If you’re heading to the polls on Election Day, chances are you’ll be voting the same way Americans have been voting since 1629, with a paper ballot and a pencil. Despite certain chads that don’t know how to hang, it’s been a pretty reliable system (and a real treat if you love queuing inside unfamiliar auditoriums).
One would think, however, that we’d be a little farther along in our grand Democratic experiment. We do almost everything else with a computer, after all, including pay our taxes. So, if my iPhone will let me buy a house as long as I have a fingerprint and a credit card, why should a vote be any different?
Unfortunately online voting, a more modern alternative, is hamstrung by the threat of hackers and the Internet itself. On Election Day, millions of Americans will cast their vote on machines over a decade old. Until we can find a way to guarantee a more secure, transparent voting process, we’re stuck with heading to our polling place.
Right now, voters will use a mixture of optical scanning machines and aging electronic voting machines, the latter being susceptible to malicious interference. Online voting sounds appealing, but major hurdles stand in the way before you can fire up your voting app. Guaranteeing it works on Election Day and ensuring no one tries to rig the results is also harder than it sounds. In fact, the very architecture of the Internet might render online voting on a national scale impossible.
Republican presidential candidate Donald Trump isn’t a fan of electronic voting machines, warning that they aid in the rigging of election. Even before his own presidential bid, during the 2012 presidential election, he tweeted about electronic voting machines stealing votes, suggesting voters “pay close attention to the machines.” While voter fraud isn’t nearly as widespread as Trump suggests, the idea of altering votes made on machines with no physical paper trail is widely accepted as possible by security researchers, to the chagrin of a few states. It’s perhaps for this reason that electronic voting technology has failed to advance as a legitimate option for elections.
Even more, electronic voting machines are costly and inefficient. They cost upwards of $2,000 dollars apiece and are essentially a joke when it comes to security. Last year, Virginia’s State Board of Elections banned the use of its AVS WINVote electronic voting machines after discovering the decade-old Windows XP machines hadn’t received a security update since 2004 and could be easily infiltrated to modify votes. Even the password was too good to be true: “abcde."
There certainly are companies trying to perfect the electronic voting process, but none of them have been cooperative enough to show off the underlying software, and so can’t be tested for security holes. It’s an important factor in a country like Brazil that relies completely on electronic voting machines for its elections. After obtaining permission to look at the 10 million lines of code in the Diebold-built electronic voting machines for only five hours, University of Campinas professor Diego Aranhas found security flaws that made it possible to potentially manipulate votes, and suggested his students could write better code than what he found in the machines. The Brazilian Electoral Tribunal, the branch responsible for managing the voting machines, declined to permit further testing of the machines.
Replacing old voting machines with more secure versions isn’t exactly on the table either. The Help America Vote Act in 2002 provided funds to states in order to modernize the voting system and prevent another occurrence of Florida’s infamous election recount in 2000. But those HAVA-funded machines were purchased over a decade ago are no longer considered secure, and there isn’t another influx of money available to purchase new ones.
Online voting seems like the next logical step.
If you thought, “Denmark or Iceland or one of those countries probably has that shit on lock,” well you’d be wrong. Yes, the Netherlands did institute a form of online voting in 2004 called Rijnland Internet Election System (RIES). It was initially used to elect officials to the Rijnland local government and functioned as another voting option alongside mailing your ballot. You’d receive a unique identification number in the mail before it came time to vote. Then, on Election Day, you’d log into the election website, enter your number, and vote for your candidates.
The Eindhoven Institute for the Protection of Systems and Information discovered flaws in the process during a 2008 investigation that revealed votes could be forged despite their encrypted nature. A research report that looked into RIES found a surprisingly low level of security that “appears to have left RIES vulnerable to near-trivial attacks.”
The end result? That year, the Netherlands banned electronic voting completely, requiring paper ballots and red pencils to cast your vote.
Let’s say there comes a day when you can sit down in front of a web browser and cast your ballot. Then it becomes a reliability problem, says Brandon Naylor, Director of Communications at the nonprofit Democracy Works. “When you're dealing with something like this in the broadest possible terms, you're asking for one system to be deployed nationwide, and for that system to have one day of perfect usability,” says Naylor. “I think that's a lot of eggs in one basket.”
In fact, there’d be practically no way to stop malicious attackers from coordinating an attack on Election Day, fucking up all your eggs in the process. Hackers in control of botnets—computers and devices infected with malicious software without the user’s knowledge—can mount large-scale assaults on Internet services and knock them out for hours at a time.
Just last month, security expert Brian Krebs’ site was knocked offline in what was the largest DDoS attack ever recorded. The attack on his hosting company Akamai forced them to temporarily take the site down.
Knocking down one person’s site is one thing, but knocking down pieces of an entire infrastructure is another. The latest high-profile DDoS attack took out DNS provider Dyn for hours, knocking out services like PlayStation and Airbnb. The attacks were powered by a botnet comprised of smart home devices.
Hackers could easily mount an assault on whatever server is hosting the online voting process.
The US Vote Foundation, a nonprofit voter registration organization, funded a study on the likelihood of such a system being built in the near future. The authors, a group of cryptography experts as well as election officials from around the country came together to find out just how to create an online voting system that would satisfy the American public as well as government regulations. In order for online voting to be considered a viable option, it would have to meet a multitude of requirements, providing anonymity for voters, a way to securely transmit your ballot, and most importantly a tangible record of the vote to allow for recounts. Unfortunately, there’s no feasible option to vote in such a manner yet.
The US Vote Foundation’s report does take DDoS attacks into account, and suggests the system needs to be capable of handling attacks as large as 100 gigabits per second. That attack on Krebs’ site? 680 Gbps.
And there’s no real way around the problem, either. It’s difficult to distinguish between genuine and bogus requests to access sites. According to the report, there’s no real solution to eliminate the issue, and “the DDoS problem is so fundamental that there will probably never be one with the current architecture of the Internet. Vulnerability to DDoS attacks is effectively built-in to its design.”
In U.S. elections, anonymity is just as important as security. Online voters can’t just create a username, or link their ballot to their Twitter account. This is why certain countries, like Estonia, are able to host elections online. Online voting in Estonia requires a national ID card, something the United States doesn’t have. Estonia’s online voting system has come under fire for its security flaws that could potentially allow hackers to modify votes and change vote totals without leaving a trace.
The technology to enable online voting isn’t there yet, but there are other ways to modernize the voting process. In fact, one of the biggest problems being solved by upgrading from paper-based records is voter registration. Nearly 50 million eligible voters aren’t registered to vote, meaning a sizable population is effectively shut out of the voting process, no matter how much Politico they read. Registering to vote hasn’t always been the easiest. The National Voter Registration Act was passed in ‘93 helped boost voter enrollment, but other than that there hasn’t been much progress on a national level. “Voter registration is probably the biggest election administration problem we have,” said Jonathan Brater, who serves as counsel for the Brennan Center for Justice’s Democracy Program. “24 million registrations nationwide are out of date or have serious errors.” At least 39 states offer online voter registration according to a Brennan Center analysis. Not voting, but close enough for now.
Just in case you still had your hopes up, here’s how computer scientist and researcher David Jefferson described the current situation of online voting: “Fundamental security problems remain with E2E-VIV systems for which there are no practical solutions in sight and that will not be resolved in the foreseeable future.”