Sign up to our newsletter
The US presidential election is fast approaching and the nation, along with the rest of the world, is waiting to see who will be chosen to run for the White House. Donald Trump for the Republicans? Hillary Clinton or Bernie Sanders for the Democrats? March 1st, also known as Super Tuesday, may hold the answers. It’s the day when the largest number of US states hold their primaries.
Yet, even though the US is among the most technologically advanced nations in the world, most of its voters cannot cast their ballots online. This is despite the fact that nowadays we can do pretty much anything in the virtual world: work, entertainment, paying bills or buying things are now part of our everyday online lives.
So is internet voting really such a risk? And if so, where’s the catch? There are actually several of them. First of all, cyberspace isn’t actually as safe as everyone thinks, not even for banking or paying for for online shopping … that is if you’re not properly protected.
Ecommerce and online voting don’t compare
The upside is that potential fraud affects only a small portion of all online transactions. Due to this, online merchants, banks and big companies can ‘hide’ the costs that the victims of fraud would normally have to pay. The rather unpopular downside is that everyone ends up covering these losses in the form of fees or higher prices.
But this approach doesn’t apply to online voting. Who would pay for the damage done by electoral fraud? And what would be the mechanism to fix glitches, especially if they were uncovered years later? Making things ‘even worse’, voting is anonymous, so by design there should be no way to find out who rigged the results or who cast the fraudulent ballots.
Unlike an ‘old-school’ election, there is no paper trail in cyberspace and trying to achieve something similar might prove difficult. The metadata could easily be corrupted or manipulated, without leaving a trace. And let’s not forget that avoiding detection is a specialty of most types of malware.
Cheap cybercrime vs. big money in the elections
It’s also worth mentioning that other cyber threats can mess with the electoral process, such as an army of zombie computers – aka botnets – that could overload an official election webpage or, even worse, cast thousands of ballots in favor of a preselected candidate. If the cybercriminals are skilled enough, they could actually do everything via victims’ computers.
In this equation, the price of malware is a considerable factor too. Its costs are low compared to the potential gains from manipulating an election. It might take as little as tens of thousands of dollars to rig an outcome, which is negligible compared to the vast sums invested in campaigns. Then there is the fact that some parties want to win very badly and other big players, such as corporations or other nation states, might also feel tempted to influence the final result.
Another problem is the ‘one person, one vote’ rule. How would you know, if there was no paper trail, if someone had only cast his/her ballot once, or participated in both online and offline voting? And if attackers were able to hack through security measures and manipulate the choice of one voter, what would stop them from repeating the same action thousands of times?
Pioneers in Estonia
Despite these issues, the concept of i-voting (i.e. voting via the internet; not to be confused with e-voting, which involves attending a polling station and voting via an electronic voting machine) is not entirely untested. Some nations have experimented with this, or are deploying it for select groups of voters, including Canada, Switzerland and the UK. But others are far ahead.
At present, Estonia is the only nation that has had the courage to implement an online voting system for the whole electorate. This pioneer in online voting launched the process in 2005 and, since then, the share of internet voters there has grown, reaching 20-25% in recent polls, with no major criticism so far of the process or of the outcomes.
So how did Estonia overcome all the potential pitfalls? Online voters identify themselves with the help of an ID card with a smart chip or a mobile ID (phones with a specific SIM card). After being authenticated, their digitally signed ballot is inserted into a virtual and (again) digitally signed ‘envelope’, which is sent to a central database.
To make sure the vote isn’t mishandled or modified en route, voters can check their files after delivery to the system. It is important to mention that anyone who takes part in online voting is advised to install reliable and up-to-date security software before casting their ballots.
Can online voting work?
As this example shows, online voting isn’t impossible. But even with all the cybersecurity measures in place, the more widespread internet elections become – and as larger nations come to adopt it – the greater the lengths that cybercriminals will go to in order to influence the outcome.
So it is hard to foresee whether the cybersecurity requirements that are taken today in places like Estonia will work for larger nations, or prove just a small step on the path towards more widespread electronic voting.
Would you support or oppose online voting in your country? Let us know your thoughts in the comments.
Author Ondrej Kubovič, ESET