Should vs Is
I guess you sense what the real reason for this situation is. No system of online voting has proven to be secure. None. Well, almost no cyber system is totally secure in general, and voting systems have to be easily accessible to millions, in a short period of time, with no hiccups and with a high level of public trust in the system and the result it produces.
This lack of security is, as multiple cybersecurity scientists would attest, basically well established in computer science. New fads, like blockchain, offer some hope for the future – just not the immediate one. We at Curiosum, both tech specialists and product designers, face such challenges often, but here the scale and weight of responsibility are just that much larger. First, let us establish the key characteristics of voting processes that need to be maintained. Voting systems must provide:
Vote integrity. The rules of democracy are daringly simple. One person has one vote, only those who are eligible to vote can do so, and all of those votes are counted. The classic methods of ensuring this are burdensome, but reliable – the identity of the voter is checked against government voter rolls and databases before the ballot is cast.
Usability. UX designers love to brag about the diversity of users they take into consideration. But this system is the ultimate challenge. It must be simple and accessible to absolutely all, with, if possible, minimum deviation for special groups that would make logistics harder and slower. This probably makes some authentication methods too burdensome for low-tech groups, like the elderly.
Secrecy. Your goddamn right as a citizen is to cast your ballot anonymously. In most paper ballot systems this is quite easy, as ballots go into a ballot box where the identity of the voter is no longer discernible. But your packets of data are usually traceable, bar the smartest of VPNs and encryption methods.
Transparency. There were many famous recounts that changed history – or didn’t. It must be possible to verify elections when there is doubt regarding the outcome. Even if this process does not change the result, it ensures a heightened level of trust in that result. Crucially, transparency cannot be achieved at the cost of vote secrecy, which is an additional issue when designing digital voting systems.
The real challenge
Now, does the list above look overwhelming? In each and every bullet point above, dozens of challenges await. Now let’s jump to the most technical aspect, which is cybersecurity. Experts agree that even if the best practices in cybersecurity are used and followed to the letter, complete protection of cyber systems is not possible.
The best case that online voting proponents usually point to, the Estonian internet voting system, has been retroactively found to be vulnerable to DDoS attacks. Moreover, a shell-injection attack was possible, using built-in administrative functions of the program. This was true despite a thorough, community-based audit of the system.
What makes attacks more probable is the stakes. Voting decides the fates of entire countries and their policies, and it impacts the neighbouring countries and all industries. Shady interests may prevail. Democracy, as shown in the recent example of Russian manipulation of the sentiments of the American electorate, can be vulnerable to coordinated attacks even without outright changes to cast votes.
Cybersecurity is... hard
More specifically, what are the key technical threats that online voting must account for?
DDoS attacks. Such attacks can slow down the whole system or a key part of it, inducing crashes and delays thanks to massive traffic inflow.
Spoofing attacks. Voters can be redirected to fake websites with massive phishing campaigns – getting such emails, even if users recognize them correctly, already increases stress and distrust in the voting system. After all, would my granny pass this test of recognizing a legitimate website?
Security of voters' devices. Computers and mobile devices that voters use may already be riddled with malicious software. This can not only make voting impossible, but can also spread to the receiving end. Malware, viruses, trojans – you name it – can be custom built to simply change a single data packet that contains our vote and make it invalid or different.
Server penetration. The election offices are sometimes decentralized, as is the case with multiple US state-level voting systems. This increases the attack surface and, in many cases, just one remote breach may be enough to sow chaos on the administrative side of those systems.
Authentication attacks. Advanced adversaries can forge a voter’s credentials and cast the vote in their place.
As with most cybersecurity challenges, the defender must protect everywhere – but attackers flow like water, to the easiest opening they can find. Having the time, skills and resources that the election offices often lack, adversaries can truly wreak havoc on the elections, their integrity, and most importantly – trust in the electoral system itself.
So far, the accounting is clear – online voting is not worth the risk. We have tested current systems for decades, and in most democracies, those have been quite resilient. Developing adequately secure systems should very much be on our agenda, but until they prove themselves, go out there, and use paper and pen. And choose wisely!