In our last post we explained why elections are not run online — even though it seems most aspects of our lives are online — especially since the pandemic has required innovative solutions for remote life. This article will examine the current voting methods, using the example of the United States as it prepares for its presidential election.
In any democracy, a method of voting must prevent fraud, offer privacy and be cost effective. The problem is that adding security to elections generally decreases usability. For instance, requiring multi-factor authentication requires additional steps to access accounts. And while we try to keep layers of security as simple as possible, right now adding security to voting means additional steps and investment in the election process.
Another unique challenge to the U.S. elections is that Congress has not mandated a method to conduct elections, so this process is ruled by the states. Within the states, individual counties administer elections, for a grand total of approximately 5,000 government entities responsible for running and funding U.S. elections. The benefit of this is that certain areas can test various voting methods, but there is no proven, standardized approach to administer elections in the U.S. Security experts offering solutions to election security often suggest more software or no software. However, there is no golden solution; each system of voting has pros and cons.
Some security experts say that the only sure secure way to vote is using paper ballots with routine audits. In the 2020 U.S. election, an estimated 85% of votes cast will be on paper ballots. And although paper ballots are not hackable, they can be tough to tally and are not as accessible for people with disabilities. For example, in a paper ballot system a blind or vision-impaired person must cast their vote with help from someone else, which can compromise the security and privacy of that vote. And while paper ballots may be the only truly “unhackable” method of voting, if governments do not secure voter data, election sites and election communication, then any election can be vulnerable to attacks.
One of the most common election methods in the U.S. is voting machines. Many security professionals agree using voting machines with a paper audit system is a fairly secure method. However, these machines have proven flaws that white hat hackers have demonstrated can be exploited to cast multiple votes. Additionally, voters and government entities do not always audit the vote to ensure accuracy. Thirteen states do not require a paper trail for voting machines. Again, this variance in election procedure is because the federal government does not regulate the cybersecurity standards of voting machines, only offering voluntary guidelines that states can choose to adopt.
Not auditing voting machines against a paper trail is risky. Researchers at the University of Michigan found that these machines could be hacked, undetected by voters and government officials. In a simulated election, researchers watched 241 people use a ballot-marking device (BMD) and receive a print copy of their ballot to review. For every voter, the researchers changed at least one of their votes. Alarmingly, the voters barely noticed. Only 40 percent even reviewed their ballots, and only 7 percent alerted a worker that something was wrong. The researchers explained that if hackers changed just a few votes, especially in a close election, they could go undetected and still impact the outcome. “The implication of our study is that it’s extremely unsafe [to use BMDs], especially in close elections,” explained one of the study authors.
In the U.S. 2016 presidential election, about 21% of voters cast their ballots by mail. The COVID-19 pandemic will likely increase the number of voters using mail-in ballots. Some experts predict that up to 70% of ballots cast this November will be by mail. At least 35 states have modified their absentee/mail-in voting process this year due to the pandemic. That high increase of mail-in ballots has some worried about their security. The New York 12th District’s 2020 Democratic primary demonstrated what can go wrong with mail-in voting, especially since the pandemic is increasing the use of absentee ballots. About 400,000 voters used an absentee ballot, but with the high demand some voters did not receive their ballots in time and the Postal Service did not properly postmark some ballots. Only about one in five ballots were counted. Thousands of ballots were thrown out for postage and signature issues; consequently, it took six weeks to verify the election results. Yet many claim that these challenges stem from changes made to the process during the pandemic, and that they do not indicate fraud.
So how susceptible is mail-in voting to fraud? Brookings institute found that there is a history of low rates of voter fraud in states with widespread vote-by-mail policies. Currently, five states use primarily mail elections (Colorado, Hawaii, Oregon, Utah and Washington) and since implementing vote-by-mail, each state has only had a handful of fraudulent votes attempted by mail. Typically to secure vote-by-mail, signatures on every ballot must be verified against a voter’s registration record. The task of verifying and authenticating varies from state to state, though, and critics question the reliability of these practices since signatures are often compared by hand. Additionally, this verification requires access to voter registration data, which increases the need for two-factor authentication for employees and data encryption. Just like voting machines or paper ballots, mail-in ballots can be a secure way to vote when verified and authenticated correctly.
There is no perfect solution: each method of voting has vulnerabilities. Regardless of the method your area uses to vote, you should still participate in the voting process. Not participating is a guarantee that your vote won’t count. However, government entities can take steps to understand the vulnerabilities in their processes and secure them, which will increase voter confidence and help ensure the integrity of elections. To continue learning about secure elections, stay tuned for our next blog on securing voter data and avoiding phishing around elections.