Amid vote-hacking fears, election officials are jumping on the crypto bandwagon — but cybersecurity experts are sounding an alarm
If they squinted hard enough, attendees of the International Centre for Parliamentary Studies’ annual Electoral Symposium, which took place in late May at the Troia Design Hotel, 90 minutes south of Lisbon, Portugal, could just about see the future of democracy taking shape.
As usual, credentialed participants — electoral officials from around the world, staff from various NGOs, and an array of eager vendors — could play with the latest suitcase ballot scanners, price out indelible inks, and peruse an array of tamper-resistant security seals, the time-honored instruments of elective governance.
But this year there was something different in the air: heated talk of a new technology, ingenious in its design, far-reaching in its implications: the blockchain.
The stodgy, buttoned-up world of representative democracy has come down with a touch of crypto fever, a giddy hope that the same elegant mathematical contraption that powers bitcoin and Ethereum might somehow be employed to reinvigorate the democratic process, liberate the masses, and save the world.
“People think it’s a kind of magic lantern,” Mike Summers, program director for online voting at elections services provider Smartmatic, tells me between sessions. “Like it’s going to solve everything. It’s funny because most people don’t know too much about [the blockchain], but they know it’s brilliant.” Smartmatic is hard at work trying to find ways to incorporate blockchain technology into its own offerings.
At democracy’s heart lies a set of paradoxes: a delicate interplay of identity and anonymity, secrecy and transparency. To be sure you are eligible to vote and that you do so only once, the authorities need to know who you are. But when it comes time for you to mark a ballot, the government must guarantee your privacy and anonymity. After the fact, it also needs to provide some means for a third party to audit the election, while also preventing you from obtaining definitive proof of your choice, which could lead to vote selling or coercion.
Building a system that accomplishes all this at once — and does so securely — is challenging enough in the physical world. It’s even harder online, as the recent revelation that Russian intelligence operatives compromised voting systems in multiple states makes clear. But that hasn’t stopped tech companies from trying. According to a report by the Wharton School, election administration is said to be a $1 billion per year industry in the United States alone (that’s just for infrastructure and technology). Worldwide, according to industry insiders, the figure is likely between $8 billion and $10 billion. And given the hype around the blockchain, it’s hardly surprising that the top players are turning to the technology in hopes of fortifying their systems and winning the trust of leery officials.
Though none would say so openly, they were also staking their claim amid a gold rush that has already transformed teens into millionaires and sleepy iced-tea companies into stock-market juggernauts. In the decade since the elusive Satoshi Nakamoto published an infamous white paper outlining the idea behind bitcoin, a “peer-to-peer electronic cash system” based on a mathematical “consensus mechanism,” more than 1,500 new cryptocurrencies have come into being. The idea has been applied to contracts, record keeping, insurance, fine art, the news media, and cats.
Some evangelists even believe the blockchain will power a whole new internet based on a true peer-to-peer architecture that will restore the utopian promise of the web’s early days. Why shouldn’t a system based on “cryptographic proof instead of trust,” as Nakamoto put it, redeem our faith in the democratic process as well?
By half past 1:00 on the first day, conference attendees had taken in a keynote, a presentation (“Elections in the Cyber Age: How Digital Democracy Is Improving Election Integrity”), and a panel discussion (“Blockchain Technology, Smartphone Apps, E-Voting: What Are the Implications for the Future of Democracy?”); posed for a group picture; and traded war stories over lunch. Through it all, the booth for Votem Inc., one of several vendors offering “internet voting solutions,” sat unmanned.
Pete Martin, president and chief executive of the Cleveland-based online voting company, and his director of testing and certification, David Wallick, had one of those trips: a delayed flight, a missed connection, an improvised rerouting. (The guy dispatched by Facebook appears to have had a similar issue, if that company’s empty display table is any indication.) Fortunately, like all good startups, Votem was agile. Arriving at the hotel just 45 minutes before they were scheduled to lead a blockchain workshop of their own, Martin and Wallick speedwalked to the meeting room, plugged in a laptop, and were ready to make their case, with minutes to spare.
Martin, a serial entrepreneur who got his start as a teenage auto-leasing magnate in Cleveland before moving on to custom computer sales and an MBA, planted his feet confidently and fired up his pitch deck as a crowd of 50 or so attendees listened attentively.
Voting is “broken,” he said, as the screen behind him flashed a famous image from 2000 of Florida election officials diligently trying to decipher a voter’s intent from the so-called hanging chad on a mispunched card. For people who have devoted themselves to promoting democratic ideals, it was a cringe-inducing moment.
Moving on, Martin talked about the decline of trust in government. He explained how the cycle of fear and doubt can lead to unchecked populism (Brexit, Trump, etc.). He touched on the challenge voters have in accessing polling places and highlighted the issue of low turnout.
Several audience members nodded thoughtfully.
Martin, 55, who has the look of a high school principal, poised and professional, with a Mitt Romney–esque touch of gray at his temples, first became interested in online voting after selling his fifth company, a B-to-B software consulting firm. Casting around for his next challenge, Martin signed up for an executive summit in Los Angeles. It was led by the serial entrepreneur and futurism guru Peter Diamandis. As part of an exercise designed to identify participants’ “massively transformative purpose,” Martin recalls, he was asked to write down “what I’d do before I die that would positively impact a billion people.”
He stared at a blank sheet of paper for five long minutes. “Then I wrote down the magical words: mobile voting.”
This was December 2014. Martin knew nothing about the election services industry, but no matter. He hired people, bought a small online-voting outfit that had developed its own proprietary software, and before long, turned his commitment into an audacious pledge: By 2025, Martin vowed, 1 billion people would cast a ballot on what would become the Votem platform. So far, he’s up to 8.5 million, which includes a number of small public elections (Montana and the City of Detroit have used Votem’s technology), as well as internal political party votes, union elections, and the recent Rock and Roll Hall of Fame fan poll (way to go, Bon Jovi).
The real prize, of course, is national elections, which is what brought Martin to Portugal: the chance to run elections for various democracies around the world and one day — who knows? — help select a U.S. president. Martin’s pitch boiled down to internet-based voting via personal devices or on touchscreens in polling places, but with a twist: Votes cast through Votem would be recorded on the blockchain — digital, distributed, immutable.
In the past year or so, explaining the concept of a blockchain has become a cottage industry in itself (check out YouTube). The most helpful formulation I’ve encountered is the one offered by Nathan Heller in the New Yorker, in which he compares the blockchain to a scarf knit with a single ball of yarn. “It’s impossible to remove part of the fabric, or to substitute a swatch, without leaving some trace,” Heller wrote. Typically, blockchains are created by a set of stakeholders working to achieve consensus at every step, so it might be even more apt to picture a knitting collective creating that single scarf together, moving forward only when a majority agrees that a given knot is acceptable.
The idea touted by Votem — along with competitors like Voatz (based in Boston), Smartmatic (London), and Polys (Moscow), each of which also sent teams to Portugal — is that knitting votes into a blockchain would protect them from tampering, whether from government officials, bumbling bureaucrats, or state-based intelligence operations. Unlike bitcoin, a public blockchain powered by thousands of miners around the world, most voting systems, including Votem’s, employ what’s known as a “permissioned ledger,” in which a handful of approved groups (political parties, election observers, government entities) would be allowed to validate the transactions.
Martin looked around the room. “Who’s heard of the Pythagorean theorem?” he asked. “How old is it? Four thousand years old, right? Has it ever changed? No. That’s what the system is built on. The math has to work.”
In 2010, the Board of Elections and Ethics in Washington, D.C., resolved to tackle an issue that has bedeviled officials for decades: some 2.6 million overseas voters, including members of the military, who are largely disenfranchised due to the difficulty of physically visiting a polling place. The usual solution — voting by mail — carries its own risks, such as missing ballots, uncounted votes, and fraud. Nonetheless, every state currently allows snail-mail voting under some circumstances, and three of them (Oregon, Washington, and Colorado) rely exclusively on the method.
Election supervisors in D.C. figured they could do better. They partnered with a nonprofit and developed an online voting system using Ruby on Rails, a web application framework. Then, adopting a practice advocated by cybersecurity specialists, they published their source code, set up a mock election, and issued an open invitation to try hacking it.
Among those who took the challenge was J. Alex Halderman, a computer science professor from the University of Michigan perhaps best known for his public call for manual recounts following the 2016 election. Within a day and a half, he and his students had seized control of the platform and obtained the passwords of every voter in the system — along with the ability to change their votes. In an exuberant touch, they even modified the system’s “thank you” page, the one that let voters know they had successfully cast a ballot, to play the Michigan Wolverines’ fight song.
It took D.C. elections officials nearly two days to detect the breach — a discovery the students watched in real time after also hacking the closed-circuit cameras in the network operations center.
It was dramatic evidence of the pitfalls of online voting. Maybe too dramatic, according to those in the online voting business. “It was good that the system was compromised, because it showed the vulnerabilities, but the industry is still suffering as a consequence of that,” says Smartmatic’s Mike Summers. “Everybody says, ‘Okay, well that proves internet voting is insecure.’ But look, if a carmaker has a problem with a car, we don’t all stop driving.”
In the years since the 2010 pilot, Halderman has become a revered figure among the tight cadre of election security activists convinced that online voting is a disaster waiting to happen. Armed with PhDs in math and computer science and a zeal for old-fashioned paper ballots, these experts — with their powerful ties to universities, research institutions, and influential government agencies — are the bane of the mobile voting industry. They’re utterly convinced that the blockchain, far from enhancing election security, is simply an overhyped distraction that will inevitably weaken it.
The naysayers are eager to outline the various reasons for their skepticism to anyone who will listen. There are several major risks inherent in most any online voting system, they say, none of which are wholly mitigated by the introduction of a blockchain. First, there’s malware. Allowing people to vote on their own insecure devices offers hackers an unusually soft target. Experts believe that one-third of the world’s personal computers — and a swiftly growing number of mobile phones — are infected with malware.
“You have to consider the devices people are voting from as dirty,” says computer scientist David Jefferson, formerly of the Lawrence Livermore National Laboratory, a national security institution charged with safeguarding the nuclear weapons program. Hackers could, perhaps, insert into the software a malicious piece of code designed to change a vote right on someone’s device before it is encrypted and posted to a blockchain. “You won’t know, the government body won’t know, there’s no way to detect it, and then the malware may erase itself, so there’s no forensic evidence,” Jefferson says. “It’s just hopeless.”
Then there’s the issue of targeted denial-of-service (DoS) attacks, in which a hacker directs so much traffic at a server that it’s overwhelmed and ceases to function. “You could aim an attack at just Los Angeles and San Francisco, and suddenly you’ve turned a blue state red,” cautions Josh Benaloh, senior cryptographer at Microsoft Research, whom I heard one vendor describe as a “crypto god.” Although a distributed ledger itself would likely withstand such an attack, the rest of the system — from voters’ personal devices to the many servers a vote would pass through on its way to the blockchain — would remain vulnerable.
And finally, there’s the so-called penetration attack, like the University of Michigan incursion, in which an adversary gains control of a server and deliberately alters the outcome of an election. “Every major government, military, and commercial agency has been penetrated multiple times,” notes Jefferson, who now serves on the board of election security nonprofit Verified Voting. “No system anywhere on the internet is invulnerable, and everyone in the security community knows this.”
While it’s true that information recorded on a blockchain cannot be changed, a determined hacker might well find another way to disrupt the process. Bitcoin itself has never been hacked, for instance, but numerous bitcoin “wallets” have been, resulting in billions of dollars in losses. In early June 2018, a South Korean cryptocurrency exchange was penetrated, causing the value of bitcoin to tumble and resulting in a loss of $42 billion in market value. So although recording the vote tally on a blockchain introduces a new obstacle to penetration attacks, it still leaves holes elsewhere in the system — like putting a new lock on your front door but leaving your basement windows open.
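The point of the paragraph above, as an added example in Python (not code from any vendor or researcher named in this article): a toy permissioned ledger in which a later edit to a stored ballot is detected, while a ballot altered on the voter’s device before submission passes every check. The candidates, validator names, voter tokens and the `device_submits` model are constructed for illustration.

```python
import hashlib
import json
from collections import Counter

CANDIDATES = ("alice", "bob")                     # constructed sample race
VALIDATORS = ("party_a", "party_b", "observer")   # hypothetical approved validators
QUORUM = 2                                        # majority of the three
GENESIS = "0" * 64


def block_hash(index, prev_hash, ballot):
    """SHA-256 over the block's position, its predecessor's hash and the ballot."""
    payload = json.dumps({"i": index, "prev": prev_hash, "ballot": ballot}, sort_keys=True)
    return hashlib.sha256(payload.encode()).hexdigest()


class Ledger:
    def __init__(self):
        self.blocks = []
        self.used_tokens = set()

    def validator_ok(self, ballot):
        """All a validator can check: a known candidate and an unused voter token."""
        return ballot["choice"] in CANDIDATES and ballot["token"] not in self.used_tokens

    def append(self, ballot, validators=VALIDATORS):
        """Add the ballot only if a quorum of approved validators accepts it."""
        # Simplification: every approved validator applies the same check.
        approvals = [v for v in validators if v in VALIDATORS and self.validator_ok(ballot)]
        if len(approvals) < QUORUM:
            return False
        prev = self.blocks[-1]["hash"] if self.blocks else GENESIS
        index = len(self.blocks)
        self.blocks.append({"ballot": dict(ballot), "prev": prev,
                            "hash": block_hash(index, prev, ballot)})
        self.used_tokens.add(ballot["token"])
        return True

    def first_bad_block(self):
        """Recompute every link; return the index of the first mismatch, or None."""
        prev = GENESIS
        for i, block in enumerate(self.blocks):
            if block["prev"] != prev or block["hash"] != block_hash(i, prev, block["ballot"]):
                return i
            prev = block["hash"]
        return None

    def tally(self):
        return Counter(b["ballot"]["choice"] for b in self.blocks)


def device_submits(intent, compromised):
    """Model of the voter's device: a compromised one reports a different choice."""
    if compromised:
        return next(c for c in CANDIDATES if c != intent)
    return intent


def run_demo():
    # Constructed sample: (voter token, intended choice, device compromised?)
    voters = [("t1", "alice", False), ("t2", "alice", True), ("t3", "bob", False)]
    ledger = Ledger()
    for token, intent, compromised in voters:
        ledger.append({"token": token, "choice": device_submits(intent, compromised)})

    intended = Counter(intent for _, intent, _ in voters)
    recorded = ledger.tally()
    clean_before = ledger.first_bad_block()        # chain verifies despite the swapped vote

    # A stored ballot is rewritten after the fact; the hash chain exposes it.
    ledger.blocks[0]["ballot"]["choice"] = "bob"
    detected_at = ledger.first_bad_block()

    return {"intended": dict(intended), "recorded": dict(recorded),
            "chain_ok_before_edit": clean_before is None, "edit_detected_at": detected_at}


if __name__ == "__main__":
    print(run_demo())
```

The recorded tally differs from what the voters intended, yet the chain verifies cleanly until the stored ballot is edited; only that later edit is caught.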
Mobile-voting companies are well aware of these issues and say they are working to solve them.
“We assume every machine is rife with malware,” Votem’s Martin says. “So we also do all kinds of mathematical checking. We know what your individual ballot should look like, cryptographically, and if it doesn’t match that cryptographic profile, we won’t accept it.”
Both Votem and Voatz market a system whereby a voter, having cast a ballot, receives a QR code tied to her vote. By scanning the code with another device (either at home or in a polling station), she can reassure herself that the vote was at least recorded properly somewhere. True, she won’t know with certainty that it was part of the final tally, but no form of voting currently in use offers much assurance on that score. (A group called the U.S. Vote Foundation is working on it.)
DoS attacks can be fought off by obtaining extra server space, proponents of online voting point out, and they are less of a factor in elections that offer extended voting periods. Asked if the possibility of a targeted DoS attack concerns him, Martin points out that hurricanes and other weather events routinely keep people from the polls as well.
“We’re definitely held to a higher standard,” he says. “I mean, there was a squirrel in Ohio that took out an entire precinct!” (Quick-thinking officials switched to paper ballots until power was restored.)
As for penetration attacks, Martin says the company has numerous protocols in place to fend them off, but in the end, he admits, “We have never said and will never say it’s unhackable. What we’re saying is if it is hacked, we will know immediately, because the math won’t add up.
“Look, the thing you have to remember is there are tradeoffs,” he continues. “There is no perfect solution.”
Microsoft’s Josh Benaloh is one of the most esteemed cryptographers working on voting issues. Despite being skeptical that the holy grail of true, “end-to-end verifiable” online voting can be achieved in the near term, he believes that day will come. Many online voting skeptics would say that it’s not worth even trying, Benaloh tells me. “Others say it’s inevitable, and we have a responsibility to make it as secure as possible. I’m more on the inevitable side of things.”
Even so, Benaloh, like numerous computer science experts I spoke to, maintains that the blockchain technology being touted by various voting companies won’t actually help at all — and may well introduce a new array of pitfalls.
“In my experience, people are trying to take advantage of this craze,” Benaloh says. “There are real substantial problems to be solved to do reasonable and responsible internet voting, and honestly, blockchains do not solve any of the problems that are out there.”
A blockchain is only as valuable as the data stored on it. And whereas traditional paper ballots preserve an indelible record of the actual intent of each voter, digital votes “don’t produce an original hard-copy record of any kind,” Jefferson says. “So the county has no meaningful way of verifying that these ballots truly represent what voters intended. It’s all evanescent. It’s electrons all the way down, and the blockchain can’t fix that.”
“Blockchain is not part of the solution unless you’re selling stuff,” says Joe Kiniry, principal scientist at Galois Inc., a software engineering company that designs secure systems for government agencies, including the Department of Defense, and chief scientist at Free and Fair, an open-source elections services outfit. “We have really good ways of [storing personal votes and totals] without using something as complex as a blockchain. Adding a blockchain to a voting protocol is the worst thing you could do,” Kiniry adds. “It increases complexity for no extra benefit.”
“We know the blockchain is not a silver bullet,” Martin concedes. “That’s why we also have other protocols in place. But it’s absolutely more secure than a single point of failure.”
On May 8, Lieutenant Scott Warner, a paratrooper with the Army Corps of Engineers, stationed in Vicenza, Italy, with the 173rd Air Brigade, used an app on his mobile phone to place his vote in the West Virginia Senate primary, becoming one of the first voters in U.S. history to record his ballot to a blockchain in a federal election. (An election official then had to copy Warner’s selections by hand onto a traditional paper ballot and scan it into a machine, rendering the event a little less momentous than media made it out to be.)
The registration process was “easy to maneuver,” Lt. Warner said, according to a press release issued by the secretary of state’s office.
Here’s how it worked: After the state verified to the election services company, Voatz, that Warner was eligible for an absentee ballot, he received an email instructing him to download the smartphone app. The app then directed him to take a picture of a government-issued photo ID, which it checked against a state voter registration database. Finally, Warner was asked to take a video selfie (and to blink to prove he was a live person) in order to confirm through biometric facial recognition that he was the same individual pictured on the ID.
In short order, the app displayed a ballot. “I hit ‘vote’ for the candidates I wanted to support,” Warner recounted. “Then I used the thumbprint Touch ID on my phone to verify who I was. That was it. Pretty slick!”
Some secure-voting activists might say it was a little too slick. That is, if they could actually assess the protocol Voatz used in West Virginia. For now, the only information describing the system is a white paper issued by West Virginia Secretary of State Mac Warner — Lt. Scott Warner’s dad, as it happens — which devotes just three sentences to outlining the voting system architecture, less than it devotes to detailing Secretary Warner’s military service (he is a decorated Army veteran) and that of his four grown children.
Though hardly foolproof, one essential step in evaluating any system, most experts on the subject agree, is releasing the source code and running a live test. So far, although some i-voting companies publish their architecture and protocols online (Votem, for instance, just detailed its architecture on GitHub), they are reluctant to allow this kind of full vetting.
“In every single case where it’s been allowed to happen, we’ve been able to find grave vulnerabilities,” says David Jefferson, the computer scientist. “Voting system vendors never do open testing anymore because of the D.C. experience. They can’t survive a determined attack. It would be a catastrophic PR failure and possibly the end of their company.”
According to West Virginia elections director Donald Kersey, the state “didn’t give any thought” to opening up the protocol or source code to public scrutiny, in part to protect Voatz’s intellectual property and in part to avoid drawing “a big target on a vulnerability that might be out there.”
“What they’re basically saying is, ‘We’ll let the Russians test it, but not you,’” one cybersecurity expert insists.
“This is incorrect and spreading false propaganda,” a spokesperson from Voatz replies via email, adding that Security Innovation, “a renowned, independent mobile security firm,” audited the source code and that “several other tests” had also been carried out.
Secretary Warner emphasized that the number of votes involved in the pilot was limited — just over a dozen voters, in two counties — and that the project was designed to address a very specific problem: the friction experienced by deployed service members who want to help elect their leaders.
Still, those votes are meaningful only if they are truly secure, and the cybersecurity professionals I spoke to remain skeptical. Ironically, the real danger may not be that the West Virginia project will be hacked, but that it won’t. The stakes are small. Chances are no one will bother. Votes will be tallied. Election officials and voters will be reassured. And a seemingly successful small-scale pilot will lead to larger rollouts — and ever more worthy targets. As Voatz chief executive Nimit Sawhney tells me, “You take baby steps, build trust, and start using it for bigger and more complex elections.”
Given the recent revelation that Russian intelligence compromised election systems in at least seven states in the days before the 2016 election, one can only assume they or others like them — even “somebody sitting on their bed that weighs 400 pounds,” as then-candidate Donald Trump famously put it — will do so again.
The scary part is that we may never know. We may even stop asking, secure in our unshakable faith in the mighty blockchain. “Eventually, an election will have some very surprising outcome, and people will say, ‘Well, you can’t argue with the blockchain,’” Benaloh predicts.
“I don’t really blame the secretary of state for the fact that somebody came along and managed to convince him that this is a great thing,” he adds. “But I can’t believe the people who are selling this don’t know that what they’re selling is a handful of beans.”
A Voatz spokesperson replies: “Without really having an understanding of how the blockchain is being used here, this is a typically irresponsible and brash statement, and we are not going to get into the mud on it. We will let the work speak for itself.”
In the end, democracy always depends on a certain leap of faith, and faith can never be reduced to a mathematical formula. The Economist Intelligence Unit regularly ranks the world’s most democratic countries. In 2017, the United States came in 21st place, after Uruguay and Malta. Meanwhile, it’s now widely believed that John F. Kennedy owed his 1960 win to election tampering in Chicago. The Supreme Court decision granting the presidency to George W. Bush rather than calling a do-over — despite Al Gore’s popular-vote win — still seems iffy. Significant doubts remain about the 2016 presidential race. And yet our certainty that we are living not only in a democracy, but quite possibly the greatest democracy on the face of the earth, somehow remains unshaken.
While little doubt remains that Russia favored Trump in the 2016 election, the Kremlin’s primary target appears to have been our trust in the system itself. So if the blockchain’s trendy allure can bolster trust in American democracy, maybe that’s a net positive for our national security. If someone manages to hack the system, hopefully they’ll do so quietly. Apologies to George Orwell, but sometimes ignorance really is strength.
Back at the Votem workshop in Portugal, Pete Martin comes to the last slide of his deck and opens the floor to questions. A hand shoots up. “There are a lot of people in the world who are not very savvy,” an election commissioner from Jordan points out. “For them, trust is about, ‘I see that I wrote my paper and put it in the box and nobody looked at me.’ If you come and say to them, ‘Blockchain,’ they’re going to say, ‘What magic is this? This is nonsense! This is another conspiracy!’”
Martin smiles. For the foreseeable future, he promises, “This isn’t going to be the only way to vote. It will just be another channel.” He pauses. “When online banking came around, all the branches didn’t go away, right?”
As the presentation concludes, several electoral officials crowd around with questions. Despite the skepticism, the potential of blockchain-based electronic voting had clearly inspired a good portion of the audience.
And it may well be inevitable. Back in 2010, after the D.C. election board’s chief technologist, Paul Stenbjorn, watched helplessly as a handful of students compromised his entire system, he fired off a defiant response on the Board of Elections website: “The computer science community needs to understand that this toothpaste is already out of the tube,” he wrote, “and no volume of warnings can put it back.”
Correction: A previous version of this piece misstated how many states allow voting by mail. All U.S. states currently allow it in certain circumstances.