Sparkster Labs Ltd – written evidence (DAD0064)
- I would like to advocate a proposal for moving the UK towards electronic voting.
- Estonia has implemented electronic voting and, as a result, its elections cost half as much to run as a paper-based vote.
- Estonia has identified several benefits of electronic voting, particularly for disabled voters and those who live in remote areas, as well as for those travelling or residing outside the country, making elections far more accessible. In addition, Estonia has found that most of those aged 25-45 now vote electronically. Hence, I argue that electronic voting increases access to the democratic process and is in the interest of the citizens of our nation. Electronic voting also makes tallying the results far more efficient, near-instantaneous and transparent. Removing people, and hence the possibility of human error, from the process of collecting results from various parts of the country and collating them increases trust in the democratic process.
- If we are to move towards an electronic voting system, trust is crucial. Just the perception of election interference can jeopardize the results and undermine the credibility of the entire democratic process.
- “The systems themselves don’t have to be penetrated to impact the process,” says Steven Martin, a senior election adviser with the OSCE’s Office for Democratic Institutions and Human Rights. “Regardless of if there is an actual attack, the perception of an attack can be sufficient for people to cast doubt on the election itself and its integrity.”
- In 2002, Ireland introduced electronic voting machines, but these were later withdrawn because of concerns about their susceptibility to tampering. Germany withdrew its machines because they proved not to be open and transparent.
- This proposal focuses on how we might implement a safe, secure, and transparent electronic voting system in the United Kingdom.
- Current system:
At present, a voter registration letter is sent to my home with a username and password, consisting of random numbers. I am asked to visit a website and verify the accuracy of the data maintained by the election commission for those living at my property and their eligibility to vote.
- On polling day, I arrive at my local polling station and give my name and address. The person behind the desk looks up my name on the list in front of them, and I am given a paper ballot with the list of candidates I can vote for. I mark which candidate I am voting for and insert my ballot into a box.
- I am not asked to present any form of ID. There are several attendants in the room, each with a copy of the list of constituents, and while I am marked off as having voted on one list, I am not marked off on all lists in the room, and hence it may be possible for someone to impersonate me and vote again. I go home, trusting that nobody has impersonated me, and trusting the people in that room to accurately count my vote and submit the tally truthfully. However, this process is not transparent and I am not able to personally verify it.
- Proposed solution:
A polling card is sent to my home and, much like the voter registration letter, it contains a unique username and password consisting of random letters and numbers that have been assigned to me. In addition, it contains a 2D barcode encoding the same username and password, along with the address of the website where the person can cast their vote (e.g. vote.uk). Because the card carries the password, it has to be handled like a PIN mailer: whoever holds the card before the voter does can cast that voter's ballot, so the printing and postal handling of cards is part of the system's security boundary.
- If the person wishes to vote at a polling station, or does not have the necessary technology or know-how to vote at home, they take their polling card to their local polling station, where computers with 2D barcode scanners await them. They scan the 2D barcode on the polling card, select their candidate from a list, and click the submit button. The entire process should take no longer than 20 seconds.
- If the person wishes to cast their vote from home, they have two options:
- Visit the designated website (e.g. vote.uk), type in the username and password printed on their polling card, select their candidate, and click submit.
- Download the government's voting mobile app; when opened, it uses the phone's camera to scan the 2D barcode on the polling card. The user then selects the candidate and clicks the submit button.
- A constituent can verify how their vote was registered, and how all voters have voted, on the government's public vote ledger (e.g. vote.uk/verify), to independently validate the accuracy of the voting process. The constituent visits the designated website, where she sees all usernames (random numbers and letters) and how each username voted. She can use the search feature to find her own username and verify that her vote was indeed recorded accurately and is free of tampering. This website does not require a username or password, and can therefore be accessed anonymously, further enhancing trust in the voting process. One caveat follows directly from this design: the ledger is anonymous only for as long as the link between a username and a person stays secret. The body that issues the cards knows that link, and anyone who has seen a voter's card can look up how that username voted, so the handling of cards and of the issuing records must be designed with coercion and vote-buying in mind.
- The username and password are used to validate the eligibility of the individual to participate in the election. The government's voting system ensures the username is used only once, so a vote cast at the polling station cannot be cast again on a mobile device by the same individual or with the same polling card. In addition, to maintain anonymity, the constituent does not need to register on either the website or the app with any personally identifiable information.
- Proposals for ensuring the voting system is secure:
The username and password form a public/private key pair: the username is the public key, and the password is the private key (or the random seed from which it is derived). The private key (password) is used to produce a cryptographic signature over the vote, but it is never transmitted over the internet, nor stored on the electoral commission's servers; it is only ever used on the local device. For the website option this means the signing has to happen in the browser, not by posting the password to the server. Because the private keys are never held on the servers, a compromise of the commission's systems does not yield them; the places where a private key does exist, namely the printed card and the voter's device, are the points that must be protected.
- The public key (username), the vote and the signature are transmitted to the electoral commission's servers and are publicly auditable via the registry website (e.g. vote.uk/verify). Here, the public key (username) can be used to validate the authenticity of the signature, which can only have been produced with the corresponding private key. Hence, this is a method of validating that the votes listed on the ledger are indeed authentic and have not been altered. A valid signature shows that an entry was produced by the holder of that private key; it does not show that an entry has been omitted, which is why the voter's own check of the ledger remains part of the design.
- Transport Layer Security (TLS) is used to transmit the data from the device to the servers, in much the same way as TLS (the successor to SSL) protects credit card or banking information on the internet today. TLS protects the vote in transit; it does not replace the signature, which is what makes the vote verifiable after it has been stored.
- Through a series of in-memory caching servers distributed around the country (Redis, say), we can ensure that the same public key cannot be used more than once. Once the login process starts, all caching servers nationwide are notified in parallel of the login. A lock of, say, 15 minutes ensures nobody else can log in to the app (or website) with the same key while the vote is being cast. After the vote is cast, the fact that the key has been spent is likewise broadcast across the national caching servers. The cache can only be a fast first check, however: the authoritative one-vote-per-key rule has to be enforced by the ledger servers described below when they validate each entry, otherwise a partition between cache nodes would allow the same key to vote twice.
- We can ensure the ledger is protected and tamper-evident by borrowing some ideas from blockchain technology. A network of independent servers can be geographically distributed around the country, with each server processing each transaction (vote) independently and in parallel. Each server then communicates the vote (or batch of votes) to the others, and each receiving server validates the legitimacy of the vote it receives: it uses the public key to check the signature and confirm the vote is valid. Each server builds its own independent ledger, and by transmitting proof that it validated each transaction (or batch), the servers arrive at consensus on the validity of each vote and hence on the state of the ledger.
- This would be a private blockchain operated by the government, so the nodes themselves would be secured. No ledger is "hackproof", however; what replication buys is that altering the record requires compromising a majority of the nodes at once, so the number of servers, and how independently of one another they are operated and administered, determine how strong that guarantee is.
- Finally, the list of eligible voters (the list of public keys) would also need to be maintained by each of these servers, with consensus reached on it before voting opens. This ensures that a hacker cannot inject public keys and tamper with the results using fake accounts.
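The signing, verification, one-vote-per-key and eligible-list rules described in the paragraphs above, as an added example written for this edit; it is not code from Sparkster or from any electoral system. It assumes Ed25519 key pairs (the proposal fixes no algorithm), Base32 as the printable alphabet for the username and password on the card, and an election identifier bound into every signature so that a signed ballot cannot be replayed into a later election. The seed is used only inside CastVote, which stands in for the voter's device; the servers and any member of the public run the same per-entry check over the published ledger.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base32"
	"fmt"
)

// Assumed election identifier, bound into every signature to stop cross-election replay.
const ElectionID = "UK-GE-EXAMPLE"

// Assumed printable alphabet for the username and password on the card.
var cardEnc = base32.StdEncoding.WithPadding(base32.NoPadding)

// Username is the public key (published later); Password is the private-key
// seed, which exists only on the printed card and the voter's device.
type PollingCard struct{ Username, Password string }

// IssueCard generates the key pair the electoral commission would print.
func IssueCard() (PollingCard, error) {
	seed := make([]byte, ed25519.SeedSize)
	if _, err := rand.Read(seed); err != nil {
		return PollingCard{}, err
	}
	pub := ed25519.NewKeyFromSeed(seed).Public().(ed25519.PublicKey)
	return PollingCard{cardEnc.EncodeToString(pub), cardEnc.EncodeToString(seed)}, nil
}

// Ballot is the (public key, vote, signature) triple that is transmitted and published.
type Ballot struct {
	Username, Candidate string
	Signature           []byte
}

func signedMessage(u, c string) []byte { return []byte(ElectionID + "|" + u + "|" + c) }

// CastVote runs on the voter's device, the only place the seed is ever used.
func CastVote(card PollingCard, candidate string) (Ballot, error) {
	seed, err := cardEnc.DecodeString(card.Password)
	if err != nil || len(seed) != ed25519.SeedSize {
		return Ballot{}, fmt.Errorf("malformed password on polling card")
	}
	sig := ed25519.Sign(ed25519.NewKeyFromSeed(seed), signedMessage(card.Username, candidate))
	return Ballot{card.Username, candidate, sig}, nil
}

// checkBallot is run by every server and every auditor: the key must be on
// the agreed eligible list and the signature must verify under that key.
func checkBallot(eligible map[string]bool, b Ballot) error {
	if !eligible[b.Username] {
		return fmt.Errorf("username %s is not on the eligible-voter list", b.Username)
	}
	pub, err := cardEnc.DecodeString(b.Username)
	if err != nil || len(pub) != ed25519.PublicKeySize {
		return fmt.Errorf("malformed username %q", b.Username)
	}
	if !ed25519.Verify(ed25519.PublicKey(pub), signedMessage(b.Username, b.Candidate), b.Signature) {
		return fmt.Errorf("signature on the vote by %s does not verify", b.Username)
	}
	return nil
}

// Ledger is one server's copy of the public ledger.
type Ledger struct {
	Eligible map[string]bool // the eligible-key list the servers agreed on
	Entries  []Ballot        // the published view
}

// Append is the server-side acceptance rule: eligible key, valid signature, one vote per key.
func (l *Ledger) Append(b Ballot) error {
	if err := checkBallot(l.Eligible, b); err != nil {
		return err
	}
	for _, e := range l.Entries {
		if e.Username == b.Username {
			return fmt.Errorf("username %s has already voted", b.Username)
		}
	}
	l.Entries = append(l.Entries, b)
	return nil
}

// AuditLedger is the check anyone can run over the published ledger with nothing
// but the eligible-key list; it returns the tally only when every entry passes.
func AuditLedger(eligible map[string]bool, entries []Ballot) (map[string]int, error) {
	seen, tally := map[string]bool{}, map[string]int{}
	for i, b := range entries {
		if err := checkBallot(eligible, b); err != nil {
			return nil, fmt.Errorf("entry %d: %w", i, err)
		}
		if seen[b.Username] {
			return nil, fmt.Errorf("entry %d: username %s appears twice", i, b.Username)
		}
		seen[b.Username] = true
		tally[b.Candidate]++
	}
	return tally, nil
}
```

Two design points are worth noting. The signed message covers the username as well as the candidate, so a valid signature cannot be lifted from one ledger entry and attached to another key, and it covers the election identifier so that a ballot cannot be re-submitted in a later election run with the same cards. AuditLedger deliberately takes only the public inputs, the eligible-key list and the published entries, because that is exactly what a constituent checking vote.uk/verify would have; a forged signature, an unissued key, or a username that appears twice all cause the audit to fail rather than being silently counted.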
- We not only believe this improves the efficiency of voting, and collating results, but dramatically improves access to voting. We would be more than happy to present our ideas in person, if requested to do so. At Sparkster we have experience in all the areas discussed above, and have implemented blockchain technology in the past. The government has done a wonderful job so far in digitizing many of its services, we would be honoured to assist the government in implementing a digital voting system, should we be asked.
- Electronic voting within the Houses of Parliament
- We can see many benefits from the government implementing electronic voting within the Houses of Parliament. In particular, it would make the process instant and painless for Peers and MPs as they would not need to leave their seats.
- A simple solution would be to develop a mobile app for use by Peers and MPs. They would log in with their username and password, and be presented with the items that are on the agenda for voting that day.
- Once a vote has been called by the Lord Speaker / Speaker of the House, the item on the list opens for voting within the app. The Peer or MP selects their position, either content or not-content, and uses their thumbprint as biometric verification that they are indeed personally approving the vote.
- To ensure that the person must be within the House to cast their vote, the system will not be accessible publicly or over the internet, but only over the private wireless network within the Houses of Parliament. Being on that network shows that the device is within its range, not who is holding it, which is why the biometric step above is needed alongside it.
- As in our public voting proposal, TLS would be used to ensure the data is encrypted while in transit between the device and the servers.
- If further security were necessary, a bearer token could be installed on the mobile device by IT staff, to ensure that only that device is authorised to cast a vote. While this proposal would be considered as secure as a banking application, if further security were required, specialised devices could be created that store this token in protected memory on the processor; there are established best practices for this with technology such as Intel SGX or ARM TrustZone. Such a token identifies the device rather than the person holding it, so it complements the biometric check rather than replacing it.
- In summary, the process of voting can become much easier for those serving in our government, and would be of particular benefit to elderly peers.
I-Voting in Estonia, https://blogs.microsoft.com/eupolicy/2019/05/10/electronic-voting-estonia/
Elections under threat: Europe's electronic voting landscape, https://blogs.microsoft.com/eupolicy/2018/11/22/europes-voting-landscape/