Monday, May 28, 2018

Trusting your Election Manager

Illustration via Max Fleishman
Because of the importance of some elections, the thought of running elections online can create apprehension. Often, the concern is hackers who might try to manipulate your election (see our recent post on our election security practices).

In this blog post, however, we are going to focus on the election manager (the person who is running the election on behalf of the organization) and the steps that OpaVote takes to limit the ability of an election manager to manipulate an election.

To some extent, you need to trust your election election manager as we'll describe in greater detail below. If you want to eliminate all possibility of an election manager improperly influencing your election, then you can hire OpaVote to run your election for you.

Manager Cannot See or Change Individual Votes

The election manger has no access to individual votes. The manager cannot see votes and cannot change votes. The manager can see the number of votes that have been cast in real time, but nothing else.

Manager Cannot See Preliminary Election Results

We do not allow the manager to see preliminary election results. The manager can only see the results once the election is finished and the manager cannot reopen the election. This prevents the manager from closing the election early or late to try to influence the results.

We do have an option to allow anyone to see preliminary results during an election, but this allows all voters to see preliminary results in addition to the manager.

Manager Cannot Change Election Info after Voting Opens

Once voting opens, the manager cannot change any information about the election. For example, the manager cannot change the election description and cannot add or remove candidates. If the manager makes a mistake (such as a typo), then the manager can contact us to fix it (with a support fee), and we make sure that such changes do not improperly influence the election.

Possible ways for Manager to Influence Election

To some extent, you do need to trust your election manager. To run the election, the election manager needs access to information that is not publicly available. Here are some examples, and the steps we take to mitigate the risks.
  • The manager has sole access to the voting lists. For privacy reasons, we don't allow voters to access voter lists and details about who has and has not voted. If people at your organization other than your election manager need access to this information, then we can provide it to them to allow them to independently confirm that voter lists are correct.
  • The manager can disable voters to prevent them from voting (e.g., if a voter was accidentally included twice). When this happens, however, the voter will receive a message indicating that their voting code has been disabled. If the manager improperly disables voters, then the voters will know and can take action.
  • The manager can see who has and has not voted. The manager could use this information to urge supporters of a particular candidate to vote. We see this as a minor risk since the manager can do this even without knowing who has voted.
  • The biggest risk arises from the use of code voters. When you use code voters, the manager needs access to the secret voting codes so that the manager can distribute them to the voters. Because the manager has access to all of the secret voting codes, then manager is able to enter votes on behalf of voters. One mitigation is that we store the date and time time of each received vote along with the IP address of the computer that was used to enter the vote. If the manager enters multiple votes from the same computer, it is easy to detect this kind of manipulation. If you do not trust your manager, however, then you should either use only email voters or hire OpaVote to run your election for you.