Online Voting Has Worked So Far. That Doesn’t Mean It's Safe

West Virginia state delegate Eric Porterfield is blind and usually votes at a polling place using an accessible voting machine. He would need assistance to fill out a regular mail-in paper ballot, reducing his ability to keep his votes private. But thanks to a state law passed in January to address accessible remote voting, Porterfield has a new alternative for his state’s June 9 primary. For the first time, he plans to submit his absentee ballot online.

“The gold standard for you or me or anyone is to be able to fulfill our constitutional right to vote by private ballot,” Porterfield says.

The Covid-19 pandemic has made internet voting options more tempting than ever for election officials across the US. But election integrity advocates and security experts continue to warn that remote digital voting systems, whether mobile apps or cloud portals, do not have strong enough security guarantees for prime time. On Friday, a group of federal agencies including the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency and the Election Assistance Commission sent a risk assessment to states, warning that “electronic ballot return technologies are high-risk even with controls in place.”

West Virginia has let eligible overseas and military voters cast their ballots through a mobile app since 2018, and is now using a cloud portal for those voters plus the residents with disabilities covered under the new state law. Several other states have begun to allow limited online voting as well, all apparently without incident—a track record that remote voting advocates point to as evidence that the practice should become far more commonplace. But security researchers find little comfort in seemingly successful trials, for the same reason that you shouldn’t wait for an accident to install stop signs at a busy intersection.

In the coming months, Delaware and New Jersey will join West Virginia in piloting a remote digital voting system through a company called Democracy Live. Eligible overseas and disabled voters will receive an email that contains directions on how to log into the firm’s cloud portal. From there, voters will fill out a PDF ballot and can either print it out and mail it in or submit it electronically. A core feature of Democracy Live’s setup is that once election officials receive digital ballots they will print them out, which the company claims creates a paper trail that can be used later in election audits.

“We’re focused on the disenfranchised populations,” says Bryan Finney, founder and CEO of Democracy Live. “I don’t think there’s any perfect voting system out there, I don’t think there’s any perfect website out there. It’s a matter of just how do we calibrate the risk and reward. This is the best solution that we can come up with. If somebody has a better approach to fully enfranchise 30 million disabled voters we’re open to it.”

Democracy Live’s portal is hosted in Amazon Web Services through the cloud provider’s security-focused FedRamp certified offerings for the US federal government. It also uses AWS’s “Object Lock” feature on voters’ PDFs to keep submissions from being altered or deleted. The system has been audited by third-party security reviewers Shift State and RSM Labs, although those reviews are not posted publicly. When Democracy Live is used in voting, the elections also undergo retrospective audits to confirm the results.

Numerous security researchers told WIRED that they share the desire to expand voting accessibility and appreciate efforts to make remote digital voting systems secure, but are ultimately not satisfied by the fairly surface precautions deployed so far. They point out that while using equipment and systems approved by the federal government would understandably seem adequate, the government’s own track record on digital security is painfully weak. Even the National Security Agency has had its systems hacked. The same is true of even the most careful financial institutions, tech companies, and health care providers.

“If the software-hardware industry is this bad across the board, this does not bode well for new offerings to magically be highly safe, secure, and robust,” says security researcher Peiter Zatko, better known as Mudge, who has worked for the US government and private sector. “Think about the small organizations trying to trivially solve these basics that the entire field can’t get right yet. And also the intricacies of regional and national voting while retaining secret ballot aspects and without discriminating. Yikes.”

For example, helpful as Democracy Live’s AWS secure cloud and anti-tampering PDF protections may be, they aren’t a security panacea. If voters submit their ballot through the cloud, they have no way of confirming that the subsequent printout made by an election official accurately reflects their vote. And if post-election audits are based on that paper trail, they won’t be able to catch tampering that happened before the printouts were made.

“It’s no different than printing out a ballot image from a paperless direct-recording electronic voting machine,” says Lawrence Norden, deputy director of the Brennan Center’s Democracy Program at New York University School of Law. “It’s meaningless if the electronic record has already been hacked.”

Democracy Live launched in 2008 and has been piloting its ballot return cloud portal since 2010. The company says its secure portal has been used in over 1,000 elections in 96 countries. But security experts emphasize that an organization’s history of participating in uneventful elections isn’t itself evidence that a given system is secure.

Still, Finney argues that a purpose-built cloud voting portal is more secure than the ad hoc digital voting that already exists in the US. And other online voting proponents emphasize this point as well. Nineteen states and the District of Columbia allow a relatively small number of overseas voters to return ballots by fax or email. Seven more states allow returns by fax alone. The patchwork stems from efforts to comply with federal laws designed to give military members and citizens abroad adequate time and opportunity to vote.

“The ballots themselves are still paper ballots which must be printed, completed by hand, and scanned, if they are to be emailed,” says Debra O’Malley, a spokesperson for the Office of the Secretary of State of Massachusetts, which oversees the state’s elections. “Generally, cities and towns receive only one or two such ballots per precinct, if any. Of course, there are always more in presidential elections and in those communities with more military or overseas voters.”

Verified Voting, an organization that promotes election system integrity and best practices, advises against any internet-enabled ballot return method. But even more so than relatively niche cases, the group is concerned about large-scale expansion of internet voting to millions of people with disabilities or all US voters.

Delegate Porterfield of West Virginia says he has faith that Democracy Live’s remote digital voting system is secure, especially given the limited number of people who will use it.

Security professionals “have done an excellent job in trying to keep us secure for the limited amount of votes this should impact with people with disabilities,” he says. “Because let’s be honest, a very small portion of our population do have a significant enough disability where they’re going to vote digitally.”

The organization funding the Democracy Live pilot in West Virginia, though, Tusk Philanthropies, has much more ambitious long-term goals. The charitable arm of venture capitalist Bradley Tusk’s Tusk Holdings, the group has a stated mission “to allow people to vote in elections on their phones.” To do this, it works with state and local election officials around the country to fund mobile voting pilots using vendors and platforms that the officials vet and select. Tusk Philanthropies president Sheila Nix says that realistically she knows the whole country won’t embrace online voting this year. But she hopes to make progress toward the organization’s goal of widespread mobile voting by 2024.

“We started initially with pilots for military and overseas voters,” she says. “It seemed like a good place to start. And we had really good success in 2018 in West Virginia and then we did a bunch of pilots in 2019.”

Security researchers say all systems that involve transmitting votes over the internet carry major risk, though. And they emphasize that while it’s true that sensitive industries like health care and the financial sector rely on internet-enabled systems, those organizations can tolerate the risk and deal with the consequences of a breach better than an election can. Voting systems also need to preserve voter privacy, while banks and hospitals can access and review the data they hold continuously. That distinction makes it incredibly challenging to build a secure voting system.

“The United States moving to an online platform for voting would be a heavy lift—one of the biggest we’ve ever done,” says David Kennedy, CEO of the security consulting firm TrustedSec, who formerly worked at the NSA and with the Marine Corps’ signal intelligence unit. “It’s possible, but to me it would be equal of a lift as us going to the moon. It’s that type of project, because you need a heavily vetted design, architecture that has multiple layers to prevent abuse and attack, and lots of auditing, lots of monitoring.”

Internet voting proponents also frequently point out that vote-by-mail systems could be attacked by large-scale ballot interception initiatives. Studies indicate that such an operation would be difficult to carry out in practice, but there’s always a small risk of tampering. Meanwhile, the risk of widespread vote manipulation would be significantly higher for digital systems that hackers could attack from the comfort of their own homes rather than having to go mailbox to mailbox.

The Iowa Caucus mobile app meltdown in February, while not a security issue, was a cautionary tale about the risks of rushing into internet voting. But even successful trials don’t prove that remote digital voting systems are safe. Like any internet-connected system, they could have flaws that simply haven’t yet been exploited yet, or have suffered attacks that haven’t been detected. That’s not a theoretical risk. Estonia used its I-voting internet voting system for the better part of a decade before researchers published a security review of the system in 2014 pointing out numerous major vulnerabilities. And researchers from Massachusetts Institute of Technology found in February that the mobile voting app Voatz had several security flaws. West Virginia used the Voatz app for overseas voters in 2018 and had been planning to use it in 2020 as well. The state switched to Democracy Live a few weeks after the MIT research came out.

“That’s what it comes down to,” Kennedy says. “Just because it’s not been hacked today doesn’t mean it won’t be hacked tomorrow. Or later today.”