This is the fourth part of a five-part blog series. Click here to read Part 1, Part 2, and Part 3 of our series.

Is online voting in America feasible?

Now that there is an understanding of where the current election system stands in terms of cybersecurity, it’s time to look into what threats, vulnerabilities, and risks are involved in moving an election online. The benefits of an online election include convenience; quicker, more automated ballot results with more uniformity across the states; and, in these times, mitigated health risks. If people could vote from their own homes, workplaces, or anywhere that has an internet connection, this could lead to larger voter turnout, the lessening or even complete removal of absentee ballots, and more privacy. With technology advancing every day, it can be argued that the country should move forward and embrace the technology that is available for what is, for all intents and purposes, the pillar of democracy: free elections.

Estonian Elections

Since 2005, Estonia has held its elections online. It has a system in place to ensure privacy and accuracy and to give everybody a way to vote, and it has worked. Over the years, voting participation has increased steadily. When online voting was introduced in 2005, only 2% of the population took advantage of online voting. In 2011, only 6 years after the system was introduced, over 24% of all of the votes were cast online. This number increased to over 30% after the 2015 elections (e-Estonia, 2017), and most recently, in the 2019 elections, over 43% of the overall votes were cast online. And it’s not just the younger, more technologically involved voters that are choosing to move to online voting. According to a 2017 Forbes article, almost a quarter of e-votes in recent elections have been cast by people over the age of 55, with another 20% of e-votes from the 45–54 age range, nearly half of all e-votes (Leetaru, 2017).

The Estonian election system isn’t strictly online, so that everybody has a chance to vote. The system that has been implemented is quite comprehensive in order to maintain the CIA Triad of Confidentiality, Integrity, and Availability.

Beginning with internet voting, it is only available for a specific amount of time, usually a week before Election Day. During this set time period, voters can go online and change their vote as many times as they want, with only the last cast vote counting. This was implemented in case the first vote was cast under duress, with pressure coming from a third party to vote a certain way. With the ability to change the vote later on, when the voter is safe from outside pressure, they can vote the way they actually want to vote. Another way for a citizen to cast their vote is to go to the polls early and vote in person. This vote is prioritized and will void the internet vote. This was also done to protect the integrity of the vote: if the person is not able to cast an online vote without someone pressuring them to vote against their will, a secret in-person ballot shows their true vote. After internet voting and early voting close, those who took advantage of these two voting methods are removed from the voting register and are unable to vote on Election Day, so only those who haven’t voted have a chance to vote at the polls on Election Day. Once early voting is closed, there is no way to change a vote on Election Day. To maintain confidentiality, once Election Day rolls around and electronic voting is closed, all of the names are removed from the ballots, keeping the votes anonymous (e-Estonia, 2017).
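The precedence rules described above, written out as an added example (not code from the Estonian system or from the original post). The channel names, the event tuple layout, and the sample voters are assumptions made up for illustration.

```python
from collections import Counter

ONLINE, EARLY_PAPER, ELECTION_DAY = "online", "early_paper", "election_day"

def resolve_ballots(events):
    """Apply the precedence rules to (voter_id, channel, time, choice) events.

    Returns (effective, rejected); effective maps voter_id -> (channel, choice).
    """
    effective, rejected = {}, []
    for voter, channel, when, choice in sorted(events, key=lambda e: e[2]):
        held = effective.get(voter)  # ballot currently counted for this voter
        if channel == ONLINE and (held is None or held[0] == ONLINE):
            effective[voter] = (channel, choice)      # latest online vote wins
        elif channel == EARLY_PAPER and (held is None or held[0] == ONLINE):
            effective[voter] = (channel, choice)      # paper voids the online vote
        elif channel == ELECTION_DAY and held is None:
            effective[voter] = (channel, choice)      # still on the register
        else:
            rejected.append((voter, channel, when))   # breaks a rule, not counted
    return effective, rejected

def anonymous_tally(effective):
    """Drop voter identities before counting, as done when i-voting closes."""
    return Counter(choice for _channel, choice in effective.values())

# Constructed sample events; voter names, times and choices are made up.
SAMPLE_EVENTS = [
    ("alice", ONLINE, 1, "A"),         # cast under pressure
    ("alice", ONLINE, 5, "B"),         # re-vote later, in private
    ("bob", ONLINE, 2, "A"),
    ("bob", EARLY_PAPER, 6, "C"),      # in-person early vote overrides
    ("bob", ONLINE, 7, "A"),           # too late: the paper ballot stands
    ("dave", ONLINE, 3, "B"),
    ("dave", ELECTION_DAY, 101, "A"),  # already voted, struck from register
    ("carol", ELECTION_DAY, 100, "A"),
]

if __name__ == "__main__":
    counted, refused = resolve_ballots(SAMPLE_EVENTS)
    print(anonymous_tally(counted), refused)
```
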

In cybersecurity, there is another framework to intelligently control online access and make sure people only access the information that they’re supposed to. This framework is the AAA security framework, which stands for Authentication, Authorization, and Accounting. It ensures that you are who you say you are, that you’re supposed to access the information that you’re trying to access, and that you’re only where you’re supposed to be. So how do online elections, or i-voting, work? How does Estonia maintain the CIA and AAA frameworks in their elections?

In very simple terms and without going into too much technical detail, a voter accesses the Estonian online voting site using an Estonian ID card or Mobile-ID, which enable secure remote authentication and legally binding digital signatures. This ensures that the person voting is who they say they are and gives them access to where they’re supposed to be. Without both the ID and digital signatures, they would not be able to access the ballot. Once inside the secure site, the voter can fill out the ballot, submit it, and close the site. The next time this voter wants to access the poll, they must use their ID and digital signature to go back in. Finally, after i-voting is closed before Election Day, the names and any identifying artifacts are removed from the vote to ensure that the vote is anonymous (e-Estonia, 2017). This satisfies confidentiality, authentication, and authorization from the two frameworks, but there is still the integrity and accounting that must be talked about. How can Estonia feel confident that the elections won’t be hacked?

There are many safeguards in place when it comes to i-voting in order to preserve the integrity of the elections. To this day, there has not been a successful breach, and the validity of the results has not been called into question in any of the online elections. The Estonian Information System Authority, which supervises the government’s cybersecurity, has come out and claimed that i-voting is more secure than paper ballots since safeguards are always in place for IT systems, procedures, and results, so they are monitoring not only the i-voting system but the election as a whole. This also includes all updates, improvements, or patches that may need to be applied to the system. These constant audits would raise a red flag if anything out of the ordinary were to take place. Another safeguard that Estonia has in place is that, as mentioned previously, i-voting only takes place for the week before Election Day, while only the polling stations are open on Election Day. So, if those systems are compromised and the legitimacy of the election may be called into question, the internet votes would be discounted and everyone, excluding those who previously voted in person during the early voting, would just have to go to a polling center to vote in person (e-Estonia, 2017). However, this is just a safeguard, and it has never had to be implemented yet.

Still, there is no shortage of doubters who believe that online elections are not plausible or safe. One of the fiercest opponents of online voting is Dr. J. Alex Halderman, Professor of Computer Science and Engineering at the University of Michigan. Dr. Halderman, along with six other researchers, studied the Estonian voting system in depth during and after the 2013 Estonian elections, and their findings were published in a paper in May 2014 (University of Michigan et al., 2014). The report claims that the Estonian voting system places extreme trust in election servers and voters’ computers, which would all be easy targets for a bad actor, or foreign power, who would want to disrupt the election. Free and fair elections, the pillar of democracy, rely on 3 standards: that the systems are secure so votes can’t be changed; that the votes are anonymous so that they’re free and people can vote how they desire; and that the results are accurate, which is to say that the votes are counted the way that they were cast. Without one or more of those standards, the election is no longer free or fair. Unfortunately, the report was not able to confirm that these 3 standards are able to be kept.

The first issue that Dr. Halderman and his team found was that, although there was end-to-end encryption to provide security for the vote, the computer being used for the vote was not immune to malware that could potentially alter the vote. If keylogging software is on the infected computer, then the next time the ID card is used on the computer for anything, including logging into a bank account, the malicious actor could change the vote, since the keylogging software would provide them with the PIN to gain access to the software, circumventing the two-factor authentication.

On the server-side, the issue arises that there is complete trust in the server that counts the votes in the end. The votes go into the server, unobservable, and are decrypted there. If malware is loaded onto this server, the votes inside the server can be changed without the ability to see what changes have been made. This allows an attacker to change the results of an election without it ever being detected. The researchers ran a test on the system, installing the vote-stealing malware onto the system in the pre-election system setup. They made sure to keep all of the checks in place so that nothing would look wrong with the software. However, when the votes were being decrypted, the code would silently change the votes, while remaining undetected.

Dr. Halderman and the team also acknowledged the level of transparency that Estonia projects regarding the elections. This is an important piece of democracy since it shows that the results are the results and that there is integrity with the election system. However, the team expressed some hesitation regarding this because, while there is transparency, there is only transparency with what Estonia can show regarding the information that they received. They believe that there is no way that Estonia can prove that the results are accurate and how each citizen voted. If there was any tinkering with the results by a nefarious actor, whether with how the vote was cast or how it was received by the server, it wouldn’t necessarily show up, and therefore, all the transparency in the world wouldn’t maintain the integrity of the election.

Therefore, Dr. Halderman and the team strongly oppose online voting in Estonia. They believe that the weak design, exacerbated by poor operational management, would lead to inaccurate and incorrect election results. The system, built on outdated assumptions, doesn’t take into account the serious threat of state-level attacks and cybercrime. In order to continue with online voting, a full revamp of the system is necessary, one that takes into account all of the weaknesses, and not just patches.

New South Wales Elections

New South Wales also cracked into the i-voting field. Called iVote, powered by Scytl, online voting began in 2015 and continued in the 2019 elections. Online voting was implemented as a way to be more accessible for people who lived far from polling stations, were outside the country during the election, and to assist people with disabilities, including visual impairments, physical disabilities and literary disabilities, while preserving voter privacy and vote confidentiality. In the 2019 elections, 63% of votes outside of polling stations came via online voting, as opposed to the traditional mail-in ballot. This was an increase of more than 55% from the 2015 elections (Scytl, 2019).

What’s different from the Estonian elections is that instead of the government running the online elections, NSW used an outside company, Scytl. Scytl claims to be the worldwide leader in online voting and believes that it has the most accessible and advanced online voting system. It guarantees the integrity and security of its system by allowing voters to see their vote and verify that it was cast the way they voted. Taking into consideration that malicious software could be loaded onto the vote tallying system, Scytl maintains that this feature helps detect any foul play, while also reinforcing the trust in the system and outcome of the elections. During the 2019 election, nearly half of the voters took advantage of this feature. High levels of security and integrity are maintained by rigorous testing, third-party audits, and monitoring.

In 2015, Dr. Halderman looked into that system, as well, with Dr. Vanessa Teague from the University of Melbourne. During the election, they performed an independent security analysis of the iVote system and discovered some severe vulnerabilities that could be used to manipulate votes, violate ballot privacy, and bring down the verification system. One vulnerability came as a result of including analytics software from an insecure external server. This exposed some votes which violated privacy and integrity. A protocol flaw was also found that left vote verification open to be changed (Halderman & Teague, 2015).

Click here for the fifth and final installment of this series where we wrap up our findings and present our conclusion.

Christopher King and Shlomo Ross have just completed their certification at Fullstack Academy Cyber Bootcamp and are pursuing careers in Cyber Security

Click here to read our whole report

Sources:
1) e-Estonia. (2017, September). Estonia’s i-voting: more secure, more popular. e-estonia. https://e-estonia.com/estonias-i-voting-more-popular-more-secure/
2) Leetaru, K. (2017, June 7). How Estonia's E-Voting System Could Be The Future. Forbes. https://www.forbes.com/sites/kalevleetaru/2017/06/07/how-estonias-e-voting-system-could-be-the-future/#772e624c3b95
3) University of Michigan, Open Rights Group, & Election Observer. (2014, May). Independent Report on E-voting in Estonia. Estonia E-Voting. https://estoniaevoting.org/
4) Scytl. (2019, May 6). New South Wales Sets New Milestones in Internet Voting and Digital Transformation. Scytl. https://www.scytl.com/en/news/new-south-wales-sets-milestones-in-internet-voting/
5) Halderman, J. A., & Teague, V. (2015, August 13). The New South Wales iVote System: Security Failures and Verification Flaws in a Live Online Election. Springer Link. https://link.springer.com/chapter/10.1007%2F978-3-319-22270-7_3
