RECONSIDERING ELECTRONIC VOTING

How can we make electronic voting count?
Published August 15, 2021

Most people view electronic voting as an information technology problem, an issue that a computer whiz or a good piece of software can sort out. In reality, the issues it raises are anything but. Rushing headlong into it without adequate homework and attention to the ecosystem it inhabits can be a recipe for disaster. An expert explains the importance of taking a step back


The conversation around electronic voting machines (EVMs) appears to be coming to a head.

Prime Minister Imran Khan received a detailed demonstration of a locally made EVM last week. While the Minister for Science and Technology, Shibli Faraz, claimed the machines “couldn’t be hacked”, the PM tweeted out his hope that “finally we will have elections in Pakistan where all contestants will accept the results.”

Faraz repeated the claim about the EVM’s being ‘un-hackable’ again at a media briefing later at the Parliament House, once again presenting electronic voting as the solution to rigging. But, encouragingly, he accepted that it was up to the Election Commission of Pakistan (ECP) to decide whether to approve or reject the machines, and invited lawmakers and the opposition to test out the machines.

The ECP has continued to express its reservations about EVMs. But the last few weeks have also witnessed significant progress on the matter of electoral reforms. And the government has softened its stance and appears keen on a more reconciliatory approach. There also appears to be some progress behind-the-scenes in getting the opposition on board. Civil society organisations are stirring into activity. And deliberations are starting in the Senate.

But the issue of election technology remains a big challenge. This is an attempt to explain why the issue is not black and white, and why care needs to be taken in its assessment. But first the good news.

THE BENEFITS OF ELECTION TECHNOLOGY

Election technology is an enigma. It does bring proven and documented benefits. Introduction of EVMs and results transmission systems (RTSs) dramatically speed up result reporting. This is a blessing in developing countries such as the Philippines, various African nations and even Pakistan, where extended delays in counting and reporting tend to provide a window for vote tampering.

EVMs have also considerably reduced polling-station fraud in India. Unlike paper-based elections, EVMs prevent incorrect marking and spoilage of ballots, ensuring that every vote actually counts.

Technology may prove more inclusive. Studies note that voters find electronic voting more user friendly and significantly more reliable. Researchers report that EVMs significantly empowered weaker and vulnerable communities in India. A trial from the US found that voting using a mobile device significantly increased turnout by three to five percentage points. Internet voting can enfranchise overseas citizens, expatriates, military personnel and diplomatic staff, etc. Citizens from countries such as Estonia, Brazil and India — nations with a prominent history of innovation in election technology — tend to take great national pride in their election infrastructure.

Technology may also be significantly more cost-effective: the administrative cost of an electronic vote in Estonia is about half that of using the traditional system. Automation can also dramatically reduce the immense human workload involved.

A good example is Indonesia, which is now seriously considering a shift to electronic voting. Indonesia recently combined the presidential and regional elections into what became the largest single-day voting exercise in the world. This involved some seven million election workers and security staff working in the hot summer. More than 550 of them died of exhaustion and several thousands were hospitalised from fatigue. Technology has a critical role to play in such scenarios.

These benefits of technology are undeniable and most definitely worth pursuing. However, there is also a dark side to election technology.

THE DARK SIDE OF ELECTION TECHNOLOGY

Almost every voting system which has been seriously investigated — EVM or internet voting platform — has been hacked. In most cases, the hacking has been trivially easy. There are even YouTube demos on the topic.

The world’s premier security conference, Defcon, now conducts an annual election technology hackathon, with the aim of educating policymakers, election administrators and civil society. In the 2019 iteration, the organisers gathered 100 voting machines, each of which was certified for use in one or more US states. Over the course of the weekend, every single one was hacked. The organisers, renowned experts in election security, commented in their report: “As disturbing as this outcome is, we note that it is at this point an unsurprising result.”

Likewise, technology does not necessarily inspire citizen confidence and alleviate distrust. I’ve written earlier about India, where prominent opposition parties, civil society and technology experts are now raising a strident call over lack of transparency, ineffective auditing and procedural irregularities with EVMs. Venezuela has one of the oldest and most advanced deployments of EVMs in the world, and elections are routinely plagued with controversy.

Nor does technology tame the savage instinct. In regions of India, elections remain acrimonious and violent affairs. Just this May, following assembly elections, post-poll violence in towns and villages of West Bengal claimed 25 lives and 7,000 women were molested. In 2019, a village was set on fire. In Venezuela, weeks of violent street protests preceded the polls of 2017 in which 125 people lost their lives.

The biggest shock, though, is the US, which just witnessed its most controversial election in two decades. According to certain polls, only about 60 percent of Americans believe that Joe Biden’s win was actually legitimate. Highly contentious audits of machines, ballots and processes are currently underway in several swing states.

As of this March, a staggering 361 electoral reform bills have already been proposed in 47 state legislatures to reconfigure voting laws. Georgia, Arizona and Florida lead in aggressive implementation of these new rules. Within the year, we will likely see grand showdowns in the US Supreme Court. The famous Al Gore/ George Bush clash of 2020 seems almost civil in comparison.

These negatives are equally undeniable and very disturbing. I believe recent developments in election technology give us great cause for optimism, but we need to tread very cautiously. There are big questions to address: Why is election technology so complicated? What path should we take? What are the mistakes we need to avoid?

VOTER PRIVACY AND ELECTION INTEGRITY

People generally view electronic voting as an IT (information technology) problem, a job for a computer whiz or professional software team, like setting up a website or building an app.

As someone who works in this field, these are the questions I get asked most often: if you can bank and shop online, why can’t you vote online? Aren’t billions upon billions of dollars transacted digitally all over the world every single day without problems? Why this big fuss about EVMs when we already have ATMs at every street corner? Isn’t it all just information flowing over wires at the end of the day?

This comparison is entirely natural, but also completely wrong. The information security community has been countering it for decades. I personally see it as a wonderful opportunity to communicate the sheer depth and scale of the election technology challenge and why it is so incredibly difficult to get right.

The big problem is the secret ballot.

With online banking and internet shopping, we maintain the integrity of the process by ensuring stringent checks and balances on every transaction, each and every step of the way. Rigorous security solutions and fail-safe mechanisms are deployed, detailed logs are maintained and information is backed up in distributed data centres.

These benefits of technology are undeniable and most definitely worth pursuing. However, there is also a dark side to election technology. Almost every voting system which has been seriously investigated — EVM or internet voting platform — has been hacked.

But for elections, votes have to be anonymised. Our notion of voter privacy dates back millennia to ancient Greece, and it is recognised today as a fundamental right enshrined in the Universal Declaration of Human Rights. All identifying information is deliberately stripped away from the vote. Any tracking of individual votes is now impossible — this is exactly as it should be — but, by this very logic, it becomes near impossible to detect any tampering. This is a good thought experiment to try for oneself — if you cannot track something, how do you protect it?

Ensuring voter privacy is easy with a physical ballot box. Casting multiple ballots into a box automatically anonymises individual votes. Observers and cameras can track the box. But an electronic voting system is, in effect, a ‘black box’ — one no longer has any visibility into what is happening inside. EVMs routinely malfunction, losing, adding or switching votes.

Researchers have identified numerous security vulnerabilities which are easily exploited by attackers. With some systems, polling staff could manipulate results with the press of a button. There are no receipts or logs to consult in case of an incident, there is no back-up in some distant data centre.

If the attackers are competent, incidents will likely not even be detected. And, unlike paper, in the digital realm it is equally easy to alter one vote or a thousand. Experts have long warned of this paradox that, in most cases, electronic voting systems are actually more vulnerable to rigging than paper-based elections.

This inherent tension between voter privacy and election integrity is the reason that Ireland and Germany abruptly terminated their EVM deployments, and why so many other countries simply chose to keep away from this Pandora’s box. At that time, a little over a decade ago, there was no way to assure citizens that the machines were processing their votes correctly. Other countries, including India and the United States, chose the hybrid route, introducing voter verifiable paper audit trails (VVPAT) as a back-up mechanism.

This problem is especially pronounced for internet voting, where there is no paper trail. Prior to last year’s US presidential elections, the US Department of Homeland Security circulated a confidential report to election officials in all 50 states, cautioning against ‘high risk’ internet voting, warning that attackers could easily manipulate very large numbers of votes undetected.

Banks also employ advanced security features, such as multiple passwords, transaction codes, two-factor authentication and voice biometrics, that are too expensive and impractical for elections. And banks still get hacked all the time, racking up huge losses on a daily basis.

Cybercrime is a phenomenally large industry: a study estimated damages at the 6 trillion dollar mark — if cybercrime were a country, it would be the world’s third largest economy after the US and China. Another study estimates online payments fraud over the 2021-2025 period at 206 billion dollars — 10 times the current net income of global giant, Amazon.

How we recover from attacks and incidents is also very different. Banks are often able to counter fraud and reverse transactions using detailed tracking mechanisms and logs. They undertake detailed forensics investigations and collaborate with each other. Quite a bit of money is actually recovered. That is very hard to do with elections.

Risk sharing strategies are also different. To quote election security expert, David Jefferson: “Vote fraud is much less manageable than e-commerce fraud. There is no election analog to the natural business practice of ‘spreading the cost’ or ‘spreading the risk.’ There is no way to pass on to other voters the ‘losses’ due to illegal ballots cast by ineligible voters or attackers, or to recover votes changed by malicious software. There is no ‘insurance’ that one can buy to cover those losses. There is just no way to compensate for damage done to an election.”

A UNIQUE BEAST

Prime Minister Imran Khan and ministers Shibli Faraz and Fawad Chaudhry view a demonstration of a locally made electronic voting machine |  White Star
Prime Minister Imran Khan and ministers Shibli Faraz and Fawad Chaudhry view a demonstration of a locally made electronic voting machine | White Star

Another critically important security difference: in stark contrast to banks, election systems attract a whole different class of attacker — elite intelligence agencies. There is ample evidence of state-backed Russian and Chinese campaigns infiltrating US voting systems. We are now formally in the domain of cyberwarfare, a whole new league.

A key weapon in the cyberwarfare arsenal is the secret practice of discovering and hoarding knowledge of system vulnerabilities and then exploiting them at the most critical time with devastating effect. This is called a ‘zero-day attack’ — because the attacked party literally gets zero days to fix the problem.

The Stuxnet worm, a malicious computer malware that wreaked havoc on Iran’s nuclear program in 2010 used four hitherto unknown vulnerabilities in Windows, an unprecedented number. In 2015, researchers demonstrated zero-day attacks on the largest internet voting deployment in the world, the New South Wales iVote system.

These considerations of foreign intervention motivated the US Department of Homeland Security in 2017 to formally designate US election systems as ‘critical infrastructure’, the same class as dams, nuclear power plants and power grids. Now, not only is the government more directly involved in securing these systems, but any major attack on them will likely result in retaliation, sanctions, counter-attacks or even war.

Availability is also a key factor differentiating banks and elections. Internet banking is a 24/7 service and outages are common. It is common to go to a shop and find the pay-by-card service is down. But voting systems are deployed for a very, very short period of time — usually just a day — and, in that timeframe, failure is simply not an option. Any system or protocol failure — and how that failure is handled — is immediate cause for suspicion. We must appreciate that it is not enough that elections are fair. They must be seen to be fair.

With banking systems, downtime or glitches are mostly a minor manageable inconvenience, affecting some people some of the time. Technology breakdowns during elections may bear direct and long-lasting impact — loss of citizen confidence, political deadlock and protests. Poland’s electronic voting system suffered major glitches during local elections in 2014. Around 1,000 legal challenges were filed in Polish courts and some 60,000 people protested on the streets.

Hopefully these arguments clarify why Western countries have traditionally shied away from EVMs, and why almost every country that has tried internet voting has failed at it, whereas internet banking and e-commerce are here to stay.

In the cybersecurity community, up till very recently, internet voting was widely acknowledged to be an impossible endeavour. In 2018, the US National Academy of Sciences issued an authoritative report on election technology, authored by leading specialists. They said:

“At the present time, the internet (or any network connected to the internet) should not be used for the return of marked ballots … Further, internet voting should not be used in the future until and unless very robust guarantees of security and verifiability are developed and in place, as no known technology guarantees the secrecy, security, and verifiability of a marked ballot transmitted over the internet … Conducting secure and credible internet elections will require substantial scientific advances.”

Since 2018, several countries — including Switzerland, Australia, Russia and the US — have relied on cryptography to build next-generation internet voting systems. All of these were hacked. Only Estonia seems to have been successful. It is a bit early to tell if they’ve really hit upon the holy grail, but the signs are promising.

THE DEVELOPING WORLD

Developing countries generally struggle with technology adoption and this trend is particularly pronounced for election technology. Most such experiments fail, some quite catastrophically. The textbook example is Kenya.

In 2013, Kenya racked up a bill of 260 million dollars on biometric verification technology and a results transmission system. An international observer commented that it was more modern than anything seen in the European Union (EU) and was reportedly “tamper-proof”. It failed spectacularly on election day.

First the batteries for the biometrics verification systems started to die. It was then discovered that several polling stations did not have power sockets. Poorly trained poll workers forgot their login credentials to access the systems. The verification systems failed to recognise significant numbers of voters. The SMS results transmission system became overloaded and collapsed. And it turned out the election commission had only done one small pilot run instead of the extensive large-scale tests recommended.

When result tallying stalled, the election commission had poll workers chauffeured or airlifted by helicopter all the way to the tallying centre in Nairobi to deliver results in person. A computer bug then inexplicably multiplied the number of disqualified ballots by a factor of eight, causing confusion and anger for several days. There was an obvious outcry of fraud and rigging by the losing side.

NPR described it as “the most modern election in African history” and also “the triumph of Murphy’s Law.”

At home, we have our own internet voting experiment from 2018, slated to be the largest deployment in the world. This hastily assembled system included almost every mistake in the book. I served on the Internet Voting Task Force (IVTF) constituted by the Supreme Court to assess this system. We hacked into it in minutes. We documented multiple critical vulnerabilities in almost every major component. To our dismay, we even discovered simple attacks that layman voters could launch, just sitting at home at their computers. There had simply been no homework.

If there is one key lesson in the saga of election technology, it is that we cannot afford shortcuts. We need to follow every process in the book, we need to dot ever i and cross every t. The election technology ecosystem is typically the most neglected component in deployments.

A rich body of research literature has emerged to analyse such cases. The real reason, some suspect, is not technological, it is perhaps psychological. In a recent paper studying the “unintended consequences of election technology” in African countries, elections expert Nic Cheeseman suggests that “…the growing use of these technologies has been driven by the fetishisation of technology, rather than by rigorous assessment of their effectiveness; that they may create significant opportunities for corruption that vitiate their potential impact; and that they carry significant opportunity costs. Indeed, precisely because new technology tends to deflect attention away from more ‘traditional’ strategies, the failure of digital checks and balances often renders an electoral process even more vulnerable to rigging than it was before.”

This fetishisation commonly manifests in the belief that technology will result in perfectly secure and trusted elections, as legitimate as those in any Western country.

This very rarely happens. Technology does not eliminate the burden of trust, it usually shifts it from one party to another — electronic voting systems may protect against some attacks, but might not against others.

In several cases, this use of technology introduces its own set of risks, a common concept in risk management. Attacks evolve with time. Security features that look good on paper may fail in reality and those that work in one country may not deliver in another. Technology has to be very carefully adapted to the social and cultural realities of each environment.

Cheeseman quotes various other concerns very relevant to us: election technology is usually implemented in ways that prioritise efficiency over transparency. The glitter of new technology tends to distract our attention away from the overall ecosystem that needs to be built to manage and support the technology.

Indeed, some elements of this ecosystem may require more attention and expense than the technology itself. Deploying technology gives rise to immense new organisational and logistical challenges that most countries may be unprepared for.

Many electoral commissions rely heavily on international funding and foreign expertise, and the long-term sustainability of such technology interventions is questionable. Most importantly, technology will likely not address social and human factors — problems such as voter intimidation, bribery, coercion, media bias and abuse of state power — which are also critical to restoring citizen confidence in elections.

But Cheeseman is keen to assert that he is not against election technology in principle: “These observations are not intended as a manifesto against the digitisation of elections … but the analysis draws attention to the importance of more careful assessments of these problems, as well the benefits, of such technologies — and to the need for more careful planning in their deployment.”

This is how we, in Pakistan, need to approach election technology too.

THE WAY FORWARD

A woman tests an electronic voting machine in India in advance of the country’s national elections held in 2019 | AP
A woman tests an electronic voting machine in India in advance of the country’s national elections held in 2019 | AP

We need to build capacity on the election technology front. This is hard work but relatively straightforward. We also need to work on the ecosystem. This is much harder work that requires research, dialogue, vision and statesmanship.

Election technology has had a very troubled history, but there is a light at the end of the tunnel. Researchers have finally resolved the Gordian knot, the seemingly-impossible conflict between voter privacy and transparency. There have been revolutionary game-changing developments in the past decade: it is now possible to maintain voter privacy while also ensuring that votes are not tampered with.

Researchers have devised ways to cryptographically track individual votes without revealing their content whilst also ensuring that they have been correctly counted. An easy way to picture this is how one can track a courier delivery using a tracking number — with the surprising futuristic feature that the number also serves as a guarantee that no one has tampered with your package.

This new paradigm of ‘evidence-based elections’ and ‘verifiability’ gives voters ironclad guarantees that the votes they cast have not been manipulated. Voters no longer have to repose blind faith in technology and poll workers, they can now audit these systems at home using their computers or phones. This level of transparency is unprecedented and is a giant step towards restoring citizen confidence in elections.

When we were authoring our IVTF report in 2018, our foremost recommendation to the ECP was that it urgently institute a research wing. It’s first mission: to investigate and adapt verifiable voting systems for Pakistan. Estonia was first to implement this successfully. Other countries are taking note.

The Indian state of Telangana is actively studying the Estonian system for its own pilot. Microsoft has partnered with some of the world’s largest election technology vendors to make EVMs verifiable. It is cause for celebration that our own stakeholders are converging to this technology. After a few bumpy steps, this is an excellent start to our own election technology journey.

But there is a lot more work to be done.

A WORTHWHILE JOURNEY

For one, the ECP will require a concerted modernisation drive. It is simply not possible to deploy electronic voting on a large scale otherwise. The ECP also needs to actively reorient towards technology.

Thus far, the ECP has a stellar track record of assisting voters with technology, a prime example being the award-winning 8300 SMS service, which voters use to access their voting information on their cell phones. But with election technology, for some puzzling reason, the ECP has chosen to outsource the difficult problems. This has proved counterproductive.

By not cultivating in-house technology expertise, the ECP is forced to look to vendors, who typically lack expertise in new technologies and are also not familiar with the intricacies and ground realities of Pakistan’s elections landscape. This automatically restricts options. Tiny tweaks in existing systems are possible, but the window for genuine innovation is closed. In a sense, the ECP’s immense technology dependency is a subtle yet very real limitation on the ECP’s vaunted autonomy.

Second, we need to work hard on the ecosystem. The ECP and the government need to encourage extensive consultation and wide-ranging stakeholder participation in every step of the process. The opposition needs to take up the government’s invitation to discuss electoral reforms. Election technology is too important to be left solely in the hands of technologists, politicians and government officials.

President Arif Alvi has taken the lead in bringing the debate to the public. It is equally vital that civil society assert itself. Citizen activists, academics and civil society actually lead election integrity efforts in countries like the US and India. Fafen’s (Free and Fair Election Network) call “for a more extended public and political discourse” is certainly very welcome. Pildat (Pakistan Institute of Legislative Development and Transparency) also recently organised a very successful short course to kick-start a sustained discussion.

But there is a mountain of research still to be done. We need to build every different kind of EVM and internet voting system under the sun. We need to trial promising systems at every possible opportunity, in university elections, trader organisation polls, and bar councils. We need to conduct high quality pilots with scientific rigour. We need to immerse ourselves in the e-voting literature and document ecosystem components, best practices, standards and common pitfalls.

We need to build bridges with the international research community, the way Estonia, India and Australia have done. We need bug bounties and hackathons that meet international standards. We need usability studies, we need cost-benefits analyses, we need threat models and risk assessments.

We need to devise mechanisms to facilitate transparency and third-party audits suited to Pakistan. We need research on logistics, workflow and maintenance. If we’re going to set up one of the largest EVM deployments in the world — over 300,000 machines — we need environmental impact studies.

This list is a long one.

This sort of work — genuine research and development to adapt technology to our own unique and complex ground realities — has rarely ever been done before. It is unclear if we even have the expertise and capacity to undertake such studies. We need to build this culture.

In the West, it is the modus operandi: technology policy is directly informed by high quality research. Usually this is accomplished via research collaborations, round-table conferences, seminars, working groups, and public calls for comments. Last year, when South Africa mulled the introduction of electronic voting, there were over 12,000 submissions from the general public and civil society.

If this seems like too much work, it is.

If there is one key lesson in the saga of election technology, it is that we cannot afford shortcuts. We need to follow every process in the book, we need to dot ever i and cross every t. The election technology ecosystem is typically the most neglected component in deployments.

An easier way to think of this: we don’t just need Estonia-style software to succeed — we need to develop the kind of ethos in which people can innovate such systems and deploy and use them successfully. We need to inculcate that sense of professionalism, that commitment to transparency and democracy, those high standards of research and — most importantly — that sense of vision and depth.

There is an elegant irony in the fact that the real secret to succeeding with election technology is not just about having the fanciest machine or the most cutting-edge system. Rather, it is linked to the quality of our effort, how we engage and collaborate with each other and our genuine commitment to transparency. To quote Cheeseman again regarding election technology in Africa: “Unsurprisingly, we find that the greatest gains from digitisation come from countries where the quality of democracy is higher and the electoral commission more independent.”

This journey is not an easy one, but it is very worthwhile — this is the real business of democracy.


Header illustration by Radia Durani


The writer teaches at NUST. He has a postdoc in election security and advises the government and the ECP on election technology. He can be reached at taha.ali@gmail.com. He is also part of the PIVOT election technology awareness project (Twitter: @pivotpk)

Published in Dawn, EOS, August 15th, 2021