- The election manager could manipulate the election.
- Hackers could manipulate the election.
We'll address both of these in this blog post.
An election manger at OpaVote is responsible for all aspects of running the election. The manger needs to provide the information about the election, candidates, voter lists, etc. Although you hopefully trust your election manager, we do a few things at OpaVote to limit what a corrupt election manager could do.
First, we don't allow election managers to modify information about the election after the election has started. For example, changing the candidate list or the dates of the election would allow an unscrupulous election manager to attempt to influence the result. In some cases, we will modify an election in progress at the request of the election manager where we determine that it is not meant to influence the result (e.g., fixing typos).
Second, election managers can't see preliminary results of the election. Election managers can only see results when the election is over, and they can't reopen voting. If a naughty election manager could see preliminary results, then he or she could contact supporters of a candidate to make sure they vote.
Third, we record detailed statistics of all voters who voted. This includes the date and time of the vote and the IP address of the computer used to vote. This information may be helpful in determining whether any fraud was committed (e.g., many votes from the same IP address or at the same time). Since this list contains email addresses of voters, we don't make it publicly available, but it is available to the election manager, and we'll respond to legitimate requests from non-managers if there is a question of election integrity.
Fourth, election managers can't see the secret voting codes of email voters. This prevents the manager from voting on behalf of an email voters. Managers can see the codes for code voters, but since the managers are responsible for providing the codes to voters we can't limit that.
We do a few things at OpaVote to limit our exposure to hackers.
First, we greatly limit our risk by not storing sensitive information. At OpaVote, we do not store any credit card numbers, and instead we rely on third parties to securely process payments for us. We also do not store any passwords. Managers login to OpaVote with another account (Google, Facebook, or LinkedIn) and we receive only a token that acknowledges that you logged in correctly.
Second, we use Google App Engine for the servers that run OpaVote. Google take enormous efforts to prevent hackers from accessing its servers, and we rely on their expertise to make sure our servers are safe.
Third, we use REALLY long secret codes for email voters. For our secret codes, there are 16^32 possibilities (16 raised to the power of 32). That doesn't look a big number, but here it is written out: 340,282,366,920,938,000,000,000,000,000,000,000,000. If you could try a billion codes per second, then it would take more than a billion years to try all of the codes.
Fourth, all voting web pages are encrypted in transmission between your computer and our servers. This prevents anyone from seeing your vote or getting access to your secret code.