Ruminations

Internet Voting

Normally, I start each post with a metaphor or story, and ease into the main topic. This approach allows me to make dry or technical subjects more accessible and relatable. But today what you see is what you get.

This is a rather long post, but it covers a lot of aspects of internet voting.

Being able to vote safely and securely over the internet is going to be a watershed moment. It will give more Americans the opportunity to vote; to participate in America's democracy. Realistically, I don't expect to see it widely used - if at all - in the US during my lifetime.

Voting is important. It’s one of our most valuable and powerful rights. Some people believe it’s a civic duty. Others think it’s a waste of time. Most fall somewhere in between. But no matter how you feel about voting, one fact remains: if you don’t speak your mind on Election Day then it doesn't really matter what you're squawking about the rest of the year.

As expected, the 2022 midterm elections were raucous and contentious. There were recounts, runoffs and even lawsuits. In hindsight, this was all relatively mild when compared to the 2020 elections.

Back in 2020, we posted about the debacle that was Shadow Inc.'s IowaReporterApp used for the Iowa Democratic Caucus. Nevada, after seeing the fiasco in Iowa, switch from the using the app to using Google Forms. Shadow Inc changed their name to Blue Link not long after the Iowa embarrassments.

The electronic voting machines currently in use aren’t completely secure, though they are much better than they were several years ago. The most secure forms of electronic voting require a paper trail of all ballots cast.

The 2020 election had a large number of claims of voting machine misdeeds and improprieties, yet none were actually proven in court. In fact, there was only one successful lawsuit (out of 62) filed against the election results, and it had nothing to do with voting machines. In Pennsylvania, a judge ruled voters had only three days after the election to provide proper ID and "cure" their ballots instead of the expected six days. This is reported to have affected less than 100 votes.

Dominion Voting Systems was the target of many of these accusations of wrongdoing. Yet among their most popular models, Dominion produces systems that generate a completely transparent and auditable paper ballot. The voter selects their candidates, tells the machine they are done, and the machine either fills out the circles on a standard ballot, or it prints a ballot with the selected candidates that is easily readable by the voter. This allows for review by the voter, as well as counting and recounting via optical scanners or people (e.g., manual recounts).

India, the largest democracy with roughly 1.4 billion people, uses a very different type of electronic voting machine. These voting machines are novel, yet not very flexible, and they don't offer any verifiable proof of a vote (e.g., a paper ballot). The security of this system is a matter of much debate.

Many will say that blockchain is the obvious choice for storing online voting data. Yes, blockchain is a perfect technology for producing a completely auditable voter record. But votes are supposed to be secret, so tracing a vote back to an individual isn't as good an idea as it sounds. Also, blockchain is so slow that it simply isn't practical, and the backlog of votes would produce entirely new network and security problems.

Don't confuse data integrity with data security. Moscow's "local elections" were planning to use blockchain in their 2019 elections ... and it was rendered insecure in 20 minutes.

People wonder why we can’t vote over the internet. The primary reason is security. And repeat after me, "one of the common costs of security is inconvenience".

In January 2020, King County, WA tested online voting for a Seattle-area election for members of an all-volunteer board. Turnout doubled for this election (from 1% to 2%). This test garnered very little press coverage and didn't result in expanding attempts at online voting.

Though groundbreaking in the US, the Swiss did have limited online voting (which they call "e-voting") in Geneva starting back in 2003. Additional Swiss cantons had e-voting for voters living abroad, though not all ex-pats were included. E-voting had been happening long enough in Switzerland that in 2019 Swiss politicians and computer experts launched an initiative to ban e-voting over security concerns.

Researchers uncovered a cryptographic trapdoor in Switzerland e-voting system. A second cryptographic flaw was discovered in the same software, but was eventually determined not to affect the e-voting system. Currently there is no e-voting in Switzerland. Some countries do have e-voting projects, but it involves voting online within polling stations. This isn't what most people expect when they hear about internet voting.

Internet voting is where I start grousing that elections will start to rival the complexity of a space mission. Hacking and election interference is already a serious concern, and that doesn't even include the perils of online voting.

I'll be honest, I've done some research and some rough work on this subject. Someone like me could disrupt state and/or national online elections to a significant enough degree as to render the results in one or more voting districts contestable. A well organized and well financed group could wreak havoc on internet voting on Election Day.

Yes, the election commissions would be mostly prepared, and could take reactive countermeasures, to prevent some methods of interference. But these types of actions would be difficult during the election and could possibly cause even more difficulties for online voters. There are no do overs for elections, so fixing it afterwards involves a certain barn door idiom.

Article 1, Section 4 of the US Constitution States states: The Times, Places and Manner of holding Elections for Senators and Representatives, shall be prescribed in each State by the Legislature thereof; but the Congress may at any time by Law make or alter such Regulations, except as to the Places of chusing Senators.

This ended up spreading the polling places throughout counties and voting districts in such a way that there are far too many polling stations than can be effectively attacked. Not that every one would have the same value with regards to the number of votes that take place, but it still results in a vastly distributed network of polling stations.

In the 2018 general election, more than 230,000 polling places were used. Each of these can have unique ballots, and can have different types of voting machines (if any), optical scanners (if any), etc. Some may have older technology, which may not necessarily be as secure as newer technology but might not be large enough to be worth targeting.

Internet voting would either have to be set up for each of these separate polling places, one endpoint for each unique ballot, consolidate them into polling districts (supporting ballots for each unique election), or even fewer internet voting endpoints per state. No matter the distribution, each would need to set up their own mitigations and protections, presumably with support from their states. The fewer the number of endpoints, the easier for voting authorities to manage and protect, but the larger and more valuable the targets.

Disrupting online voting wouldn't be as difficult as you might think. There are many options available to overwhelm voting server endpoints. This wouldn't need to knock these servers offline for the duration of Election Day. Just disrupt them enough that their reliability would be questionable, and their vote counts disputed.

How could this be done? Besides the countless VPN services and servers in US data centers, there are an unknown number of existing Tor endpoints available. Not to mention that prepared bad actors could infect tens of thousands of servers with additional hidden Tor endpoints that would only be enabled on Election Day.

And let us not forget that there are hundreds of thousands, if not millions, of infected computers in the US that are available for rent from botnets. The resulting DDoS and amplification attacks from these individual computers would be extremely difficult to identify as malicious actors, let alone mitigate their effect. A browser that is having issues connecting with a voting server while submitting a legitimate vote could resemble a bad actor if it repeatedly tries to connect.

I'm not saying services like Cloudflare couldn't be utilized (or more probably, duplicated by state and federal agencies). But disruptions that result in votes being lost or blocked, or incomplete voting attempts that result in errors sent back to the voters, would add up quickly.

Besides the DDoS and amplification attacks that could disrupt the collection of legitimate online votes, there are many other problems, concerns and obstacles that need to be overcome.

Additional technical issues:

• If voter information for online voting is sent via email, fraudulent emails will be widespread. These would provide links to fake online voting sites that would collect legitimate voter IDs and then use those to submit fraudulent votes to the actual online voting endpoints.
• If voter information for online voting is mailed, these voter cards can and will be stollen from mailboxes.
• Brute force attacks could invalidate legitimate voter IDs. This would submit fraudulent votes and prevent the owner of the voter ID from submitting their vote.
• Infected computers, or browsers with malicious extensions, would be subject to submitting altered votes or returning faked success messages while sending the voter ID information to servers that would submit fraudulent votes.
• If states issue their own voting apps there will be many counterfeits apps. Also, voting over cellular networks could be disrupted if malicious apps try attacks from infected phones. This would trigger any mitigation services to consider votes submitted via cellular networks as untrustworthy.
• Accessing or hacking online voting endpoints would cause them to be considered as tainted even if nothing was changed.

Other potential issues with internet voting:

• Paying voters to vote a certain way. This would be much more likely in large apartment blocks or complexes.
• Forcing others to vote a certain way. This would happen within abusive or controlling families.
• Secret ballots aren’t really secret. Yes, there's always a way to separate the voter ID information from each vote's data. But even if this is done, it would be naive to think that the implementation wouldn't include a way to reverse this.
• Internet voting is paperless by nature. This means there will be no audit trail. If the voter ID is (or claims to be) separated from the actual vote, then there will be no way to contact a voter to verify their vote data if that ever becomes necessary.
• Voters without access to reliable (or any) internet service, cell networks, computers, or smartphones cannot participate in online voting. Even computers in voting centers, libraries, or polling stations would not necessarily be secure if they are accessible to anyone who wants to vote. A bad actor can simply access a malicious URL to embed an infected browser extension.
• Recounts would be useless. They would simply be counting the same bits that were counted previously.

Remember, that disrupting online voting doesn't need to be a complete success. It only needs to prevent a small percentage of the votes in swing districts in swing states from being counted. In the Georgia 2020 Presidential election, the difference was 11,779 out of 4,999,958 votes (0.23%). Inflating vote counts with phished voter credentials will also be targeted at important districts.

As you can see, there's a lot that must happen before internet voting can even be considered as a safe option. And between now and then, more vulnerabilities and liabilities will be discovered by the good guys and the bad guys. So, in the meantime, plan how you want to vote, and then vote.

---