Voting online for public office is a terrifying proposition to most security experts. The paths to subversion or failure are many:
1. the server could get overwhelmed by attackers, preventing voting altogether
2. the server could get hacked and the votes changed surreptitiously
3. the users’ machines could get compromised by a virus, which would then flip votes as it chooses with little or no trace
4. even if somehow we secure the entire digital channel, there’s still the issue of your spouse looking over your shoulder, strongly suggesting you vote a certain way
So, terrifying. And yet, I’m now pretty sure it is inevitable.
What human activity isn’t on the Internet?
Today, we bank online, deposit checks and even pay vendors with our smart phones. We can change our mailing address with the postal service and pay parking tickets with our local governments online. We can shop online, socialize online, and debate with our Presidential candidates online. Newt Gingrich announced his Presidential campaign on Twitter.
Just about everyone now carries an Internet-connected personal device. The Internet is everywhere you want it, and just about everywhere you don’t. People are starting to experience the world through augmented reality, using online maps and satellite overlays matched with their current location. The Internet is only going to become more omnipresent, faster. Within a few years, it will be hard to imagine any human activity that doesn’t involve the Internet.
And yet, somehow, we expect people to still be voting in person, on paper? We can’t even get users to take SSL certificate warnings seriously, but we’re going to convince them that voting is so special it has to be done in person? I don’t think so.
Don’t grab your pitchfork yet
I’m not arguing that this is how it should be. I’m definitely not saying that we can secure online voting just like we can secure online banking. In fact I’ve made many of the original arguments, in my dissertation and on this blog, shooting down the bogus arguments that go something like “hey, we can secure online banking, surely we can secure online voting!” No, we don’t know how to do that.
What I’m saying is that, regardless of the state of online voting security, I think it’s a losing battle to expect voting to remain the only activity we still do in person and on paper. With the Oscars moving to online voting, the Federal Voting Assistance Program making $15M available in grants for activities related to online voting (even if it supposedly doesn’t involve online vote casting), parts of Canada moving to online voting, France considering online voting for its 2M+ expats (more than the margin of victory in the last Presidential election), what you’re hearing is the sound of inevitability.
Enforced Privacy is Dead
There’s another interesting issue, when you think about problem (4): even if we keep voting on paper in person, voting requires enforced privacy: we have to make sure it’s just you in the voting booth, not you plus a coercer. That’s great. Now, how many ballots do you think we’re going to see next year published on Instagram?
We have a deeper problem here due to the now omnipresent Internet. Voluntary privacy is not dead, since users can choose to isolate themselves. But enforced privacy, privacy imposed on the voter, the kind needed to prevent coercion, that’s quite dead. I’m very concerned about what that means for democracy. But again, this is inevitable.
Doing the Best We Can
So, if it’s inevitable, maybe the best we can do is make online voting as secure as possible. We’ll probably have a few disasters, maybe even a few thrown elections. So we’d better start now on the problems we have.
I think we can solve Problem (2) with open-audit, end-to-end voting systems like Helios (but not only Helios; there are others). I think we can minimize the risk of Problem (1) by moving to a longer voting period (1 week instead of 1 day). I suspect we have to eventually give up on some aspects of (4), whether or not we do online voting, though some technical tricks might make voter coercion a good bit more difficult (it’s never completely impossible). The hardest problem is (3): we have no way of ensuring that people are using trustworthy software that captures their intent properly.
Again, I’m not endorsing online voting for public office. I’m saying it’s inevitable, and it’s time to face that inevitability.
Importance of the User Agent and why I joined Mozilla
This issue of trustworthy user software is a much larger problem than voting. As human activity increasingly moves online, the central question is: what software is truly on the side of the user? How does the user know for sure that the software they’re using is their true agent? There’s only one piece of Internet architecture today that can be the user’s true agent, and that’s the Web browser (which technologists call the User Agent, unsurprisingly). And, among the web browsers, there’s one that particularly stands out as the ultimate user agent, backed by a company whose mission is focused on the user and only the user.
That’s why I joined Mozilla. Because for voting and beyond, everything people do is online or soon to be online, and users better have an agent on their side. The best agent users can get today is Firefox, and I hope to contribute to making it an even better user agent in the next few years.
[It’s worth noting that Mozilla has no intention of getting into the voting business, that’s just my personal interest.]
OK, you may now get out your pitchfork.
Comments
4 responses to “Online Voting is Terrifying and Inevitable”
Publishing a ballot image on Instagram doesn’t necessarily prove that’s how you voted. You might have voided the ballot.
In theory, true. In practice, it’s a fairly good coercion mechanism. As we start posting whole videos of ourselves, rather than just snapshots, it gets harder and harder to fake the coercion proof.
[…] Ben Adida recently wrote a post, Online Voting is Terrifying and Inevitable in which he said, “Voting online for public office is a terrifying proposition to most security […]
[…] deeply here. In short the arguments took two forms: First, Ben Adida offered a restatement of his earlier opinion on inevitability, “Internet voting is terrifying but I think it might be inevitable. I say this […]