E-voting is a terrible idea

After Hurricane Sandy in 2012, election officials in some parts of America decided that they’d allow emergency e-voting from home. You’d download a ballot paper, you’d fill it out, and then you would email or fax it back to them. And yes, some people still fax. This was a terrible idea, and here’s why.

Physical voting is centuries old. In that time, pretty much every conceivable method of fraud has been tried, and has since been defended against. Because of that, attacks on physical voting don’t scale well. It takes so much effort, so many people, and it only takes one person to leak your conspiracy and the whole thing falls apart.

Electronic voting, though? You can attack with one person. It can take about the same effort to change one vote as it does to change a million. And it can be done without even setting foot in the country whose elections you’re trying to rig.

There are two key parts of an election. Anonymity, and trust.

First of all, anonymity. You cannot let anyone pay, bribe, or threaten in order to change someone’s vote. If you put any identifying mark on your paper ballot, if you sign it, if you write your name on it, if you do anything that could, in theory, be used to check how you voted, your vote is thrown out and ignored, just so no-one can be forced or bribed to vote a certain way.

And yet, because you marked your vote, and you put it into a sealed box, and that box was only unsealed when it was surrounded by everyone with a stake in the election, you know that your vote has still been counted, even though you’ll never see it again.

That’s the other key: trust. You never, ever, ever, trust any one individual. Ideally, you don’t trust any two, or three. People can be bribed, can be threatened, can be incompetent. I mean, hell, people have been all three of those things. But like I said: the more physical votes you want to change, the more people it takes and the less possible your attack gets. Everyone can see what’s happening and keep an eye on each other, particularly if they don’t trust the other side.

So let’s talk about voting machines.

Problem 1: Auditing the software and hardware

In theory, you could have open source software that everyone has checked and everyone is happy with and that’s been used for years. In theory. Never mind that you only actually do a full-scale test of this software every few years when there’s actually an election; let’s say theoretically it can be done.

But how do you make sure that software is what’s actually loaded on that voting machine in front of you on the day of the election?

And I know that immediately, someone is going to want to comment about checksums or crypto. Which is great, except now you have to trust the software that’s checking that hash. Or more likely, the one person that’s checking it for you. You’ve just moved the problem.

And if you’re thinking “I could verify that”, then turn your brain the other way, and think “how could I break that?” because there are trillions of dollars — that’s not an exaggeration — riding on the result of big elections, and that’s an incredible motivation. If you’re coming up with sneaky ways to get around it… believe me, so are lots of other people. It might be one angry techie, but it might be an entire political party, or the huge corporations who want one party to win, or entire nation states who want one party to win.

And all that is assuming you’re even allowed to verify the software that’s running, which you never are, because plugging unknown USB sticks into a voting machine is a bad idea. Not that that stops people plugging unknown USB sticks into a voting machine. It has literally happened. Let’s remember, these machines have to be left in a room with the voter and no-one else in order for them to cast their vote anonymously. Oh, by the way, the machines are frequently programmed by sticking a USB into each of them in turn, so if you compromise the first one, jackpot.

In practice, you don’t have open source software, you have proprietary, unaudited software which you just have to trust. This is real, by the way: around the world, there are some elections that run on this. And remember what I said? This is an election. You don’t trust.

And maybe you’re thinking, you could have an audit trail, you could have a paper backup that the machine prints out as you vote. In which case, congratulations, you’ve just invented the world’s most expensive pencil. One of the reasons Britain gives people pencils for voting, by the way, is because we’re worried that pens might be switched by any voter to contain disappearing ink. Erasing pencil ballots? Takes time, and if you can do that, you can just throw them away. Disappearing ink? It might be an urban legend, but it might actually be a plausible attack vector. This is the level of paranoia we need to work at here.

And don’t think you can get away with all this by using a pile of paper ballots and just counting them electronically, either: an electronic counting machine is still a black box that a pile of ballots goes into and a mysterious number comes out of. They’ve got exactly the same problems.

Problem 2: Votes In Transit

There are three ways of moving the magic electronic ballot numbers from the voting machines to the final count.

You could treat the machine like a regular ballot box: you seal it in a plastic bag, move the physical machine with two people in the vehicle to the count, and then unseal it there. No-one does this.

You could copy the result onto a handy USB stick and move that instead. Do I need to run through how easily… no. Okay.

Or, and this is what usually happens, you could tell the voting machine to upload the results over the internet, optionally through a third central server, and potentially not over a secure connection, and probably without any checksums or tests. [exasperating]

Problem 3: Central Count Program

And right at the end, there’s the program that takes all these numbers, all these votes, and produces a final count. Now you’ve got all the same problems you have with the individual voting machines, except now only a few people can even see that machine, and it’s been hidden away in a private warehouse somewhere for the last few years. Good luck verifying that.

And all this — all this — is before we even talk about online voting.

I could talk about all the ways in which you could hijack ballots, block an email address — because after Hurricane Sandy, the ballots were sent by email — or any of the ways you could do a man-in-the-middle attack on that. All possible.

And those are just if it’s a well-designed system. There are reports of actual live elections where there were cross-site scripting attacks in the e-voting page, where they’d misspelled one party’s name, and where they’d put the wrong party’s logo next to a candidate. Sorry, did I say elections? I meant election. That was all the same election; it was in Hampshire in 2007. But never mind all that.

Depending on which security company you believe, somewhere between 5% and 50% of desktop computers are infected with something. And that’s just the scammers trying to set up botnets and minor extortions using private computers. If you want to affect a load of votes, try infecting the computers at the public library. But never mind all that.

We’ve seen what big scary countries and big scary corporations can do when they put their mind to it. Given that someone designed an immensely complicated worm that spread around the world just to break some Iranian centrifuges, imagine what someone could do if they wanted to throw an online election.

Remember, again, when you hear “just trust us”, or “just trust me”, or “it’s a computer, it doesn’t go wrong” in an election, something has already gone disastrously wrong.

Imagine all this electronic voting, only without computers. Would you be happy walking up to someone anonymous in a ballot box, or worse, calling a number on your phone, just telling them your vote — but they promise to keep it secret — and at the end of the election all those people, who have been sitting on their own, phone up one other person in private and tell their results, and then that final person — who promises to count it all up accurately — announces who’s won? Because that’s essentially what electronic voting is.

It is a terrible idea, and if a government ever promises to use it, hope they don’t manage it before you get a chance to vote them out.