August 5, 2021

Internet Voting is Still Inherently Insecure

Legislation for voting by internet is pending in Colorado, and other states have been on the verge of permitting ballots to be returned by internet.

But voting by internet is too insecure, too hackable, to use in U.S. elections.  Every scientific study comes to the same conclusion—the Defense Department’s study group in 2004, the National Academy of Sciences in 2018, and others.  Although the internet has evolved, the fundamental insecurities are the same: insecure client computers (your PC or phone), insecure servers (that collect the votes), and Americans’ lack of universal digital credentials.

Vendors of internet voting systems claim it’s different now:  they claim “online voting” is not “internet voting”; they say smartphones are not PCs, cloud-computing systems are more secure than privately hosted servers, dedicated apps are not web sites, and because blockchain.  So let’s examine the science.  Of course “online voting” is internet voting: your smartphones and laptops connect to servers and cloud servers through the public packet-switched network; even the phone network these days is part of the internet.  And if the voter sends a ballot electronically to an election office that prints and counts it, that’s certainly not a “paper ballot” in the sense that a voter can check what’s printed on it.

Smartphones are client computers on that same internet.  Smartphone operating systems (Apple’s iOS and Google’s Android) have improved their security in recent years, but serious new exploitable vulnerabilities are continually discovered: about 25 per year in iOS (2018-2020) and 103 per year in Android.  And there is an unknown number of undiscovered vulnerabilities that attackers may already be exploiting.  If you prepare a ballot on your smartphone voting for candidate Smith, you cannot be sure whether a hacker has caused your voting app to transmit a vote for Jones instead, because the screen you see and the bytes the app sends are both under the control of the same compromised device.

Major cloud-computing providers such as AWS and Azure do a good job of securing their systems for the companies that they “host” (banks, retailers, voting apps).  But a bank or voting-app maker must write their own software to run in that cloud.  It’s difficult to get that software right, and bugs can lead to exploitable vulnerabilities that a hacker could use to change votes as they arrive.  AWS is not some sort of magical pixie dust that one sprinkles on software to make it unhackable.  Blockchain doesn’t help either: the vote can be hacked before it even gets into the blockchain.
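The two preceding paragraphs make the same structural point about the client and about blockchain: a ledger can only protect a record after it has been submitted, so a swap made inside a compromised voting app is invisible to it. The following toy is an added example written for this page, not code from the post, from Voatz, or from any real voting product. It assumes a minimal SHA-256 hash chain as a stand-in for whatever "blockchain" a vendor uses, and `compromised_app` is a hypothetical client that silently swaps the voter's choice before submission; the sample votes are constructed.

```python
import hashlib
import json

GENESIS = "0" * 64


def record_hash(prev_hash: str, record: dict) -> str:
    """Hash of one ledger entry, committing to the previous hash and the record."""
    payload = prev_hash + json.dumps(record, sort_keys=True)
    return hashlib.sha256(payload.encode()).hexdigest()


class VoteLedger:
    """Minimal append-only hash chain standing in for a 'blockchain' of ballots."""

    def __init__(self):
        self.entries = []  # list of (prev_hash, record, this_hash)

    def append(self, record: dict) -> str:
        prev = self.entries[-1][2] if self.entries else GENESIS
        h = record_hash(prev, record)
        self.entries.append((prev, record, h))
        return h

    def verify(self) -> bool:
        """True if every link is intact, i.e. nothing was altered after submission."""
        prev = GENESIS
        for stored_prev, record, h in self.entries:
            if stored_prev != prev or record_hash(prev, record) != h:
                return False
            prev = h
        return True

    def tally(self) -> dict:
        counts = {}
        for _, record, _ in self.entries:
            counts[record["choice"]] = counts.get(record["choice"], 0) + 1
        return counts


def honest_app(ballot_id: str, choice: str) -> dict:
    """Client-side voting app behaving as intended."""
    return {"ballot": ballot_id, "choice": choice}


def compromised_app(ballot_id: str, choice: str) -> dict:
    """Hypothetical compromised client: the voter's screen still shows 'Smith',
    but the record handed to the network layer has been swapped to 'Jones'."""
    swapped = "Jones" if choice == "Smith" else choice
    return {"ballot": ballot_id, "choice": swapped}


def run_election(app, intended_votes) -> VoteLedger:
    """Each voter's intended choice passes through the app before reaching the ledger."""
    ledger = VoteLedger()
    for ballot_id, choice in intended_votes:
        ledger.append(app(ballot_id, choice))
    return ledger


def tamper_after_submission(ledger: VoteLedger, index: int, new_choice: str) -> None:
    """Server-side edit of an already-appended record. This is the only kind of
    tampering the hash chain can detect."""
    prev, record, h = ledger.entries[index]
    ledger.entries[index] = (prev, dict(record, choice=new_choice), h)


# Constructed sample: what three voters actually intended.
VOTES = [("b1", "Smith"), ("b2", "Smith"), ("b3", "Jones")]

if __name__ == "__main__":
    honest = run_election(honest_app, VOTES)
    print("honest client:     verify =", honest.verify(), "tally =", honest.tally())
    hacked = run_election(compromised_app, VOTES)
    print("compromised client: verify =", hacked.verify(), "tally =", hacked.tally())
    tamper_after_submission(honest, 0, "Jones")
    print("edited after append: verify =", honest.verify())
```

Run it and the compromised election verifies just as cleanly as the honest one: every hash links correctly, because the ledger faithfully recorded exactly what the app sent it. Only the post-submission edit trips `verify()`. That is the whole of what a blockchain buys here, and it says nothing about whether the record that entered the chain matched the voter's intent.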

We have no system of unforgeable digital credentials that we can give to every voter to authenticate their voting transaction.  In practice, the internet-voting products marketed in 2020 (from Voatz and Democracy Live) contracted out digital authentication to privacy-invasive third-party companies.  Those companies asked voters to hold up their driver’s license next to their face and take a picture, or captured “browser fingerprints” tracking personal information about the voter’s Web usage, revealing this and much other private information about the voter and the voter’s votes to unaccountable third parties.  Traffic in stolen credentials would seriously compromise elections.

We still do online banking and shopping.  But banks control to whom they issue credit cards, can suspend a card at any instant if they suspect fraud, and can decide what percentage of fraud they want to tolerate, balancing it against convenience.  Most important, every individual transaction is traceable and auditable: a suspicious charge can be matched to the account holder, questioned, and reversed.  With voting, none of those are true.  You have the right to the secret ballot, with an assurance that the system doesn’t know who you voted for, so no one can call you to confirm a suspicious vote or reverse it after the fact.

The groups pressing hardest for internet voting are national organizations representing voters with disabilities.  They want voters with visual impairments or motor disabilities to be able to vote independently and conveniently from home.  Indeed, although every polling place (by federal law since 2002) has an “accessible” voting-machine to accommodate voters with disabilities, many of those machines are so ill-designed that they are accessible in name only.  We need better technology for such voters, and it’s worth investing in it.  There really are better accessible voting machines on the market for use in polling places and early vote centers, and more research would help too.  But we must not let wishful thinking lead us into hackable internet voting.   Wishing that internet voting could be made secure is not a justification for implementing it.  And in fact, surveys of voters with disabilities show that the vast majority want to vote on paper.

The clear consensus of computer scientists and cybersecurity experts is that paperless voting systems cannot be made sufficiently secure for use in public elections.  Paper ballots are our only practical choice—countable by machine, recountable by hand in case the machines were hacked or misconfigured, and auditable by hand to detect whether a recount is warranted.

Comments

  1. J. Alex Halderman says:

    These are excellent points, Andrew.

    I’d add one more concern about cloud-hosted online voting systems, particularly in light of November: they introduce additional parties that must be trusted. Think about how practically half the country now has distrust for the Washington Post simply because it’s owned by Jeff Bezos. Are those voters now going to trust Amazon’s cloud to transport and safeguard their ballots?