…virtue of paper is that large-scale fraud is arguably more difficult because either fraudsters must show up in person, or a fraudster has to approach the voter. Counteracting that advantage is the fact that in-person voting tends to suppress the votes of working people, shut-ins, and those who live in rural areas, and it incurs no small cost in running polling stations. That is why mail-in ballots are becoming a cost-saving standard. Unfortunately, mail-in voting lacks checks on integrity and has no guarantees of timeliness. For a relevant example of poor integrity, note that North Carolina, U.S.A., invalidated an important election [4] because of mail-in ballot fraud. Detection of fraud is hardly a cure; the election had to be conducted all over again.

Another disadvantage of traditional voting systems is their practical lack of transparency. Recounts can be conducted by examining paper ballots, but that is slow and costly, and only a few people actually get to see the ballots. The automation of the initial count brings into question the integrity of the IT resources of the election authority's systems for handling registration and tallying. Memory cards from optical scan machines can go missing, and voter registrations can get lost in processing. The public has no insight into the configuration of these resources and how they are accounted for. For numerous examples, I have to look no further than my own voting district. [3] We can do much better.

Despite the admonitions of experts, online voting is emerging in several U.S. and international initiatives; Estonia has the most aggressive effort. [1] Online votes in Estonia have been growing steadily since 2005, and the uptake may exceed 50% this year. Their system requires a USB card reader, but there is a smartphone-based app in the works. Some U.S. states allow Internet voting for overseas military personnel. West Virginia and Denver, CO, are experimenting with a mobile voting app that includes a …

The looming question is: Can online voting be more secure than today's flawed paper systems? I believe we have the technology pieces to reach this goal, and it is imperative to develop secure voting systems running on common mobile devices.

If the threat environment is controllable, online elections with security safeguards are possible today. For a professional society, or the governing board of a small non-profit organization, the Helios open source web-based voting system [7] offers some strong cryptographic assurances. It assures vote privacy, transparent audit, and protection against voter coercion (vote early, vote often, only the last vote counts). Helios is scalable and easy to implement. On the negative side, it can be undermined by real-world problems with voter registration, phishing attacks and malware, dirty social media tricks, and so forth. But let's take Helios as a building block, with the challenge to secure it in a voting ecosystem.

A verifiable chain of trust from the voting device through to the publication of election results is an absolute necessity. That chain must be robust in the face of concerted attacks on every step of the process. [6] Fraud must be detectable and close to 100% preventable. Unfortunately, mobile devices in their current state are untrustworthy. It is far too easy to introduce corrupt software that fools the voter and election officials while also corrupting the vote. The voter cannot trust the integrity of his computing device's software, firmware, or hardware, nor its ability to connect to the correct server; nor can he trust the presented ballot, believe the vote is private, or know that the vote reached the election officials. Even if the vote is delivered correctly, voters should worry about the integrity of the server software for recording and counting. These are the challenges that should be attracting the best of our security expertise.

The key to success is the development of minimal and fully analyzed components. First, a trusted computing base on trusted hardware, verifiable software, and a public log of voter credentials and votes. Yes, those are the very things you likely did not want to see mentioned: TPM, open source, and ... blockchain! With them, a chain of trust can be built: trust in the mobile computing device, the website server, the presentation of the ballot, marking the ballot, submission of a private vote, counting the vote, and …

A handful of U.S. initiatives are developing precursor technology that might eventually enable secure smartphone voting, but they are directed at a simpler issue: the security of electronic voting machines and vote tabulating machines. Today, these have questionable security because they are based on commodity hardware and proprietary software. To be trustworthy, they must be based on secure hardware and open source secure software. Within a DARPA program [2, 5] for developing secure hardware and firmware, there is one grant for secure voting machines on secure hardware.

The unique challenges of online voting need to balance anonymity, authorization, and transparency. Using a blockchain for credentials solves a vexing Public Key Infrastructure (PKI) problem: the U.S. does not have a "root of trust" for election authorities, and it probably should not institute one. Each state has the right and responsibility for registering voters and conducting elections, and the individual counties (or districts) have a great deal of latitude in how they implement the processes. This means there are at least 50 root authorities. If each one has a public key, where is it advertised? What is trustworthy?

Blockchains are useful for establishing secure identities without a central authority. The election official of a state (governor, lieutenant governor, secretary of state) can issue a public key for granting election authority, and enter that key on a blockchain. There it can accumulate endorsements from other authorities: states, federal agencies, and so forth. A consensus protocol can establish trust by a preponderance of evidence. The state's public key can be used to endorse the public keys of the county …