The case for e-voting in a multi-channel system (PART 2)

If we can advance e-commerce, surely we can advance e-democracy.

1049 0
1049 0

Published by Astro Awani & theSun, image by Astro Awani.

When can Malaysia implement electronic and internet voting? Given that the timeframe is rather short, it’s unlikely that a nationwide use of electronic voting could be implemented for GE15. However, internet voting may not need to be too complicated.

For electronic voting, many things have to be considered and must be in place. This includes the electoral infrastructure (procurement and testing of new voting machines and the related manpower) and verification of ballot security which will require the testing and verification of the servers, level of independence of the EC, the auditors, and many more.

For internet voting, certainly servers and computers will need to installed, the related software/webpages/apps need to be developed and independent auditors and observers need to be appointed.

Most importantly, the system must ensure confidentiality, security and accuracy which can be achieved through various existing and widely used encryption technologies.

One might realise that for online payments or other sensitive transactions, a secure web address will usually start with “https” rather than “http”. This refers to Hypertext Transfer Protocol Secure (HTTPS) in combination with Secure Socket Layer (SSL) or Transport Layer Security (TLS) encryption protocols often used as the standard for secure internet communication.

Other potentially more comprehensive protocols exist such as Secure Electronic Transaction (SET) which is used to ensure the security, authenticity and privacy of economic transactions (such as credit cards).

For increased traceability and immutability of the digital ballots, casting digital ballots can be done over established public blockchain networks — there is no need to build a dedicated blockchain, therefore costs can be reduced. A blockchain technology uses real-world signatures through cryptography techniques along with encryption keys.

Of course, solutions exist, but the most important driver is political will.

Do our politicians really want this? Does the Malaysian government have the will to increase voter turnout and reduce election costs? Or, are they motivated enough to improve education, social mobility, access to electronics and better income for the people, especially in rural areas?

If we are to follow the Estonian model whereby voter identification hinges upon the mandatory digital ID, online voting in Malaysia would also require something like the planned National Digital ID (NDID) — a digital identification and authentication to verify a person’s ID in the digital world.

Therefore, in terms of timeline and alignment with other national initiatives, the National Registration Department (NRD)’s plan to upgrade 38 NRD documents by 2023 in terms of security features to maintain the authenticity of the documents, should be harmonised with NDID which may only be fully implemented in 2024 to provide one of the means or a framework for voter authentication.

As mentioned in Part 1 of this article, access is only one factor for increased voter turnout. Therefore, initiatives such as JENDELA Phase 2—which aims for internet coverage of 100% of the population and to increase fibre broadband access to 9 million premises by 2025—must coincide with better access to quality education, information, increased awareness of political matters, better socioeconomic standing and most importantly structural reforms that promote high governance standards and fairer policies.

Now, that is the ideal situation for a nationwide implementation of internet voting.

As mentioned earlier, internet voting may not be as complicated and Malaysia can start with citizens abroad, students in out-of-state campuses, low-income groups, people in rural areas, elderlies and the disabled.

Subject to the uptake and success of internet voting, more groups can be gradually included to finally be offered nationwide as one of the standard voting channels for everyone.

Starting at this level may not require NDID to be in place. Existing voting systems that are generally secure (or as secure as they can be) are already available.

How secure is it?

This is a widely-debated space, particularly between leaders of companies or organisations that develop voting technologies, and IT or cybersecurity experts and researchers.

Opposing experts often bring up issues of potential hacking, or that voters’ smartphones and laptops could be breached with malware. Even if that’s not the case, and even if a receipt was provided as a paper trail, opposing experts argue that votes could be intercepted or corrupted during transfer. Some experts even go as far as to say internet voting cannot reach a level where it is entirely safe, and that nothing is superior to paper ballots.

Proponents have largely dismissed many of the claims, citing flawed reporting and biased research.

Firstly, even paper ballots and the commission running them have not been free from criticisms of fairness and questionable integrity. Are the critics saying that commissions are always completely trustworthy and that paper ballots are entirely error-free?

Secondly, we are talking about a multi-channel voting system, where internet voting is first applied to a smaller group of people. Therefore, technological evolution takes a careful step to minimise risks, while meeting the needs of the disenfranchised.

Most importantly, other channels are not pushed aside. In fact, the physical casting of ballots remains as the main voting channel and is now proposed to be upgraded to electronic voting machines.

Thirdly, in addition to Estonia, proponents claim that there are cases of general elections in the United States where internet voting was used without any security breaches. Other countries such as Switzerland, Canada and France have also used internet voting at different scales.

In Estonia, the process involves the encryption of ballots, and authentication of voter identity followed by the removal of voter identity before the votes are counted.

Throughout the process, there is a separation between the election commission, the auditor and the voters, involving the secure encryption-decryption of the digital ballots and the secure movement of a sealed physical hard drive (or a storage device that stores the digital ballots) that will be inspected by the auditors, and the final counting of the votes in a computer that is isolated from the internet. On top of this, the cryptography used would allow for the verification that the digital ballots were not tampered with.

Fourthly, internet voting has been widely used in organisations in the private sector, particularly in Japan. Private sector online voting systems require the same elements as political elections—voter authentication, voter anonymity, the secured casting of the votes and guaranteed integrity of the ballots. Private sector online voting systems can use standard encryption used in the banking industry such as high bit SET and SSL protocols.

Fifthly, with the widely touted Fourth Industrial Revolution, new technologies such as blockchain can beef up online voting security even further by making transactions traceable, private and immutable.

Now, with the above points, we come back to the critics with a few foods for thought.

Is there a level at which e-commerce or online money transactions are entirely or completely safe?

Are these experts saying nothing can top the security of physical cash transactions locked in a cash register? Or, are these security experts saying that e-commerce and online banking are similarly risky and untrustworthy as internet voting?

Are we not already widely using our smartphones and laptops—which critics mentioned as being riddled with malware—to conduct business and transactions online?

Are we not trusting banks, financial institutions and e-commerce platforms with our money? Sure, we don’t cast votes as frequent as we spend our money, but does that mean our money is worth less than our ballots?

Would the same cyber security experts differ on their views regarding the security of e-commerce and online transactions had their research been funded by Big Tech and global technology leaders in the payments industry?

These major organisations worked together to develop security protocols that many people trust when conducting online transactions.

We don’t seem to trust casting ballots over the internet for the sake of advancing democracy, in the same way we trust our money to be kept in banks and conduct transactions over the internet in a borderless globalised world for the sake of advancing commerce. Maybe we shouldn’t?

Is advancing democracy, transparency, and inclusivity less important than advancing capitalism?

Like many things, it boils down to willpower, and where the money goes to push for it. When there’s a will, there’s a way.

Ameen Kamal is the Head of Science & Technology at EMIR Research, an independent think tank focused on strategic policy recommendations based on rigorous research.

In this article