A new report explains that online voting in the US is a matter of “if, not when,” but problems of anonymity and verifiability must be solved first.
Online elections could be a reality in the United States if the security world can figure out how to ensure both voter anonymity and vote verifiability — two essential but “largely incompatible” goals, according to a new report from the Atlantic Council and Intel Security. The report, “Online Voting: Rewards and Risks,” discusses what challenges must be solved if online voting is ever to take off in the US.
“It’s not a matter of if, but of when,” says Gary Davis, Chief Consumer Security Evangelist for Intel Security. “I’ll go out on a limb and say within 10 years” the US will allow online voting for national elections.
Why so confident? Davis points at the progress made in banking. Trust between customer and bank is essential to financial transactions, just like trust between citizen and government when casting ballots. Breaches notwithstanding, cryptography, identity management, and other security measures have made secure online banking a reality. Couldn’t the same technology be applied to online voting?
Yes, but there is a key difference between banking and voting: anonymity.
As the report explains, banks must tie a customer’s identity to the details of the transaction. Conversely, the government must not tie a citizen’s identity to the details of their vote. Officials do check IDs at polling places — to make sure that the person is a registered voter at the appropriate polling location, and that nobody gets to vote more than once — but an individual’s identity is never linked to their vote. The ballots cast are only viewed in aggregate.
The need for voter anonymity gets particularly tricky when coupled with the need for vote verifiability — making sure that votes can be accurately tabulated again during a recount or a routine audit. For years, the question of “meaningful audits” has been at the root of the e-voting security debate, even when the conversation is only about electronic voting machines at polling places, not online voting from mobile devices all over the place.
Most of the dispute is over direct-recording electronic voting machines (DREs) without voter-verified paper trails, because they introduce software to the election process, and as all security people know, new software means new vulnerabilities means new ways for nefarious individuals to exploit the system — like for example changing a person’s vote before it’s officially recorded.
Critics say that there must be a way to audit DREs’ results. Manufacturers say that their equipment can conduct audits of election results, but critics say that all the machines can do is recount the same corrupted records. The solution, they say, is to add a voter-verified paper trail — after a person casts their votes, the DRE prints out their selections on paper, asks the voter to review it and confirm that it has recorded their selections correctly, and drops the paper into a secure box once approved. That way, if there is any suspicion that the software was infected with vote-changing malware, the figures can be compared against a hand count of the paper records.
Anyone who was present for the 2000 US presidential election knows that paper is not without its own set of problems. (Remember a time before you knew what a “hanging chad” was?) Yet many districts still use paper votes exclusively, or as a back-up to the DREs and optical scan electronic voting machines.
Online voting would remove paper from the equation entirely. And, according to the report, current online security technology might not be able to provide the same kind of verifiability that paper can. From the report:
Banks, online retailers, and other companies offering services over the Internet factor in some degree of loss as a cost of doing business online, and generally indemnify their customers against bad actors. Online voting poses a much tougher problem: lost votes are unacceptable.
Online voting systems are complex, and any updates often must be separately recertified by election authorities. And unlike paper ballots, electronic votes cannot be “rolled back” or easily recounted. The twin goals of anonymity and verifiability within an online voting system are largely incompatible with current technologies.
That has not stopped Americans from trying, but online voting systems in the States have been fraught with software woes. From the report:
Alex Halderman, an assistant professor and security expert at the University of Michigan, has found holes in many existing online voting systems. In 2010, Dr. Halderman volunteered to test the integrity of an Internet voting system intended for use in Washington, DC. Within hours, his team accessed secret data on the system’s server, including the key used to encrypt ballots; replaced votes that had been cast; linked voters’ names to their votes; and forced the system’s vote-confirmation screen to play his university’s fight song. The team also found evidence that other hackers were trying to compromise the as-yet unused system. It was scrapped.
“Dr. Halderman ripped it apart,” says Davis, “but a lot of [the system’s problem] was Security 101.”
Davis says that online voting systems could “make Dr. Halderman’s life more difficult” if security professionals and e-voting machine manufacturers would really work together — something that has been difficult to achieve in the past. Manufacturers keep their software close, but some proponents of open-source and open-government have argued for greater transparency about the code running e-voting systems.
With so many questions about security, why bother with online voting at all?
“The common belief,” says Davis, “is that online voting will increase voter turnout,” especially if it were possible to vote via a smartphone app. As he explains, elderly or infirm people wouldn’t have to leave the house. Members of the military stationed overseas will not have to go through the absentee ballot process. Young people who love technology and hate waiting in lines might be more likely to participate in the election.
However, in the short-term, online voting could increase turnout from some populations and decrease it in others. Districts offering online voting might not offer anything else. Voters do not have the option to go to another district’s polling place to use their machines. So, some voters who do not trust the technology or do not have access to the technology might decide not to vote at all.
Although the US is (at least) years away from online voting, Estonia has been doing it since 2005; roughly one-quarter of their citizens vote that way. As the report explains:
Because all Estonians have a government “chip and PIN” e-ID card, online voting is now available to the country’s electorate, and votes are encrypted for greater security.
Estonians can also vote more than once, from different devices and locations, over a thirty-day period — though only the final vote counts — giving voters the option to change their minds. They can also vote at a polling station on election day if they wish… The Estonian system also enables individuals to verify their vote using a form of two-factor verification: in this case, two devices, such as a smartphone and a personal computer. Voters are unlikely to “sell” their vote because their e-ID cards are also tied to government services such as healthcare.
Whether or not the Estonian system for a country with only a half-million citizens could scale up to the US’s needs is one question.
The bigger snag, though, is that the Estonian system relies on the fact that all citizens have government-issued Chip-and-PIN ID cards that are essential to a wide variety of government services. The American public might resist such a thing.
However, Davis thinks that as Americans become more comfortable using mobile devices for biometric authentication and transaction verification, there will be less resistance to and/or less need for such a system.