A lot happens before ideas become solutions.
At ElixWare we want to bring you more than just great, affordable software. We want to let you know how and why we do what we do.
Our Ruminations blog will bring you insights into how we got here and some of the things we consider when trying to help you run your business. We hope it gives you a better understanding of how we strive to better serve your needs.
9 minute read
This is a rather long post, but it covers a lot of aspects of internet voting.
Being able to vote safely and securely over the internet is going to be a watershed moment. It will give more Americans the opportunity to vote; to participate in America's democracy. Realistically, I don't expect to see it widely used - if at all - in the US during my lifetime.
Voting is important. It’s one of our most valuable and powerful rights. Some people believe it’s a civic duty. Others think it’s a waste of time. Most fall somewhere in between. But no matter how you feel about voting, one fact remains: if you don’t speak your mind on Election Day then it doesn't really matter what you're squawking about the rest of the year.
As expected, the 2022 midterm elections were raucous and contentious. There were recounts, runoffs and even lawsuits. In hindsight, this was all relatively mild when compared to the 2020 elections.
Back in 2020, we posted about the debacle that was Shadow Inc.'s IowaReporterApp used for the Iowa Democratic Caucus. Nevada, after seeing the fiasco in Iowa, switch from the using the app to using Google Forms. Shadow Inc changed their name to Blue Link not long after the Iowa embarrassments.
The 2020 election had a large number of claims of voting machine misdeeds and improprieties, yet none were actually proven in court. In fact, there was only one successful lawsuit (out of 62) filed against the election results, and it had nothing to do with voting machines. In Pennsylvania, a judge ruled voters had only three days after the election to provide proper ID and "cure" their ballots instead of the expected six days. This is reported to have affected less than 100 votes.
Dominion Voting Systems was the target of many of these accusations of wrongdoing. Yet among their most popular models, Dominion produces systems that generate a completely transparent and auditable paper ballot. The voter selects their candidates, tells the machine they are done, and the machine either fills out the circles on a standard ballot, or it prints a ballot with the selected candidates that is easily readable by the voter. This allows for review by the voter, as well as counting and recounting via optical scanners or people (e.g., manual recounts).
India, the largest democracy with roughly 1.4 billion people, uses a very different type of electronic voting machine. These voting machines are novel, yet not very flexible, and they don't offer any verifiable proof of a vote (e.g., a paper ballot). The security of this system is a matter of much debate.
Don't confuse data integrity with data security. Moscow's "local elections" were planning to use blockchain in their 2019 elections ... and it was rendered insecure in 20 minutes.
In January 2020, King County, WA tested online voting for a Seattle-area election for members of an all-volunteer board. Turnout doubled for this election (from 1% to 2%). This test garnered very little press coverage and didn't result in expanding attempts at online voting.
Though groundbreaking in the US, the Swiss did have limited online voting (which they call "e-voting") in Geneva starting back in 2003. Additional Swiss cantons had e-voting for voters living abroad, though not all ex-pats were included. E-voting had been happening long enough in Switzerland that in 2019 Swiss politicians and computer experts launched an initiative to ban e-voting over security concerns.
Researchers uncovered a cryptographic trapdoor in Switzerland e-voting system. A second cryptographic flaw was discovered in the same software, but was eventually determined not to affect the e-voting system. Currently there is no e-voting in Switzerland. Some countries do have e-voting projects, but it involves voting online within polling stations. This isn't what most people expect when they hear about internet voting.
Internet voting is where I start grousing that elections will start to rival the complexity of a space mission. Hacking and election interference is already a serious concern, and that doesn't even include the perils of online voting.
I'll be honest, I've done some research and some rough work on this subject. Someone like me could disrupt state and/or national online elections to a significant enough degree as to render the results in one or more voting districts contestable. A well organized and well financed group could wreak havoc on internet voting on Election Day.
Yes, the election commissions would be mostly prepared, and could take reactive countermeasures, to prevent some methods of interference. But these types of actions would be difficult during the election and could possibly cause even more difficulties for online voters. There are no do overs for elections, so fixing it afterwards involves a certain barn door idiom.
This ended up spreading the polling places throughout counties and voting districts in such a way that there are far too many polling stations than can be effectively attacked. Not that every one would have the same value with regards to the number of votes that take place, but it still results in a vastly distributed network of polling stations.
In the 2018 general election, more than 230,000 polling places were used. Each of these can have unique ballots, and can have different types of voting machines (if any), optical scanners (if any), etc. Some may have older technology, which may not necessarily be as secure as newer technology but might not be large enough to be worth targeting.
Internet voting would either have to be set up for each of these separate polling places, one endpoint for each unique ballot, consolidate them into polling districts (supporting ballots for each unique election), or even fewer internet voting endpoints per state. No matter the distribution, each would need to set up their own mitigations and protections, presumably with support from their states. The fewer the number of endpoints, the easier for voting authorities to manage and protect, but the larger and more valuable the targets.
How could this be done? Besides the countless VPN services and servers in US data centers, there are an unknown number of existing Tor endpoints available. Not to mention that prepared bad actors could infect tens of thousands of servers with additional hidden Tor endpoints that would only be enabled on Election Day.
And let us not forget that there are hundreds of thousands, if not millions, of infected computers in the US that are available for rent from botnets. The resulting DDoS and amplification attacks from these individual computers would be extremely difficult to identify as malicious actors, let alone mitigate their effect. A browser that is having issues connecting with a voting server while submitting a legitimate vote could resemble a bad actor if it repeatedly tries to connect.
I'm not saying services like Cloudflare couldn't be utilized (or more probably, duplicated by state and federal agencies). But disruptions that result in votes being lost or blocked, or incomplete voting attempts that result in errors sent back to the voters, would add up quickly.
Additional technical issues:
Other potential issues with internet voting:
Remember, that disrupting online voting doesn't need to be a complete success. It only needs to prevent a small percentage of the votes in swing districts in swing states from being counted. In the Georgia 2020 Presidential election, the difference was 11,779 out of 4,999,958 votes (0.23%). Inflating vote counts with phished voter credentials will also be targeted at important districts.
As you can see, there's a lot that must happen before internet voting can even be considered as a safe option. And between now and then, more vulnerabilities and liabilities will be discovered by the good guys and the bad guys. So, in the meantime, plan how you want to vote, and then vote.
prev post: A Little Hymn