Buzin A.Yu., Isavnin A.A., Kuznetsov D.A., Nesterov D.V., Ovchinnikov B.V., Reut O.Ch., Rybin A.V., Tolstoguzov V.L., Fedin Ye.V.
Experts in the field of IT application in elections discuss the experience and prospects of applying remote e-voting using the Internet (Internet voting) in foreign and Russian elections. The issues under discussion include international use of this type of voting, using of Moscow and federal platforms for the 2019–2021 elections in Russia, possible ways of ensuring secrecy of the vote in Internet voting, accuracy of vote counting, defense against hacking attacks, intimidation and bribery of voters, possible ways of ensuring effective public control over Internet voting.
One of the most important innovations elections in Russia have seen in recent years is the introduction of remote e-voting using the Internet (REV), or simply Internet voting. The introduction of this innovation began rather unexpectedly. Back in October 2018, such proposals were discussed only in theory, as future prospects [47]. However, the talk of experimental use of REV in Moscow City Duma election began as early as February 2019, and it sounded like a done deal from the get go. And even though Alexei Venediktov — a member of the Civic Chamber (CC) of Moscow and one of the driving forces behind this novelty — pointed out at the time that "introducing such a feature requires the consensus of all parties — political players, the mayor's office and observers" [28], the objections of many opposing politicians and experts were not taken into consideration [22]. The REV platform was created by the Department of Information Technology (DIT) of the Moscow Mayor's Office Hall on short notice, and it took almost until the vote to flesh out all the technical points [25; 26; 46].
The first use of REV in September 2019 ended in a scandal. In single-seat constituency No. 30, candidate Roman Yuneman lost to Margarita Rusetskaya by only 84 votes. At the same time, however, he was leading across individual polling stations, but lost the REV by 665 votes [23; 46]. According to data provided by Roman Yuneman, there were many technical glitches during the voting process, plus the administrative mobilization of public employees [46].
After the 2019 elections, the leaders of the Russian Central Election Commission said that the CEC would develop its own platform [42]. Rostelecom created such a platform for the CEC, and it was first tested in September 2020 in the State Duma by-election in two single-seat constituency [8]. In September 2021, the CEC platform was used to hold REV in the State Duma election in six regions [9].
The Moscow platform remained functional at the same time. In June 2020, the platform was used for the Russian constitutional referendum in two regions – Moscow and Nizhny Novgorod oblasts [7]. And in September 2021, it was used in the State Duma election in Moscow, and the scale surpassed all expectations: 1,893,000 voters voted using REV in Moscow, which is only slightly less than the number of voters in regular polling stations (1,946,000). However, the results of parties and single-seat candidates were very different for online and offline polling stations. For example, United Russia gained 29.4% at the offline polls and 44.8% at the online polls. In 8 of the 15 single-seat constituencies, candidates who lost offline polls won.
Such results, as well as various system failures and other suspicious moments identified by the experts, led to a serious distrust of the official vote returns at online polling stations and increased distrust of the REV system as a whole. There media was full of publications discussing the mechanisms of alleged falsifications [2; 12; 18; 19; 20; 49; 48; 50]. Nevertheless, officials continue to consider the experiment a success and anticipate further development of REV [30].
In this regard, the editorial board decided to discuss the experience and prospects of using REV with experts. We came up with eight questions, four of which concern international and domestic experience of using REV, and the other four focus on the possible uses of remote electronic voting in accordance with the standards of free and fair elections.
We received responses from nine experts who are qualified in the matters of information technology, aware of the reality of Russian elections, and who studied practical application of REV.
Boris V. Ovchinnikov
As far as I understand, the world at large is mostly skeptical about online voting at the moment. Individual examples of small countries like Estonia are exceptions rather than the rule.
The main thing is that focusing on the experience of Western democracies with sustained political competition makes no sense. The situation in Russia is completely different, as in the electoral process is monopolized by one political force and citizens are sceptical about elections. Moreover, there are many other examples where elements of Russia's electoral system that work well in other countries lead to increased fraud: for example, multi-day voting or the number of parliamentary seats for a region depending on election turnout.
Alexander A. Isavnin
The reluctance of most countries to force the introduction of REV is understandable: information technology is still too much of an enigma for most of society. Some countries, such as Germany, stay away from this method altogether. Other, such as Switzerland, tried it, but suspended the use after encountering problems. The only significant example of active use of REV is Estonia, but it is backed by several decades of successful implementation of e-government, and public trust in such technology as well as organizers of such election is well-deserved and well-tried.
Oleg Ch. Reut
No national Internet voting system has a mechanism to prevent possible violations of the principles of freedom of expression and secrecy of the vote. The newly emerged possibility of correlating choice with a particular voter remains the focus of electoral experts who specialize in developing modern methodological approaches to digitalizing electoral processes. There are quite a few papers in this field [3; 5; 6; 14; 15; 34; 37; 41].
Dmitry A. Kuznetsov
My opinion is that the Estonian experience of using REV deserves the most attention. The Estonian REV solution indicates that creation of this system was prompted by other issues: there is no issue of authorization or anonymization, the system does not decouple the user and the vote, but keeps the connection until the final stage instead.
The developers did not have to solve the issue of confirming the user's identity either: in Estonia, a voter uses a smart ID card for authorization. The main issue that was solved in Estonia is technical transparency and verifiability at tallying stage. The system was implemented in the context of trust in the governmental IT infrastructure and the electoral system
Andrei Yu. Buzin
I assess the experience of foreign countries as a) completely natural and b) very useful. As far as I know, no countries, with the exception of Estonia, have implemented REV on a national scale. In some countries, the concept was abandoned after the experiment, the reasons being insufficient public accountability of this type of voting and increased likelihood of fabricated vote returns.
However, it is quite obvious to me that REV will gradually be introduced as an auxiliary voting method. It is more convenient in terms of procedures performed by both the voter and the election organizer.
However, some important election principles are more difficult to implement using REV:
· voluntary character of voting;
· secrecy of the vote;
· integrity of the vote count;
· openness and transparency of election organizers and their activities.
Until these problems are resolved, REV should not be introduced as a non-exclusive voting method. It should be borne in mind that the solution to these problems depends very much on trust in election organizers and in the institution of elections in general.
Dmitry V. Nesterov
The issue of using Internet voting in elections is a complex one. One must take into account its technical, social, institutional and organizational dimensions. If foreign experience is compared with the development of Russian systems, analysing of the latter will most illuminating. In particular, it is interesting to compare the nature of public (dis)trust and readiness of institutions to ensure an acceptable level of transparency, comprehensibility, and integrity of Internet voting systems.
Of interest here is the experience of Estonia, the only country with a fairly stable democracy that has been systematically using this form of voting for all elections for a decade and a half. Another interesting case is the experience of preparing and testing Internet voting in countries such as Norway, where experiments reached the stage of testing in real elections, or Canada, where, after a comprehensive study and accompanying public discussion, experiments with Internet voting were postponed indefinitely.
Russian social and institutional realities are far removed from the situation in countries like those two, but their deeply studied and well-documented experience comes in handy for analyzing different aspects that are not always obvious.
Viktor L. Tolstoguzov
First of all, I would like to clarify the terminology used. REV stands for remote electronic voting, which can mean, for example, SMS voting, telephone and telegraph voting, Internet voting and other systems. When using the term REV, he CEC of Russia refers to the system of Internet voting. Moscow Election Commission and Civic Chamber of Moscow use an even more general term for Internet voting — e-voting. At the same time, the legislation also uses such a term as EVC — electronic voting complex — a system that is installed for voters within a PEC and is a sensor device for voting where the vote is recorded on a paper tape. Therefore, there is some confusion in our country as to what electronic voting and REV actually mean. To avoid confusion, I will write about Internet voting.
It is clear to me that Internet voting systems have a number of fundamental issues that do not allow the principles of openness and transparency to be enforced, which significantly impairs the right to elect and be elected.
These issues include the inability to create a full-fledged electronic equivalent of passport-based voter authentication, expression of will in a closed-off voting booth at the polling station, handling of original paper documents and observation at the polling station, all which are necessary to uphold trust in the elections. Any attempts to bring electronic voting systems closer to classical paper voting systems in terms of the level of trust and simplicity of verification end up producing incredibly complex electronic systems, whose workings can hardly be understood by a single specialist. This limits the rights of citizens, who do not have special knowledge, to participate in tallying procedures as well as hinders necessary control checks of paperless voting systems. Based on this, the use of paperless electronic voting systems in state elections has been banned in a number of advanced countries [38].
I consider the sporadic use of fundamentally flawed voting systems abroad to be a dangerous practice and my assessment is highly negative.
Aleksei V. Rybin
The issues of REV are not unique to Russia. Foreign experience indicates numerous legal issues with electronic voting. For example, the Austrian Constitutional Court concluded in 1985 that elections by mail (postal voting is closest to remote electronic voting procedurally) are contrary to the constitutional principles of public elections and secrecy, since it is impossible to control the act of voting. In Germany and Austria, the most vigorous debates took place over the issue of secrecy of the vote. "The Achilles' heel" of Internet-based elections is the possibility of revealing the will of the voters at the time of casting the vote [16].
Many experts keep chanting "Estonia" as a role model for digital voting. However, Estonia also faces the same problems as all the other countries where electoral authorities are trying to use electronic voting.
According to the OSCE ODIHR Handbook [36], transparency and public trust are cornerstones of democratic elections. Where there is significant distrust or dissatisfaction with election administration, introducing of new voting technologies can be problematic and may further undermine trust in the elections. A step-by-step approach to introducing new voting technologies, along with rigorous testing, verifiability and full transparency, will help build public trust in the new technologies.
Researchers of electronic voting call attention to the fact that the practice of applying various methods of remote e-voting in foreign countries revealed typical possible violations of electoral rights: inadequate secrecy of voting; interference in vote processing systems and the associated need to ensure the invariability of information on the expression of will; difficulty in ensuring observation and control over the remote e-voting procedure [31].
Difficulties in ensuring the principle of protection of the will of voters in remote e-voting are arise from the need to record and store both the data related to voter identification and the direct data on the votes cast. At the same time, international practice came up with a universal approach for this issue. The two types of said data are stored on separate carriers that prevent identification and correlation of data on voter identity and the choice made by them [31].
International experience should be considered, and data on voters and their voting should be distributed to various computer resources, including trustworthy non-government resources.
Andrei Yu. Tsaplin points out that the vast majority of countries that are now mastering remote e-voting are established, "old" democracies [40].
REV is a convenient form of voting for the "advanced" part of the electorate. However, in view of the risks described earlier, rushing with the widespread use of REV in Russia is not a good idea, since Russia can hardly be classified as an "old" democracy at the moment. Rushed introduction of REV may undermine voter trust in the elections where a significant share of voting will take place in a virtual environment without adequate opportunities to monitor its fairness.
Dmitry A. Kuznetsov
The development of the Moscow platform in 2019–2021 is the best practice of creating a system in collaboration with experts from different political structures. This experimental development resulted in introduction of basic methods of technical observation for such a system. However, there is room for development: the system should be even more open. Now, re-voting procedure draws most of the criticism since there is no verification procedure for it.
While examining official data, I was unable to find evidence of fraud, but the data is not enough to draw conclusions.
Viktor L. Tolstoguzov
Experimental use of the Moscow Internet voting platform developed by Moscow DIT confirmed that it is impossible to solve the existing fundamental issues. There is no way to observe the system in its entirety, and therefore it is virtually impossible to confirm or disprove system interference using evidence.
Alexander A. Isavnin
This is a case of highly negative experience. There was no transparency in the work of the City Commission either during election preparation or in the development of the system. Only a cynical election conducted by the executive branch and the subsequent statistical analysis that revealed significant pro-government oddities drew the attention of the public. The work of the so-called technical working group was mostly for show so that propagandists of all levels, including the Moscow Civic Chamber's Alexei Venediktov, could proclaim transparency and lack of issues.
Andrei Yu. Buzin
I see one positive thing in the case of the Moscow platform: the creation and work of the technical group under the developers. Nevertheless, as far as I understand, the members of the technical group have serious complaints about this platform. In particular, they do not have full access to the system's software code.
This is the reason why there essentially can be no convincing evidence of fraud or lack thereof. However, statistical analysis of the data that is available publicly gives reason to suspect fraud.
Yevgeny V. Fedin
I would like to remark on the technical working group that existed in 2019–2021, because it was during its meetings that decisions on REV development and the possible consequences of these decisions were voiced. Given that video footage is available to the public [10], it turned out that the development of this system has been documented.
All of the circumstantial evidence of fraud of REV results of in Moscow in 2021 looks convincing to me. What we can speak of with full conviction is the existence of functional methods of fabricating the result on the part of Moscow's DIT, which in fact managed remote e-voting in Moscow.
Boris V. Ovchinnikov
My assessment is extremely unfavorable. This is an inherently flawed scheme, when in fact even the formal independence of electoral process organizers from the executive branch is abolished and the voting process is completely in the hands of the employees of the mayor's office. However, after the 2021 election, we can say with confidence that the REV does not just have the capacity for electoral fraud — it was actively exploited.
Evidence of fraud includes the difference in the share of "re-votes" between the government candidates and the other candidates, sharp increases in the share of such "re-votes" between the other candidates during certain periods, a splash of votes for United Russia and for the government candidates on Sunday after 2 AM, a discrepancy in the percentage and number of votes for United Russia and for the government candidates in the single-seat constituencies on Sunday after 2 PM.
Aleksei V. Rybin
In Russia, the REV procedure [33] for electronic voting in Moscow, for example, stipulates that Moscow Department of Information Technology (DIT) is the administrator, whose computer facilities store both data on voters and data on the votes they cast. This undermines any trust in the fact that results of voters' expression of the will are protected.
In their own right, radical differences between vote returns at regular polling stations and at electronic polling stations prompt quite reasonable assumptions about fraud at the latter. DIT being completely transparent and willing to disclose all the technical and programing details of implementing electronic voting in the September 19, 2021 election could have easily allayed all suspicion. This level of transparency would have required the department to provide information about the servers in the data centers, specific administrators, key information exchange nodes within the REV system, data storages, etc. However, to my knowledge, the DIT was not particularly willing to disclose all the information, which is reason enough to allege that there is something to hide.
DIT was involved as an interested party in the case 2a-670/2021 opened on the lawsuit filed by candidate Mikhail S. Lobanov in Presnensky Court. The plaintiff asked the court to demand the material data carriers for REV in the digital polling station in constituency No. 197, enlist the help of experts to examine the data and then give an opinion on whether there are any traces of the will of the voters being tampered with. However, the court did not give the plaintiff the opportunity to take the case further, and DIT decided against sending a representative, to whom the plaintiff could ask questions. Instead, the DIT opted to present the court with an extremely succinct two-page response to the claim: there were no violations during the electronic voting, the claim should be dismissed.
Dmitry V. Nesterov
There is definitely a lot to discuss. The nearly three-year history of the development of Moscow's Internet voting system demonstrates that it is technically possible to make an advanced electronic voting system provided there is funding, but the main obstacle to making it more usable is the corrupt political system and bureaucraticy. The Moscow system technically had the chance to become a fairly transparent and secure platform as early as 2020, had the implementation of a number of technical solutions and appropriate procedural decisions been approved. Analyzing three years of decisions and reactions to expert proposals, it is difficult to shake the feeling that one of the main motives of the current executive branch in promoting Internet voting is the desire to have a centralized voting and vote-counting management tool at its disposal; the tool with the option to adjust the results on a large scale, but subtly (this option would allow to remove some of the organizational complexities and political risks inherent in interference with traditional offline voting).
There is not much interesting data available for analysis about the 2020 all-Russian election. It is worth recalling how journalists prevented potential use of virtual voters scheme. There is much more statistical material about the 2021 ballot, which, unfortunately, shows the likelihood of distortion of will during re-voting and subsequent counting processes. Potential use of virtual voters also remains an open question. The scandal that followed the violation of counting procedure and the publication of counter-intuitive results, as well as the consequent unwillingness of the organizers to disclose the necessary data (which should have been either public or available to the election commission and observers) for verification and recount contribute to an increasing distrust of remote voting.
From the point of view of society (at least its politically active part), before September 2021, rational distrust of Internet voting was prompted mostlty by a general distrust of the current institution of government and the non-transparent nature of the newly-launched the Internet voting system. The 2021 election brought about a marked shift in public perception toward an awareness or belief in the reality of domestic interference in such systems.
Oleg Ch. Reut
First substantive talk about the use of REV in Russian elections started in the summer of 2018. It was the year that Kaspersky Lab announced Polys, an online voting system built using blockchain technology and transparent crypto-algorithms (ru.polys.me). Surprisingly, in three years neither political parties, nor candidates, nor public observation entities have come up with any definite viewpoints on the theory and practice of Internet voting.
Starting with the 2019 Moscow City Duma elections, every year goes through the same pattern where parties and candidates underestimate the extent to which electronic voting affects final results. On voting days, there are no party or independent observers who have proper training in specialized observation and documentation of subsequent electoral disputes. All charges of possible fraud are based on identifying anomalies, which is clearly not enough to demonstrate a willingness to defend the electoral rights, neither within election commission system, nor in court.
At the same time, the target of accusations of potential fraud is unclear. Winning candidates are appointed defendants, as well as their campaign headquarters, "political process operators" that organize elections, Moscow's Department of Information Technology (DIT), system administrators of state services portals and the official portal of the Mayor and Government of Moscow, and even software developers. The presumption of guilt of all the abovementioned actors is "confirmed" by the Yuneman case, which justifies why, as of 2019, "the use of electronic voting in elections is the new life for the administrative resource".
In the circumstances under consideration, people who are dissatisfied with electronic vote returns are "doomed" to claim fraud, which reduces the credibility of electoral procedures. In their turn, members of commissions responsible for REV prefer to turn a blind eye to deviations from the procedural regulations and even to violations of law, any of which certainly requires a modicum of public response.
After the 2021 elections, Internet voting stopped being an innovative technological experiment and turned into an inevitable routine. However, not only the much-needed discourse about electoral cybersecurity is stalling — as a matter of fact, it is getting overcomplicated and pushed to switch from Internet technology analysis to normative judgments about the social and political consequences of using said technology.
The aspects that keep fuelling the increasing distrust of online voting are voter intimidation, unreliable and unsafe Internet connection, violation of the secrecy of the vote at any stage of voting, possible identification of voters and the data on votes casted by them [35].
There is a new development, however, and it's methodologically weak reasoning using anomaly statistics. Instead of mapped and well-documented vulnerabilities, descriptive or explanatory patterns of voter behavior (electoral choice determinants), the seemingly illogical (usually from a comparative perspective) anomalies are used as fundamental "evidence of fraud". When translated into post-election context, anomaly statistics can hardly be the foundation for legal claims. Being the subject of dispute, the statistics is not a relevant enough evidence that proves the existence of significant violations of the will of the voters, and, therefore, predetermines the court decision.
In this context, electoral experts should not so much discuss how electoral trust "works" in the digital era, as to develop a methodology for substantiating Internet surveillance, adapting and modifying it while keeping in mind the existing technological solutions and socio-political realities.
Andrei Yu. Buzin
This system is completely unavailable for public scrutiny. But it is one that will be implemented in the near future. Considering the current situation with the institution of elections in our country, it will continue to amplify distrust of elections. Introducing CEC-based REV is consistent with the overall anti-democratic direction our country is being taken to.
Alexander A. Isavnin
As compared to the case of Moscow, transparency was non-existent: the CEC expert group included only the "tried and trusted" participants and was essentially a closed one. However, the developers from the CEC considered and implemented a number of proposals made by the Moscow technical working group — the proposals that Moscow's DIT rejected.
Aleksei V. Rybin
I suppose it is not that different from the Moscow platform. The federal platform results did not lead to any scandals, apparently only because there was no need to "manufacture" anything using REV.
Viktor L. Tolstoguzov
There is little difference between the Moscow platform and the platform developed by Rostelecom that the CEC uses.
I was an REV territorial election commission (TEC) member with consultative vote at the September 19, 2021 election. This TEC was tallying the results for 1691 votes. I wrote multiple requests to the CEC asking for copies of electronic documents that our TEC needed to determine vote returns, but I did not get a proper response even after a month. I was not allowed to review system documentation on the grounds that these documents were for official use only (FOUO) either, nor was I granted proper access to the system during my work. I've also encountered multiple other technical and organizational restrictions.
Dmitry A. Kuznetsov
Considering the fact that he system was developed a year after the Moscow platform, there doesn't seem to be any common elements. The CEC's REV system served a different technological purpose: holding multiple votes with the possibility of centralized control of the system.
Publication of some technical documents marked a whole new approach to documenting such systems. At the same time, the dialogue with the technical community looked was less transparent at the creative stage: the CEC's technical group was not open to the public.
Yevgeny V. Fedin
This year I was appointed as an REV TEC member with consultative vote. I was surprised to encounter the level of opposition that I did from three staff members of the CEC. The TEC's chair and vice-chair lacked any previous experience in such jobs, and although other members were more qualified, the overall impression of TEC activity was still unpleasant. Perhaps training could have improved the situation, so it is definitely a missed opportunity. It is likely that this is the reason why a large amount of work had to be performed by RTLabs staff on the REV TEC premises, and they were not part of the TEC itself.
Dmitry V. Nesterov
REV system developed by Rostelecom is a very interesting case, especially when comparing it to Moscow and considering how this is in fact the first project of this scale. We can actually see that the two systems follow two slightly different, but also quite non-transparent trajectories. At the same time, there are no conceptual technical hurdles for making the system more transparent and auditable.
I can see some positive aspects in how the electronic ballot confirmation system was implemented. The system's description was also made publicly available, albeit late and not in full form. However, the refusal to make it possible for the voter to check their own vote and the introduction of a verifiable re-voting procedure, in fact, negates the first advantage.
At this point, I would say that Rostelecom's REV system is conceptually not yet ready to be used in elections either. And yet again, the vulnerable point is the lack of traditional public protection mechanisms against the will of the voters being distorted by internal interference.
Boris V. Ovchinnikov
There were no big scandals around the "federal" REV this time. However, I'm not sure that this is grounds to say that it is fundamentally better. Perhaps the reason for the lack of major scandals is simply that the data from the federal REV was not analyzed as thoroughly, and that the actors who control the federal REV had no direct need to use the opportunity to "tamper" with the results. After all, the central government (as opposed to regional governments) did not mind the prospect of letting a certain number of moderate opposition candidates (such as A Just Russia in Yaroslavl Oblast) through.
In any case, the basic problems of using REV in Russia — lack of effective public control (including protection against ballot stuffing and vote transfers), lack of real guarantee of the secrecy of the vote, REV allowing voting under the supervision of anyone other than the voter or even voting for other persons — are just as inherent in the "federal" REV as they are in the Moscow platform.
Viktor L. Tolstoguzov
There are some small differences, for example, the declared encryption methods or the information about the algorithms used, but there are no fundamental differences between the two. You can't fully observer the workings of the federal system either.
Andrei Yu. Buzin
The external difference is that the Moscow platform allows for re-voting. I believe this an advantage. The development of the Moscow platform was more transparent than that of the CEC platform.
Alexander A. Isavnin
The cryptography of the CEC platform was definitely much more refined than that of the Moscow platform And the CEC did not shy away from publishing (albeit without any signatures of people in charge and any connection to "Procedures...") a number of documents.
In both cases, the use of blockchain technology made no sense whatsoever, it was more of a false target that propagandists used to convince the public of the reliability and secrecy of the vote.
Surprisingly, in both cases we do not know the opinion that agencies responsible for information security and cryptography have of the system: the Federal Service for Technical and Export Control and the Federal Security Service.
Dmitry V. Nesterov
Both REV systems are limited by the conditions, parameters, and objectives set by the political groups and agencies that make decisions about the development of said systems. Neither system has mechanisms to control electoral roll accuracy (the main protection against large-scale manipulation of electoral rolls). Neither system has proper mechanisms for voters to verify their own vote (the only external protection against large-scale vote fraud and incorrect counting). The federal system lacks a re-voting mechanism altogether. And its implementation in the Moscow system turned out to be paradoxical, where it (allegedly) does not entail any direct means to verify that the re-vote was properly registered.
Neither system is safe enough to use in elections in terms of transparency and protection from internal interference. At any rate, it is not safe enough for the average voter . Considering the above-mentioned shortcomings, the technical differences are secondary when it comes to actually using the systems in elections.
Yevgeny V. Fedin
As of 2021, the biggest visible differences, in my opinion, were as follows:
(a) The Moscow platform allowed for re-voting, the CEC platform did not;
b) the code of the CEC platform [4] appears to be more thought-out than that of the Moscow platform [27], and it sticks out—despite the fact that only parts of the source code are available for both systems;
c) in the course of REV, technical glitches were registered for the Moscow platform only (perhaps the reason is that the elections in Moscow were more competitive and attracted more attention);
d) the encryption scheme used on the CEC platform looked more interesting;
e) some documents are published for the CEC platform [24].
Dmitry A. Kuznetsov
The main difference in technical solutions is found in how anonymization, encryption and re-voting were implemented. Without going into a discussion of the two agencies: the CEC used the classic He–Su protocol for anonymization, while the DIT developed its own anonymization protocol, which failed to inspire any confidence in me personally.
At the same time, for the counting procedure, the CEC platform uses homomorphic encryption that does not decrypt each individual ballot instead of individually decrypting and publishing the decrypted ballots and the decryption key, like the DIT platform does . I believe that the DIT platform, although less elegant technically, is more voter- and observer-friendly.
The re-voting system proposed by DIT, in my opinion, is ineffectual and requires serious refinement in terms of the verifiability of tallying if it is to be used in the future.
Alexander A. Isavnin
Of course. But there have to be both technological and organizational means for that. It is possible that they will be in some way similar to traditional elections, but completely unexpected in another way.
Andrei Yu. Buzin
In terms of software, the secrecy of the vote can be ensured to a very high degree. Such secrecy techniques are used in banking, where, nevertheless, fraudulent activities occurred and will continue to occur. It is not about the absolute preservation of secrecy, but about increasing the degree of protection of the vote with the possibility for the voter themselves to verify that it was registered correctly.
An essential condition for preserving the secrecy of the vote is the open program code of the REV system.
Dmitry A. Kuznetsov
From the technical point of view, these are solved issues. Secret voting protocols are their own theoretical and practical branches of cryptography. In my opinion, He–Su voting protocol protects secrecy of the vote well enough — keeping the voter's account and the choice he or she made unaffiliated while ensuring that unauthorized persons cannot vote.
Trust in the counting procedure can be ensured by greater transparency of the procedure itself. In my opinion, it is worth looking at Estonia in this matter, where commissions activities are public and cooperative, which fulfills the principle of collegiality.
Dmitry V. Nesterov
In theory, guaranteed secrecy of the vote in REV system is possible. However, the main problem with the secrecy of the vote is that its observance is difficult to guarantee and prove. This applies to almost all Internet voting systems. To simplify things a bit, even the software component of anonymization in the Moscow system (even if one is sure of it) does not guarantee an irreparable connectivity break between the voter and their will. Indirect reconnection is theoretically possible, such as through the logged service information of REV components or external server infrastructure. There is no external control over the absence or non-use of such information, as well as the parameters of the generated service information in existing REV systems.
Ways to ensure accurate counting, guarantee its correctness and provide independent verifiability of the results are standard for electronic systems with secret ballots as well as known. The fact that such measures are lacking in Russia's current Internet voting systems is, in my opinion, a consequence of the political will of administrations and other actors involved in the process.
Boris V. Ovchinnikov
Theoretically (and technically) the tasks of ensuring the secrecy of the vote and accurate counting do not contradict each other. It is more difficult, but seemingly also possible, to combine them with the third element — transparency of voting and counting, the possibility of effective public and candidate control.
However, solving these problems is impossible in Russia's current climate, as it requires political will and a willingness to give up monopoly decision-making. Moreover, even if these problems were suddenly solved, this would not significantly improve the situation: there would still be lack of trust in the secrecy of the vote from a significant part of the electorate (which can affect their choice) and the distrust of society as a whole online vote returns.
Viktor L. Tolstoguzov
Since it is impossible for observers and commission members to check the Internet voting system to a sufficient extent in practice, there can be no guarantees of secrecy of the vote and accurate vote count for an external observer. At present, the exact count and secrecy of the vote are ensured only by proclamations made by developers and possibly by some private documents that the public was unable to obtain. In addition to the practical impossibility for external observers to separately verify the secrecy of the vote and the accuracy of the vote count, Internet voting has a fundamental problem of being unable to ensure these two conditions simultaneously. I'll try to explain it.
In Internet voting, the small physical size of the data carrier for the expression of will (which is as small an electron) as well as the remoteness of the voter make it impossible for commission members to make sure that a particular voter received the ballot, voted, their vote was not distorted and they did not vote twice. Therefore, for Internet voting, the unique physical image of the voter is replaced by a unique number associated with their name and address in a database. This number is assigned to each electronic ballot and then sent to the voter. The number of the returned ballot is checked against the database. Moreover, the system learns other parameters, such as the IP address of the voter and the software version. But if each ballot has a unique number, then the secrecy of the vote can be revealed. You cannot avoid to use ballot numbers, because if you do, you may receive as many ballots as you want from each voter or other persons, which will disrupt the accurate counting of votes. Using various ballot encryption schemes (including homomorphic encryption) does not solve the problem, because once the results are decrypted, the data of any electronic ballot tied to its unique number must be disclosed for a clear, open and transparent vote count. What still stands is the problem of explaining how the unique number is separated from the data on the will expression within an "invisible" digital ballot in an open and comprehensible manner. The same problem at a regular polling station is solved simply when the voter puts their ballot into the slot of a transparent box n the presence of the commission and observers.
To date, no developer has provided sufficient evidence that their system ensures the secrecy of the vote and accurate vote count. The arguments usually boil down to references to selected theoretical works on encryption and the construction of linked lists. However, the proof of performance of the entire system cannot be based only on individual theories, as their implementation, the operating environment and all other stages of working with processed information are also important. The developers also did not provide a way to prove that it is the previously announced solutions that are used at the time of voting, and not something else, that some other algorithms are not at work at the same time. There are no such verification methods in the normative documents on Internet voting, but even if they are introduced, all concerned citizens will have to learn large amounts of specialized knowledge. The developers did not provide any alternative apparent ways to verify Internet voting systems.
As an example, a meeting of the technical working group during the testing of the Moscow system demonstrated that the result may distorted on the user device and the developers can not detect it. The demonstration was recorded on video in the presence of representatives of Moscow State Election Commission, DIT, CEC and various public organizations. Therefore, the will of the voters can also be distorted by factors unrelated to the system: hardware engineers, electrical and network equipment, user devices, operating systems, drivers, browsers, voting applications, administrators as well as hackers.
The regulations make no mention of the methods of monitoring the voting process on the user's device, as well as everything that happens on the server hardware before encrypted information is published. Moreover, it is difficult to obtain supposedly public information with data of will expression in encrypted form. I, as a member of the REV TEC, was unable to look through the documentation for the federal system. I was also unable to obtain copies of documents with encrypted data on voting results, even after an official appeal to the REV TEC and a complaint about the lack of a proper response to the CEC of Russia.
Yevgeny V. Fedin
Ensuring secrecy of the vote in REV is possible, but I am convinced that neither the Moscow platform nor the CEC platform guarantee it. It is possible to ensure an accurate vote count in REV, just as it is possible to ensure it at the same time as the secrecy of the vote.
One of the main problems with the platforms used in Russian election was that they did not guarantee personal voting. By gaining control over someone's personal account on Gosuslugi / Moscow Mayor's portal, an offender could vote for another person. Sometimes the requirement was to enter the numbers that were sent to the phone number "linked" to the personal account. But again, anyone could have done it instead of the voter themselves. The most famous video this year is [44], and a journalistic investigation by Anton Bayev [1] made a splash last year.
Moreover, there were cases of voting using outdated data on the electoral roll. Probably the best documented case is that of a voter in PEC No. 1039 [13], but this is not the only case [45; 18], and the total number is difficult to estimate.
Aleksei V. Rybin
Remote e-voting is the most problematic in terms of control. As was aptly noted by Yevgeny I. Kolyushin, "compared to automation, digitalization translates real phenomena into a virtual world, which creates a new concept of "virtual reality". Access to this world is coded. Reality recedes into second, third, or perhaps tenth place, depending on the software. If you digitize voter V.A.A., it is not the voter themselves, but their a digital copy that will participate in the election. The question about the legal mechanisms of the identity of this copy and the real voter thus arises [17].
Remote e-voting is more complex from the point of view of technology. It requires special hardware and software, as well as a special infrastructure of multiple-computer network with nodes for information processing and transmission. If it is possible to control this complex technical system, then the candidate or party will need a highly qualified IT, programming and communications specialist. Not everyone can afford it, however. And then there is the question of the equality of competing forces in elections, the forces that are mostly interested in the integrity of the vote by observing it.
The voters are in an equally flawed situation, and the vast majority have no idea how REV works, and are forced to trust election officials that no one's vote will be lost or altered or switched.
Andrei Yu. Buzin
This is not a matter of organization of elections, but a matter of organization of the state. However, re-voting may reduce potential intimidation and bribery.
Oleg Ch. Reut
Such control is a characteristic of the current political regime. Organizing and conducting elections, the use of digital technology cannot be considered outside the context of the regime and its characteristics. By now, consolidation of Russian authoritarianism is nearly complete; for a regime that exists in the form of personal autocracy, it is fundamentally important to ensure the irremovability of power and its personification. Consolidating authoritarianism means creating institutional opportunities for "controllable" or at least "predictable" electoral results, and REV is one of the tools.
Viktor L. Tolstoguzov
Since it is effectively impossible to ensure the presence of observers, commission members and the police in all rooms where voters vote online, it is only possible to minimize this problem by minimizing the number of voters who vote online. It is best to abandon this method of voting altogether.
Dmitry A. Kuznetsov
REV is not a cure-all for bribery or intimidation. The problem of intimidation and bribery must be solved by prohibiting such actions and holding the perpetrators accountable. In my opinion, re-voting does not solve the problem of intimidation.
Alexander A. Isavnin
Solely by fostering civic responsibility within targeted groups. Even now, representatives of such groups do not give away their passports or Internet banking passwords so easily. It is necessary to cultivate similar attitudes when it comes to government services accounts and electronic signatures. Unfortunately, even in advanced Estonia there are complains about how the introduction of electronic voting made bribery and controlled voting easier. In Estonia, this type of control is apparently exerted via home delivery
Boris V. Ovchinnikov
Partial improvement is possible if we limit online voting to weekends. Voting interface could also display information on the illegal nature of things like voter intimidation and control with references to articles of the Administrative and Criminal Codes.
Yevgeny V. Fedin
Free independent media, functioning law enforcement agencies and courts would have a very good effect.
Speaking of a technical solution, in my opinion, there are no options to comply with the legislation on using REV without having a commission member and a voter go on video call before the fact of voting so that the former could verify that the latter is voting personally, freely, voluntarily and without anyone else standing behind their back. This will provide some control over how targeted groups vote. Bribery detection can be done through searching for opportunities to sell the vote before the vote.
Dmitry V. Nesterov
In the practice of Internet voting (with secret ballots), the main means of minimizing supervised voting is the ability of voters to re-vote an unlimited number of times. Re-voting must be implemented in such a way as to (1) preserve the secrecy of re-voting on the one hand, (2) preserve the control of the voter over their own vote and (3) allow verifiable and transparent vote count. With such a re-vote option, the control of the vote cannot be broad and yet effective, because the controller cannot be sure that the voter will not change their mind.
Properly implemented re-voting is a necessary component of Internet voting systems. It compensates for the additional risks of vote control that arise in simple implementations of a system that controls the correctness of the voter's own vote. Re-voting also provides effective insurance against technical glitches during voting, preventing you from losing your right to vote due to a communications breakdown, software or hardware failure.
Oleg Ch. Reut
Such controls should cease to be public in the sense that the tasks of prevention (auditing, consulting, proactive protection), response (in case of misuse) and investigation of cybercrime should be performed by professional teams outsourced to a new generation of citizen observers. Only they can create their own products and services, develop hard and soft skills, and create local practices that enrich global expertise.
Alexander A. Isavnin
Voting protocols developed by mathematicians can provide such a guarantee. But their implementation requires precision and transparency.
Andrei Yu. Buzin
The open code of the REV system is essential for public scrutiny. Another effective means is the possibility for the voter to check if the vote was registered (which to some extent contradicts the principle of secrecy of the vote).
Dmitry A. Kuznetsov
First of all, the composition of the election commission should be formed on a competitive basis. The counting procedure should not be performed by unnamed technicians. The commission must participate in the technical counting procedure and act in an open and transparent manner.
Yevgeny V. Fedin
If REV as a form is not abandoned in Russia after the 2021 scandals, the public will have to strive for a proper control system over the REV platform. This will require providing access to server infrastructure for REV election commission members and possibly observers. Another requirement is the opportunity to analyze all of the logs written while the REV platform is in operation.
Boris V. Ovchinnikov
I believe that the right thing to do in the current Russian climate is to abandon online voting altogether: the level of development of society, political sphere, and civic awareness is insufficient, to put it mildly.
But if we think within the framework of "how to minimize evil," then, of course, we need to separate the organization of online voting from the executive branch. We need to make the entire code public (and in advance at that), we need to make electoral rolls indicating who voted public (at least accessible to the representatives of candidates), we need to abandon the mechanism of re-voting, we need to publish more detailed online vote returns. And in fact, there is nothing prevents making it happen through regular PECs.
But in order for public control to be really effective, independent courts, politically neutral investigation and watchdogs, an independent and objective CEC as well as many other, alas, mythical elements, are still needed.
Viktor L. Tolstoguzov
It is impossible to provide effective public control over Internet voting in practice, since all participants of such public control need to have special knowledge to understand how the Internet voting system works in its entirety. However, finding even one expert with such breadth of knowledge is unlikely. Even the simple questions in this discussion required expert answers.
The obligatory requirement to make it possible for any citizens without special knowledge to participate in the control of Internet voting systems, as well as many other important points, are covered by the document on the requirements for the Internet voting system specifications [39]. The document was developed by members of the technical working group under the Civic Chamber of Moscow. The requirements were developed based on the principle of maintaining the possibility of traditional voting with paper ballots. If implemented, these requirements would ensure effective public control of Internet voting. The document was sent to the CEC of Russia and the Moscow DIT. However, neither Moscow DIT, nor Rostelecom have been able to meet this requirements so far.
Dmitry V. Nesterov
Standard technical and procedural solutions that are standard for such systems and will eliminate the main risks must be implemented. The risks include voter fraud, stuffing of virtual ballots, unauthorized voting or re-voting for voters, and incorrect tallying of results.
Independent experts have repeatedly proposed a list of measures to eliminate these risks, and the list is quite a long one.
Speaking of general fundamental points the management and control of Internet voting systems should be diversified and decentralized while unrestricted participation in Internet voting is maintaned. The management of Internet voting systems should be largely delegated to election commissions, with separate control and independent tallying of results at the regional level. At the CEC level (at least for regional and federal elections) it should all be centralized.
Voters should have control over the accuracy of their vote and the electoral actions they take. Commission members and observers should have a set of multifactor control measures over the correctness of the electoral rolls, the operation of the Internet voting system, and results tallying. The tallying itself should be based on a more public, well-regulated, and reproducible handling of the data (arrays of encrypted ballots).
We also ought to get rid of the nearly full mediation of voter's actions during authorization/verification systems at Internet voting application stage and when receiving a ballot during voting. At the moment, there is no interaction between voters and election commissions, which makes the integrity of the vote dependent on the integrity of the operators of the authorization/verification systems. At the very least, it makes sense to attach a scan of a short application with the passport number and voter signature when applying for Internet voting via Gosuslugi. These scans should then be forwarded to the off-line precinct commissions as grounds for removal from the electoral roll at the PEC. It probably makes sense to additionally confirm that the re-vote is done personally, in some easy way that election commissions could verify.
Aleksei V. Rybin
The only universal way to prevent voter fraud is dependent (on the forces competing in the election) and independent observation. From this point of view, REV in the browser on your home computer or smartphone cannot be monitored. Therefore, REV in this form should be avoided at this stage. If we are going to use REV, it should be done in specific locations (shopping malls, Multifunctional Centers of Public Services, libraries, etc.) and they should not be too many, but they must accommodate the presence of observers. Voting booths in these locations need to be equipped with computer technology, so that voters can vote in an intimate setting. And that would be available for observation. In this case, we need to review the current regulation of observation: simplify the possibilities for observation, increase the number of observers, introduce mandatory video surveillance with broadcasting for anyone interested.
It should be noted that REV surveillance requires highly qualified specialists with special knowledge in programming, cryptography, technical communications and computer technology.
It seems that the most effective means of controlling REV is to modify the secret ballot procedure. In this case, each voter should have a real opportunity to trace the correct recording of his vote in the commission's final protocol.
Moreover, to eliminate the possibility of fictional virtual "voters," it is necessary to disclose and publish the electoral roll of voters who used REV, so that candidates and parties, as well as voters, can see that all these voters on the roll are real. Such experience is found in Armenia, where electoral rolls are scanned and published on the website of the Central Election Commission of Armenia after the results are summarized [29].
Andrei Yu. Buzin
To a very high degree. In as much as the government connection.
Yevgeny V. Fedin
Rather no than yes. In the medium or long term, perhaps a solution can be sought in North Korean practice.
Viktor L. Tolstoguzov
I believe that due to the existence of fundamental problems, it is impossible to make the Internet voting system secure enough for state elections.
Boris V. Ovchinnikov
I would not venture to judge, since I am not an expert. But, unfortunately, a much more pressing question is how to secure the process against influences from within? (I'm talking about influences that distort the results of the expression of will). And within the framework of the current political system in Russia, this question does not seem to have an answer.
Alexander A. Isavnin
A perfectly secure computer is one that is located in a closed room and not connected to the Internet, and one that is turned off altogether is the most secure of all.
Today's technology and methodology make it possible to minimize the risk of such interference or make it easily identifiable. In this case, the willingness of election organizers to do so and the openness of their actions is what matters — in information security, lack of procedural transparency is also out of favor.
Dmitry A. Kuznetsov
There is a vulnerability risk in any software. For this purpose, the source code is tested by specialized information security organizations. The code may also be made available for public testing, and those who detect vulnerable points are rewarded financially (see [11] — vulnerability discovered by P. Gaudry). Partial publication of the source code is not sufficient for such an analysis, the source code of the whole technical solution should be made available. The results of the external commercial testing must be made available to the public.
Dmitry V. Nesterov
Both a computer and a complex server system that has Internet access can be protected against external attacks as thoroughly as one prefers. However, since the environment in which some of the Internet voting processes take place is an open one, full protection against an unlimited range of possible attacks cannot be guaranteed.
A theoretical protection against this uncertainty factor can only be the possibility of cancelling vote returns in case a large-scale external (or internal) attack is detected. Given this fundamentally non-zero probability, it should be possible to call for e-voters to vote at regular polling stations on the main day of voting. For this to be done, electronic voting must be early (like, for example, in Estonia).
In the context of Russia, it is acceptable for Internet voting to take place on Saturday, when the main vote is held on Sunday.
Oleg Ch. Reut
Unfortunately, "evidence of fraud" built solely on statistics of anomalies steers virtually stops the discussion of the causes of electoral hacking. As a rule, this evidence is reduced to the deduction of some essence, whether it is social injustice, the desire for self-affirmation or enrichment, lack of resolution for some particular socio-political conflict. In fact, such a state of affairs makes electoral hacking a political phenomenon in at least one important sense — hacking turns out to be a subject of social and political relations, since it affects the election campaign and elections as a process of gaining political power.
But even if we ignore the questions of why transnational hacking teams targeted election on September 17–19, 2021, there is still an open question of why the criteria of successful hacking ("hacking the electronic voting system" that is) are taken out of the context of explaining the difference between the results of paper and Internet voting.
Aleksei V. Rybin
On September 17, 2021 from 8 a.m. to about 2 p.m., the Gosuslugi portal was barely accessible and "froze up," which is confirmed by numerous media and blog posts [43; 21; 32]. Thus, the question of interference is not an idle one.
In theory, foreign interference can be excluded by creating a closed network for voting within Russia (similar to SAS "Vybory", which has no connection to the global network). However, I believe that the foreign threat looks more like a scare than something posing real danger.
The real danger to fair elections in Russia comes from administrative resource, which is something purely native to the country. And for now, there are no good solutions for getting rid of the interference in the remote e-voting system. If the system for remote e-voting is sourced from the executive branch, then we find ourselves in a situation from the proverb about "the goat in the cabbage patch. Nothing can be guaranteed if it is all sourced from private entities either, if these entities are few and they are subject to administrative pressure. Using resources specifically provided for the election authorities to host the system is bound to be problematic as well, as one will have to recruit extra IT, communications, programming and other staff members.
The key issue with remote e-votingis that it is not conducted by election commissions, but by technical specialists, system administrators and programmers, and their knowledge is so far removed from the mundane that it is impossible for an regular member of election commission to understand what such a specialist is doing in the remote e-voting system at any given time.
Therefore, I believe that there is no way external intervention in the broad sense can be excluded in remote e-voting. And that is its main infrastructural vulnerability.
Received 10.11.2021, revision received 14.11.2021.