The paper discusses the trends in regulation and use of remote electronic voting (REV) in international practice and in Russia. The main form of voting proposed for consideration is voting at the polling station on the election day. This form is considered to have the lowest level of risk of election fraud and subsequent distortion of the will of voters. The risk is directly proportional to the framework for public scrutiny of voting integrity — the wider the framework, the lower the risk. All other forms of voting (e.g. postal, early voting, multi-day voting, etc.), except for the main one, are regarded as derivative (additional, subsidiary) from the main one. This study classifies REV as one of the derivative forms of voting and as the riskiest form, and therefore in need of additional measures of legal protection of the results of the voter will expression. The paper analyzes the existing means of protecting the results of voter will expression in REV and their sufficiency to achieve the constitutional goal of free elections. The main conclusion is that REV, as a new form of voting, also requires new relevant means of protecting the results of voting. Among these means, the focus is set on improving observation during REV.
Research objectives. In order to determine the full range of legal risks associated with remote remote e-voting, streamline those risks and propose a protection system, it is necessary to conduct a dialectic analysis of e-voting implementation both in Russia and globally. One also has to determine the nature of the legal mechanism for the expression of voters' will in e-voting and its transformation into vote returns with respect to legal risks, identify the effectiveness of existing legal measures for voting results protection in e-voting in this case, and propose additional measures of protection if the measures are insufficient.
Advantages of REV. Internet usage studies show that about 80% of the Russian population go online on a regular basis [15]. The high degree of Internet penetration in Russia brought forth a high demand for digital services, digital communication, etc. Rapid digitalization, caused by the accessibility and convenience of communication on the World Wide Web, gave rise to a new social and legal phenomenon — electronic democracy (e-democracy), which has become a research focus for legal scholars [12; 35].
Remote e-voting (REV), also known as Internet voting, is one of manifestations of e-democracy.
Researchers [1; 29] attribute certain advantages of REV that can accelerate its spread in the future. These advantages include convenience and accessibility (ability to vote from anywhere), sustainability (no need for paper ballots), cost effectiveness, increased turnout, quick and accurate vote tallying, appeal for young voters and Internet users, voting process and voiting result security.
REV implementation across the globe. For at least two decades, several countries have experimented with Internet voting. Estonia might be the most successful example of such an experiment, where the issue of Internet voting was first raised in 2001, and since 2005 it has been considered an additional and legally binding form of voting [17].
According to the data sourced from E-Voting.CC website [6], four countries used Internet voting in 2015: Canada, Switzerland, Estonia, and India. Four more countries were discussing the experimental use of Internet voting: Iceland, Great Britain, Lithuania, and Finland. Norway, Austria, Germany, Ireland, and Kazakhstan abandoned this form of voting for various reasons after experimental use of REV. About 40 other countries in Europe, South America, Africa and Asia led theoretical discussions about the possible use of REV in elections.
As a result, REV is not yet a common official form of voting on the one hand, while on the other its advantages serve as an incentive for electoral authorities to continue experimenting with its use, although the results of such experiments are controversial.
In Russia, REV was a subject of long discussion and cautious experimentation, and finally the pandemic prompted the Russian authorities to use it extensively.
In the early stages, the introduction of REV into electoral practice did not spark much legal controversy. However, the 2019 REV experiment in the three districts of Moscow within the framework of the Moscow City Duma election prompted two court cases that present as intriguing cases for subsequent analysis of voter protection.
Candidate Ivan V. Ulyanchenko challenged the REV procedure approved by the Moscow City Election Commission in court [38]. Along with other arguments, the plaintiff believed that a) the REV procedure does not provide for voter ID verification by election commission members before providing an opportunity to vote; b) does not provide for voting with an invalid ballot; c) does not guarantee the secrecy of the vote, since the "encryption" of data does not fully ensure the secrecy of the vote due to the lack of legislative regulation and proper technical means.
However, the court dismissed the claim, rejecting all arguments of the plaintiff and pointing out that the special software that performs the encryption procedure for the expression of will is the proper system to ensure the secrecy of the vote. Moreover, the court concluded that participation in REV is an additional guarantee of active suffrage and does not oblige a citizen to take part in voting only in electronic form.
The other 2019-related case directly concerned the processes of voting and vote tallying in the REV system [37]. To support his claim, Roman Yuneman, the plaintiff, indicated that the system experienced at least three failures on election day, resulting in the inability of voters to vote for an extended period (about a third of the voting period) and making it impossible to ensure that the vote was recorded correctly. Since the voter had limited time to exercise their will, the failure that occurred could directly lead to the inability to use the ballot, resulting in 148 ballots issued but not used. It should be noted that the vote gap between Yuneman and Rusetskaya, who won the constituency, was less than 100 votes.
The court dismissed this claim as well, concluding that the glitch that occurred could not have affected the will of the voters and did not interfere with the expression of the will of the voters. After the REV system was restored to working order, voting continued as normal. All voters who experienced the technical issues were able to successfully participate in voting after the system was restored.
There were no court disputes during the 2020 implementation phase.
The last phase (2021) of REV implementation may have been the most controversial. All of the court cases (see, for example, the case of the CPRF and Mikhail S. Lobanov against Precinct Election Commission (PEC) No. 5013 [41]) concerned elections in Moscow: the State Duma election, Moscow City Duma election, and Shchukino Municipal District election.
In general, the plaintiffs' arguments boiled down to the fact that the REV system used during September 17-19, 2022 was incomplete and insecure; that it allowed adding any person, including fictitious voters — bots, to the electoral roll; that the data of the election observation site during the voting did not correspond to the data of the observer "node" (the computer connected to the REV system information resources, designed for the purpose of monitoring the system); that during the voting the election commission and observers had no information about the voting except the turnout numbers; that during the vote decryption procedure, the observers lost access to the database starting 8:00 PM on September 19, 2020; that the members of the election commission did not see who was getting the ballots, as they were actually by the operator of the REV system — Moscow Department of IT, subordinate to the Mayor of Moscow Sergei S. Sobyanin, who ran in the State Duma elections as the ruling party candidate and endorsed the candidates from the so-called "Sobyanin's team" who won 15 constituencies exclusively thanks to their victory at the corresponding "digital" polling stations; that after the voting was over, commission members did not see the ballots being "removed" from the electronic ballot box; that commission members themselves could not check that the list of those who voted and the vote count was correct that the REV system allowed for a re-voting procedure in which all votes cast in the REV were individualized and linked to the voters who cast them; that the re-voting procedure contributed to the violation of the voters' will and to the distortion of vote returns using the REV by shifting votes from the virtual "stack" of opposition candidates to the "stack" of ruling party candidates during the re-voting process.
The courts dismissed all claims, concluding that the procedure for anonymizing and encrypting the vote cast ensured the secrecy of the vote, that the authentication and ID procedure with confirmation codes ensured voter identification, that the bona fides of voters who should not transfer vote access to others were presumed, that arguments about vote decryption interference and incorrect counting were unsupported and built on plaintiffs' assumptions, that there were no court sentences for vote returns falsification at the REV polling stations. Nor did the courts see the influence of the mayor of Moscow on the REV system operator, believing that the plaintiffs had not proven violations, and the publications [10; 23; 24; 27; 30; 47; 48] in the press showing statistical calculations of voting and vote tallying anomalies were not sufficient evidence to establish gross violations of electoral legislation.
As a result, legal disputes highlighted some of the practical legal risks in the "electronic digital" form of expression of will in elections.
Forms of voting. The actual will of the voters must first meet the substantive criteria set forth by the Constitution. Section 3 of Article 3 of the Constitution stipulates that free elections are the supreme direct expression of the power of the people. Free elections ultimately manifest in the results of the expression of the will of the voters, and they must be reliable. Reliability is achieved when the actual will of the voters (as a subjective intention to make a choice in favor of a particular candidate or party list) coincides with their expression of will (as an external action fixed in the ballot paper).
Section 9 of Article 2 of Federal Law No. 67-FZ defines elections as a form of direct expression of the will of citizens for the purposes of forming a body of state power, or vesting an official with powers. According to Sections 1 and 2 of Article 3 Federal Law No. 67-FZ, voters express their will by secret balloting.
Traditionally, the main form of secret ballot in elections has been voting at polling stations in the voting room and on election day by personal attendance, filling out a ballot in a booth and dropping it into a stationary ballot box.
The legislation on the experimental use of REV in various elections and in the constitutional amendment referendum [7; 8; 34]defined remote electronic voting as voting without a paper ballot using the REV software and hardware system, which the REV participant accessed through an Internet portal.
As a result, the following should be considered as main features of the Russian REV model: 1) electronic voting; 2) use of mobile or stationary computer equipment by an REV participant; 3) absence of a paper ballot; 4) use of a hardware-software system by the election body; 5) communication between the voter and the organizer via the Internet; 6) voting in an uncontrolled environment; 7) voting by a voter in an arbitrary location; 8) running election procedures on a special website (portal).
It should be noted that REV is a derivative (additional, subsidiary) form of voting, because it is used along with the main form of voting, does not exclude it, and is designed to draw more participants to the voting process — those who find it more convenient to vote via the Internet.
How do REV and the main form of voting compare in terms of various risks?
Election fraud. O.A.Kravchenko defines electoral fraud as any kind of distortion of the will of the voters [22]. Electoral fraud is intentional distortion of voting results by manipulating electoral documents that certify the will of citizens, or by altering the free will of citizens [33]. According to Zhanna B. Skripkina, electoral fraud in an election campaign involves deliberate distortion of data [43]. Arkadii E. Lyubarev, Andrei Yu. Buzin and Alexander V. Kynev define electoral fraud as methods and mechanisms used to distort the will of the voters, meaning the announced election results do not correspond to the real opinion of voters [28].
Given the key characteristics of electoral fraud identified by researchers (distortion of the will of voters, intentionality, inconsistency of the announced results with the actual will, electoral documents manipulation), the term should be defined as a deliberate of the true expression of the will of voters with a false one.
Public control and its limits as a criterion for the risk of electoral fraud. Risk is a consequence of the impact of uncertainty on the achievement of set goals. The effect of uncertainty should be understood as a deviation from the expected result. Risk is often characterized by describing a possible event and its consequences or a combination of them, and it is often represented as a probability. Uncertainty is a state of complete or partial absence of information necessary to understand an event, its consequences and their probabilities [11].
For the purposes of this paper, the risk is considered as the probability of negative consequences of remote e-voting with regard to the integrity and invariability of a voter's will (his/her vote) and its fair consideration during vote counting.
This study proposes to correlate the risk of electoral fraud with the capacity (framework) of public observation of the integrity of the vote.
The broader this framework (the more opportunities for observation and the easier they can be implemented), the lower the risk of electoral fraud.
In terms of electoral fraud risk, the traditional form of voting is the least risky. First, all observation forces are concentrated in one place — the voting room; second, the duration of observation is comparatively short, usually one day; third, the observers' opportunities are supplemented by the fact that they can make their own video records of what is happening at the polling station, in addition to standard centralized video monitoring. Therefore, the temptation to rig the election is seriously limited.
In terms of said risk, REV is at the opposite end of the hypothetical spectrum of all forms of voting in relation to the traditional form. We shall analyze these risks through the lens of REV-specific problems. It should be noted that all of these problems are interconnected and amplify one another.
The problem of identification. REV scholars unanimously agree that there exists the problem with the identification process of the person wo requests access to vote [25]. This problem entails the risk of of non-voters getting onto the electoral roll.
Within the framework of the traditional form of voting, this risk is controlled by observers, who can make sure that it is the voter who came to the polling station and is going to vote on their behalf and not on behalf of someone else. This way, "carouseling": (double voting, etc.) can be prevented.
Moreover, the combination of the procedures of voter identification, voting and saving the vote in the electronic ballot box in the REV system entails the risk of establishing a connection between the identity of the voter and his/her expression of will (this risk is especially relevant for the multiple voting procedure where only the last vote is to be counted).
In the traditional form of voting, the ban on numbering and any other form of ballot individualization cuts the link between the voter's identity and his/her choice, as can be verified by observers.
The problem of preserving the secrecy of the vote. This problem is identified as a major one in the ODIHR OSCE REV observation handbook [14]. Equally aligned is the legal doctrine on how it is impossible to fully guarantee the secrecy of the vote in REV [18; 44].
Since the electronic ballot is filled out beyond the control of the electoral commission and public observation, we cannot rule out the so-called "family" voting. This problem entails the risk of vote buying and other influences on the will of the voters at the time of its execution.
At a regular polling station, observers can verify that the voter entered the booth alone and then dropped the ballot with his/her vote into the ballot box himself or herself.
The problem of transparency. Researchers agree that the REV system is a "black box" for the vast majority of citizens [4; 32]. Due to the electromagnetic nature of the processes occurring on the hardware, they can only be judged indirectly with the help of software and special means of visualization. A deep understanding of these processes requires special knowledge, which only a few experts have. The complexity of the REV system poses the risk that within this "black box," experts with vested interests may use high-tech means of vote manipulation and unreliable vote counting [16]. The "black box" problem entails the risk of losing control over the integrity of the vote. Moreover, there is a perception—one worth agreeng with — that it is not the electoral commission that essentially controls REV, but the software and whoever controls it (vendor, operator, programmer, system administrator, etc.) [21]. This further exacerbates the risk of losing control over the voting process. Some studies [20] point to the fact that computer illiteracy among the elderly voters, the lack of digital devices and Internet access among low-income population groups creates the risk of a "digital divide" (inequality of advanced and non-advanced voters).
The voting procedure at a regular polling station is extremely simple and clear: 1) the voter certifies his/her identity to a commission member by showing his/her passport; 2) after making sure that the voter is listed at this polling station, the commission member issues a ballot against the signature on the electoral roll; 3) alone in the voting booth, the voter expresses his/her will in the ballot, and then puts the latter into the box. The process is monitored by observers, who ensure that the voter is alone in the booth and no-one can influence his/her choice. The commission directly organizes the entire procedure and ensures its implementation. At the same time, all voters are equal, their equality is ensured by the same ballot for all, the same booth and the simplest pen to fill out the ballot.
The problem of sustainable functioning of the REV system. The aforementioned legal disputes revealed that failures in the REV system are not uncommon and they entail the risk of losing the voter's vote — something that legal scholars pointed out as well [13]. Researchers also point out that intentional and unintentional tampering with the REV system entails the risk of improper vote recording and counting.
In the traditional form of voting, the risk of losing the vote is minimal and associated with a natural disaster (fire, etc.), which is extremely unlikely. The presence of observers and commission members with consultative capacity prevents intentional spoiling of the ballot and incorrect vote counting. Commission members can directly recount the votes, and both can make sure that the counting is correct.
The problem of trust. All combined, the previously described problems create collective mistrust of REV among citizens. The problem of trust entails the risk of absenteeism (alienation between citizens and the state, refusal to participate in elections) and devalues all the advantages of REV noted at the beginning of this study.
It is now clear why REV should be categorized as the riskiest form of voting, and each risk identified requires appropriate legal remedies.
A historical and comparative analysis of REV regulation shows that the legislator and election commissions have provided for a number of legal means to protect the results of the expression of the will of the voters from the risks described. However, are these means sufficient?
Reducing the risk of identification. The REV procedure (in this study, "REV procedure" implies the CEC-approved procedure, which was applied in the election of September 17-19, 2021) solves the problem of identification through an account on the public services portal (PSP) and the procedure of voter identity confirmation.
To register an account on the PSP, a citizen must first verify himself or herself officially. This way, in the legislator's view, it is guaranteed that a citizen who has confirmed his/her identity with an official person participates in REV. The user can access the account if he or she correctly enters his/her username and password. The ballot is accessed by entering a confirmation code, which is sent to the account user's cell phone number. This creates a "chain of trust," which is built on the premise that it is extremely unlikely that a random person has the login and password to someone else's account as well as someone else's cell phone number.
Some researchers [2] rightfully refer to the widespread use of "chains of trust" in online banking.
Moreover, according to the recommendation of the Committee of Ministers of the Council of Europe (CM/Rec(2017)5 recommendation) [36] implies division of responsibility between the voter and the e-voting system / electoral management body. This principle echoes the presumption of voter integrity that Russian courts have developed in the above-mentioned disputes. At the same time, it is mutual responsibility that is the focus of the recommendation.
We have to admit that in REV, there is no way of telling for sure that it is the voter and not someone else who gets access to the vote, and the radical solution to this problem is to abandon voting in an uncontrolled environment. However, this eliminates the previously noted advantages of Internet voting.
While preserving the possibility of voting in an uncontrolled environment, the responsibility of the voter for transferring his access to his/her PSP account, as well as the responsibility of the PSP operator for registering fake accounts and using "sleeper" PSP accounts when voting should be provided. Moreover, identification process in REV could be made more complex by introducing additional links in the "chain of trust," as was done in Moscow's 2019 REV procedure [39], when the Moscow City Election Commission required the voter to manually fill in his/her address in the appropriate field of the form before accessing the ballot.
Another point to be kept in mind is that identification credibility can be enhanced by using biometric data (fingerprint, iris, etc.) in this procedure.
It is possible to implement the Swiss experience, which involves a random phone survey of 2% of REV voters in order to make sure they are real people and that they voted freely and independently [42].
Reducing the risks associated with the secrecy of the vote. REV's riskiness is most evident in the problem of the secrecy of the vote. When addressing this problem, one must take into account the principle of the priority of secrecy over all other concerns: the convenience of using REV must not prevail over the need for a high level of security.
In order to preserve the secrecy of the vote, the REV procedure provides that before accessing the ballot, an anonymization procedure is launched, which creates the effect of a virtual "booth". This way, the voter becomes isolated from the prying virtual "eyes".
However, in reality, the voter can use his/her electronic device at the time of voting in a crowded area. Therefore, although the risk of the secrecy of the vote being violated is reduced in the virtual world, it does remain in real world. The risk of "family" voting remains as well.
In order to eliminate this risk, the CEC introduced a procedure for re-voting shortly before the 2021 election: at any time during the three days of voting, a voter (who had voted, for example, under administrative pressure) could return to the virtual ballot box, find (specially individualized for such a case) his/her ballot and change his/her vote. However, some IT specialists [10] conducted a voting statistics study for the 2021 election in Moscow, which showed that, paradoxically, voters did not vote for the opposition, but for "Sobyanin team" candidates. This created reasonable suspicion that the Moscow Department of IT, as the operator of the PSP, used the voting procedure to shift votes from the opposition "stack" to the ruling party "stack".
Given the re-voting experience in Moscow, a feasible step would be abandoning this procedure in further regulation. It increases the risks of REV instead of decreasing them.
If, however, the legislator considers re-voting possible, the link between the vote and the voter, which is necessary for processing multiple votes (one vote erases the other), must be severed at a predetermined stage of storing the votes before they are counted.
No residual information (CM/Rec(2017)5 recommendation understands "residual information" as traces that are kept in various locations — PC memory, browser cache, video memory, swap files, temporary files, etc. — after the vote was cast and which may reveal the voter's decision) related to the voter's decision should be displayed in the REV system after the vote was cast. The REV system operator must take all measures to remove such information, and the voter must be informed of the risks involved and how to mitigate them.
Blockchain. In REV, software and hardware take on a legal interpretation in terms of protecting the expression of the will of the voters. This cannot be ignored, given that relevant studies are being conducted and should be taken into account in the development of legal requirements for the REV software and hardware complex. Its design cannot be left to IT experts alone.
The REV procedure stipulates that anonymized results of expressed will are immediately encrypted and stored in the blockchain of the REV system. This creates the effect of "dropping" the ballot into the ballot box and subsequently keeping the vote unchanged.
However, researchers note that encryption and the use of blockchain (we define "blockchain" as the chain of data blocks in the distributed database of the REV software) do not guarantee the secrecy and inalterability of the vote, although there are those who disagree with this assumption [1].
For example, shortly the 2019 election, Pierrick Gaudry and Alexander Golovnev published a paper about an attack algorithm used on the REV vote encryption system that was implemented in the Moscow City Duma election — an algorithm that decrypted the votes [9].
The blockchain used in the 2021 election in Moscow was under the full control of the REV system operator, exclusively hosted on the operator's software and hardware. This fact raised suspicions among the losing opposition candidates, who believed that the Moscow Department of IT abused its dominance of the system and manipulated the encrypted vote records in the blockchain.
On this occasion, it is worth mentioning that legal scholars point to how blockchain is structured in essence. Blockchain can be public and private [26; 45].
A public blockchain allow the data stored in it to be distributed to any users who wish to become participants in the blockchain. A public blockchain guarantees the safety of information because it can only be changed by the consensus of all participants. However, the downside is that it is vulnerable to attack by malevolent blockchain participants.
A private blockchain assumes that although information is distributed among different computers, they are all under the control of a "central authority" of the blockchain. While this eliminates the risk of an internal attack on the blockchain, it creates the risk that a "central authority" could change the contents of the blockchain at will.
In this regard, the following amendment is proposed to the REV system: the blockchain cannot be completely private, it must be distributed between the computer resources of at least two different entities (for example, between a public chamber and an election commission).
Reducing the risks associated with non-transparency of REV. The REV procedure provides for the following transparency guarantees: 1) observers are present when encryption keys are generated, as well as in the room of the REV election commission; 2) there is an "observer node" (a computer giving access to the blockchain). Moreover, specific data on the voting process is published on the election commission website.
However, Yevgeny I. Kolyushin [21] rightly points out that under the current legislation, the existing monitoring tools only allow us to observe the external performance of the software and to obtain the information produced by the software without any legal opportunities to make sure if it is corresponding with the actual expression of will.
There are several aspects to consider when it comes to REV transparency.
First, REV uses a sophisticated hardware and software system. The sophistication creates a "black box" risk that we identified earlier. The vast majority of voters do not understand the level of sophistication and are forced to put their trust in the developers and the operator of the REV system. Such state of things seems fraught with potential violations of the true expression of will inside the "black box". Therefore, there is a need to shed light on the inner workings of the system.
Following international recommendations, it is necessary to legally ensure that an independent entity (a public chamber, observation NGOs, etc.) has the opportunity to audit the REV system.
The election commission should be required by law to publish the REV software source code in advance so it can be audited. The system configuration and all of its hardware and software components should be disclosed as well.
Secondly, the electoral commission must exercise effective control over the functioning of the REV system.
Prior to the start of voter registration in REV, the commission organizing the elections should enlist the help of observers and make sure of the authenticity and proper functioning of the REV system. Public modification of the REV software, as well as hardware modernization, should be regulated. It is worth pointing out that all this should take place under close public scrutiny.
Moreover, the REV system administrators must be appointed by or with the approval of the organizing election commission. All their activity in the REV system should be logged automatically, and observers should have unrestricted access to this information.
Third, the REV procedure should provide for a substantial expansion and simplification of observation.
The existing procedure should exclude the provision on the transfer of powers from one REV PEC to another. It is also necessary to avoid all authority being concentrated in a single REV PEC, as it creates a "mega-commission" that is nothing like a PEC; a "mega-commission" naturally interferes with observation, since dozens of observers are concentrated in one PEC and the quality of observation is reduced.
Under the current regulation, REV precinct observation in a constituency in the State Duma election was beyond human capacity, since the digital polling station, in constituency No. 197 in particular, included about 122,000 REV participants. For example, checking such an enormous list of REV participants posed an unrealistic task for one observer.
In this regard, the REV procedure should provide for an increased number of observers. A candidate should have the right to appoint as many observers to REV PECs as there are regular precincts in the constituency.
There should be mandatory video recording of all events that are broadcast from the blockchain to the "observer node" — from the start of voting to the point when e-vote counting is complete, with the ability to view the recording after the votes are tallied.
Reducing the risk of losing votes. The current REV procedure does not provide any solutions to a potential REV system failure. However, the user may repeatedly enter the confirmation code to access the ballot. Therefore, in case of a short-term failure, the voter who could not access the ballot can try to access it later.
However, in case of a long-term failure, the voter may lose his/her vote, since the REV procedure stipulates that a voter on the REV electoral roll is not allowed to vote at a "regular" polling station.
In order to avoid loss of votes in case of a long-term REV system failure, it should be stipulated that the organizing election commission is allowed to decide to stop accepting e-votes and shift voting to the "regular" polling stations only. This will give voters who have not yet casted a vote in the electronic ballot box an opportunity to vote.
It would also make sense to use the Estonian experience and to complete REV 1-2 days before the last day of voting at "regular" polling stations, so that anyone who could not for some reason take part in REV, could still vote at a "regular" polling station.
Reducing the risk of improper vote registration and counting. The solution provided for this problem in the REV system is quite controversial. REV conducted outside of Moscow does not provide for a confirmation that the vote was registered. The REV procedure for the elections in Moscow provides for the "paper trail" rule: when the ballot is accessed through REV hardware, the corresponding information gets printed in the REV PEC room. It is also sent to the "observer node"; after the vote is cast, the encrypted information about the anonymized expression of will gets printed.
The OSCE/ODIHR Election Observation Handbook points to end-to-end auditable voting systems as one of the possible ways of tracking vote integrity and properly registering it during counting. Such systems receive a positive assessment in the Recommendations on Voluntary Voting System Guidelines developed by the US Election Assistance Commission (EAC) [46]. The point of such systems is to let the voter trace the entire path from submitting the vote to its registration in the final protocol of the electoral commission. The difficulty that such a system tries to deal with is ensuring the voter does not reveal his/her choice to anyone. The EAC guidelines state that this is technically possible, but this algorithm is still being discussed.
According to the CM/Rec(2017)5 recommendations, the vote count shall be reproducible, so the Russian REV regulation should provide for the possibility to obtain convincing evidence that the counting procedure was conducted fairly, including through an independent re-count.
The "paper trail" rule should be made mandatory in all elections that use REV. Without this rule, verifying vote registration and counting in the REV system by a manual recount becomes impossible. We need to go back to the first iterations of the Moscow REV procedure [39; 40], which provided for manual recounts following the "paper trail."
Besides, the REV procedure should have provided that the voter receives a confirmation from the REV system (e.g., in the form of a hash sum [19]) immediately after submitting an encrypted vote. This confirmation would contain the information about the encrypted vote getting into the electronic ballot box unchanged. The connection between this "electronic trail" and the voter's account is subsequently maintained until the votes are counted. In case the vote is altered, the voter is notified immediately (this feature is used in elections in Estonia, where the voter receives a QR-code of his/her vote and can check it before the results are tallied [31]).
Reducing the level of distrust. According to CM/Rec(2017)5 recommendations, an electronic voting system can only be introduced if voters trust their electoral system as a whole. OSCE ODIHR Election Observation Handbook echoes this idea.
As was pointed out earlier, all of the problems and the resulting risks collectively give rise to the problem of voter distrust of REV. This means that successfully addressing the problems and reducing risks in a consistent manner will help to increase voter trust in REV.
In this regard, we should not rush to expand the use of REV, but instead preserve its experimental nature and level down experimental use to municipal elections, without allowing the risks analyzed in this study to discredit the federal and regional elections.
First of all, we should raise voter trust in the entire electoral system, the electoral authorities, and the state mechanism as a whole, and then we should fully embrace REV.
Voter education. One of the important trust-building measures is to educate voters the structure of the REV system and the functions it serves. We have to commend the efforts of the CEC, which published videos [3] explaining how the structure of the REV system, how voting is conducted, etc. on its website.
At the same time, a study of a similar information portal of the Estonian [5] leads to the conclusion that the latter compares favorably with the CEC's educational page. The Estonian website has a detailed and descriptive voting instruction, instructions on how to check the vote, an FAQ section, audit reports on the use of REV, the source code of REV software, etc.
Therefore, the Russian REV system has great potential for gaining the trust of the Russian citizens. In this case, it is important not to rush, but to gradually move toward a wider application of REV, eliminating the identified risks and solving the problems that emerged.
Reflected in the voting result, the free elections need additional protection when remote e-voting is applied. REV has a long list of advantages over other forms of voting, accessibility and convenience being the major ones. Therefore, this new form of voting that has been introduced into law did not occur by accident, especially in the context of the ongoing pandemic.
At the same time, the study reveals that REV is fraught with the potential threat of harm to such a key constitutional value of a democratic state as free elections. One should also remember the priority of voting security over considerations of convenience and accessibility of the voting form itself. The principle of free elections must be upheld in any case. The implication is that measures proposed by scholars and tested by global experience should be taken to reduce the risks of REV. The introduction of REV should be done with caution an without haste. The existing REV procedure indicates that the legislature and the CEC see the problems and risks and take certain steps to eliminate them, but REV's innovative nature and the lack of research on a number of aspects cause gaps in regulation.
When using REV, it is necessary to take into account the risk of election fraud and distorted expression of the will of the voters — a risk that requires extra means of protection. The study makes a number of suggestions to reduce the likelihood of electoral fraud. Some of these suggestions require further reflection.
However, the study indicated the need for systemic legislative measures to improve legal protection of the results of the expression of the will of the voters while using REV. These measures, along with the ones already introduced by the legislator and the CEC, will increase the trust of citizens in this nascent institution of electoral law.
Received 02.02.2022, revision received 14.02.2022.