Is Secure Internet Voting Possible?

We expect anonymity in any form of voting, whether you’re casting your vote in-person at the local polling station, or if you’re voting from your laptop at home. Today’s remote voting options raise concerns regarding privacy and security. Experts wonder if electronic voting (e-voting) systems can provide reliable results.

Properties of a Secure Remote Voting System

Remote voting, or e-voting, can be a highly convenient option to increase voter turnout through improved accessibility. While in-person voting methods have proven to be secure and reliable to an extent, sometimes they might not be available to all participants.

According to information scientists, e-voting is poised to take over conventional paper ballots as it is more convenient and cost-effective. Dr. Indrajit Ray comments,

“Electronic voting overcomes the problem of geographic distribution of the voters as well as vote administrators. It also reduces the chances of errors in the voting process. However, in order that electronic voting replace conventional mechanisms, it must provide the whole range of features that conventional voting does.”

As introduced in a previous article, e-voting comes with its own set of criteria. In this article, we will take a closer look at the requirements of a secure e-voting system.

There are a number of basic requirements to consider when creating a secure e-voting or remote voting system. These properties include:

  1. Ballot Anonymity – This means that each voter’s decision is a secret.
  2. Integrity – This means that each voter’s decision is counted, unmodified, in the final tally.
  3. Trustworthy Platform – Voter’s ballots should be both reliable and accurately transmitted from their personal computer.
  4. Coercion Resistance – Voters should be able to cast the ballot of their choice, even if they are voting in an unsupervised and potentially insecure environment.
  5. Denial of Service (DOS) Prevention – The e-voting system should effectively prevent small- and large-scale DOS attacks.

The first two properties should be expected of both in-person as well as remote systems, while the last three are more specific to remote or e-voting systems.

Ballot Anonymity & Integrity

Traditional voting systems typically achieve ballot anonymity. However, this is where it usually stops. Once voters leave the polling station, integrity of their vote is not guaranteed. By contrast, end-to-end (E2E) verifiable systems ensure both ballot anonymity and integrity. Such systems ensure security through cryptography, and as such, the votes can be publicly posted without breaking ballot anonymity. Boters can also check that their votes are included – and have not been tampered with – in the final tally.

For example, Scantegrity, an enhancement for optical scan voting systems, ensures E2E verifiability of election results. It relies on confirmation codes, allowing voters to confirm that their ballot is included unmodified in the final tally. Codes preserve privacy and don’t divulge which candidate a voter selected; ballot anonymity is not compromised with this system. Scantegrity systems have been used in a municipal electionn Maryland.

Helios is another voting system that is voter-verifiable. With this system, each voter receives a smart ballot tracker, which can be checked against the Ballot Tracking Center to ensure the ballot was received and tallied appropriately. With Helios, advanced cryptographic techniques are used to combine all encrypted votes into an encrypted tally. Only the tally itself, rather than the individual ballot, is actually decrypted. So far, Helios has only been used in student elections.

Trustworthy Platforms

It’s still a major challenge to design e-voting systems that can meet the first three criteria of ballot anonymity, integrity and trustworthy platforms. While there hasn’t been a system that has done this successfully yet, there is one known as Remotegrity, which is scheduled to be used in Maryland, and the voting system designed in Norway, to be used in the near future.

Such systems rely on two techniques:

a)      Two channels, with the assumption that either one is trustworthy.

b)      Code voting

Over one channel (e.g. mail, CAPTCHA), voters receive a list of candidates with a serial number and unique codes associated with each one. Over another channel (e.g. internet on their computer), they vote through providing the serial number and code for the candidate they have selected. Should the voter’s computer be compromised, attackers will be able to see the code, but will not be able to identify which candidate has been selected, nor will they know the valid code for any other candidate.


In the scenario described above, security would be compromised if the voter should show their card to an attacker, or the attacker was physically present with the voter during the time they placed their vote. So far, researchers have proposed two methods for addressing the problem of coercion.

First, voters could be allowed to cast as many ballots as they one, so they would be able to override previous ballots. Cryptography might be used here to have hidden tags linking votes with their voter, so that only one ballot is kept. However, this doesn’t prevent an attacker from coercing a voter at the very end of the voting period.

Alternatively, a system could feature both real and fake ballots. Voters being coerced, or those selling their votes can use or sell a fake ballot, which would not be distinguishable by an attacker. However, the challenge here would be counting the real ballots, not the fake ones.

Denial of Service

Finally, DOS is a problem that continues to elude voting security professionals. After all, infected computers can always prevent a voter from casting their ballot. Trustworthy platforms can allow for the detection, but not prevention of DOS. Such attacks can also take place at the network level, by taking down the servers that receive the votes, for instance. While the integrity of the voting system might be able to detect if ballots are deleted or modified, it cannot prevent this from happening.


This article takes a look at five properties of a secure, anonymous e-voting system: 1) Ballot anonymity; 2) Integrity; 3) Trustworthy platform; 4) Coercion-resistance. It also introduces systems that have effective addressed these issues.

CIPP Exam Preparation

In preparation for the Certified Information Privacy Professional/Information Technology (CIPP/IT) exam, a privacy professional should be comfortable with topics related to this post, including:

  • Applications of anonymity tools – voting and surveying (III.E.c.iii.3.)

Leave a Reply




You can use these HTML tags

<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>