Pakistan recently concluded its first use of an Internet voting system for overseas citizens. The i-Voting system was developed by the National Database and Registration Authority (NADRA) in response to a petition filed in the Supreme Court by the Pakistan Tehreek-i-Insaf (PTI) seeking efforts to facilitate the overseas Pakistanis’ right to vote.
Security concerns subsequently led the Election Commission of Pakistan (ECP) to form a task force to evaluate the i-Voting system. It was headed by information security specialist Dr. Manshad Satti, and included experts from leading universities, including myself, and provincial Information Technology boards.
We soon uncovered numerous security vulnerabilities, some of a very critical nature. Our final recommendation was not difficult: this was going to be the largest deployment of Internet voting in the world by far; it was designed around a model known to be vulnerable and had demonstrable security flaws; votes cast using this system would directly impact each and every constituency in Pakistan; and we had to be mindful of the political and social consequences of system failure. The risks were simply too great. This system was in no shape to be deployed in the forthcoming general elections.
Many of the vulnerabilities we identified in our report could be fixed, but there are some that are structural – that are inherent to this particular model of Internet voting – and it is not clear that they can be fixed. Moreover, we identified certain attacks which are undetectable. A large-scale deployment is still a very risky proposition.
Internet voting has been marred with security concerns for a very long time. But if we take a step back, we realize that the Internet itself has a very troubled security record. Yes, we now bank and shop online, as several tech enthusiasts constantly remind us, but security breakdowns are the norm not the exception on the Internet. As I write these words, the head of the Federal Investigation Agency’s cyber-crime wing is on the news telling the public that all major Pakistani banks have been targeted in one of the worst security breaches in the country’s history. And, to quote Ron Rivest from Massachusetts Institute of Technology (MIT), one of the founders of modern information security systems, voting is simply ‘too important to put online’.
I’ve been researching election security for about five years now, and this, I believe, is the consensus view of the scientific community. In fact, only this September, the US National Academies of Sciences, Engineering, and Medicine, released a report about cyber vulnerabilities in the US election system, and they stated, “We do not, at present, have the technology to offer a secure method to support Internet voting.”
Their recommendation: “At the present time, the Internet (or any network connected to the Internet) should not be used for the return of marked ballots … Internet voting should not be used until and unless very robust guarantees of security and verifiability are developed and in place.”
Let’s consider some of the issues.
Our i-Voting system conforms to the standard design of Internet voting systems deployed in other countries and is straightforward to use. The voters register with the service using personal identification documents, and authentication credentials are dispatched to their email address. Then, they log onto the system using these credentials and their vote gets recorded in a centralized database. When polls close, these votes are summed up.
The most fundamental problem here, of course, is of voter privacy. This may not seem like a big deal to some here in Pakistan, but in the developed world – with its singular focus on liberal values and human rights – individual conscience is a sacrosanct notion. The secrecy of the ballot is a fundamental right. It is recognized as such in Article 21 of the Universal Declaration of Human Rights, and is clearly spelt out in our own Elections Act 2017, and Article 226 of our Constitution.
Read more: Microfinance and Fintech
But if an election is conducted outside of a polling booth environment, ballot secrecy is really up in the air. And where there is no secrecy, we have the far greater problems of vote manipulation. Earlier this month, India’s former chief election commissioner, S. Y. Qureshi, dismissed the possibility of India going down the Internet-voting path anytime soon because “people can be put at gunpoint to vote for anyone or can be bribed.”
Then there are certain limitations of the Internet infrastructure. For instance, there is a very common attack, the Denial of Service (DoS), in which attackers generate an overwhelming amount of traffic directed at the election portal to choke its bandwidth. This renders the portal effectively inaccessible to legitimate voters. Commercial parties mitigate such attacks by commissioning third party services (like Cloudflare or Akamai) to act as intermediaries in the network which filter out the bad traffic before directing it on to their own servers.
The problem then becomes – if a third party can inspect all our incoming traffic, they can just as easily change the content of legitimate votes. And, in our case, we have no way to check. Outsourcing security to third parties always opens up this risk, especially when these services are based overseas and subject to foreign jurisdiction.
Elite intelligence agencies are the next insurmountable problem we face. Internet banking and e-commerce is routinely hacked, but attacks on Internet voting take us into the domain of cyber warfare, which is a different ball game altogether. In this case, the attackers have formidable technical expertise and unlimited resources and they devise attacks of a scope and scale that the typical lay person cannot even fathom.
For instance, there’s Project Skynet in which the NSA hacked into Pakistan’s cell phone towers, harvested the metadata of 55 million mobile phone subscribers, tracked their everyday movements, and then used machine learning tools on this data to identify suspected terrorists. We didn’t even find out until Edward Snowden leaked the details.
Such agencies typically also maintain an arsenal of what we call ‘zero-day exploits’, i.e. vulnerabilities which they have personally discovered in software systems and kept secret. Researchers have demonstrated how zero-day attacks can specifically impact Internet voting. How does one defend against such unknown vulnerabilities?
These problems are, in a sense, inherent to this particular model of Internet voting, and therefore very hard to fix without a complete overhaul of the system. The conventional Internet voting model is demonstrably broken – which is why the overwhelming majority of developed countries are rejecting it. But, thankfully, we now have new emerging models which offer a way forward.
“A secure Internet voting system is theoretically possible,” cyber security guru Bruce Schneier famously commented back in 2002, “But it would be the first secure networked application ever created in the history of computers.”
A quiet revolution has happened in election technology research since then. We now have, on paper, a new paradigm for electronic voting systems – referred to as end-to-end (E2E) verifiable voting – which offers strong cryptographic guarantees on election security. Using these systems, election administrators, foreign observers, and voters can now personally verify that their votes have been correctly recorded by the system – and, all of this, without compromising their privacy. We even have designs for E2E verifiable systems for Internet voting where voters cannot be coerced even with a gun to their head. The problem is that these systems are far too difficult to use.
Read more: Making Digital Lending Work
The challenge for researchers and election administrators now is to translate these theoretical designs into practical real-life systems. The US National Academies report quoted earlier strongly recommends that E2E voting systems be piloted, starting at the precinct level in small-scale elections.
In fact, progress is already underway. The Scantegrity system was successfully trialed in municipal elections in Maryland in 2011. Prêt à Voter was adapted for Victoria state elections in Australia in 2014. STAR-Vote is due to be deployed in state elections in Texas. The Helios Internet voting system has been extensively used in university and inter-organizational elections, including those of the International Association for Cryptologic Research. Blockchain-based voting systems are currently being piloted in Russia. And at the national level, we have Estonia – a favorite example of proponents of Internet voting – that is now in the process of switching over to E2E verifiable technology.
When we were authoring our i-Voting assessment report at the task force head office, it was these exciting new developments that motivated our key recommendation: the ECP should invest urgently in a dedicated research cell. The goal of this body should be to investigate emerging election technologies and develop in-house solutions. This approach has a clear advantage: we can build customized solutions at a mere fraction of the cost of most voting systems on the market today.
The future for electronic voting is definitely looking up. What we choose to do about it remains to be seen.
The writer teaches at the NUST School of Electrical Engineering and Computer Science in Islamabad.