- COMP.SEC.100
- 6. Privacy & Online Rights
- 6.4 Privacy technologies and democratic values
Privacy technologies and democratic values
Privacy protection is crucial for the values that support democratic societies. Paraphrasing Daniel Solove: “Part of what makes a society a good place in which to live is the extent to which it allows people freedom from the intrusiveness of others. A society without privacy protection would be suffocating”. Such a society seemed like science fiction until relatively recently, but, for example, the Facebook Cambridge Analytica case shows how important it is, in order to protect citizens from opinion manipulation, to prevent unauthorised access to their data. Privacy technologies are essential to ensure that the right to privacy is respected in the digital world.
Privacy technologies in support of democracy
The increasing use of electronic applications for transactions benefits society. When citizens have easy means to express their opinions, comment on administrative initiatives and decisions, or vote, their participation in public decision-making increases. This improves the balance of power between decision-makers and those affected by the decisions.
For the above to function effectively, citizens must have both the freedom and the means to express their opinions, confident that their views are not altered or lost during the process. However, there are concerns related to surveillance and manipulation, for example if cloud services or unprotected networks are used to implement applications that enhance democracy. The implementation requires strong privacy-preserving technologies that protect both users’ identities and the data they input into the application.
Electronic voting: Electronic voting systems aim to enable fair elections in an environment where, for example, manipulation or other forms of tampering threaten results. Electronic voting systems must ensure:
- Ballot secrecy: An attacker cannot determine whom a person voted for.
- Universal verifiability: An external observer can verify that all votes have been counted correctly. There are also weaker protocols that provide individual verifiability, where each voter can check that their vote has been counted correctly.
- Eligibility verifiability: An external observer can verify that only eligible voters have cast votes and that each has cast only one vote.
- In addition, some protocols aim to prevent coerced voting.
To preserve ballot secrecy, the link between the voter and their vote must be broken. In physical voting, this is achieved by placing identical ballot papers into the ballot box, so that during counting it is no longer possible to know who cast which vote. In electronic voting, the equivalent is implemented, for example, using mix networks, where votes pass through several mixing stages. There are multiple mixers so that no single entity can trace a voter to a given vote. Finally, the results are published for everyone to verify.
The mixing of votes takes place after all votes have been cast. This ensures that all votes participate in the mixing process and maximum anonymity is achieved. For universal verifiability, each node of the mix network also performs verifiable shuffles, demonstrating that all votes are mixed and that the mixing is random. This uses zero-knowledge proofs. These allow a claim to be proven such that the only information revealed in the proof is the truth value of the claim. Eligibility verification is also implemented in this way: voters must present a zero-knowledge proof of their eligibility.
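The re-encryption mix network described above, as an added toy example that is not part of the course text: ElGamal ciphertexts over a constructed small safe-prime group (P = 1019, Q = 509, G = 4) are re-randomised and shuffled by several mix nodes before decryption, so the output order cannot be linked to the casting order. The zero-knowledge proofs of correct shuffle mentioned in the text are deliberately omitted here; each node is simply assumed honest.

```python
import random
# Constructed toy group: P = 2*Q + 1 is a safe prime and G = 4 generates the order-Q subgroup.
P, Q, G = 1019, 509, 4

def keygen(rng):
    """Election key pair; in a real system the private key is shared among trustees."""
    x = rng.randrange(1, Q)
    return x, pow(G, x, P)

def encrypt(pk, m, rng):
    r = rng.randrange(1, Q)
    return pow(G, r, P), (m * pow(pk, r, P)) % P

def reencrypt(pk, ct, rng):
    """Multiply in a fresh encryption of 1: same plaintext, unlinkable new ciphertext."""
    c1, c2 = ct
    r = rng.randrange(1, Q)
    return (c1 * pow(G, r, P)) % P, (c2 * pow(pk, r, P)) % P

def decrypt(sk, ct):
    c1, c2 = ct
    return (c2 * pow(c1, -sk, P)) % P          # c2 / c1^sk

def mix(pk, board, rng):
    """One mix node: re-randomise every ciphertext, then emit them in a secret random order."""
    out = [reencrypt(pk, ct, rng) for ct in board]
    rng.shuffle(out)
    return out

def encode(candidate):
    """Map a candidate index to a subgroup element (valid for 0 <= candidate < Q - 1)."""
    return pow(G, candidate + 1, P)

def run_election(votes, n_mixers=3, seed=7):
    rng = random.Random(seed)
    sk, pk = keygen(rng)
    # Casting phase: each voter posts one ciphertext; the board still links voter order to ciphertext.
    board = [encrypt(pk, encode(v), rng) for v in votes]
    # Mixing runs only after casting closes, so every ballot takes part in every shuffle.
    mixed = board
    for _ in range(n_mixers):
        mixed = mix(pk, mixed, rng)
    # Trustees decrypt the mixed board; its order carries no link back to the voters.
    lookup = {encode(c): c for c in set(votes)}
    tally = {}
    for ct in mixed:
        c = lookup[decrypt(sk, ct)]
        tally[c] = tally.get(c, 0) + 1
    return board, mixed, tally
```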
Other methods for preserving ballot secrecy include blind signatures and homomorphic encryption. With blind signatures, an authority verifies the voter’s eligibility and signs the vote blindly, meaning that the authority does not see what is being voted for. When casting the vote, the user also provides a zero-knowledge proof that the vote has been correctly formed. The signed vote and the proof are sent to the vote-counting server through an anonymous communication channel. In this way, the system cannot link a vote to the person who cast it.
With homomorphic encryption, the vote-counting server creates a bulletin board with an encrypted slot for each candidate, initially containing zero votes. Each voter casts their vote for a candidate and simultaneously randomises the encryptions so that encryptions of the same number never look identical. Zero-knowledge proofs can be used to ensure that the sums and randomisation have been performed correctly.
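The homomorphic bulletin board above, as an added toy example that is not part of the course text: each candidate slot is a Paillier ciphertext, casting multiplies a fresh encryption of 1 or 0 into every slot, and only the final sums are decrypted. The primes are constructed toy values and the zero-knowledge proofs that a ballot contains exactly one 1 are omitted.

```python
import math, random
# Constructed toy primes; real deployments use primes of about 1024 bits each.
P, Q = 999983, 1000003
N = P * Q
N2 = N * N
LAM = (P - 1) * (Q - 1) // math.gcd(P - 1, Q - 1)   # lcm(p-1, q-1)
MU = pow(LAM, -1, N)                                # valid because the generator is 1 + N

def encrypt(m, rng):
    """Paillier Enc(m; r) = (1 + N)^m * r^N mod N^2 with a fresh random r each call."""
    r = rng.randrange(1, N)
    while math.gcd(r, N) != 1:
        r = rng.randrange(1, N)
    return (pow(1 + N, m, N2) * pow(r, N, N2)) % N2

def decrypt(c):
    u = pow(c, LAM, N2)
    return ((u - 1) // N * MU) % N

def rerandomise(c, rng):
    """Multiply in an encryption of 0: same count, fresh-looking ciphertext."""
    return (c * encrypt(0, rng)) % N2

def new_board(candidates, rng):
    """One encrypted counter per candidate, each starting at zero."""
    return {name: encrypt(0, rng) for name in candidates}

def cast(board, choice, rng):
    """Add Enc(1) to the chosen slot and Enc(0) to every other slot, so all slots
    change and an observer cannot see which one received the vote."""
    return {name: (c * encrypt(1 if name == choice else 0, rng)) % N2
            for name, c in board.items()}

def tally(board):
    """Trustees decrypt only the final sums, never individual ballots."""
    return {name: decrypt(c) for name, c in board.items()}

def run_election(votes, candidates=("Alice", "Bob", "Carol"), seed=11):
    rng = random.Random(seed)
    board = new_board(candidates, rng)
    for v in votes:
        board = cast(board, v, rng)
    return tally(board)

def rerandomisation_check(seed=1):
    """Two encryptions of the same value differ yet decrypt identically."""
    rng = random.Random(seed)
    a, b = encrypt(5, rng), rerandomise(encrypt(5, rng), rng)
    return a != b, decrypt(a) == decrypt(b) == 5
```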
Coerced voting can be prevented, for example, by giving voters dummy credentials. If a voter is coerced, they can comply with the coercer’s demands but use the dummy credentials. The vote-counting server discards votes cast using dummy credentials. Another approach is to allow re-voting. When a voter votes multiple times, a rule must be defined to determine which vote remains valid. A natural rule is that the last vote cast remains valid, or that earlier votes are marked in some way and not included in the count.
In Finland, electronic voting is discussed in the media from time to time, but the Ministry of Justice stated already in 2017 that the risks outweigh the benefits. At that time, and generally, the discussion did not concern the most cryptographically advanced voting protocols referred to above. These do not require trust in election authorities, and they even minimise the risk of rumours undermining trust, a risk that conventional protocols carry. You have probably already read about usability problems in security and realise what the problem with sophisticated protocols is, in addition to their significant computational cost.
Petitions are formal requests or initiatives signed by one or more citizens and submitted, for example, to the government (cf. the Finnish citizens’ initiative). In publicly signed petitions, the problem may be that the signature is visible to family members, neighbours, colleagues, etc. Public visibility may reduce willingness to participate.
One approach to privacy is the use of anonymous identifiers. In this case, a citizen registers as a user of the petition system. At this stage, an authority verifies the citizen’s eligibility to participate and provides them with an anonymous signing key associated with petitions but containing no identifying information. The citizen can then sign a petition without revealing their identity. The weakness of this system is the required trust in the authority that registers users. However, there are also cryptographic alternatives that remove the need for a single trusted third party. For example, multiple parties may participate in the registration of the signing key. In this way, the user’s trust is not placed in a single actor but distributed among several parties.
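The blind signature used both for ballots in the voting section and for issuing an anonymous signing key in the petition case, as an added toy example that is not part of the course text: the user blinds the message (a ballot, or a freshly generated signing key), the authority signs it without seeing it, and the user removes the blinding to obtain an ordinary signature. The RSA primes, the message strings and the SHA-256-mod-N hash are constructed toy choices; a real deployment would use full-domain hashing and 2048-bit keys.

```python
import hashlib, math, random
# Constructed toy primes and standard public exponent.
P, Q = 999983, 1000003
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))

def h(msg: bytes) -> int:
    """Toy message-to-residue map (stands in for full-domain hashing)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N

def blind(msg, rng):
    """User side: hide h(msg) under a random factor r before sending it to the authority."""
    r = rng.randrange(2, N)
    while math.gcd(r, N) != 1:
        r = rng.randrange(2, N)
    return (h(msg) * pow(r, E, N)) % N, r

def authority_sign(blinded):
    """Authority: eligibility was checked out of band; it signs without learning msg."""
    return pow(blinded, D, N)

def unblind(blind_sig, r):
    """User side: strip the blinding factor to obtain h(msg)^D, a normal RSA signature."""
    return (blind_sig * pow(r, -1, N)) % N

def verify(msg, sig):
    """Anyone (e.g. the counting server or petition site) checks the signature against N, E."""
    return pow(sig, E, N) == h(msg)

def issue(msg, seed=5):
    """Full round trip; returns what the authority saw and the final signature."""
    rng = random.Random(seed)
    blinded, r = blind(msg, rng)
    return blinded, unblind(authority_sign(blinded), r)
```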