In early February 2017, two large Internet-based consultations were held in Madrid, Spain. From February 4 through February 11, over 155,000 members of Podemos voted online to renew the party leadership and political line before the second party congress of Vistalegre. A few days later, 214,000 madrilenos voted in the first binding city referendums (76,000 of which via the Internet) concerning public transport, a sustainability programme, and the renovation plan for Plaza de Espana.
In both circumstances, Podemos party members and Madrid residents relied on Agora Voting, an open source software developed by a small team of Spanish programmers and tech activists that allows the members of any organization to vote online.
Some of these activists, had co-founded in 2009-10, the Partido de Internet, a small Internet party that sought to replicate the successes of rising European political formations such as the Swedish and the German Pirate Parties. Like its Northern European counterparts, the PDI promoted a radically participatory model of democracy known as Liquid Democracy. Unlike its Northern European counterparts, the PDI never reached a critical mass of activists and electors, precisely leaving as its most durable legacy Agora Voting, which started as a party research project.
Beginning in 2011, Agora Voting took on a life of its own to meet a growing demand for secure voting systems that leverage the distributed features of the Internet. Since then, the software has been used by Spanish parties such as Compromis and Podemos, the Norwegian Sosialistisk Venstreparti, as well as police unions, municipal administrations, and professional associations. Overall, the system’s developers estimate that the software has been employed in 700 online consultations, where over 1 million votes have been cast and counted.
David Ruescas, who first began developing Agora Voting in 2009, was later joined by Eduardo Robles and Lucas Cervera, who helped him develop it and market the company’s services, respectively. In 2016, Agora Voting was renamed nVotes. In this interview, which was held via email, Ruescas reflects on the state of the art of online voting systems, the safety and verifiability of online voting, as well as the public lack of interest in the implementation of liquid democracy-based systems.
Marco Deseriis (MD): Can the users of your software rest assured that their election is 100% secure and trustworthy?
David Ruescas (DR): Like any computer system, no electronic voting system can be said to be 100% secure. Claims of this type are not only false, but misleading. However, meaningful distinctions can be made between systems that aim to achieve certain properties deemed important for voting, and those that do not. Agora Voting is a system which employs state of the art techniques as an attempt to achieve the properties defined in the literature on secure voting systems. This does not mean that Agora Voting is 100% secure, but only that it applies said technologies as best as possible, given our limitations and resources.
In the end, what matters is whether the properties that Agora Voting offers are sufficient for each use case. For each electoral process run by Agora Voting, a technical specification is published that details what security properties are offered and the supporting assumptions. Part of our mission is to be transparent about what can and cannot be achieved.
MD: Do the elections rely on secret ballots?
DR: Yes, we run elections with support for ballot privacy through encryption.
MD: Is the vote verifiable?
DR: Leveraging years of academic research, nVotes employs mixnet-based cryptography to support privacy (thresholded) as well as end-to-end (cast-as-intended, recorded-as-cast, counted-as-recorded) verifiability. End-to-end verifiability is the current gold standard for electronic voting systems, and is widely regarded as a requirement for politically binding elections in the research community.
MD: Can you explain how the vote gets verified in the E2E process?
DR: There are three distinct verification steps in E2E systems. First, the user can initiate a ballot audit to ensure the encrypted vote corresponds to their choice. Basically, the user selects an option on the voting booth that displays encryption data which can then be verified on a secondary device (typically a different computer they own).
Second, after casting the ballot, the user receives a receipt that corresponds to a specific record in the database. This allows the user to check that their ballot was correctly recorded. Finally, the entire tally process can be mathematically verified to ensure that the set of registered encrypted ballots corresponds to the set of decrypted ballots used in the counting, and that the tally is correct. This last step can be conducted after the election.
MD: A while ago the Chaos Computer Club offered a famous demonstration, known as the Wahlcomputer problem, which showed that electronic voting cannot be trusted regardless of whether it is via the Internet or local electronic voting machines. The German Constitutional Court subsequently recognized the unconstitutionality of the electronic vote, claiming that the electoral process must be understood by any citizen without specialized knowledge. Even though Agora Voting has not been used in official elections, how do you respond to those who claim that the only way to ensure the trustworthiness and verifiability of voting is via a paper ballot or an equally simple recording method? Have you ever addressed this kind of concern during the consultations you have held so far? If so, how?
DR: As I said, no electronic election can be said to be 100% secure. Having said this, traditional elections via paper ballots are not 100% secure either. There have been many cases documented in history of election fraud with traditional elections. Some argue that electronic voting solutions offer better verifiability properties as voters can check that their ballots were correctly recorded and that tallies have been correctly calculated (universal verifiability).
On the other hand, and as you point out, voters cannot be expected to understand the mathematics underlying cryptographic techniques employed in secure electronic voting. This debate is important, and compelling arguments can be made on both sides, including criticisms of electronic voting.
In conclusion, we do not have an official position in the general electronic vs. paper voting debate. Our position is simply that, if you wish to carry out electronic voting, we offer solutions that offer some of the best guarantees possible leveraging academic research. Whether those guarantees are sufficient for any specific purpose is for users and society in general to determine.
MD: Can you explain how a political party such as Podemos, for example, has been using the software?
DR: Podemos has used the system many times. Some example use cases are: to carry out online primaries, to elect members to party positions (e.g. secretary general), to approve internal regulation documents and to determine the party’s official position (internal referenda) on important issues. Among many other examples, the city of Lugo used the system to implement participatory budgeting. In all these cases the organizers required strong support for ballot privacy.
MD: Does Agora Voting/nVotes implement different voting systems? And if so, do you recommend any of these voting systems to the organizations that approach you? In other words, I was wondering whether Agora Voting/nVotes should be considered as an intermediary that satisfies needs that are defined in advance by your customers, or whether you also suggest voting solutions that end up shaping a decision-making process.
DR: Yes, the system is built for flexibility and different voting systems are supported; new ones are added when requested. Besides providing technical solutions, we also advise organizations and provide consulting on matters related to voting and e-participation.
This includes things like choice of voting system. However our advice is limited to informing these organizations of the options available and recognized best practices, and we are careful not to enter into political terrain to the best of our abilities. So no, we try to avoid shaping decision-making, although sometimes the distinction is blurry.
MD: When you started Agora Voting you were working on a system that would allow users to delegate their vote to other users. Does Agora Voting support delegated voting?
DR: Agora Voting was designed from the start as a system that would support liquid democracy, and initial versions supported it as a core functionality. However, with the passing of time, we have come to realize that the demand for this feature in “secure elections,” those where the properties we mentioned above are important, is not very high. For this reason, the current version of Agora Voting does not include this functionality, although the design does allow it to be implemented.
MD: How does your implementation differ from LiquidFeedback?
DR: The distinguishing characteristic of Agora Voting is that it supports secure liquid democracy, i.e. the ability to maintain privacy in a context with vote delegation. The crypto scheme supporting this came out of original research conducted for this purpose. Although this design is ready for implementation, this has not been carried out as of today.
MD: Why do you think there is not much demand for liquid democracy-based voting systems? Is this based on lack of knowledge or something else?
DR: In our experience lack of knowledge is definitely a factor, both on the side of organizers and potential voters. Additionally, organizers are reluctant to make too many disruptive changes at once, and liquid democracy is a step beyond direct democracy which they feel is already a hard enough sell. It may be the case that as direct democracy initiatives become more popular and public awareness of different participatory mechanisms rises, demand for liquid democracy may also rise. On the other hand, it may also be the case that practical experience with liquid democracy reveals problems that cannot be clearly identified and predicted at this stage.