The Internet Is No Place For Elections

Despite what election officials may tell you, you can’t trust the Internet with your vote.

This US election year foreign hackers infiltrated the Democratic National Committee’s e-mail system as well as voter databases in Arizona and Illinois. These attacks have reinforced what political scientists and technical experts alike have been saying for more than a decade: public elections should stay offline. It’s not yet feasible to build a secure and truly democratic Internet-connected voting system.

Researchers from government agencies and leading academic institutions studied the issue extensively following the debacle of the 2000 presidential race, and the consensus emerged that it should not occur. That’s still the case, and today’s rampant cybercrime should be reason enough to keep voting systems disconnected. We have no good defense against malware on voters’ computers or denial of service attacks, and sophisticated adversaries like those behind the attacks on big corporations we’ve seen in recent years will find ways to get into connected voting systems, says Ron Rivest, a leading cryptographer and MIT professor. “It’s a war zone out there,” he says.

Nevertheless, 32 states and the District of Columbia allow at least some absentee voters (in most cases just voters who live overseas or serve in the military) to return their completed ballots using poorly secured e-mail, Internet-connected fax machines, or websites. In the most extreme example, all voters in Alaska are allowed to return their completed ballots over a supposedly secure website. 

And there is a danger that Internet voting could expand. Vendors like the Spanish company Scytl, which supplied Alaska’s system, and Southern California-based Everyone Counts keep marketing these systems to election boards against the advice of security experts. And they haven’t opened their systems to public security testing.

In some cases, election officials don’t have enough technical background to distrust claims from vendors, says Pamela Smith, president of Verified Voting, a non-profit group that advocates for greater integrity and verifiability in elections. Terms like “military-grade encryption” or “unhackable” should be red flags, she says.

Even if the risk of cybercrime could be mitigated, building an online voting system that preserves the core components we expect from democratic elections would be technically complex. Today’s commercial systems do not achieve this; most of the states that offer ballot return via the Internet ask that voters first waive their right to a secret ballot. The key challenge is building an online system that generates some sort of credible evidence that proves the outcome “is what you say it is” during an audit, while maintaining voter privacy and the secret ballot, says Rivest.

In principle, this can be done using cryptography. But while there are cryptographic protocols that can help solve the “integrity and privacy facets” of Internet voting, the technology would be difficult for many people to use, says Joseph Kiniry, a voting technology expert and the CEO and chief scientist for Free & Fair, a startup that develops open-source, verifiable election technologies and services. That’s a disqualifier for use in democratic elections.

Kiniry, who also advises the US government on election technology via public working groups, was the technical lead on a recent project to examine the feasibility of “end-to-end verifiable Internet voting.” Such a system would rely on encryption to secure votes, keep them private, and make them verifiable after they are cast. The team of cryptographers (including Rivest), computer scientists, and other election experts, in collaboration with the US Vote Foundation, published a comprehensive report last year, concluding that many challenges remain in creating an Internet voting system.

Compared with a traditional, supervised voting system in a polling station, an Internet voting system requires “several hundred” additional technical properties for it to be suitable for elections, says Kiniry. “If someone builds a system that fulfills those properties and can prove it, great, then let’s use it,” he says. “But until we can do that, we just don’t have democratic voting infrastructure when it comes to Internet voting.”

Technology Review

 

 

« IBM’s Real -Time Cloud Platform For Financial Services
Otto: Uber Acquires Self-Driving Lorry Startup »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

Perimeter 81 / How to Select the Right ZTNA Solution

Perimeter 81 / How to Select the Right ZTNA Solution

Gartner insights into How to Select the Right ZTNA offering. Download this FREE report for a limited time only.

ZDL Group

ZDL Group

At ZDL (formerly ZeroDayLab) we take a comprehensive view of our clients cyber security risks and provide quality services to address those risk

Direct Recruiters Inc

Direct Recruiters Inc

Direct Recruiters is a relationship-focused search firm that assists IT Security and Cybersecurity companies with recruiting high-impact talent.

BPC Banking Technologies

BPC Banking Technologies

BPC’s advanced fraud prevention solution helps card issuers and acquirers combat the growing threat by monitoring 100% of transactions, online, in real-time across all channels.

Sasa Software

Sasa Software

Sasa Software is a cybersecurity software developer specializing in the prevention of file-based network attacks.

Wüpper Management Consulting (WMC)

Wüpper Management Consulting (WMC)

Specialized in compliance, risk management and holistic information security WMC GmbH has longtime implementation experience in global projects.

Cybersecurity Innovation Hub

Cybersecurity Innovation Hub

The main objective of the Hub is to bring cybersecurity and other advanced technologies closer to companies and as a result help to increase their performance as Industry 4.0.

Tesorion

Tesorion

Tesorion is a fusion of different enterprises each with its own specialisation in the field of cybersecurity. We have combined these specialisations to create an integrated comprehensive solution.

DarkLight

DarkLight

DarkLight is a cybersecurity platform that mimics human thinking at scale to build resiliency to Advanced Persistent Threats.

CloudSEK

CloudSEK

CloudSEK has set its sights on building the world’s fastest and most reliable AI technology, that identifies and resolves digital threats.

SecondWrite

SecondWrite

SecondWrite’s next-generation malware detection engine delivers a combination of automatic deep code inspection and accurate scoring of zero-day malware.

GateKeeper Enterprise

GateKeeper Enterprise

The GateKeeper Enterprise software is an identity access management solution. Automated proximity-based authentication into computers and websites. Passwordless login and auto-lock PCs.

Informatics International

Informatics International

Informatics is a leading ICT provider in Sri Lanka, providing cutting-edge software & infrastructure solutions and services including cyber security.

BaaSid

BaaSid

BaaSid is next generation security technology for data security & security authentication based on De-centralized & Blockchain.

LimaCharlie

LimaCharlie

LimaCharlie gives security teams full control over how they manage their security infrastructure. Get full visibility, build what you want, control your data, get the security capabilities you need.

Ghost Security

Ghost Security

Ghost is a venture backed, product-led startup building the new standard in application security for the modern enterprise.

Paubox

Paubox

Paubox offers secure, HIPAA compliant email and marketing solutions to fit the needs of modern healthcare organizations of every size.