The Covid-19 pandemic and the battle to keep its spread in check has had a ripple effect across the world as directives to stay at home change the way everyone goes about daily life.
With a United States presidential election looming in November and numerous other votes taking place throughout the year across the country, some citizens have begun a push for secure, remote voting options. Offsite voting would allow voters to stay at home and cast ballots without worrying about spreading the virus, encountering voting machines that have become disease vectors, or endangering the health of polling volunteers.
Voting by Mail
One way to do this, of course, would be voting by mail. The state of Oregon established vote-by-mail as its standard in 1998. Many states have provisions for voting by mail that are used to cast absentee ballots and can be applied in extraordinary cases, like a pandemic.
But we’ve come a long way since 1998, and the recent crisis has also led people to seriously consider how viable online voting for elections would be.
Voting from home digitally is far from uncharted territory. Currently, 23 states and the District of Columbia allow some voters to cast ballots electronically. Four states – Arizona, Colorado, Missouri and North Dakota – have web-based portals that allow for absentee voting, and West Virginia has a mobile voting app that uses blockchain technology. In addition, some municipalities have begun testing the waters of online voting in low-stakes local elections.
Up until now, the push for electronic voting has been led by a desire to make voting faster and easier. That hasn’t been enough to shift many jurisdictions away from the benefits of on-site voting, which is deemed to have more privacy, security and auditability. Unfortunately, the idea that on-site elections are secure is a myth that is quickly being dispelled. According to a report issued by Canada’s Communications Security Establishment, half of all “advanced democracies” had national elections targeted by cyberattacks in 2018, marking a three-fold increase since 2015. The agency predicted that trend to continue.
In a reaction to these increases and the widespread targeting of 2016 U.S. elections by foreign interests, some voting authorities have scaled back on the digital aspects of elections. (This will be the case in the state of Georgia, where a judge has ordered the use of paper ballots in 2020 instead of the outdated machines that were being used prior.) Others, like Estonia, have taken attacks as a lesson and moved forward with increased cybersecurity, embracing new technologies. Estonian ID cards employ cryptographic keys and public key certificates stored on the card’s chip that allow users to safely sign and encrypt documents in addition to providing validated information about the cardholder’s identity. Estonia’s i-voting system is now seen as a model for online voting that is used by almost half of the population. Estonia has also taken the lessons they have learned in implementing this system over the past two decades to form the NATO Cooperative Cyber Defence Centre of Excellence.
So, could voting online become the standard in the United States? Maybe, but probably not by November. For one thing, how voting is done is not determined nationally – it is the jurisdiction of states and counties, so implementing a national change as radical as this one isn’t very likely, especially over the next few months. But this crisis does seem to be laying the groundwork for online voting. Recently, the New York Times reported on a push to allow Congress to legislate and vote remotely, which could lay the groundwork for normalizing the practice.
And, luckily, the groundwork for securing the practice of remote, online voting is already there. We have been conducting many delicate transactions online for some time – the secure transfer of information has been a cornerstone for many industries that have successfully shifted online such as personal banking and investing, and those methods of securing and authenticating information can be employed in voting as well.
For years, people have suggested that the use of blockchain technology could be used to secure elections and increase voter turnout. Blockchain creates a peer-to-peer network where information can be exchanged, which means that each of these “blocks” would have to be hacked over a very short period of time – a tall order for those that would hope to unduly influence elections. Like the system used in Estonia, that would require citizens to use digital IDs unique to each person, cryptographically “sealed” with a private key.
PKI, Digital Certificates, and National ID Programs
We’ve also written about how governments can use public key infrastructure, or PKI, and digital certificates to create national ID programs and authenticate the identity of their citizens. In addition to the digital national ID cards established by Estonia, many other countries have digital ID programs. Wikipedia lists Afghanistan, Bangladesh, Belgium, Bulgaria, Chile, Finland, Guatemala, Germany, Indonesia, Israel, Italy, Luxembourg, the Netherlands, Nigeria, Mexico, Morocco, Pakistan, Portugal, Poland, Romania, Estonia, Latvia, Lithuania, Spain, Slovakia, Malta, and Mauritius as countries that all have eIDs. Its article on national electronic IDs notes that Finland issued their first eID way back in 1999 and mentions that many of the programs use public key infrastructure to maintain the security of the identification.
PKIs manage pairs of public and private keys, binding them to the identities of organizations and people through digital certificates. Validation of identities and issuance of digital certificates is carried out by certificate authorities (CAs), such as SSL.com. While national IDs are still being rolled out, as noted above, they serve as a key in online voting protocols by giving governments the ability to verify individual identities and prevent voter fraud.
Because various local entities manage elections, and we have yet to employ any kind of national digital ID in the United States, there are a lot of decisions to be made about how to best secure online elections. We recommend our guide to PKI and Digital Certificates for Government as a resource in thinking about information technology, and whether it is necessary to develop an internal national PKI or use an existing, trusted certificate authority instead.