Around election time, cyber security is always a hot topic, and this spring several elections are being held both within Europe and beyond. How is it that, in this digital world, we still cannot vote electronically or over the internet? For episode 23 of Cyber Security Sauna we welcome Tomi Tuominen and Antti Vähä-Sipilä of F-Secure. We discuss the complexity of cyber security in electronic voting, why it is such a challenging issue, and when it makes sense to deploy electronic voting systems. Listen here or read on for the transcript. And don’t forget to subscribe and leave a review!
Welcome back to the show, guys.
Antti: Thank you, nice to be here.
Tomi: Thank you.
So what’s your relationship with electronic voting?
Tomi: I’ve spent five years of my life with e-voting, originally trying to secure the Finnish election pilot that was run back in early 2000 or so.
Antti: Myself, I was invited as an observer for the same pilot back in the day. Then, I’ve been a member of an internet voting working group for the respective ministry here in Finland. Let’s put it this way, I’ve had the chance to think about these things, at least on the conceptual level.
So there was a pilot on e-voting in Finland in the early 2000’s. What happened with the pilot?
Antti: The pilot was run as a direct recording electronic voting at the polling places, so essentially you used the device to record your vote, and there was no paper trail of any sort. The result in the end was annulled, so it was declared invalid. The main reason, if I recall correctly, was a user interface issue. So it was a bit unclear when the vote was actually recorded, and it was very slightly different than the instructions actually led to believe. So in a way, it was not a security issue, but it was a user experience design issue.
For those of you unfamiliar with the Finnish system, in Finland we usually vote on one thing at a time, and basically you get a list of candidates, you pick the one you like, you write their number on a piece of paper, and you drop that piece of paper in the ballot box. So very simple. But this is not the case in all countries in Europe.
Tomi: There seems to be quite a variety of systems globally. If Finland would be on the far end of the simplicity scale, so that yes, usually in traditional ballot-based voting we have a pencil that we use, on a piece of paper. And in US, you have like a letter page or two or three pages of choices you have to make, and you’re voting everything from the fire marshal to the presidential candidate or so on. So there is a huge difference between these systems when it comes to what is defined as a voting experience in general.
But we’re also talking about two different things. There’s electronic voting, as in the polling machine at the polling station, and there’s also internet voting.
Antti: Yes, well, actually I think that you could divide the e-voting into three different categories. So there’s internet voting, which is obviously also electronic voting, unless you’re using carrier pigeons or something. And then you’ve got so-called DRE, or direct recording electronic voting, which happens at the polling place, and it means that the vote is recorded completely electronically, there’s no paper trail. And then there is something called auditable paper trail, or voter-verified paper trail-based electronic voting, where, for example, complex ballots which are very difficult to fill in can be displayed to the user using a dynamic or interactive user interface. And then the results will be stored both electronically and as paper. Or they might also be only paper. With those machines, you can actually do two different counts. You can count the electronic votes, and then you can count the paper votes as a backup if you want. It will produce a paper trail that can be audited.
Tomi: And then there are variations of all these things, so you have also optical devices, so basically you’re submitting a paper-based thing. It could be like a questionnaire where you are ticking boxes, and that is optically read. And there have been issues with those kinds of devices as well, so you can fool the device to actually give you wrong votes, although the original paper was in perfect shape. Although you might have a paper audit trail, you might also have an external device that is basically completely separated from the voting system, but it’s offering a digital audit trail. So all the votes that are being cast are recorded. You can think of it as a black box on an airplane. And then there is, of course, a huge debate whether that is qualified as an audit trail or not, because it’s technically not a paper audit trail, but it’s more like an electronic audit trail.
Antti: This is the reason why it’s very hard to answer a question like, “Is e-voting good or bad?” Because you have to first understand the election type, or the referendum type, what you’re voting for, and then also the types of machines. Countries also have differing standards on how well, even in a traditional election, they will, for example, retain the chain of custody of the ballot itself, for example.
In some countries you will be able to drop the ballot into a ballot box unsupervised, and in other countries such as Finland, you are being supervised the whole way, so that you cannot drop anything else into the ballot box, for example.
Yeah, or several ballots or something.
Antti: Yeah, for example, ballot box stuffing or anything like that, yeah.
You guys have been involved in this conversation for twenty years now. What are some of the arguments for electronic voting? Why are we having these conversations?
Antti: Well, it depends on the type of electronic voting you’re referring to. But I mean, there are a lot of different reasons why you would want to bring e-voting into the picture. One of them is the thing that Tomi already mentioned, so the complexity of the ballot. So you can have an easier and more interactive UI, user interface, that will guide the voter through the choices, and probably that can decrease the number of plain human errors that people are making when casting the ballot, so that’s one key thing.
Do you mean guide, like provide additional information?
Antti: One of the key things is accessibility, so if you for example have poor eyesight, and your ballot is very complicated, and you have to fill in an optically read form, how to find the right dot that you have to pencil in? That’s one thing that it’s much easier to do that on a touch screen than with a pencil.
Tomi: Also you might just accidentally pick the wrong candidate if you have to jot down a number, so the user experience when clicking on the face of somebody is much better than choosing a number. Especially true for elderly people.
Antti: And in countries where the literacy rate is not very high. So if you know the face or the symbol of the party, for example, then it’s easier to show on a screen potentially. For internet voting specifically, it allows absentee voting easier than this sort of physical votes. So if you have for example, expatriates all around the world, if you have a lot of your citizens abroad who would need to travel to far away embassies in order to vote, it’s much easier if you can do it via the internet.
What about things like voter turnout?
Antti: That’s often being quoted as a goal, for countries to increase the voter turnout, to give the vote more legitimacy. I think that’s the main reason.
Tomi: There has been a lot of discussion in general about these voting systems, but nobody’s talking about the process. And it’s still a very crucial part of the big picture. So if you go through the whole lifecycle of voting, first you have to pick and choose the people who are allowed to vote. Then you need to have a way to tell them that, okay, now you’re eligible to vote, and basically it’s your civil right to do so. And already at this point there are huge differences. For example, in the US, you have to register. And in Finland, it’s kind of a given. If you’re over 18, you’re allowed to vote. The whole process should be looked at when we’re talking about voting because there are so many places where it can go horribly wrong.
Personally, I think it’s dangerous to look at this in a very contained manner, that okay, the problem is the terminal, or the problem is the voting place, or this specific thing. You have to have a very holistic view to this whole thing in order to make sure that it’s actually solid.
Antti: But if you zoom in to the actual process of an election, then – I’ll just give you an example of where electronic voting may be both a benefit and something you don’t want to have. Let’s assume that you have a country where you have really faraway places, and you’re going to do an ordinary polling place-based vote. Now if you are using traditional paper ballots, you are going to have to transport them from those faraway polling places to someplace where they are being counted officially. The chain of custody of those ballots may be very hard to ensure if you have to travel for a long journey through areas which may not be, for example, completely under government control. If you bring in an electronic aspect to that, you can, for example, transfer a backup copy, or the only copy of the ballots, electronically, integrity-protected over a cellular connection, for example. Which kind of fixes this.
But then it opens the other thing, what’s the input to this process? It may be easier for the people at the polling place to detect ballot box stuffing, for example, so casting extra ballots. But they might not be able to detect that on a completely electronic machine. So when you go into the details, your solution may both solve problems and create new problems, and you’ve got to have a very good threat model in order to decide whether or not the introduction of e-voting is beneficial to you or not.
So you’re talking about electronic voting as a part of the whole voting process, and it involves many different steps. I think typically what you see are schemes where you just replace the ballot, the taking the ballot, with an electronic version of it and keep everything else in the process the same. Is that problematic?
Tomi: I mean, we’ve been using back end systems for voting as long as there have been computers. So that’s not the problem. The problem usually stems from the fact that you’re trying to combine anonymity with strong authentication, and those two properties don’t get along with each other too well. So you need to be able to verify that the voter is eligible to vote, and at the same time, nobody should know what that person has been voting for. And trying to replicate that functionality with computers is usually the part where it comes very problematic.
Why is that? Because in the polling stations I’m used to going to, what they do is sort of authenticate you when you get there, and after that, once you’ve gained entry into the polling station, you get the paper ballot in your hand, and that’s your authentication from then on. That’s your session token. Then you go in and write your number and you drop that piece of paper and only that piece of paper in the ballot box. And as long as the number of people who’ve been authenticated and who’ve cast their vote, empty or otherwise, as long as those numbers match, there’s no problem.
Tomi: In theory, yes, and that’s basically the way the pilot was done in Finland as well. Because although you want to do the authentication or authorization, to be more precise, you want to do that in a solid way, you want to separate the actual authorization from the voting itself. And you want to be able to pair the amount of votes with the people who voted, and you need some sort of mechanism to do that, preferably almost real time.
So is it harder to separate those two in an electronic setting than it is in a real world setting?
Tomi: If you scale these problems… I mean, it was never a problem in Finland, where there’s only five million Finns, out of which at any given time something like 2.5 million are allowed to vote. It’s not a problem here, but if you go to places where you have 200 million people, it might become an issue. Of course, this goes back to the legislation. So in Finland, if there is a discrepancy between the voters and the cast votes, the result is nulled. So the statistics have to match.
Antti: I think that there are two things that need to be ensured for each ballot that’s cast. First, of course there, the thing that Tomi said, that nobody should be able to tell who voted for whom – or, we can tell who voted, but not for whom, and then the voters themselves shouldn’t be able to prove whom they voted for. So that the selling and buying of votes won’t become possible.
Yeah. Or you can’t be coerced to vote one way or the other.
Antti: For example that, yes. So now, in the physical system, with physical ballots and physical ballot boxes, this problem is taken care of by physical means. So the shuffling of those ballots happens almost naturally when you put it into a big ballot box and then you count the votes, and the votes themselves are anonymous. Well, there’s very little that you can use to tag the votes to the voters. Now in the electronic systems, you have to do that in some other way. You have very nice shuffling methods using cryptography that you can use, but there the point is that you cannot easily observe this shuffling. Also the phase where at some point, the system will know who you are and what are you voting for, because the system authenticates you and then gets your vote. The separation of these two facts would have to be done in a way that’s plausible. And now, being able to prove that the separation works and the shuffling works properly, that’s very difficult, because you would have to prove that software and its actual deployment both work as intended.
Yeah, I mean, in the physical setting, there’s sort of like two layers of shuffling happening. The voters get their ballot slip and they go into the boxes and they fill out the person they like, and so forth. Not everybody takes the same amount of time, so the order in which they complete the voting is not the same order they came in, and then the different votes, the pieces of paper will fall in the ballot box and sort of get shuffled there automatically, like you said. We couldn’t do that in an electronic system.
Antti: Yes, but I think the key aspect here is that you can actually see this physical shuffling with your normal human senses. Whereas you cannot observe a computer doing the cryptographic magic with your own senses, you have to rely on observation of the source code, the compilation and the deployment, and the execution environment of that code.
Yeah, and especially trying to figure out if the shuffling is happening in a cryptographically sound manner is very difficult.
Antti: For example, yes.
Tomi: That pretty much brings me to the point that was my first observation when I started looking at e-voting. Ballot-based voting that is done with pen and paper is actually a brilliant way to do this. There are so many subtle things that it handles kind of automatically. And when you’re trying to move this on top of computers, so that basically deterministic machines are trying to handle the same tasks, it is super complicated.
What kind of things?
Tomi: If we talk about ballot-based voting done with pen and paper, I can explain it to anybody in five minutes. Even to my mom who is 80 years old. And after that, she is able, with the skill set she just learned in five minutes, she can verify that it actually works as expected. Now if we go to the stuff that AVS just spoke about, if you’re doing some crypto-magic stuff, there are like 50 people on the planet who understand the intricate details of that stuff.
Plus you kind of want to keep those 50 people away from the polling stations.
Tomi: Yeah, more or less. Usually they are equipped with some other useful skills as well. So even if you were able to design and implement an e-voting system that would be perfect in every feature imaginable, it would be very very difficult to audit, and that kind of brings its own set of issues to the supply chain of that computer system. How do you handle the complexities? How do you know that you’re actually running the compiled code from that specific source tree and so on? Because you have to be able to verify the whole thing every time, not just once.
Yeah, that’s different from all of the usual use cases for compiling computer code.
Tomi: Well, basically the same rules apply, but now we’re talking about democracy, and not just some programming language of the week type of hipster coding.
Antti: Yeah, so this is now why the auditable paper trail in e-voting systems is a great solution for this, because even if there was a problem with the systems, you can still always fall back on the paper trail. And that we don’t have in internet voting. And that’s the issue, and the main separation here.
Tomi: Another thing that became crystal clear during the pilot, if you don’t have full control over the endpoints, you have lost. There is nothing you can do. You can’t win, because there are simply too many ways you can fool the system.
So when you say full control of the endpoints, how full are we talking in the technology stack?
Tomi: Of course, you have to draw your trust boundary somewhere, but I’d say you need to have full control of the hardware, of all the firmware components or the middle layer, come before the operating system itself. You need to have a specifically tailored operating system, hopefully in a read-only mode, where you can’t make any proper changes to it. Repeatability is once again the key word, so you can always make sure you are running that exact specific version. Also some run time checks that it has not been altered after the deployment, and so on. When I say full control, I really mean full control.
So that’s more than just slapping a voting app on your iPad.
Tomi: Most definitely.
So let’s get an understanding of the problems with electronic voting. Why is electronic voting so hard to get right?
Antti: This is mostly a trust issue. The parties and individuals who lost in an election have to be able to trust the result. Let’s assume that we have a situation where for example, the society is very much polarized. There are two factions of the citizenship who are mutually distrusting each other, and there is a huge amount of social media-based argumentation, let’s put it this way, that tries to blackmail the other side. And now you have an election, and you lose. If you can point the finger towards a system that cannot be observed, or whose integrity is based on the opinion of a highly paid consultant for example, are you not going to use that as a weapon in the discussions that follow the election? You have to have legitimacy for the result, and that’s the hardest problem.
Tomi: I agree with that. Just merely disrupting an election is very often enough. If you can cast a doubt on it, cast a doubt on the process, you pretty much win.
So you don’t even have to actually affect the election in any way, you just make people think you did.
Antti: On the other hand, I’d like to point out another way of looking at it, where it’s actually better to have an internet-based election than no election at all. So if you can also imagine a country or a region that might be occupied, and the government in exile wants to hold a legitimate meaningful election, the only way they can do that is by using internet elections. So again here, it’s not black and white.
What would be an example of an attack scenario against an electronic voting system?
Tomi: There are a few different scenarios of how you can exploit the system if you have separated the authorization from the actual voting. One of the ways is that you can actually register to multiple places, and that allows you to cast multiple votes, because the authentication or authorization register is not a single backend system. But of course, it depends on how your voting works, but that’s a very legitimate threat. So you want to make sure that each and every voter is able to cast only one vote.
What’s the nightmare scenario of electronic voting?
Tomi: Well, I guess the movie plot scenario would be that somebody who was not even a part of the roster will actually win the election.
Right. And then everybody will be just questioning, like, how did that even happen? How can I trust any of the government institutions going forward? Who’s behind this? And all that.
Tomi: The key point with any voting system or process is that you want full transparency, but most importantly, repeatability. You can recount the votes, you can do all kinds of different checks and make sure that the election was a legit one.
So there are a lot of countries out there who are using a form of electronic voting today. Are any of them even close to getting it right?
Antti: There have been very interesting tries to get it right, for example in Norway. Based on a fully open source system, for example. But then again, every country and every society has to make their own threat model for what they are trusting and how much they are going to invest in that. Because creating a fully transparent, open source-based, repeatable build-based internet voting system, it’s not cheap. And unlike normal elections, you need to maintain that between the elections also, so that whenever the next round of iOS rolls around, your client will still work. So it’s not just a trust issue, it’s also an economical and financial issue for those countries that are taking that into use. In some countries or areas, the referendums are being held on – I’m not saying more trivial matters, but more often than in some other countries. Some countries like Finland, they only have a general election every once in a while, and those people who have been elected, they usually make the decisions. We do have the idea of indicative referendums as well, but those are very rarely used, mostly because of the costs involved, I guess. But there are some other areas where you have these referendums and indicative referendums much more often.
Would that be better for democracy? I would have my voting app on my phone and I would get referendums every 15 minutes and I could just sort of select the topics I want to weigh in on and vote.
Antti: That’s a very good question, should we ask the citizenship more about things that they really want. There is one good thing in representative democracy, and that’s the fact that like you are not going to fix your own shoes, and you’re not necessarily going to paint your own house, you’re going to contract it out to somebody who does it for a living. The politicians, like it or not, they make a living out of actually tracking all the things that go into a complex decision. If you need to distill everything into a simple question to the citizenship, that runs the risk of being really polarizing and dumbing things down. It’s not necessarily a good thing to ask everything from the citizenship, who doesn’t have the time to spend on understanding the intricacies of things.
Tomi: Winston Churchill once said that the best counter-argument against democracy is to speak to a voter.
He also said that democracy is the worst system of government out there, except for everything else.
Tomi: Yeah, that’s true. If we go back to the original question, I personally think that – at least this is true for Finland, and I would say for most of the smaller countries – e-voting is actually trying to solve an issue that we don’t have. I mean, what would be the benefit of having e-voting? I would really like to hear what that benefit is. Even nowadays, I mean, the voting places close their doors at 8:00, and we have the preliminary results within a few hours. And it’s a show of its own. And the final results take like 3 or 4 hours to complete. So how much faster does that have to be?
No, but now I have to get out of my house and go to a polling station to cast my vote, and it’s like this whole hassle.
Tomi: Once every six years or so.
Tomi: You need some fresh air.
I absolutely do. So do you envision that there ever will be a day when most people will just sit at home and vote online via the internet? Is that ever going to be the case?
Tomi: It might be the case for some of the stuff. I still feel that parliamentary votes or voting for president or those kind of things should not be done remotely.
Antti: Then again, things like deciding on where the city should build new buildings, for example. That’s not a question you can put to vote, necessarily. But you can collect the citizens’ opinions on that. For example, our hometown, Helsinki here, does a really really good job in actually asking for residents’ opinions. That’s done over the internet. That’s not polling, but that’s citizen participation. You can do a lot more citizen participation on the grass roots level without having to go for the problems involved in elections or actual balloting. So I could foresee a thing where people spend their evenings on the couch commenting on things that are close to them, like in the neighborhood, providing opinions and information for everyone’s benefit.
To inform the decision makers.
But like, security experts have fixed a lot of really complex issues in the past. So is there something about electronic voting that makes it a problem too complex to be solved by the best and the brightest?
Tomi: When I started looking at it, after three months I was pretty sure that this is a bad idea. After six months, I was completely sure that this is the most idiotic thing on the planet. And after that, the rest of the time I more or less just tried to make sure that this insanity doesn’t go forward.
Just because it’s fixing a problem that we don’t have?
Tomi: Not only that, but also the things that we already covered earlier, the requirements of trying to combine things that are not really combinable. The transparency, the repeatability, strong authentication, anonymity, those kinds of things, they are attributes that don’t get along that well.
Plus these are things that we struggle with in other applications as well.
Tomi: People underestimate how hard it is. It’s not evident. It’s one of those things that you look at it like, “Ah, this is a solved problem.” It’s not. I’d like to see that we first solve a few other issues before we try to tackle this one.
Every time there’s a conversation about electronic voting, you just wait a couple of seconds and somebody comes in and says, “What about blockchain? Maybe using blockchains will solve all e-voting issues.”
Antti: Yeah, I saw a picture on the internet related to one election where the physical ballot box was chained to a block of concrete. That was a nice implementation of blockchains in elections. But yes, whenever you are raising the concept of a blockchain, I think that it would be intellectually honest to also provide the details of what you’re talking about. I mean, is it a public or private blockchain? Who owns the nodes, where does the software come from, what’s the consensus algorithm? And after that, we can start actually discussing the merits of that specific implementation of the blockchain for anything.
So not all blockchains are equal.
Antti: Not all blockchains are the same, and not necessarily usable for the purposes that we want to use them for, so you have to give the parameters for that. The other thing is that if you are going to put the ballots on the blockchain, depending on your design of the election blockchain, you’re probably going to encrypt them if the blockchain is public. And if the ballots are containing information about the voter, then if it’s a public blockchain, there will be copies of the blockchain indefinitely, because of the nature of information, it gets copied. So the encryption also has to hold for the duration of those copies of blockchain. So if the copies of the blockchain are indefinitely being stored somewhere, in order to keep who voted for whom a secret, then the encryption also has to hold for that time.
So otherwise you could go back to elections like a couple of decades ago, and crack them with modern means, and find out what happened.
Antti: Right. For example, that.
Tomi: That’s already an issue, because many of the voting systems are actually storing the encrypted ballot boxes. And if you can repeat, or kind of revert the shuffling process, it actually allows you to see who voted for who, and that’s a big issue.
Absolutely. So you guys started off saying it’s hard to say if electronic voting is a good thing or a bad thing. But I think Tomi, you summarized it pretty nicely when you said maybe there’s a couple of other issues that we need to take a whack at before we dive into the pool that is electronic voting.
Antti: But I’ll say that if your country or area benefits, and your specific threat model and problems make internet voting a better choice for you, then you can obviously make that decision. I mean, if internet voting is the only way you can have a legitimate and meaningful vote because you just can’t do traditional voting, then the net result is that you should be doing internet voting. It’s the same as in any type of security. Not security for its own sake, but it has to always be a business decision, and here the business decision is the well-being of the citizenship or the residents that you have in your area.
Tomi: I definitely agree. This is not one of those one size fits all type of products or services. It really depends on your use case if it’s a good solution for you or not.
Well, there we go. On those words, thank you for being on the show.
Tomi: Thank you.
Antti: Thank you.
That was our show for today. I hope you enjoyed it. Make sure you subscribe to the podcast, and you can reach us with questions and comments on Twitter @CyberSauna. Thanks for listening.