How voting security can protect the integrity of elections

October 6, 2020

Q&A

Computer science professor Doug Szajda is an expert in computer networks and security, and he includes voting security as part of the curriculum for his classes. With less than a month before the November general election, he explained how to reduce risks to the vote.

What are some of the major concerns around voting security?

There are four primary security goals related to elections: integrity, transparency, privacy, and keeping ballots secret. Integrity means the result of the election accurately reflects the votes cast. Transparency requires that everyone must be able to verify that the election was conducted appropriately. Privacy requires that no one learns how any individual voter has voted. And a secret ballot requires that no voter can prove how he or she voted.

Most of the media attention these days seems to focus on integrity, and concerns about preventing things like election fraud, ballot stuffing, multiple voting, and the like. But the goals mentioned here go much further. Transparency ensures that the losing side is convinced that they have lost fairly, and thus (in theory) accept the result of the election. A secret ballot prevents coercion — the ability to lie about who one voted for is essential for preventing vote-buying and other attempts at coercion. The bottom line is that the goals point to an overall objective that is more comprehensive than election integrity. Rather, they support verifiable integrity.

Are electronic voting machines riskier than paper ballots related to security issues?

Electronic voting machines are computers. Verifying the performance of any computer is difficult. This is especially the case with electronic voting, as manufacturers are not inclined to allow inspection of the code that controls the equipment. Even if this code were open for inspection, verifying its correct operation would be difficult in theory and virtually impossible in practice. The result is that with the current state of the art, in the absence of a paper audit trail, the transparency requirement cannot be met.

Another important difference between electronic voting machines and paper ballots is the potential influence of an individual. When paper ballots are used, attempting to influence an election through voting fraud is difficult because it requires conspirators in precincts across the country.

With electronic voting equipment, however, a single conspirator — for example, an election supervisor with a flash drive or key required to activate voting machines — can potentially corrupt several machines. Worse, a single rogue programmer working for a manufacturer could craft an attack that might influence machines in a few key districts, and then only during a presidential election. Given the margins of some recent elections, skimming votes from one candidate to another could easily change the election outcome.

Given the current state of the art, and recent history, any electronic voting system lacking a verifiable paper audit trail places the integrity of elections into question.

What are the best ways to ensure the election process is secure?

Security professionals often talk of the field as being about risk management, more than prevention, so I get a little uncomfortable with terms like "ensure.” So perhaps rather than ensure, we should consider how to employ systems that create a very high probability that elections are secure. To do this, attention must be paid to the all of the security goals, not just integrity. Transparency is crucial, especially when dealing with our current climate in which large numbers of people will likely be disappointed in the election outcome, regardless of that outcome. Given the current state of technology, this means ensuring that whatever system is in place, it includes a verifiable paper audit trail.

Electronic voting systems exist that include verifiable audit trails that meet the required standard. Given the necessary integrity measures, vote by mail can also be considered secure. Similarly, paper ballots, though subject to their own shortcomings, can provide reasonable security. On the other hand, pure electronic voting systems, Internet voting, and voting via mobile phones are generally considered by security professionals to be dangerous. Finally, the officials making choices related to voting systems need to be educated about the strengths and weaknesses of potential systems, hopefully prior to those systems being purchased.