Secret ballots have long been fundamental to democracy, ensuring the integrity of elections in both government and corporate settings. Traditionally, votes are cast on physical paper, creating a clear separation between the voter's identity and their choice. This anonymity protects individuals from vote-buying, intimidation or retaliation.
But what happens when the system moves online? Recently the Australian National University opted for an online ballot to decide a contentious vote that could significantly impact staff pay. Staff were assured their vote would be anonymous.
The online voting system used by the university is provided by a company called CorpVote, which says "all votes submitted through our secret ballot process are guaranteed to be anonymous". The system is also used by some of Australia's largest organisations, including Woolworths, Coles, Telstra, Westpac, BHP, Bunnings, the Australian Federal Police, the Department of Home Affairs, the Fair Work Commission and the ABC.
We decided to investigate whether the claims about voter anonymity were accurate - and made some troubling discoveries.
A three-step process
The CorpVote website claims:
"The only way that a response in any of our ballot or election processes can be identified as coming from you is if you disclose this information yourself."
The CorpVote voting process has three steps.
First, each voter receives a unique "voter access code", similar to a single-use pass code. The voter enters this code on the CorpVote website, along with their employee number. The code and employee number are sent to a CorpVote server to verify the voter's identity.
Second, once CorpVote verifies a voter's identity, an online ballot is displayed on the website.
Third, the voter casts their vote on the online ballot. The vote, along with the voter's unique code, is then sent to the CorpVote server.
A flawed system
The "voter access code" is the link that lets anyone observing this voting process connect each vote to the voter's employee number. At the university, the unique "voter access codes" were also sent to employee email addresses, automatically linking each "voter access code" to each person.
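The linkage described above can be checked from captured request data. This is an added example, not CorpVote's code or the investigators' tooling: it runs over constructed records shaped like steps one and three, and the field names (access_code, employee_number, choice) and all values are assumptions.

```python
from collections import defaultdict

# Constructed records shaped like steps 1 and 3; field names and values are assumed.
CAPTURED = [
    {"step": "verify", "fields": {"access_code": "K7Q2-XM4P", "employee_number": "E-0001"}},
    {"step": "ballot", "fields": {"access_code": "K7Q2-XM4P", "choice": "NO"}},
    {"step": "verify", "fields": {"access_code": "B9TT-03LD", "employee_number": "E-0002"}},
    {"step": "ballot", "fields": {"access_code": "B9TT-03LD", "choice": "YES"}},
]
IDENTITY_FIELDS = {"employee_number"}
VOTE_FIELDS = {"choice"}


def linking_fields(requests):
    """Names of fields whose value appears both beside an identity and beside a vote."""
    with_identity, with_vote = defaultdict(set), defaultdict(set)
    for req in requests:
        fields = req["fields"]
        other = {k: v for k, v in fields.items()
                 if k not in IDENTITY_FIELDS | VOTE_FIELDS}
        for k, v in other.items():
            if fields.keys() & IDENTITY_FIELDS:
                with_identity[k].add(v)
            if fields.keys() & VOTE_FIELDS:
                with_vote[k].add(v)
    return sorted(k for k in with_identity if with_identity[k] & with_vote[k])


def link_votes(requests, key):
    """Join the two request types on `key`, as anyone holding both sets could."""
    identity, choice = {}, {}
    for req in requests:
        fields = req["fields"]
        if key in fields and "employee_number" in fields:
            identity[fields[key]] = fields["employee_number"]
        if key in fields and "choice" in fields:
            choice[fields[key]] = fields["choice"]
    return {identity[k]: choice[k] for k in identity if k in choice}


if __name__ == "__main__":
    print(linking_fields(CAPTURED))
    print(link_votes(CAPTURED, "access_code"))
```

A design passes this check only when no field value travels with both the identity and the vote, so `linking_fields` returns an empty list.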
A well-designed voting system makes it difficult to link votes to voters, even in the face of collusion by multiple parties. Some e-voting systems use sophisticated cryptography such as homomorphic encryption or verifiable mixing to break the link between a person's identity and their vote. However, there are still compelling reasons why e-voting should not be used in government elections. For example, it carries a risk of electoral fraud or error because it makes it difficult to verify each person's vote is accurately recorded.
Nevertheless, e-voting has been used in state and territory elections, in addition to corporate elections. E-voting is often adopted by organisations for the convenience of allowing stakeholders to cast their votes remotely.
In the case of CorpVote, we did not have direct access to its systems. Instead, we asked volunteers to examine the network activity - how their vote data travels online - while votes were being cast during the Australian National University's election.
Using freely available developer tools in their web browsers, volunteers recorded the three-step process we previously described.
Who can observe or access the vote data?
Anyone with administrator access to the CorpVote server can inspect or alter the voting data. Third-party internet proxy servers used by CorpVote could also inspect or alter the data as it transits to the server.
The system relies on "transport layer security" encryption - a standard internet security measure designed to protect data as it moves across the web. While this effectively secures the connection between the user and the server, it does not protect the data once it arrives at the server.
An attacker with unauthorised access to any of these systems could exploit this flawed design, enabling data tampering or leaks.
Some systems, such as iVote, used during the New South Wales state election, add an additional layer of encryption that the server cannot remove.
This ensures that when the server decrypts the incoming network traffic, it only reveals an encrypted vote. This is similar to how secure messaging apps such as WhatsApp or Signal protect your messages from being read by their servers.
While encryption does not prevent tampering, it ensures those with server access cannot read the votes.
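The idea in the paragraphs above, a vote encrypted before it leaves the voter so the server holds only ciphertext, combined with the homomorphic encryption mentioned earlier, as an added example. It is not iVote's or CorpVote's code; it uses exponential ElGamal over a deliberately tiny group, and every function name is an assumption.

```python
import secrets

# Toy group for illustration only (real systems use groups of 2048+ bits or
# elliptic curves): P = 2*Q + 1 with P, Q prime; G generates the order-Q subgroup.
P, Q, G = 2039, 1019, 4


def keygen():
    """Private key stays with the election authority, never on the web server."""
    priv = secrets.randbelow(Q - 1) + 1
    return priv, pow(G, priv, P)


def encrypt(pub, vote):
    """Runs on the voter's device: vote (0 or 1) -> (g^r, g^vote * pub^r)."""
    r = secrets.randbelow(Q - 1) + 1
    return pow(G, r, P), pow(G, vote, P) * pow(pub, r, P) % P


def tally(ciphertexts):
    """Runs on the server: multiplying ciphertexts adds the hidden votes."""
    a, b = 1, 1
    for c1, c2 in ciphertexts:
        a, b = a * c1 % P, b * c2 % P
    return a, b


def decrypt_count(priv, ciphertext, max_votes):
    """Authority decrypts only the combined total, then solves a small log."""
    c1, c2 = ciphertext
    g_m = c2 * pow(c1, Q - priv, P) % P      # c2 / c1^priv, since c1^Q == 1
    for m in range(max_votes + 1):
        if pow(G, m, P) == g_m:
            return m
    raise ValueError("total outside expected range")


if __name__ == "__main__":
    priv, pub = keygen()
    ballots = [encrypt(pub, v) for v in (1, 0, 1, 1, 0)]   # constructed votes
    print(decrypt_count(priv, tally(ballots), len(ballots)))
```

The server in this sketch never needs the private key, so reading an individual vote requires the authority's cooperation. Deployed schemes also attach proofs that each ciphertext encodes a valid vote, which this sketch omits.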
CorpVote strongly rejected our results, telling The Conversation the investigation was "based on several incorrect assumptions" because we did "not have technical access to [CorpVote's] systems, policy frameworks, or cybersecurity posture".
A spokesperson for the Australian National University declined to comment, saying any questions about CorpVote's systems should be directed to CorpVote.
A significant impact
Corporate elections have a significant impact on economies, industries and millions of lives.
In Australia, for example, one in three workers can vote in elections that shape their employment conditions, such as enterprise agreement ballots. As happened recently at the Australian National University, workers often cast their ballot through the CorpVote system.
Meanwhile, about one in three Australians is an investor in a publicly listed company, giving them a direct vote on decisions that influence corporate futures and the value of their investments. For example, shareholders vote to elect directors to the boards of companies such as Woolworths and Coles.
The outcome of such elections can impact how these companies are governed, ultimately influencing how much we pay for groceries at the counter.
Rigorous scrutiny of e-voting systems is needed
Since 2014, employees of the ABC and members of the Construction, Forestry, Mining and Energy Union have raised privacy concerns about the CorpVote process.
At the core of their unease is the requirement for voters to provide sensitive personal information, such as payroll numbers and birth dates, to verify their identity in the e-voting system.
Our investigation adds to these concerns.
Trust in institutions is already declining in both corporate and government settings. If people think their votes can be traced - such as their boss knowing how they voted - they might not vote at all. Worse, they might not vote honestly. This would lead to unfair outcomes and make others doubt the results.
Organisations and individuals must adopt a "verify, don't trust" philosophy when voting online, even in corporate settings. This approach demands rigorous scrutiny of e-voting systems, no matter their reputation or assurances.