Securing Online Voting Remains Elusive Goal for National Elections
It will be a long time, if ever, before it’s possible to securely deploy internet voting systems for most Americans, but even the most skeptical experts are coming around to the idea that online ballots are OK in certain circumstances, attendees of AFCEA’s 2021 Federal Identity Forum and Expo heard Monday.
That was the takeaway from a panel on election identity, featuring technical experts discussing the development and use of identity technologies in voting. Inevitably, the conversation turned to online voting.
A lot of Americans wonder, “I bank online. I've been working online for the last year and a half doing relatively sensitive stuff, maybe with the federal government, I file my taxes online—post-pandemic basically everything I do is online, why haven't we figured out how to vote online?” asked panel moderator and former National Institute of Standards and Technology digital identity chief Michael Garcia.
The answer, he suggested, lay partially in how high the stakes of a national election were, and the fact that, “We don't really have any re-dos” in an election. If a system failed some voters, there would be no way to remediate or fix that.
Nonetheless, the law treats some categories of voter, like disabled people or military service members deployed overseas, differently, noted Jocelyn Bucaro, director of mobile voting for Tusk Philanthropies, a charitable project funded by venture capitalist Bradley Tusk.
Military and other overseas voters “have special privileges under federal law in federal elections to receive ballots electronically, over a longer period before election day, and in 32 states currently, they also have the option to return a ballot electronically,” Bucaro explained. In most of those states the channel for electronic return is emailing a scanned image or photograph of the ballot as an attachment.
“That method has no security,” she noted. “And not only is it not secure, but it's also not terribly convenient ... either. It's a lot of work to process those ballots.” Other states use fax, a secure file transfer site where voters upload their ballot, or in one case, a mobile application.
But voting is different from banking or health care or any other critical activity now performed online, added Ben Adida, executive director of VotingWorks, a nonprofit that makes voting machines using open-source technology.
“You’re going to notice if a large amount of money leaves your bank account,” Adida explained. “But if your vote is flipped as it's getting into the tally, how are you going to know that?”
One of the oldest principles of election security was that the ballot must be secret: it mustn’t be possible for election officials or anyone else to know how any particular individual voted. Nor should individuals be able to obtain proof of how they voted, since this would enable them to sell their vote or to be effectively threatened into casting it in a particular way.
“If we don't make it possible for you to go and check how you voted, which would allow you to sell your vote and break the secrecy of the ballot, how are you going to notice that” your vote had been changed? Adida asked.
He said there was research underway using homomorphic encryption to give people a way to check that their own vote was accurately cast without granting them the ability to prove how they voted to anyone else. “And if that sounds contradictory, it's because it's just the kind of flavor of contradictory that cryptography loves to solve, right? And it is technically possible.”
But, he added, even if voters had a way to check their ballot, there would still be huge risks in deploying online voting at scale. “There's a question as to whether enough voters would actually carry out this process of verification or would understand this process of verification,” Adida said. Imagine trying to conduct the kind of state-wide recount carried out by Georgia in the wake of the 2020 election. “What does a recount look like” in an election where a substantial proportion of ballots were cast online? “How do you trust that that recount is meaningful?
“And if you pull that thread a little bit, you start to understand that a lot of the security that exists in the voting system as we use it today, is based on an extremely inefficient and unscalable paper ballot process,” Adida said.
At the moment, there was an asymmetry that helped keep elections secure, he said. “If you look at the power you get from stealing one person's identity and voting with it versus the penalty that would be imposed, if you were discovered,” there’s an imbalance: “It’s one vote versus a federal felony.”
Even the entirety of the current population of voters allowed to use online balloting wouldn’t necessarily make it worthwhile for a nation-state or other motivated, well-resourced attacker to try to hack the vote, he said. “The threat model [is] that Russia probably won't care about flipping 100,000 military votes, but they'll definitely care about flipping a few million.” Moreover, having only a small number of voters involved would make it possible to “audit the heck out of it, you could have all those [voters] sign papers, saying that they give up their right to an anonymous vote, and you could hire all the people you needed to call them up individually, and say, ‘I'm just confirming, that you voted for this person,’ just to really nail down the process.”
Those facts brought Adida, a self-described skeptic of online voting, around to the idea that it might be OK for small numbers of people who would otherwise effectively be disenfranchised by their inability to submit a timely ballot.
But such measures simply couldn’t scale across the whole voting population, he concluded. “I don't yet see a path to safe broad deployment” of online voting.