"Electoral registration: a review of the process" consultation - Response of the Centre for Computing and Social Responsibility, De Montfort University
Abstract
This is a response to the 2002 UK Electoral Commission consultation entitled "Electoral registration: a review of the process".
Our interest in electoral registration arises primarily in relation to electronic voting, and most of our comments are related to electronic voting. There are questions within the consultation that are important, but about which we have made no comment, since they are further from our areas of expertise.
We were members of the research team commissioned by, inter alia, the Electoral Commission to research the Implementation of Electronic Voting.
At paragraph 2.21 the consultation document states “Although not a matter for this review, it is also the case that a unique voter identifier could assist in elections being e-enabled (fully electronic). This would not only allow for casting and recording a vote at any polling station within a constituency or ward, but would potentially assist in establishing remote voting from any location.”
We are deeply concerned by this suggestion. Any unique voter identifier for which the relationship with individual identities is anything other than the most closely guarded secret, or one that is used for more than one polling day, is almost certain to mean that the secrecy of ballots cast electronically could not be guaranteed (see Fairweather and Rogerson, 2002, p12).
Identifiers generated for a single polling day according to a suitably secure and random method and distributed through the post (or hand delivered) could be used in the ways described, but any other sort of identifiers should not be used for electronic voting.
In the same way, any other identification data (such as national insurance number or date of birth) that is transmitted as part of the voting process would similarly be incompatible with the secrecy of ballots.
It would be possible for these other identifiers to be used as a security mechanism provided neither they, nor any encrypted form of them, were transmitted. The obvious method of using them would be for each voter to be sent through the post a disk, smartcard, etc. that contained this secondary identification data in a way that could only be accessed by a voting program running on a client-side machine, which would check what the voter input against what was on the disk, but not transmit that data.
A voter identity card for use on more than one polling day would be necessarily incompatible with suitably secret electronic voting.
We favour electoral registers being “universally electronically maintained in accordance with mandatory national standards”, provided those standards are compatible with adequate security (thus, for example, they should preclude the use of insecure software, such as most off-the-shelf proprietary software currently available).
For electronic voting, it is advantageous that electoral registers are nationally coordinated. However, it is vital that this is done in a way that does not introduce a single point of failure for the electoral system. The security threats to electronic voting are sufficiently substantial (see CESG, 2002, p15) as to preclude the electoral system being dependent on a single point of failure.
A nationally managed electoral register would introduce a single point of failure that would be incompatible with secure electronic voting (see answer to Q3(b)).
We would tend to support the opinion of the California Task Force (2002, 2.2) that “Without online infrastructure for strong verification of the identity, citizenship, age, and residence of the person doing the registering, essentially any all-electronic voter registration system would be vulnerable to large-scale and automated vote fraud, especially through the possible registration of large numbers of phantom voters”.
The fact that there has been no evidence that such fraud has taken place in countries with online registration is not particularly relevant, since the dangers are greatest when combined with remote electronic voting, and no other country has more experience of remote electronic voting in public elections than the UK.
While aspects of electronic registration are desirable, it is incompatible with secure remote electronic voting, even if additional security checks are introduced, since none available meet the necessary criteria for security.
A choice needs to be made: either electronic registration, or electronic voting.
The use of additional identifiers in electronic registration would be further incompatible with secure remote electronic voting, since the process would require the transmission of those identifiers in a way that would, in due course, be incompatible with the long-term secrecy of the ballot (see the response to Q2a/b, above).
We welcome the acknowledgment that “the lack of evidence of fraud may not directly reflect the true extent of the situation” and that “Victims of electoral fraud may be under pressure not to complain”. We also welcome the fact that “The Commission is concerned to ensure that current levels of security should be maintained or increased.” We are alarmed, however, that the Commission appears to be unaware that online registration is fundamentally incompatible with this aim with all reasonably foreseeable technologies (except perhaps a national identity card scheme of the sort recently proposed by the Home Office), and is additionally incompatible with remote electronic voting.
Making electoral registers available to political parties is a necessary part of our democratic process, and there is little practical way to maintain the security of the registers once in the hands of parties. Since electronic registers are available to parties, this opens them to computerised searching in a way that does have a strong potential for abuse that could threaten personal safety. Therefore it is our view that anonymous registration should be available.
A requirement for evidence of threat to personal safety, on the New Zealand model, appears appropriate. Greater clarity about the difference between the full electoral register and the edited register may also help persuade people to register, but to exclude themselves from the edited register. That this will make it easier to obtain credit may be an additional persuasive factor, although the current wording of canvass forms obscures the fact that being on the full register is sufficient for such purposes.
While we would not be opposed to data sharing purely to improve the accuracy of the electoral register for electoral purposes, we believe that any data sharing that resulted in electoral registration data being passed on to other departments, since such a process tends to result in a reversal of the balance of proof (see Fairweather and Rogerson, 2003, section 2.39). The register is used for a variety of purposes other than elections, however, and on that basis we are opposed to data sharing to improve its accuracy.
California Task Force (2000) A Report on the Feasibility of Internet Voting, online at http://www.ss.ca.gov/executive/ivote/appendix_a.htm, accessed 2002-12-19
CESG (2002) e-Voting Security Study Issue 1.2, online at http://www.edemocracy.gov.uk/library/papers/study.pdf, accessed 2002-12-19
Fairweather, N.B. and Rogerson, S. (2002) Technical Options Report, online at http://www.local-regions.odpm.gov.uk/egov/e-voting/pdf/tech-report.pdf, accessed 2003-02-28
Fairweather, N.B. and Rogerson, S. (2003) 'Entitlement Cards and Identity Fraud' Response of the Centre for Computing and Social Responsibility, online at http://www.ccsr.cse.dmu.ac.uk/resources/general/responses/entitlement.html, accessed 2003-02-28


