Frequently Asked Questions - Follow My Vote

Online Voting Platform FAQs

 

What is a blockchain?

A blockchain can be referred to as a transactional database or public ledger that is created and maintained by a network of computers/servers. The various computers and/or servers that power the network take turns verifying sets of transactions, which are referred to as blocks, and adding them to the database. These “blocks” of transactions are mathematically linked to one another in a way that would resemble a chain, hence the name blockchain. Once stored in the database, these transactions are permanent and irreversible. Our online voting platform has a blockchain-based ballot box that allows votes to be securely stored within the system.

What are the key benefits of using your online voting platform?

The key benefits of our online voting platform are inherent in its design, as it embodies all of the characteristics that a legitimate voting system requires: security, accuracy, transparency, anonymity, freedom, and fairness.

How are elections hosted within your online voting system kept secure?

Our online voting system uses elliptic curve cryptography, which requires each voter to be issued two separate keys that are mathematically related upon the creation of their account. One of these keys is made public to the other voters within the system, which is why it is called a public key. The other key is kept secret from all other voters within the system, and is therefore called a private key. The combination of the public key and private key is described as a key pair. When a voter creates an account within our online voting system, the voter is given both a public key and a private key. The voter uses the private key to control the account and submit requests to the system; other voters within the system will only know that voter’s public key. By leveraging elliptic curve cryptography in this way, ballot requests, updates, and submissions made within the system are kept secure, as they cannot be hacked or faked in any way. Also, once a voter’s vote has been approved and stored in our online voting system’s blockchain-based ballot box, it cannot be changed by any other voter within the system.

 

How does your online voting system ensure elections results are accurate?

In order for votes to be considered official votes within our voting system, voters must have their identities verified prior to casting their ballots. Voters can only request official ballots for elections that meet their account credentials (i.e. country of citizenship, age, etc.) and can only request one ballot per election. During the ballot casting process, voters can rest assured knowing that their ballots will not be tampered with, as cryptography technology prevents voters’ ballots from being intercepted and modified prior to being stored in the blockchain-based ballot box. Once a voter’s vote has been stored in the blockchain-based ballot box, it cannot be changed by any other voter within the system. Finally, all voters who participate in an election will have an opportunity to audit the ballot box themselves to ensure that the vote count of the ballots stored in the ballot box matches the election results being reported.

How are transparent elections possible within your online voting system?

Transparency is the most critical aspect of hosting a legitimate election; if one cannot audit the results of an election themselves, then how can they be assured that the results are accurate? The key differentiator of our online voting system when compared to other voting systems being used in elections today is that our system provides transparency into the election results, as all voters will have access to the blockchain-based ballot box that contains every ballot that is cast within each election. Being that all users have access to this information at all times, any user could audit the results of an election at any time to ensure the election results being reported are truly accurate.

Will my vote be kept private in your online voting system?

Being that our online voting system has a transparent ballot box where all ballots cast are viewable to all voters, anonymity is necessary in order to protect each voter’s right to privacy. Our online voting system provides each voter with anonymity through the use of elliptic curve cryptography technology. Upon account creation, each voter is issued a public key that is associated to their account. Voters are known by other voters in the system only as their public key so that they can cast their ballot without having to reveal their identity to everyone else within the system. With this in mind, voters can be assured that their identities will be protected and that their votes will remain anonymous.

Will your online voting system allow me to change my vote?

Voters that use our online voting system can cast their ballots online, ahead of time, similar to how one would vote by mail in an election. Once cast, voters can access their ballots and update them at any time on or prior to election day. This rule will ensure that, in the days leading up to an election, a voter can change their vote before it’s made official if they happen to change their mind about a particular candidate. This will also ensure that, when an election comes to a close on election day and the votes are officially counted, the election results are much more likely to reflect whom the voters really want to win the election at that point in time.

How can we verify the correct person is voting?

This question breaks down into two parts: first, how can we verify that a given person is allowed to vote (i.e. they have a right to vote, and they have not voted already); second, how can we determine that a given vote was cast by one of those verified persons, and that it is the only vote on a given issue cast by that person.

The first part doesn’t change substantially in a transition to an online voting system. Voters must register to vote, and receive a certification authorizing them to vote when the polls open. In Follow My Vote’s online system, this certification takes the form of an identity on a blockchain which has been cryptographically signed by the identity verifiers for the election as being unique and authorized to vote.

The second part is a more difficult problem which, in contemporary paper ballot systems, is largely unaddressed. It is simply assumed that if a ballot is in the box, it is valid and should be counted. There is no possible verification of this assertion later on in the process. In electronic voting systems, the problem is worse as typically audit trails are not preserved, and these systems are frequently designed with no eye towards security, allowing them to be manipulated to alter the votes. Follow My Vote’s voting system will preserve a complete audit trail which provides cryptographic proof that each counted vote was cast by one of the authorized identities, and it was the only one cast by that particular identity, without enabling any party (including election officials) to determine which certified identity cast that vote.

What safeguards are there against being pressured to vote in a certain way?

One of the major benefits of an online voting system is the flexibility it offers to voters in terms of where and when they vote. Voters can vote in a time and place where they feel best enabled to make an honest and informed voting decision. If a voter still feels pressured in any way, our system provides a mechanism by which voters can revoke their online vote and instead vote on a paper ballot at a polling place, without opening up the possibility for a vote to be counted multiple times.

How can the voter ensure that the vote they submitted is the one that is received?

In the Follow My Vote system, all votes are public data available on the blockchain. Because of this, a voter can look up his vote in the public record and verify that it was cast correctly. The voter can do this verification on a public computer to verify that his personal computer is not out of sync with the network, or being fed invalid information about the public record by an attacker. Furthermore, the open source Follow My Vote application will be able to count the votes on the public record, and show the voter the results directly, rather than trusting election officials to tally the votes in secret, so the voter can be completely assured that his vote was cast as intended and counted as cast.

How can the online voting provider verify that the votes they received are the same as the ones that were submitted?

Due to the inherent trust, fault tolerance, and censorship issues involved in a centralized voting solution, our system leverages a decentralized design. Thanks to this property, our system does not require any online voting provider to verify the votes. This is done by individual voters as they tally the votes as described in the question “How can the voter ensure that the vote they submitted is the one that is received?”. This verification is done using the cryptographic audit trail made publicly available on the blockchain. This audit trail proves that the votes were not tampered with after they were cast.

What safeguards are there against malware on the voter’s device?

In any electronic voting system, if the operating system the voter uses when casting his votes is compromised with malware, it is possible that an attacker could steal the voter’s cryptographic identity, change the votes prior to publication, and determine the real-world identity of the voter. No safeguards do or can exist with modern technology once the malware infection has taken place; therefore, the only defense against this is to prevent a malware infection, or to neutralize the infection for the duration that the voter’s private information is held on the device used to vote.

Clearly, the threat of malware is a serious one, and Follow My Vote has hired a malware analyst to help them to harden their software against this threat to the greatest possible extent. The threat of attack is greatest on web-based platforms, and for this reason, Follow My Vote will not provide a web-based voting application unless they can ensure that such an application meets the security standards of their other voting applications. The threat of attack is least on mobile devices, where, due to the security models used by modern mobile operating systems, it is rare to find a malware infection capable of interfering with other applications on the device (most malware on mobile devices can do nothing without first asking the owner’s permission and can be trivially removed simply by uninstalling the application containing it). The greatest risk of compromise from malware will be on desktop and laptop computers, where the operating systems do not have as strong a security model, and malware can be difficult to find and remove. Because of this, Follow My Vote will recommend users only vote from these computers using a live operating system (a temporary computer operating system which runs in RAM and is used only for voting), which will neutralize the threat of malware on the computer while the Follow My Vote application is running and storing data on the computer. Follow My Vote will provide tutorials and/or software to help voters accomplish this. Voting from a computer running a live operating system is the most secure way to vote, and will protect users from virtually all possible malware.

What safeguards are there against a cyber-attack to the online voting system?

As discussed above in “How can the online voting provider verify that the votes they received are the same as the ones that were submitted?”, there is no centralized system to attack. A custom cyber-attack would have to be levied against each individual voter, which would be prohibitively expensive and time-consuming. Furthermore, attacking voters who are using the live operating system described in the previous question would be nearly impossible.

What contingencies are there for votes being tampered with on an individual and large-scale basis?

Due to the decentralized design of the Follow My Vote system and the blockchain-based record, it should be impossible to tamper with votes on a large-scale basis. If such an attack could be found, the same attack could compromise the entire Bitcoin network (an online payment processing network). Since there is already such a great incentive to find such an attack, yet Bitcoin remains secure against large-scale attacks, it is highly unlikely that such an attack will be found.

The difficulty of attacking an individual voter depends on how careful they are to avoid attack, but as described in the question “What safeguards are there against malware on the voter’s device?”, the Follow My Vote software will be designed to make it easier for voters to protect their security than to compromise it. Nevertheless, if such an attack is successfully levied against a voter, that voter will immediately be able to see on the public record that his vote has been tampered with, and will be able to report the fraud to the election officials. From there, the exact details of how fraud is dealt with will need to be determined on an election by election basis.

How can you detect interference with the online voting system during the election?

Because all of the online communications used by the Follow My Vote system will be encrypted and cryptographically signed, any interference with the online communication will be automatically detected and rejected.

What audit trails can an online voting system provide?

The Follow My Vote online voting system will provide a complete audit trail for the entire election, from identity verification through to the final tally, on the public blockchain record. The open source application will validate this entire audit trail when tallying the results to ensure that no tampering occurred. Since the application is open source, the public can examine its code and verify that it is auditing the election correctly.
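Added example, not Follow My Vote’s own code: a sketch of auditing a hash-linked ballot record while tallying it, applying the rules this FAQ describes (only certified keys count, a later ballot replaces an earlier one, a revocation in favor of paper removes the online vote). The record layout, field names and key labels are assumptions, and the per-ballot signature checks a real audit would perform are omitted.

```python
import hashlib
import json
from collections import Counter

GENESIS = "0" * 64


def entry_hash(prev_hash: str, payload: dict) -> str:
    """Hash that links an entry to everything recorded before it."""
    body = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode()).hexdigest()


def append(record: list, payload: dict) -> None:
    prev = record[-1]["hash"] if record else GENESIS
    record.append({"prev": prev, "payload": payload,
                   "hash": entry_hash(prev, payload)})


def audit_and_tally(record: list, certified_keys: set) -> Counter:
    """Re-check every link, then count at most one ballot per certified key."""
    prev, latest = GENESIS, {}  # latest: key -> current choice, None = revoked
    for i, entry in enumerate(record):
        payload = entry["payload"]
        if entry["prev"] != prev or entry["hash"] != entry_hash(prev, payload):
            raise ValueError(f"record altered at entry {i}")
        prev = entry["hash"]
        key = payload["key"]
        if key not in certified_keys:
            continue  # key was never certified: ignored
        if key in latest and latest[key] is None:
            continue  # revoked in favor of paper: later online votes ignored
        latest[key] = None if payload["type"] == "revoke" else payload["choice"]
    return Counter(c for c in latest.values() if c is not None)


def sample_record() -> list:
    """Constructed sample data, not taken from any real election."""
    record = []
    for payload in [
        {"type": "vote", "key": "K1", "choice": "A"},
        {"type": "vote", "key": "K2", "choice": "B"},
        {"type": "vote", "key": "K1", "choice": "B"},   # K1 updates its ballot
        {"type": "vote", "key": "K9", "choice": "A"},   # K9 is not certified
        {"type": "vote", "key": "K3", "choice": "A"},
        {"type": "revoke", "key": "K3"},                # K3 votes on paper
        {"type": "vote", "key": "K3", "choice": "A"},   # ignored after revoke
    ]:
        append(record, payload)
    return record


if __name__ == "__main__":
    record = sample_record()
    print(audit_and_tally(record, {"K1", "K2", "K3"}))  # Counter({'B': 2})
    record[1]["payload"]["choice"] = "A"                # tamper with K2's vote
    try:
        audit_and_tally(record, {"K1", "K2", "K3"})
    except ValueError as err:
        print("audit failed:", err)
```

The hash links only show that a stored entry was changed after the fact; agreement on which record is the authoritative one comes from the blockchain network itself, which this sketch does not model.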

How do you stress-test and verify whether an online voting system is sufficiently secure?

There is only one way to determine if a particular online system is secure, and that is to try to attack it. If no successful attack can be found, it is considered secure. Even formal proofs of correctness can only verify that the software is doing what it was intended to; they cannot verify that the software is invulnerable to an attack its designers failed to foresee.

Because the Follow My Vote system is based on proven blockchain technology, which has been open to attack for several years, it is unlikely that such an attack will be found.

How do you guard against a third party hacking into the system and stealing voters’ personal details and a record of who they voted for?

The Follow My Vote system will not need to store any voter’s personal details, nor does it mandate what details may need to be collected and/or stored. The identity verification agencies chosen for a particular election will likely need to collect some personal details in order to certify within the Follow My Vote system that the voter’s on-chain identity is unique and authorized to vote, but it is their responsibility to ensure the confidentiality of any data they require in order to grant this certification.

Would you consider open-sourcing your software or working with others in an alliance?

Follow My Vote’s code is open source on GitHub. The entire voting system will be open source, including the voting, tallying, and auditing software. They welcome contributions from all who wish to further the goal of building a secure, open source, end-to-end verifiable online voting system and seeing this system implemented in elections around the world. Anyone wishing to help out with development should visit followmyvote.com/code-contributors.

Real Questions By Real People 

The blind signature approach is better than the double-envelope approach because it doesn’t require procedural security when splitting the votes and counting them. But does it allow revoting on paper after you have voted online?  – Bozhidar Bozhanov, Advisor to the Deputy Prime Minister of Bulgaria

Yes, our protocol allows voters to rescind their online votes in favor of a paper ballot. Voters who have completed our registration process have an anonymous voting account which casts votes on the blockchain. They can cast a special kind of “vote” which declares their online vote revoked in favor of an offline vote, at which point our voting application will provide them with a receipt. They must present this receipt at the central polling place. The worker at the polling place checks that the receipt is valid and marks the anonymous voting account as having received a paper ballot, to prevent the same voter from receiving multiple paper ballots at different times, and gives the voter their paper ballot.

How do you propose to manage secure key distribution in this system? Is presentation of a private key sufficient to prove my identity? Also, how do you prevent sabotage of the election, for example by DDoS attacks? Or even geographically selective DoS of clients and client networks, that might prevent voting by certain demographics in a way that could change the election outcome? Another question: Can (A) blockchain technology, and (B) your software specifically, handle different voting systems like Alternative Vote (aka Instant Runoff) or proportional systems like Single Transferable Vote? – Ian from the UK

The blockchain is the PKI in our designs. Using a blockchain as a PKI is a practical scenario, and the BitShares blockchain already does just this by mapping usernames to public keys. What this looks like in the voting context is that a user creates a key pair, and publishes the public key on the blockchain as an identity, then uses that key to sign a request for an ID verifier to certify that on-chain identity as being unique and authorized to vote. The exact procedure by which the verifier determines the identity of the person making the request is out of scope for the voting system, but we have a general procedure outlined which closely mirrors that of getting your identity verified for an SSL certificate today.

As to preventing sabotage, there are a number of ways this could be attempted. An attacker could attempt to manipulate the individual votes themselves, but our protocol is designed to make this impossible at large scale, and extremely difficult and expensive at small scale. Furthermore, even if an attacker targeted a specific voter to change his vote, the voter could easily detect this and report the fraud. As you pointed out, a more promising sabotage technique would be some kind of DoS as a censorship mechanism. Unfortunately, DoS neutralization/mitigation is an open problem, and we do not have a solution to it, but DoS attacks are noisy (implying a high risk of being caught), so if a DoS attack were to occur, it would be widely known, and of course the election results would not be considered valid until all voters have had a chance to vote. Furthermore, our decentralized design makes DoS difficult: there is no server to attack, and since a voter could vote from her phone, it would be difficult to successfully deny her service, as she could simply move to a different access point and try again. Additionally, election officials can make DoS attacks impractical by setting a large window during which votes will be accepted. Maintaining such a high-profile attack across the entire window would then be prohibitively expensive and/or too risky.

To your final question, our software can be easily adapted to support arbitrary contest, contestant, and tally semantics, even on a per-contest or per-election basis. As long as it is possible to express the votes in a digital format and count them unambiguously, we can implement it, possibly without even requiring an update to the software.

Do you have a version of FollowMyVote that supports any form of Proportional Representation voting system such as MMP or STV? – Mark from Canada

Our voting system starts with the assumption that a voter can securely prove his real-world identity over the internet (typically using a service like Jumio), and that given a real-world identity, it is possible to unambiguously determine which contests, if any, that identity is authorized to vote on. We should be able to customize our software to serve any use case that fits those conditions.

There are often many uncast ballots in an election. What prevents a bad actor from voting on behalf of the people who were not going to vote for themselves – in other words, ballot stuffing? That is, if a bad actor were able to get a list of voter ids, could they determine which ones were unused and vote for those voters? Or similarly, could a bad actor register dogs or dead people and then vote on their behalf? – Mark from Canada

You mention an attacker leveraging otherwise unused login credentials to submit valid votes, but in our design there should be no unused login credentials at all. Voters prove their real-world identity to the ID verifiers which then certify their public keys (on the blockchain) as belonging to said identity (like a PKI). The voter then begins registration using this certification, and finishes it using a new key which can’t be tied to his identity. We’re about to release a video describing exactly how this registration works. We’ll send you a link when that goes live. (Watch Video Here)

At the end of this registration process, the voters who completed the process have a key which is publicly certified as being able to vote on the appropriate set of contests, but which cannot be tied by anyone, including the ID verifiers or registrars, to the voter’s identity. Only votes which are signed by such a key will be counted, thus eliminating ballot box stuffing.

An attacker could attempt to fraudulently register as one of the eligible voters, but the ID verifiers should detect and reject this attempt. Even if he believed he had a reasonable chance at success, in general he has no way of knowing which identities will legitimately register, and if he successfully registered with an identity whose owner later tried to use it legitimately, it would be detected that someone had fraudulently voted.

Of course our system is designed to be as fraud-resistant as possible, but one of our design principles is, when fraud is successfully executed, to make that fraud detectable. This is different from currently utilized voting systems, which generally make fraud undetectable.

What is a “blinded token” (that will be signed by the registrar)? Is it a “Blind RSA Signature”, as described here on Wikipedia? – D. Pulmi

Yes, that’s the blinded signature scheme we’re using. The token itself is just a random nonce selected by the voter.
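Added example, not Follow My Vote’s own code: the blind RSA signature exchange named in this answer, with the token as a random nonce chosen by the voter, showing how a registrar can authorize one token per certified identity (as in the registration answer above) without being able to link the signed token to that identity. The key, the SHA-256 token encoding, the class names and the single-use ballot box are assumptions made for illustration; the textbook RSA here has no padding and uses a constructed demo key.

```python
import hashlib
import math
import secrets

# Constructed demo key: both primes are Mersenne primes, so this modulus is
# trivially factorable. A real registrar would use a properly generated key.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # registrar's private exponent


def token_digest(token: bytes) -> int:
    """Map the voter's nonce to an integer mod N (assumed encoding: SHA-256)."""
    return int.from_bytes(hashlib.sha256(token).digest(), "big") % N


def blind(token: bytes):
    """Voter: hide the token digest behind a random blinding factor r."""
    r = secrets.randbelow(N - 2) + 2
    while math.gcd(r, N) != 1:
        r = secrets.randbelow(N - 2) + 2
    return (token_digest(token) * pow(r, E, N)) % N, r


class Registrar:
    """Signs one blinded token per certified identity; never sees the token."""
    def __init__(self, certified_ids):
        self.certified = set(certified_ids)
        self.issued = set()

    def sign_blinded(self, identity: str, blinded: int) -> int:
        if identity not in self.certified:
            raise PermissionError("identity is not certified to vote")
        if identity in self.issued:
            raise PermissionError("a token was already signed for this identity")
        self.issued.add(identity)
        return pow(blinded, D, N)


def unblind(blind_sig: int, r: int) -> int:
    """Voter: remove r, leaving an ordinary RSA signature on the token."""
    return (blind_sig * pow(r, -1, N)) % N


def verify(token: bytes, sig: int) -> bool:
    """Anyone: check the signature using only the public key (N, E)."""
    return pow(sig, E, N) == token_digest(token)


class BallotBox:
    """Accepts a token once, and only with a valid registrar signature."""
    def __init__(self):
        self.used = set()

    def cast(self, token: bytes, sig: int) -> bool:
        if token in self.used or not verify(token, sig):
            return False
        self.used.add(token)
        return True


if __name__ == "__main__":
    registrar, box = Registrar({"voter-1"}), BallotBox()
    token = secrets.token_bytes(32)  # random nonce chosen by the voter
    blinded, r = blind(token)
    sig = unblind(registrar.sign_blinded("voter-1", blinded), r)
    print(box.cast(token, sig), box.cast(token, sig))  # accepted once only
```

The registrar only ever handles the blinded value, which differs from the token digest by the secret factor r, so the signature later presented with the token cannot be matched to the signing request.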

 

If you still have questions please reach out via our contact page.