People’s phones, tablets and computers are vulnerable to hackers. Securing the internet could take a decade or more. But some states are plowing ahead anyway.
Some West Virginians voting in Tuesday’s primary will be allowed to tap on their phones or laptops instead of heading to the polls. Some in Delaware will get to do the same next month. And the trend may spread into November, as the coronavirus pandemic inspires a search for voting methods that don’t expose people to the deadly disease.
But moving elections to the internet poses huge risks that the United States is unprepared to handle — endangering voters’ privacy, the secrecy of the ballot and even the trustworthiness of the results.
The problems: The internet is riddled with security flaws that hackers can exploit. So are voters’ computers, smartphones and tablets. And the U.S. has never developed a centralized digital identity system like the one in Estonia, a tiny, digitally savvy nation that has held its elections online since 2005.
“Securing the return of voted ballots via the internet while ensuring ballot integrity and maintaining voter privacy is difficult, if not impossible, at this time,” four federal agencies, including the Department of Homeland Security’s cybersecurity arm and the FBI, warned in a bulletin last month. They called it far riskier than mail-in voting, the technology that has drawn the bulk of the political debate during the pandemic.
On Sunday, researchers at the Massachusetts Institute of Technology and the University of Michigan revealed numerous security flaws in the product that West Virginia and Delaware are using, saying it “represents a severe risk to election security and could allow attackers to alter election results without detection.”
In fact, it may be a decade or more before the U.S. can safely entrust the internet with the selection of its lawmakers and presidents, according to some experts. Still, a handful of states are pushing ahead, with the encouragement of one politically connected tech entrepreneur — and the tempting logic of the question, “If we can bank online, why can’t we vote the same way?”
These are the problems with that logic:
1) Elections are different
Lots of people bank, shop and socialize online — putting their money and personal details at potential risk of theft or other exploitation.
But elections are unique for two reasons: They are anonymous and irreversible.
Aside from party caucuses and conventions, virtually all U.S. elections use secret ballots and polling places designed for privacy. That protects people from being blackmailed or bribed to vote a certain way — but it also means that, barring an advance in the technology, voters have no way to verify that their ballots were correctly counted or challenge the results.
That’s far different from a consumer’s ability to contest a fraudulent credit card purchase, which depends on their financial institution linking their activity to their identity.
“All the same mechanisms that you might use to detect that something went wrong are all the mechanisms that we’re not allowed to give you because of the requirement for anonymity,” said Dan Wallach, a computer science professor at Rice University who is an authority on election security.
And unlike a banking transaction that goes awry, political and legal factors make elections nearly impossible to reverse. Undoing the will of voters threatens the stability of representative government. Courts and state election boards have voided results and ordered do-overs only in extraordinary circumstances, such as the evidence of fraud that marred a North Carolina congressional race in 2018.
Instead, a recount is the usual remedy to resolve irregularities in an election. That’s why security experts insist that all elections have a hack-proof record of every voter’s choices — with the gold standard being a paper ballot filled out by hand.
Transmitting votes over the internet makes a meaningful recount impossible. “The best you can do is say, ‘Add the numbers we have again and get the same total again,’” Wallach said.
How the Internet Works
• Data doesn’t move across the internet in a simple, predictable path. Instead, it bounces from server to server, often traveling through multiple countries in a route that the internet chooses automatically.
• Some of those servers are in countries hostile to the U.S.
• Each server along the route offers a chance for hackers to tamper with an electronic ballot.
• Encrypting ballots is one way to protect them from meddling and detect unauthorized changes. But security experts say nobody has developed encryption robust enough to handle the challenges of internet voting.
2) The internet is a dangerous place.
Data doesn’t traverse the internet in a straight line, like a person driving to a supermarket. It’s more like a package delivery, with a parcel shuttling among warehouses, depots, planes and delivery vans before arriving on your porch. Humans don’t control this process; the internet automatically picks the most efficient route.
And because security was not a top consideration for the internet’s original architects in the 1970s, much of that journey is prone to snooping and mischief.
An email that someone in Washington, D.C., sends to someone across town might zip through servers in Dallas or Mumbai, or even through hostile countries such as Russia, with each stop offering an opportunity for a hacker to tamper with it.
Even if it were possible to require electronic ballots to travel through servers only in the U.S., no method exists to ensure security at every server along the way. It would be like trusting FedEx to deliver a package that had to pass through warehouses with unlocked doors, open windows and no security cameras.
The most effective way to protect data along these digital paths is “end-to-end” encryption, which scrambles the content so that it appears unintelligible to anyone except the sender or recipient. Voting security experts consider that a promising tool for protecting ballots as well, and Microsoft has even created free software that would allow voters to check that their encrypted ballots were counted correctly.
But the software, which is new and still being tested, works only on voting machines that people use in person. Researchers have not figured out how to use end-to-end encryption in internet voting.
3) People’s devices may already be compromised
It’s hard enough to protect a ballot as it transits the internet, but what really keeps experts up at night is the thought of average Americans using their computers or phones to cast that ballot in the first place.
Internet-connected devices are riddled with malware, nefarious code that can silently manipulate its host machine for myriad purposes. “The average Windows machine that we see deployed in the world today undoubtedly has some form of malware on it,” said Joe Kiniry, chief scientist of the election tech firm Free & Fair.
Modern antivirus software is generally effective at blocking known strains of malware, but it sometimes misses the new or emerging varieties that often originate with national intelligence services. In addition, many people don’t even have effective security software — in some cases because their computers are too old. Given that the wealthy are more likely than low-income people to have modern technology with top-notch security protections, ballot-tampering malware creates yet another socioeconomic divide.
One security concern involves “botnets,” armies of malicious computers that hackers create by infecting hordes of poorly secured machines and commanding them to spread spam, malware and other digital threats. If internet voting became widespread, hackers could make fortunes by renting out their botnets to people who wanted to plant vote-tampering malware.
Some botnets contain millions of zombie computers. “Is that enough to tamper with an election outcome?” asked Wallach of Rice University. “If it’s a tight election, yes.”
Importantly, election officials cannot peer into their voters’ devices and definitively sweep them for malware. And without a secure device, end-to-end encryption is useless, because malware could just subvert the encryption process.
What Attackers Can Do
Hackers have multiple options for interfering with an online election:
• Planting malware on the voter’s phone, tablet or computer to alter the ballot after it’s been filled it out.
• Injecting malicious code into the election websites that receive the ballots, altering multiple ballots at once.
• Tampering with the internet’s routing system so that it routes the ballots through a hostile server, which alters the ballots before sending them to the election office.
• Besieging the election site with garbage traffic, slowing or blocking it so ballots don’t get through.
• Corrupting a trusted employee at an election office or its technology vendor, who can tamper with the system from the inside.
4) Hackers have lots of potential targets
What could an attacker do? “There are literally hundreds of different threats,” Kiniry said.
Among the options:
- Attacking the ballot
One way to provide a digital ballot is to let voters download a PDF file with a list of candidates, which they then fill out, reupload and submit. These fillable PDFs may look like paper ballots, but they contain code similar to what runs on websites. “It’s a computer program that happens to appear to you as if it’s a piece of paper or a fillable form,” Wallach said.
By planting malware on a voter’s computer or phone, a hacker could tamper with the PDF’s code and force it to edit the votes after the voter closes it. Or malware in a web browser could stealthily edit the ballot after a voter clicks “submit.” Either way, the vote that gets tallied would not match what the voter intended — and the voter would have no way of knowing.
- Attacking the election website
For speed and stability reasons, modern websites load much of their content, including images and other code, from external sources, rather than hosting all those files on their own servers. By hacking one of these external code providers, bad actors could inject malicious code into an internet voting site and edit multiple ballots at once, without needing to directly infect a voter’s device.
- Tampering with ballotS IN TRANSIT
The internet’s design makes it possible to “hijack” the system that directs internet traffic and force data intended for a particular destination to travel a different route. By exploiting this vulnerability, hackers “could set up a server that looks like and pretends to be the official server, but it’s actually running in some foreign country,” Wallach said. “Then they can receive the votes, tamper with them, and then retransmit them back to the proper server.”
Wallach said there were “probably five or six different well-known techniques” to carry out this kind of “man-in-the-middle” attack.
- Bogging down the election with bad data
One of the easiest ways to attack an internet voting system would be to blast it with an avalanche of garbage traffic in an attempt to slow it down and deny it the ability to serve voters. This is known as a denial-of-service attack, and hackers often rent botnets to carry out especially large ones.
Such an attack would “have enormously greater harm than we’ve ever seen with a traditional election,” said Kiniry, because “you won’t fundamentally know who had trouble voting, whose votes didn’t get through, and more.”
Kiniry described it as “the kind of thing that a talented 16-year-old can do with a credit card.”
- The insider threat
Perhaps the most insidious type of attack involves an employee of an internet voting vendor tampering with an election from the inside, abusing powers they are supposed to use to keep the system running properly. “Most of these systems deployed today in America are essentially built as if you completely trust the vendor that’s providing the service to you,” Kiniry said.
Substantially more sophisticated attacks would be within the capabilities of foreign adversaries such as Russia, which can afford to deploy teams of highly skilled hackers to spend weeks or months studying a system for weaknesses.
Security experts agree that if nation-state hackers focus their time and energy on trying to breach a system, they will eventually find ways to do so. As internet voting becomes more widespread, the motivation to attack it will only grow.
5) Audits have faulted the major internet voting vendors’ security
Virtually every audit of an internet voting system has revealed serious, widespread security vulnerabilities, although the ease with which a hacker could exploit them varies.
MIT and the security firm Trail of Bits recently released damning reports about Voatz, the company that ran West Virginia’s first-in-the-nation mobile-voting pilot in 2018. They discovered flaws that could let hackers alter people’s votes and reveal their identities.
The recent report from MIT and the University of Michigan reached similar conclusions about Democracy Live’s OmniBallot system, the one used in Delaware, West Virginia and last month's municipal elections in New Jersey. It cataloged vulnerabilities including a lack of end-to-end encryption, a web app vulnerable to malware injection and “insufficient” protections on the product’s servers. “There is no way for voters to confirm that their votes have been transmitted without modification,” the authors warned, “and attackers could change votes in ways that would be difficult for voters, officials, or Democracy Live to detect.”
In early 2019, after the Swiss government partnered with the Spanish internet voting giant Scytl, researchers reported critical flaws that forced Switzerland to abandon the rollout. (Scytl filed for bankruptcy in May.)
Over the years, experts have also discovered major vulnerabilities in internet voting systems in Washington, D.C.; Toronto; New South Wales, Australia; and even the digital darling of Estonia. Multiple task forces have confirmed the infeasibility of internet voting.
“We have no example of an internet voting system that has gone through independent review and come out with flying colors,” Wallach said. He attributed the failures to the immaturity of the marketplace, saying larger, more experienced companies subject to years of outside scrutiny don’t make such “rookie mistakes.” (Wallach is on a year-long sabbatical from Rice University to work with the voting technology startup VotingWorks, which is developing some products that compete with Democracy Live’s offerings. But his comments reflect the critiques voiced publicly and privately by the overwhelming majority of election security experts.)
The National Academies of Sciences, Engineering, and Medicine strongly warned against internet voting in a 2018 report on election security, writing that “no known technology guarantees the secrecy, security, and verifiability of a marked ballot transmitted over the Internet.”
Three flavors of internet voting
| Technology | How it works | Danger | Risk level |
|---|---|---|---|
| Electronic delivery | The voter receives a digital copy of a blank ballot, by either email or download. | A hacker could tamper with the ballot before it reaches the voter, for example by removing a candidate. | Low |
| Electronic ballot marking | The voter can fill out the ballot using a phone, computer or tablet, but must still mail it in or cast it in person. | Someone could tamper with the electronic selections in a way the voter doesn’t notice before casting the ballot. | Moderate |
| Electronic ballot return | The voter returns the completed ballot online. West Virginia, Delaware and New Jersey adopted this for some voters in this year’s elections, including people with disabilities. | Multiple, including the risk of an attacker changing votes en masse. | High |
6) Internet voting advocates disagree
Election officials who embrace internet voting deny the risks are as serious as the experts say.
“You keep hearing from the same people over and over again, and they seem to have made their names in the business by being those naysayers,” West Virginia Secretary of State Mac Warner said.
Warner suggested it would “take a nation-state effort” to figure out how to tamper with each of the state’s various ballot formats and break into voters’ devices. He also encouraged experts to “be a part of the solution” by building better internet voting systems rather than criticizing current ones. (Many experts have spent years trying to do that. Their discoveries along the way have informed their criticism.)
But Warner also said it might be necessary to eliminate ballot secrecy for internet voting, in order to ensure that votes are safely transmitted. And he stressed he was not advocating for universal internet voting, because that would create too much of a security risk.
Warner, an Army veteran two of whose children served in Afghanistan, said he supported internet voting for service members and other “specialty groups that are disenfranchised with the current system.”
The vendors, meanwhile, usually argue that hackers could never actually exploit vulnerabilities in their products. They also maintain that such a breach has never occurred in a live election, although security experts call that statement impossible to verify.
Vendors also often attack the researchers themselves, accusing them of sensationalizing their discoveries to generate media attention and undermine confidence in elections.
Democracy Live argues that its product does not constitute online voting at all because election officials print out the ballots after they arrive over the internet. The company also contends that its system is safe because it is hosted on Amazon’s well-regarded cloud platform, which has been approved for use by federal agencies.
Security experts dismiss these arguments, noting that a ballot can be manipulated before it arrives for printing, and Amazon’s security can’t prevent that.
“They are lying,” Wallach said. “None of these things are true, and those claims are dangerous, because it’s hard for nonexperts to look at those claims and see them as the lies that they are.”
Despite repeated requests, Democracy Live declined to make CEO Bryan Finney available for an interview.
New Jersey, meanwhile, has opted not to use Democracy Live's system for July's presidential primary after just one voter used it in the state's municipal elections last month. The voting experiment had cost the state $89,000.
7) What it would take to make internet voting secure
Secure internet voting depends on two major advances: technology that allows voters’ computers and phones to demonstrate that they are malware-free, and end-to-end encryption to protect ballots in transit.
The latest versions of Android and iOS, the two dominant operating systems for phones and tablets, contain features that let devices certify their digital health to third parties, a process known as “attestation.” But the vast majority of Android phones run older versions of Google’s operating system. Plus, Wallach said, Google and Apple didn’t design their attestation features to support a mission-critical process like voting.
In addition, it is vastly more difficult to implement attestation features on computers, which differ from phones in terms of how their components interact. “I need to know that your network card is not running malware in its internal firmware,” Wallach said. “Nobody anywhere has a PC on their desk that can do that.”
Solving these problems would require expensive, long-term collaboration between virtually every big-name hardware- and software-maker, Kiniry said.
“If you were to make the top 20 people in the world literally drop everything and work together and work with those firms for a couple of years, you could actually build something that most of us would trust,” he said. “But that’s not an investment anyone is even marginally interested in making.”
Wallach agreed. “Will we be in a different world 10 years from now? Almost certainly. But 10 years is a long time. We’re nowhere near ready for this today.”
Source: politico.com
