Do we have to choose between convenience and security?

Internet voting is today a voting method favoured by many election organisers, such as political parties, businesses and associations. At least 620,000 French citizens voted online in the various primaries for the 2022 presidential election (the environmentalist primary, the Les Républicains primary and the Primaire populaire), and 270,000 French citizens living abroad voted online in the parliamentary elections. Almost a million voters also did so in the professional elections of the state civil service that same year.

Several advantages of Internet voting explain this success: possible cost reductions and ease of organisation, but also, and above all, the convenience of being able to vote from home. However, while this last point is often presented as a bulwark against growing abstention, it is in fact far from achieving consensus in the academic literature.

More generally, the convenience of being able to vote from a phone or computer often overshadows security issues, such as the potential for cyberattacks or voter fraud, and the risks involved are rarely discussed or well understood.

In fact, Internet voting today often fails to provide the same guarantees as the traditional method: the paper ballot in a ballot box.

What guarantees for a vote?

An electoral system must provide two fundamental guarantees, both defined by the French Electoral Code. First, vote secrecy guarantees every voter that nobody will learn how they voted. Second, the integrity of the vote (sincérité du scrutin) ensures that the election result has not been tampered with, for example by removing, altering or adding a ballot.

For traditional voting, the paper ballot in the ballot box, vote secrecy is ensured by identical ballots, opaque and identical envelopes, and ballot boxes that collect and mix all the ballots. The integrity of the vote is ensured by transparent, sealed ballot boxes that are watched at all times by assessors, who check that the vote proceeds correctly. The count is therefore verifiable, and a single honest assessor is enough to guarantee the integrity of the vote.

In the case of online voting, the question arises in these terms: when I click on a voting option and then on the "Vote" button, what actually happens? Who verifies that my vote will be counted, and who will be able to learn my vote? All Internet voting solutions promise a high level of security, supposedly guaranteed by cryptography (encryption, digital signatures, zero-knowledge proofs, etc.). What is actually the case?

An invitation to vote online sent by the administration for French citizens abroad and the consular administration.

In theory: cryptography guarantees secure internet voting

To answer these questions, the CNIL (Commission nationale de l'informatique et des libertés) has issued recommendations that define good practices for reaching given levels of security.

For example, ballots must be encrypted, and the key that enables decryption must be split among several authorities, each of whom holds one share of it. Only when all of these authorities are present with their share, and only then, can the ballots be collectively decrypted and the election result revealed (this partially mimics the role of the assessors).

Similarly, to approximate the transparency of the physical ballot box, a voter who submits a ballot must receive in return a cryptographic proof (a receipt) confirming that their ballot has been taken into account. This proof also lets them check afterwards that their ballot was not removed from the ballot box before the final count.

Some steps of electronic voting.
Lucca Hirschi and Alexandre Debant, provided by the authors

For high-stakes ballots (level 3 of the CNIL recommendations), this verification using the cryptographic proof must be possible through a trusted third party other than the election organiser, since the latter is not considered trustworthy (and neither is the web server hosting the voting site).

In theory, these best practices make it possible to ensure vote secrecy and vote integrity even when the organisers or their computer systems are compromised, approaching the guarantees of paper voting.

In practice: the flawed security of voting solutions

Unfortunately, many examples demonstrate the limits of the CNIL recommendations and of existing voting solutions, which do not provide the expected guarantees.

It is important to remember that with Internet voting the impact of an attack or error takes on an unprecedented scale: with physical voting, one can imagine fraud in one or a few polling stations, but falsifying every polling station in the country at the same time seems very hard. With Internet voting, on the other hand, the digital ballots are generally centralised: they are stored and managed by a single entity, and a single compromise affects all ballots and the result.

Let's start with voting privacy: is vote encryption really enough?

To answer it, one needs to know how the decryption key (or keys) is generated, distributed and stored. Some systems have made the decryption key public once the election was over. An attacker able to link voters to their ballots (for example by observing the network between the voter and the voting server) could then breach the secrecy of each of those voters' votes simply by decrypting the associated ballot with the revealed key.

Other, subtler vulnerabilities also make it possible to compromise vote secrecy despite the use of encryption and sound key management. Such vulnerabilities were recently found in the system used for the 2022 parliamentary elections by French citizens living abroad (1.2 million eligible voters), and in the systems used in Estonia and Switzerland.

Finally, is the use of cryptographic proofs sufficient to ensure ballot integrity?

Here the devil is in the details. It is critical that the voting solution ensures that the proof handed to the voter actually corresponds to the ballot they sent. For the 2022 parliamentary elections, it was shown that an attacker could alter the ballot submitted by a voter and adjust the receipt before forwarding it to the voter, who then wrongly believes they have verified their ballot.
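The receipt mechanism of the previous section and the attack just described, as an added example (not the article's code and not a reconstruction of the 2022 system; the ballot identifiers, ciphertext strings and election id are constructed placeholders standing in for the encrypted ballot). It contrasts a receipt the voter simply accepts from the network with one the voter derives from the ballot their own device built, before anything is sent.

```python
"""Receipt check: why the receipt must be bound to the ballot the voter built.

Added example, not code from the article or from any real voting system.
A voting server records whatever ballot reaches it on a public board and returns
the board's receipt for it; `mitm` plays an attacker on the path between voter
and server. All identifiers and "ciphertext" strings are constructed.
"""
import hashlib
import json

ELECTION_ID = "demo-election"  # constructed identifier, bound into every receipt


def receipt_for(ballot):
    """Receipt = hash of the canonical encoding of the ballot as it appears on the board."""
    canonical = json.dumps(ballot, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(ELECTION_ID.encode() + b"\x00" + canonical).hexdigest()


class BulletinBoard:
    """Public list of recorded ballots indexed by receipt; readable by voters and third parties."""

    def __init__(self):
        self.entries = {}

    def record(self, ballot):
        r = receipt_for(ballot)
        self.entries[r] = dict(ballot)
        return r

    def contains(self, receipt):
        return receipt in self.entries


def server_cast(board, ballot):
    """Voting server: record the ballot it received and return the matching receipt."""
    return board.record(ballot)


def mitm(new_ciphertext):
    """Attacker on the path: swap the encrypted choice, let the server issue a receipt
    for the swapped ballot, and hand that receipt back to the voter."""
    def transport(board, ballot):
        tampered = dict(ballot, ciphertext=new_ciphertext)
        return server_cast(board, tampered)
    return transport


def cast_and_verify(board, ballot, transport, bound_receipt):
    """Cast `ballot` through `transport`, then run the voter's later check on the board.

    bound_receipt=False: the voter keeps the receipt it was handed and checks that it is
                         on the board (the receipt came through the attacker's path).
    bound_receipt=True : the voter computed the receipt from its own ballot before sending
                         and looks for THAT value on the board.
    """
    expected = receipt_for(ballot)  # computed on the voter's device, before anything is sent
    received = transport(board, ballot)
    looked_up = expected if bound_receipt else received
    return board.contains(looked_up)


if __name__ == "__main__":
    ballot = {"ballot_id": "b-0001", "ciphertext": "c0ffee"}  # constructed
    for bound in (False, True):
        honest = cast_and_verify(BulletinBoard(), ballot, server_cast, bound)
        attacked = cast_and_verify(BulletinBoard(), ballot, mitm("deadbeef"), bound)
        print(f"bound_receipt={bound}: honest check {honest}, attacked check {attacked}")
```

The bound check only holds if the device that computes `expected` is honest; a compromised browser can lie about what it sent just as the network can, which is why the level-3 recommendation requires verification through a party independent of the organiser, ideally from a second device. A deployable receipt would also be signed by the server so that a voter can prove a discrepancy, and it must not reveal the vote itself, otherwise it becomes a tool for vote buying.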

Towards safer online voting

Faced with such findings, the relevant government agencies, ANSSI (Agence nationale de la sécurité des systèmes d'information) and the CNIL, the scientific community and solution providers are working together to improve the security of Internet voting.

First, greater transparency of voting systems and of their security requirements is needed. By publishing specifications that precisely describe how the critical components operate, together with the source code of the corresponding programs, independent experts will be able to study the security of these systems and collectively contribute to improving them. Likewise, a clear and precise statement of the security objectives a system claims to achieve will let each voter understand the underlying trust assumptions and make a free and informed decision about whether to use the system at their own risk. This approach has proved its worth in the standardisation of cryptographic primitives and has enabled the development of ever more secure systems.

Next, the security requirements for Internet voting need to be raised. First through more ambitious and precise recommendations and standards on the security and transparency goals to be achieved, but also through a legislative framework better adapted to the particularities of electronic voting. Indeed, requiring only vote secrecy and vote integrity through verifiability (the receipt) is not enough.

For example, Internet voting must also provide properties that paper voting obtains from the polling booth: resistance to vote buying and to coercion. The booth ensures that we can vote without outside pressure; who guarantees that a voter behind their computer is alone and free to vote as they please?

Similarly, it would be worth discussing whether the solutions put in place to verify voters' identities are adequate. The most common today is two-factor authentication, which is also widely used elsewhere, for instance in banking applications. It has a clear limit, however: the username and password can be stolen, guessed or misused. Could this be improved by relying, for example, on an electronic identity (such as the national digital identity that Estonia has used for many years)?

Finally, whereas paper ballots are physically destroyed at the end of an election, the storage (intentional or not) of Internet ballots raises the question of whether vote secrecy will still hold in 5, 10 or 20 years, when cryptanalysts may well have found flaws in the encryption scheme in use today. This resistance of vote secrecy to future weaknesses in today's cryptography is commonly called everlasting privacy.

All of these questions unfortunately remain open, and yes, it does seem that today convenience is still chosen at the expense of security. Fortunately, these questions are all lines of research that we, as researchers, are pursuing, and they will surely receive new answers tomorrow. In the meantime, they may suggest reasons to limit the use of Internet voting for very high-stakes elections, in particular presidential elections and political party primaries.

The PEPR Cybersecurity project and the Security Verification Protocol (SVP) project are supported by the Agence nationale de la recherche (ANR), which funds project-based research in France. The ANR's mission is to support and promote the development of basic and applied research in all disciplines and to strengthen the dialogue between science and society. To learn more, consult the ANR website.
