Oct 2024

Manipulation in e-voting system in the Moscow City Duma elections

We investigate the vulnerabilities of Moscow’s e-voting system, focusing on the substitution of candidate identifiers as a method for manipulating election results. The 2024 Moscow City Duma elections provided substantial evidence of such manipulation, where candidate identifiers assigned to votes were altered. This manipulation allowed votes initially cast for opposition candidates to be reassigned to those from the ruling party, United Russia.

Research by: Alesya Sokolova, Peter Zhizhin, Kseniia Zhizhina

This research was presented at the E-Vote-ID International Conference in Tarragona, Spain, 2024

Introduction

In the Moscow City Duma elections 2024, for the first time, voters had to apply in advance to cast a paper ballot. This year, 95% of voters in Moscow used remote electronic voting (REV). REV has been conducted in Russia since 2019, in elections ranging from local to presidential. However, until now, REV has only been an option, with in-person voting at polling stations remaining the default method.

Russian courts have never ruled against the use of REV or annulled its results, despite numerous reports of violations [1,2] that had likely influenced election outcomes. Under the full control of the Russian state apparatus, the REV system complements traditional tools of fraud [3], such as ballot stuffing and protocol tampering. Proving electronic violations is much more difficult. Despite the lack of direct evidence, we see anomalies in the election data and can speculate about how these anomalies occurred.

For example, investigations [4,5] into the 2021 State Duma elections revealed that Moscow's remote electronic voting system was manipulated through a re-voting mechanism (which was deprecated afterwards). In 2022 new technical changes were introduced to Moscow's remote electronic voting system, allowing for vote tampering. Different candidates were assigned different identifiers for each voter [6], which were later likely matched with an unpublished internal mapping table. This table could be altered after vote decryption to manipulate results. This form of tampering probably caused anomalies in the 2022 [7,8] and 2024 elections [9].

This paper aims to provide evidence and analysis of how candidate identifier substitution was used to manipulate results in Moscow's e-voting system.

Overview of Moscow’s E-voting System

Russia uses two independent e-voting systems: the Moscow system and the federal system. The Moscow system was developed by the Moscow Department of Information Technology (DIT). Until 2021, the operators of the Moscow e-voting systems partially published their source codes [10]. Based on this code, observers were able to conclude about the structure of the system.

During an election, the vote being recorded into the system contains the identifier of the candidate. The list of candidates and their corresponding identifiers could be observed on the REV website [6]: they are not displayed in the browser interface but can be accessed through the developer tools.

When a user casts their vote, the browser sends a request to obtain the candidate IDs for the ballot. In response, it receives a JSON mapping the candidate's full name to the deputyID. During the voting process, the array of deputyIDs selected by the voter is then encrypted and sent to the server.

One would expect that the candidates' identifiers should not differ for different voters. Before municipal elections in 2022 in Moscow, these candidate IDs always matched the unique ones recorded in the blockchain at the time the vote was created. However, since 2022, we have determined that every voter has had different identifiers for the same candidates.

Table of deputyID-to-candidate at 2022 Moscow municipal election [6]
CandidateVoter 1Voter 2
Avdeeva Tatiana Vladimirovna5426293201308471730
Boykova Anna Alekseevna424666912423986187
Zykov Nikolay Appolonovich687882885144946037

To count the votes, there must be a mapping between the deputyIDs issued to the voters and the candidate IDs in the blockchain. If the server also stores the association between the deputyIDs and the voters during the ballot distribution, it would violate the secrecy of the vote, as it would be possible to determine how each individual voted once the ballots are decrypted.

There are two possible locations where the deputyID-to-candidate ID mapping could be stored in the blockchain: (1) the mapping resides on the server and is inaccessible to observers — in this case, it would be possible to declare virtually any result; (2) the mapping is embedded in the ballot transaction itself in a manner that is not immediately apparent to us. In any case, independent observers have no means to verify the accuracy of the vote registration and counting process. From this, we can conclude that the vote can be counted in any manner.

The authorities explained the different candidate identifiers in the following way [6]: (1) the system is designed to protect against malicious software that could automate voting if it is provided with fixed candidate IDs; (2) this is a feature, intended to comply with legal requirements that prohibit determining how a vote was counted without an explicit request from the voter. They also mentioned that independent verification of election results should not be possible, as required by the law.

Evidence of Manipulation in the September 2024 Election

To analyse the e-voting during the 2024 elections for the Moscow City Duma [11], a public snapshot of the database containing votes decrypted by Moscow DIT and their timestamps was downloaded from the official observer website (observer.mos.ru) after the elections. The code and data used for our calculations can be found on Github [12].

We found that in three constituencies where candidates from parties of parliamentary opposition were leading by Saturday evening, the dynamics shifted dramatically overnight. By Sunday morning, the results had reversed, with candidates from the ruling party, United Russia, taking the lead.

Vote swapping in the 3 constituencies where United Russia was losing. Each data point shows the candidate's result on 300 ballots, so the points are heterogeneously spaced over time but have the same noise level. The position of the point is the time of getting the first of the 300 ballots. No other candidates except the two leading ones switched their places. Short-term changes in other candidates' positions were due to random fluctuations, but never changed for long periods.
Vote swapping in the 3 constituencies where United Russia was losing. Each data point shows the candidate's result on 300 ballots, so the points are heterogeneously spaced over time but have the same noise level. The position of the point is the time of getting the first of the 300 ballots. No other candidates except the two leading ones switched their places. Short-term changes in other candidates' positions were due to random fluctuations, but never changed for long periods.

No constituencies where United Russia was winning had this pattern.

Example of a constituency presumably with no manipulation. The same pattern was observed in all of the 42 remaining constituencies.
Example of a constituency presumably with no manipulation. The same pattern was observed in all of the 42 remaining constituencies.

This sudden shift is unlikely to appear by natural voter behaviour. One of the explanations for such dynamics is the administrators of the e-voting system altered the mapping table with the candidate identifiers on Saturday night to increase votes for the preferred candidates from United Russia. As a result, votes cast for opposition candidates during Sunday’s voting were reassigned to United Russia candidates.

Turnout percentage by 15-minute intervals. The turnout in the anomalous constituencies did not differ from the other constituencies. This suggests that votes were reassigned between candidates, maintaining turnout while altering outcomes.
Turnout percentage by 15-minute intervals. The turnout in the anomalous constituencies did not differ from the other constituencies. This suggests that votes were reassigned between candidates, maintaining turnout while altering outcomes.

Although the manipulation did not alter the overall outcome — United Russia still lost in these three constituencies, but secured a majority regardless of the results in them — such dynamics indirectly confirm the mechanism of vote swapping described in the previous section.

Conclusion

This paper has presented evidence of how the substitution of candidate identifiers in Moscow’s remote electronic voting system could be used to manipulate election results, particularly during the 2024 Moscow City Duma elections. By altering the mapping between candidate identifiers, election organisers likely reassigned votes from opposition candidates to the members of the ruling party.

The vulnerability of candidate identifier substitution in Moscow’s e-voting system poses a significant threat to the integrity of electronic voting. The opaque nature of the system, combined with the absence of independent verification mechanisms, creates opportunities for electoral fraud that are difficult to detect or prevent. These findings underscore the necessity of addressing such vulnerabilities in electronic voting systems to ensure transparency, security, and public trust.

This issue is particularly relevant to ongoing global discussions on building reliable e-voting systems. As we move toward increased use of digital voting technologies, it is crucial to develop systems that prioritise transparency and accountability.

The data from the observation portal and the code we used for the study are available on Github.

References

  1. Corrupted code: exposing fraud tactics in Russian e-voting system, Cedar, 2024, https://cedarus.io/research/e-voting
  2. ‘The Art of the Steal?': Russia’s online voting problem, GlobalVoices, 2022, https://globalvoices.org/2022/09/29/the-art-of-the-steal-russias-online-voting-problem/
  3. How to uncover electoral fraud in Russia using statistics: a complete guide, Cedar, 2024, https://cedarus.io/research/evolution-of-russian-elections
  4. Необъяснимый рост. Что не так с электронным голосованием, iStories, 2021, https://istories.media/investigations/2021/09/28/neobyasnimii-rost-chto-ne-tak-s-elektronnim-golosovaniem/
  5. Зазор и позор, Novaya Gazeta, 2021, https://novayagazeta.ru/articles/2021/11/09/zazor-i-pozor
  6. Что не так с ДЭГ Москвы на этот раз?, Habr, 2022, https://habr.com/ru/articles/687626/
  7. Аномалии результатов муниципальных выборов в Москве, Golos, 2022 https://golosinfo.org/articles/146205
  8. Фальсификации в выборах муниципальных депутатов 2022 в Москве, Habr, 2023, https://habr.com/ru/articles/760152/
  9. ДЭГ не выбирают, Novaya Gazeta Europe, 2024 https://novayagazeta.eu/articles/2024/03/28/deg-ne-vybiraiut
  10. moscow-technologies/blockchain-voting_2021, Github, https://github.com/moscow-technologies/blockchain-voting_2021
  11. Недокрутили, Novaya Gazeta Europe, 2024, https://novayagazeta.eu/articles/2024/09/10/nedokrutili
  12. Cedar-Russia/REV_Moscow_2024, Github, https://github.com/Cedar-Russia/REV_Moscow_2024

Related Articles

We and selected third parties use cookies or similar technologies for technical purposes and, with your consent, for other purposes. Use the “Accept all” button to consent. Use the “Decline all” button to continue without accepting.