The Internet Is No Place For Elections

Despite what election officials may tell you, you can’t trust the Internet with your vote.

This US election year foreign hackers infiltrated the Democratic National Committee’s e-mail system as well as voter databases in Arizona and Illinois. These attacks have reinforced what political scientists and technical experts alike have been saying for more than a decade: public elections should stay offline. It’s not yet feasible to build a secure and truly democratic Internet-connected voting system.

Researchers from government agencies and leading academic institutions studied the issue extensively following the debacle of the 2000 presidential race, and the consensus emerged that it should not occur. That’s still the case, and today’s rampant cybercrime should be reason enough to keep voting systems disconnected. We have no good defense against malware on voters’ computers or denial of service attacks, and sophisticated adversaries like those behind the attacks on big corporations we’ve seen in recent years will find ways to get into connected voting systems, says Ron Rivest, a leading cryptographer and MIT professor. “It’s a war zone out there,” he says.

Nevertheless, 32 states and the District of Columbia allow at least some absentee voters (in most cases just voters who live overseas or serve in the military) to return their completed ballots using poorly secured e-mail, Internet-connected fax machines, or websites. In the most extreme example, all voters in Alaska are allowed to return their completed ballots over a supposedly secure website. 

And there is a danger that Internet voting could expand. Vendors like the Spanish company Scytl, which supplied Alaska’s system, and Southern California-based Everyone Counts keep marketing these systems to election boards against the advice of security experts. And they haven’t opened their systems to public security testing.

In some cases, election officials don’t have enough technical background to distrust claims from vendors, says Pamela Smith, president of Verified Voting, a non-profit group that advocates for greater integrity and verifiability in elections. Terms like “military-grade encryption” or “unhackable” should be red flags, she says.

Even if the risk of cybercrime could be mitigated, building an online voting system that preserves the core components we expect from democratic elections would be technically complex. Today’s commercial systems do not achieve this; most of the states that offer ballot return via the Internet ask that voters first waive their right to a secret ballot. The key challenge is building an online system that generates some sort of credible evidence that proves the outcome “is what you say it is” during an audit, while maintaining voter privacy and the secret ballot, says Rivest.

In principle, this can be done using cryptography. But while there are cryptographic protocols that can help solve the “integrity and privacy facets” of Internet voting, the technology would be difficult for many people to use, says Joseph Kiniry, a voting technology expert and the CEO and chief scientist for Free & Fair, a startup that develops open-source, verifiable election technologies and services. That’s a disqualifier for use in democratic elections.

Kiniry, who also advises the US government on election technology via public working groups, was the technical lead on a recent project to examine the feasibility of “end-to-end verifiable Internet voting.” Such a system would rely on encryption to secure votes, keep them private, and make them verifiable after they are cast. The team of cryptographers (including Rivest), computer scientists, and other election experts, in collaboration with the US Vote Foundation, published a comprehensive report last year, concluding that many challenges remain in creating an Internet voting system.

Compared with a traditional, supervised voting system in a polling station, an Internet voting system requires “several hundred” additional technical properties for it to be suitable for elections, says Kiniry. “If someone builds a system that fulfills those properties and can prove it, great, then let’s use it,” he says. “But until we can do that, we just don’t have democratic voting infrastructure when it comes to Internet voting.”

Technology Review

 

 

« IBM’s Real -Time Cloud Platform For Financial Services
Otto: Uber Acquires Self-Driving Lorry Startup »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

Watch this webinar to hear security experts from Amazon Web Services (AWS) and SANS break down the myths and realities of what an NGFW is, how to use one, and what it can do for your security posture.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

Praetorian

Praetorian

Praetorian is an offensive cybersecurity company whose mission is to prevent breaches before they occur.

NTNU Center for Cyber & Information Security (NTNU CCIS)

NTNU Center for Cyber & Information Security (NTNU CCIS)

NTNU CCIS is a national centre for research, education, testing, training and competence development within the area of cyber and information security.

National Institute of Information and Communications Technology (NICT) - Japan

National Institute of Information and Communications Technology (NICT) - Japan

NICT is Japan’s sole National Research and Development Agency specializing in the field of information and communications technology.

CyberKnight Technologies

CyberKnight Technologies

CyberKnight Technologies is a cybersecurity focused value-added-distributor (VAD) headquartered in Dubai and covering the Middle East.

Fly Ventures

Fly Ventures

Fly Ventures is a seed-stage venture capital fund for outstanding teams building Enterprise and Deep Tech startups in Europe.

Inetum

Inetum

Inetum (formerly Gfi Informatique) is an agile IT services providing digital services and solutions, and a global group that helps companies and institutions to get the most out of digital flow.

PSafe

PSafe

PSafe is a leading provider of mobile privacy, security, and performance apps. We deliver innovative products that protect your freedom to safely connect, share, play, express and explore online.

Pivot Technology School

Pivot Technology School

Pivot Tech offers Data Analytics, Software Development and Cyber Security training in boot camp style cohorts.

BreachQuest

BreachQuest

BreachQuest brings together cybersecurity experts with decades of experience identifying security flaws, penetrating networks, and responding to incidents.

Cyber Bytes Foundation

Cyber Bytes Foundation

Cyber Bytes Foundation exists to establish and sustain a unique Cyber Ecosystem to accelerate the development of a strong Cyber workforce and support community outreach programs.

BaXian Group

BaXian Group

BaXian AG is an international consulting company specializing in IT security, data analytics, risk management and compliance.

MicroAge

MicroAge

Powered by five decades of experience, lasting partnerships, client relationships, and the values that guide us daily, MicroAge is here to help you secure, accelerate, and transform your business.

Goldilock

Goldilock

Goldilock is redefining how sensitive data, devices, networks and critical infrastructure can be secured.

Codenotary

Codenotary

Codenotary provide a comprehensive suite of verification and enforcement services to guarantee the integrity of your software throughout its entire lifecycle.

InfoSight

InfoSight

InfoSight offers proven Cyber Security, Regulatory Compliance, Risk Management and Infrastructure Solutions to protect your business and your customers from cyber crime and fraud.

DRT Cyber

DRT Cyber

DRT Cyber deploys technology solutions to support the functions of cybersecurity, privacy, and risk management.