
How do any of these schemes ensure that votes can't be traced back to individuals? Secrecy is an important part of voting.


Different systems have different approaches. If you're a voter, you can use your web browser's developer tools to see what's going on, and part of my research is essentially doing that with systems like this.

With one Ontario online voting system used by dozens of municipalities, your choice is sent via a form submission (POST) to the server. The POST contains your choice in its body (in plain text) and your browser also sends a cookie/authorization header which contains a token which was generated by the server and given to the client when the client logged in with the PIN/birthday. In that case, the online voting system could identify you and who you voted for at the time the request is made (they receive both the authorization token linked to your identity and the vote in the same request). The vendor then takes procedural steps to separate you from your vote, and the elections authority running the election receives a report of the totals (but not who each voter voted for) from the vendor.

However, other systems are a bit more complicated. They'll serve you client-side javascript which does cryptography with your PIN / voting choice such that you can prove to the server you are authorized and made a valid vote, but the server can't link your vote to your identity. Then there's a lot of stuff that happens to mix votes together before they are unsealed and counted. I'm not a cryptographer, so I can't give you the best explanation off the dome.

The Swiss system does try to do something that looks like the latter approach, and they hire cryptographers and security professionals (and have public testing) to ensure the system's design meets requirements for ballot secrecy and that the implementation is correct.

There's a video about how ballot secrecy is ensured with the Swiss system which you can watch at this link:

https://digital-solutions.post.ch/en/e-governmenthttps/digit...


So basically you log in to the login server, which passes a token to the vote counting server that the vote is valid but with no identifying information? And there is some way to verify that these two entities do not cooperate?

How do you override a previously cast vote in that system?

(Overriding a vote is a popular solution to vote buying/intimidating which is otherwise a problem with mail-in votes and e-votes.)


Love the questions!

> So basically you log in to the login server, which passes a token to the vote counting server that the vote is valid but with no identifying information? And there is some way to verify that these two entities do not cooperate?

With the Ontario system I described (first example), no. You can't ensure this. In fact, the server that receives your authentication credentials is the same as the server that receives your vote.

How things work:

1. You send a POST with {"DOB":"1995-01-01", "PIN":"12345678"} to server.

2. Server responds with a session cookie. That cookie is included with all subsequent requests in order for the server to know you are authenticated. This is a typical authentication scheme for web applications.

3. Eventually you make a selection and cast your vote. This will send your vote, and the cookie, to the server.

4. The server verifies the cookie is valid and records your vote.

It is definitely possible for the server to connect the identification information you provided in your initial login with the cookie, if it chooses to log that data. There's no way for the client to know if it's happening or not.

It's also a proprietary system, and because it's owned and operated by the online voting vendor (and not a government body) it's exempt from freedom of information legislation, so you wouldn't be able to see any information about the system's design even if you really wanted to. We do know steps 1-4 exist though, because we can infer all of it from the browser's development tools when interacting with the website.

With this type of system, there is also no meaningful way for a municipality to verify the count is correct, beyond the testimony of the vendor. The system is a black box, where votes go in and a result comes out. The vendor reports the result, and the municipality then declares candidates elected.

To be clear: Not a hypothetical. This is a real system! Used by 49 municipalities in 2022!

> How do you override a previously cast vote in that system? (Overriding a vote is a popular solution to vote buying/intimidating which is otherwise a problem with mail-in votes and e-votes.)

You don't! To the best of my knowledge, no vendor/municipality offers this feature in Ontario.
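The two designs discussed in this thread, the cookie-joined flow in steps 1-4 above and the "prove you are authorised without the server linking your vote" approach sketched in the earlier reply, as a runnable simulation. This is an added example written for this thread, not code from any vendor or from the commenter. Design 1 follows the steps exactly as described; Design 2 uses a textbook RSA blind signature (Chaum-style) as one concrete instance of the idea the thread only outlines, so the construction is an assumption, not a description of any deployed system. The class and function names, the DOB/PIN values, the voter id, the candidate label and the toy RSA primes are all constructed for the example, and the key size is far too small for anything but illustration.

```python
"""Who-is-allowed-to-vote vs what-they-voted: a linkable design next to an unlinkable one.

Constructed educational simulation for this thread; it is not any vendor's code.
Design 1 mirrors the described flow (login -> session cookie -> vote + cookie).
Design 2 uses a textbook RSA blind signature (Chaum) so the authority that checks
identity never sees the ballot, and the box that sees the ballot never sees identity.
Toy key sizes: demonstration only.
"""
import hashlib
import math
import secrets


# ---- Design 1: identity and vote reach the same server, joined by a cookie ----

class LinkableVoteServer:
    def __init__(self):
        self.sessions = {}      # cookie -> identity supplied at login
        self.request_log = []   # (path, body, cookie) for every request received
        self.votes = []

    def login(self, dob, pin):
        cookie = secrets.token_hex(16)               # step 2: session cookie
        self.sessions[cookie] = (dob, pin)
        self.request_log.append(("POST /login", {"DOB": dob, "PIN": pin}, cookie))
        return cookie

    def cast(self, cookie, choice):
        if cookie not in self.sessions:
            raise PermissionError("invalid session")  # step 4: cookie check
        self.request_log.append(("POST /vote", {"choice": choice}, cookie))
        self.votes.append(choice)

    def join_identity_and_vote(self):
        """What the operator can reconstruct from ordinary request logs alone."""
        return [(self.sessions[c], body["choice"])
                for path, body, c in self.request_log if path == "POST /vote"]


# ---- Design 2: authority signs a blinded commitment; ballot box never sees identity ----

def ballot_digest(ballot: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(ballot).digest(), "big") % n


class BlindSigningAuthority:
    """Knows who you are; signs one blinded value per voter; never sees the ballot."""
    def __init__(self, p, q, e=65537):
        self.n, self.e = p * q, e
        self.d = pow(e, -1, (p - 1) * (q - 1))
        self.issued = set()
        self.request_log = []   # (voter_id, blinded) is all it ever receives

    def sign_blinded(self, voter_id, blinded):
        if voter_id in self.issued:
            raise PermissionError("one ballot authorisation per voter")
        self.issued.add(voter_id)
        self.request_log.append((voter_id, blinded))
        return pow(blinded, self.d, self.n)


class AnonymousBallotBox:
    """Sees (ballot, signature) only, over a session carrying no login cookie."""
    def __init__(self, n, e):
        self.n, self.e = n, e
        self.ballots = {}       # signature -> ballot; the signature doubles as a replay check

    def accept(self, ballot, sig):
        if pow(sig, self.e, self.n) != ballot_digest(ballot, self.n):
            raise ValueError("ballot not authorised")
        if sig in self.ballots:
            raise ValueError("duplicate ballot")
        self.ballots[sig] = ballot


def voter_blind(ballot, n, e):
    """Client side: hide the digest behind a random factor r before requesting a signature."""
    m = ballot_digest(ballot, n)
    while True:
        r = secrets.randbelow(n - 2) + 2             # r in [2, n-1], must be invertible mod n
        if math.gcd(r, n) == 1:
            return m * pow(r, e, n) % n, r


def voter_unblind(blind_sig, r, n):
    return blind_sig * pow(r, -1, n) % n             # (m r^e)^d * r^-1 = m^d


def run_scenarios():
    # Design 1: one server sees DOB/PIN at login and the vote under the same cookie.
    server = LinkableVoteServer()
    cookie = server.login("1995-01-01", "12345678")  # constructed sample values
    server.cast(cookie, "Candidate A")
    joined = server.join_identity_and_vote()

    # Design 2: authority authorises a blinded value; a separate box accepts the ballot.
    authority = BlindSigningAuthority(1299709, 15485863)   # toy primes, constructed
    box = AnonymousBallotBox(authority.n, authority.e)
    ballot = b"Candidate A|" + secrets.token_bytes(16)     # nonce keeps equal choices distinct
    blinded, r = voter_blind(ballot, authority.n, authority.e)
    sig = voter_unblind(authority.sign_blinded("voter-1", blinded), r, authority.n)
    box.accept(ballot, sig)

    def rejects(fn):
        try:
            fn()
        except (PermissionError, ValueError):
            return True
        return False

    return {
        "design1_server_can_join_identity_to_vote":
            joined == [(("1995-01-01", "12345678"), "Candidate A")],
        "design2_authority_saw_digest_or_signature":
            any(v in (ballot_digest(ballot, authority.n), sig) for _, v in authority.request_log),
        "design2_ballot_accepted": len(box.ballots),
        "design2_second_authorisation_rejected":
            rejects(lambda: authority.sign_blinded("voter-1", blinded)),
        "design2_replayed_ballot_rejected": rejects(lambda: box.accept(ballot, sig)),
    }


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

The point of running both side by side: in Design 1 the operator's own request log is enough to pair each voter with a choice, so secrecy rests entirely on the procedural separation the vendor promises. In Design 2 the authority's log holds only blinded numbers, the box holds only ballots and signatures, and neither record can be joined to the other, while the signature check still stops an unauthorised or replayed ballot. Whether a real system achieves this is exactly what the public design documents and audits of the Swiss scheme are meant to establish.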


There have been plenty of suggested online voting schemes over the past several decades, yet the prevailing theme is that the ones that actually see practical use don't even try to solve the problem.

The reason why we have public elections is to ensure a peaceful transfer of power. I believe each and every scholar of political science would agree with this statement.

What's important is that there must be no reason to sow distrust into the process. No party should be able to claim their votes weren't properly counted, or that the process is somehow suspicious. The voting process could be mathematically perfect, but if people don't trust that votes can't be bought and counters can't be bribed then it's all for nothing.

That's why we need transparency. Not because of some higher theoretical lofty ideas, but because the basis for peaceful transfer of power between parties mutually suspicious of each other is not there.

If trust gets broken then society gets broken. Elections will continue, but in a generation or two they will cease to be able to fulfill their intended goals, and that's when we see the outcome. Not next year. That's what scares me.


So the short answer is that you're shit out of luck and have to trust the voting system, the server, the javascript, and the vendors that produce them? Presumably all of this source code is available somewhere for auditing?


I really enjoy these detailed answers


Happy to provide them! It's an interesting area of research for sure.



