Trustworthy Voting Systems

PaCCS Communications Officer Kate McNeil sat down with the Director of the University of Surrey’s Centre for Cyber Security, Professor Steve Schneider, to discuss his work on trustworthy voting systems and electronic voting. Professor Schneider’s EPSRC-funded work on trustworthy voting culminated in the deployment of the world’s first end-to-end verifiable electronic voting system used in a statutory statewide election. Professor Schneider’s current work focuses on online voting, including work on the Verify My Vote system presented in a conference paper in October 2020.

Kate McNeil: Thank you for taking the time to speak with me today. Would you mind getting started by telling me a bit about your research background, and how you ended up working on trustworthy voting systems?

Professor Steve Schneider: My background is in theoretical computer science and concurrency theory – which focuses on how different agents interact and what can go wrong in those interactions. Quite early in my career I became interested in cybersecurity, because a huge part of cybersecurity is ensuring that we know who we are talking to in online interactions and that we have the credentials of the other party.

In 2004, I became interested in electronic voting because it poses some unique security challenges – you need to protect the secrecy of the vote while being confident in the integrity of the overall result. Consequently, you need to have a system that can process votes even though the system should not know how any one individual voted. At first, these strong security requirements seem almost incompatible, especially if you want the system to work without needing to trust the authorities who are running the system. There are some really difficult questions there around how cryptography can be used to provide solutions.

While working on an approach to tackling this problem known as “Pret a Voter”, some colleagues and I applied for and were awarded funding for a project on trustworthy voting systems, which became the project that we are here to talk about today.

What were you trying to achieve with the trustworthy voting systems project?

When we started the trustworthy voting systems project, the question we were trying to answer was: how can you design an electronic voting system that is not only trustworthy and secure, but which is also understandable to the general public. Ordinary voters just want to get on and vote, and when security gets in the way it may put them off voting. So the challenge was to introduce solutions to ensure that the system was trustworthy, but then to ensure that these technical solutions were accompanied by interfaces which were sufficiently understandable for the general public to trust the integrity of the voting system. We wanted people to feel secure using it.

It is worth noting that when we started this project, the idea of well-resourced attacks on election systems was still quite remote and was viewed as a theoretical possibility. The situation has changed a lot in the years since, and well-resourced hostile attacks from nation states on critical infrastructure, including attempts to undermine or influence elections, are now a fact of life. So, these cybersecurity challenges are now more relevant and realistic than ever.

Has the system you developed during your work on the trustworthy voting systems project been used anywhere?

The Victorian Electoral Commission reached out to us about using our product to help run their state elections. They had already been using electronic balloting over the internet, but they wanted to use our system to ensure security while making electronic voting, including casting a secret ballot, more accessible for users with accessibility issues, particularly those who had visual impairments and mobility issues.

In Australia, voting systems are quite complex. In Victoria voters may be presented with a list of maybe 40 candidates, and can either choose a pre-determined list provided by one of the parties, or can rank all of the candidates in any order they choose. So that is quite a challenge for electronic voting systems, but we were able to adapt our system to make it work. So, the Victorian Electoral Commission provided the usability features and interfaces at the front end, while we provided all the security features and secure design in the background. In the end they considered that there was quite a high overhead for rolling out this system to a relatively small number of voters and so didn’t want to roll it out again for those numbers. However, it was an exciting opportunity for us to have a case study on how this technology works in the real world, and we would expect the costs to come down as the technology matures.

What lessons did you learn throughout this pilot project with the Victorian Electoral Commission?

We learned that this kind of secure voting system requires substantial resourcing to get it to the place where it is ready for large-scale voting. Once we got it up and running, the voters liked it and found it useful, but the business model of having electoral commissions develop new software products in-house probably is not the way forward because that’s not the business electoral commissions are in.

What we were most excited to learn, however, is that our efforts to incorporate verifiability mechanisms into our security systems worked. So, voters can check that their vote has been captured the way they cast it. They can ensure that their vote has not been tampered with, but no one else can check their vote, and the election can be tallied up without the system ever giving away how any individual voter voted. We proved that this sort of verifiability was not only a theoretical idea, but one that could be made useable by voters.

Have you continued working on voting-related issues in the years since the trustworthy voting systems project finished?

Yes, I am still working in this area. Most recently, I have been working on a project with Civica Election Services, which runs electronic ballots for organizations including professional societies, political parties, building societies and trades unions. What has been challenging about this work has been applying verifiability mechanisms not to voting machines at polling places as we had developed for Australia, but instead applying those same security principles to internet voting. Voting online is voting in an uncontrolled environment – you do not know whether the voter has somebody over their shoulder telling them how to vote, for example. It is also much more difficult to preserve verifiability in this environment, and you do not have control over the platform people are voting on – which increases the risks from malware. We know that the public wants electronic voting over the internet to be more available, but from a cybersecurity perspective, we are not there yet. There are still open research questions about how to manage complex security behaviours while making them usable and understandable to voters.

I am also currently working with the Institute of Engineering and Technology as the chair of a working group on electronic voting. We have just published a report on electronic voting which explores and explains the cybersecurity challenges involved in electronic voting. We know that the pandemic has increased the sense of urgency around online voting, and that some policymakers had already wanted online voting as a way of increasing turnout. But there are so many challenges which still must be resolved before online electronic voting can safely be implemented for high stakes political elections. The challenges are solvable if there is a concerted effort to conduct research in the right areas, but it is not going to be ready tomorrow.