Security Experts Say Online Voting Is a Bad Idea. Here’s Why.

It is crucial for democracy to work every time and we can’t guarantee that with an online system.

Jasmine Webb
Digital Diplomacy
14 min read · Jul 20, 2020

At last year’s DEF CON, I wandered into a panel with voting industry leaders from the public and private sectors. Towards the end, the facilitator asked the room filled with 200 or so security experts and hackers if they thought the US should have online voting.

Three brave souls raised their hands. They were booed. One put his hand down, looking embarrassed.

Article was last updated 11/08/20

Read this Letter to Governors and Secretaries of State on the insecurity of online voting, signed by over 50 (at time of writing, others may be added) researchers and experts:

Back in July, this tweet came across my timeline:

Doesn’t he have a point? Vote by mail has gotten some attention recently but do we really want to be mailing things on paper when we have email and apps? Voting in person isn’t wise to do in a pandemic, so it seems like building an e-voting system would be best in the current climate.

Voting through a website or app sounds like a no-brainer.

Sure, there might be cybersecurity risks, but surely it’s not physically impossible to build something safe enough. Can’t we sprinkle some crypto-magic on it? Banks are still operational even though they have money at stake for hackers to steal.

Besides, e-voting would surely increase turnout among young people. Given this, wouldn’t the risks be worth it? Don’t some countries like Estonia already do voting online with no problems? Could we vote online in the US?

The answer is NO.

Online voting would be disastrous especially for the United States. There are better things we can and should do to make voting accessible.

If You Don’t Read The Whole Thing

These are the four things I explain in detail:

  1. Votes need to be more secure than anything else we have. More than banking, taxes, and identity. This is because the consequences of election interference (especially in the US) are dire.
  2. A secure election needs physical ballots so recounting is possible and reliable. Rows in a database (and even blocks on a blockchain) do not have enough integrity to prove the vote was cast by a real voter.
  3. Cybersecurity experts are nearly unanimous: a digital voting system would be impossible to implement securely enough. This problem is not solved by blockchain.
  4. Online voting doesn’t have huge benefits over voting by mail when it comes to safety, convenience, and turnout. Any benefits it does have are not worth the risk.

Section 1: Free and Fair Elections

The stakes for voting in the US are higher than anything else we could do over the internet. It’s more important than banking, passport applications, and yes, parking tickets.

Not only would it be disastrous for the vote to be rigged, there are also immense incentives for powerful players (countries and corporations) to attempt it. This is the most important thing I want readers to come away from this article with. Voting systems need to be more secure than anything else we have (with the possible exception of medical devices like pacemaker software. Oops.)

It’s worth starting out by defining the required characteristics of a free and fair election. If citizens don’t believe a vote is fair, this is very dangerous for the stability of a democracy. If a malicious actor can change the outcome of a vote, they can topple a whole country, disrupt its economy, and maybe even cause a civil war. If a malicious actor can disrupt an economy like the US’s, then they can disrupt the global economy.

It is crucial that voting is done right in America. So how is a free and fair election done right? What features does it require?

Auditable + Accurate

Votes must be counted accurately. Failing that, it must be possible to audit them without running another election.

If someone doesn’t think the vote was fair, there needs to be a way to go in and prove that it was or rectify the tally if it wasn’t. This is so we don’t have to make voters vote again. If those in power are unwilling to recount or run another election, that’s a failure.

Anonymous

This is an often overlooked but crucial aspect of a good voting system. Voting should be anonymous because if someone tries to pay or intimidate you into voting a certain way, it should at least be impossible for them to verify that you complied.

You don’t want extremists going after people who voted a certain way. Even if it’s illegal to bribe or intimidate voters (that still hasn’t stopped some bad actors), anonymity makes it impractical for criminals to try on any kind of scale.

Accessible

If someone is qualified to vote, they should be able to vote easily for anyone they want and to have their vote counted. That means, among other things, that voters who can’t afford to take time off work should be able to vote and that voters with disabilities must have accessibility services provided.

Making an election less accessible is as easy as cutting funding in certain areas. I would argue that our current election system is not accessible enough. It’s the biggest weakness of in-person voting in America.

All of these started with As. This was not on purpose but it’s catchy: Accurate, Auditable, Anonymous and Accessible. Heh.

There are countries that have accessible non-online voting systems. Inaccessibility is more a result of corruption than of inherent flaws in in-person voting. As we’ll see, these flaws do not outweigh the benefits.

Section 2: Software Security

Let’s talk about computers and software. It is so incredibly easy to write bad code. Web applications and mobile apps are especially bad; I say this as an appsec engineer.

Furthermore, humans have to manage software systems and humans are even worse than computers. Look at the recent Twitter hack. If Twitter is pinning admin credentials to their Slack channels, do you think gov administrations will do better?

This XKCD sums up everything I’m about to say in this section.

Even voting machines have been proven time and time again to have security flaws that would allow a hacker to change, add, or delete votes.

There’s a lot of attention on voting booths when we talk about election interference, so I’d like to put a reminder here that while state actors did try to hack the vote by targeting infrastructure directly, there is no evidence they succeeded in 2016. Read what experts say about the 2020 election.

If we can’t have airtight voting booths, we certainly can’t have an app or a website that is secure. My day job has me thinking about the mistakes programmers can make and how often they make them. The idea of a voting website is terrifying to me. Websites and mobile apps are complicated, have a high potential for flaws, and can be attacked from many angles.

There’s a problem of scale. Many of these voting booths are (mostly) only vulnerable to physical attacks: where a hacker can walk in and take it apart or plug in a USB drive. This attack is risky for the hacker and not very effective (relatively) because you can only target one booth at a time, limiting you to certain districts (which is still potentially a big problem). With a website or app, a cybercriminal could rig a vote on a much wider scale from the comfort of their own home somewhere they are unlikely to be apprehended and potentially never even detected.

Even cybersecurity companies end up with breaches and hacks. No matter how good your security and auditing process, no software will ever be un-hackable.

But what if… if it were possible for voting software to be implemented effectively, 100% secure, 100% maintained even through incompetent administrations, kept up to date with no budget cuts — would it be a good idea? Would it be worth the extra voter turnout?

The answer is still no.

Section 3: Proper Usage

The problem with voting is that humans have to do it — and it’s possible to trick humans. Once again we have a problem of scale. With in-person voting you might be able to trick an individual voter, but that’s just as effective as convincing them to vote for your candidate through regular campaigning. With online voting, targeting voters with scams, malware, or intimidation en masse becomes a viable strategy.

Scams

Any information you might use in an online voting system to verify your identity can be stolen. Once it is stolen it is permanently out there: social security numbers, date/location of birth, state ID numbers — any or all of these is insufficient proof that you are a real voter.

Estonia uses a national ID to authenticate and some e-voting startups want to use biometrics. These are better than how we pay taxes now but you can still fool someone into using either of those in a malicious app.

If you work at a big company, maybe you have a benevolent security team that periodically tries to get you clicking on links in emails designed to steal your credentials. Maybe you’ve even fallen for one of these schemes yourself. If not at work, then maybe you’ve accidentally clicked on a malicious link in an email at home that installed a fake version of Adobe Flash on your PC. This is called phishing.

Companies spend so much effort trying to immunize employees against this type of attack because it is extremely effective.

If you don’t believe me that a critical mass of Americans are likely to fall for voting scams, read this (approachable, well written) study on online scams. 23% of people targeted by the scams in this study lost money. That is more than enough to sway a swing district.

Perhaps the most similar type of scam to our hypothetical voting rackets is the fake IRS scam. There are already widespread scams that steal taxpayer information, file taxes to claim returns, and extort folks by threatening to send in the FBI, CBP or ICE. In the study above, 15% of targets engaged with the IRS scammers while 3% lost money. Furthermore, these are perpetrated by low-skill cybercriminals with limited resources just looking to make easy money. If they can do it, much more competent state actors can do it better.

Even setting aside the risk of mass voter fraud, residents would be more at risk of having their private information stolen and sold by virtue of having an online voting system.

E-voting puts every voter at risk whether they participate or not.

Malware, Intimidation, and Bribery

I mentioned above that anonymity is crucial for a free and fair election. With a website or an app, you can never guarantee anonymity. What if someone is voting on a library computer? What if they’re viewing the site through an in-app browser without realizing it? What if they’ve installed a malicious chrome extension or have spyware on their computer? What if someone makes a fake version of the voting app?

There was recently a swarm of emails threatening Democrat voters. The scammers, who DHS says were Iranian, claimed that they had “hacked the whole system” and that if voters didn’t signal they were going to vote for Trump by switching their voter registration, they would “come after them.”

Hopefully, most recipients of these emails will see through the scam or be wise enough to inquire if anyone else has received them. This is one type of attack that becomes much more dangerous and effective if we vote online. Voters in the US today are reassured that their votes are private. If you are voting from your phone where anonymity isn’t guaranteed, the number of psychological tools at the disposal of an attacker goes up significantly.

For example, if a nation state like China has control over a popular app that has access to your camera roll and contacts, they can acquire sensitive information by leveraging the trust placed in them by networks like the App Store. They might threaten to send everyone on your contact list your nudes and even send you a random photo from your camera roll as proof that they have this capability. If they’ve ‘hacked’ your phone, surely they can see your vote as well — or so most people will believe.

Once again, e-voting puts all Americans at a higher risk of being targeted by scams and having our private information stolen. Bad actors are already attempting these scams. It would be very bad to give them better tools to do so.

Section 4: Estonia

So far we’ve been speaking in terms of “could happen”, “would happen” but hasn’t this been tried by anyone? Surely e-voting hasn’t failed in every single instance.

Online voting has been tried lots of times and has mostly failed spectacularly. The one exception to this rule is Estonia.

If you don’t know anything about Estonia (*cough* Americans), it is a Nordic country which borders Russia, has wifi in forests, and has some of the most competent government tech usage anywhere in the world. If anyone could do this right, it would be them.

They have been holding digital elections since 2005. 43% of voters use the online voting platform, and so far there has been no evidence of meddling. They share a border with Russia, which has some pretty good incentives as well as the capability to influence their elections.

Wait, doesn’t this negate the whole argument?

Well, it’s true that nothing seems to have gone wrong yet and maybe nothing ever will.

Researchers have indeed been able to demonstrate flaws that could compromise the integrity of the Estonian election. They were able to change the outcome of a simulated election in a lab environment in a way that would go undetected. To quote their conclusions:

Based on our tests, we conclude that a state-level attacker, sophisticated criminal, or dishonest insider could defeat both the technological and procedural controls in order to manipulate election outcomes. Short of this, there are abundant ways that such an attacker could disrupt the voting process or cast doubt on the legitimacy of results.

In an entertaining read, an analyst for Estonia’s Information System Authority reacted to this by attacking the researchers’ credentials and criticizing their disclosure methods. Other than this I wasn’t able to find a good response to this research from the government (but I don’t speak Estonian so may have missed important sources).

It’s important to note that, unlike the US, Estonia doesn’t have nukes. If their election were rigged it would be really bad for them, but bad actors (other than Russia, potentially) don’t have as much incentive to do so as they would for America. If the USA, with our irresponsibly massive military and economic power goes on an insane fascist rampage, the whole world is in danger.

Would Online Voting Actually Increase Turnout?

If it’s young people who don’t vote and young people who can’t afford to take time off work (in America), then surely mobile/online voting would help?

Unfortunately, a few studies conclude that it would not increase turnout or would help very little. Researchers in Switzerland did a study on their e-voting system. They found that it did not increase voter turnout.

Estonia’s aforementioned online voting platform has been going for several years now. A study concluded that it had no effect on voter turnout. On the other hand, a study on the (failed) West Virginia e-voting platform suggests that it raised participation by 3–5%.

It’s hard to say if online voting would increase participation over time if voters became more comfortable with the idea. Early evidence suggests that it’s the people who already vote who would use these systems.

If I Can Bank Online, Why Can’t I Vote Online?

This is the most common question I get on this topic. The answer is that the risks for banking are lower. Yes, I mean that. Banks actually get hacked all the time. My favorite example is this gang that managed to steal money from around 100 financial institutions — and that’s the institutions themselves getting pwned. Consumers have their individual credentials leaked (remember Equifax?), use terrible passwords, and give out their information to scammers constantly.

If anything, the financial industry is an example of how bad things could get. However, banks haven’t opted to go offline and still manage to function, because they are a business. Widespread fraud and losses aren’t an existential threat to them. They just need to stay under the threshold of convenience versus risk and make more money than they lose (and they make a lot more money than they lose).

Even fintech is a bad example of how secure an online system can be. Billions worth of crypto has been stolen by hackers and scammers and the amount goes up every year.

Banks have insurance. Democracies do not.

Summary

We’ve gone over a lot here so let’s recap.

  1. A secure election system needs a physical paper trail to make recounting possible.
  2. Elections are critically important to get right every time and bad actors have great incentives to compromise them especially in a global super power like the United States.
  3. Computers are very bad and digital security is hard.
  4. Not voting in person eliminates the ability to keep votes anonymous in several ways — and this (I would argue) is an unsolvable problem.
  5. Internet voting doesn’t actually increase voter turnout (probably).

So What Do We Do?

I’ll be the first to say that new ideas are scrutinized more harshly than obviously bad old ideas. In this case however, the old way of voting in person and on paper is a better way than digital voting.

Voter turnout is a problem that needs to be solved — but online/mobile voting is not the answer. Here are some ideas from experts on the topic:

Footnotes

I’ve nearly hit the limit on how long a Medium article can be so I’ll quickly go over a few more topics I think are important to address.

Vote by Mail

I think vote by mail is a good middle ground that makes voting more accessible. As an Oregonian, I love the ability to get my ballot in the mail and drop it in a mailbox. I get to weigh my options more carefully in my living room than from a voting booth with the pressure of people waiting in line behind me.

Voting by mail still has a problem of privacy/authenticity; it just can’t be exploited by organized crime and foreign powers as easily. This might make the vote skew a little bit in some areas. I could forget to unregister at an old address — then the new resident could try to forge my signature, but it would be hard to do this as a massive coordinated effort and that vote would almost always end up getting thrown out. There could also be anonymity issues, for example a domestic abuser threatening other members of their household to vote a certain way.

I’ve talked to a few people who think universal vote by mail isn’t worth the convenience, and I’m not yet sure if I disagree. Regardless of how they feel however, it is a good option when voting in person isn’t safe or feasible like for citizens overseas or in the case of a global pandemic.

Blockchain and Crypto

If I did my job correctly, you will understand by the end of this article why replacing the read/write method with a blockchain doesn’t solve any of the problems we have here. There may be some substance to adding cryptography to election systems, but not blockchain.
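To make the point concrete (for this section and for item 2 of the overview), here is an added example, not code from the original post, of a minimal hash-chained vote ledger. It shows what such a structure does prove (an outsider’s edit breaks the chain) and what it does not (a vote cast with a stolen credential verifies perfectly, and whoever holds the ledger can edit a vote and rehash everything after it). Voter ids and choices are constructed sample data.

```python
import hashlib
import json
from dataclasses import dataclass


@dataclass
class Block:
    index: int
    voter_id: str      # whatever credential the system accepted
    choice: str
    prev_hash: str
    digest: str = ""

    def compute_hash(self) -> str:
        payload = json.dumps([self.index, self.voter_id, self.choice, self.prev_hash])
        return hashlib.sha256(payload.encode()).hexdigest()


GENESIS = "0" * 64


def append_vote(chain: list, voter_id: str, choice: str) -> Block:
    """Append a vote. The ledger only knows the credential it was handed."""
    block = Block(len(chain), voter_id, choice, chain[-1].digest if chain else GENESIS)
    block.digest = block.compute_hash()
    chain.append(block)
    return block


def verify_chain(chain: list) -> bool:
    """True iff every block hashes correctly and links to its predecessor."""
    for i, b in enumerate(chain):
        expected_prev = chain[i - 1].digest if i else GENESIS
        if b.prev_hash != expected_prev or b.digest != b.compute_hash():
            return False
    return True


def rehash_from(chain: list, start: int) -> None:
    """What the party holding the ledger can do after editing a block."""
    for i in range(start, len(chain)):
        chain[i].prev_hash = chain[i - 1].digest if i else GENESIS
        chain[i].digest = chain[i].compute_hash()


def demo() -> dict:
    chain: list = []
    append_vote(chain, "voter-001", "A")   # constructed: legitimate voter
    append_vote(chain, "voter-002", "B")   # constructed: legitimate voter
    # Constructed: this vote was cast with voter-003's phished credential.
    # To the ledger it is indistinguishable from a vote by voter-003.
    append_vote(chain, "voter-003", "A")
    phished_vote_accepted = verify_chain(chain)
    chain[1].choice = "A"                  # outsider alters one stored vote
    outsider_edit_detected = not verify_chain(chain)
    rehash_from(chain, 1)                  # custodian rewrites the links
    insider_edit_detected = not verify_chain(chain)
    return {
        "phished_vote_accepted": phished_vote_accepted,
        "outsider_edit_detected": outsider_edit_detected,
        "insider_edit_detected": insider_edit_detected,
        "tally": {c: sum(b.choice == c for b in chain) for c in ("A", "B")},
    }
```

The chain guarantees only that nobody without write access altered the record after the fact; it says nothing about whether each entry came from an eligible voter, and with no paper ballot there is nothing independent to recount against.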

My position is that physical ballots will always be the only secure way to count votes and the less digital the better when it comes to elections.

I have talked to some smart cryptography people who think we’ll eventually have the tech and infrastructure to safely vote online. I am not yet convinced that this is possible, but I would love to be wrong.

Thanks for reading this very long article!

Are you an elections expert? Did I get something wrong or could I clarify anything folks are misinterpreting? I am a cybersecurity person but I am neither a civics nor elections expert. I did my best to research this but would welcome feedback from subject-matter experts.
