Electronic voting is our inevitable future, and while we can’t switch over in a few days or even months, we can design a system more secure than our current paper balloting, one that will ensure a much greater percentage of the United States population casts their vote.
Russia Interfered in Our Last Election.
While many of the details remain classified, the Senate Intelligence Committee concluded back in July that, “election systems in all 50 states were targeted by Russia in 2016.” It’s not just Russia, however, Iran and China have also been accused of attempting interference efforts ahead of the 2020 election. At the end of July, the Washington Post reported that Twitter had taken down over 7000 accounts–fake accounts, created by foreign governments, that were tweeting information, and promoting tweets about United States politics, based on an agenda. If we step back to the New York Times article, we find a conclusion that there was, “no evidence any votes were changed in actual voting machines,” but that unfortunately, “Russian cyber actors were in a position to delete or change voter data,” in the Illinois voter database. With that in mind, and the countless (1 2 3 4 5 6 7 8) arguments from security experts about why going digital is a terrible idea… if we stop skimming the surface, it really only makes sense to vote digitally.
If we pretend for a second that voting is actually about determining and supporting the majority population’s agenda, then we need the maximum number of voters to cast their ballot. This will be an uphill battle, as we fight both the technologist that has security concerns, and the politician that wants to do everything in their power to hold power without majority; but I argue that every single point made to dissuade the use electronic voting can be rebutted with conceptual security, not just code or infrastructure, but fundamental policy and strategic design. After all, black box voting is just as uncertain as any electronic system in use, even today.
Point 1: Real People, Real Votes
Argument: What keeps an attacker from breaking into a user account and casting their vote? Hackers get into people’s most sensitive accounts all the time (social media, banks, work).
We all know a person or two that keeps their credentials on a sticky note under their keyboard, or in a note on their phone. You really can’t trust that login details will be kept confidential if you rely on the end-user too much. Sure, if someone goes around tweeting out their login details, then there’s no helping them… but if the voting body implements a couple of important measures, it is nearly impossible for the end-user to compromise their full authentication.
We are going to use a defense-in-depth approach here, and there are three specific items that should be discussed; PKI through ID/licenses, one time passwords, and post-vote authentication.
PKI/Smart Cards/Three-Factor Auth
Smart cards with PKI certificates are used for everything; The Department of Defense, and many other organizations have been doing this for a while now. When a military or government worker logs into their computer, they use their smart card (something they have) in combination with a pin (something they know), and are authenticated.
Switching lanes for a second, the Department of Homeland Security (DHS) now requires citizens to have a license that is a RealID in order to apply for certain personal identification like a passport, so the government is obviously willing to create new identification requirements. Voters such as those in Texas typically register to vote when they get their driver’s license, so why not issue state ID on a smart card.
When someone gets their driver’s license and registers to vote, they get their voting authentication certificates on their ID. See the DoD’s common access card/geneva convention card with an integrated circuit chip (ICC) below.
People without a driver’s license would get this issued on their state ID. Ultimately a person would be issued their license and set a PIN during that process as well as the third factor of authentication (what city they will be voting from). When they go to log in to the voting system, they would perform authentication as identified above and the back end would verify the location they are accessing the system from, via IP.
Note: If we used a text or email, we would still have two-factor authentication as we will still only have something we know and something we have. Location (somewhere you are) gives us three-factor.
Authentication Success! One-time Voter Token
Argument: So we’re authenticated, great. What if there is malware on the system and a session cookie can be stolen or a vote can be automatically cast otherwise? Session hijacking is a real threat; it’s even in the OWASP top 10.
There is technically no such thing as unbreakable encryption, however, there is one method of cryptography that while inconvenient for most applications, is unbreakable under a few simple conditions, and works here–the use of a one-time password makes a crypt unbreakable. For clarification, if the one-time password (the key) is random, kept confidential, and never reused, then even when the cipher operation is known, they crypt is unbreakable. This makes frequency analytics or know-ciphertext attacks irrelevant. Let’s translate this to voting operation.
Along with their smart card ID, a voter will be issued a paper ticket that has a one time password on it. When they go to vote, they enter their one-time password, which is used to encrypt their vote and send it to the server. The server will only accept a result from a POST request that uses the correct one-time password. This mitigates vulnerability to session hijacking and provides an additional step of integrity, ensuring that the voter is the only one that can cast their vote.
I voted! What ensures database integrity?
Argument: Databases are hacked all the time, how do we know our vote wasn’t changed?
When someone downloads a file from the internet and wants to ensure that it wasn’t modified in transit, they use a hash to verify the contents. Without getting into the weeds, a hash is ultimately a computation of every bit of the input (based on the algorithm’s procedures). A true hashing algorithm will generate a completely new hash if even one-bit changes, and will never generate the same hash for two different inputs. Let’s apply this to the voting system.
When we cast our vote, it is hashed client-side and then sent to the server and hashed on the server. We then are sent back the hash that the server computed, and can compare it to our vote. By this method, we know that the true result was recorded. Later if we want to ensure nothing was changed, we can go to the voting site and check our submission’s hash.
Voting records are public, but the votes are not. Fortunately, a true hash cannot be reverse-engineered back into the input. When we visit the site, we can query for a person, and the server computes the hash of what it has in the records. This should match the hash that was provided to us upon the initial vote. If it doesn’t match then we know the result was altered and we can submit a challenge to the voting authority to get the record fixed.
Point 2: Preventing Compromise Over the Network
Argument: Anyone involved in the transaction could theoretically compromise it, so how do we protect data in transit?
We’ve already touched on how records can be validated after they are submitted, so that is the first means of negating this issue. We also identified the use of one-time passwords for additional transmission security, but there is one final measure that will be useful as well.
End-to-end encryption should be established between the client and server through a VPN, essentially negating any sort of visibility over the network. The same way that a VPN protects you as you perform banking operations in a coffee-shop, it will protect your vote. This can be easily built into client-side code on a computer, or an app on a phone, and the key for the connection will just be added to the same smart card. Modern cards have plenty of storage.
Finally, we must use .gov domains for all sites related to this voting process. It is impossible for a non-government organization to register a .gov address, so you severely limit the possibility of a typo-squatting man in the middle (MitM) attack by using a .gov address.
Point 3: Denial of Service
Argument: The government doesn’t have a great history of handling huge amounts of traffic in the first place (ex: the Obamacare incident), so how can we expect them to provide us a site that is accessible.
Online voting is more fragile than other online services, like banking, and far easier to attack. The cheapest and easiest way to attack an online voting system is to flood the web application with garbage traffic and DDoS it. Any script kiddie with some bitcoin can rent a botnet army of compromised IoT devices and overwhelm the voting server on election day.https://www.csoonline.com/article/3269297/online-voting-is-impossible-to-secure-so-why-are-some-governments-using-it.html
The fact is that Denial of Service (DOS) attacks are defendable, companies do it every day. Twitter, Amazon, Facebook, Google, Apple, and many other companies have been victims of denial of service in the past and often take smaller-scale attacks on a daily basis. The common route is to implement professional mitigation services such as Cloudflare or Imperva Incapsula.
To prevent such attacks, companies typically use distributed denial of service (DDoS) mitigation services like Cloudflare or Imperva Incapsula. These services change DNS records in real-time and filter/redirect traffic in order to reduce the magnitude of these attacks.
The point is that with the proper resources, we can mitigate denial of service as a concern. Some of this comes down to building a good back-end, but regardless, it wont be an issue with the right engineering and testing. Large public companies have 5th order or greater uptime.
Point 4: Any Electronic System is still Essentially “Black Box” to most People
Argument: How do I know that my vote is being handled properly in terms of counting and final election?
In recent months, with the democratic primary election for president quickly approaching, there has been a significant conversation about the merits of black-box balloting aside from any virtual technology. It’s honestly warranted, given that who knows how votes are counted once they are put into a reciptical and sent off somewhere. From that same article as before:
Democracy at stake. The purpose of an election is not just to select a winner, but to convince the loser, and their supporters, that they lost. Trust in the voting process is, therefore, an essential element to any voting system.https://www.csoonline.com/article/3269297/online-voting-is-impossible-to-secure-so-why-are-some-governments-using-it.html
This is probably the trickiest part of the election process, but even in traditional voting, we can’t be 100% sure that our votes are being counted properly. What we can be sure of with a traditional ballot, is that the paper contains our vote, and the counters are of vetted-integrity. If we take into account digital voting, either through a phone app or computer, we can arrive at the same assurances. The counters will be vetted in the same manner, and as mentioned before, through hashing, we can ensure that our vote arrived at the final destination unchanged.
Quite frankly, this system allows us far greater transparency and assurance than any paper system. How can you ensure your paper ballot isn’t altered once it’s turned in? Well with this digital system you can always go back and check.
The Secure Voting Model
Complexity is inversely proportional to security, and this model is intentionally high-level in that it addresses the fundamental issues of a digital voting system, and offers the technology but not specific configurations for mitigation of the vulnerability.
A true electoral system is representative of its entire population, and a digital system is the most accessible. From people who travel a lot, to for example, the military personnel who are deployed, a digital system allows much greater availability. Aside from dislocation, it’s much more convenient for someone to log in to a site or app from their phone and cast their vote, than it is for them to travel to a location, wait in line, and physically cast their vote.
Voting Under the New System
The steps to voting are relatively less complicated than the current system, which will remain in place as we transition over, for those that aren’t up for moving over just yet. Many people, especially older citizens may want to continue to vote on paper, and we should allow that to continue, to ease the process, even if this new system is more secure.
Register to Vote
- Go to DMV to get your driver’s license or state ID issued as usual.
- Specify a PIN and the city you live in (are voting from).
- Receive license which is now on a smart card similar to a DoD CAC, and a paper ticket with your one-time password
*You may also receive a free USB smart card reader here if you financially qualify for it.
Casting your Vote!
- Insert your driver’s license into your computer with a smart-card reader.
- Use your PIN to log into the voting site, and make your selections.
- Enter the one time password when prompted, and submit your ballot.
- If you desire: print off your record, including the validation ID (hash).
Post Vote Integrity
- If at any point you want to validate your ballot, you can visit the site (maybe vote.gov), and verify that the hash of your results matches.
*You can’t change your vote once cast, but you can check the validity and challenge it through the proper channels if you believe it was altered.
Conclusion, a Vote for Digital!
A secure electronic voting system will never be as simple as logging into a website, clicking a button, and logging out, but it can still be far more efficient than going to a location and filling out a paper ballot.
This system will result in significantly increased voter turnout, and derivatively a more representative government.
Not only is this digital system more transparent than black-box voting, but you can also easily validate your submission. From authentication to casting your ballot, this framework will improve voting in the US by orders of magnitude.