Our money, shops, schools, and workplaces – due to coronavirus almost every part of our lives is moving online faster than ever. But, at least for cybersecurity experts, electronic democracy sounds like science fiction as there’s no certain way to ensure the transparency of internet voting and protect democracy from hackers.
“Estonia should be terrified,” Bruce Schneier, a famous cybersecurity expert and a fellow at Harvard University, told CyberNews. The small Baltic country with only 1.3 million citizens adopted internet voting back in 2005, but neither Estonia nor the rest of the world, according to Mr. Schneier, has magical computers to ensure the safety of such elections.
There are some attempts around the world to adopt internet voting, at least to some extent. For example, Russians who live in Moscow or Nizhny Novgorod were allowed to cast their votes online in the recent referendum that let Putin remain president until 2036, should he wish to do so. But even ordinary elections in Russia can raise questions of legitimacy, let alone internet voting.
Estonia’s neighbor Lithuania adopted electronic voting for its citizens abroad and those in self-isolation just a few months before the elections. Naturally, the move is seen as bold.
The examples of internet voting countries are not numerous. It’s 2020 and as we bank, shop, work and fall in love online, a natural question arises – why is the world so reluctant to adopt internet voting?
It may feel as moving backward, but paper-verifiable elections are still seen as the most reliable and secure.
“Remote voting in the US is aspirational”
“We want all Americans to exercise their constitutional right to vote and that their voices be heard,” Member of Cyberspace Solarium Commission in the US Mr. Patrick Murphy told CyberNews.
Remote voting is desirable as it can ensure higher turnout at the elections. “I think that we are all in agreement that remote voting needs to be more robust. Internet-based voting is an aspirational goal that is not ready for this election cycle,” he said.
Mr. Murphy reckons that presidential elections in November will be smoother than in 2016, when America experienced major hacking attempts.
“There’s no doubt that we have foreign actors still trying to intervene in our domestic elections like they did in 2016. In 2020 we are all in agreement we need to ensure we have free and fair elections including remote voting,” commissioner elaborated.
By foreign actors, he mostly means Russia and China. It’s a state-by-state effort to deal with cyber threats, but there are also national initiatives to support the elections. After Bush v. Gore ruling, The U.S. Election Assistance Commission was established by the Help America Vote Act of 2002 (HAVA).
Mr. Murphy is positive that America has learned lessons from the 2016 presidential elections, but he anticipates the presence of foreign actors during the upcoming November elections.
“There are actors, currently dividing Americans along the Black Lives Matter uprising. And as America we need to unify,” told Mr. Murphy.
He hopes that in a few years or so Americans will be able to exercise all kinds of internet voting, online voting as well.
“As American soldier, who was deployed overseas, voted overseas, I always had confidence in the mail-in voting system,” said Mr. Murphy.
But not everyone shares his vision – online voting seems to spook some cybersecurity experts.
“It’s beyond science fiction to make it secure”
“These are not local concerns. Is it easy to cheat? Is it easy to hack a vote? That is the worry in the United States as well as European countries. Estonia should be terrified. That is not secure,” Bruce Schneier, a fellow at Berkman Klein Center for Internet & Society at Harvard University told CyberNews.
He believes that it is the general view of American cybersecurity experts and that nothing he says about internet voting is controversial.
Here’s how the US voted during the 2016 presidential election. Even electronic voting, if not backed by paper ballots, can be seen as a not accurate and reliable form to cast a vote. Recent attempts to vote online present even bigger challenges.
The US has an unpleasant history of using electronic machines in the voting process. Georgia was ordered by a judge in 2019 to switch to paper ballots and stop using outdated electronic voting machines. So the state switched to a new voting system, consisting of new electronic poll books and ballot-marking machines.
But, as The New Yorker aptly put it, electronic voting in primaries in Georgia this June resulted in a disenfranchising debacle. Voters in Georgia had to wait 5 or even 7 hours in line just to cast a ballot. Some people were still in line well past midnight. And this new voting system is also to be blamed for the chaos.
Attempts to vote online also proved to be a disaster. Blockchain-enabled mobile voting app Voatz, used in several local elections in the US (West Virginia, Oregon, Utah, Colorado), received a wave of criticism after some major flaws of the app were discovered. Those flaws could have let an attacker to manipulate the election results. Josh Benaloh, senior cryptographer at Microsoft Research, criticized blockchain technology itself, saying it’s no help.
But Schneier didn’t want to go into detail about the technology itself. To his view, there’s no way that technology can provide safety for electronic voting.
“Unless there’s a country with magical computers… So it doesn’t exist, we don’t know how to build it, it’s beyond human abilities to build it today. So that’s why I say magic,” elaborates Mr. Schneier.
The problem is the requirement of a voter’s anonymity. “If you drop this anonymity requirement, I can do this online voting easily. The anonymity of vote is what makes it impossible. Congress can vote online as much as they want because their votes are public. When the votes are public record, you can always check to make sure it’s accurate. That nobody changed your vote,” says Schneier.
To him, the voter-verifiable paper is the only way. As long as it is an actual piece of paper, it is safe.
“In Minnesota, we use optical-scan voting. That’s probably the best system. That’s the most secure, the most accurate, most reliable,” says a fellow at Harvard.
He believes there have to be technological advances in the way computers work. “You are kind of asking me is it hard like to go to the moon or is it hard like faster than light travel. It’s probably as hard as to go to the moon. It’s not like we need a little bit of money. There has to be fundamental change. Human beings as a species – we can’t travel to Pluto. It’s beyond science fiction to make it secure,” says Schneier.
Estonia admits: one can never be 100% sure
Estonia is often dubbed as one of the world’s most digitally advanced societies. It is famous for its e-residency program, allowing people to do business in Estonia without actually living in the country. It’s also under tight scrutiny when it comes to internet voting – Estonians have been voting from their homes since 2005.
““Either Estonia has had all the accurate elections, or all the hacked elections that have not been discovered. Those are the options,” Schneier told CyberNews.
Almost half of voters in Estonia voted online – during 2007 parliamentary elections around 5% of Estonians voted electronically, while last year almost 47% chose online ballots. The turnout at the elections despite the popularity of internet voting grew only by 2%.
Arne Koitmäe, Head of the State Electoral Office in Estonia, says that so far there haven’t been any incidents regarding internet voting so far.
“Introducing Internet voting is an ongoing debate everywhere and it’s true that there is no solution that will guarantee 100 pc security, so running a secure Internet voting system is an ongoing process,” admits Mr. Koitmäe.
The Estonian internet voting system relies on the Estonian eID and the Estonian ID card has been an official document for establishing the identity of a person for more than 15 years and practically everyone has it. Each ID card has a chip that allows personal identification and signing documents online.
But these chips also expose ID cards to digital vulnerabilities. Some of the chips had a major algorithmic flaw, which means that around 800,000 ID cards in Estonia were at risk for identity thefts. Though, according to the government, it didn’t happen and the damage was limited to a minimum – tens of thousands of citizens were temporarily deprived of various electronic services.
Mr. Koitmäe assured that there are a host of measures to ensure the reliability of the system.
“The voter can verify that the vote was cast and received as intended by the vote collection server by a separate app on a smart device. The votes received by the vote collector are time-stamped and recorded by a third party registration service. Data auditors as well as observers can check the correct functioning of the system and run the audit application. The conformity of votes collected, votes to be counted, and votes counted is checked by mathematical means within the framework of data audit, to confirm the correct functioning of the process,” he explained.
There’s room for improvement though – additional auditing and testing solutions are desirable, added Mr. Koitmäe.
Lithuania, another small European country with a population of 3 million people, will be going to the polls in October to select new MPs. And it is a major headache for both the Central Electoral Commission of the Republic of Lithuania and cybersecurity specialists as Lithuanian Parliament adopted electronic voting just a few months before the elections.
According to the new law that was adopted in late June, Lithuanians abroad as well as people in self-isolation will be allowed to vote electronically under extreme circumstances. For example, if there’s a second wave of coronavirus and voting in the embassies is not possible due to quarantine.
“Even now with the ordinary elections, we have a lot of cybersecurity challenges. But if there are any doubts about the results, there’s always a possibility to recount the paper votes”, Rytis Rainys, the director of National Cybersecurity Center in Lithuania, told CyberNews. Lithuania ranks 4th on the Global Cybersecurity Index.
With less than three months left till the elections, there’s still no technological solution to electronic voting and that makes it hard for cybersecurity specialists even to comment on the subject. There’s just a gloomy vision that some unique codes could be used.
“Single code can become a gateway for attackers and the whole system could be compromised. If there’s two-factor authentication and the system is experiencing denial-of-service attacks, single votes can just disappear. What to do in that case? Annul the whole results of one or more poll stations?” elaborates Rainys. If there’s even a hint of a doubt that elections are not transparent, it can have heavy consequences.
There are around 350 thousand Lithuanians abroad with the right to vote in the upcoming elections.