This year’s US Presidential Election was characterized by massive dithering over the spectre of voter fraud, real or imagined. Such dithering has of course existed long before that, and not just in the US. And for some time now, some governments have been considering blockchain as a potential tech solution to the problem of election fraud and distrust in the system.
The general pitch is pretty straightforward – distributed ledger technologies like blockchain have the power to make transactions immutable and transparent. Thus, in theory, it can do the same for internet voting – specifically “remote” voting, where voters can download a blockchain-based app, register, cast their vote, and have that vote verified, with no fear of anyone changing, deleting or duplicating it.
A number of blockchain voting trials have been going on worldwide for several years. In 2018, Thailand’s Democrat Party used the ZCoin blockchain for its primary election, in which over 120,000 party members voted either at voting stations using a Raspberry Pi-based system, or a blockchain-based mobile app. The Swiss city of Zug (itself a blockchain tech hotbed) successfully completed a blockchain voting trial the same year, as did the US state of West Virginia.
Meanwhile, blockchain-based mobile voting app Voatz – which has been trialed in various US cities for primaries and small-scale elections – got its first workout in a Presidential election this year in three counties in Utah for disabled voters or US military personnel registered in those counties but stationed overseas. Voatz is also launching its first trial outside of the US this month in Brazil in a pilot scheme with the election commission (although none of the votes in that trial will actually count in the election).
This has naturally led to a lot of speculation (and not a little hype) about how blockchain is the future of elections, and those of us who live in democracies will be able to vote online the same way we do banking, shopping and virtually everything else online.
Just one problem: many security experts, for the most part, are horrified.
In general, many security experts tend to cringe at the proclamation that blockchain makes everything somehow more secure. There’s even an xkcd comic about how bad an idea computerized voting is, and how blockchain would make it worse.
In February, researchers at MIT reported that the Voatz app had serious security issues [PDF] that could allow a bad actor to alter or block votes, or even make them publicly visible (a very serious issue, as secret ballots are a key requirement of free and fair elections).
Voatz responded that the researchers used an outdated Android version of the app that never actually connected to Voatz’s backend servers in AWS and Microsoft Azure, leading them to make wrong assumptions about how the servers worked. (The researchers said they took a “cleanroom” approach because performing a security analysis against a running election server “would raise a number of unacceptable legal and ethical concerns”.)
Compounding the problem
However, earlier this month, another team of MIT researchers (that includes one person from the earlier report) released a draft of a new report that evaluates three proposals for blockchain-based voting – voting with coins, permissioned blockchains and zero-knowledge proofs (ZKPs) – within the context of existing security problems with online voting in general and the minimum requirements for a free, fair and trustworthy election. Result: none of them solves the overall security problems online voting systems currently face, and in fact introduce new problems.
For example, using coins as votes involves public/private key pairs, where a registered voter gets one “coin” from the voter authority, then spends that coin on the candidate of their choice. Later, everyone looks at the blockchain and counts up the coins (votes) to see who won. The problem, the MIT report says, is that it’s not a secret ballot, doesn’t prevent collusion by the miners, and requires everyone to cast their vote by a certain cutoff time, making it vulnerable DDoS attacks that could prevent users from accessing the network to vote. It’s also vulnerable to key management issues, as are permissioned blockchains (where participation is centrally approved).
As for ZKPs (in which two online parties verify information with each other without sharing the underlying data), a key challenge is software bugs (see: a bug in Zcash that enabled undetected counterfeiting). Another challenge is the fact that ZKPs are typically deployed in blockchain systems where both parties want to keep the information secret. There’s nothing stopping either of them from making it public. It would also make the voting system too opaque, which could undermine public trust in the results, the report says.
Meanwhile, the fact that blockchains by nature add more complexity to already complex software systems and management means they will inevitably create new attack vectors. There are numerous examples of cryptocurrency hacks and failures illustrating this – there’s no reason to assume that blockchain-based voting systems will be any different, the report argues.
Also, while banking and retail outlets are going online and adopting blockchain in various ways, the report notes that first of all, those also experience hacks and failures. More importantly, they’re generally designed to tolerate such failures. In an election, the stakes are far higher, not only in terms of votes and outcomes, but trust in the system and recourse for people whose votes are hacked. In fact, the report says, the most reliable way for voters to verify that their ballot is accurate remains low-tech paper ballots.
Lead author Sunoo Park adds that another crucial quality missing in blockchain systems is “software independence”: the assurance that an undetected change or error in a system’s software cannot cause an undetectable change in the election outcome.
“If vote-casting is entirely software-based, a malicious system could fool the voter about how the vote was actually recorded,” says MIT professor Ron Rivest, co-creator of RSA public-key encryption and senior author of the paper. “Democracy – and the consent of the governed – cannot be made contingent on whether some software correctly recorded voters’ choices.”
Selectively applied blockchain
On the bright side (for blockchain champions, at least), the key phrase there is “entirely software-based“. The report emphasizes that the research analysis is focused on scenarios in which the entire voting process is done online via blockchain with no other options: “This article does not oppose the use of technology in the context of in-person voting systems with hand-marked paper ballots, and would support it in many contexts.”
The distinction is crucial because most proposals described as “Internet voting,” “mobile voting,” or “blockchain voting” involve electronic-only recording of votes, the paper says.
That said, blockchain voting trials to date have been extremely limited to the point where any potential problems would be negligible except in the closest of elections. According to Fast Company, the Voatz trial in Utah County during the Presidential election was limited to disabled voters and residents living overseas, which amounted to 887 mobile votes out of 290,000. Utah County clerk Amelia Power Gardner doesn’t envision a wide rollout of mobile voting until at least 2028, and even then it would be one voting option of several, not the only option.
If nothing else, while blockchain may be a problematic solution for online voting, it could be applied to select parts of the election process, such as voter registration management or auditing.
For example, the Associated Press says it used the Ethereum and EOS blockchains to time-stamp and verify its live election results for the Presidential election.
Earlier this year, India’s chief election commissioner Sunil Arora said the Election Commission is working with the Indian Institute of Technology in Chennai, to develop a blockchain system to address the problem of migrant voters constantly moving from town to town. Rather than having to re-register to vote every time they move, a blockchain-based system could verify them as registered regardless of their address. Arora hopes to have such a system in place before his tenure ends next year.
Still, it remains to be seen how well these projects work in the long run – and how they hold up to a deliberate real-world attack. As mentioned above, there are numerous examples showing blockchain isn’t as immutable or foolproof as the initial hype made it out to be, and it’s a truism among software engineers that the more complex the code, the more bugs, thus making it more vulnerable to exploits.
Security expert Bruce Schneier has been particularly critical of blockchain in general on security grounds, primarily because of the issue of trust. Computer security, institutions and social systems work inasmuch as humans trust them. In a 2019 essay, Schneier argued that the central tenet of blockchain is that technology is more trustworthy than humans, but that falls apart as soon as a hard fork happens. Many people don’t trust cryptocurrency because there’s no recourse if it goes wrong – if your money is lost or stolen, it’s gone forever.
As Rivest mentioned above, if the same thing happens to votes in an election, the repercussions are much broader. It’s one thing to not trust Bitcoin or a specific implementation of blockchain – it’s quite another to not trust an election result.