76 Scientific American, June 2019Zeynep Tufekci is an associate professor at the University
of North Carolina School of Information and Library Science
and a regular contributor to the New York Times. Her book,
Twitter and Tear Gas: The Power and Fragility of Networked Protest,
was published by Yale University Press in 2017.THE INTERSECTION
WHERE SCIENCE AND SOCIETY MEETIllustration by Christina ChungOnline Voting?
Fuhgeddaboud it!
Tech experts can’t guarantee it’s safe
By Zeynep TufekciOnline voting sounds like an idea we should be able to make
work. After all, we do so much online already, and we routinely
transmit sensitive data such as financial or medical records by
encrypting them. Further, there are cryptographic methods, called
end-to-end verifiability, that promise citizens that their votes are
recorded as they intended; that each vote is tallied; and that the
final tally is the sum of all the ballots. Plus the convenience of
online voting may spur more participation in elections.
And where better to try online voting than in Switzerland,
where people vote early and often? Although the Swiss have a tra-
ditional parliament, many consequential decisions are voted on
directly by the people. Unsurprisingly, this results in lots of elec-
tions! In just 2018 the Swiss held 10 different referendums on a
variety of topics. Voting that much makes the Swiss even more
sensitive to electoral convenience than we are.
There is already limited online voting in some Swiss cantons,
using two separate certified systems. The government says two
thirds of those eligible have chosen this option, attesting to the
demand. When the country decided recently to try to dramatical-
ly expand online voting, they proceeded methodically in true
Swiss fashion. The first step was to hold a mock referendum and
invite the world’s “white hat” hackers—security researchers who
expose vulnerabilities so that they can be fixed—to infiltrate the
system, offering about $150,000 in rewards and bragging rights.
The rewards were swiftly claimed. Three independent teams
showed that hackers could alter vote results undetected—the
worst-case scenario. The flaw pertains to the way that the system
“shuffles” the encrypted votes to protect voter privacy before tal-
lying. This is fixable. But even if it’s fixed, how can voters be fully
assured that they should trust the new system?
And therein lies the biggest flaw in all e-voting schemes: the
ones that don’t employ cryptography cannot provide the crucial
guarantees of secret balloting and verification of tallies. And those
that do use cryptographic schemes require that the voters trust the
experts. Estonia, a country that has used online voting since 2005,
is a case of the latter. A team of researchers at the University of
Oxford that examined Estonia’s system in 2016 praised many of its
safety procedures but noted that because of the country’s small size,
officials also rely on building trust among people who run their
elections through interpersonal relationships. Estonians seem to
think that’s good enough—but it’s not an easy model to export.
Another thing that distinguishes Estonia is a mandatory dig-
ital ID system: every Estonian citizen is issued a card with cryp-
tographic keys widely used for both public- and private-sector
functions. While that solves one problem—how to identify voters
and prevent double voting—it creates another: such systems can
also function as a vast tracking and surveillance system that oth-
er countries may not be comfortable with.
Digital IDs can create a third problem: in 2017 a weakness was
found in the hardware in Estonian cards, potentially allowing
identity theft—the very thing the card is supposed to prevent.
Officials quickly replaced the cards and upgraded their systems,
but a real crisis was averted only because the flaw wasn’t actual-
ly exploited. Next time, that might not be the case.
In the end, the biggest flaw in even the most secure online vot-
ing system is this: trusting the experts isn’t supposed to be how
voting works. It’s true that voter fraud and errors can occur in a
variety of systems, but electronic voting lowers the bar for both
stealthiness and scale. Paper ballots can definitely be corrupted,
but that requires organizing lots of people in a secret scheme that
is hard to keep under wraps. And if fraud is suspected, you can
just do a recount in the presence of eagle-eyed observers.
Trust in election results is the bedrock of any democratic gov-
ernment’s legitimacy. Online voting systems cannot fully assure cit-
izens that there are no trapdoors, backdoors, bad implementations
or weaknesses. Instead of online voting, democracies should focus
on making voting convenient through other measures: national
holidays on election days, increasing the number of polling places,
sufficient numbers of voting machines to decrease lines, transpor-
tation to the booth for people who need it, and more. Voting is too
important for systems that rely on “trust the experts” schemes.JOIN THE CONVERSATION ONLINE
Visit Scientific American on Facebook and Twitter
or send a letter to the editor: [email protected]