Verified Voting, an advocacy organization of leading academic computer scientists, has compiled a list of many of the top concerns raised by insecure internet voting.
SIV has always taken these thoughtful concerns into consideration, designing the system to meet the high standards needed.
The most common reason computer scientists are skeptical of digital voting is that elections have unique requirements: authentication, privacy, and verifiability must all be achieved at the same time, which is unusually challenging.
We believe the SIV Protocol solves this challenge, with the potential to significantly strengthen all three requirements. It can greatly improve on the status quo, making secure elections easier and more affordable to run, and ultimately inspiring more confidence in outcomes.
In addition to these core requirements, thoughtful computer scientists have also highlighted other important issues raised by internet voting.
Many of them are harder to answer "perfectly". But we believe that for almost all of them, SIV can achieve a higher level of security than traditional paper approaches.
The SIV Protocol is intentionally flexible about voter authentication methods. The specific process is up to each jurisdiction's and election's requirements.
SIV can recreate existing voting protocols, such as requiring unique codes sent via postal mail or handed out in person.
In other words, SIV's authentication can be at least as strong as existing paper approaches.
But additional authentication methods can also be layered on top, such as verified email delivery, SMS, drawn e-signatures, time-based one-time passwords (TOTP), IP address geolocation, photos of government ID, or cryptographic key pairs. These factors are not equally strong (SMS codes and IP geolocation are far easier to defeat than TOTP or a key pair), so layering should combine factors of different kinds rather than stacking weak ones.
Importantly, the entire SIV voter authentication process should be independently auditable.
Additionally, any voter credential can be revoked at any point in the election, including after voting and tallying. This means that even if credentials are compromised, the problem can still be fixed.
Note that this is simply not possible with paper elections. It gives election administrators and courts precise new remediation abilities, where today they can only throw out an entire precinct's votes, unfairly penalizing honest voters, or expensively order a new election.
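The credential lifecycle described above, as an added example that is not SIV's own code: every issuance, vote, and revocation is appended to a hash-chained log that anyone can re-verify, a credential can be revoked with a written reason at any time (including after a tally), and the set of counted ballots is always re-derived from the log rather than patched in place. The log format and field names are assumptions, and ballots are opaque strings standing in for SIV's encrypted votes.

```python
"""Toy auditable credential registry (added example, not SIV's code).
Events are hash-chained so a tampered or deleted entry breaks verify();
credential codes are logged only as a keyed hash so the log leaks nothing."""
import hashlib
import hmac
import json
import secrets


class AuditLog:
    """Append-only list; each entry commits to the previous entry's hash."""

    def __init__(self):
        self.entries = []

    def append(self, event: dict) -> str:
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        entry = {**event, "prev": prev}
        entry["hash"] = hashlib.sha256(
            json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self.entries.append(entry)
        return entry["hash"]

    def verify(self) -> bool:
        """Anyone holding a copy of the log can recompute the whole chain."""
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            digest = hashlib.sha256(
                json.dumps(body, sort_keys=True).encode()).hexdigest()
            if e["prev"] != prev or digest != e["hash"]:
                return False
            prev = e["hash"]
        return True


class CredentialRegistry:
    def __init__(self, log: AuditLog):
        self.log = log
        self.pepper = secrets.token_bytes(32)   # server-side key, never logged
        self.by_hash = {}                       # keyed hash of code -> voter id

    def _h(self, code: str) -> str:
        return hmac.new(self.pepper, code.encode(), "sha256").hexdigest()

    def issue(self, voter_id: str) -> str:
        code = secrets.token_hex(8)             # mailed or handed to the voter
        self.by_hash[self._h(code)] = voter_id
        self.log.append({"type": "issued", "voter": voter_id, "cred": self._h(code)})
        return code

    def revoke(self, voter_id: str, reason: str) -> None:
        """Revocation is an appended event with its justification, never an edit."""
        self.log.append({"type": "revoked", "voter": voter_id, "reason": reason})

    def _state(self) -> dict:
        """Replay the log: who has voted, who is revoked, which ballot is whose."""
        revoked, ballots = set(), {}
        for e in self.log.entries:
            if e["type"] == "cast":
                ballots[e["voter"]] = e["ballot"]
            elif e["type"] == "revoked":
                revoked.add(e["voter"])
        return {"revoked": revoked, "ballots": ballots}

    def cast(self, code: str, ballot: str) -> bool:
        """Accept a ballot only for a known, unrevoked, not-yet-used credential."""
        h, s = self._h(code), self._state()
        voter = self.by_hash.get(h)
        if voter is None or voter in s["revoked"] or voter in s["ballots"]:
            self.log.append({"type": "rejected", "cred": h})
            return False
        self.log.append({"type": "cast", "voter": voter, "cred": h, "ballot": ballot})
        return True

    def counted_ballots(self) -> list:
        """Ballots still in the count: cast by a credential that was never revoked."""
        s = self._state()
        return sorted(b for v, b in s["ballots"].items() if v not in s["revoked"])


def demo() -> dict:
    """Constructed walk-through: three voters, a replayed code, an unknown
    code, and one credential revoked after the first tally."""
    log = AuditLog()
    reg = CredentialRegistry(log)
    codes = {v: reg.issue(v) for v in ("voter-1", "voter-2", "voter-3")}
    for v, c in codes.items():
        reg.cast(c, f"enc-ballot-{v}")
    duplicate = reg.cast(codes["voter-2"], "enc-ballot-replay")
    unknown = reg.cast("not-a-real-code", "enc-ballot-x")
    first = len(reg.counted_ballots())
    reg.revoke("voter-3", "court order: credential intercepted in the mail")
    second = len(reg.counted_ballots())
    return {"first": first, "second": second, "duplicate_rejected": not duplicate,
            "unknown_rejected": not unknown, "chain_ok": log.verify(),
            "entries": len(log.entries)}
```

The point of replaying the log instead of keeping a mutable "counted" flag is that a court-ordered removal leaves a visible, signed-off entry behind, and anyone with the log can recompute both the old and the new count.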
SIV is designed to be voter-verifiable: It makes it possible for voters to detect if their vote was cast differently than intended, such as due to malware.
This level of verifiability is simply not possible with traditional paper elections.
Even if malware were sophisticated enough to corrupt the voter's device's ability to verify:
a. Checks can still be performed from separate devices, including ones running different operating systems, both when the vote is cast and at any time afterward.
b. After the election, Risk Limiting Audits based on statistical sampling can provide additional verification that votes were cast as intended, giving even stronger assurance that outcomes are accurate. These can be run on separate hardware, checking only a relatively small number of votes, without compromising vote privacy.
If any vote is found to be corrupted, the SIV design allows individual votes to be removed and remediated, with auditable justification, even after votes have been tallied.
When evaluating this risk, it is also important to keep in mind that SIV is only meant as an additional voting option. In so many other aspects of our lives, large numbers of people prefer digital options despite similar malware risks, often with far greater individual consequences. It is easy to imagine that many voters would also like the option of Secure Internet Voting.
Delivering reliable services at scale is an issue to take very seriously. Fortunately, there are now decades of proven experience delivering trillions of dollars of economic value to billions of people online, in both the private sector and government services: communications, financial trading, paying taxes, and many more.
Here are some of the ways SIV can mitigate Denial-of-Service attacks:
a. The core SIV architecture is built for high scale, with extremely lightweight clients and limited resource needs on backend servers, all of which can scale both vertically and horizontally.
b. SIV is designed to allow outsourcing public-facing resources to Content Delivery Networks, which have the expertise of serving billions of users daily, even under hostile attack. Because votes are encrypted on the voter's own device before submission, these can be leveraged without compromising SIV's fundamental integrity and privacy guarantees.
c. SIV can use redundant infrastructure at multiple layers. The "Chaos Engineering" approach popularized by Netflix is a well-established method for pre-emptively finding and fixing weak points in infrastructure.
d. Because SIV voters are authenticated, abusive users can be rate-limited per credential as well as per IP address. Unauthenticated flood traffic never reaches that check, so it must be absorbed upstream (item b), and per-IP limits need care because many legitimate voters can share one address behind carrier-grade NAT.
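The two-tier rate limiting sketched in item d, as an added example (not SIV's own code): a token bucket keyed on the authenticated credential, and a larger but still bounded bucket keyed on the client IP for requests that have not authenticated yet. The bucket sizes are assumed values, and the clock is injected so the behaviour is deterministic.

```python
"""Per-credential and per-IP token-bucket limiter (added example, not SIV's code).
Limits shown are assumptions chosen for illustration."""
import time
from typing import Optional


class TokenBucket:
    def __init__(self, capacity: int, refill_per_sec: float, now: float):
        self.capacity = capacity
        self.refill = refill_per_sec
        self.tokens = float(capacity)
        self.updated = now

    def take(self, now: float) -> bool:
        """Refill for the elapsed time, then spend one token if available."""
        elapsed = max(0.0, now - self.updated)
        self.tokens = min(self.capacity, self.tokens + elapsed * self.refill)
        self.updated = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


class VoteRateLimiter:
    # A credential needs only a handful of requests to cast one vote, so its
    # bucket is tiny. An IP may carry many voters behind carrier-grade NAT,
    # so its bucket is larger but still bounded. (Assumed values.)
    CRED_CAP, CRED_REFILL = 10, 1 / 60      # 10 burst, then 1 per minute
    IP_CAP, IP_REFILL = 200, 2.0            # 200 burst, then 2 per second

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.buckets = {}

    def _bucket(self, key, cap: int, refill: float):
        now = self.clock()
        b = self.buckets.get(key)
        if b is None:
            b = self.buckets[key] = TokenBucket(cap, refill, now)
        return b, now

    def allow(self, ip: str, credential: Optional[str]) -> bool:
        """Unauthenticated requests are limited by IP only; authenticated
        requests must pass both the IP bucket and the credential bucket."""
        b, now = self._bucket(("ip", ip), self.IP_CAP, self.IP_REFILL)
        if not b.take(now):
            return False
        if credential is None:
            return True
        b, now = self._bucket(("cred", credential), self.CRED_CAP, self.CRED_REFILL)
        return b.take(now)


class FakeClock:
    """Deterministic clock for the demo (constructed for testing)."""
    def __init__(self):
        self.t = 0.0

    def __call__(self) -> float:
        return self.t


def demo() -> dict:
    clk = FakeClock()
    rl = VoteRateLimiter(clock=clk)
    # One credential hammering the service: only the burst gets through.
    burst = sum(rl.allow("203.0.113.5", "cred-A") for _ in range(12))
    clk.t += 60                                             # one minute later
    after_wait = rl.allow("203.0.113.5", "cred-A")          # one token refilled
    neighbour = rl.allow("203.0.113.5", "cred-B")           # same IP, other voter
    # Unauthenticated flood from one address: capped by the IP bucket alone.
    flood = sum(rl.allow("198.51.100.9", None) for _ in range(300))
    return {"burst": burst, "after_wait": after_wait,
            "neighbour": neighbour, "flood": flood}
```

Note that a voter sharing an address with an attacker is only affected once the attacker exhausts the IP bucket, which is why the credential bucket, not the IP bucket, is the one that should be tight.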
Our critical election systems must be handled responsibly. It is clear to us that when significant numbers of voters try to use a system at the same time while hostile actors are also attacking it with DoS traffic, unreliability creates fear, uncertainty, and doubt.
Therefore our approach is to scale slowly and deliberately, with clear expectations of what load the system is ready to handle and explicit contingencies in place.
If we compare SIV with paper options, we must also consider that even in the best of times, in-person voting is only available during limited daytime hours, typically something like 8am to 7pm. Online options can easily be offered 24 hours a day without compromising security.
Additionally, existing in-person and vote-by-mail options are also subject to availability problems, whether intentional, such as the Fall 2020 allegations of U.S. Postal Service sabotage, or acts of nature, such as pandemics that disrupt in-person voting.
Fundamentally, Secure Internet Voting is now orders of magnitude cheaper to operate securely than in-person or vote-by-mail voting. So while all of these options face threats to their normal operation, it is worth further developing trustworthy and widely available internet voting options.
In the end, SIV is only an additional option. We are not advocating replacing existing in-person or postal-mail options, only adding to them for people who want such a service.
We must be proactive about defending against Denial of Service attacks. But let us not pre-emptively completely deny the service of Secure Internet Voting from voters, simply because there is a future possibility of it being temporarily denied.
The SIV Protocol is designed so that nobody needs to trust the election server, either for accurate results or for confidentiality.
All results are completely verifiable, and any mistake can be independently detected. This provides far greater assurance than traditional election infrastructure, where tallying is done behind closed doors.
Written, auditable evidence is produced for the successful completion of each of the 5 steps of the SIV Protocol. Every step can and should be independently checked to justify as much confidence in the outcome as possible.
SIV has developed Zero-Knowledge Proofs that provide Universal Verification against tampered election results. A single independent check of these proofs covers every ballot, so universal verification does not depend on every voter checking their own vote.
In both paper-only elections and Secure Internet Voting, compromising election administrators or their computers could lead to inaccurate results being published. The difference is that SIV makes it much harder for these types of inaccuracies to pass undetected.
There are many reasons this potential attack should not justify withholding Secure Internet Voting from citizens:
a. SIV itself can be installed on the election administrator's own domain, so that it is offered only behind easily identifiable .gov addresses.
b. In the physical world, this is already an issue with fake ballot drop-boxes and ballot harvesting rings. The answer in these cases is education, clear communication from the election administrators, and criminal prosecution where necessary. The same applies with digital voting.
c. Spoofing and phishing are already a risk for every digital service: e-commerce sites, fake banking sites, fake crowdfunding sites, and so on. Sadly, it does happen. But this is not sufficient justification to prohibit online services altogether.
d. Even if a voter casts a vote on a fraudulent service, they can still cast their vote on the legitimate one. If a voter has registered an email address or phone number with their election administrator, administrators can easily send follow-up reminders that an official vote has not yet been received.
e. Even if election administrators do not offer Secure Internet Voting as an additional option, fraudulent actors can still set up fake voting websites and trick especially vulnerable voters.
f. It is important to work to mitigate the number of votes lost because voters fall prey to fraudulent vote collection. However, let us also consider how many votes are not being cast right now in elections with only paper options. It's not hard to imagine significantly more votes cast with the additional accessibility of quick and easy voting from our own mobile devices.
g. SIV is not meant as the only voting option. Voters that do not feel comfortable with digital methods can continue to use the paper-voting options they are familiar with.
Historically, ensuring both authenticated and private votes has been very hard.
SIV was specifically designed to solve this problem, ensuring voters' right to a free and fair election.
SIV uses strong multi-party encryption (no single party holds the decryption key) and verifiable cryptographic shuffles so that no one can see how anyone else votes. This includes keeping vote contents anonymous from election administrators and from the SIV infrastructure itself.
At a high level, SIV ensures vote privacy by:
a. Encrypting each vote on the voter's own device, so it is sealed before submission.
b. Shuffling the encrypted votes many times, by multiple independent parties ("Verifying Observers"), for strong anonymization. This creates multiple fail-safes: even if some Verifying Observers' devices are compromised, vote privacy can still be protected. Verifying Observers do not need to trust each other, and because each shuffle comes with a cryptographic proof, they cannot tamper with votes without detection.
c. Only after the votes have been thoroughly anonymized do the Verifying Observers work together to unlock the encryption and verifiably tally the final results.
The technical details are available on the Protocol Page.
SIV's vote privacy can be verified mathematically: all encryption takes place on the voter's own device. For even stronger confidence that no plaintext can leak, the encryption work (Step 2 of the SIV Protocol) can be done in an Incognito browser window with the device's internet disabled, so that only the encrypted ciphertext is copied out at the end. This limits what the browser can send while it holds the plaintext; it does not protect a device that is already compromised and can record the plaintext for later, so the guarantee is only as strong as the device doing the encrypting.
This cryptographic privacy is an improvement over the implicit trust required in paper elections, where for example a single postal worker could read, and potentially discard, ballots they dislike. Even ballots handed out in person often carry unique voter-linked tracking numbers, and voters have little ability to verify for themselves how well their privacy is protected.
Paper elections do have mitigation strategies, such as independent election observers. But at scale this requires huge amounts of people's time. SIV offers even higher assurance of privacy and accuracy, at orders of magnitude lower cost.
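The flow described in the verifiability section above and in the privacy section here, as one added example that is not SIV's own code: a vote is ElGamal-encrypted on the voter's device under a key that no single party holds, the voter keeps enough to re-check the posted ciphertext from a different device, several independent parties re-randomize and shuffle the list, and only then do the parties jointly decrypt and tally. The group is a toy-sized safe prime so the numbers stay readable (assumed parameters, not SIV's), and the zero-knowledge proofs that make SIV's shuffles verifiable are not implemented: the shuffle step below is the re-randomization each party performs, without the proof that it did so honestly.

```python
"""Toy encrypt / check-from-another-device / shuffle / joint-decrypt flow
(added example, not SIV's code; toy-sized group, no shuffle proofs)."""
import hashlib
import secrets

P = 1019                 # safe prime, P = 2*Q + 1 (toy size, assumed)
Q = 509
G = 4                    # generates the order-Q subgroup of Z_P^*
CANDIDATES = ["Alice", "Bob", "Carol"]   # constructed sample contest


def rand_exp() -> int:
    return 1 + secrets.randbelow(Q - 1)          # uniform in [1, Q-1]


def encode(candidate: str) -> int:
    """Choice -> group element g^(i+1), distinct for each candidate."""
    return pow(G, CANDIDATES.index(candidate) + 1, P)


def decode(m: int) -> str:
    return next(c for c in CANDIDATES if encode(c) == m)


def keygen(n_parties: int):
    """Each party keeps a secret share x_i; the joint key is g^(sum x_i)."""
    shares = [rand_exp() for _ in range(n_parties)]
    pub = 1
    for x in shares:
        pub = pub * pow(G, x, P) % P
    return shares, pub


def encrypt(pub: int, m: int, r: int):
    """ElGamal on the voter's own device: (g^r, m * pub^r)."""
    return pow(G, r, P), m * pow(pub, r, P) % P


def fingerprint(ct) -> str:
    """Short digest the voter keeps to find their vote on the public list."""
    return hashlib.sha256(f"{ct[0]},{ct[1]}".encode()).hexdigest()[:12]


def reencrypt(pub: int, ct, s: int):
    """Multiply in an encryption of 1: same plaintext, unlinkable ciphertext."""
    return ct[0] * pow(G, s, P) % P, ct[1] * pow(pub, s, P) % P


def shuffle_round(pub: int, cts):
    """One Verifying Observer re-randomizes every ciphertext and permutes them."""
    out = [reencrypt(pub, ct, rand_exp()) for ct in cts]
    secrets.SystemRandom().shuffle(out)
    return out


def joint_decrypt(shares, ct) -> int:
    """Each party contributes c1^x_i; the full key is never assembled anywhere."""
    partial = 1
    for x in shares:
        partial = partial * pow(ct[0], x, P) % P
    return ct[1] * pow(partial, -1, P) % P


def run_election(votes, n_parties: int = 3) -> dict:
    shares, pub = keygen(n_parties)
    board, receipts = [], []
    for choice in votes:
        r = rand_exp()
        ct = encrypt(pub, encode(choice), r)
        board.append(ct)                                  # published ciphertext
        receipts.append((choice, r, fingerprint(ct)))     # stays with the voter
    # Cast-as-intended check on a SEPARATE device: re-derive the ciphertext
    # from the voter's own (choice, r) and confirm it appears on the board.
    posted = {fingerprint(ct) for ct in board}
    verified = all(fingerprint(encrypt(pub, encode(c), r)) == fp and fp in posted
                   for c, r, fp in receipts)
    mixed = board
    for _ in range(n_parties):                            # each observer shuffles
        mixed = shuffle_round(pub, mixed)
    tally = {c: 0 for c in CANDIDATES}
    for ct in mixed:
        tally[decode(joint_decrypt(shares, ct))] += 1
    return {"verified": verified, "tally": tally, "board": board, "mixed": mixed}


if __name__ == "__main__":
    print(run_election(["Alice", "Bob", "Alice", "Carol", "Alice"]))
```

Two things are worth seeing in the output: the entries of `mixed` share no values with `board`, so nothing on the decrypted list links back to a voter without the observers' private randomness, and `joint_decrypt` works only because every share participates, which is what "no single party can unlock the votes" means in practice.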
We can start by looking at current paper voting options, which are already vulnerable to voter coercion. In particular, coercing mail-in voters is trivial if they sign a blank ballot and hand it to the coercer.
Even with in-person voting, there are countless examples of people posting pictures of their filled out ballots to social media. With smartphones in our pockets, it is now cheap and easy to record a video of oneself dropping a ballot into a ballot box. Even without internet voting options, a determined coercer can still set up cryptocurrency payments for such videos.
Although preventing coercion is important to maintaining free and fair elections, there is little widespread evidence of it in the US.
Vote selling and voter coercion are, and will continue to be, crimes for both briber and bribee, punishable by up to $10,000 in fines and 2 years in jail, per vote. Therefore the main questions when threat-modeling this topic are: how much would a market pay per vote, how many votes are needed to flip an election, and is that cost worth such a large downside risk if caught?
We recommend always keeping this potential attack in mind. Voting software can include clear warnings telling voters to report any coercion attempt to the relevant authorities, and honeypot operations can be set up to catch bribers and bribees.
With all this said, we should not let the perfect be the enemy of the good.
We are aware of alternative proposals that achieve "receipt-freeness", but they introduce other complications & sacrifice easy verifiability.
Fundamentally, there is a trade-off between receipt-freeness and verifiability. But we have asked many voters, candidates, and election officials about this, and almost without exception they have said they strongly prefer verifiability, which is a significant improvement over our current process, even at the expense of receipt-freeness.
There is a widespread but incorrect belief that computers are fundamentally less secure than paper.
On the contrary, computers can be, and have been, used for much stronger security than analog options, and they already power much of our political, military, and economic infrastructure.
The US House of Representatives has cast all their public votes using electronic voting equipment since 1973. Before this, a single vote took 30 minutes; now it takes seconds.
The US nuclear arsenal is secured by strong multi-party cryptography, and communication from command centers to the front lines goes over digital channels, secured by strong encryption.
Millions of Americans have adopted online banking. In a single day, the NASDAQ Stock Exchange sees hundreds of billions of dollars of trading volume.
As of April 2022, cryptocurrencies collectively represented over $1.8 trillion in market value, secured by nothing more than secret integers (private keys) on individual devices, and with no reversibility, unlike SIV.
Many people clearly prefer online options. It is easy to imagine many would likewise prefer Secure Internet Voting.
SIV makes elections significantly faster, easier, cheaper, and more accessible. While all of the security concerns listed above are important to mitigate, we believe it can ultimately improve election security over the status quo as well.