Five years ago, I made a video for a channel called Computerphile about why electronic voting is a bad idea. And I still get emails, occasionally, asking: things must have changed by now, right? There’s this new idea, and maybe it’ll help. Surely electronic voting is just around the corner? No. No, it’s really not. Here is why electronic voting is still a bad idea.

Elections have some very unusual requirements. There are two key features that are almost opposed to each other: anonymity and trust.

So first, your vote should be completely anonymous. There should be no way that anyone can find out who you voted for, even after everything’s been counted. That way, no-one can bribe you or threaten you to vote a particular way. In the UK, if you mark your ballot in a way that could potentially identify you, so if you sign it, for example, then that ballot is not counted. This is why election officials are worried about people taking selfies with their completed ballots: because you should not be able to prove how you voted afterwards. Otherwise, you can have attacks like “$10 off for blue voters!” or “Entry to this party only for yellow voters!” or “vote red or you’ll regret it.” Votes have to be anonymous.

The second requirement is absolute, transparent trust. The system needs to make sure that your vote is securely and accurately counted, sure. But it also needs to be obvious to everyone, no matter their technical knowledge, that the system can be trusted. So if you’re using paper, you place your ballot in a sealed box that doesn’t get unsealed until everyone with a stake in the election has someone representing them in the room. There should always be people from more than one side guarding it, or at the very least, witnessing that there’s a tamper-proof seal being used for transport. Voters need to be able to trust that their vote will be counted even though they’ll never see it again and it can’t be traced back to them. And at no point is a single person put in a position of trust. People can be corrupt, or threatened, or incompetent, or all three at the same time.

Now, physical voting is not perfect. It can be attacked; it has been attacked. The UK’s own paper system doesn’t fulfil both of those requirements perfectly: it is possible to identify voters from their ballots if a court orders it, and there are stories about that being done outside the law too. But the key point is not that paper voting is perfect: it isn’t. But attacks against it don’t scale well.

Physical voting is centuries old. And in that time almost every conceivable fraud on the system has been tried, and defences have been found. The more physical votes you need to change, the more people you need to influence, the more time and money it takes, and the less likely it is that your little conspiracy will stay secret. In a UK election, there are hundreds of polling stations across the country, with staff made up of scores of employees and thousands of volunteers. The job of changing a significant number of votes, enough to sway an election, becomes very, very difficult. People have attempted it, some people have been convicted, a few have probably gotten away with it on some scale. “Granny farming” is the term that shady operatives use for going round all the retirement homes and getting vulnerable elderly people to sign a proxy vote, a paper saying that someone else can vote on their behalf. And yeah, on a small scale, that has worked. But once you start scaling up that attack it becomes extremely difficult and time-consuming, and the chances are you’re going to get found out.

With electronic voting, that’s not the case. So first, let’s talk about electronic voting machines. That’s where there’s a computer at the polling station: so voters still go into a booth, it’s just that they are pushing buttons, or tapping things on a touchscreen, not writing on paper.

Problem number one: trusting the software and the hardware. In theory, our voting computer could be running open source software where anyone can see and check the source code. In practice, that doesn’t happen: it’s probably going to be closed source, it’s probably going to be loaded off an easily-compromised USB stick, on a computer that’s been sitting unguarded and sometimes just idly and inexplicably connected to the internet for years. And those systems only ever get a full-scale test when an election actually takes place. That in itself should be enough to stop electronic voting ever being a thing.

But, okay, let’s say that we do, magically, have the most stable, secure, open source software possible. How does a voter know and trust that the correct software is actually installed on the machine they’re using? Maybe we could use some sort of checksum or some other system to make sure the voting is running correctly. But then you’re just moving the problem: now you have to trust that checksum hasn’t been forged. And almost no voters actually will understand what that check even means, or why they should trust it.

In the United States, voting machines are regularly tested every year... at the Voting Village at DEFCON, one of the world’s largest hacker conventions. It’s not an official thing. Hackers there have managed to alter the stored vote tallies, change the ballots displayed to voters, and in one case, have got a machine to run the video game Doom.

Imagine if, instead of a machine, there was just a person in the voting booth, and you had to whisper your vote to them, and they promised, oh, yes, you can absolutely trust them to accurately record your vote and pass it on to the people who are doing the count. No, you can’t see how or where they’re writing it down, you can’t actually call and find out where they are or what they’re doing, but they absolutely promise. That’s basically what’s happening with an electronic voting machine. You just have something that says: trust me. I’ve counted your vote and I have absolutely not been compromised. Honest.

Problem number two is votes in transit. How do you get the votes off that machine to the central counting place? There are three possible ways. One, you could take all the voting machines to the count. You could seal them all up, and transport them physically from where the voting took place to where the counting takes place. No one does that. So, you could download all the results from each machine onto a USB stick and take that. One bit of sleight-of-hand and you’ve got a completely different set of results. If you’re about to propose some system where the results are checksummed and trusted: please explain that to the average voter in a way they can understand and implicitly trust. Okay, so, maybe we could transmit the votes electronically over the internet. Which is… optimistic. Man-in-the-middle attacks are more difficult now, but they’re not impossible, particularly if you can’t trust the software on either end. And now you’re connecting the voting machines directly to the internet. Deliberately.

Which brings us to problem number three: the central counting server. Right at the end of the process there is the server that tallies the votes and gives the final count. Which has all the same problems with trust and verification as the individual voting machines, but now only a few people can even see that computer. That’s also true about electronic counting machines: ones that take stacks of paper ballots and return totals. How do you trust they aren’t quietly changing some votes? We live in a world where Volkswagen got away with specifically designing their cars to cheat on emissions tests for years.

And that’s before we include user error. In one Scottish election, trialing electronic voting, a result was corrected after one observer noticed it didn’t make sense, and stopped the announcement at the last minute. Turns out that someone forgot to scroll all the way to the right to read the columns on an Excel spreadsheet with the results in.

And even if you can’t compromise the election, you can still break trust. You can still cast doubt on a voting machine, or the entire counting system, just by leaving an unknown USB drive in it, taking a picture, and posting it online. Or just faking a photo of that. To break an electronic election, you don’t actually need to break it: you just need to cast enough doubt on the result. It is a lot more difficult to do that with paper and physical ballot boxes.

And all this is before we get to the really terrible idea: that people should be able to use their phone or computer to vote from home. Now, I’m sure the device that you, personally, are watching this on is malware-free and up-to-date. Of course it is. But can you trust that for everyone in your family? For everyone on your street? The exact numbers differ depending on which security firm’s figures you go with, but it’s safe to say that a huge number of computers are infected with some sort of malware. Huge numbers of phones are on old, vulnerable versions of their operating systems. And that’s just scammers setting up botnets and minor extortions. Imagine the sort of attack that could be put together by a small, well-funded team backed by a national government. That sort of attack would scale very, very well. Find the one hole in the system, and suddenly it costs roughly the same to change one vote as it does to alter millions: and your conspiracy stays very, very small indeed. Maybe you don’t even have to set foot in the country whose elections you’re hacking.

Now, there are a couple of regular objections I get to this. First of all: what about Estonia? Yes, in 2005 Estonia became the first country in the world to offer internet voting, first in local elections, then in national, then in European. In 2019, more than 40% of votes were cast online there, which is just short of a quarter of a million people. On the surface, the system seems robust. Voters can ID via their government-provided smart card, or the SIM card in their phone. But there are problems. An independent report found gaps in the procedural and operational security. The architecture of the system is a decade old and it’s now dangerously out-of-date, and it’s open to cyberattacks by foreign powers, either by exploiting individual phones or by breaking the trust in the server that counts the votes.

The other common objection is: what about new technologies? What about blockchain? Look, leaving aside trying to explain blockchain to people and asking them to trust this weird technology is worth using, it’s basically just a write-only database. It doesn’t solve the problem of trusting the software or hardware: it doesn’t change how the voting machine works, the interface between the voter’s intention and what’s actually written to the database still has to work. If it prints a receipt of the vote you can check later, it breaks anonymity. If it prints a receipt of seemingly-random numbers you can check later, it breaks trust, because hardly anyone will understand what’s actually going on there.

I’m not saying there aren’t advantages to electronic voting. Yeah, there are. Accessibility is the main one, and that’s really important. In low-stakes elections, for small groups, for the little things, sure, go for it. But when the future of nations rests on the result: electronic voting is still a bad idea, and you should still vote against it. While you can.

I’m endorsing Dashlane for two reasons: one, they’ve given me money. Obviously. But two, because I genuinely believe that if you’re techie enough to watch to the end of this video, you should absolutely be using a password manager. If you go to dashlane.com/tomscott, you can get a free 30-day trial of Dashlane Premium. Password storage, generation and autofill that works across devices, browsers, operating systems, everything; it syncs all your data in the cloud without sending any of those actual passwords to Dashlane themselves. If you want to know how that works, see previous sponsored sections. Using long, complicated, symbol-filled passwords that are completely different for every web site and every app is ideal for security: but remembering them is nigh-on impossible and typing them in is a pain. Being able to use a single master password, or the biometrics on your phone, is great: you’ve got one thing to remember. Dashlane will also store and autofill credit card information, so you don’t have to retype it every time you buy something online. You also get a VPN and a gigabyte of secure storage. So: dashlane.com/tomscott for a 30-day free trial of Dashlane Premium, which includes unlimited password storage and sync. And if you like it, you can use the code “tomscott” for 10% off.
I say this to every single non-tech person who's always complaining about the voting process being archaic. Physical voting is tried and tested for hundreds of years. We know the flaws, we know the defenses. This is one avenue technological advancement would hinder far more than improve.
XKCD said it best, and it will always be true: https://xkcd.com/2030/. What you don't want is votes being thrown into a black box nobody can observe.
I felt like he was speaking directly to me when asking those of us thinking of checksums and such for certifying the data to explain that to the average voter in a way they would trust and understand. Well crap, fair point
The analogy of whispering a guy your vote and him assuring you he will count it correctly should be easy to understand for non-techies. I will use it when the topic comes up.
My voting place only does electronic voting. Do they have to give me a physical ballot if I request it?
This is a message worth repeating.
I'm a network engineer, people are always shocked when I come out against electronic voting.
I've seen the security setups some companies have. And no matter how good you are, there is always someone better.
Canada has had a simple paper ballot system for my entire lifetime. Candidates are listed and you make an x beside the one you like. That ballot is then folded and given to a poll worker who puts it into a sealed ballot box (this ensures no one tampers with the submitted ballots by dropping in multiples, acid, ink, etc.) A truly bipartisan government department (Elections Canada) gathers and counts all the votes by hand under heavy scrutiny.
We've never had an election where the results weren't known before midnight or where there was the slightest hint of vote tampering. The system is bog-simple and requires no machines, just pencils, paper and plenty of volunteers. America could move to this kind of system and not only save millions, but also almost completely eliminate lines at polling stations. But America won't do this because the plutocrats in power don't want to encourage democracy or have a system that they can't game.
It's completely fucking unnecessary.
Just a bad idea all around, god knows why some places use it.