Should somebody develop a means of conducting elections online that the nation finds acceptably secure and private, it could very well transform democracy for the better. It is the hope of those people working on such efforts — and no stretch of the imagination to those who aren’t — that online voting would mean more participation from a more representative portion of the people, faster results and even unchallengeable records of the outcome.
The minor mountain standing in the way of this vision is, to simplify the issue, cybersecurity. The public is treated regularly to stories of vaunted, savvy organizations brought low at the hands of faceless hackers. The victims: Target, Sony, Equifax, LinkedIn, the U.S. Department of Defense, the U.S. Office of Personnel Management. When hackers hit Dyn, the service that helps browsers find websites, the East Coast effectively lost large pieces of the Internet.
And then there was the hacking of the Democratic National Committee during the 2016 presidential campaign, followed by election system breaches in multiple states. The resulting political chaos has led some, such as U.S. Rep. Hank Johnson, D-Ga., to propose disconnecting voting machines from the Internet entirely.
“My recommendation,” said Ron Rivest, a computer science professor at the Massachusetts Institute of Technology for more than four decades, “is to have all voting be done on paper.”
Why? Because paper inherently solves all the most pressing concerns about elections: It is secure from hackers because one cannot digitally alter it, it is auditable because it is physical, and voters can check it for accuracy because they can experience it with their own senses.
And yet it was paper ballots, playfully dubbed “butterfly ballots,” and their hanging chads, that caused such confusion and anger in the wake of the 2000 election.
There are workarounds. Optical scan machines employ technology to more quickly process paper ballots, improved design can make ballots less confusing, and there are even systems in place to add some measure of voter verification by comparing handwritten signatures.
These all help. But they’re not in the same league as online voting.
The specter of all the terrible possibilities of a cyberattack halting, changing or simply undermining a U.S. election has not stopped the country’s technology-minded from trying. Recently a new(ish) technology has sparked some hope.
Of all things, it comes from digital coins.
Hash chains are not a new concept in cryptography. They are, essentially, a long chain of data connected by values called hashes that prove the connection of each part to the next. By stringing all these pieces together and representing them in small values, then, one can represent a large amount of information without doing much. Josh Benaloh, a senior cryptographer for Microsoft Research and director of the International Association for Cryptologic Research, gives the rough analogy of taking a picture of a person, then taking another picture of that person holding the first picture, and so on. Loss of resolution aside, each picture would contain all the images from the previous pictures.
It’s only recently that people have found a way to extend the idea to commonplace applications. That happened with the advent of bitcoin, a digital “cryptocurrency” that has attained real-world value and become a popular exchange medium for ransomware attacks. The bitcoin community operates using a specific type of hash chain called a blockchain. It works by asking a group of users to solve complex problems as a sort of proof that bitcoin transactions took place, in exchange for a reward.
“Academics who have been looking at this for years, when they saw bitcoin, they said, ‘This can’t work, this has too many problems,’” Benaloh said. “It surprised everybody that this seems to work and to hold.”
But the blockchain concept is by no means limited to money. It’s simply a public ledger, a bulletin board meant to ensure accuracy based on the fact that everyone can see it — and what’s been done to it — at all times. It could be used to keep property records, or to provide an audit trail for how a product got from factory to buyer.
Or perhaps it could be used to prove the veracity and accuracy of digital votes in an election.
It is a potential solution to the problem of cybersecurity in online elections because the foundation of blockchain is the audit trail: If anybody tampered with votes, it would be easy to see and prove.
And in fact, blockchain elections have already been run in the U.S. — just not in the big leagues. Voatz, a Massachusetts-based startup that has struck up a partnership with one of the few companies in the country that actually builds voting systems, has used a blockchain paradigm to run elections for colleges, school boards, unions and other nonprofit and quasi-governmental groups. Perhaps its most high-profile endeavor was authenticating delegate badges at the 2016 Massachusetts Democratic Convention.
The Voatz idea is to put a spin on bitcoin’s approach to blockchain. The company thinks government could limit the blockchain miners — or validating peers, the term Voatz CEO Nimit Sawhney prefers — to a handful of trusted, verified partners. They wouldn’t make money from their work the way bitcoin miners do.
“Your incentive to participate is essentially to help democracy and ensure we have better elections,” Sawhney said.
The system can also work with paper ballots. Sawhney said his company has written a standard for incorporating those ballots into the blockchain, and in those situations, Voatz would augment the existing systems rather than replace them.
Voatz isn’t the only company working on this. There’s Follow My Vote, a Virginia-based company with its own blockchain-based platform. Then there’s Blockchain Technologies Corp. in New York, and E-Vox in Kiev, Ukraine.
The Estonian government is considering blockchain voting. The Republican Party used it in Utah in 2016 for its primary voting. There are governments eyeing blockchain all around the world.
But for all this enthusiasm, it’s hard not to notice the lack of love coming from researchers and academics.
Benaloh is pretty clear when he talks about whether blockchain is a good way to hold online elections.
“Blockchains just don’t help,” he said. “They create ambiguity and uncertainty, they move the power around and they’re much more complicated than they need to be.”
It’s fine for other applications, he said, but when it comes to elections, the stakes tend to be higher. American democracy, and the government built upon it, rests on the assumption that election results can be trusted. Anything that undermines that confidence undermines faith in the government.
Benaloh sees many problems with blockchain. One of them is that the system trusts miners not to ignore votes, and to record them accurately, but he doesn’t see a way to actually force them to do so.
“You’re not necessarily trusting the blockchain miners to be honest about what they put. They might put something in the blockchain, like a transaction, that didn’t really happen,” Benaloh said. “So it’s not a matter of honesty, it’s a matter of agreeing on what’s in the blockchain. Not whether what’s in the blockchain is true.”
And in fact, he can imagine some easy scenarios in which the miners could either be influenced or even have a direct interest in influencing the outcome of the election.
“Suppose the transactions are votes, and I am the leader of a movement to oppose a heavy tax on blockchain miners,” he said. “If I’m going to vote in that referendum, then I have to convince some blockchain miner to pick up my vote and put it into the chain. In that case they may know who I am and they may say ‘No, I don’t want to do this,’ and I may be disenfranchised.”
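An added example, not from the article or from any voting vendor: a minimal hash chain in Python that shows both sides of the argument above. Editing a recorded ballot breaks the chain, but a chain built without one voter's ballot verifies cleanly, so the omission only shows up when compared against receipts held outside the ledger. The ballot fields, function names and receipt check are assumptions made for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # fixed starting value for the chain
# Constructed sample ballots (not real data).
CAST = [{"id": "b1", "choice": "yes"}, {"id": "b2", "choice": "no"},
        {"id": "b3", "choice": "no"}]

def entry_hash(prev_hash, ballot):
    """Hash of one ledger entry: binds the ballot to everything before it."""
    payload = json.dumps({"prev": prev_hash, "ballot": ballot}, sort_keys=True)
    return hashlib.sha256(payload.encode()).hexdigest()

def build_chain(ballots):
    """Recorder's side: append ballots in order, each linked to the previous hash."""
    chain, prev = [], GENESIS
    for ballot in ballots:
        prev = entry_hash(prev, ballot)
        chain.append({"ballot": ballot, "hash": prev})
    return chain

def verify_chain(chain):
    """Auditor's side: recompute every link; return index of first bad entry, or None."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry_hash(prev, entry["ballot"]) != entry["hash"]:
            return i
        prev = entry["hash"]
    return None

def missing_receipts(chain, receipts):
    """Voter-side check: which submitted ballot IDs never reached the ledger?"""
    recorded = {e["ballot"]["id"] for e in chain}
    return sorted(r for r in receipts if r not in recorded)

def demo():
    honest = build_chain(CAST)
    # Case 1: a recorded ballot is edited after the fact; stored hashes no longer match.
    tampered = [dict(e, ballot=dict(e["ballot"])) for e in honest]
    tampered[1]["ballot"]["choice"] = "yes"
    # Case 2: the recorder never includes ballot b2; the resulting chain is self-consistent.
    omitted = build_chain([b for b in CAST if b["id"] != "b2"])
    return {
        "honest": verify_chain(honest),        # None: chain is intact
        "tampered": verify_chain(tampered),    # 1: edit detected at entry 1
        "omitted": verify_chain(omitted),      # None: chain alone shows nothing wrong
        "missing": missing_receipts(omitted, ["b1", "b2", "b3"]),  # ["b2"]
    }
print(demo())
```

The chain's integrity check answers "has this record been altered?" and nothing more; detecting a dropped ballot needs evidence the recorder does not control, here modeled as voter-held receipt IDs.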
Another criticism: There are ways for miners to increase their own influence. Because validating the blocks relies on computing power, if one miner is able to achieve computing power greater than half of the group of miners as a whole, they in effect win the ability to create the majority of the blockchain.
“If you have a majority of blockchain mining power, the most CPU cycles or whatever, you can take the blockchain basically in any direction you want,” Benaloh said.
Sawhney says Voatz employs safeguards against these possibilities and that there are measures to find out when a vote is being ignored. As for deliberate misrecording of votes, he said that too would be apparent to all validating peers, and that anybody caught unfairly manipulating the tally would be kicked out of the pool of validators.
One of Rivest’s concerns is the simple problem of individual confidence. A person who writes their choice down on a piece of paper can simply refer to the paper if they want to check their vote. A person who votes by a screen can see what their vote was, but they can’t see what information that screen actually transmitted to the election authority, or whether that information was tampered with at any step in the process.
Or, for that matter, whether anybody was able to look at their vote.
“It could be that the program on your computer is secretly shipping your information off to a government agency and telling them how you voted,” Rivest said.
Sawhney also believes he’s found an answer here. Voatz is specifically made for smartphones and tablets that have security features built in. The company can write its programs to take advantage of existing tampering-detection features in those devices and shut down systems that attackers are trying to work with. Further, mobile devices can offer biometric and pseudobiometric tools like fingerprint checking and facial recognition to ensure that the person using the device is not attempting to vote for somebody else.
“If you give your phone to somebody else they cannot impersonate you,” Sawhney said.
When the Utah branch of the Republican Party decided to use blockchain as a means of allowing online voting in its caucuses in March 2016, virtually all of those problems surfaced.
Just not in a very dramatic way.
The Utah GOP used Smartmatic for the experiment, and ran a somewhat limited version of the concept: It was only used for the vote on presidential candidates, and users had to apply before the caucus date to use the online system. First the party verified their GOP membership and state voter identification, and then they issued those users an encrypted ID number to vote with. Local newspapers reported at least 30,000 successfully applied to use the system, but party spokespeople did not have readily available information about how many people wound up voting online.
The move to try out blockchain, made with very little fanfare on the part of the state party organization, met with instant skepticism from technologists in the press who warned that use of blockchain in voting could cause security issues. On caucus day, the Salt Lake Tribune and Deseret News both reported that some users couldn’t figure out the system and many more had confused the rules about when they needed to sign up or how to cast their vote. Some felt hesitant to use a system where they couldn’t see where their vote went the same way they could when they physically inserted it into a ballot box.
Peter Simonsen, who was working on a gubernatorial campaign at the time and has since become the assistant director of the Utah GOP, said those concerns were overblown.
“The upset people are the most vocal,” Simonsen said. “When somebody’s happy with something, they rarely tell you.”
If some people were confused by the rules or had trouble using the system, he said, then the issues are nothing new to voting.
“The same thing can happen at a polling place,” he said. “A big stack of paper, and you show them your driver’s license and for some reason it’s not on the paper — what do you do? It’s the same problem.”
Following the caucus, the party identified no security concerns with the online system, nor any issues with voting accuracy. Nobody has come forward to challenge the results, he said.
“This was the first time [we] did something like this, and I think they did remarkably well,” he said.
Since the experiment, Simonsen said more companies have been approaching the party with different solutions. He’s enthusiastic about finding solutions more tailored to multiple races and issues. And for the 2018 election season, he said, the party wants to approach the state about considering online voting in a wider context. He thinks it could save time, as well as money spent on voting equipment.
“I think we owe it to the taxpayers of the state, if we can make it cheaper then that’s money saved for everything else,” said Simonsen.
Rivest and Benaloh both talk about another online voting solution with much more enthusiasm. And much in the spirit of academia, the technology’s name is pragmatic rather than sleek and buzzworthy: end-to-end verifiable Internet voting (E2E-VIV).
It’s not too far off from blockchain in spirit, but it relies on a centralized approach instead of a decentralized one. Votes are sent from remote electronic devices to the election authority, most likely the secretary of state for the state the person is voting in, and posted online in an encrypted format. The person voting can use her decryption key to check that her vote was recorded accurately.
But there are no validating peers, no chain of blocks stretching back to the first vote.
“It’s much cleaner, it’s much easier, and it’s also much more accountable,” Benaloh said.
Even so, both Benaloh and Rivest think E2E-VIV isn’t ready yet either.
The first reason? Cybersecurity.
Actually, one of the biggest concerns about E2E-VIV is one that would also apply to blockchain, or any other online voting system: denial of service attacks. These types of attacks use Internet traffic as a weapon, overloading systems with so much activity that they simply move too slowly to perform their intended functions. It’s the same kind of attack that took down Dyn.
Imagine, for example, a presidential election in California. The state is notoriously Democratic, but that’s largely a product of the state’s urban areas — there are people in rural areas just as conservative as anywhere in the country. So if hackers were to perform a denial of service attack in just one area, like San Francisco or Los Angeles, they could be sure they were blocking mostly Democratic votes.
“Suddenly you’ve taken California and turned it into a red state, just by limiting the vote in a few parts of the state,” Benaloh said. “And we don’t really know any way of addressing that.”
Or, one could target the more conservative areas of Texas to turn it blue. Or one could nudge Florida a certain way. Or Ohio, or Pennsylvania, or Michigan.
Nevertheless, that’s the horse Benaloh is betting on. Meanwhile, say Rivest and others, there’s always paper.
Sawhney takes a different stance. To him, it’s unreasonable to think that the country can continue to leave voting machines disconnected.
In other words, he’s ready to move forward.
“You have to build resilient systems that can connect to the Internet and survive in the face of these threats,” he said.
First, there’s a minor mountain in the way.