Thus, we believe that the debate needs to be free of the idea that a perfect and universal solution is possible. Rather, the main concern is to embed relevant constitutional values and their proportional balancing within the system. Tools should be adapted to the political direction provided by representative bodies in compliance with the overarching constitutional constraints.
E-voting is gaining its place in the growing discussion over the use of blockchain. In our view, when technology addresses such socially sensitive issues, values step forward to the fore, together with the differences and clashes that they imply.
Such democratic values convey the identity, pathologies and fears of the context from which they come. In that sense, the technical operation of designing and developing a voting system entails political and legal effects that make the matter case-sensitive, depending on the different territorial and constitutional traditions.
Some past e-voting experiences
Previous experiments of e-voting have encountered both contextual and structural difficulties. In Europe, the main point of reference is Estonia’s remote e-voting system. Analysts and researchers have highlighted critical issues related to the security of individual devices and identity authentication, based on a PIN and prone to identity theft.
In Switzerland, critical errors were discovered in the source code of the software. In some instances, e-voting was even abandoned for a lack of security and voter confidence. This happened, for example, in Norway, Finland, Ireland, the Netherlands and Germany.
Namely, in the last case, the Constitutional Court found an infringement of the principles of publicity and transparency because the system prevented any public control by using proprietary software. In that case, the court declared the current e-voting procedure unconstitutional and specified that all the essential steps in an election must be open to public scrutiny unless an exception is strictly justified in light of other constitutional interests.
In general, these experiences will also be considered in light of their specific background. For example, even with paper systems, we all know very well that certain voting systems are much more open to remote voting — or voting by correspondence — since inclusion is prioritized over the risk of coercion or exchange, or any other disclosure. In Italy, the opposite is true, and remote voting is only used as a narrow exception.
Italy: The e-voting cases
The latest experiment of e-voting in Italy was in October 2017, during the referendum of Lombardy and Veneto to gain autonomy, and traditional polling stations were used in that occasion. However, the case was deeply controversial, because tallying procedures were abnormally slow, even more so than traditional ones, and this also raised suspicion of tampering. Moreover, the regions incurred significant expenses for the hardware, which was not reusable.
Our knowledge on the matter stems not only from the aforementioned experiences, but also from our personal experience, gained through the elaboration of the software and the voting procedure for the city of Naples — the capital of the Campania Region in the south of Italy.
The genesis of this system is rooted in an experiment of municipal participatory democracy. Indeed, it is being developed by a team of two software engineers and developers, a mathematician, three lawyers and a civil servant. The group is almost completely made up of volunteers and was founded after a public call launched by the municipality, which gained the cooperation from the Neapolitan Headquarters of the Institute for High Performance Computing and Networking of the National Research Council:
“On April 19, 2018, a public call was published on the institutional website, addressed to associations, universities, research centers, students and scholars to establish a voluntary working group, in charge of elaborating and proposing objectives linked to the use of blockchain technologies; by the end of this call, more than 300 applications for membership arrived, coming from all over the world” (City Government of Naples, Resolution No. 465 of October 5th, 2018, authors’ translation).
Actually, the project of a blockchain voting system was the only one emerging from bottom-up, while the municipality’s intention was to rather focus on administrative transparency, payments and cryptocurrencies. Indeed, in a period of crisis of the traditional mechanisms of political representation, the innovation of democracy was vindicated, claiming the necessity of a plurality of participatory tools able to ensure inclusion, fairness and transparency. This push generated a commitment to create a viable solution that is able to innovate an already existing legal tool — the local referendum — by making it more affordable for the administrations and resistant to the dynamics of vote coercion or exchange.
Soon, we realized that the idea of an electronic voting system able to guarantee both full anonymity (like a traditional paper ballot system) and verifiability (like an accounting system) is a delusion. Single vote verifiability is an incredible exposure to corruption/coercion because if voters can check that their votes are counted, then anybody present at the verification time can exert the same control. So, anonymity is compromised. Some cryptographic solution has been studied to implement systems with zero-knowledge proof — commonly referred to as ZKP — but for a certain degree, voters must trust the system and its embedded verification tools.
For the same reason, anonymity in remote voting is an utterly ambitious endeavor that is likely impossible as far as we know. If voters can express their votes from a mobile or uncertified remote device, they can prove — or even show in real-time — the content of their vote to anyone, including vote buyers and coercers.
From our experience in Italy, we know that keeping a secret is a hard task when talking about voting, and constituents do not always cooperate, such as in the case of purchasing votes. This is why we believe a modern voting system must be designed to be as resistant as possible to corruption and coercion. In that sense, multiple ideas have been proposed to avoid falsifying votes, for example, the possibility of changing the vote multiple times before its actual recording.
Many are tempted by blockchain technology and its immutability feature. The underlying idea is to give voters proof of their voting record, encouraging them that their votes will be counted.
For the reasons expressed above, we suggest passing on the idea of remote voting, but other blockchain features could expose evidence of voting preferences to the public. Let us imagine a polling station where anonymous voters, identified by other unlinked means, could record their preferences as a single transaction on a blockchain. Of course, there will be a voter ID that could be anonymized with mixing techniques — losing the singular verifiability — and there will be a timestamp of the transaction. This last information can be effectively used to track singular votes, and we have historical experience of voting batches organized by coercers in order to identify votes using combinatorics.
Many countries refuse to use electronic voting for one or more of the reasons above, including solutions designed surrounding the blockchain hype.
This is also compounded by the perception that an electronic voting system must be perfect: fully reliable, anti-coercion and anti-corruption, with guaranteed true anonymity, and giving the single voter the opportunity for full verifiability of the tallying process.
The current paper ballot systems or voting machines adopted in some states are far from such a high standard. When storing and tallying paper ballots, the voting process is exposed at different levels: marks on the ballots, handling by several officials, human errors and coercion/corruption. When talking about voting machines, certification of the hardware and trust in the automatic tallying are other sensible points: Who certified the algorithms, the components, the installers, etc.?
E-voting with blockchain tech solutions
There is probably not a perfect solution in the theoretical meaning, but we could try to get as close as possible to a good solution. However, we believe that also singular verifiability is a bad idea when trying to fight corruption and coercion. That means that for a certain degree of tolerance, voters have to trust the system in one or more anonymizing steps.
A blockchain is a good tool to make the tallying procedure public, as long as the votes are recorded in incontrovertible anonymity. This could be implemented through a virtual ballot box, which should be kept secured from possible attacks. Cryptographic tools may also be used for this purpose.
In order to mitigate the risks of possible attacks, the voting system should be decentralized and distributed. Resilience is an essential feature. At last, any code used in the voting process should be public, stressed through open hacking tests, and trusted by the voters. Even verified code running that uses modern, verifiable load-time and run-time data can improve trust in the system.
Finally, voting systems have to deal with the concreteness of local democracies, where budgets become a central concern due to policies that, all around Europe, restrain the possibility of financing public services through indebtment.
For example, the city of Naples is in an economically disadvantaged region and, after the reform of budgeting rules, is in a state of structural and financial crisis. This produced institutional and civil consequences. On the one hand, a public discussion has been raised on the matter, through a process of participatory audit aimed at protecting social rights. On the other hand, citizens, as well as informal and community-led economies, mobilized to respond to basic needs through social and solidarity economies.
Under similar conditions, all progress in terms of democracy is hinged on the spending of public money, which means that even acting on ordinary referendums can be financially impossible. This is why voting systems shall adapt to the financial situation, and indeed drive toward more efficient use of public resources as made possible by the digitization of tallying procedures.
This also requires creative solutions in partnership between private and citizen innovators on one side, and administrations on the other. More specifically, following the example of our Neapolitan case, the next step is to organize an open hackathon with the city of Naples to test the security of the system. This will require elaborate forms of private and mixed financing — e.g., civic crowdfunding, sponsorships, calls for funding, research grants, etc. — which might not be immediately available in economically disadvantaged areas like the south of Italy.
In the end, the lesson learned is that, in the field of e-voting, only partial and contextual solutions can be proposed with a constant effort of responsiveness toward citizen needs, legislators’ balance of constitutional values and administrators’ duty of compliance. Thus, we make the case for open, interdisciplinary and cross-sectoral approaches to e-voting, combined with appropriate participatory processes, which are able to fulfill, in a broader sense, the promise of decentralization underlying blockchain technology.
This article was co-authored by Maria Francesca De Tullio, Diego Romano and Erica Vaccaro.