Why Voting on the Blockchain Won't Work
With the Philippine Presidential elections happening today, there’s a renewed discussion about how we could use blockchain tech to store our votes as a way to promote transparency and reduce the possibility of fraud. This recent post from Bitpinas contained a few interesting thoughts on the subject and included a few working examples of blockchain-based elections. Now, I’m obviously a pretty huge fan of crypto and its underlying blockchain technology, so believe me when I say that I wish I didn’t have to write this sentence, but here it is anyway: blockchain-based voting won’t work. Let’s talk about why.
Ideally, a new blockchain-based voting process should be offered primarily online, allowing Filipinos to vote at home or from overseas. Although most Filipinos have some kind of Android phone now, you’d probably still need to have voter precincts in low-income or far-flung areas. But for the part of the population with smartphones and Internet access, they could just download a Metamask-like wallet with a custom-built voting dApp (decentralized app) integrated into it.
It’d be ideal if the code for the dApp was open-source, allowing interested developers to review and audit the app and help spot any security holes. In practice, it’s unlikely that this would ever happen of course, because any company building something this valuable would want to enjoy long-term economic rewards for their work. So that’s your first challenge: in order for something like this to be trustworthy, the code MUST be open-source, auditable, and most importantly, free of security holes.
On voting day, all 43M registered Filipino voters would log in on the app, enter their COMELEC-provided credentials, and begin casting their digital ballots. Each ballot is encrypted on the app-level, the data packet is transmitted to the COMELEC server, and the whole thing is decrypted, stored on a buffer database, and then finally written to the blockchain. Even if there’s only one blockchain transaction per ballot, this implies that we need to use a public blockchain that can handle at least 1,000 transactions per second (tps). That eliminates many of the popular blockchains, although Solana does advertise that it can handle over 60,000 tps. (The last time it saw 4M transactions over a short period, the entire network crashed and was inaccessible for 7 hours though.)
But wait! If you’re a keen blockchain enthusiast, you’ll have noticed that I just committed The Cardinal Sin of Centralization with my proposed process above. The voting data shouldn’t go through the COMELEC servers at all, it should be written to the blockchain directly from the users’ respective apps. COMELEC should just be there to verify the credentials of the voters, and perform the final count at the end of the day. In fact, storing the votes on a public blockchain means that everyone gets a real-time view of the count, meaning that the COMELEC’s official announcement would just be a formality. Now, we could argue all day about whether the government agency would be OK with their power being taken away like this, but ultimately this is the correct way to design a blockchain voting solution. It should eliminate the middle man and give the end-user a direct connection to the resource he/she is trying to access. It’s the whole point of decentralizing any process with blockchain tech.
So let’s review where we are. In theory, we have an open-source, secure, transparent dApp where users can login using COMELEC credentials and cast their ballots directly by storing a record on a super-fast blockchain. Sadly, even if all these parameters are met, our blockchain voting solution will still fail. Why? Here’s the question: how do we know that a digital vote has been cast by the person it supposedly belonged to? Credentials — usernames, passwords, private keys, biometrics — can be bought and sold in the black market just like all other digital assets. Let’s not forget that the COMELEC has lost our data in the past: in 2016, 55 million voter identities were forcibly downloaded from their servers and made public by Anonymous Philippines. Blockchains can’t help you if the point of failure occurs at the user-level, because blockchains don’t actually get involved until the moment when you start storing data in them.
Now, you may be arguing that I’m identifying a weakness in an overall system, but that weakness isn’t blockchain’s fault. And that, dear reader, is entirely the point. The reason why blockchain-based voting platforms won’t work is because blockchains can’t solve the primary problem of all online-based voting platforms: They can only verify that the usernames and passwords provided by users were correct, but they can’t actually verify WHO typed them in (… or who paid for them). Computer science folks refer to this issue as the Data Oracle problem, which states that blockchains must rely on the “outside world” in order to perform real-life functions like voting or logistics. This is a critical weakness, because blockchains are only considered 100% reliable when all their data is maintained internally.
If you’re interested in a more rigorous academic perspective, MIT researchers wrote an interesting paper a few years ago entitled “Going from Bad to Worse: From Internet Voting to Blockchain Voting” that argues “blockchain-based voting would come at the cost of losing meaningful assurance that votes have been counted as they were cast, and not undetectably altered or discarded.” Sounds like the complete opposite of what the blockchain diehards are saying, right? Unfortunately, many of the promises that we often hear about blockchain don’t hold up when you look at it from a technical execution standpoint. For now at least, it sounds like we’ll be waiting in line to cast our ballots for a few more elections. See you all next Saturday, cryptofam!
Also, something that is frequently overlooked, real-time monitoring of results might not even be desirable at all. Being able to see the trend in real-time changes people's behavior dramatically.
Early votes looked like Candidate A will win? Candidate B supporters might get disheartened and not bother. Candidate A lost out in the end? "But I was winning during the first half".
It was one of those things that we were conscious about when we rolled out the university-wide elections system in UP Diliman.