“It's the wave of the future,” declared the US State of West Virginia's Secretary of State of following a limited deployment of a blockchain-based voting app for the state's general midterm elections. For cybersecurity and election integrity advocates, however, the move was “an example of all the things states shouldn’t do when it comes to securing their elections.”
Nearly two years later, the state has announced plans to shelve the app for the upcoming primaries. This decision follows a recent research report from the Massachusetts Institute of Technology that unearthed bugs that could allow attackers to reveal how people vote, block votes from being submitted or even manipulate them.
At about the same time that this situation was unfolding in the US, another election app, used in the recently concluded elections in Israel, was coming under increasing scrutiny for two consecutive security breaches. According to a news report, the app facilitated the theft of the country’s electoral database, twice in one week, and the apps source code publicly posted on GitHub revealed confidential data including passwords and keys to third-party services.
And the spectacular failure of an Iowa caucus app, used just for relaying results rather than voting, at around the same time really did not help the case for deploying mobile phone apps, in any capacity, during elections.
Can tech beat paper?
For proponents of technology in elections, Internet-enabled systems can increase voter turnouts thereby making elections more inclusive, representative and responsive. For detractors, these systems still lack transparency, present serious risks to voter privacy, and are extremely easy to hack.
So there the discussion currently stands, stuck between well-intentioned ambitions to move democracy into the future and valid concerns about the risks of mixing the internet and elections.
Over the years, it has become abundantly clear that cost, convenience and keep-up-with-the-times arguments are just not going to be enough to push any form of Internet-based voting system, including mobile voting, into the mainstream. And it’s also important to acknowledge that there are the extremely tech-savvy among the skeptics, such as retired Stanford computer-science professor and Verified Voting founder David Dill, for instance, who still advocate for “easily auditable paper ballots” because Internet voting is “not doable with current technology.” Anyone who thinks otherwise, says Dill, carries a high burden of proof.
Securing the mobile vote
When it comes to Internet voting, burden of proof is not just about establishing the relevance, robustness and sophistication of digital technologies vis-à-vis conventional voting processes. Any potential solution also has to demonstrate that it complies with the constitutional principles and demands embedded in voting processes.
Blockchain technology definitely has the characteristics, such as immutability, transparency and accountability, that are critical to a sociopolitically sensitive application like voting. In theory at least, the inalterability of the distributed ledger, the autonomy of decentralization and the transparency of the voting process, make blockchain the ideal candidate for mobile voting.
In the real world, however, none of these characteristics really stand up to their theoretical potential. Immutability, it turns out, is neither absolute nor inviolable as transactions can be reversed if enough nodes decide to collude or to correct human error.
This issue can more or less be addressed through permissionless blockchains, like Bitcoin or Ethereum, where the distributed ledger is based on open source code and there is no centralized authority that can sanction collusion. On the other hand, permissioned blockchains are less decentralized than permissionless blockchains as there is a centralized authority in charge of decisions regarding access and protocols. In the context of voting systems, this argument is often extended beyond just blockchain to the potential trust deficit of any solutions based on proprietary, closed-source code, where commercial priorities may eclipse total transparency.
Even assuming that the immutability and security of stored voting data have been diligently enforced, a blockchain implementation does not automatically preordain the authenticity and integrity of submitted voting data. Fake data can still flow into these systems, especially when the data describes actions outside the online universe, thereby rendering the whole concept of immutability moot.
Consider a mobile voting app that is not as much blockchain-based as it comprises a blockchain system for vote storage. In such a system, where a backend server adds the data to blockchain, data manipulation could happen anywhere along the chain, from compromised devices to tampered apps, their communications with the server and through attacks on the API server itself.
For instance, the MIT researchers note the minimal effort with which they were able to defeat the Zimperium SDK that was supposed to detect debugged/modified apps and alert the API server. With that line of defense eliminated, any attacker with root access to a voter’s device would be able to hijack the app and execute man-in-the-middle (MitM) attacks on the API server to alter votes and extract voters’ ballot and personal data. Today there are several sophisticated mobile app attestation services that could have addressed this specific vulnerability by validating that the app had not been tampered/repackaged, that it was not running in a rooted device or hooked into an instrumentation framework and that it was not the object of a Man in the Middle Attack (MitM).
Further, mobile app attestation could be employed to make a measurement of the condition and authenticity of the app recording the vote which can then be included in the blockchain voting record.
Finally, there is the issue of blockchain security, which, on paper at least, has taken on an aura of absolute impenetrability. Again, not quite, though. Even the most secure blockchain implementation consists of lines of code, consensus mechanisms, communication protocols, etc., all of which are potentially vulnerable to attacks. Secondly, the extensive use of cryptography in blockchains does not automatically make them 100% secure. As a matter of fact, blockchain systems do not enforce security by default and instead are only as secure as they are designed.
Internet and mobile voting are technological concepts with a considerably high value quotient. After all, they do promise a lot, from increasing voter turnouts to preserving the integrity of ballots to amplifying democratic process demands such as accountability and transparency. This value is best reflected in the fact that multiple government institutions across the world continue to experiment with technologies like blockchain to secure and streamline their electoral processes.
However, even a seemingly superlative technology like blockchain is only as secure and productive as its implementation. It is therefore imperative that every implementation of Internet voting systems needs to demonstrate the solution’s ability to deliver to the demanding standards of the democratic process, including the identification and rejection of attempts to manipulate the results. Unlike even the most mission-critical commercial applications, here there is little scope for trial & error and lesser still for building iteratively with a minimum viable product. And the burden of presenting proof of this standard rests squarely on technology and solution providers operating in this space.