Monday, December 12, 2016

Ensuring Election Integrity

At OpaVote, we want both election managers and voters to have confidence in the integrity of the election outcome.  There are two main ways that election integrity could be compromised:

  • The election manager could manipulate the election.
  • Hackers could manipulate the election.

We'll address both of these in this blog post.

Election Manager

An election manager at OpaVote is responsible for all aspects of running the election.  The manager needs to provide the information about the election, candidates, voter lists, etc.  Although you hopefully trust your election manager, we do a few things at OpaVote to limit what a corrupt election manager could do.

First, we don't allow election managers to modify information about the election after the election has started.  For example, changing the candidate list or the dates of the election would allow an unscrupulous election manager to attempt to influence the result.  In some cases, we will modify an election in progress at the request of the election manager where we determine that the change is not meant to influence the result (e.g., fixing typos).

Second, election managers can't see preliminary results of the election.  Election managers can only see results when the election is over, and they can't reopen voting.  If a naughty election manager could see preliminary results, then he or she could contact supporters of a candidate to make sure they vote.

Third, we record detailed statistics of all voters who voted.  This includes the date and time of the vote and the IP address of the computer used to vote.  This information may be helpful in determining whether any fraud was committed (e.g., many votes from the same IP address or at the same time). Since this list contains email addresses of voters, we don't make it publicly available, but it is available to the election manager, and we'll respond to legitimate requests from non-managers if there is a question of election integrity. 
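A small review pass over records of the kind described above (timestamp and IP address per vote), as an added example that is not OpaVote's code; the vote records and the thresholds are constructed for illustration, and a flag is a prompt for the manager to look closer, not proof of fraud.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (timestamp, IP) in the shape the post describes;
# not real OpaVote data.  One IP casts four votes in a row, and five distinct
# IPs vote within a few seconds of each other.
VOTES = [
    ("2016-12-05 09:01:12", "203.0.113.7"),
    ("2016-12-05 09:01:15", "203.0.113.7"),
    ("2016-12-05 09:01:18", "203.0.113.7"),
    ("2016-12-05 09:01:20", "203.0.113.7"),
    ("2016-12-05 11:42:03", "198.51.100.20"),
    ("2016-12-06 08:15:44", "192.0.2.45"),
    ("2016-12-06 08:15:45", "192.0.2.46"),
    ("2016-12-06 08:15:46", "192.0.2.47"),
    ("2016-12-06 08:15:47", "192.0.2.48"),
    ("2016-12-06 08:15:48", "192.0.2.49"),
    ("2016-12-07 17:30:00", "198.51.100.21"),
]

def parse(votes):
    """Parse timestamps and return the votes in time order."""
    return sorted((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), ip) for ts, ip in votes)

def votes_per_ip(votes, threshold=3):
    """IPs with more than `threshold` votes.  Many voters behind one office NAT
    is legitimate, so the threshold is a review cue chosen per election."""
    counts = defaultdict(int)
    for _, ip in votes:
        counts[ip] += 1
    return {ip: n for ip, n in counts.items() if n > threshold}

def vote_bursts(votes, window=timedelta(seconds=10), min_votes=5):
    """Sliding window over time-ordered votes: any window holding at least
    `min_votes` votes is reported once as (start time, count)."""
    bursts, i = [], 0
    while i < len(votes):
        j = i
        while j < len(votes) and votes[j][0] - votes[i][0] <= window:
            j += 1
        if j - i >= min_votes:
            bursts.append((votes[i][0].strftime("%Y-%m-%d %H:%M:%S"), j - i))
            i = j  # skip past this burst so it is not reported again
        else:
            i += 1
    return bursts

if __name__ == "__main__":
    ordered = parse(VOTES)
    print("repeat IPs:", votes_per_ip(ordered))
    print("bursts:", vote_bursts(ordered))
```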

Fourth, election managers can't see the secret voting codes of email voters.  This prevents the manager from voting on behalf of an email voter.  Managers can see the codes for code voters, but since the managers are responsible for providing the codes to voters, we can't limit that.

Hackers

We do a few things at OpaVote to limit our exposure to hackers.  

First, we greatly limit our risk by not storing sensitive information.  At OpaVote, we do not store any credit card numbers, and instead we rely on third parties to securely process payments for us.  We also do not store any passwords.  Managers log in to OpaVote with another account (Google, Facebook, or LinkedIn), and we receive only a token that acknowledges that you logged in correctly.

Second, we use Google App Engine for the servers that run OpaVote.  Google takes enormous efforts to prevent hackers from accessing its servers, and we rely on their expertise to make sure our servers are safe.

Third, we use REALLY long secret codes for email voters.  For our secret codes, there are 16^32 possibilities (16 raised to the power of 32).  That may not look like a big number, but here it is written out (rounded): 340,282,366,920,938,000,000,000,000,000,000,000,000.  If you could try a billion codes per second, then it would take more than a billion years to try all of the codes.

Fourth, all voting web pages are encrypted in transmission between your computer and our servers. This prevents anyone from seeing your vote or getting access to your secret code.


2 comments:

  1. I commend you on the integrity of the OpaVote system and totally agree with limiting the powers of the election manager (and removing the temptation to bias by hiding interim results).

    However, I recently conducted a STV vote using OpaVote to select a roster pattern in my department. There were 14 voters and 4 candidate rosters. One voter mucked up his ballot by making ranking decisions based on outdated information.

    Because we were unable to spoil his ballot, and due to the small number of voters, we may have selected an inappropriate winner with significant impacts that outweigh any risk of integrity-breach. Whilst I could have manually removed his ballot and uploaded a recount, this would rely on him correctly and truthfully identifying his ballot. The alternative is to run the election again.

    If OpaVote had an option to allow voters to spoil their ballot while the election is still running (e.g. from their original email link), this problem would be avoided. If a receipt of spoilt ballot was available to the election manager, it would be possible for me to have allowed him to recast his vote. I think this would be a safe balance of integrity and practicality in small elections.

    Replies
    1. Hi Sam, unfortunately your proposal would make votes no longer anonymous (i.e., you need to link a voter to the actual vote cast). For most managers, anonymity of the vote is extremely important. In the future, we will be adding an option where votes are NOT anonymous so we could implement such a feature for non-anonymous elections in the future.
