Why blockchain-based voting could threaten democracy
- 12 August, 2019 20:00
Public tests of blockchain-based mobile voting are growing.
Even as there's been an uptick in pilot projects, security experts warn that blockchain-based mobile voting technology is innately insecure and potentially a danger to democracy through "wholesale fraud" or "manipulation tactics."
The topic of election security has been in the spotlight recently after Congress held classified briefings on U.S. cyber infrastructure to identify and defend against threats to the election system, especially after Russian interference was uncovered in the 2016 Presidential election.
Thirty-two states permit various kinds of online voting – such as via email – for some subset of voters. In the 2016 general election, more 100,000 ballots were cast online, according to data collected by the U.S. Election Assistance Commission. The actual number is likely much higher, according to some experts.
One method of enabling online voting has been to use applications based on blockchain, the peer-to-peer technology that employs encryption and a write-once, append-many electronic ledger to allow private and secure registration information and ballots to be transmitted over the internet. Over the past two years, West Virginia, Denver and Utah County, Utah have all used blockchain-based mobile apps to allow military members and their families living overseas to cast absentee ballots using an iPhone.
Mike Queen, deputy chief of staff for West Virginia Secretary of State Mac Warner, said that while the state currently has no plans to expand the use of the mobile voting beyond military absentee voters, his office did "a ton of due diligence" on the technology before and after using it.
"Not only does blockchain make it secure, but [the blockchain-based mobile app] has a really unique biometric safeguard system in place as well as facial recognition and thumb prints," Queen said via email after 2018 General Election.
Security experts disagree. The issues around online voting include server penetration attacks, client-device malware, denial-of-service (DoS) attacks and other disruptions, all associated with infecting voters' computers with malware or infecting the computers in the elections office that handle and count ballots.
"If I were running for office and they decided to use blockchain for that election, I'd be scared," said Jeremy Epstein, vice chairman of the Association for Computing Machinery's U.S. Technology Policy Committee.
Epstein co-authored an election security report with Common Cause, the National Election Defense Council, and the R Street Institute, "Email and Internet Voting: The Overlooked Threat to Election Security." In it, he criticized blockchain and internet voting as a ready target for online attacks by foreign intelligence and said transmission of ballots over the internet, including by email, fax and blockchain systems, are seriously vulnerable.
"Military voters undoubtedly face greater obstacles in casting their ballots. They deserve any help the government can give them to participate in democracy equally with all other citizens," Epstein wrote. "However, in this threat-filled environment, online voting endangers the very democracy the U.S. military is charged with protecting."
There are many reasons blockchain is not good for voting, Epstein said. For one, it assumes there's no malware in the voter's computer. It also assumes you want all the votes to be perennially public, because if someone finds a way to hack into the blockchain, everyone's vote becomes public. And, while blockchain networks may be able to handle small absentee voter populations, the technology could not stand up to use by the general voter populace and its volumes.
Until there is a major technological breakthrough in or fundamental change to the nature of the internet, the best method for securing elections is a tried-and-true one: mailed paper ballots, according to Epstein.
While paper ballots are not tamper-proof, they are not vulnerable to the same wholesale fraud or manipulation associated with internet voting, Epstein said.
"Tampering with mailed paper ballots is a one-at-a-time attack. Infecting voters' computers with malware or infecting the computers in the elections office that handle and count ballots are both effective methods for large-scale corruption," Epstein said.
West Virginia, the first state to use a blockchain-based mobile voting system, was also criticized by Epstein who said the state was willing to go out on a limb "pretty much more than anyone else" and "never shared publicly how they decided these systems were secure.
"They're taking word of the vendor," Epstein said.
What we don't know about internet voting
In a research paper written by computer scientists from Lawrence Livermore National Laboratory and the University of South Carolina, along with election oversight groups, internet voting startup Voatz was called out for not releasing any "detailed technical description" of its technology.
Voatz's blockchain-based voting service was the one used West Virginia, Denver and Utah County to enable military absentee voting.
"Most of the details of the architecture and procedure are apparently confidential, though it is not clear why," the research paper said. "The system has not gone through federal certification, or any public certification to our knowledge. The company has not disclosed its source code nor allowed its system to be examined open by third parties."
Voatz has contracted with Palo Alto-based authentication company Jumio to perform remote voter authenticaiton. The authentication procedure requires a voter using the Voatz iPhone app to send to Jumio a photo of their driver's license or passport photo page along with a short, live selfie video of their face. Jumio uses machine learning facial comparison software to determine whether the face on the ID matches the one in the video. If it does, the voter is authenticated.
The researchers questioned the efficacy of using a tiny driver's license or passport photo for authentication purposes and noted those photos can be up to 10 years old. Among other problems, they also noted facial comparison systems have been discovered to have high error rates, especially for minorities.
One of the groups that contributed to the report was the non-profit Verified Voting Foundation, whose stated purpose is to preserve the democratic process with modern voting technology. Marian Schneider, president of the Verified Voting Foundation, said online voting can't be made safe and blockchain is an unnecessary complexity.
"Current commercial systems with blockchain components are using the blockchain as an encrypted ballot box. Votes go there after they are susceptible to all of the attacks [already mentioned]," Schneider said. "If something happens, it might not be detected, and incorrect data would be in the blockchain.
"I don't think online voting can resolve any issues because the issues it purports to resolve create other issues that are worse," she continued. "The ability to track back to a voter's vote makes current systems not secret so they do not preserve the right to a secret ballot."
Voatz CEO Nimit Shawhney called some claims made in the research paper "inaccurate" and his company's mobile voting system has undergone several independent, third-party audits, including penetration testing and source code reviews.
"These audits were additionally audited by multiple independent security auditors (including former members of the FBI’s elite cyber division). Voatz has also scheduled ongoing audits with the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA)," Shawhney said via email.
Federal certification standards for mobile-focused election systems, he noted, are not available "as yet." And he argued that revealing the company's intellectual property would court poaching by competitors.
"We do share the confidential details about our system with our customers and relevant parties (e.g. security auditors)," Shawhney said.
Voatz's mobile system uses a combination of in-house and third-party solutions, such as Jumio's, to perform remote identity proofing.
The photograph on a license or passport, Shawhney explained, is just one of the data points used to verify a remote voter’s identity. Others include a short video "selfie," and a manual review of each image and document comparison.
"Whenever there is even a slight doubt about the veracity of a document or the selfie, the voter is prompted to provided additional information and cannot proceed with the voting process without passing all the checks," Shawhney said.
The need is real
Blockchain andinternet-based voting platforms, however, have been viewed as one way to boost voter participation by making the process easier through mobile apps that allow both registration and ballot casting to occur from anywhere in the world. Voters in those systems pre-register and then can use their smartphone's biometric finger print readers or facial recognition technology to sign in to cast their votes.
The number of pilots, while growing, remains relatively small - a few dozen, mainly for shareholder proxy voting and university student government elections. But state and municipal governments have been testing blockchain-based mobile voting over the past year.
In the 2018 election, 144 registered West Virginia voters from 21 counties cast ballots from 31 different countries using an app from Voatz.
New research from the University of Chicago found that allowing military members overseas to vote using a mobile device increased turnout by 3% to 5% among those eligible to use the system in the 2018 federal election in West Virginia.
Anthony Fowler, lead study author and associate professor at the University of Chicago, said that being able to cast ballots online using only smartphones or other mobile devices can dramatically reduce the costs of voting, particularly for under-represented groups, and has significant effects on the size and composition of the voting population.
"We are likely to see more trials soon, so this is a good time to study the consequences of this reform," Fowler wrote. "New survey data shows that many Americans are understandably wary of online voting."
A third-party audit conducted by the National Cybersecurity Center (NCC) and Denver Election Divisions showed that votes cast over the blockchain application were recorded and tabulated accurately. The final numbers showed that voter turnout doubled from the 2015 election and a post-election survey from the Denver Elections Division found that 100% of respondents said they favored secure mobile voting over all methods available to them.
"We are very excited about the promise of this technology," Jocelyn Bucaro, Denver's Deputy Director of Elections, said in a statement. "Our goal was to offer a more convenient and secure method for military and overseas citizen voters to cast their ballots, and this pilot proved to be successful. More voters participated in this cycle, in part thanks to this convenient method, and those voters who voted using the application prefer to vote by this method in all elections in the future."
Jonathan Johnson, an Overstock.com board member and the president of Medici Ventures, Overstock's subsidiary responsible for advancing blockchain technology, believes remote voting via electronic devices will be more widely adopted.
"After a successful pilot program in West Virginia of the Voatz digital remote voting application... more states will look to re-enfranchise their overseas voters," Johnson said in an earlier interview. "Other states may use it to make accommodations for disabled voters. But, as people get comfortable with it, there will be an outcry for it from the voting citizenry. If I can vote overseas using it, then why can't I use it when I'm here [in country]?"
Medici Ventures-backed Voatz is among a small community of mobile voting platforms worldwide using blockchain as the basis for a distributed voting system. Other companies include Barcelona-based Scytl, Australia-based SecureVote, London-based Smartmatic Corp. and Cleveland-based Votem Corp. Though Votem reportedly shuttered its operations after layoffs, Votem CEO Peter Martin said via email the company continues to support its customers "and in fact have signed up some new customers."
Even so, several European countries abandoned internet voting after seeing that the increases in turnout were not as large as expected, the Univeristy of Chicago study pointed out; those lower-than-expected increases, however, could have been affected by already waning voter turnout in those European nations.
Estonia a model for online voting
Estonia, however, has embraced internet-based voting and created the world's first national online voting system. In 2005, the Baltic nation of 1.3 million people introduced online voting via Smartmatic Corp.'s technology and used it for local government elections; two years later, Estonia used internet voting for parliamentary elections in which more than 30,000 people voted online.
The Estonian internet voting system has now been used in eight major elections over 10 years. Today, online voting participation in the Balkan state has reached 44.4% of the population.
The Parliamentary elections held earlier this year saw an increase of 40% in online participation over the same elections in 2015. Online voting, or i-voting as it's called in Estonia, takes place in advance of election day and runs until the fourth day before the election. Citizens download a voting application via a national election site, then register through a national ID card or mobile PIN assigned through a registration process.
Estonian citizens and permanent residents can request two forms of digital identification: digi-ID and mobiil-ID. Digi-ID is a card similar to the national ID card that is designed only for online use. The digi-ID card does not have a printed photo of the citizen, and contains less personal data then the national ID card, while still providing authentication and digital signature functions. Mobiil-ID provides similar functionality to digi-ID, but is built into a mobile phone SIM card rather than a chip-and-PIN card. This enables the citizen to perform digital authentication and signing using their mobile phone with no extra hardware.
Smartmatic's online voting system was also used in the 2016 Utah Republican Party Caucus and voters from more 45 countries, including places as far away as French Polynesia, South Africa and Japan, cast ballots online. Eighty-nine percent of 24,486 registered Utah Republican Party members registered to vote online and participated in the caucus process, according to Smartmatic.
Participation was strongest among voters 56 to 65 years old. After making their selections, online voting participants were asked to provide feedback on their experience: 94% described the online voting experience as good, 97% would consider voting online in future elections and 82% wanted to see online voting implemented nationwide
Smartmatic's system, however, only uses blockchain to report and tally votes, not as an open network enabling voting itself. The Smartmatic app is downloaded to the voter's PC and allows them to communicate with the vote forwarding server and cast a ballot. The client is available for Windows, Mac OS and Linux.
Tarvi Martens, former head of Internet Voting at the State Electoral Office in Estonia, said blockchain has nothing to do with i-voting itself.
It's "about preserving data integrity using distributed model. In [the] i-voting case, the only data is (encrypted) votes. Do we want to distribute them? Hell, no!" Martens said, referring to the transmission of votes via blockchain.
Security issues surrounding online voting, such as server penetration attacks, client-device malware, and DoS attacks, "are all there," Martens said, but DoS and penetration attacks do not differ from attacks to other online services.
Estonia's i-voting system features end-to-end verifiability, meaning a voter can check whether their vote arrived at the electronic ballot box (an "e-urn"), "and thus whether his computer behaved well [and] was not infected," Martens said.
"Auditors/observers can check using independent software whether [the] counting process from e-urn to election results was performed correctly," Martens said.
West Virginia still the only one to use blockchain in a national election
West Virginia remains the first state and only state to use a blockchain-based mobile voting application for a general election, which was made available only to military members and their dependents living overseas.
This summer, Utah County became the latest government entity to pilot the Voatz mobile voting app for military absentee voters casting ballots in a municipal primary election. Denver also recently allowed overseas voters to use the same platform to participate in its municipal elections.
The Voatz application uses a permissioned blockchain based on the HyperLedger framework first created by IBM and now supported by the Linux Foundation. In the election, verified validating nodes (servers) are used, split evenly between AWS and Microsoft Azure, each of which are geographically distributed, according to Voatz. Military personnel and their families who used the Voatz app only need an Apple or Android smartphone and a state or federal ID.
Voatz uses multi-factor authentication, including iPhone fingerprint and facial recognition, to allow pre-registered voters to submit ballots; all personally identifiable information and voting results are encrypted on the blockchain ledger.
The Voatz app has been used in non-public election voting such as state political party conventions, caucus voting, labor unions, nonprofits and student government elections at universities, according to Voatz CEO Sawhney.
"In the near future, it is anticipated that pilots could be expanded to citizens with disabilities, and/or other absentee voters in a graduated, step-by-step manner," Sawhney said via email.
The Voatz platform goes to significant lengths to prevent a vote from being submitted if a device is compromised (e.g. rooted or jailbroken) or has malware on it, according to Sawhney. Only certain classes of smartphones equipped with the latest security features are allowed to be used. Voatz conducts frequent security audits, including penetration and source code level, and also was the first elections company to offer a public bug bounty program via HackerOne starting in 2018.
“In line with our commitment to privacy and security, the voter photo-IDs and selfies are deleted soon after verification and are not used for any other purpose outside of voter identity verification,” Sawhney said. “Any biometric information never leaves the secure storage on the mobile devices and is not stored on remote servers.”
But Jacob Hoffman-Andrews, a senior staff technologist with the Electronic Frontier Foundation, said election security experts are "near-unanimous" in their opinion that online voting is too risky.
"Blockchain doesn't change that, because it doesn't address the underlying issues with online voting," Hoffman-Andrews said.
For instance, Hoffman-Andrews explained, if the device you use to vote is compromised by malware, as many laptops and smartphones are, that malware could tamper with a vote before it ever reaches the servers used to count it.
"Internet voting also poses a risk of disruption via denial-of-service attacks, and phishing/misinformation campaigns that lead people to send their vote somewhere where it won't be tabulated," Hoffman-Andrews said.
The gold standard in election security is "software independence," he added.
A voting system is software-independent if an undetected change or error in its code cannot cause an undetectable change or error in an election outcome.
Non-internet elections can and do achieve software independence while still using software to improve the election process, but "it is probably impossible to achieve software independence for internet voting," Hoffman-Andrews said.