Why Online Voting is So Hard
Nearly every expert on the subject agrees we don’t have the technology to satisfy the requirements of a democratic election with online voting. Experts who don’t agree are generally in the business of selling online voting systems. But why is it a bad idea? “Because the experts say so” isn’t a very satisfying answer, so I spent a lot of time trying to understand what the experts know. Why can’t we vote online? By the end of this article, you’ll be able to answer that question.
Is This Article Going to Suck to Read?
Probably, it’s pretty long! Instead of just talking about online voting, I do this big review of the challenges in-person voting and vote-by-mail both address. We’ll review online voting after getting used to considering secrecy, accuracy, and security.
tl;dr: Making a voting system is hard, and today’s tech (including blockchain) doesn’t address the hard parts: providing a secret ballot voters can verify and ensuring only eligible voters get a ballot.
A Non-Exhaustive List of Election Requirements
We have some basic expectations for a fair election, and fundamentally need to accurately determine the winner and adequately convince the loser. This article isn’t about fairness in media, gerrymandering, benefits and drawbacks of the electoral college, etc. These topics, albeit interesting, are out of this article’s scope. Instead, I want to focus on secrecy, accuracy, and security.
Secrecy refers to a “secret ballot,” where each voter’s choices are strictly private and it’s impossible to prove they voted one way or another. If you’re in the business of voter coercion (paying/forcing people to vote a certain way), voting with a secret ballot makes big problems since you can’t confirm anyone did what you asked.
Accuracy means each voter’s ballot was counted accurately: exactly once and as its owner intended. When people joke about the voters not being as important as the people counting the votes, this is what we’re talking about: we need an accurate and honest account of what the ballots show.
Security ensures only eligible voters can cast a ballot, and they can only cast one. We don’t have to worry about voters coming in from other districts, voters submitting multiple ballots, voters impersonating other people, etc.
In-Person Voting
Overview
Since each state is responsible for administering elections, policy specifics vary depending on where a voter lives. The National Conference of State Legislatures website is the best starting point for a comprehensive review of all those specifics, but I’ll do my best at giving a rough idea of the general process.
Each municipality (town or city) maintains a list of its registered voters called an electoral roll. When election day comes, voters go to their local polling station, identify themselves with poll workers who verify they are on the electoral roll and haven’t already voted in this election.
Poll workers provide each voter with a ballot, and show them to a voting booth where they can privately mark their ballot. After marking their ballot, the voter deposits it into a container with the other ballots, which poll workers will tabulate at the end of voting hours. After all the votes are tabulated, officials announce the results.
Secrecy
From what I’ve personally seen, voting booths typically use cheap materials/whatever's available (plastic curtains and plywood barriers are totally normal) to give voters some privacy when they’re marking their choices, and they don't get to keep anything to show how they voted. If they want to tell someone how they voted, that’s entirely up to them, but there’s no way to prove they’re being honest.
You can probably imagine some ways secrecy could be compromised like by installing hidden cameras or getting a volunteer to covertly spy on voters, but none of these tactics scale. I haven’t heard of anyone raising concerns (legitimate or cuckoo) about ballot secrecy for in-person voting in the US.
Accuracy
Accuracy starts with the ballot being marked in a way that shows the voter's intent. Some districts give voters paper ballots and pens, some use voting machines with touchscreens to help voters physically mark paper ballots, and some use similar machines which store votes in electronic memory along with (or sometimes instead of) marking a paper ballot. These are called ballot-marking devices (“BMD’s”) and direct-recording electronics (“DRE’s”), and they help give disabled voters a secret ballot by enabling them to vote without an assistant by their side.
If voters use a BMD or DRE, they need to be able to verify the machine didn’t record “A” when they meant to vote “B.” This is one reason a simple paper ballot is a best practice, and why design matters. Voters need to be able to easily read their ballot the way an election official would, and confirm their intent was recorded accurately.
Once the ballot’s been marked correctly, the next step is to store it safely. Ballots should be handled with a “chain of custody,” which refers to carefully documenting the handling of ballots. A good practice for developing a chain of custody starts by assuming a court will ask election officials to demonstrate the ballots were constantly in possession of an election official and there was absolutely no time when anyone could have altered any ballot. This leads to using surveillance video, tamper-resistant locks/seals, and other methods to ensure integrity.
Finally, we need to make sure each ballot is read correctly. Optical-scan voting systems where voters indicate choices by filling in “bubbles” are the most common way of recording ballot choices in the US, and they’re easy for people and machines to understand. Since machines can make mistakes, researchers have developed statistics-based techniques for catching tabulation errors by verifying a statistically meaningful number of ballots were counted accurately. These techniques are called “risk-limiting audits” ("RLA's") and help increase confidence in the accuracy of a contest’s outcome without having to double-check all the ballots.
Security
“Securing the ballot” is an issue where state policies vary a lot. Everyone wants to be sure the people showing up to vote are the eligible voters they claim to be, but overly stringent ID requirements can keep them from voting. On the other end of the spectrum, being too relaxed invites fraud and erodes public confidence in the legitimacy of election results.
So how can we guarantee every eligible voter can get a ballot, while also ensuring all the ineligible voters cannot? Beats me. Different states have taken different approaches, and each has its own merits and failings. If you’d like to take a closer look, the National Conference of State Legislatures has a state-by-state overview of voter ID laws. In my estimation, none of these states have a problem so severe that it throws national contests into question, but there are documented cases where these laws have had a big impact on local elections. It’s a toughie.
I’ll leave it to you to decide what exactly the problem is here: too many disenfranchised voters or too much opportunity for fraud. Your answer will probably be different depending on the state you’re looking at, and it’s no surprise every state came up with a different way to fix it.
Vote-by-Mail
Overview
Every state has some way of letting people vote even if they can’t make it to the polling center. Specifics and names vary from state to state; “absentee ballots” and “at-home voting” and about a dozen others all have slightly different meanings, but I’ll call them all “vote-by-mail” even though voters don’t necessarily have to literally use the US mail system to vote.
The general idea is that participating voters get a vote-by-mail “kit” from their election officials, which contains an identification form, a mailing envelope, a “secrecy envelope,” and a ballot like the one they’d get at a polling center. After getting their kit, the voter completes the ID form, marks their ballot, puts it in that secrecy envelope to keep their choices private, and places everything into a separate mailing envelope. They can either drop it off at a special ballot drop-off box or put a stamp on it and send it through the mail. Either way, when the election office gets the ballot, they verify identification details and if it passes, they put the secrecy envelope in with the others to be opened up and counted whenever the state’s policy dictates.
Secrecy
The secret ballot requirement gets a little tricky when it comes to vote-by-mail. Overly controlling domestic partners and overbearing housemates can bribe or bully voters into voting a certain way. Some voters who might have had access to assistive equipment at a polling center may not feel comfortable revealing their choices with the person they’d have to ask for help. Good luck to them!
In terms of “no peeking,” that’s up to each person handling the ballot. Each voter gets to figure out how best to keep people from holding their envelope up to a bright light to try and see the marked ballot inside. While peeking at someone else’s ballot isn’t very nice, tampering is a much more troubling concern.
Accuracy
Accuracy in a vote-by-mail system is similar to in-person voting, with two big differences: there’s necessarily a paper ballot (yippee!), and that ballot has to travel a lot more to get to the ballot box (booo).
While describing in-person voting, I described why having a paper ballot is a best practice, and vote-by-mail obviously demands it. But I also mentioned a chain of custody, and that’s where the whole “distance to the ballot box” thing adds risk. There’s no chain of custody for the ballot a voter drops off at their workplace’s “Outgoing Mail” outbox or whatever.
That missing chain of custody is the focus of stories of lost ballots and “ballot collection” fraud stories (or “ballot harvesting” if you want to sound spooky), where volunteers offer to deliver ballots on behalf of people who can’t easily do it themselves. One bogeyman is “granny farming,” where volunteers go to a nursing home, collect the ballots from everyone’s grandparents, then drive away in a conversion van while opening the ballots, throwing the ones they don't like out the window by the fistful, laughing like Ray Liotta in Goodfellas.
Fortunately, there aren’t many recorded cases of this actually happening -- a popular quote thrown around is that vote-by-mail fraud accounts for “0.00006% of total votes cast,” which is a very precise way of admitting it happens. It’ll happen again, and there’ve probably been cases where it’s happened without detection. The same can be said for in-person voting, but unlike in-person voting, a person who’s not an insider can interfere with lots of votes without having to show up at the polling station.
Again, voters have to find their best option to make sure their ballot arrives safely, and states owe those voters good options. Regarding “granny farming” and other ballot collection fraud schemes, I’m personally hesitant to give anything private to some guy driving around my neighborhood in a van, but I guess that’s what everyone does when they let their local letter carrier handle their mail.
Security
Most articles explaining “Why Mail-In Voting is Completely [Secure/Insecure]” cherry-pick policies from different states to make their point, drawing a caricature of a unified system that doesn’t actually exist. Go back to the NCSL's website and review your own favorite state’s policies and ask yourself how secure it is. While someone with access to another voter’s mail could theoretically vote on their behalf, it’s simply not scalable without infiltrating other systems.
Municipal officials carry a responsibility to preserve election security by maintaining an accurate electoral roll. Next time you hear a story of people getting ballots for dead relatives or former tenants or whatever, take a minute to go to the NCSL and look up what you’d have to do to get that ballot to count. You’ll learn a lot.
You might notice a recurring theme with in-person voting and vote-by-mail: every state and every ballot presents its own unique challenges, requiring adversaries planning an attack to be literally many places at once. This is not the case with online voting.
Online Voting
Overview
Just like how state legislatures have different policies, online voting specifics vary from one proposal to the next, which are mostly written for cryptography researchers and math majors. To illustrate, here’s an out-of-context highlight from How to Vote Privately Using Bitcoin:
Step 4. For all j ∈ [n] \ {i}, send to Pj the opening key kij . For j ∈ [n]{i}, wait for the opening key kji from Pj , and check that rji = Open(cji, kji) 6= ⊥.
Granted, blockchain can help with accuracy by providing a decentralized immutable verifiable record of each vote, publicly stored so anyone interested can review it. Unfortunately, the other two problems are hard ones. We still need to protect the secret ballot and keep all ballots anonymous and ensure only eligible voters cast ballots.
A pair of researchers who took the time to study the published research concluded “electronic voting through secure and reliable internet will require significant security advances. […] This study showed that blockchain systems brought issues that needed more attention and there are still many technical problems.”
But I started this article claiming we’d look at specifics, so instead of considering voting proposals that are actively being written and peer-reviewed, let’s review two real-world implementations. The first comes from “Voatz,” a Boston-based startup already providing online voting in some US elections. The second is Estonia’s “i-Voting” program that’s been in use for years.
Overview of Voatz
A voter living in a district that supports Voatz can register to vote online, download the app, set up an account, and confirm their identity by sending pictures of a photo ID and a video selfie. Once approved by Voatz’s servers using algorithmic testing or human verification or both, they use their smartphone’s biometric security features to authenticate with the app.
After verifying credentials, Voatz destroys the photo ID and video selfie, and voters can make their choices on a mobile ballot. Once submitted, they get a receipt of their choices and the election office prints out the ballot remotely, handling more-or-less like a mailed ballot. After the election, voters can go to their election office and confirm their ballot was marked correctly.
Overview of i-Voting
During a special pre-voting period, voters download the i-Voting app on their desktop computer, sign in using their national ID card and card reader or mobile ID (physical SIM card identity system), and get their electronic ballot. After marking their choices, those choices are securely sent to the national electoral commission, where they are stored digitally and tabulated. Estonia’s government has a pretty neat video that walks through this process.
Secrecy
When voters can vote with their smartphones, their ballot is always in their pocket, and bribing or bullying can happen anywhere. Remember, “adversaries” aren’t necessarily James Bond villains; they can be domestic partners, family members, employers, etc. Designing a system to address this concern requires some careful consideration.
With Voatz, their FAQ asserts there is no practical technology to prevent coercion and vote buying if voters can demonstrate they voted. Since Voatz does allow voters to demonstrate how they voted, candidates could pay voters for receipts showing a certain vote. Voatz instead recommends deterring coercion with legislation and law enforcement.
Estonia’s i-Voting program gives coerced voters a couple of options: they can “re-vote” when they get some privacy to override their previous vote, or they can cancel their online vote entirely by voting in person.
Keeping a voter’s ballot private is difficult with Voatz and i-Voting. The most obvious challenge is spyware; users can have it installed on their systems without their knowledge, and widespread attacks are not difficult to imagine. The difference between these cyberattacks and the “hidden cameras in the voting booth” idea is that an adversary could strike millions of voters without ever setting foot in the US.
Putting that concern aside for a moment, in the case of both Voatz and i-Voting, attackers can find out how everyone voted if they have sufficiently elevated privileges and access to internal systems. A third-party security audit of Voatz showed two engineers within their organization had those privileges, and a similar audit of i-Voting revealed that a hypothetical internal attacker with physical access to sensitive systems would be able to do the same by cross-referencing a list of signed encrypted ballot logs with plaintext ballots stored in the same order.
Accuracy
Voatz provides voters with password-protected access to a receipt of their ballot choices, marked each with a unique random ID. A matching paper ballot with the same choices gets generated and printed at their electoral district and marked with the same anonymous ID. After the election, voters can request their paper ballot to verify it was marked correctly. Voatz claims to check devices for malware, but an audit confirmed this can be bypassed, especially in the case of a counterfeit voting app.
Since each Voatz voter can go down to city hall and see their paper ballot after it’s been tabulated, any manipulation of that ballot could be caught. But that happens “post-election,” so it’s unclear what happens when a voter challenges their own vote.
Estonia’s i-Voting application shows voters a QR code after they vote, which they can scan with a smartphone app to instantly verify the server successfully received their choices. However, since i-Voting allows voters to change their vote, malware could then re-cast that ballot later with new choices. A security researcher on an audit team was able to do exactly that by waiting for the next time that system’s user inserted their national ID card into their reader to do some online banking.
When it comes to storing and reading ballots properly, Voatz allows election officials to treat the paper ballots coming out of the printer the same way as they treat the paper ballots marked at polling stations or coming in from vote-by-mail: with chain of custody protocols. This trades the blind spots that come with third-parties handling a physical ballot in vote-by-mail schemes for the stronger security practices involved with handling network traffic.
Estonia’s i-Voting system does not use paper ballots and cannot provide the same audit trail, but instead has a centralized facility running proprietary open source applications to perform tabulation on a live video feed with public observation.
However, even if auditors watch and record every step of the i-Voting tallying process, they don’t know what happened with the systems before observation started. Engineers with the elevated privileges and physical access necessary to perform normal system maintenance can make undetected and unauthorized modifications. This puts a lot of stress on operational security.
A 2013 audit of Estonia’s i-Voting process and exposed a litany of operational issues with severe implications.
- The system responsible for building and signing the executable binary voters use to cast their ballot was a personal-use computer that could easily be running malware. “Apparently unsecured,” since it had a desktop shortcut to a popular online gambling platform
- A wifi network password was printed out and taped to the wall in public view, which could allow an attacker to join and intercept non-secure traffic and distribute malware over the network. And yes, observers saw election officials downloading applications over unsecured HTTP connections
- When an unexplained failure with storage media occurred during a real election and officials had to transport data, an election official used his personal USB memory stick to transport files, even though this was against the written rules and an observer called him out on it. They kept doing it anyway
I sympathize with the staff, because maintaining operational discipline is incredibly difficult and has to start with robust system design. Even with a robust system, people will improvise when necessary, and they won’t have the resources to think of every possible attack vector they might inadvertently introduce.
Granted, that audit happened way back in 2013, but it doesn’t look like they or any similar research groups were invited back for a follow-up. One report from a 2019 audit performed by a human rights group diplomatically states that i-Voting "continues to grow in popularity and enjoys stakeholder confidence,” but goes on to outline serious specific implementation issues they found when glancing behind the curtain. While somewhat vague in its explanation of technical issues, it recommends Estonia publish results from an in-depth design review, security analysis, and penetration testing.
Security
The Voatz system takes an identity thief’s wishlist of data (a photo ID which presumably includes driver’s license number or passport number, full name, address, signature, and whatever else their ID happens to include) which is processed by a third party. This is an invitation to dive into privacy concerns, since it’s unclear exactly how this information is used, transported, stored, and destroyed. Within the scope of guaranteeing election security, it’s also unclear how accurate this identification technique is; neither Voatz nor its third party vendor have published answers around false positives and negatives.
It’s also not clear what prevents someone in Voatz from voting on behalf of voters. That audit from before which identified engineers able to de-anonymize ballots also found Voatz engineers with sufficiently elevated privileges could cast votes on others’ behalf.
Estonia’s national ID system is impressive, but consider that issue I mentioned earlier where the security researcher installed malware to wait for a user to insert their ID card to cast a new vote. Technically speaking, that user did verify their identity, but malware allowed an adversary to use it. I listed it as an accuracy concern, but since it’s an example of voting with someone else’s identity, it’s relevant here as well.
Conclusions
There is no perfect system. Each system provides trade-offs, and officials need to work with voters to decide how to best meet their needs. In-person voting with paper ballots is simple, relatively inexpensive, and offers the most obstacles for widespread fraud. Vote-by-mail is similar in all these regards, introducing some problems that are worth acknowledging but kept in perspective. Voting online makes voting easier for anyone with access to the technology required, but at the expense of secrecy, accuracy, security, or all three. It’s also not necessarily easy or affordable to implement.
A key difference between banking online and voting online is that when a suspicious transaction gets spotted, the account holder and the bank can discuss the transaction and get it reversed if necessary. I’m not sure what a “suspicious vote” would look like, but following up with a “suspicious voter” would betray the secret ballot. Another key difference is the stakes. Even if an entire bank account’s balance were somehow irrecoverably lost, consider the average bank account’s value. In 2019 the US government’s Bureau of Economic Analysis reported a GDP of just a few billion dollars over $21 trillion.
Let’s take a second to go back to the basic goals of an election: determine who the winner is, and convince the losers they lost. With all the uncertainty and risk online voting introduces, it’s hard to say it accomplishes either of those things particularly well.