Lawfare is partnering with the Stanford-MIT Healthy Elections Project to produce a series on election integrity in the midst of the coronavirus crisis. The Healthy Elections Project aims to assist election officials and the public as the nation confronts the challenges that the coronavirus pandemic poses for election administration. Through student-driven research, tool development, and direct services to jurisdictions, the project focuses on confronting the logistical challenges faced by states as they make rapid transitions to mail balloting and the creation of safe polling places. Read other installments in the series here.
The ongoing coronavirus pandemic has forced many election officials to consider how they can guarantee the right to vote without compromising the health and safety of voters and poll workers. In light of these concerns, officials nationwide have rapidly expanded mail-in voting processes and organized safer in-person polling stations in order to ensure successful elections. Online voting has also gained some attention as a potential means to support healthy elections for its apparent safety and accessibility advantages, especially earlier on in the pandemic.
Security experts warn that, if deployed, online voting could jeopardize the security of an election. A recent memo published by our team at the Stanford-MIT Healthy Elections Project summarizes many of the security concerns surrounding online voting and the 2020 general election. Russian interference in the 2016 elections demonstrated the will and capacity of a nation-state to target America’s highly decentralized election infrastructure. Heading into November 2020, safeguarding vulnerabilities in the U.S. election is essential.
Though most realistic discussions regarding online voting for this election have faded out due to the security concerns, calls for online voting for this and future elections will persist. In this post, we explore the security requirements of online voting systems and suggest current alternatives that can be employed to improve election security and accessibility today.
Why Online Voting Isn’t Secure Today
To the layperson, online voting may sound like a sensible option. If people can bank and file taxes on their phones, why should they not be able to vote the same way? The unfortunate reality is that, while most activities can be conducted relatively securely over the internet, voting still faces unique security constraints.
With online banking, for instance, transactions are visible to banks, so they can monitor and audit for fraudulent transactions and take action if malicious activity occurs. Further, the liability is on the bank. The banking system is verifiable, as individuals can tell if their accounts have been compromised, and it is remediatable, as users can notify their banks when transfers do not add up.
The same is not true for online voting platforms; votes must be kept secret to avoid vote selling, coercion and vote buying. If a vote is altered surreptitiously, the voter cannot easily check or remediate the problem, and, even if an issue is detected, the voting company is not held liable and the greatest damages it will receive are to its reputation. Due to these seemingly conflicting requirements of ballot secrecy and verifiability, it is remarkably difficult to construct an online voting system that maintains the same two security properties. We explore these challenges below.
The scientific and expert consensus is that online voting is not—and will not be—ready for the main stage until “substantial scientific advances” are made. In a landmark report by the National Academies of Sciences, Engineering, and Medicine (NASEM), experts stated that internet voting “should not be used … until and unless very robust guarantees of security and verifiability are developed and in place.” Similar sentiments have been echoed by the American Association for the Advancement of Science. And multiple federal agencies, including the Election Assistance Commission, the Cybersecurity and Infrastructure Security Agency, and the FBI, have warned that online voting presents an unacceptably high risk. This is especially true when just a few ballots may sway a national election.
According to the NASEM report and other prominent works on internet voting, a prerequisite for overcoming these security challenges is end-to-end verifiability (E2E-V). An E2E-V system provides voters with proof that their votes were cast and counted as intended, which means voters don’t have to merely have blind faith in the election software and hardware they use. The proof that voters receive to ensure their ballot was cast as intended does not violate voter privacy nor does it provide a usable receipt that voters could then use to sell their votes. While certain E2E-V online voting systems have been created by academics, decades of research concludes that no E2E-V online voting system is robust enough to be deployed widely.
Current online voting products are far afield from reaching E2E-V. In fact, the two vendors deployed most prominently in the United States, Voatz and Democracy Live, have been subject to scathing assessments by Massachusetts Institute of Technology and University of Michigan researchers, who found a slew of basic security and privacy flaws that could allow concerted adversaries to reveal, alter or deny a voter’s ballot. Despite claims by the vendors that their technologies are “voter verifiable” (in the case of Voatz) or that they are “not an online voting system” (in the case of Democracy Live), the assessments prove that neither vendors’ solution provides verifiability, as votes can be changed surreptitiously by malware sitting on either the voter’s device or the vendor’s servers without possibility of detection or remediation by either the voter or the vendor.
The evident faults of these commercial voting platforms are perhaps unsurprising, given the scientific and academic community’s consensus that secure online voting remains an open research problem.
The Role of Academia in Overcoming Security Concerns
Academic research is needed to help online voting technology reach maturity. Critics often accuse the academic community of being resistant to change with new technologies, claiming that online voting could be solved easily if academics set their minds to it. Yet computer scientists have been making progress toward E2E-V voting systems for decades, aided by advancements such as homomorphic encryption, which allows arithmetic to be performed on encrypted values without needing to decrypt them.
One of the most robust online voting systems is Helios, an open-source system that allows for end-to-end verifiable online elections. Helios works by using a cryptographic technique known as a mixnet to shuffle votes. This cryptographic process allows ballots to be anonymized while also mathematically proving to voters that their ballots were successfully cast as intended.
Yet Helios is far from perfect. Helios creator Ben Adida admits that the system should be used only in “low-stakes” elections such as student government elections, as Helios does not protect against coercers forcing voters to vote a particular way and further requires voters to trust a centralized server not to violate the secrecy of their ballots. Adida has conceded that Helios should not be used in high-stakes elections as its design is not resistant to coercion. This is a hard research problem—a recent survey of existing E2E-V systems shows that quite a few unsolved challenges remain in remote E2E-V systems. These challenges must be overcome before E2E-V systems can be trusted for high-stakes elections.
Adida is the first to admit that Helios (or any current online voting system, for that matter) is not ready for use in real-world public government elections. We spoke with Adida—who designed the Helios system as part of his doctoral thesis at MIT under cryptography luminary and Turing Award winner Ronald Rivest—and he emphasized that even though mathematical techniques may exist to prove that a voter’s ballot was cast as intended, a challenge still lies in convincing the voter that the proof, and hence election results, can be trusted. To Adida, this is an unsolved security usability problem, and extensive user research will be required to create a verifiable system that the average voter trusts. No matter how secure a system is, that security counts only when users can trust it.
New Enfranchisement Concerns
Online voting is sometimes touted as a positive for voter accessibility, particularly for voters with disabilities. In reality, internet voting introduces serious enfranchisement concerns of its own. This presents another area where research is needed before implementing these systems.
Voter authentication is among the most controversial aspects of voting in the United States and will likely continue to be no matter the voting system put in place. Widespread online voting will require a system that does not undermine the voting process by precluding certain demographics from voting. In this regard, online voting is inadequate in its current form.
Thus far, some internet voting vendors such as Voatz have employed an authentication system based on a machine learning-driven facial comparison of a photo of a voter’s driver’s license or passport page to a short selfie video of the voter’s face. If the software deems that the two match, the voter is authenticated. Such forms of technical authentication may institute prohibitive barriers that exclude legitimate voters from participating. Facial comparison systems have been known to have higher error rates on minority faces compared to Caucasian faces.
To provide more fair and robust authentication means than facial recognition, online voting systems will need to involve secure, modern hardware. Adida suggests that this could include hardware enclaves on mobile devices or physical security keys. Of course, such authentication methods themselves face accessibility concerns, as not every voter may have access to a cutting-edge mobile phone. While 81 percent of Americans own smartphones, there is variation in smartphone ownership based on race, gender, age, income and educational attainment. The Estonian national ID card system is one example of a means to authenticate voters by distributing digital identity cards, though it has seen its own security woes: In 2017, researchers discovered a cryptography flaw that allowed Estonian ID cards to be compromised, resulting in the forced update of 760,000 cards.
While online voting may seem to make voting more accessible overall, it could yield new disparities in demographic and political representation. The digital divide—the “haves” and “have nots” of internet access—will, in part, determine who gets to vote. Demographics that traditionally turn out at higher rates (older Americans and women) are among the groups most affected by the digital divide. Racial minorities, older adults, rural residents, and those with lower levels of education and income continue to be less likely to have broadband service at home. Without broadband service, which provides internet access, one cannot vote online.
There are few case studies of online voting in the United States today on which to base voter accessibility claims. Those that do exist, however, such as for the 2000 Arizona Democratic presidential primary, suggest that women, the elderly, racial minorities, the unemployed and rural residents are less likely to engage in internet voting.
While creating a secure enough online voting system is a worthwhile research-level effort, current online voting options are not secure enough for use in real elections. For online systems to be implementable, researchers will need to develop systems that are end-to-end verifiable and transparent to users, while also robust enough for federal elections. Researching and developing such a system will take years.
In the meantime, a number of measures can be taken now to improve the reliability and accessibility of the voting process. These include expanding end-to-end verifiability for paper ballots, risk-limiting audits, assessment of nonvoting technology and remote accessible vote-by-mail for disabled voters:
- Rather than immediately trying to confront the difficult problem of end-to-end verifiability of online voting, the industry and researchers may instead focus on first developing and deploying end-to-end verifiable in-person and mail-in voting systems. Microsoft’s ElectionGuard is one such readily available open-source resource for end-to-end verifiable in-person elections. Working to deploy such software, and fielding similar solutions for mail-in ballots, offers a tangible path to improving election security.
- Risk-limiting audits (RLAs) are a standard technique to verify election results. In an RLA, election officials compare a random sample of paper ballots to the ballots’ electronic representations in order to verify that the computer records are accurate and the election was tallied correctly. RLAs are both statistically sound and resource effective, as the amount of ballots audited is dependent on the margin of victory. RLAs can be used to complement both existing voting systems and end-to-end verifiable systems.
- The problem of election security extends well beyond just voting systems themselves. Other electronic systems deployed include e-pollbooks, online voter registration and election-night reporting software. While these technologies benefit from less restrictive security properties than those required for online voting systems, it nonetheless remains a challenge to develop such electronic systems in a secure manner. A vast amount of work is needed to secure existing technologies and develop new, more verifiable means (such as for voter registration).
- Voters deserve more transparency in the technology used for their elections. Voting systems should be open source to allow maximum public scrutiny. Adida’s nonprofit VotingWorks is a strong example of how accessible, secure voting technology can be developed using modern design principles. A push toward open-source systems should be accompanied by public security assessments that follow standard practices in security for reporting and disclosing vulnerabilities.
- For disabled voters, who are often the primary audience for jurisdictions that consider online voting, voting options such as Remote Accessible Vote-by-Mail (RAVBM) offer a more viable alternative. RAVBM allows voters with specific disabilities to access and fill out their ballots remotely using visual or dexterity-aiding tools. After filling out their ballots, disabled voters can print and mail them, combining the convenience of computers with the security of maintaining a paper trail for individual ballots.
Congress has already introduced legislation that encompasses several of these measures. The Securing America’s Federal Elections Act, or SAFE Act, promotes election security through grant programs and imposes new requirements for voting systems and paper ballots. In addition to funding research into accessible voter-verified paper ballots, the bill mandates that states carry out risk-limiting audits for federal elections.
Online voting was not ready for 2020, and it won’t be anytime soon. Rather than prematurely offering insecure technologies to American voters, we must focus instead on addressing security and accessibility problems with the resources and technologies available today. By focusing on real areas for improvement, as outlined above, we can hope to offer Americans more secure elections for 2020 and beyond.