Date: 2020-08-26
I commit to you that I will not be discussing election security in a weekly dosage as we count down the days before that Tuesday. I could. There are enough concerns over election security from foreign influence to voting itself. Every election season the pickin’ gets riper for hackers to infiltrate our democracy. Each year brings technologies deeper into life, voting being in that cavalcade of human experiences. There are gads more topics that are current, that may help you and your family navigate technology and security issues, and that are much more engaging and even entertaining than election mechanics. Nevertheless, I cannot avoid the topic and will pepper the next couple months with items of note that relate to your exercise within the democratic process, your duty to vote.
Today, I’m taking my cues from some über-smarties from the Massachusetts Institute of Technology. The haughty institution that is MIT enjoys a storied reputation of intellectualism. I remember being awed when I learned that one of my closer high school friends from our southern Illinois, agro-centric community shared his college plans. “Whoa!” I thought, “Who woulda thunk that they let Podunk Midwesterners crash their eastern seaboard establishment?!” It’s such a place for brainiacs that it enjoys its self-referencing idiom, “The MIT of x-y-z.” Like, “The Cadillac of…”. You’ve seen these nods in anything from Armageddon to Ghostbusters to Arrested Development. Thus, when I learned of a study about election security done by a trio of MIT folks, I was attentive.
With a title beginning as “The Ballot is Busted” I knew I was onto some juicy intel about November 3’s fate, at least as it could’ve been affected by the report’s findings if online voting were live today. You may think that voting online will never happen but know that it’s been in development for a few years. West Virginia conducted a trial in 2018. A mobile phone application known as Voatz (clever, right?) was deployed for a pilot set of voters who actually, legally voted via their smartphones. That’s a few steps beyond where mail-in voting is. Leave it to MIT to examine tomorrow’s world, though.
The voting application uses blockchain technology. Blockchain is a mess of an explanation, technologically, but let’s start with a basic understanding that the process—blockchain is not a thing, per se—takes information, let’s say a sentence, then chops it into pieces, the letters and syllables perhaps, encrypts them into gobbledy-gush, and then places them in various locations along the Information Superhighway. Let’s then say that you are the one person whom the sender actually wanted to read the sentence. You, therefore, get the key to decrypt the pieces and of course have access to where they are. You and the sender are now able to securely communicate. Voatz does the same basic operation. It takes a voter’s choice, which in digital form consists not of a name or a party but ones and zeroes, and chops it up, encrypts it, and distributes it so that, presumably, the state’s election officials can later count it.
At all of the steps along the way, so many more than the simple explanation I just shared, Voatz is vulnerable. When the voter initiates a communication with Voatz, despite the encryption, the app may not truly be able to discern who they are. The user-voter then creates an account, which again could be phoney-baloney. Then the voter opens up the app using those login credentials and a PIN. The next step is to have the voter and Voatz head over to a third-party application that independently (?) confirms the user when she presents her driver’s license in front of her phone’s cam, and presents her face, while the third-party application—err, another point of vulnerability, yes?—verifies that the mug belongs to the ID, and they both belong to that particular voter. Last step: voting.
Spoiler alert: The MIT researchers did in fact find holes all over the Swiss cheese brick of processes. When the person and the app meet, they noted that some of the security protocols serve no real, useful purpose. They were able to replace website addresses within the app, a tactic that could become a so-called man-in-the-middle attack. Next, when potential voters input their name, phone number, and such to set up an account, more holes. These are mainly evident and require scrutiny because, unless voters have a very watchful eye on their screen, the user never even realizes that all of this information, including biometric data for those using a fingerprint for smartphone login, heads off to another company altogether. Guess who’s Number Two on election hackers’ target list after Voatz. Now, it’s time to vote. As I described it above, the technology purportedly securing the system surrounds blockchain protocols. When perfect, blockchain can also be a perfect protector. But, that requires more than savvy programmers creating an effective—i.e., secure—blockchain protocol, which we’ll presume that Voatz uses.
In the West Virginia experiment the voter information didn’t get piped directly into the blockchain process. The ballot selection, a data point as important as the user’s private information, was actually and simply submitted to Voatz, which then shuffled it into the blockchain. Say you’re headed to the bank to put your renewed will into a safe deposit box. The bank’s protocols and the safe deposit box create security. But, you’re busy so you ask some fella on the street to deposit it. See?
Before publishing their findings, the researchers alerted the Department of Homeland Security. Voatz disputed the results, go figure. These vulnerabilities are mere highlights, in my sense, and there are various other risks involved. We’ll come to a time when this is the norm. For now, let’s try to ensure the voting, no matter the mode, is uninfluenced and secure. Phone voting? Maybe some day.
Ed is a professor of cybersecurity, an attorney, and a trained ethicist. Reach him at edzugeresq@gmail.com.
