More and more is going online and digital, and as a result many things become simpler and more efficient. Wouldn't it be a good idea to digitize elections as well?

If a vote were conducted as an "online election," there are primarily two significant challenges: first, protecting the secrecy of the ballot; and second, protecting the cast votes and the results from manipulation.

There are primarily two areas in which these challenges must be addressed for an online election.

First, the device: There are an almost infinite number of combinations of users, devices, operating systems, browsers, add-ons, and apps. Accordingly, there are just as many ways for malware to break the secrecy of the ballot, in isolated cases or on a large scale, and to manipulate the vote during casting. This can be done in such a way that the vote appears on the display to be cast for the desired option, while in the background malware alters the vote unnoticed. Efforts could be made to better secure devices through education. However, this is realistically impossible due to the high complexity of the devices. Alternatively, the voting process could be offered on specific devices provided for elections. These could then be centrally secured before distribution. Due to their very limited functionality, securing these would be much more realistic. However, distributing and collecting such devices for every election would be too costly and impractical.

Second, the voting application: The security of the election application could theoretically be verified through evaluations in the form of formal mathematical proofs and corresponding certification. But how can it be proven that exactly this software, unaltered and unmanipulated, is used for the entire election period? The servers on which the election application runs have the fundamental issue that they (like all multifunctional devices connected to the internet) can never be 100% secure. Consequently, it cannot be ruled out that a security gap in the server could lead to the manipulation of the election software to track who voted for whom and/or manipulate votes before or during casting or tallying. Particularly critical is that reliable detection of manipulation is not possible even by forensic experts, as such manipulation cannot be seen in the election results. A very unexpected result might be an indication but not proof.

Therefore, simple isolated solutions for the end devices and the election application do not lead to the goal. From an IT security perspective, there is an approach that addresses these two challenges to a large extent: the so-called "Distributed Code Voting with Confirmation Code."

In this approach, there is not only one provider of the online voting system but a number of independent parties that offer parts of the online voting system and monitor or control each other to ensure a kind of ‘four-eyes principle’. The entire online voting system therefore consists of different independent voting applications, which are provided by different independent parties and run on their independent servers. In addition, the realisation of this approach requires a print service provider that receives information from the various parties involved and uses it to generate the election documents - the so-called voter-specific code sheets - and sends them to the eligible voters by post.

From the perspective of an eligible voter, the following simplified process occurs with this approach: Everyone receives a "code sheet" by mail. Next to each candidate, there is a personal, unique candidate code. Additionally, a so-called confirmation code, which is also unique for each eligible voter, is printed on the sheet. After entering and submitting the candidate code on the voting website, this code is stored by all the involved servers. Furthermore, each involved server generates a part of the confirmation code based on the candidate code and sends its part back to the eligible voter. The entire confirmation code is then displayed on the screen. The eligible voter should now compare whether the displayed confirmation code matches the one on their code sheet.

If this is the case, the voter has a mathematical proof that their vote has been correctly stored and will be counted later. This holds true as long as at least one of the involved parties is working correctly and its server has not been tampered with. If voters forgo this verification, they will not be able to detect any changes to their vote, and thus potential election manipulation.

The servers monitor each other in the spirit of the four-eyes principle during the vote counting process. Assuming that at least one of the servers is behaving "honestly," voters can be confident that all votes are counted correctly.

And for those wondering why the code sheets are printed on paper and distributed by mail in an "old-fashioned" manner: firstly, it's because there is still no practical and widely available method for secure online identification in Germany.
Secondly, it is crucial that the code sheets are delivered through a secure channel. If the code sheet were delivered digitally, malware on the end device could access both the identity of the voter and the association of candidate codes with the voting behavior. The malware could covertly break the secrecy of the vote and manipulate the vote by sending a different candidate code in the background. By sending the code sheets on paper through the postal service, malware on the device would be rendered ineffective, as it would not know the identity of the voter or the candidate codes. Consequently, it could neither covertly alter the vote nor breach the secrecy of the election. Therefore, it is not necessary to secure the devices completely, as long as the voters perform the verification of the confirmation code.

Among the parties involved, the printing service provider is the most critical point in this approach because, in addition to the contents of the code sheets, they also have knowledge of the voters' identities. For instance, they could swap the candidate codes for certain eligible voters, so that the candidate code for candidate A appears alongside candidate B, and vice versa. That's why it's crucial that the generation of the code sheets is very well secured, for example, by being done offline as much as possible and being accompanied and monitored by election observers.

Just like in a traditional paper-based election, the only way to compromise this entire online voting system is to bypass the four-eyes principle. This means that ALL parties involved would need to be manipulated into behaving "unlawfully": this includes all mutually monitoring voting applications or the servers on which they operate.

Overall, the risk of election influence is significantly lower when using the "distributed code voting with confirmation codes" approach compared to without it, because attackers are compelled to manipulate multiple systems simultaneously.
Additionally, malware on voters' devices cannot be used to breach the secrecy of the vote or manipulate votes.

However, this approach also has several disadvantages, including:

- Lack of accessibility, especially for people with severe visual impairments.
- It is not practical for all types of elections. For example, in complex local elections such as those in Hesse, Bavaria, or Baden-Württemberg, where the codes of over 50 candidates would need to be entered.
- The process of printing the voting materials is more complicated than in a "traditional" election because unique code sheets must be printed for each individual voter.
- Implementing the four-eyes principle requires multiple independent parties and complex cryptography to determine the different codes and to collectively determine the result from all submitted candidate codes. This makes it expensive and labor-intensive.

In addition to the "distributed code voting with confirmation codes" approach, there are other methods that, for instance, require a second device instead of printed codes to verify that the vote was submitted and stored without alteration. However, these approaches have other significant disadvantages: malware on the device can compromise the secrecy of the vote. They are also similarly complex to code voting with confirmation codes. Therefore, they are only feasible if one is willing to accept that the secrecy of the vote on the device is not protected.

From a technical standpoint, there are many approaches, each with its own set of advantages and disadvantages. Currently, there is no single technique that convincingly addresses all challenges without introducing new ones. Further research is needed to develop a solution that effectively addresses these issues.

Indeed, regardless of which existing approach is used to conduct an online election, there is a common challenge: reliably detecting any manipulation of votes and results while preserving the secrecy of the vote requires extremely complex cryptographic methods. These can only be understood and assessed by a small minority of experts. The question then arises: can the majority trust the election results and the election process overall under these circumstances? Especially in times when certain movements deliberately attack democracy by casting doubt on election results?
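
The confirmation-code check described above can be tried out with the following toy model, which is an added example and not part of the original text or of any real voting system. It assumes HMAC-derived codes, three servers and hypothetical names throughout (Server, print_sheet, cast, demo), and it leaves out the tally and the cryptography that a real scheme needs so that no single server learns which code belongs to which candidate.

```python
import hmac, hashlib, secrets

CANDIDATES = ["A", "B", "C"]   # constructed ballot
PART = 6                       # hex chars each server contributes per code

def tag(key, *fields):
    msg = "|".join(fields).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:PART]

class Server:
    def __init__(self, index, honest=True):
        self.index, self.honest = index, honest
        self.key = secrets.token_bytes(32)   # never leaves this party
        self.stored = {}                     # sheet id -> submitted code

    def code_part(self, sheet, cand):
        return tag(self.key, "cand", sheet, cand)

    def conf_part(self, sheet):
        return tag(self.key, "conf", sheet)

    def submit(self, sheet, code):
        # Check only this server's own slice of the submitted candidate code.
        mine = code[self.index * PART:(self.index + 1) * PART]
        valid = any(hmac.compare_digest(mine, self.code_part(sheet, c))
                    for c in CANDIDATES)
        if self.honest and not valid:
            return None                      # withhold the confirmation part
        self.stored[sheet] = code            # a dishonest server accepts anything
        return self.conf_part(sheet)

def print_sheet(servers, sheet):
    """Print service: joins every party's parts into one paper code sheet."""
    codes = {c: "".join(s.code_part(sheet, c) for s in servers)
             for c in CANDIDATES}
    confirmation = "".join(s.conf_part(sheet) for s in servers)
    return codes, confirmation

def cast(servers, sheet, code):
    """Voting website: returns the confirmation code shown on screen."""
    parts = [s.submit(sheet, code) for s in servers]
    return None if None in parts else "".join(parts)

def demo(honest_flags, tamper):
    servers = [Server(i, h) for i, h in enumerate(honest_flags)]
    codes, printed = print_sheet(servers, "sheet-0001")
    typed = codes["A"]
    sent = "0" * len(typed) if tamper else typed   # malware guesses blindly
    return cast(servers, "sheet-0001", sent) == printed  # voter's comparison
```

demo returns whether the voter sees a matching confirmation code: a replaced code is caught as long as one server is honest, and goes unnoticed only when every server colludes.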