Online Voting Is Not Safe
By Patrick W. Dunne
With the concerns surrounding a U.S. Postal Service slowdown and voter suppression, discussions continue to grow about online voting for the 2020 election.
But many cybersecurity experts are skeptical, including Murat Kantarcioglu, a professor of computer science at the University of Texas at Dallas.
Kantarcioglu, who holds a doctorate in computer science from Perdue University, told Digital Privacy News that online voting lacked a meaningful method of self-auditing, which eroded trust in the system.
Should Americans vote online in the 2020 election?
I’d say that you shouldn’t do it.
I don’t think the technology or verification is there yet.
Even if we did have the right technology, I believe such a system would be very vulnerable to fake-news campaigns.
You could have the most beautiful and perfect system, but someone can create fake news about it — and others will buy into it.
They might spread lies and say the system is untrustworthy or that there’s a hidden backdoor.
How is online voting different from shopping or banking online?
We indeed try to do everything online, like banking and paying bills.
I prefer most online alternatives, but there are exceptions. Voting is one of those.
One thing most people don’t realize is that security from online banking comes from the fact that you can globally audit and reverse transactions. Forget about encryption, access control and all that.
Let’s say someone hacks into your account and steals your money. Logs prove these transactions happened.
Even if your cash gets wired somewhere, you can get it back, provided you act quickly.
That’s an important security measure in online banking.
With online voting, even with all this cryptography and those fantastic protocols — and this is coming from someone who loves cryptography and similar technology — the problem is that there are so many vulnerable pieces that make up the program.
What kind of technology can hackers exploit?
All sorts, even ones like blockchain.
For example, Zcash had a beautiful blockchain protocol that was nearly flawless until they discovered a mathematical proof that allowed counterfeiting.
Luckily, nobody found it early on and exploited it — but it shows that even the most high-tech systems might have hidden flaws.
Imagine something like that happening in the U.S. elections? Imagine if someone figured out that there was a bug or that someone claimed there was a bug?
How are we going to do an audit as a regular person?
You can quickly go to your bank and tell them if someone made a fraudulent transaction, but how can you do that with voting?
What other issues are there with online voting?
There’s plenty of potential problems: the apps, server, cryptography keys, bugs in the software, Wi-Fi connections and so forth.
When you add them up, almost every part can be potentially vulnerable.
Voting must be auditable by regular people.
In a normal election, votes leave a paper trail. The ballots go into a box, and representatives from either party can count the votes. If their count matches the computer records, you have proof of accuracy.
You can trust that system of voting.
My main point is that regular people’s belief and audibility in election systems is critical.
I don’t see that happening with the current technology, or even in the near future.
For crucial elections, we must have paper-based audits.
Can privacy be protected in online voting? How?
There is enough cryptography out there where you can hide your voting choices.
If you use the correct protocol and tools, I believe privacy issues can be easily addressed.
But again, once you address the privacy issue, you still don’t have this easy paper trail or solution that could be easily audited by anyone.
Even though your privacy is protected, we want to make sure this happens in the election.
I’m not worried about privacy — and I think there’s enough technology out there that can quickly be adopted to solve the privacy problem.
Of course, if you don’t implement these cryptography tools and just try to do it by inferior means, then, of course, privacy is an issue as well.
But you have technologies there and, if implemented correctly, privacy should be addressed.
If we must vote online, how can we do so safely and protect privacy?
You have to make sure that your computer and devices are updated.
If I were a hacker, one attack vector I’d probably exploit is the individual devices or computers.
For example, hackers can send malware, which could change people’s votes.
Even if hackers couldn’t infiltrate the servers, they could still target individuals and affect the election’s outcome.
Patrick W. Dunne is a writer in San Francisco.
Sources (external links):