Phil Windley is a really smart guy, so when he speaks on a technical matter, I make it a point to listen. (Also, he runs the @utahpolitics Twitter bot that so many of us know and love.) He recently raised a number of good points about some dangers in embracing electronic voting, none of which are trivial matters. Unlike Phil, I don’t think these are insurmountable barriers. I’d like to propose some ways we can work with and around them.
Secret ballots are required
There are a lot of benefits to the secret ballot. Nobody can prove, for certain, that you voted a specific way. This eliminates the possibility of threats or pressure from, say, an employer to vote a certain way. Even with a mail-in ballot, the signature used to validate the voter is removed from the ballot before it is counted, thus severing any link between the voter and the ballot cast. By removing the link between the voter and the vote, it allows voting based on conscience rather than intimidation.
With electronic voting options, we often end up with a competing interest: auditability. In order to make sure that only authorized ballots are cast and no electronic tampering has occurred, we need to be able to make sure that ballots were legitimately cast by eligible voters. Can we take a page from existing voting options to remediate this? I think so.
Currently, ballots cast at a polling location are recorded electronically and on a backup paper ballot. Polling devices are under a strict chain of custody to ensure that the numbers on the machine are not altered (which is comically easy to do). I think we can apply some solid security principles towards ensuring both the secrecy and the integrity of the ballot. It all depends on how you define “secret”.
When designing a secure system, it’s common to create processes that force collusion. This means that no single actor can carry out a bad act; they always need the assistance of a second party to accomplish the ill deed. Since it is much harder to find multiple willing participants, it breaks the ability to compromise the system. Forced collusion could help keep the ballot secret.
A way to make collusion required is to maintain the ballot and the identity associated with it in separate encrypted databases. To establish a link between the two pieces of data would require what is known as secret sharing. This is where multiple custodians each hold a share of the key that unlocks a piece of encrypted data, but a minimum number of them must agree to combine their shares in order to decrypt it. An example would be entrusting 7 people with shares of the key and requiring at least 5 of them to present their shares before the key can be reconstructed.
Of course, it depends on whether such a system meets the legal requirement of “secret”. I’m thinking some sort of fix in state code would need to explicitly allow for this workaround to ensure auditability. Voters who choose to do electronic voting would also need to do so with the understanding that the possibility exists of linking their vote back to them under some circumstances. It’s not perfect, but it does minimize the risks involved.
Computing environment is uncontrolled
Malware attacks have gotten much more targeted and sophisticated within the last decade. We don’t see as much widespread, general-purpose malware as we used to. In fact, most of it is highly targeted and often deployed by script kiddies. The number of people who are actually writing the code is very, very small. In almost all cases, it is done for explicit financial gain (think banking trojans and corporate espionage). What’s there to gain in attempting to rig elections in Utah?
When answering that question, we have to look at the cost of a successful attack. It would require a lot of programming time to create malware crafted explicitly to target online voters in Utah. You’d also have to go after just the competitive races to avoid detection, and you can’t trigger any of the normal voting signals such as an excessive number of out-of-state votes, too many votes from a single IP address, or a ballot cast in the name of someone who has already voted.
Even if you overcome all of these obstacles (which greatly reduces the number of potential fraudulent votes that can be successfully cast), you’re still going to have to specifically target eligible voters and somehow find a way to install the malware payload on their systems. That requires an exploit that works on each target machine. Attempting to hit everyone in a brute force attack tips your hand and thwarts the attack. Simply put, the difficulty of executing the attack is high, the probability of success is low, and the reward for doing so is even lower. About the best outcome someone could hope for is a denial of service style attack that quickly lands them in federal prison for many decades as a new election is held.
What we have to ask when it comes to the integrity of the results is what matters more, that the number of ballots cast for each candidate is perfectly accurate or that the candidate who received the highest number of ballots cast ends up the winner? I’d say the latter more than the former. That’s why I wouldn’t be overly concerned with malware or other exploits.
Margin for error is very small
In the scenario above, an attack to attempt to tip the scales would only make sense in a competitive race. Any attempt to tip the scales in a highly irregular way (such as getting a Democrat to win a legislative seat in Provo) would be immediately recognized as fraudulent and quickly discarded. Even if someone decided it was worth the time, effort, and risk of a decades-long prison sentence, just how many races would be worth targeting?
To be honest, not many. The only competitive races in Utah are Salt Lake County Mayor, a handful of county council and legislative seats (again, mostly in Salt Lake County), and the odd non-partisan city council race. Add in a few close primary races and you’re talking maybe dozens of races often involving just a few thousand voters each. If there’s an obvious irregularity (e.g. more votes than voters, the same voter attempting to vote from multiple IP addresses, etc.), an audit could be triggered and voters can be notified that they need to recast their spoiled ballots. The risks and costs are very high for a relatively small reward and certainly no financial one.
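The signals named in the two passages above (more ballots than registered voters, duplicate voter ids, one voter on several IP addresses, too many ballots from one IP, an out-of-state surge) are simple enough to check mechanically against the submission log, which is what lets an audit be triggered early rather than after certification. The following is an added example, not code from the original post or from any election office; the submission records, registration counts and thresholds are all constructed, and the field names are assumptions about what such a log would hold.

```python
from collections import Counter, defaultdict

# Constructed sample of electronic ballot submissions (not real data). Each
# record is what an election office might log per submission: a pseudonymous
# voter id, the voter's precinct, the submitting IP and the state it
# geolocates to. v005 submits twice from two IPs; 198.51.100.7 sends four
# ballots; P1 receives more ballots than it has registered voters.
SUBMISSIONS = [
    {"voter_id": "v001", "precinct": "P1", "ip": "10.0.0.1", "state": "UT"},
    {"voter_id": "v002", "precinct": "P1", "ip": "10.0.0.2", "state": "UT"},
    {"voter_id": "v003", "precinct": "P1", "ip": "10.0.0.3", "state": "UT"},
    {"voter_id": "v004", "precinct": "P1", "ip": "10.0.0.4", "state": "UT"},
    {"voter_id": "v005", "precinct": "P2", "ip": "10.0.0.5", "state": "UT"},
    {"voter_id": "v005", "precinct": "P2", "ip": "10.0.0.9", "state": "UT"},
    {"voter_id": "v006", "precinct": "P2", "ip": "198.51.100.7", "state": "CA"},
    {"voter_id": "v007", "precinct": "P2", "ip": "198.51.100.7", "state": "CA"},
    {"voter_id": "v008", "precinct": "P2", "ip": "198.51.100.7", "state": "CA"},
    {"voter_id": "v009", "precinct": "P2", "ip": "198.51.100.7", "state": "NV"},
]

# Constructed registration counts per precinct (assumed to come from the roll).
REGISTERED_VOTERS = {"P1": 3, "P2": 8}


def find_irregularities(submissions, registered, home_state="UT",
                        max_per_ip=3, max_out_of_state_ratio=0.2):
    """Return (reason, subject) flags for the audit triggers the post lists.

    Thresholds are constructed defaults; a real office would tune them to
    its own expected traffic (shared NAT addresses, overseas voters, etc.).
    """
    flags = []

    # 1. A voter id appearing more than once: someone has already voted.
    per_voter = Counter(s["voter_id"] for s in submissions)
    for voter, n in per_voter.items():
        if n > 1:
            flags.append(("duplicate_voter", voter))

    # 2. The same voter id submitting from several IP addresses.
    ips_by_voter = defaultdict(set)
    for s in submissions:
        ips_by_voter[s["voter_id"]].add(s["ip"])
    for voter, ips in ips_by_voter.items():
        if len(ips) > 1:
            flags.append(("voter_multiple_ips", voter))

    # 3. More ballots than registered voters in a precinct.
    per_precinct = Counter(s["precinct"] for s in submissions)
    for precinct, n in per_precinct.items():
        if n > registered.get(precinct, 0):
            flags.append(("ballots_exceed_registered", precinct))

    # 4. Too many ballots from a single IP address.
    per_ip = Counter(s["ip"] for s in submissions)
    for ip, n in per_ip.items():
        if n > max_per_ip:
            flags.append(("ip_threshold", ip))

    # 5. An excessive share of out-of-state submissions overall.
    if submissions:
        out_of_state = sum(1 for s in submissions if s["state"] != home_state)
        ratio = out_of_state / len(submissions)
        if ratio > max_out_of_state_ratio:
            flags.append(("out_of_state_ratio", round(ratio, 2)))

    return flags


def precincts_to_audit(submissions, flags):
    """Map flags back to the precincts whose voters would be asked to recast."""
    flagged_voters = {subj for reason, subj in flags
                      if reason in ("duplicate_voter", "voter_multiple_ips")}
    flagged_ips = {subj for reason, subj in flags if reason == "ip_threshold"}
    precincts = {subj for reason, subj in flags
                 if reason == "ballots_exceed_registered"}
    for s in submissions:
        if s["voter_id"] in flagged_voters or s["ip"] in flagged_ips:
            precincts.add(s["precinct"])
    return sorted(precincts)


if __name__ == "__main__":
    found = find_irregularities(SUBMISSIONS, REGISTERED_VOTERS)
    for reason, subject in found:
        print(f"{reason}: {subject}")
    print("audit precincts:", precincts_to_audit(SUBMISSIONS, found))
```

Run as written, the script flags v005 twice (duplicate id and two IPs), precinct P1 for exceeding its roll, the shared address 198.51.100.7, and a 40% out-of-state ratio, and it names P1 and P2 as the precincts whose ballots would be reissued. The per-precinct scoping is what keeps the remedy proportionate: only the handful of voters in a flagged precinct recast, not the whole county.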
I think we can mitigate or minimize the potential risks involved with online voting, but it will require a lot of caution, some changes in state code, and adjusting expectations. Our current system comes with plenty of its own security risks (including the limitations of physical IDs). As long as we’re doing a risk transfer and still providing plenty of deterrent against fraud, I see no reason why we can’t look at ways to move forward.