Secure voting isn’t so secure, because of human voters
Democracy has taken something of a battering in recent years, with Freedom House bemoaning the retreat of democracy around the world in the face of corruption, illiberal populism and a breakdown in the rule of law. Indeed, the European Commission recently issued a resolution against Poland and Hungary over what it sees as a deterioration of the rule of law in both countries, one that is undermining the faith people have in fair and proper elections in both nations.
This was echoed in a recent UN-sponsored report that cited the spread of misinformation, social media manipulation and online extremism as factors that are undermining the vibrancy of democracy today. The report calls for reforms and legislation, both nationally and internationally, to ensure that people retain faith in elections, and the democracy that sits on top of them.
Being a UN-sponsored report, it inevitably takes an international perspective on affairs, and argues for a similarly international approach to the problem as has been seen in areas such as climate change or human trafficking. Its authors believe governments should develop election vulnerability metrics to help determine whether elections are susceptible to interference or not.
There’s a sense that this is something of a watershed moment, as more regions are experimenting with electronic voting for the first time. Indeed, at recent elections in Washington state, voters were able to cast their ballot using their smartphone. The effort is intended in part to increase voter engagement and turnout levels, but, of course, these efforts have to be secure to retain faith in the system.
This lack of security has blighted previous attempts to introduce electronic voting: a 2010 trial of online voting in Washington DC was compromised within just 48 hours by ethical hackers from the University of Michigan, who changed the voting numbers.
New research from the team highlights the vulnerability of voting machines, with the paper unveiling the serious risk of election results being manipulated. Interestingly, however, they don’t believe this vulnerability exists because of the technology per se, but rather because voters often don’t check that their ballot is correct.
The research focused on so-called ‘ballot-marking devices’, or BMDs, which combine both physical and digital voting methods in a single device. Each voter is required to select their candidate on the screen, with the device then printing out their ballot paper for them to check and submit. The idea behind the devices is that they not only make voting easier, but they provide a clear audit trail that increases the security of elections. Data suggests they’re used in around 20% of the electoral districts in the United States, but the faith these districts have in them may be misplaced.
The study found that voters are unlikely to detect if the voting machine was compromised, as very few of them actually check the printout it gives them before submitting it. Indeed, even among those few voters who did check their slip, even fewer actually managed to catch any errors on it. The study found that some 93% of errors went uncaught by voters, due in part to the fact that just 40% of them reviewed their ballot after it was printed out.
It’s a finding that the researchers believe raises serious questions as we enter the primary season in the United States. A core unique selling point for the devices is that they provide a human layer of security to help ensure that votes are valid, but if the humans are typically assuming that their printout is correct, they’re not performing this policing role.
It’s perhaps fair to say that most electoral boards don’t perform this kind of analysis, so the researchers hope that their work, which was conducted by following a few hundred people as they replicated their voting behaviors in a realistic polling station setting, will provide a first step in ensuring that officials improve security, even if it’s to remind voters to check their printouts before submitting them.
A number of election technology vendors, including Dominion Voting Systems and Election Systems & Software, recently testified to the House Administration Committee in a hearing on election security, but it’s not clear whether any of them will be updating their systems based upon these findings. As such, it seems the easiest approach for election officials to take would be to focus on the voters themselves, and provide verbal instructions to remind them to check their printouts before submitting.
As with much in the world of technology, it can be tempting to focus purely on the technology side of things, but many cybersecurity vulnerabilities are instead very much human in nature. Electronic voting systems seem to be no exception.