The Internet Is No Place For Elections

Despite what election officials may tell you, you can’t trust the Internet with your vote.

This US election year foreign hackers infiltrated the Democratic National Committee’s e-mail system as well as voter databases in Arizona and Illinois. These attacks have reinforced what political scientists and technical experts alike have been saying for more than a decade: public elections should stay offline. It’s not yet feasible to build a secure and truly democratic Internet-connected voting system.

Researchers from government agencies and leading academic institutions studied the issue extensively following the debacle of the 2000 presidential race, and the consensus emerged that it should not occur. That’s still the case, and today’s rampant cybercrime should be reason enough to keep voting systems disconnected. We have no good defense against malware on voters’ computers or denial of service attacks, and sophisticated adversaries like those behind the attacks on big corporations we’ve seen in recent years will find ways to get into connected voting systems, says Ron Rivest, a leading cryptographer and MIT professor. “It’s a war zone out there,” he says.

Nevertheless, 32 states and the District of Columbia allow at least some absentee voters (in most cases just voters who live overseas or serve in the military) to return their completed ballots using poorly secured e-mail, Internet-connected fax machines, or websites. In the most extreme example, all voters in Alaska are allowed to return their completed ballots over a supposedly secure website. 

And there is a danger that Internet voting could expand. Vendors like the Spanish company Scytl, which supplied Alaska’s system, and Southern California-based Everyone Counts keep marketing these systems to election boards against the advice of security experts. And they haven’t opened their systems to public security testing.

In some cases, election officials don’t have enough technical background to distrust claims from vendors, says Pamela Smith, president of Verified Voting, a non-profit group that advocates for greater integrity and verifiability in elections. Terms like “military-grade encryption” or “unhackable” should be red flags, she says.

Even if the risk of cybercrime could be mitigated, building an online voting system that preserves the core components we expect from democratic elections would be technically complex. Today’s commercial systems do not achieve this; most of the states that offer ballot return via the Internet ask that voters first waive their right to a secret ballot. The key challenge is building an online system that generates some sort of credible evidence that proves the outcome “is what you say it is” during an audit, while maintaining voter privacy and the secret ballot, says Rivest.

In principle, this can be done using cryptography. But while there are cryptographic protocols that can help solve the “integrity and privacy facets” of Internet voting, the technology would be difficult for many people to use, says Joseph Kiniry, a voting technology expert and the CEO and chief scientist for Free & Fair, a startup that develops open-source, verifiable election technologies and services. That’s a disqualifier for use in democratic elections.

Kiniry, who also advises the US government on election technology via public working groups, was the technical lead on a recent project to examine the feasibility of “end-to-end verifiable Internet voting.” Such a system would rely on encryption to secure votes, keep them private, and make them verifiable after they are cast. The team of cryptographers (including Rivest), computer scientists, and other election experts, in collaboration with the US Vote Foundation, published a comprehensive report last year, concluding that many challenges remain in creating an Internet voting system.

Compared with a traditional, supervised voting system in a polling station, an Internet voting system requires “several hundred” additional technical properties for it to be suitable for elections, says Kiniry. “If someone builds a system that fulfills those properties and can prove it, great, then let’s use it,” he says. “But until we can do that, we just don’t have democratic voting infrastructure when it comes to Internet voting.”

Technology Review

 

 

« IBM’s Real -Time Cloud Platform For Financial Services
Otto: Uber Acquires Self-Driving Lorry Startup »

CyberSecurity Jobsite
Check Point

Directory of Suppliers

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

Homeland Security Advanced Research Projects Agency (HSARPA)

Homeland Security Advanced Research Projects Agency (HSARPA)

HSARPA's Cyber Security Division (CSD) was set up to address DHS cyber operational and critical infrastructure protection requirements.

Athena Forensics

Athena Forensics

Athena Forensics is one of the UK's leading providers of Computer Forensics, Mobile Phone Forensics, Cell Site Analysis and Expert Witness Services.

SecuriThings

SecuriThings

SecuriThings is a User and Entity Behavioral Analytics (UEBA) solution for IoT security.

ABL Cyber Academy

ABL Cyber Academy

ABL provide certified training courses in the field of cyber security and IT project management.

BHC Laboratory

BHC Laboratory

BHC Laboratory is a cyber capabilities’ development company for a wide range of global customers.

Pentera Security

Pentera Security

Pentera (formerly Pcysys) is focused on the inside threat. Our automated penetration-testing platform mimics the hacker's attack - automating the discovery of vulnerabilities.

Hubraum

Hubraum

Hubraum is Deutsche Telekom’s tech incubator, helping startups to create new business opportunities in areas including data analytics, AI, robot process automation and cyber security.

StoneLock

StoneLock

StoneLock is a trusted leader in the design and manufacture of facial recognition software and technology.

OSIbeyond

OSIbeyond

OSIbeyond provides comprehensive Managed IT Services to organizations in the Washington D.C., MD, and VA area including IT Help Desk Support, Cloud Solutions, Cybersecurity, and Technology Strategy.

Iterasec

Iterasec

Iterasec provides a full range of security services to hacker-proof your products and make software engineering process secure by design.

Fortiedge

Fortiedge

Fortiedge is an IT Security solution provider specializing in Cyber Security practices and solutions for our clients.

Guardio

Guardio

Guardio develop tools and products to combat modern web and browser threats.

SpeQtral

SpeQtral

SpeQtral offers commercial space-based Quantum Key Distribution (QKD) founded on technology developed at the National University of Singapore.

Evervault

Evervault

Evervault provides engineers easy solutions to complex data security and compliance problems.

ClearFocus Technologies

ClearFocus Technologies

ClearFocus Technologies provides advanced cybersecurity services that secure our nation’s most sensitive assets.

Tundra Managed Solutions

Tundra Managed Solutions

Tundra Managed Solutions is a comprehensive IT services division offering a wide range of managed solutions designed to meet the diverse needs of businesses.