4) Hackers have lots of potential targets
What could an attacker do? “There are literally hundreds of different threats,” Kiniry said.
Among the options:
- Attacking the ballot
One way to provide a digital ballot is to let voters download a PDF file with a list of candidates, which they then fill out, reupload and submit. These fillable PDFs may look like paper ballots, but they contain code similar to what runs on websites. “It’s a computer program that happens to appear to you as if it’s a piece of paper or a fillable form,” Wallach said.
By planting malware on a voter’s computer or phone, a hacker could tamper with the PDF’s code and force it to edit the votes after the voter closes it. Or malware in a web browser could stealthily edit the ballot after a voter clicks “submit.” Either way, the vote that gets tallied would not match what the voter intended — and the voter would have no way of knowing.
- Attacking the election website
For speed and stability reasons, modern websites load much of their content, including images and other code, from external sources, rather than hosting all those files on their own servers. By hacking one of these external code providers, bad actors could inject malicious code into an internet voting site and edit multiple ballots at once, without needing to directly infect a voter’s device.
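As an added example (not code from the article or from any voting vendor), the browser-side defense against the hacked-external-provider scenario above is Subresource Integrity (SRI): the page pins each third-party script to a hash, and the browser refuses to run a copy whose hash no longer matches. The script below audits a constructed sample page for third-party scripts that lack such a pin and computes the pin value for a given script body; the hostnames and HTML are made up for illustration.

```python
"""Audit an HTML page for third-party scripts loaded without SRI and
compute the SRI value a page must carry for a given script body.
Added example; hostnames and sample HTML are constructed, not real."""
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse


def sri_hash(script_body: bytes, algo: str = "sha384") -> str:
    """Return the integrity attribute value for exactly this script body."""
    digest = hashlib.new(algo, script_body).digest()
    return f"{algo}-{base64.b64encode(digest).decode()}"


class _ScriptCollector(HTMLParser):
    """Collect the attributes of every <script> tag that has a src."""
    def __init__(self) -> None:
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            d = dict(attrs)
            if d.get("src"):
                self.scripts.append(d)


def find_unprotected_scripts(html: str, site_host: str) -> list:
    """List script URLs served from another origin that carry no integrity pin."""
    parser = _ScriptCollector()
    parser.feed(html)
    flagged = []
    for attrs in parser.scripts:
        host = urlparse(attrs["src"]).hostname  # None for relative paths
        third_party = host is not None and host != site_host
        if third_party and not attrs.get("integrity"):
            flagged.append(attrs["src"])
    return flagged


# Constructed sample page: one third-party script pinned, one unpinned,
# and one first-party script (relative path) that SRI does not need to cover.
SAMPLE_HTML = """<html><head>
<script src="https://cdn.example.net/lib.js"
        integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script src="https://analytics.example.org/track.js"></script>
<script src="/static/ballot.js"></script>
</head></html>"""

if __name__ == "__main__":
    for url in find_unprotected_scripts(SAMPLE_HTML, "vote.example.gov"):
        print("third-party script without SRI:", url)
    print("pin for a sample body:", sri_hash(b"console.log('ballot');"))
```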
- Tampering with ballots in transit
The internet’s design makes it possible to “hijack” the system that directs internet traffic and force data intended for a particular destination to travel a different route. By exploiting this vulnerability, hackers “could set up a server that looks like and pretends to be the official server, but it’s actually running in some foreign country,” Wallach said. “Then they can receive the votes, tamper with them, and then retransmit them back to the proper server.”
Wallach said there were “probably five or six different well-known techniques” to carry out this kind of “man-in-the-middle” attack.
- Bogging down the election with bad data
One of the easiest ways to attack an internet voting system would be to blast it with an avalanche of garbage traffic in an attempt to slow it down and deny it the ability to serve voters. This is known as a denial-of-service attack, and hackers often rent botnets to carry out especially large ones.
Such an attack would “have enormously greater harm than we’ve ever seen with a traditional election,” said Kiniry, because “you won’t fundamentally know who had trouble voting, whose votes didn’t get through, and more.”
Kiniry described it as “the kind of thing that a talented 16-year-old can do with a credit card.”
- The insider threat
Perhaps the most insidious type of attack involves an employee of an internet voting vendor tampering with an election from the inside, abusing powers they are supposed to use to keep the system running properly. “Most of these systems deployed today in America are essentially built as if you completely trust the vendor that’s providing the service to you,” Kiniry said.
Substantially more sophisticated attacks would be within the capabilities of foreign adversaries such as Russia, which can afford to deploy teams of highly skilled hackers to spend weeks or months studying a system for weaknesses.
Security experts agree that if nation-state hackers focus their time and energy on trying to breach a system, they will eventually find ways to do so. As internet voting becomes more widespread, the motivation to attack it will only grow.
5) Audits have faulted the major internet voting vendors’ security
Virtually every audit of an internet voting system has revealed serious, widespread security vulnerabilities, although the ease with which a hacker could exploit them varies.
MIT and the security firm Trail of Bits recently released damning reports about Voatz, the company that ran West Virginia’s first-in-the-nation mobile-voting pilot in 2018. They discovered flaws that could let hackers alter people’s votes and reveal their identities.
The recent report from MIT and the University of Michigan reached similar conclusions about Democracy Live’s OmniBallot system, the one used in Delaware, West Virginia and last month’s municipal elections in New Jersey. It cataloged vulnerabilities including a lack of end-to-end encryption, a web app vulnerable to malware injection and “insufficient” protections on the product’s servers. “There is no way for voters to confirm that their votes have been transmitted without modification,” the authors warned, “and attackers could change votes in ways that would be difficult for voters, officials, or Democracy Live to detect.”
In early 2019, after the Swiss government partnered with the Spanish internet voting giant Scytl, researchers reported critical flaws that forced Switzerland to abandon the rollout. (Scytl filed for bankruptcy in May.)
Over the years, experts have also discovered major vulnerabilities in internet voting systems in Washington, D.C.; Toronto; New South Wales, Australia; and even the digital darling of Estonia. Multiple task forces have confirmed the infeasibility of internet voting.
“We have no example of an internet voting system that has gone through independent review and come out with flying colors,” Wallach said. He attributed the failures to the immaturity of the marketplace, saying larger, more experienced companies subject to years of outside scrutiny don’t make such “rookie mistakes.”
The National Academies of Sciences, Engineering, and Medicine strongly warned against internet voting in a 2018 report on election security, writing that “no known technology guarantees the secrecy, security, and verifiability of a marked ballot transmitted over the Internet.”
6) Internet voting advocates disagree
Election officials who embrace internet voting deny the risks are as serious as the experts say.
“You keep hearing from the same people over and over again, and they seem to have made their names in the business by being those naysayers,” West Virginia Secretary of State Mac Warner said.
Warner suggested it would “take a nation-state effort” to figure out how to tamper with each of the state’s various ballot formats and break into voters’ devices. He also encouraged experts to “be a part of the solution” by building better internet voting systems rather than criticizing current ones. (Many experts have spent years trying to do that. Their discoveries along the way have informed their criticism.)
But Warner also said it might be necessary to eliminate ballot secrecy for internet voting, in order to ensure that votes are safely transmitted. And he stressed he was not advocating for universal internet voting, because that would create too much of a security risk.
Warner, an Army veteran, two of whose children served in Afghanistan, said he supported internet voting for service members and other “specialty groups that are disenfranchised with the current system.”
The vendors, meanwhile, usually argue that hackers could never actually exploit vulnerabilities in their products. They also maintain that such a breach has never occurred in a live election, although security experts call that statement impossible to verify.
Vendors also often attack the researchers themselves, accusing them of sensationalizing their discoveries to generate media attention and undermine confidence in elections.
Democracy Live argues that its product does not constitute online voting at all because election officials print out the ballots after they arrive over the internet. The company also contends that its system is safe because it is hosted on Amazon’s well-regarded cloud platform, which has been approved for use by federal agencies.
Security experts dismiss these arguments, noting that a ballot can be manipulated before it arrives for printing, and Amazon’s security can’t prevent that.
“They are lying,” Wallach said. “None of these things are true, and those claims are dangerous, because it’s hard for nonexperts to look at those claims and see them as the lies that they are.”
Despite repeated requests, Democracy Live declined to make CEO Bryan Finney available for an interview.
New Jersey, meanwhile, has opted not to use Democracy Live’s system for July’s presidential primary after just one voter used it in the state’s municipal elections last month. The voting experiment had cost the state $89,000.
7) What it would take to make internet voting secure
Secure internet voting depends on two major advances: technology that allows voters’ computers and phones to demonstrate that they are malware-free, and end-to-end encryption to protect ballots in transit.
The latest versions of Android and iOS, the two dominant operating systems for phones and tablets, contain features that let devices certify their digital health to third parties, a process known as “attestation.” But the vast majority of Android phones run older versions of Google’s operating system. Plus, Wallach said, Google and Apple didn’t design their attestation features to support a mission-critical process like voting.
In addition, it is vastly more difficult to implement attestation features on computers, which differ from phones in terms of how their components interact. “I need to know that your network card is not running malware in its internal firmware,” Wallach said. “Nobody anywhere has a PC on their desk that can do that.”
Solving these problems would require expensive, long-term collaboration between virtually every big-name hardware- and software-maker, Kiniry said.
“If you were to make the top 20 people in the world literally drop everything and work together and work with those firms for a couple of years, you could actually build something that most of us would trust,” he said. “But that’s not an investment anyone is even marginally interested in making.”
Wallach agreed. “Will we be in a different world 10 years from now? Almost certainly. But 10 years is a long time. We’re nowhere near ready for this today.”