Going from bad to worse: from Internet voting to blockchain voting

Sunoo Park, Michael Specter, Neha Narula, Ronald L Rivest, Going from bad to worse: from Internet voting to blockchain voting, Journal of Cybersecurity, Volume 7, Issue 1, 2021, tyaa025, https://doi.org/10.1093/cybsec/tyaa025


Abstract

Voters are understandably concerned about election security. News reports of possible election interference by foreign powers, of unauthorized voting, of voter disenfranchisement, and of technological failures call into question the integrity of elections worldwide. This article examines the suggestions that “voting over the Internet” or “voting on the blockchain” would increase election security, and finds such claims to be wanting and misleading. While current election systems are far from perfect, Internet- and blockchain-based voting would greatly increase the risk of undetectable, nation-scale election failures. Online voting may seem appealing: voting from a computer or smartphone may seem convenient and accessible. However, studies have been inconclusive, showing that online voting may have little to no effect on turnout in practice, and it may even increase disenfranchisement. More importantly, given the current state of computer security, any turnout increase derived from Internet- or blockchain-based voting would come at the cost of losing meaningful assurance that votes have been counted as they were cast, and not undetectably altered or discarded. This state of affairs will continue as long as standard tactics such as malware, zero day, and denial-of-service attacks continue to be effective. This article analyzes and systematizes prior research on the security risks of online and electronic voting, and shows that not only do these risks persist in blockchain-based voting systems, but blockchains may introduce ‘additional’ problems for voting systems. Finally, we suggest questions for critically assessing security risks of new voting system proposals.

Introduction

Computers and the Internet have brought great benefits: improving efficiency, reliability, scalability, and convenience of many aspects of daily life. Some naturally ask, “why don’t we vote online?” Voting online seems tantalizingly convenient: just a few taps on a phone from anywhere, without breaking your daily routine, taking off from work, or waiting in line. However, voting online has a fatal flaw.

Online voting systems are vulnerable to serious failures: attacks that are larger scale, harder to detect, and easier to execute than analogous attacks against paper-ballot-based voting systems. Furthermore, online voting systems will suffer from such vulnerabilities for the foreseeable future given the state of computer security and the high stakes in political elections.

Convenience and efficiency are essential properties of election systems, as is security; these goals must be balanced and optimized together. An election system is ineffective if any one of these goals is compromised.

Exposing our election systems to such serious failures is too high a price to pay for the convenience of voting from our phones. What good is it to vote conveniently on your phone if you obtain little or no assurance that your vote will be counted correctly, or at all?

Those who favor increasing turnout, reducing fraud, or combating disenfranchisement should oppose online voting because the possibility for serious failure undermines these goals. Increased turnout only matters in a system that meaningfully assures that votes are counted as cast. The increased potential for large-scale, hard-to-detect attacks against online voting systems means increased potential for undetected fraud, coercion, and sophisticated vote tampering or vote suppression targeting specific voter groups.

What is more, online voting may not increase turnout. Studies on online voting’s impact on voter turnout have ranged from finding no impact on turnout (e.g., Switzerland [ 1]) to finding that online voting slightly decreases turnout (e.g., Belgium [ 2]) to finding that online voting slightly increases turnout but is nonetheless “unlikely to solve the low turnout crisis” (e.g., Canada [ 3]) [ 4]. Studies of Estonian elections have also suggested that turnout changes due to online voting may favor higher-income and higher-education demographics [ 5]. Recent US studies demonstrate significant demographic disparities in smartphone ownership (e.g., in gender, income, and education) [ 6].

Yet proposals for online voting have increased. These proposals are often misperceived as promoting the goals listed above: increasing turnout, reducing fraud, or combating disenfranchisement and coercion. Some online voting proposals have promised added security based on blockchain technology, and have continued development and deployment despite vocal opposition by computer security and blockchain experts [ 7, 8] and technology reporters [ 9, 10].

A prominent example is the blockchain-based mobile voting app “Voatz,” deployed in 2018 in West Virginia for overseas military voters in the US midterm elections [ 11, 12], and in several other US states for smaller-scale (municipal/county) elections [ 13, 14]. Recent research shows that Voatz suffers from serious security vulnerabilities enabling attackers to monitor votes being cast and to change or block ballots at large scale, unnoticed by voters and election officials [ 15].

A blockchain-based voting system was also used in Moscow, Russia, for its September 2019 city council elections [ 16]. Though some system code [ 17] was published and security researchers were invited to audit it [ 18, 19], the system was shown to be gravely vulnerable—not once, but twice (the second time after a proposed fix) [ 20]. Moscow responded constructively to the first reported vulnerability, but appears to have largely ignored the second. Japan and Switzerland have also conducted smaller blockchain voting experiments [ 21, 22].

The recent interest in online and blockchain voting proposals appears related to a growing political enthusiasm for improving and modernizing election systems, and for increasing their security from malicious interference (a topic of particular recent prominence in American politics). This is a promising trend, given that historically, many election authorities have been heavily constrained by limited funding for election equipment. We hope that this enthusiasm may lead to support and adoption of more secure, more transparent election equipment, addressing the many security flaws documented in existing voting systems, extensively so for US voting equipment [ 23–25].

However, the political expediency of adopting a “high-tech” solution also poses the risk that proposals may be too quickly pursued, before allocating sufficient time and funding for independent audits and feedback from security experts. New technologies should be approached with particular caution when a mistake could undermine the democratic process. After all, election systems have been designated as national critical infrastructure implicating a “vital national interest” [ 26].

The surprising power of paper

A natural but mistaken inclination is to entirely replace existing voting methods with the latest digital technologies. Some ask: “Why wait in polling place lines to cast votes on clunky old voting machines, when votes could be cast from voters’ computers and phones over the Internet—using the same security protocols protecting online shopping, banking, cryptocurrency transactions?”

But, perhaps counterintuitively, getting rid of not only outdated voting equipment but also paper ballots risks “throwing the baby out with the bathwater” and making elections much less secure.

Security considerations for online shopping and online banking differ from those for election systems in two key ways.

First, online shopping and banking systems have higher tolerance for failure—and they do fail. Credit card fraud happens, identity theft happens [ 27], and sensitive personal data are massively breached (e.g., the 2017 Equifax breach [ 28]). Online shopping and banking are designed to tolerate failure: merchants, banks, and insurers absorb the risk because doing so is in their economic interest.

Governments may also provide legal recourse for victims (as for the Equifax settlement [ 29]). But for elections, there can be no insurance or recourse against a failure of democracy: there is no means to “make voters whole again” after a compromised election.

Users of Bitcoin and other cryptocurrencies have lost hundreds of millions of dollars [ 30] due to theft, fraud, or mistake. Cryptocurrencies have fewer risk-absorption mechanisms than traditional banking; losses often fall directly on the victims, with no third party to provide relief.

The second key way in which the threat profile of online banking, shopping, and cryptocurrencies differs from that of elections is the skill level and aims of the adversary. Elections are high-value targets for sophisticated (nation-state) attackers, whose objective is not fraudulent financial transactions but changing or undermining confidence in election outcomes. A technically unsophisticated voter may be attacked by the world’s most sophisticated adversaries.

From a computer security perspective, securing an online voting system is a starkly different, and much harder, problem than securing an online shopping or banking system.

Surprisingly, low-tech paper ballots may help protect against malfunctions or attacks of higher-tech voting system components (as discussed more under “Vulnerabilities of electronic voting systems” below).

Minimal election security requirements

Evidence-based elections

“The principle of ‘evidence-based elections’ is that… election officials should not only find the true winner(s) of an election, but… also provide the electorate convincing evidence that they did” [ 31, 32]. This compelling requirement implies both that the election system must be auditable (meaning it creates an evidence trail that can be checked to confirm that each relevant part of the system is functioning correctly as intended) and that any given election run using that system must be audited (meaning that the evidence trail is actually checked in that instance). Auditability alone isn’t enough, and must be accompanied by auditing to be effective: auditability without auditing is like collecting receipts so you can check your credit card bill, then never checking the receipts against the bill. In short (paraphrasing [ 32]), auditability + auditing ⇒ evidence-based election.

Next, we highlight five minimal—necessary but insufficient—requirements for secure elections in an evidence-based framework: (i) ballot secrecy; (ii) software independence; (iii) voter-verifiable ballots; (iv) contestability; and (v) auditing.

The secret ballot

Ballot secrecy is essential to combat voter corruption and coercion. As the US Supreme Court has put it, “a widespread and time-tested consensus demonstrates that [ballot secrecy] is necessary in order to serve… compelling interests in preventing voter intimidation and election fraud” [ 33]. Protecting ballot secrecy provides a strong and simple protection against coercion and vote selling: if you cannot be sure how anyone else voted, this removes your incentive to pay them or threaten them to vote the way you’d like. Indeed, election law scholars have noted that “[b]ribery of voters was far and away the greatest impediment to the integrity of elections before the introduction of the secret ballot, a fact well known not only to historians but to readers of great 19th century fiction” [ 34].

Software independence

Software independence [ 35, 36] is the property that an undetected change or error in a system’s software cannot cause an undetectable change in the election outcome. Software independence is a key property to ensure auditability of the casting, collecting, and tallying components of election systems. And even beyond ensuring that any errors that occur are detectable, software independence also reduces the likelihood of large-scale errors or attacks occurring in the first place: software-based systems are much more susceptible to “scalable” failure than non-software-based systems (as discussed more under “Vulnerabilities of electronic voting systems” below). For example, a remote programmer changing a line of code could in principle change millions of electronic ballots in milliseconds, whereas changing millions of paper ballots requires physical access and one-by-one handling.

Software independence does not require systems to not use software at all: rather, it means that the work of any software-based piece of the system (including auditing components) be checkable, in principle, using non-software-based means. For example, a system for ballot casting, collection, and tallying would need to produce an evidence trail with an associated verification procedure to check that the system (i) recorded votes as intended, (ii) collected them as recorded, and (iii) counted them as collected, in any given execution. The basic definition of software independence leaves open by whom errors should be detectable: the appropriate answer to this question depends on the context, but using the tripartite framework just mentioned, individual voters should be able to detect errors in (i) and (ii), and anyone should be able to detect errors in (iii). Who can verify (i) and (ii) is constrained by the ballot secrecy requirement from above.

Without software independence, an undetected error in a piece of code could cause an undetected or unconfirmable error in the election outcome—and, as discussed under “Vulnerabilities of electronic voting systems” below, our state of the art is far from achieving error-free code. Democracy—and the consent of the governed—cannot be contingent on whether some uncheckable software correctly recorded voters’ choices.

Voter-verifiable ballots

Even before ballot casting, a voter composing a ballot must be able to verify for themselves that the prepared ballot reflects their intended choices. Paper ballots inherently enable simple verification that ballots are recorded as intended: a property that is challenging for electronic-ballot systems to achieve. “With a hand-marked paper ballot, the marks on the ballot necessarily reflect what the voter did, and we can have reasonable assurance that the human-readable mark on the ballot is for the candidate actually intended by the voter” [ 31]. A voter looking at their completed paper ballot can directly see whether their intended choices are marked (and, in principle, detect any mistakes they made).

Contestability

Software independence alone leaves another question unresolved: when an error is detected, can the one who detected it convince others that an error indeed occurred? Some types of errors may be publicly detectable, rendering the second question moot (since then anyone can run the verification procedure for themselves). However, certain verification procedures may be nonpublic: e.g., certain errors related to a given voter’s vote might be detectable only by that specific voter. A contestable voting system is one that provides publicly verifiable evidence that the election outcome is untrustworthy, whenever an error is detected [ 37].

Auditing

As already mentioned, in addition to being auditable (which, for casting-and-tallying systems, corresponds to software independence and contestability), elections should be audited. Auditing checks that the evidence is trustworthy and, for casting-and-tallying systems, consistent with the announced election outcome. Both auditability and auditing are necessary for evidence-based elections. Such auditing should include compliance audits and risk-limiting audits [ 32]. Furthermore, “[t]he detection of any software misbehavior does not need to be perfect; it only needs to happen with sufficiently high probability” [ 35].

Election equipment may fail. The system must be designed not only to prevent failures, but also to ensure timely detection of failures when they occur: the public has a right to know about failures in the election process.
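The two requirements above, software independence (the tally software's work must be checkable by non-software means) and auditing that detects misbehavior "with sufficiently high probability" rather than with certainty, are easiest to see in running code. The following is a worked example added here; it is not code from the paper or from any voting system the paper discusses. It models a tabulation software's reported tally, a paper evidence trail that can be hand-counted, and a ballot-polling risk-limiting audit using the standard BRAVO procedure (Lindeman, Stark and Yates). The candidate names, ballot counts, risk limit and the "moved votes" tampering model are all constructed for illustration.

```python
"""
Added example, not code from the paper: a 'software' tally checked against
the paper evidence trail, first by a ballot-polling risk-limiting audit
(BRAVO) and, if the audit cannot confirm the reported outcome, by a full
hand count. All ballots, tallies and tampering here are constructed.
"""
import random
from collections import Counter

CANDIDATES = ("Alice", "Bob")   # constructed two-candidate contest


def make_ballots(n_alice, n_bob, seed=1):
    """Constructed paper trail: one string per hand-marked ballot."""
    rng = random.Random(seed)
    ballots = ["Alice"] * n_alice + ["Bob"] * n_bob
    rng.shuffle(ballots)
    return ballots


def hand_count(ballots):
    """Non-software check of the evidence trail (what auditors do by hand)."""
    return dict(Counter(ballots))


def software_tally(ballots, moved=0):
    """The tabulation software's report. `moved` models a buggy or malicious
    build that silently moves that many Alice votes to Bob before reporting;
    nothing in the report itself reveals that this happened."""
    counts = Counter(ballots)
    counts["Alice"] -= moved
    counts["Bob"] += moved
    return dict(counts)


def reported_winner(tally):
    return max(tally, key=tally.get)


def bravo_audit(ballots, tally, alpha=0.05, max_draws=3000, seed=2):
    """Ballot-polling RLA (BRAVO) for a two-candidate plurality contest.

    Paper ballots are drawn at random with replacement and read by hand.
    t_stat is a likelihood ratio of 'the reported winner share s_w is right'
    against 'the contest is actually a tie'. Reaching 1/alpha confirms the
    reported outcome at risk limit alpha: if the reported winner in fact
    lost, the chance of ever reaching the threshold is at most alpha. If the
    draws run out first, the audit escalates to a full hand count.
    """
    winner = reported_winner(tally)
    loser = [c for c in CANDIDATES if c != winner][0]
    s_w = tally[winner] / (tally[winner] + tally[loser])
    if s_w <= 0.5:
        raise ValueError("BRAVO needs a reported majority winner")
    rng = random.Random(seed)
    t_stat = 1.0
    for draw in range(1, max_draws + 1):
        ballot = rng.choice(ballots)          # hand-interpreted paper ballot
        if ballot == winner:
            t_stat *= s_w / 0.5
        elif ballot == loser:
            t_stat *= (1.0 - s_w) / 0.5
        if t_stat >= 1.0 / alpha:
            return {"result": "confirmed", "draws": draw, "winner": winner}
    return {"result": "full_hand_count", "draws": max_draws, "winner": None}


def certify(ballots, tally, **audit_kwargs):
    """Evidence-based certification: trust the software's outcome only as far
    as the paper trail supports it. When the audit escalates, the outcome is
    taken from the hand count, and the reported counts are compared to it."""
    audit = bravo_audit(ballots, tally, **audit_kwargs)
    if audit["result"] == "confirmed":
        return {"winner": audit["winner"], "by": "rla", "draws": audit["draws"]}
    counted = hand_count(ballots)
    return {"winner": reported_winner(counted), "by": "hand_count",
            "draws": audit["draws"], "tally_matched": counted == tally}


if __name__ == "__main__":
    paper = make_ballots(6000, 4000)            # true result: Alice 60 / Bob 40
    print("honest:         ", certify(paper, software_tally(paper)))
    print("outcome flipped:", certify(paper, software_tally(paper, moved=1500)))
    print("margin shaved:  ", certify(paper, software_tally(paper, moved=500)))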

We refer the interested reader to Appel and Stark [ 31] for a more in-depth discussion of security requirements in evidence-based elections. This article’s analysis focuses on the limitations of online and blockchain-based voting which means that they will not foreseeably be able to satisfy even these minimal requirements. Indeed, the interaction of these requirements is remarkably complex; it is surprisingly challenging to design systems that achieve even the minimal requirements all at once, and no currently known technology—including blockchain—is close to enabling mobile or Internet voting systems to simultaneously achieve of all these requirements.

Categories of voting systems

This article suggests four main categories of voting systems, determined by two key system attributes (also depicted in Table 1):

Four categories of voting systems