Secure e-voting: 20 to 30 years away

Jeremy Epstein, senior computer scientist at the non-profit research institute SRI International, spoke to the Computer Weekly Developer Network blog this week to share his views on the prospects for secure electronic voting.

Epstein says that although some e-voting is already happening in the US, Estonia and other countries, this is not *secure* e-voting; it is just e-voting.

Every system developed so far has been found to be insecure.

20 to 30 years

“From a technical perspective, we’re at least 10 years away from secure e-voting, and many experts think we’re 20 or 30 years away,” he said.

The following text is attributed to Epstein.

Need for two-factor (or more) authentication

Two-factor authentication is important to secure voting, but it is neither necessary nor sufficient (to use a term common in mathematics). Two-factor systems can still be vulnerable to malware in the voter’s computer, to attacks on the servers that receive the votes, to bugs in the software that erroneously record the wrong selections even if there is no malicious intent, and to many other risks.

Additionally, the methods for distributing two-factor systems nationwide are expensive and complex – unless you already have smartcards distributed through government channels (as in Estonia), how do you securely distribute any two-factor system to an entire nation? And if the two-factor device is only used for elections, what happens to the device when people (inevitably) misplace it between elections that only happen every few years?

NOTE: This isn’t a problem in Estonia because the same smartcard is a driving licence, bank card, etc. But a special-purpose card or device for voting would have this problem.

Who would hack a vote? Foreign governments, criminal gangs, or petty fraudsters?

Election tampering has a long history, dating back thousands of years. The common use of paper ballots printed by the government is known as the Australian Ballot, and was developed over 100 years ago to prevent certain kinds of election tampering. There is no reason to believe that today’s attackers are any less motivated or ingenious than those of 100 years ago.

Hackers could include bored teenagers, petty fraudsters, criminal gangs, foreign governments, and “hacking for hire” providers – perhaps all trying to hack the same election in different directions and for different reasons. What we’ve learned from the past 20 years of internet security is that it’s very difficult to predict who will attack systems, why, and how – but the attacks inevitably occur. Perhaps it will be hackers in nations with lax criminal systems who offer online vote tampering services, just as they currently offer hacking for hire (e.g., a hacker in an eastern European country hacking British elections).

The free market will (ironically!) determine the value of such a service. If the ease of success is high and the probability of detection is low, the temptation will be irresistible for some. There is ample evidence that the free market works well in determining pricing for other forms of online mischief; there is no reason to believe that voting will be any different.

Where has online voting worked and what is still wrong with it?

Online voting has worked partially in Estonia. After 10 years, there is a slight uptick in overall turnout. But the systems have been shown to be vulnerable to attack, despite the use of smart cards that can be used to reduce some parts of the risk equation. Some of the source code has been released, but only a portion – and not the riskiest part (the software that runs in the voter’s computer). Everywhere else, online voting has been a failure. It has not increased turnout (with the exception of Estonia, where the improvement is slight).

Every system looked at has had significant security flaws. See, for example, the recent New South Wales (Australia) election, where a serious security flaw was discovered after 66,000 votes had been cast, and there is no way to tell if any of them were tampered with.

Or Norway, where the system was discovered to have massive flaws that could allow unlimited vote tampering. In the United States, with one exception (District of Columbia), vendors and localities have refused to allow any independent security analysis of online voting systems, so only the criminals (and perhaps the vendors) know how bad they are. Every system has increased costs (as was noted in the UK’s prior experiments with online voting), because they must be continuously improved and monitored as the threat environment changes – they can’t simply be deployed and used year after year without change.

The best hope for the future is cryptographic end-to-end verifiable voting systems. However, even those vendors who claim to be using this technology have taken shortcuts that significantly weaken the security characteristics. And so far, the research systems built using this technology have failed key usability assessments. The Birmingham system has some potential, but the methods used are so far not described to the scientific community, and have only been vaguely sketched out in press releases. Hence, it is impossible to know whether they actually advance the state of the art, and what the tradeoffs are for other aspects of the voting problem (e.g., security, privacy, usability, cost).

Security is only part of the issue here; privacy is also a huge concern.

Privacy is a huge concern for online voting, as are issues of voter coercion. One of the values of having in-person voting is that an independent voting official can observe that the voter is able to cast his/her vote by him/herself, and no one else is able to see their selections. Online voting means that an employer, an abusive spouse, a caretaker in an old age home, or a criminal can force the voter to cast his/her vote in a particular way. The Estonian system attempts to limit this risk by allowing voters to vote as often as they like with only the last one counting, but the risk is that this means the voter’s identity must be stored with each ballot to allow the system to know which ones should be discarded – thus increasing risks to the secret ballot.
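The two mechanisms Epstein describes above, a "last vote counts" ballot box that must keep the voter's identity attached to each envelope until de-duplication, and a signed ballot that verifies perfectly even when malware on the voter's PC substituted the selection, modelled as an added illustration. This is not Estonia's code or any vendor's: the voter names, selections and keys are constructed, and an HMAC plus a hash-derived keystream stand in for the smartcard signature and the election's public-key encryption so the script runs offline with the standard library only.

```python
"""Toy double-envelope online ballot box (added illustration, not a real system)."""
import hashlib
import hmac
import os
import random
from collections import Counter
from typing import Optional

# Constructed keys. In a real system the voter's card holds a private signing
# key and ballots are encrypted to the election's public key; here a per-voter
# HMAC key and a symmetric election key are stand-ins.
VOTER_KEYS = {"alice": b"alice-card-key", "bob": b"bob-card-key"}
ELECTION_KEY = b"election-decryption-key"


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream derived with SHA-256 (stand-in for real encryption)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt_ballot(choice: str) -> bytes:
    """Inner envelope: the selection, opaque to everyone but the election key holder."""
    nonce = os.urandom(16)
    data = choice.encode()
    return nonce + bytes(a ^ b for a, b in zip(data, _keystream(ELECTION_KEY, nonce, len(data))))


def decrypt_ballot(blob: bytes) -> str:
    nonce, body = blob[:16], blob[16:]
    return bytes(a ^ b for a, b in zip(body, _keystream(ELECTION_KEY, nonce, len(body)))).decode()


def sign(voter_id: str, inner: bytes) -> bytes:
    """Outer envelope: the voter's card signs whatever inner envelope the PC hands it."""
    return hmac.new(VOTER_KEYS[voter_id], inner, hashlib.sha256).digest()


def cast(box: list, voter_id: str, choice: str, client_substitutes: Optional[str] = None) -> None:
    """Client side. `client_substitutes` simulates malware on the voter's machine
    swapping the selection before it is encrypted and signed."""
    inner = encrypt_ballot(client_substitutes or choice)
    box.append({"voter": voter_id, "seq": len(box), "inner": inner, "sig": sign(voter_id, inner)})


def verify(env: dict) -> bool:
    return hmac.compare_digest(env["sig"], sign(env["voter"], env["inner"]))


def keep_last_per_voter(box: list) -> list:
    """Server side. To honour 'only the last vote counts' the server must match
    envelopes to voters, so the identity stays attached to the ciphertext here."""
    latest = {}
    for env in box:            # box is in arrival order; later seq overwrites earlier
        if verify(env):
            latest[env["voter"]] = env
    return list(latest.values())


def strip_and_tally(envelopes: list) -> Counter:
    """Only now are the outer envelopes discarded and the inner ones shuffled and opened."""
    inners = [env["inner"] for env in envelopes]
    random.shuffle(inners)
    return Counter(decrypt_ballot(b) for b in inners)


def demo():
    """alice re-votes: her second ballot counts, but the retained store still
    pairs each voter with an encrypted ballot."""
    box = []
    cast(box, "alice", "X")
    cast(box, "bob", "X")
    cast(box, "alice", "Y")
    retained = keep_last_per_voter(box)
    return retained, strip_and_tally(retained)


def malware_demo():
    """bob chose X; malware on his PC encrypted and had the card sign Y instead.
    The server-side signature check passes anyway."""
    box = []
    cast(box, "bob", "X", client_substitutes="Y")
    return verify(box[0]), strip_and_tally(keep_last_per_voter(box))


if __name__ == "__main__":
    retained, tally = demo()
    print("identity-linked records held before stripping:", [(e["voter"], e["seq"]) for e in retained])
    print("tally:", dict(tally))
    print("substituted ballot verifies:", malware_demo()[0])
```

The list returned by keep_last_per_voter is the privacy tradeoff in concrete form: the server has to hold (voter, ciphertext) pairs until de-duplication, so anyone with that store and the decryption key can link voters to selections, whatever happens to the outer envelopes afterwards. malware_demo shows the other point: the signature only proves the card signed what the PC gave it, so a substituted selection is counted as cast.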