Blackbox: Online voting in the 2020 elections
Written By: Michael Walsh
A Byte of Online Voting
Sorry, you cannot vote online in the primaries or in presidential elections this year. That is, unless you have been selected to participate in one of the few small-scale pilot programs, such as the DemocracyLive system in Seattle, Washington, the Voatz platform in West Virginia, or most recently, the Shadow voting tool used for the 2020 Iowa caucuses just a few weeks ago.[1] These voting tools use blockchain technology to generate a unique hash for each vote.[2] To mitigate the risk of election tampering, the votes are submitted, but not counted electronically. [3] Each electronic submission is verified with a printed version of the ballot, then the printed ballots are tallied to calculate the total number of votes.[4] These electronic systems are usually deployed in areas in which voter turnouts are low or voting is only possible by remote means.[5] Ideally, these types of services may help improve voter turnout in the United states—a country in which less than 56% of voting-age adults participated in the 2016 presidential election.[6]
There is little federal oversight for online voting infrastructure, but Congress allocated an additional $380 million for voting infrastructure and security improvements,[7] and 85% of those funds are estimated by the U.S. Elections Assistance Commission to be used by states before the 2020 election.[8] Ideally, those funds will help to alleviate problems in areas with intermittent or low bandwidth internet connections, such as some of the precincts that experienced problems with the Shadow voting app during the 2020 Iowa caucuses.[9] Additionally, a slew of other bills has been introduced to help secure elections from (predominantly foreign) interference (see S.2669; H.R. 1946; H.R. 4990).[10] One amendment to the Help America Vote Act (HAVA) of 2002, passed in December 2019, allocated an additional $400 million to help secure voting infrastructure.[11] However, some experts indicate that modernizing and securitizing current voting infrastructure would cost nearly $2.5 billion, not considering recurring maintenance costs.[12] To modernize Pennsylvania’s infrastructure alone is estimated to cost upwards of $150 million, which accounts for nearly half of the total HAVA funds allotted from Congress.[13]
Election Security Concerns and the 2016 Election
The costs to establish secure voting infrastructure do not seem so exorbitant when considering voter trust. 2016 marked the first year in which Russian interference influenced the presidential elections.[14] This foreign interference happened not by meddling with voter infrastructure (which now usually verifies electronically submitted votes with paper ballots), but by alternative means such as phishing, distributed denial-of-service (“DDoS”), and denial-of-service (“DoS”) attacks.[15] These kinds of interference will certainly not be the last.[16] A recent national survey asked politicians about cybersecurity risks, “[f]orty percent said they’ve had an account compromised in a phishing attack. And 60% said they haven’t significantly updated the security of their accounts since 2016.”[17] Even without direct interference with voter infrastructure, threat actors can make a meaningful difference in the outcome of elections with phishing, DDoS and DoS attacks on other vectors including campaign email accounts or insecure servers used by political groups. In response, Microsoft and Google (the companies that provide the most popular email services in the nation) have been implementing security measures to prevent these attacks. Most countermeasures focus on implementing typical information security protections, such as multi-factor authentication, tokenization, and software-based mitigation techniques, such as spoofing and phishing detection.[18]
Experts still have many questions about the security and privacy of electronic voting systems, most particularly those that are completely paperless.[19] Nevertheless, some voting this year will be done in select states by phone or PC through the Voatz system (but with paper ballot verification).[20] Voatz uses blockchain technology paired with biometric data from users’ phones, such as face scans and fingerprints. Although this version of multi-factor authentication may alleviate fraudulent voting, it poses serious privacy concerns[21] and does not address other salient security risks of online voting, such as phishing, DDoS, and DoS attacks. Regardless, the future of voting is likely to be a digital one, as a recent study from University of Chicago found. The survey estimated that voter turnout could increase by several percentage points,[22] a figure that could compound with the help of universally compatible voting technology.
[1] Emily S. Rueb, Voting by Phone Gets a Big Test, but There Are Concerns, The New York Times (Jan. 23, 2020), https://www.nytimes.com/2020/01/23/us/politics/mobile-voting-washington.html [https://perma.cc/B2SR-NF88].
[2] Voatz, Frequently Asked Questions, https://voatz.com/faq.html [https://perma.cc/9RBS-6BK5].
[3] Id.
[4] Id.
[5] Rueb, supra note 1; Emily Dreyfuss, Smartphone Voting Is Happening, but No One Knows if It’s Safe, Wired (Aug. 9, 2018), https://www.wired.com/story/smartphone-voting-is-happening-west-virginia/ [https://perma.cc/JC2B-SYWF].
[6] Drew Desilver, U.S. Trails Most Developed Countries in Voter Turnout, Pew Research Center (May, 21 2018), https://www.pewresearch.org/fact-tank/2018/05/21/u-s-voter-turnout-trails-most-developed-countries/ [https://perma.cc/4T3C-4JD4].
[7] The Impact of HAVA Funding on the 2018 Elections, U.S. Election Assistance Commission (2019), https://www.eac.gov/sites/default/files/paymentgrants/TheImpactofHAVAFundingonthe2018Elections_EAC.pdf [https://perma.cc/6KDW-RNEJ].
[8] Id.; U.S Senate Committee on Rules and Administration Oversight of the Election Assistance Commission, U.S Election Assistance Commission (May 15, 2019), https://www.rules.senate.gov/imo/media/doc/EAC_Testimony.pdf [https://perma.cc/95VB-NA4H]; Elizabeth Howard, Defending Elections: Federal Funding Needs for State Election Security, The Brennan Center (July 18th, 2019), https://www.brennancenter.org/our-work/research-reports/defending-elections-federal-funding-needs-state-election-security [https://perma.cc/P7UC-8ZW4].
[9] Kevin Roose, The Only Safe Election is A Low-Tech Election, The New York Times (Feb. 4, 2020), https://www.nytimes.com/2020/02/04/technology/election-tech.html, [https://perma.cc/2C8W-982G]; Nick Corasaniti, Sheera Frenkel and Nicole Perlroth, App Used to Tabulate Votes is Said to Have Been Inadequately Tested, The New York Times (Feb. 3, 2020), https://www.nytimes.com/2020/02/03/us/politics/iowa-caucus-app.html [https://perma.cc/B7TG-YJ2P]; Keith Collins, Denise Lu, Charlie Smart, We Checked the Iowa Caucus Math. Here’s Where it Didn’t Add Up, The New York Times (Feb. 14 2020), https://www.nytimes.com/interactive/2020/02/14/us/politics/iowa-caucus-results-mistakes.html [https://perma.cc/HH8N-DURV].
[10] S.2669, 116th Cong. (2019); H.R. 1946, 116th Cong. (2019); H.R. 4990, 116th Cong. (2019).
[11] U.S. Election Assistance Commission, How Can The States Use the Funds? (Jan. 6, 2020) https://www.eac.gov/how-can-states-use-funds-0 [https://perma.cc/79W6-WHYA]; H.R. 1158 § 501, 116th Cong. (2019).
[12] Lawrence Norden and Edgardo Cortez, What Does Election Security Cost?, The Brennan Center (Aug. 15, 2019), https://www.brennancenter.org/our-work/analysis-opinion/what-does-election-security-cost [ https://perma.cc/TL69-YCU2].
[13] Howard, supra note 8.
[14] U.S. Senate Committee 116th Congress, Report of the Select Committee on Intelligence United States Senate on Russian Active Measures Campaigns and Interference in the 2016 U.S. Election Volume 1: Russian Efforts Against Election Infrastructure With Additional Views
https://www.intelligence.senate.gov/sites/default/files/documents/Report_Volume1.pdf [https://perma.cc/CZ47-7XLY]; Andy Greenberg, Feds’ Damning Report on Russian Election Hack Won’t Convince Skeptics, Wired (Jan. 6, 2017), https://www.wired.com/2017/01/feds-damning-report-russian-election-hack-wont-convince-skeptics/ [https://perma.cc/2T8Q-YZR9]; David E. Sanger and Catie Edmonson, Russia Targeted Election Systems in All 50 States, Report Finds, The New York Times (July 25, 2019), https://www.nytimes.com/2019/07/25/us/politics/russian-hacking-elections.html [https://perma.cc/78SM-YVZ4].
[15] Andy Greenberg, Everything We Know About Russia’s Election-Hacking Playbook, Wired (June 9 2017), https://www.wired.com/story/russia-election-hacking-playbook/ [https://perma.cc/EAZ8-W5Z4]; Shannon Bond, 2020 Political Campaigns Are Trying To Avoid A 2016-Style Hack, Nat’l Pub. Radio (Jan. 28, 2020), https://www.npr.org/2020/01/28/799062773/2020-political-campaigns-are-trying-to-avoid-a-2016-style-hack [https://perma.cc/T2ER-KQ9U]; Jeremey Ashkenas, Was It a 400-Pound, 14-Year-Old Hacker, or Russia? Here’s Some of the Evidence, The New York Times (Jan. 26, 2017), https://www.nytimes.com/interactive/2017/01/06/us/russian-hack-evidence.html [https://perma.cc/U9CX-N829].
[16] Miles Parks, Russian Hackers Targeted The Most Vulnerable Part Of U.S. Elections Again, Nat’l Pub. Radio (July 28, 2018), https://www.npr.org/2018/07/28/633056819/russian-hackers-targeted-the-most-vulnerable-part-of-u-s-elections-again [https://perma.cc/MR8E-3H3Q]; Shannon Bond, Microsoft Says Iranians Tried To Hack U.S. Presidential Campaign, Nat’l Pub. Radio (Oct. 4, 2019), https://www.npr.org/2019/10/04/767274042/microsoft-says-iranians-tried-to-hack-u-s-presidential-campaign [https://perma.cc/K9ST-T55N].
[17] Bond, supra note 15.
[18] Tom Burt, Protecting Democracy with Microsoft AccountGuard, Microsoft Blog (August 20, 2018), https://blogs.microsoft.com/on-the-issues/2018/08/20/protecting-democracy-with-microsoft-accountguard/ [https://perma.cc/7MGY-MW5X]; Lily Hay Newman, Google’s Giving Out Security Keys to Help Protect Campaigns, Wired (Feb. 11, 2020), https://www.wired.com/story/google-free-security-keys-campaigns/ [https://perma.cc/4TN7-9SQ2].
[19] David Jefferson et al., What We Don’t Know About the Voatz “Blockchain” Internet Voting, System (May 1, 2019), https://cse.sc.edu/~buell/blockchain-papers/documents/WhatWeDontKnowAbouttheVoatz_Blockchain_.pdf [https://perma.cc/62H2-MQN4]; Michael A. Specter et al, The Ballot is Busted Before the Blockchain: A Security Analysis of Voatz, the First Internet Voting Application Used in U.S. Federal Elections, Mass. Inst. of Tech., https://internetpolicy.mit.edu/wp-content/uploads/2020/02/SecurityAnalysisOfVoatz_Public.pdf [https://perma.cc/89H7-XLP2]; Abby Abazorius, MIT Researchers Identify Security Vulnerabilities in Voting App, MIT News (Feb. 13, 2020), http://news.mit.edu/2020/voting-voatz-app-hack-issues-0213 [https://perma.cc/AA49-97FS]; Robby Mook et al., Cybersecurity Campaign Playbook, Harv. Kennedy School Belfer Center (Nov. 2017), https://www.belfercenter.org/CyberPlaybook [https://perma.cc/82NN-KA57]; Miles Parks, In 2020, Some Americans Will Vote On Their Phones. Is That The Future?, Nat’l Pub. Radio (Nov 7, 2019), https://www.npr.org/2019/11/07/776403310/in-2020-some-americans-will-vote-on-their-phones-is-that-the-future [https://perma.cc/4W62-9TLS].
[20] Voatz, supra note 2.
[21] Jefferson, supra note 19.
[22] David Stone, Jul 30, 2019 West Virginia Was the First State to Use Mobile Voting. Should others follow? U. of Chi. (July 30, 2019), https://news.uchicago.edu/story/voting-mobile-devices-increases-election-turnout [https://perma.cc/NAF9-69B5]; Anthony Fowler, Promises and Perils of Mobile Voting, U. of Chi. (June 2019), https://cpb-us-w2.wpmucdn.com/web.sas.upenn.edu/dist/7/538/files/2019/06/Fowler_MobileVoting.pdf [https://perma.cc/6N8C-VQGZ].