When it comes to elections, nine of 10 security experts agree that cellulose is safer than electricity [a]. The best way to vote, they say, is to take the horse-and-buggy down to town on election day, mark up a paper ballot, and put it in a ballot box. The very thought of online voting is anathema. Yet, the status quo in voting is hardly secure, and online voting is inevitable. The agenda for concerned security experts should be to assure online voting is more secure than paper voting. If 60 years of computer security research cannot yield the solution, then it has been going in the wrong direction.
The nay-saying experts are not Luddites, exactly. They recognize the evolution of the field of computer security has followed an arc with its greatest successes in practical solutions to common problems (virus scanning, public key protocols for website verification and privacy, constant inspection and testing for system security errors) rather than in complex, infrequent use cases. Election requirements for assuring a democratically elected government go beyond the usual needs of commerce and communication.
Even as voting technology is recognized as critical infrastructure [b], the cost of paper elections burdens government. A small number of local officials are the arbiters of how much to spend on ballots and machines and IT infrastructure. Their solutions are often draconian, discriminatory, and unsafe. In contrast, Internet access through smartphones will be nearly universal and could have a cost-per-vote of essentially zero. To make voting as easy as possible for the greatest number of citizens, we must take the condemnation of online voting as a challenge rather than a prohibition.
Paper ballots, filled out at a polling station and counted by optical scanners, have been endorsed by a number of computer scientists and voting rights groups. Although the method ranks high on transparency and auditability, it is as fraught with inequities and security problems as are the software apps on mobile devices. The only virtue of paper is that large-scale fraud is arguably more difficult because either fraudsters must show up in person, or a fraudster has to approach the voter. Counteracting that advantage is the fact that in-person voting tends to suppress the votes of working people, shut-ins, and those who live in rural areas, and it incurs no small cost in running polling stations. That is why mail-in ballots are becoming the cost-saving standard. Unfortunately, mail-in voting lacks checks on integrity and has no guarantees of timeliness. For a relevant example of poor integrity, note that North Carolina, U.S.A., invalidated an important election [4] because of mail-in ballot fraud. Detection of fraud is hardly a cure; the election had to be conducted all over again.
Another disadvantage of traditional voting systems is their practical lack of transparency. Recounts can be conducted by examining paper ballots, but that is slow and costly, and only a few people actually get to see the ballots.
The automation of the initial counting brings into question the integrity of the IT resources of the election authority's systems for handling registration and tallying. Memory cards from optical scan machines can go missing, and voter registrations can get lost in processing. The public has no insight into the configuration of the resources and how they are accounted for. For numerous examples, I have to look no further than my own voting district [3]. We can do much better.
Despite the admonitions of experts, online voting is emerging in several U.S. and international initiatives; Estonia has the most aggressive effort [1]. Online votes in Estonia have been steadily growing since 2005, and the uptake may exceed 50% this year. Their system requires a USB card reader, but there is a smartphone-based app in the works. Some U.S. states allow Internet voting for overseas military personnel. West Virginia and Denver, CO, are experimenting with a mobile voting app that includes a blockchain component.
The looming question is: Can online voting be more secure than today’s flawed paper systems? I believe we have the technology pieces to reach this goal, and it is imperative to develop secure voting systems running on common mobile devices.
If the threat environment is controllable, online elections with security safeguards are possible today. For a professional society, or the governing board of a small non-profit organization, the Helios open source web-based voting system [7] offers some strong cryptographic assurances. It assures vote privacy, transparent audit, and protection against voter coercion (vote early, vote often, only the last vote counts). Helios is scalable and easy to implement. On the negative side, it can be undermined by real-world problems with voter registration, phishing attacks and malware, dirty social media tricks, and so forth. But let's take Helios as a building block with the challenge to secure it in a voting ecosystem.
A verifiable chain of trust from the voting device through to the election results publication is an absolute necessity. That chain must be robust in the face of concerted attacks on every step of the process [6]. Fraud must be detectable and close to 100% preventable. Unfortunately, mobile devices in their current state are untrustworthy. It is far too easy to introduce corrupt software that fools the voter and election officials while also corrupting the vote. The voter cannot trust the integrity of the computing device's software, firmware, or hardware; cannot trust that it connects to the correct server, that the presented ballot is genuine, or that the vote is private; and cannot know that the vote reached the election officials. Even if the vote is delivered correctly, voters should worry about the integrity of the server software for recording and counting. These are the challenges that should be attracting the best of our security expertise.
The key to success is the development of minimal and fully analyzed components. First, a trusted computing base on trusted hardware, verifiable software, and a public log of voter credentials and votes. Yes, those are the very things you likely did not want to see mentioned: TPM, open source, and … blockchain! With them, a chain of trust can be built: trust in the mobile computing device, the website server, the presentation of the ballot, marking the ballot, submission of a private vote, counting the vote, and vote audit.
A handful of U.S. initiatives are developing precursor technology that might eventually enable secure smartphone voting, but they are directed at a simpler issue: the security of electronic voting machines and vote tabulating machines. Today, these have questionable security because they are based on commodity hardware and proprietary software. To be trustworthy, they must be based on secure hardware and open source, secure software. Within a DARPA program [2,5] for developing secure hardware and firmware, there is one grant for secure voting machines on secure hardware.
The unique challenges of online voting need to balance anonymity, authorization, and transparency. Using a blockchain for credentials solves a vexing Public Key Infrastructure (PKI) problem: The U.S. does not have a “root of trust” for election authorities, and it probably should not institute one. Each state has the right and responsibility for registering voters and conducting elections, and the individual counties (or districts) have a great deal of latitude in how they implement the processes. This means there are at least 50 root authorities. If each one has a public key, where is it advertised? What is trustworthy?
Blockchains are useful for establishing secure identities without a central authority. The election official of a state (governor, lieutenant governor, secretary of state) can issue a public key for granting election authority, and enter that key on a blockchain. There it can accumulate endorsements from other authorities: states, federal agencies, and so forth. A consensus protocol can establish trust by a preponderance of evidence. The state’s public key can be used to endorse the public keys of the county election authorities and other voting districts. Key management for the more than 3,000 counties and 10,000 voting districts in the U.S.A. is a non-trivial task. The blockchain carries an immutable log of the history, revocations, authorizations, and so forth.
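The mechanism just described (a state authority registers a key, peers endorse it, trust follows from a preponderance of endorsements, the state then endorses its county keys, and every revocation stays in an immutable history) can be made concrete with a small append-only, hash-chained log. The following Go program is an added example, not code from the essay or from any existing election system; the authority names (state-A, state-B, state-C, federal-X, county-1), the entry kinds, the quorum rule and the wire format are all assumptions made for illustration. It uses Ed25519 signatures from the Go standard library in place of a real blockchain's consensus layer; the endorsement-counting and delegation rules are what the passage describes.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Entry is one record of the hypothetical authority log: "register" (self-signed, carries Key),
// "endorse" or "revoke" (Signer vouches for, or stops vouching for, Subject).
type Entry struct {
	Seq                             int
	PrevHash, Kind, Signer, Subject string
	Key                             ed25519.PublicKey
	Sig                             []byte
}

// payload is the canonical byte string that is signed (names must not contain '|').
func (e Entry) payload() []byte {
	return []byte(fmt.Sprintf("%d|%s|%s|%s|%s|%x", e.Seq, e.PrevHash, e.Kind, e.Signer, e.Subject, []byte(e.Key)))
}

// Sign is done by the authority with its own private key; the log never holds that key.
func Sign(priv ed25519.PrivateKey, e Entry) Entry {
	e.Sig = ed25519.Sign(priv, e.payload())
	return e
}

// Log is the append-only, hash-chained record; keys caches the registered public keys.
type Log struct {
	Entries []Entry
	keys    map[string]ed25519.PublicKey
}

func NewLog() *Log { return &Log{keys: map[string]ed25519.PublicKey{}} }

// Next prepares an unsigned entry at the chain head. The back-link hashes the previous entry's
// payload and signature, so altering either one breaks every later link.
func (l *Log) Next(kind, signer, subject string, key ed25519.PublicKey) Entry {
	prev := "genesis"
	if n := len(l.Entries); n > 0 {
		sum := sha256.Sum256(append(l.Entries[n-1].payload(), l.Entries[n-1].Sig...))
		prev = hex.EncodeToString(sum[:])
	}
	return Entry{Seq: len(l.Entries), PrevHash: prev, Kind: kind, Signer: signer, Subject: subject, Key: key}
}

// Append admits an entry only if it extends the head and its signature verifies under a
// registered key (a registration is checked against the key it carries).
func (l *Log) Append(e Entry) error {
	if head := l.Next("", "", "", nil); e.Seq != head.Seq || e.PrevHash != head.PrevHash {
		return errors.New("entry does not extend the chain head")
	}
	verifyKey := l.keys[e.Signer]
	_, known := l.keys[e.Subject]
	switch {
	case e.Kind == "register" && e.Signer == e.Subject && !known && len(e.Key) == ed25519.PublicKeySize:
		verifyKey = e.Key
	case (e.Kind == "endorse" || e.Kind == "revoke") && verifyKey != nil && known && e.Signer != e.Subject:
	default:
		return errors.New("unknown kind, unregistered party, duplicate registration or self-endorsement")
	}
	if !ed25519.Verify(verifyKey, e.payload(), e.Sig) {
		return errors.New("signature does not verify")
	}
	l.Entries = append(l.Entries, e)
	if e.Kind == "register" {
		l.keys[e.Subject] = e.Key
	}
	return nil
}

// Verify replays the log from genesis through Append, re-checking every link and signature.
func (l *Log) Verify() error {
	replay := NewLog()
	for i, e := range l.Entries {
		if err := replay.Append(e); err != nil {
			return fmt.Errorf("entry %d: %v", i, err)
		}
	}
	return nil
}

// ActiveEndorsers lists the authorities whose latest statement about subject is an endorsement.
func (l *Log) ActiveEndorsers(subject string) map[string]bool {
	active := map[string]bool{}
	for _, e := range l.Entries {
		if e.Subject == subject && e.Kind == "endorse" {
			active[e.Signer] = true
		} else if e.Subject == subject && e.Kind == "revoke" {
			delete(active, e.Signer)
		}
	}
	return active
}

// DelegatedKey resolves a county key through its state: the state key counts as trusted by
// preponderance of evidence (at least quorum peers endorse it) and must itself endorse the county.
func (l *Log) DelegatedKey(county, state string, quorum int) (ed25519.PublicKey, error) {
	if len(l.ActiveEndorsers(state)) < quorum {
		return nil, errors.New("state key lacks a quorum of endorsements")
	}
	if !l.ActiveEndorsers(county)[state] {
		return nil, errors.New("county has no active endorsement from its state")
	}
	return l.keys[county], nil
}

// Demo builds a constructed scenario with placeholder names: state-B, state-C and federal-X
// vouch for state-A, which then endorses county-1. A rejected entry here is a bug, so it panics.
func Demo() (*Log, map[string]ed25519.PrivateKey) {
	l, keys := NewLog(), map[string]ed25519.PrivateKey{}
	add := func(kind, signer, subject string, key ed25519.PublicKey) {
		if err := l.Append(Sign(keys[signer], l.Next(kind, signer, subject, key))); err != nil {
			panic(err)
		}
	}
	for _, n := range []string{"state-A", "state-B", "state-C", "federal-X", "county-1"} {
		pub, priv, _ := ed25519.GenerateKey(rand.Reader)
		keys[n] = priv
		add("register", n, n, pub)
	}
	for _, p := range [][2]string{{"state-B", "state-A"}, {"state-C", "state-A"}, {"federal-X", "state-A"}, {"state-A", "county-1"}} {
		add("endorse", p[0], p[1], nil)
	}
	return l, keys
}

func main() {
	l, keys := Demo()
	_, before := l.DelegatedKey("county-1", "state-A", 2)
	// state-A withdraws its endorsement: the county key stops resolving, but the record remains.
	err := l.Append(Sign(keys["state-A"], l.Next("revoke", "state-A", "county-1", nil)))
	_, after := l.DelegatedKey("county-1", "state-A", 2)
	fmt.Println("before:", before, "| revoke accepted:", err == nil, "| after:", after, "| chain verifies:", l.Verify())
}
```

Two design points carry the essay's argument. First, no single root: state-A's key becomes trusted only because enough independent peers say so, and the quorum is a parameter the relying party chooses, not something the log dictates. Second, history is never rewritten: a revocation is a new signed entry, so an auditor replaying the log sees both the endorsement and its withdrawal, and any edit to an earlier entry invalidates its signature and every later back-link.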
The multiplicity and independence of election administration regions prevent adoption of a single software base. There are a few obvious critical items for standardization into open source components. One is a two-way secure communication protocol for voters to use in establishing their voting session. The other concerns the presentation of the ballot and the voter responses. Ballots can be complicated, and the voter must be able to read the options unambiguously. A standardized and formally verifiable markup language will assure the voter's device can interpret the ballot uniquely and clearly, and verified software on the mobile device will convey the responses into a similarly unambiguous format.
How do voters know the correct software is running on their devices, and how do they know their response got to the server? One needs a chain of trust established through trustworthy processors, public keys, blockchain logging, and runtime software audits. The most practical solution would include a standard trusted processing module in all mobile devices along with the minimal verified software for the trusted computing base (TCB). A "trusted path" operation on the cellphone would lock the device interactions into the trusted processor.
The TCB must include the keyboard and device display. Each manufacturer may have separate device drivers, so the variation in interfaces creates a possibly different attack surface for each device. This is another security challenge: nearly device-independent hardware/firmware driver designs with common components for critical functions.
The final challenge is economic. How much would the software cost, how much would a smartphone with the trusted hardware and software cost, how much would state and county governments have to spend, and who would pay for development?
My rough estimate is that if the government required cellphones to have the secure processor and software (as user-invocable options solely for voting), the cost would be approximately $10 per unit. This would impact the affordability of the lowest-price cellphones, but the U.S. federal government could subsidize it by transferring landline taxes to a secure voting initiative. States could easily fund the software initiative through the expected savings in reduced election costs.
Some voters will continue to need paper ballots or in-person voting at county headquarters, and mobile polling stations are needed to assist rural voters. This support can diminish over time as secure and assistive technologies develop. New opportunities for developing voting devices for the various “abilities” will develop as offshoots of device security research.
Universal, secure online voting cannot be ready by 2020. A national goal of 5% online voting for 2024 seems reasonable, with 50% by 2028. The choice is not really between online voting and paper voting, it is between risky online voting and secure online voting.