Building trust into our technologies: democracy’s path forward in the present pandemic
Thu 28 May 2020
Marcus Fowler, Director of Strategic Threat at Darktrace, discusses the challenges of conducting an election without in-person voting
For the first time in history, many elections will have to happen without in-person voting. In the US, we have already witnessed the pandemic’s impact on the Democratic Primaries, many of which continue to be postponed and mired in massive legal controversies. Throughout the ongoing pandemic, leaders continue to hotly debate whether or not elections that rely on in-person voting ask citizens to make a decision between civic participation and personal safety.
The impact that the current crisis will have on the upcoming US Presidential election in November remains unclear. However, we must start strategising now in order to ensure that democracy will be resilient in the face of future pandemics, as well as other novel 21st century threats.
In this unprecedented challenge to democracy, online voting is the obvious solution. Compared to mail-in ballots, online voting is certainly more convenient, accessible, and safe in the ongoing pandemic for each and every voter, poll worker, and mail carrier across America. But can online voting ever be fully secure?
We know that nation-states, hacktivists, and cyber-criminals will directly target online voting platforms and data. This issue has been magnified by the recent controversy surrounding the Iowa Caucus app, a smartphone app designed to help announce the results of the first nominating contests in the Democratic Party primaries for the election. Fraught with coding issues, the app has already been deemed ‘a disaster waiting to happen’. The same has been reported of the Voatz app, used in elections across West Virginia, Oregon and Colorado, which has been found to suffer from a number of security flaws.
Companies building mobile voting applications are incentivised to move as quickly as possible in order to take advantage of the current demand for this technology. As this pressures companies to cut “non-essential” corners in order to be first to market, some will choose to prioritise functionality and accessibility over security.
Even when security is a priority, ensuring the security of online voting methods remains challenging. For example, though the Voatz app uses blockchain, biometrics, bug bounty programs and other security protocols, a recent study by a team of independent researchers at MIT found alleged vulnerabilities in the voting platform that “allow different kinds of adversaries to alter, stop, or expose a user’s vote.”
Ensuring that citizens trust an online voting platform is as crucial as ensuring the security of the platform itself – trust is the lifeblood of American democracy, and all democracies globally. If people do not believe that their vote will count, they will lose their incentive to participate in the democratic process. In order for people to believe that their vote will count, they need to have faith that each and every vote will be accurately counted. Trust is democracy’s bedrock principle, and security is vital to trust.
We can only build people’s trust in online voting platforms by building powerful and rigorously vetted security protocols into the foundation of emergent voting technologies. Yet, US state governments will likely not have the resources to fully validate possible solutions that are pitched to them by a vendor – these remain the weaker underbelly of the federal government, and their security maturity tends to be much lower, explaining why they make frequent targets for ransomware attacks during and outside of election season. Creating a central approval body on the federal level will accordingly alleviate pressure on states as they meet the demands of the present moment.
The US federal government should define clear, comprehensive security requirements for all online voting platforms that involve a rigorous testing and certification process. This process should be transparent and should leverage private expertise and crowdsourcing methods such as Hacker One’s bug bounty program. Contracting ethical hackers can reveal vulnerabilities in a platform’s cyber security protocols before malicious actors discover them.
Lastly, in order to ensure trust in the case of a potential compromise, all voting methods must maintain a “verifiable, auditable paper trail and paper-based balloting backbone.” This is because the American public retains a justified sense of scepticism concerning the security of mobile applications and the privacy of their data. They have seen a steady stream of data abuse and mishandling from the likes of Facebook and Capitol One, as well as successful cyber-attacks against other entities that many people consider more trustworthy, such as Equifax, the Defense Information Systems Agency, and the Office of Personnel Management.
As America and the rest of the world enters the era of digital democracy, it has been never been clearer that we must employ the most sophisticated tools—from blockchain and data validation to AI technologies that provide full visibility into the transfer of all data across enterprise networks —in order to ensure the security of elections, census, and all other governmental operations that rely on the internet.
We must move forward with caution – democracy is a delicate process, and there is no short-term fix for this paradigm shift in the channels of democracy. Paper trails are needed in order to preserve public trust in the present, and advanced security technologies are also needed in order to shepherd democracy safely forward into the increasingly uncertain future. In order to maintain social distancing while allowing for more voter participation, mail-in paper ballots matched with the appropriate auditing measures might remain the most promising and secure near-term solution.