from (by using checksum methods).
As with the hardware, qualified members of the public can swap out systems to check all is as it should be.
The password entered by the potential voter is used to algorithmically select data from the iris scan, and this resulting data is used to create a unique cryptographic hash. This hash cannot be reversed to recover the password it was derived from. However, whenever the iris scan and the password are passed through the same algorithm, the same hash is produced. This means we now have a way for a user to have their iris scanned, type in their password and thus be positively identified as a registered voter without the person's name needing to be associated with them.
The password is also used to create another cryptographic hash with the username.
The iris scan is then uploaded to the main voting server, connected to its hash. The username and username hash are then uploaded in a separate process, leaving the server with no method of connecting the two processes (the software is built in such a manner that no identifying information, such as IP address, is recorded against the uploaded information).
The day of registration is also uploaded against each registration, but no time stamp. This means that each username can only be narrowed down to one of all the irises uploaded on that day - this limits anonymity to one in tens to hundreds of thousands.
The software now erases the local copies of the iris scan, username, password and the two hashes, leaving no method of recovering the information (this is not a normal delete; it would require multiple overwrites of the memory using random data).
Registration Clerks
Each clerk would obviously be vetted and trained; however, in order to prevent corruption creeping in from their end, when registering a person's name they would also have to enter a password, whose cryptographic hash is stored on the main voting server. The registering clerk is then associated with the real name of the person on the electoral register. Each privacy booth could also be associated with a particular clerk, so that when the private information is uploaded it is also associated with the clerk. This presents some advantages and disadvantages. The advantage is that in investigating fraud, the number of suspects is severely reduced. The disadvantage is that the voter's anonymity is now reduced to one in all those registered by that clerk in that one day. This could only work if the clerk is guaranteed to process several hundred a day. It may be necessary to register a person against the registration centre, rather than the clerk. Anonymity of one in several hundred should be fine for our purposes here; no one would be able to work out a person's voting history, or which iris belongs to which name, and that is what is important. It does mean that people's usernames can be geographically identified.
Registration conclusion
Should the registration system be compromised - and the only likely way I can think of this happening would be due to corrupt registering agents - voters would need to re-register once a year, and should an agent be identified as corrupt then everyone registering with them would need to re-register. To re-register, a person first enters their old details in the privacy cubicle and the account would be automatically renewed.
Should a person forget their password or username, there would be no way of identifying the person to retrieve the details; the system would not be secure if there was. If the iris scan was 100% accurate in identifying the person, then it would be possible to cancel the iris scan, which would automatically prevent the login process from working for the username; in this situation the person could re-register. If the iris scan is not 100% accurate then they would have to wait for a year before they would be able to reactivate their account; their elected representative would continue to represent them for this time. This is not ideal, but I can see no way around this without 100% accurate biometric data or a lack of anonymity.
To stress an important point of this process: The only way that a person’s iris scan can be connected with the person is if the password and username are made public. This password is not recorded anywhere on the system, only the voter has it. Even if the country descended into a dictatorship, the database could not be used to identify people or their voting history.
Part 2 - Voting on an issue.
Ideally people would vote using an isolated client provided when they registered; this client's sole purpose would be to connect to the voting website. This would make it far easier to ensure that the client is free of spyware. The client would be able to connect to the internet using any means available, i.e. narrowband, broadband, wireless connection etc. On boot-up, the unit would run through a security check with the website to check it had not been compromised. Such a system need not be very expensive; the computer hardware needed does not need to be state of the art. Technology from ten years ago would be quite capable of doing what we need. Once again the software would be open source from the BIOS up and would ideally have the entire operating system stored in ROM; this would however mean that security upgrades would have to be done by taking the system back to the registration office. The qualified public would be encouraged to investigate their unit to ensure that it has not been compromised.
Alternatively the website could be accessed using a normal PC, but this would not be as secure, as it would be vulnerable to spyware attacks that could compromise accounts; however, there is a secondary check detailed below to keep this to a minimum. If an account is compromised then it may allow a hostile interest to connect an account username with the real person and gain access to their voting history. It would also make it possible for compromised accounts to be used to place votes. If access is to be done over a standard PC then a team would need to constantly check for spyware, and the public encouraged to do so as well; whenever a system is identified as containing compromising spyware, the voters using this system have to re-register with a new username/password.
The login process
The computer uses a specialised webcam to take an iris image of the voter, and the voter also enters their username and password. The image is passed to the website server along with the password and username over a secure connection. The server then checks the password against all the stored iris images that match the one uploaded. Unless the process is 100% accurate there may be more than one match; this will not matter, as the hash will be complex enough to make a false positive mathematically highly improbable (the rare event of a false positive could be dealt with in the registration process by changing the password). If the password hash is found then the system checks the username hash; if both match then the system logs them on. (See the server section to see how privacy is maintained in this process.) Using this process, the iris scan, password and username all have to be entered correctly. This means that should the printed information be stolen, it is impossible to log in with just the username and password.
The user would now also be able to select issues that they wish to vote on. When they choose to vote, the username is recorded against the motion being voted on.
Once the person logs out or times out, the server erases any information that connected the iris to the password or username.
This login process may fail for a variety of reasons.
i) The iris scan is not recognised. Take a second iris scan and try again. If it fails repeatedly and the username and password match, then the user's account is put on hold and the person is asked to re-register, and to take their iris scanner for an exchange.
ii) The password or username is incorrect. Allow another try, but give a pause of several seconds between attempts to prevent brute force attacks.
Various fraud-checking algorithms could be used in the login process to check for patterns of failure.
When the iris image and the username are sent to the server for validation, the two are only stored together for the process of verification, and at no point is the iris image or the registered name connected with the username in a way that is visible to anyone, meaning that no one can access voting history. The details of this are in the server section below.
After a user has logged in to the website they are presented with a list of their previous votes. This allows the voter to check that their account has not been compromised and votes placed in their name by someone else. A further check allows the voter to download spreadsheets of the tallies of the votes, listing every username and the way in which they voted. This allows the general public to see that their vote has been recorded exactly as they requested. Voters are encouraged to check this information when they log in. This is also a secondary check against spyware, as compromised accounts would show votes that they have not made.
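As an added example (my code, not the post's), the following sketches the two-hash registration described under Software and the login check from Part 2: the password is hashed with the stored iris data and, separately, with the screen name; the server keeps the two tables apart, tolerates an imperfect scanner by trying every nearby stored iris, and rejects a stolen username and password without the matching eye. PBKDF2, the 256-bit iris stand-in, the Hamming-distance match threshold and all names and passwords are my assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed parameters for this example (the post fixes none of them).
MATCH_THRESHOLD = 24    # max differing bits for two templates to count as the same eye
KDF_ROUNDS = 50_000     # PBKDF2 rounds; the post only says "cryptographic hash"


def make_template(label: str) -> bytes:
    """Constructed stand-in for an iris code: 256 deterministic bits from a label."""
    return hashlib.sha256(b"constructed-iris:" + label.encode()).digest()


def noisy_scan(template: bytes, flips: int) -> bytes:
    """Simulate an imperfect scanner by flipping the first `flips` bits of a template."""
    b = bytearray(template)
    for i in range(flips):
        b[i // 8] ^= 1 << (i % 8)
    return bytes(b)


def hamming(a: bytes, b: bytes) -> int:
    """Number of bits that differ between two equal-length templates."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def iris_hash(template: bytes, password: str) -> bytes:
    """Hash of iris data + password: same inputs always give the same output,
    and the output does not reveal the password (PBKDF2 is my choice of algorithm)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), template, KDF_ROUNDS)


def username_hash(username: str, password: str) -> bytes:
    """The second hash the post describes: the password combined with the screen name."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), username.encode(), KDF_ROUNDS)


@dataclass
class VotingServer:
    # Two separate tables, uploaded by separate processes. The only field they share
    # is the registration day, so a username can only be narrowed to that day's irises.
    iris_table: list = field(default_factory=list)   # rows of (day, template, iris_hash)
    name_table: list = field(default_factory=list)   # rows of (day, username, username_hash)
    votes: dict = field(default_factory=dict)        # motion -> {username: "aye"/"no"}

    def register(self, day: str, template: bytes, username: str, password: str) -> None:
        """What the privacy cubicle uploads; the cubicle itself keeps none of the inputs."""
        if any(u == username for _, u, _ in self.name_table):
            raise ValueError("screen name must be unique")
        self.iris_table.append((day, template, iris_hash(template, password)))
        self.name_table.append((day, username, username_hash(username, password)))

    def anonymity_set(self, username: str) -> int:
        """How many stored irises a screen name could belong to (same registration day)."""
        day = next(d for d, u, _ in self.name_table if u == username)
        return sum(1 for d, _, _ in self.iris_table if d == day)

    def login(self, scan: bytes, username: str, password: str) -> str:
        """Returns 'ok', 'iris_not_recognised' or 'bad_credentials' (the post's cases i and ii)."""
        # 1. Every stored template near enough to the live scan is a candidate; the scanner
        #    need not be perfect, because the password hash disambiguates in step 2.
        candidates = [(t, h) for _, t, h in self.iris_table
                      if hamming(t, scan) <= MATCH_THRESHOLD]
        if not candidates:
            return "iris_not_recognised"
        # 2. The password must reproduce the hash stored for one candidate's *stored* template.
        if not any(hmac.compare_digest(iris_hash(t, password), h) for t, h in candidates):
            return "bad_credentials"
        # 3. The username hash must match too: a stolen printout without the eye fails,
        #    and a matching eye without the printout fails.
        row = next((h for _, u, h in self.name_table if u == username), None)
        if row is None or not hmac.compare_digest(username_hash(username, password), row):
            return "bad_credentials"
        return "ok"   # nothing linking scan, password and username is retained after this

    def record_vote(self, username: str, motion: str, choice: str) -> None:
        """Votes are recorded against the screen name, as in the post's public tally."""
        if choice not in ("aye", "no"):
            raise ValueError("choice must be 'aye' or 'no'")
        self.votes.setdefault(motion, {})[username] = choice

    def history(self, username: str) -> dict:
        """The 'previous votes' list a voter checks after login for votes they did not cast."""
        return {m: v[username] for m, v in self.votes.items() if username in v}


if __name__ == "__main__":
    srv = VotingServer()
    srv.register("2008-07-19", make_template("voter-a"), "marsh_owl", "7h3x")
    srv.register("2008-07-19", make_template("voter-b"), "tin_fox", "q9pz")
    print(srv.login(noisy_scan(make_template("voter-a"), 5), "marsh_owl", "7h3x"))
    print(srv.login(make_template("voter-b"), "marsh_owl", "7h3x"))
```

Note that, as in the post's design, the iris templates themselves sit in clear on the server; the hashes protect the password and the username-to-iris link, not the templates.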
Part 3 - The web servers
Once again, all software used is open source from the BIOS up, using operating systems stored in ROM, with the live web servers being open to inspection by qualified members of the public. A system could be set up where individual load-balanced servers could be swapped out for inspection by the public inspector, meaning the actual live servers could be inspected moments after being taken down. Any in-process iris/username information is immediately erased on removal of the server from the farm using the system explained earlier.
IP addresses and other computer identifying information would be used in certain login and verification processes but never logged in a way that could be connected to the username or iris scan. Any such information in process when a server is swapped out would also be erased.
All communication between the voter's computer and the end server is over a secure encrypted connection. This is actually the weakest part that I can identify in this system. Whilst the connection can be secured with an unhackable level of cryptography, all encrypted internet connections depend on the server holding a cryptographic key. Anyone with the private part of this key can compromise the system. The system has been designed in such a way that all information except for the personal passwords is public (with the exception of open access to the iris database, although this is more of a precaution than a necessity). In some way the cryptographic key would have to be installed and propagated to the servers in a way that no human eyes ever see it, nor have access to it, yet the public part of the key is published in a trustworthy way. Any server removed from the system would have to erase the private key. One way of doing this would be to create a new key with each login attempt to the system, the key being deleted along with the other data in the event of the server being swapped out. This would ensure that the connection would be secure; however, security certificates serve a second purpose, and that is of ensuring that the server you are connecting to is the one you think it is, and without a signed key you would not know this. Cryptographic keys are signed by verification companies who are trusted to be secure. If that company is compromised then theoretically the keys they have signed can also be compromised. Personally, I do not think that this is a secure enough solution for our needs. Here is the best alternative I can think of. A special console attached to the server system, under CCTV surveillance, has the unique job of creating a new key pair.
When this console is asked to create a new key, it automatically does so and copies the private part of the key to the servers in the system, also updating any that are swapped into the system. The private key is stored in the part of memory that is automatically erased on being swapped out, including in the console itself, which would also need to be swappable. Nobody ever sees or has access to the private key. The main role of this console is to present the public part of the key on the console's screen, which is watched by CCTV. This would allow people to verify that the public key presented by the web server is genuinely the key shown on the console. There is a further flaw here, in that the CCTV system itself could be compromised; the best way I can think of to prevent this is to have the public key on the console visible from a publicly accessible area. The CCTV that is monitoring the system can in this case also see the public who are visiting, thereby allowing the public to verify the genuine nature of the CCTV image.
This whole process is highly dependent on public participation in the security of the system. I don’t think this is a problem; I think it is a bonus. The active responsibility on the public of keeping the system secure will, I think, engender a sense of pride and interest in the democratic process. Schools in particular could be encouraged to visit the voting servers, teaching children about the hard-won gift of democracy that they are born with and their responsibility in maintaining it, whilst at the same time allowing for constant verification and witnessing of the security of (and lack of tampering with) the servers.
Nighttime might still be an issue, but a security check of servers could be made every morning and a new key pair generated.
The introduction of new servers into the server farm and the updating of existing servers would go through a similarly fully monitored process, both in person and remotely. Every step, from the compilation of the latest code base to the insertion of the server, would be recorded, broadcast and archived.
Things I’ve missed.
I may well have missed an important point somewhere along the line, please point it out if I have. Regardless, I think any problems will have solutions; what often appears an intractable problem due to what seems to be conflicting interests are often not when the case is examined more closely. What I have presented here is just one way in which I think this could be achieved, there will almost certainly be improvements to be made.
Finally,
This system covers a method for identifying individuals in a secure manner and allowing that individual to cast a vote that is confidential.
At the moment I can see several possible issues with this system.
1. The expense of providing the home equipment needed to make votes. As a back-of-the-envelope estimate I would say that at the levels of production required this would come in at around £100 per household; for such a major step forward for democracy I do not think this needs to be a limiting factor.
2. I am not entirely sure that the recording of biometric data is entirely necessary. It provides several helpful features.
a) Shorter passwords. Without the biometric, a back-of-the-envelope guess of the required password length would be 20 characters. With the biometric, only 5 or so, more like a PIN. This is because the biometric data provides a far greater quantity of data for cryptographic use.
b) It makes it impossible for someone’s vote to be stolen (or bought) merely because they know the password and screen name. It does not make theft impossible altogether: the thief would need the password, the screen name, a high-resolution copy of the iris scan, and the knowledge to hack the software of the voting computer to make it accept the copy instead of the genuine scan.
c) Possibly a way of re-registering someone if they forget their username and login. (Needs a 100% accurate match).
Having said this, the biometric data does not create a great deal of privacy concern, precisely because it is not connected to anything that identifies the person with the scan. The iris scan would likely also be fiddly and not user friendly. A fingerprint may be easier and so may be preferable despite the loss of accuracy.
4. One concern I have not gone into is how fraud would be investigated, as it would inevitably need to be. The main mechanism I have built into this design is the recording of the registration place and day against both the real name and the screen name; this reduces the matches to a few hundred, making a door to door investigation possible if it became needed. Ideally the system would be built in such a way that fraud would be so hard to do and so risky (large consequences for doing so) that it very rarely happens. One of the ways I have achieved this in this system is to make everyone’s vote count on every issue through their elected representative's vote even if they do not vote themselves. With an estimated 40 million eligible adults in the UK, 400,000 votes would need to be rigged to make approximately one percentage point of change in the vote (assuming half the people voted one way and half the other). I find it hard to believe that this level of fraud would go unreported by the people whose votes are being used; because of this, I am not worried about votes being illegally bought or stolen.
5. I know I’ve made a lot of unqualified and unreferenced statements here, but this is a blog post, not an academic paper - I just don’t have the time. I expect there are a lot of people out there who agree with this sentiment. My intention here is to get the idea out there that the system can be changed; I hope to inspire greater minds than mine to fill in the blanks and correct my mistakes.
6. This system could be built to be as user friendly as possible, but it will take a little savvy in order to use it. My great, great grandmother and my great grandmother were both suffragettes who spent time in prison to give women the right to vote. The argument against was essentially that women did not have the intelligence to form considered political opinions. I think that the great unwashed masses are quite capable of mastering this change, and besides, people do not have to partake; it is an optional extra, and people can still just leave it at trundling down to the voting station once every few years if they prefer. Personally I think it would be a very exciting and engaging change that would revitalise people’s participation in democracy because finally they would know that their vote really does count.
