Why Electronic Voting Is Still A Bad Idea

Five years ago, I made a video for a channel called Computerphile

about why electronic voting is a bad idea.

And I still get emails, occasionally, asking:

things must have changed by now, right?

There’s this new idea, and maybe it’ll help.

Surely electronic voting is just around the corner?

No.

No, it’s really not.

Here is why electronic voting is still a bad idea.

Elections have some very unusual requirements.

There are two key features that are almost opposed to each other:

anonymity and trust.

So first, your vote should be completely anonymous.

There should be no way that anyone can find out who you voted for,

even after everything’s been counted.

That way, no-one can bribe you or threaten you to vote a particular way.

In the UK, if you mark your ballot in a way that could potentially identify you,

so if you sign it, for example, then that ballot is not counted.

This is why election officials are worried about people taking selfies

with their completed ballots:

because you should not be able to prove how you voted afterwards.

Otherwise, you can have attacks like “$10 off for blue voters!”

or “Entry to this party only for yellow voters!”

or “vote red or you’ll regret it.”

Votes have to be anonymous.

The second requirement is absolute, transparent trust.

The system needs to make sure that your vote is securely and accurately counted, sure.

But it also needs to be obvious to everyone, no matter their technical knowledge,

that the system can be trusted.

So if you’re using paper, you place your ballot in a sealed box

that doesn’t get unsealed until everyone with a stake in the election

has someone representing them in the room.

There should always be people from more than one side guarding it, or at the very least,

witnessing that there's a tamper-proof seal being used for transport.

Voters need to be able to trust that their vote will be counted

even though they’ll never see it again and it can’t be traced back to them.

And at no point is a single person put in a position of trust.

People can be corrupt, or threatened, or incompetent, or all three at the same time.

Now, physical voting is not perfect.

It can be attacked, it has been attacked.

The UK’s own paper system doesn’t fulfil both of those requirements perfectly:

it is possible to identify voters from their ballots if a court orders it,

and there are stories about that being done outside the law too.

The key point is not that paper voting is perfect: it isn’t.

It’s that attacks against it don’t scale well.

Physical voting is centuries old.

And in that time almost every conceivable fraud on the system has been tried,

and defences have been found.

The more physical votes you need to change,

the more people you need to influence,

the more time and money it takes,

and the less likely it is that your little conspiracy will stay secret.

In a UK election, there are hundreds of polling stations across the country,

with staff made up of scores of employees and thousands of volunteers.

The job of changing a significant number of votes,

enough to sway an election, becomes very, very difficult.

People have attempted it, some people have been convicted,

a few have probably gotten away with it on some scale.

“Granny farming” is the term that shady operatives use

for going round all the retirement homes

and getting vulnerable elderly people to sign a proxy vote,

a paper saying that someone else can vote on their behalf.

And yeah, on a small scale, that has worked.

But once you start scaling up that attack

it becomes extremely difficult and time-consuming

and the chances are you’re going to get found out.

With electronic voting, that’s not the case.

So first, let’s talk about electronic voting machines.

That’s where there’s a computer at the polling station:

so voters still go into a booth,

it’s just that they are pushing buttons, or tapping things on a touchscreen,

not writing on paper.

Problem number one: trusting the software and the hardware.

In theory, our voting computer could be running open source software

where anyone can see and check the source code.

In practice, that doesn’t happen:

it’s probably going to be closed source,

it's probably going to be loaded off an easily-compromised USB stick,

on a computer that’s been sitting unguarded

and sometimes just idly and inexplicably connected to the internet for years.

And those systems only ever get a full-scale test when an election actually takes place.

That in itself should be enough to stop electronic voting ever being a thing.

But, okay, let’s say that we do, magically,

have the most stable, secure, open source software possible.

How does a voter know and trust that the correct software is actually installed

on the machine they’re using?

Maybe we could use some sort of checksum or some other system

to make sure the voting software is running correctly.

But then you’re just moving the problem,

now you have to trust that the checksum hasn’t been forged.

And almost no voters will actually understand what that check even means,

or why they should trust it.
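The circularity described above, as an added illustration that is not part of the original video: a machine asked to vouch for its own software can simply echo the expected checksum, so the check only means something when a reader the machine does not control does the hashing. The `VotingMachine` model, the sample image bytes and the published hash are all constructed for this example.

```python
import hashlib

# Constructed stand-ins for firmware images (bytes, not real binaries).
GENUINE_IMAGE = b"voting-app v1.0: count every ballot exactly as cast"
TAMPERED_IMAGE = b"voting-app v1.0: count every ballot exactly as cast, mostly"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# The value an election authority would publish as the known-good checksum.
PUBLISHED_HASH = sha256_hex(GENUINE_IMAGE)


class VotingMachine:
    """Hypothetical model of a machine asked to attest to its own software."""

    def __init__(self, installed: bytes, compromised: bool = False):
        self.installed = installed
        self.compromised = compromised

    def self_reported_hash(self) -> str:
        # An honest machine hashes what it actually runs. A compromised one
        # can return the published value verbatim, because the code doing
        # the "check" is the very code whose integrity is in question.
        if self.compromised:
            return PUBLISHED_HASH
        return sha256_hex(self.installed)


def verify_by_asking_machine(machine: VotingMachine) -> bool:
    """The on-screen checksum approach: trust whatever the machine displays."""
    return machine.self_reported_hash() == PUBLISHED_HASH


def verify_by_independent_read(storage_dump: bytes) -> bool:
    """Hash a copy of the storage taken by a separate trusted reader; this
    does not remove the trust problem, it moves it to that reader and to
    whoever published the hash, which is exactly the point made above."""
    return sha256_hex(storage_dump) == PUBLISHED_HASH


def demo() -> dict:
    honest = VotingMachine(GENUINE_IMAGE)
    bad = VotingMachine(TAMPERED_IMAGE, compromised=True)
    return {
        "honest_self_report": verify_by_asking_machine(honest),
        "compromised_self_report": verify_by_asking_machine(bad),
        "compromised_independent_read": verify_by_independent_read(bad.installed),
    }
```

The self-reported check passes on both machines; only the independent read catches the tampered image, and a voter at the booth has no way to perform that read.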

In the United States, voting machines are regularly tested every year...

at the Voting Village at DEFCON, one of the world's largest hacker conventions.

It's not an official thing.

Hackers there have managed to alter the stored vote tallies,

change the ballots displayed to voters, and in one case,

have got a machine to run the video game Doom.

Imagine if, instead of a machine, there was just a person in the voting booth,

and you had to whisper your vote to them, and they promised, oh, yes,

you can absolutely trust them to accurately record your vote

and pass it on to the people who are doing the count.

No, you can’t see how or where they’re writing it down,

you can’t actually call and find out where they are or what they're doing,

but they absolutely promise.

That’s basically what’s happening with an electronic voting machine.

You just have something that says: trust me.

I’ve counted your vote and I have absolutely not been compromised.

Honest.

Problem number two is votes in transit.

How do you get the votes off that machine to the central counting place?

There are three possible ways.

One, you could take all the voting machines to the count.

You could seal them all up, and transport them physically

from where the voting took place to where the counting takes place.

No one does that.

So, you could download all the results from each machine onto a USB stick and take that.

One bit of sleight-of-hand and you’ve got a completely different set of results.

If you’re about to propose some system where the results are checksummed and trusted:

please explain that to the average voter in a way they can understand and implicitly trust.

Okay, so, maybe we could transmit the votes electronically over the internet.

Which is… optimistic.

Man-in-the-middle attacks are more difficult now,

but they’re not impossible,

particularly if you can’t trust the software on either end.

And now you’re connecting the voting machines directly to the internet.

Deliberately.

Which brings us to problem number three: the central counting server.

Right at the end of the process there is the server

that tallies the votes and gives the final count.

Which has all the same problems with trust and verification

as the individual voting machines,

but now only a few people can even see that computer.

That’s also true about electronic counting machines:

ones that take stacks of paper ballots and return totals.

How do you trust they aren’t quietly changing some votes?

We live in a world where Volkswagen got away with

specifically designing their cars to cheat on emissions tests for years.

And that’s before we include user error.

In one Scottish election, trialling electronic counting,

a result was corrected after one observer noticed it didn’t make sense,

and stopped the announcement at the last minute.

Turns out that someone forgot to scroll all the way to the right

to read the columns on an Excel spreadsheet with the results in.

And even if you can’t compromise the election, you can still break trust.

You can still cast doubt on a voting machine, or the entire counting system,

just by leaving an unknown USB drive in it, taking a picture, and posting it online.

Or just faking a photo of that.

To break an electronic election, you don’t actually need to break it:

you just need to cast enough doubt on the result.

It is a lot more difficult to do that with paper and physical ballot boxes.

And all this is before we get to the really terrible idea:

that people should be able to use their phone or computer to vote from home.

Now, I’m sure the device that you, personally, are watching this on

is malware-free and up-to-date. Of course it is.

But can you trust that for everyone in your family?

For everyone on your street?

The exact numbers differ depending on which security firm’s figures you go with,

but it's safe to say that a huge number of computers

are infected with some sort of malware.

Huge numbers of phones are on old, vulnerable versions of their operating systems.

And that’s just scammers setting up botnets and minor extortions.

Imagine the sort of attack that could be put together

by a small, well-funded team backed by a national government.

That sort of attack would scale very, very well.

Find the one hole in the system, and suddenly

it costs roughly the same to change one vote as it does to alter millions:

and your conspiracy stays very, very small indeed.

Maybe you don’t even have to set foot in the country whose elections you’re hacking.

Now, there are a couple of regular objections I get to this.

First of all: what about Estonia?

Yes, in 2005 Estonia became the first country in the world

to offer internet voting, first in local elections, then in national, then in European.

In 2019, more than 40% of votes were cast online there, which is

just short of a quarter of a million people.

On the surface, the system seems robust.

Voters can ID via their government-provided smart card,

or the SIM card in their phone.

But there are problems.

An independent report found gaps in the procedural and operational security.

The architecture of the system is a decade old and it’s now dangerously out-of-date,

and it's open to cyberattacks by foreign powers

either by exploiting individual phones

or by breaking the trust in the server that counts the votes.

The other common objection is: what about new technologies?

What about blockchain?

Look, leaving aside trying to explain blockchain to people

and asking them to trust this weird technology is worth using,

it’s basically just a write-only database.

It doesn’t solve the problem of trusting the software or hardware:

it doesn’t change how the voting machine works,

the interface between the voter’s intention

and what’s actually written to the database still has to work.

If it prints a receipt of the vote you can check later, it breaks anonymity.

If it prints a receipt of seemingly-random numbers you can check later, it breaks trust,

because hardly anyone will understand what’s actually going on there.

I’m not saying there aren’t advantages to electronic voting. Yeah, there are.

Accessibility is the main one, and that’s really important.

In low-stakes elections, for small groups, for the little things, sure, go for it.

But when the future of nations rests on the result:

electronic voting is still a bad idea,

and you should still vote against it.

While you can.

I’m endorsing Dashlane for two reasons: one, they’ve given me money.

Obviously.

But two, because I genuinely believe that if you’re techie enough to watch to the

end of this video,

you should absolutely be using a password manager.

If you go to dashlane.com/tomscott, you can get a free 30-day trial of Dashlane Premium.

Password storage, generation and autofill that works

across devices, browsers, operating systems, everything,

it syncs all your data in the cloud without sending any of those actual passwords to Dashlane themselves.

If you want to know how that works, see previous sponsored sections.

Using long, complicated, symbol-filled passwords

that are completely different for every web site and every app

is ideal for security:

but remembering them is nigh-on impossible and typing them in is a pain.

Being able to use a single master password,

or the biometrics on your phone, is great:

you’ve got one thing to remember.

Dashlane will also store and autofill credit card information,

so you don’t have to retype it every time you buy something online.

You also get a VPN and a gigabyte of secure storage.

So: dashlane.com/tomscott for a 30-day free trial of Dashlane Premium,

which includes unlimited password storage and sync.

And if you like it, you can use the code “tomscott” for 10% off.