Modernising elections

Today the Government announced that online voting will be trialled at the next local body elections in 2016. Although it’s a while away, and is only a trial at this stage, this is really great news.

Turnout at local body elections is notoriously low and online voting has the potential to be a great tool for increasing turnout and engagement. It will also help to maximise accessibility.

There are security issues associated with online voting that I’m hopeful will be addressed in this trial. If it’s a success, it will be great to see it expand to general elections as well.

Today’s news comes on top of the Government’s announcement last week that we’re likely to have online enrolment in time for next year’s General Election.

Modernising the way that people can participate in elections with online enrolment and online voting is an important step in encouraging people to get involved. Giving people options and making it easier for people to participate will hopefully make a big difference to voter engagement and stop the trend of declining voter turnout

24 Comments Posted

  1. We could use to technology to make it easier to vote and still have polling booths.

    At the moment, in order to get registered to vote you have to have a fairly permanent address, receive and return a form. We should move to a system where any NZ citizen/permanent resident (who, if physically in NZ, is almost certainly entitled to vote) can turn up at any polling station, show ID, supply an address if one is needed and vote. That’s a good use of technology and one that can be kept free of abuse.

  2. My reasoning is that this is worse…

    Most election disputes I know of lately have to do with people not being permitted to vote and/or not being permitted to register, understaffed and inadequate polling places… that sort of thing.

    …and that my method is actually more secure from vote tracking than the paper forms checked off at the polling place.

    People engaging in “standover” tactics on a scale large enough to affect an election are apt to find themselves instead with a revolution. Even in this nation of political “sheep”.

  3. bjchip: That business about social is why I expect we should still keep polling booths… and the easy way out of that situation is “I’ve already voted”… or having a coercion code. I prefer the voting booth.

    Yep, got it. I’m just going to have to respectfully disagree with you on this.

    In my view, if a person can vote, in a way where they’re not guaranteed privacy of their vote or where they’re able to produce a receipt, it’s putting a free and fair election at risk. Either possibility means that it’s totally possible for a third party to coerce a voter to vote in a certain way, then require them to prove who they voted for.

    I don’t think everyone can be expected to be willing and able to avoid coercion using the techniques you suggest. If a man told a partner, in a domestic situation, that “bad things” would happen if she didn’t prove who she’d voted for, she’d probably not think she had much choice. Some (like the voting at the pub example) won’t necessarily even realise at the time that they’re being coerced to vote in an open and public way. Others will just happily give up an unbiased vote in exchange for an informal bribe, if the opportunity’s there to trade in a receipt.

    If there are clear and demonstrated advantages with online and/or electronic voting, some form of it might still be worthwhile once the risks are weighed up. I’m just not convinced that the benefits over ballot box voting are as great as they’re often purported to be. Evidence would be useful. Many arguments I’ve seen might as well be claims that enabling voting online would make it really really cool, and then young people would vote. Never mind if they’re still lacking the actual interest in who or what they’re voting for.

    If it’s truly a matter of convenience and access to polling booths that’s the critical problem, then how does it compare, for example, with possible alternatives that might address ways to make it easier for people to get to regulated polling booths so they can vote in a controlled environment?

  4. Ah… see your other post.

    That business about social is why I expect we should still keep polling booths… and the easy way out of that situation is “I’ve already voted”… or having a coercion code. I prefer the voting booth.

    As for the paper trail, a printed vote sheet with the QR code is an easy way to do it.

    If the rule is that a certain percentage (0.001% or so) of invalid votes voids the election so we do it over then people who cheat can force us to vote over and over. Asking for a recount however, is sort of meaningless. Most election disputes I know of lately have to do with people not being permitted to vote and/or not being permitted to register, understaffed and inadequate polling places… that sort of thing.


  5. The anonymity comes from the crypto by way of a bit of a shell game.

    At Registration time the user’s name is combined with some random salt to create a crypto hash. This is the voter’s access number. It is not recorded with the user’s name, it is simply recorded as A valid voter registration ID. Cryptographically expensive to try to get the name back out of it. The salt belongs solely to the user who of course also knows his/her own name.

    At Vote time the access number substitutes for a check of the voter’s name and address, that was done at registration. What we lose is easy control over removing voters from the rolls and checks that the person voting is in fact the person who registered (assuming they managed to get access to someone else’s computer.

    We’d also need to make the salt and the encryption space large enough that randomly generated numbers have a high likelihood of being invalid, AND trace back invalid attempts and block them from access.

    This is a variation of a computer voting scheme I thought about in the context of simply eliminating the count-by-hand and hanging chad issues in the existing systems. The voter can retain the keys that couple his identity to his vote while the system can count votes by the voter access numbers alone. I reckon there are holes, as I haven’t worked on this to shape it up, but the principle is not hard. Heck, don’t even use the voter’s name or crypto at all… just hand him a big random key and keep track of which keys are used/valid… or one of those key generator cards or sticks. There’s at least 5 or 6 ways to do this I can think of off the top of my head, and not one of them makes it as easy as it is even now, to figure out who cast what vote.

  6. Hi bjchip.

    I can’t speak for Rich, and I don’t dispute the crypto integrity, but my own anonymity issue is that irrespective of how much cryptographic verification is involved, it doesn’t appear to address the social aspect of people not being guaranteed a way to vote without someone looking over their shoulder to see who they’ve voted for.

    Even if it’s still possible to visit a polling booth, the very existence of a way to vote non-anonymously has potential to compromise the election’s integrity. It means that Person A can coerce Person B to cast their vote in a place where Person A can be certain of what it is.

    ie. The extreme case is that A points a gun to B’s head until they’ve voted for candidate Z. Most likely, however, it’s a combination of peer pressure. eg. “I’m with all my friends, so I have to be seen voting for candidate Y” or at the pub… “Let’s all fire up the laptop now, and cast our votes for candidate X!”

    From earlier: “Post election, if there is any controversy about the count, voters who wish to ensure that their vote was correctly entered can easily check.”

    Again I won’t dispute that this is possible (because I happen to know that it is), but I’m most concerned about the social aspect.

    Even if nobody’s looking over the shoulder, nobody should be able to retrieve a receipt, after they’ve voted, which proves who they voted for. Ever. It immediately invites coercion in the form described above. ie. Person A requires that Person B produce a receipt to prove that they’ve voted for candidate Z, or “bad things” will occur. Or (more likely) the peer pressure thing, where people start encouraging each other to produce their receipts—maybe a pub owner somewhere informally offers free drinks to everyone who shows they voted for candidate W.

    Furthermore, if there’s controversy about an entire election result, having 2% of the voting population—who are really concerned and can be bothered—verifying that their vote was recorded correctly, won’t be a substitute for a proper recount. At best it’ll prove that something was wrong with the count, but at worst it’ll prove nothing and everything will remain controversial.

    IMHO voter-verified paper trails, with the paper properly audited, sealed and stored, are still the only reliable way towards having a trusted election and a trusted recount if it’s needed. Voter verified paper trails could be produced by voting machines if needed, where a receipt is printed by the machine, and guided into ballot box by the voter once correctness is verified, or elsewhere if it isn’t. The usefulness of the machine in that case is really limited to accelerated accurate counting (good where a system like STV is involved), and perhaps also to ensuring that paper votes are recorded clearly and unambiguously if anyone needs to look at them.

    Anyway, much of my concern might be skipped over. The nature of postal voting in local elections already means that there’s no guaranteed anonymity for voters, but (as I indicated earlier) I do still find it unsettling that we allow postal voting in the first place, and if we shift online then I’ll continue to be concerned about the way things are going. I definitely wouldn’t want to see anything of such a nature in national elections.

  7. Rich, if you read how the crypto is applied with and the salt provided and to whom it is provided, you’ll see that the anonymity of the voter IS preserved.

    The key for voting is never associated with the name of the voter. It is generated and with the salt known ONLY to the voter the ballot is not able to be associated with that voter unless the voter asks.

    All the balloting is done on the keys, no names.

  8. In my opinion, this form of e-democracy is a positive way forward for citizens in general, as it facilitates the participation needed to ensure people are active members of a democratic society. Although there are obvious security issues that need to be addressed, online voting can and will revolutionise the way people participate in the making of their governments. This could also be an extremely useful way in which the youth can involve themselves in the voting process as they are the group which seem the least motivated at joining in the voting process. Good stuff, New Zealand!

  9. Presumably, there will still be the hard copy option for those who do not/will not/ cannot do the internet one?

  10. Holly it seems that your ‘youthful exuberance’ for technology is not held by all, including I.
    I accept that the internet is a huge part of the worlds communication systems, BUT beware the ‘HACKERS’ that are out & about ! Also with recent revelations about sweeping up ‘metadata’ etc. how do we know that our so called ‘secret ballot’ will be anything BUT secret ?


  11. Lots of pertinent points raised here. I tend to agree with Mike M that taking a very simple, universally understood system and complicating it does not really make much sense.

    However, looking to the future, there is some merit in electronic voting but only on the provisio that you have (i) a politically active and aware populace and (ii) constitutional enforcements in place that support a more active political environment (e.g. revision of the rules around citizens referenda).

    Otherwise, it reduces the idea of electronic voting to a change of channel fraught, rather than an empowering factor.

    BJ / Gerrit / Trevor – there are some very clever technologies on the horizon that deal with the issues you have identified. Quantum Key Distribution was tested in Swiss cantonal elections in 2007. The technology is not really commercial yet though as it’s still pricy and faces some physical restrictions.

  12. Holly (and others), I realise that there are issues with getting certain people to vote, but if people can’t be bothered to take an interest in politics anyway, will this really help?

    I’m really concerned about what seems like a gradual erosion of what I’ve always thought were meant to be fundamental aspects of a fair and trusted election. Notably things like anonymity, freedom from coercion, and an ability for voters to trust the system which is used to count their votes.

    Electronic enrolment? Fine — it’s an administration thing.

    Electronic voting? Only with a voter-verified paper trail that takes precedence in any recount in the case of controversy. (ie. The only advantage for a machine would be in more speedy counting.)

    I find postal voting to be a disturbing enough compromise. It sacrifices the guarantee of voter anonymity, and it sacrifices the guarantee that a voter won’t be unfairly coerced by others nearby when casting their vote, not to mention the possibility that someone’s collected all the voting papers that were delivered to a house and simply mailed them back with their own preferences.

    Online voting is in danger of all of these (except possibly the last one) simply because there’s no guarantee that someone can vote in privacy when they’re in their own home. In addition, it seriously risks compromising voter trust in the system. That could just as easily result in people not bothering to vote.

    The ballot-in-the-box, or even the ballot-in-the-post, system is brilliantly easy for virtually the entire populace to understand: Someone marks their preference on paper, places it into a box (or into the post). It’s received, opened and counted by an authorised officer, and scrutineers from interested parties watch on to ensure it’s counted properly. People can look at the process and understand for themselves how the final count was arrived at. It’s easy for people to trust that the resulting government was elected fairly, based on their own ability to judge the process.

    Online voting loses this trust aspect. Even if the software works perfectly, it takes something that nearly the entire populace can understand, and complicates it in such a way that only highly qualified software experts have any hope of understanding, and that’s only if those people have sufficient access to the system. People can cast their vote, but they can’t genuinely know that their vote is being counted correctly. Instead of being able to trust an above-board system which everyone can see and assess, it’s necessary to trust a minuscule clique of experts who claim that it’s working correctly.

    Anyway, I’m a software developer by profession and my own view is that I really don’t see good democratic elections as something that software should be used to help with in this way.

    Aren’t there less dubious ways that we can get people interested enough in local politics that they’ll consider bothering to vote?

  13. Ideally on-line registration and on-line voting would be available to anyone with a smart-phone – whether or not they have credit for it! This requires the on-line registration and on-line voting to be set up for Sending Party Pays mobile data access – a concept that I have drawn attention to previously which aims to reduce the digital divide.

    We don’t want to restrict voting to only the Haves.


  14. Yup, I believe that cryptographic solutions have been suggested – not sure if any have been deployed.

    Still comes back to problem #1 – no secret ballot.

  15. Sorry, dangling thought there. An inexplicable mismatch may be grounds to void the election… That bit has to be considered carefully. If done correctly there should be no opportunity to have an “inexplicable mismatch”.

  16. Seems to me that one could use the registration process to deliver an encrypted key and a salt, using the name of the person registered to generate the key but NOT recording the name, and giving them the key and the salt. Now that KEY is the registration, and no two the same. So its use is tracked, but the name isn’t recoverable? The voter gets the key and the salt.

    Only if a voter requests an audit, to ascertain that his/her vote is accurately recorded in the system, can the record be unlocked and attributed to them.

    When voting only the key is presented, the vote is tallied and the voter is given the opportunity to record his/her vote locally (on the computing device he/she used or on paper (recommended) or both (better yet).

    Post election, if there is any controversy about the count, voters who wish to ensure that their vote was correctly entered can easily check. The key calls up the vote record, the voter’s name and salt validate that it is THEIR key and the hardcopy has to match. Possibly the hardcopy could be provided with a QR code to make it easier.

    Not fully thought through, though we’ve been over this ground before. I think Jackal may have a plan for it that has been worked over better.

    Any inexplicable mismatch (someone fat-fingered a key entry) is

  17. Electronic voting sounds like a neat way to use up-to-date technology to assist and empower democratic process. And it has its place, in informal settings and closely held groups where decision-making needs to be quick and collaboration tools are already in place. But it has far too many weaknesses and potential avenues of exploitation to be considered in running free and fair elections in a democratic society.

    Just take a look at for the current state of play in the US. Systems were put in place with little or no auditing, and companies with partisan directorship supply most computerised voting machines. And if you think the problems are bad with standalone e-voting, they multiply as soon as you put the whole thing online.

    Sometimes the best tech is the old-fashioned stuff.

  18. I’m aware that, having scrutineered, I specifically undertook not to make a second copy of the mapping between electoral roll numbers and voting stub numbers, which currently exists in a single copy in the book of voting papers.

  19. Yes. I also know what happens to the ballot papers. They are counted, sealed and stored for six months. Any attempt to access them without a court order (to investigate fraud, not to find out how people voted) would be firstly illegal (this may not deter certain organisations) but also very discoverable.

    This procedure is necessary to prevent fraud (such as ballot stuffing). In an electronic system, the comparable record would still be kept, but would be much easier to access undetectably.

  20. You are aware that the document you cast your vote on is numbered, and that number is written down next to your name by the clerk that issues your ballot paper…

  21. Great news, Holly? Ya think?

    What safeguards on this corrupt government and any future corrupt governments to abuse this?

  22. I don’t think this is good news at all.

    However secure the system, it destroys the secret ballot (that’s already gone for by-mail council elections, but if spread to general elections it would be gone there as well). There is no way to tell if someone outside a polling booth is selling their vote or being coerced or encouraged to vote a particular way, maybe by an overbearing family.

    There is also an issue of tracking ballot papers, which is necessary to investigate any abuses, but can itself allow the way people vote to be discovered. With paper ballots, the physical destruction of the papers can be witnessed – with an electronic system, it is difficult to impossible to ensure that information allowing voter identities does not leak.

Comments are closed.