For a feature last week, I talked to a number of election experts and computer security researchers who argued that secure Internet voting isn’t feasible today and probably won’t be for many years to come. A common response to this argument—one that came up in comments to last week’s article—is to compare voting to banking. After all, we regularly use the Internet to move money around the world. Why can’t we use the same techniques to secure online votes?
But voting has some unique requirements that make secure online voting a particularly challenging problem.
Votes are anonymous, banking isn’t
Every electronic transaction in the conventional banking system is tied to a specific sender and recipient who can confirm that a transaction is valid or raise the alarm if it isn’t. Banks count on customers to periodically review their transactions—either online or in paper statements—and notify the bank if fraudulent transactions occur.
By contrast, experts told me, elections are supposed to be secret. In-person elections don’t just allow voters to cast a secret ballot, they typically require them to do so. Mandatory secrecy insulates voters from coercion by bosses, abusive spouses, elder care workers, or others in positions of power or influence.
Once the voter drops a paper ballot into a ballot box, it gets mixed together with the other ballots. Not only is it hard for anyone to link a ballot back to the voter who cast it, it’s also hard for the voter to prove to anyone how he or she voted.
Building a secure digital voting system with the same properties is difficult. If votes aren’t linked to voter identities, there’s no way for voters—or anyone else—to verify that their votes were recorded accurately.
Cryptographers have developed complex cryptographic protocols for accurately counting ballots while maintaining at least partial anonymity. But these protocols themselves are complex and difficult for ordinary voters to verify.
Some online voting companies have dealt with this challenge by dispensing with strong ballot secrecy. Voatz, for example, gives each voter an anonymized identification number that allows them to look up their votes as they were recorded on the Voatz server. This is probably essential for ensuring that votes are recorded correctly. But it erodes the sanctity of the private ballot, since people in positions of power could coerce voters into revealing how they voted.
Online banking isn’t actually that secure
The more important issue, however, is that online banking systems aren’t actually that secure. Indeed, conventional payment networks get compromised constantly. The Nilson Report, a financial industry trade publication, estimated that credit card fraud cost the world almost $28 billion in 2018.
A big reason for this is that banks recognize that there’s a tradeoff between security and customer convenience. Strong security measures like two-factor authentication or rigorous verification of signatures would cut down on fraud but would also irritate many customers. Banks and financial networks realize that beyond a certain point, stricter controls will cost the bank more in lost customers than they save in fraud prevention. So they accept that a fair amount of fraud is a cost of doing business.
Banks’ security efforts are also aided by the fact that people hacking financial networks are typically trying to divert stolen funds to themselves. Often banks can “follow the money” to figure out who was responsible for a particular hack, recovering the stolen funds and deterring others from trying a similar attack. Bank hacking is also of little interest to foreign governments, most of which have plenty of money.
Election hacking is different. We talk metaphorically about people “stealing” votes, but someone hacking an election isn’t trying to directly profit from their hack. This means that the authorities can’t follow the money to identify suspects.
When fraudulent transactions are flagged after the fact, banks automatically credit lost funds back to customers. They try to identify the culprits and make them pay, but if that’s not possible, banks absorb the losses themselves.
This approach is totally unworkable for voting. Voting officials can’t issue voters after-the-fact credits for their stolen votes the way banks do for stolen funds. An election needs to produce a definitive result that is quickly and widely accepted as legitimate. Even a small number of fraudulent votes could flip the results of an election and destroy public confidence in the voting process. Major elections, including the American presidency, have been decided by a few hundred votes out of millions cast.
So our voting infrastructure needs to be a lot more secure than our online banking infrastructure. And experts say we simply don’t know how to build online systems with the necessary level of security.