Many companies and organizations depend upon online
voting to elect people to leadership positions.
It is difficult to ensure that the system used cannot be subverted. It
is like securing a large, rambling house against burglars: the walls and doors
may be strong, but a single point of weakness can compromise the whole.
Can a set of roof tiles be removed to gain entry? Can someone inside the
house be tricked into opening a door for the intruder?
Good technology is valuable in making elements of the
system strong, but envisaging all possible modes of failure requires healthy
skepticism and a whole-system point of view.
A service provider usually makes the software and related
infrastructure for running an election over the Internet available to the
entity holding the election. In the mode of operation discussed here, the
service provider is assumed to be a trusted partner, beyond suspicion.
The client organization, however, still needs to ensure that
everything else is well thought out and free of avoidable risk. Some service
providers create a password file starting from a list of email IDs of all
voters supplied by the client entity, linking a machine-generated password to
each ID. Each voter needs the password linked to his or her email ID in the
password file in order to cast a vote. The service provider's system sends an
email to each voter giving the password to be used and describing the
procedure to be followed.
The password file is sent to an officer nominated by
the client entity, so that the client knows the list of all voters contacted
and can offer help to any voter who missed the email, etc. The officer
nominated to handle the password file could be a paid employee or an elected
person (call this officer Y). Some of the possible risks to the election arise
from how safely this file is handled: whoever can read it holds every voter's
credential, including those of voters who will never cast a vote.
Another risk arises from the fact that the list of eligible
voters may not be accurate. Some voters may have left their companies and had
their email accounts deleted, unknown to the party conducting the election.
Hundreds of orphaned emails inviting members to vote, each carrying a valid
password, could bounce, and the election software might direct them to Y. How
these bounced emails are handled, and who can access them, again determines
how reliable the election will be.
One would have to consider the specifics of the system
used and the supervisory mechanisms that oversee the election to find possible
modes of failure such as the two described above.
In many cases there are simple ways of reducing the risk
from an anticipated failure mode. For instance, the service provider who makes
the IT infrastructure available could withhold the password file until the
election is over and only then make it available to Y. Similarly, there is no
need to make bounced emails available to Y until after the election is over;
a bounced invitation is better treated as a credential that can no longer be
trusted. This means that Y cannot help a voter who does not receive an email
from the service provider; however, if the list of voter email addresses given
to the service provider is reliable, Y's intervention would be unnecessary, and
any re-send can be done by the service provider itself without exposing the
password to Y.
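As an added illustration (not code from the original post, nor from any actual election service provider), the following Python sketch shows one way a provider could implement the issuance, bounce handling and withholding discussed above so that the password file handed to Y contains nothing usable for casting a vote. The class and function names (CredentialStore, VoterRecord, issue, record_bounce, redeem, reissue, roster_for_officer) are hypothetical, and the email addresses are constructed sample data.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class VoterRecord:
    email: str
    salt: bytes
    token_hash: bytes
    status: str = "issued"   # issued | bounced | used


class CredentialStore:
    """Per-voter voting credentials. The plaintext token is handed to the
    mailer once and never stored, so no exported file can be used to vote."""

    def __init__(self):
        self._records = {}   # email -> VoterRecord

    @staticmethod
    def _hash(salt, token):
        # Slow salted hash: a leaked store does not yield the tokens.
        return hashlib.pbkdf2_hmac("sha256", token.encode(), salt, 100_000)

    def issue(self, emails):
        """Generate one single-use token per voter (CSPRNG, ~192 bits).
        Returns {email: token} for the mailer only; the store keeps hashes."""
        outgoing = {}
        for email in emails:
            token = secrets.token_urlsafe(24)
            salt = secrets.token_bytes(16)
            self._records[email] = VoterRecord(email, salt, self._hash(salt, token))
            outgoing[email] = token
        return outgoing

    def roster_for_officer(self):
        """The 'password file' Y may see: who was contacted and the current
        status of each credential, with no secret material at all."""
        return {email: rec.status for email, rec in self._records.items()}

    def record_bounce(self, email):
        """Invitation bounced: revoke the token so whoever ends up holding the
        bounced copy (a mailbox, a log, Y) cannot vote with it."""
        rec = self._records.get(email)
        if rec is None or rec.status != "issued":
            return False
        rec.status = "bounced"
        return True

    def reissue(self, email):
        """Provider-side re-send for a voter who missed or bounced the mail.
        The old token dies; only the fresh token (returned to the mailer) works."""
        rec = self._records.get(email)
        if rec is None or rec.status == "used":
            return None
        token = secrets.token_urlsafe(24)
        rec.salt = secrets.token_bytes(16)
        rec.token_hash = self._hash(rec.salt, token)
        rec.status = "issued"
        return token

    def redeem(self, email, token):
        """Accept a vote credential exactly once, in constant time."""
        rec = self._records.get(email)
        if rec is None or rec.status != "issued":
            return False
        if not hmac.compare_digest(rec.token_hash, self._hash(rec.salt, token)):
            return False
        rec.status = "used"
        return True


if __name__ == "__main__":
    # Constructed sample roster; the third voter's address no longer exists.
    store = CredentialStore()
    tokens = store.issue(["a@example.org", "b@example.org", "gone@example.org"])
    store.record_bounce("gone@example.org")
    print(store.roster_for_officer())       # statuses only, no tokens
    print(store.redeem("a@example.org", tokens["a@example.org"]))   # True
    print(store.redeem("a@example.org", tokens["a@example.org"]))   # False
```

With this design the question of how safely Y handles the password file largely disappears, because the file Y receives (roster_for_officer) carries only statuses. A bounced invitation becomes worthless the moment record_bounce runs, and a voter who missed the email is helped by the provider calling reissue, which invalidates the old token rather than exposing it to anyone.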
The mode of operation described above is only one of many
possible modes, but the concern for the integrity of the election is there in
any case.
The aim of this blog post is to sensitize all those concerned with the integrity of online elections to some of the obvious risks in one mode of operation.