Five years ago, I made a video for a channel
called Computerphile
about why electronic voting is a bad idea.
And I still get emails, occasionally, asking:
things must have changed by now, right?
There’s this new idea,
and maybe it’ll help.
Surely electronic voting is
just around the corner?
No.
No, it’s really not.
Here is why electronic voting
is still a bad idea.
Elections have some very unusual requirements.
There are two key features that are almost
opposed to each other:
anonymity and trust.
So first, your vote should be completely anonymous.
There should be no way that anyone
can find out who you voted for,
even after everything’s been counted.
That way, no-one can bribe you or
threaten you to vote a particular way.
In the UK, if you mark your ballot in a way
that could potentially identify you,
so if you sign it, for example, then
that ballot is not counted.
This is why election officials are
worried about people taking selfies
with their completed ballots:
because you should not be able to
prove how you voted afterwards.
Otherwise, you can have attacks like
“$10 off for blue voters!”
or “Entry to this party
only for yellow voters!”
or “vote red or you’ll regret it.”
Votes have to be anonymous.
The second requirement is
absolute, transparent trust.
The system needs to make sure that your vote
is securely and accurately counted, sure.
But it also needs to be obvious to everyone,
no matter their technical knowledge,
that the system can be trusted.
So if you’re using paper, you place your
ballot in a sealed box
that doesn’t get unsealed until
everyone with a stake in the election
has someone representing them
in the room.
There should always be people from more than
one side guarding it, or at the very least,
witnessing that there's a tamper-proof seal
being used for transport.
Voters need to be able to trust that their
vote will be counted
even though they’ll never see it again and
it can’t be traced back to them.
And at no point is a single person put in
a position of trust.
People can be corrupt, or threatened, or
incompetent, or all three at the same time.
Now, physical voting is not perfect.
It can be attacked, it has been attacked.
The UK’s own paper system doesn’t fulfil
both of those requirements perfectly:
it is possible to identify voters from their
ballots if a court orders it,
and there are stories about that being done
outside the law too.
But the key point is not that paper voting
is perfect: it isn’t.
But attacks against it don’t scale well.
Physical voting is centuries old.
And in that time almost every conceivable
fraud on the system has been tried,
and defences have been found.
The more physical votes you need to change,
the more people you need to influence,
the more time and money it takes,
and the less likely it is that your
little conspiracy will stay secret.
In a UK election, there are hundreds of polling
stations across the country,
with staff made up of scores of employees
and thousands of volunteers.
The job of changing a
significant number of votes,
enough to sway an election,
becomes very, very difficult.
People have attempted it,
some people have been convicted,
a few have probably gotten away with it
on some scale.
“Granny farming” is the term that
shady operatives use
for going round all the retirement homes
and getting vulnerable elderly people to sign
a proxy vote,
a paper saying that someone else can vote
on their behalf.
And yeah, on a small scale,
that has worked.
But once you start scaling up that attack
it becomes extremely difficult and time-consuming
and the chances are you’re going to get
found out.
With electronic voting, that’s not the case.
So first, let’s talk about
electronic voting machines.
That’s where there’s a computer at the
polling station:
so voters still go into a booth,
it’s just that they are pushing buttons,
or tapping things on a touchscreen,
not writing on paper.
Problem number one:
trusting the software and the hardware.
In theory, our voting computer could be running
open source software
where anyone can see and
check the source code.
In practice, that doesn’t happen:
it’s probably going to be closed source,
it's probably going to be loaded off
an easily-compromised USB stick,
on a computer that’s been sitting unguarded
and sometimes just idly and inexplicably connected
to the internet for years.
And those systems only ever get a full-scale
test when an election actually takes place.
That in itself should be enough to stop
electronic voting ever being a thing.
But, okay, let’s say that we do, magically,
have the most stable, secure,
open source software possible.
How does a voter know and trust that the correct
software is actually installed
on the machine they’re using?
Maybe we could use some sort of checksum or
some other system
to make sure the voting software
is running correctly.
But then you’re just moving the problem,
now you have to trust that checksum hasn’t
been forged.
And almost no voters actually will understand
what that check even means,
or why they should trust it.
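The checksum problem above, as an added illustration that is not part of the original video: a machine that reports its own checksum can simply report the expected value, so the on-screen check is indistinguishable from an honest one, and only a measurement taken outside the machine tells them apart. The "certified build", the tampered build and the machine classes are all constructed for this example.

```python
"""Self-reported checksum vs. independent measurement (constructed example)."""
import hashlib

# Constructed stand-in for the certified, published voting software.
PUBLISHED_SOURCE = b"def count(ballots): return sum(ballots)"
PUBLISHED_HASH = hashlib.sha256(PUBLISHED_SOURCE).hexdigest()


class HonestMachine:
    """Runs the published build and genuinely hashes what it runs."""

    def __init__(self):
        self.storage = PUBLISHED_SOURCE

    def displayed_checksum(self):
        return hashlib.sha256(self.storage).hexdigest()


class CompromisedMachine:
    """Runs a tampered build but shows the expected hash regardless."""

    def __init__(self):
        # Constructed tampered build: miscounts by one.
        self.storage = b"def count(ballots): return sum(ballots) + 1"

    def displayed_checksum(self):
        # The check runs on the machine being checked, so it can lie.
        return PUBLISHED_HASH


def screen_check(machine):
    """What a poll worker can do: compare the on-screen value to the published one."""
    return machine.displayed_checksum() == PUBLISHED_HASH


def external_measurement(machine):
    """What an auditor with read access to the storage medium can do:
    hash the contents with a tool the machine does not control."""
    return hashlib.sha256(machine.storage).hexdigest() == PUBLISHED_HASH


def screen_check_distinguishes():
    """True only if the on-screen checksum separates honest from compromised."""
    return screen_check(HonestMachine()) != screen_check(CompromisedMachine())
```

The on-screen check passes on both machines; the trust has simply moved from the software to the checksum display, which the same software draws.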
In the United States, voting machines are
regularly tested every year...
at the Voting Village at DEFCON, one of the
world's largest hacker conventions.
It's not an official thing.
Hackers there have managed to alter the stored
vote tallies,
change the ballots displayed to voters,
and in one case,
have got a machine to run
the video game Doom.
Imagine if, instead of a machine, there was
just a person in the voting booth,
and you had to whisper your vote to them,
and they promised, oh, yes,
you can absolutely trust them to
accurately record your vote
and pass it on to the people
who are doing the count.
No, you can’t see how or where they’re
writing it down,
you can’t actually call and find out where they are or what they're doing,
but they absolutely promise.
That’s basically what’s happening with
an electronic voting machine.
You just have something that says:
trust me.
I’ve counted your vote and I have absolutely
not been compromised.
Honest.
Problem number two is votes in transit.
How do you get the votes off that machine
to the central counting place?
There are three possible ways.
One, you could take all the voting machines
to the count.
You could seal them all up,
and transport them physically
from where the voting took place
to where the counting takes place.
No one does that.
So, you could download all the results from
each machine onto a USB stick and take that.
One bit of sleight-of-hand and you’ve got
a completely different set of results.
If you’re about to propose some system where
the results are checksummed and trusted:
please explain that to the average voter in
a way they can understand and implicitly trust.
Okay, so, maybe we could transmit the votes
electronically over the internet.
Which is… optimistic.
Man-in-the-middle attacks
are more difficult now,
but they’re not impossible,
particularly if you can’t trust
the software on either end.
And now you’re connecting the voting machines
directly to the internet.
Deliberately.
Which brings us to problem number three:
the central counting server.
Right at the end of the process
there is the server
that tallies the votes and gives the
final count.
Which has all the same problems
with trust and verification
as the individual voting machines,
but now only a few people can
even see that computer.
That’s also true about
electronic counting machines:
ones that take stacks of paper ballots
and return totals.
How do you trust they aren’t quietly changing
some votes?
We live in a world where Volkswagen
got away with
specifically designing their cars to cheat
on emissions tests for years.
And that’s before we include user error.
In one Scottish election,
trialling electronic voting,
a result was corrected after one observer
noticed it didn’t make sense,
and stopped the announcement at the last minute.
Turns out that someone forgot to scroll
all the way to the right
to read the columns on an
Excel spreadsheet with the results in.
And even if you can’t compromise the election,
you can still break trust.
You can still cast doubt on a voting
machine, or the entire counting system,
just by leaving an unknown USB drive in it,
taking a picture, and posting it online.
Or just faking a photo of that.
To break an electronic election,
you don’t actually need to break it:
you just need to cast enough
doubt on the result.
It is a lot more difficult to do that with
paper and physical ballot boxes.
And all this is before we get to
the really terrible idea:
that people should be able to use their phone
or computer to vote from home.
Now, I’m sure the device that you, personally, are watching this on
is malware-free and up-to-date.
Of course it is.
But can you trust that for everyone
in your family?
For everyone on your street?
The exact numbers differ depending on
which security firm’s figures you go with,
but it's safe to say that a huge number of computers
are infected
with some sort of malware.
Huge numbers of phones are on old, vulnerable
versions of their operating systems.
And that’s just scammers setting up botnets
and minor extortions.
Imagine the sort of attack that
could be put together
by a small, well-funded team backed
by a national government.
That sort of attack would scale
very, very well.
Find the one hole in the system, and suddenly
it costs roughly the same to change one vote
as it does to alter millions:
and your conspiracy stays
very, very small indeed.
Maybe you don’t even have to set foot in
the country whose elections you’re hacking.
Now, there are a couple of regular objections
I get to this.
First of all: what about Estonia?
Yes, in 2005 Estonia became the first country
in the world
to offer internet voting, first in local elections,
then in national, then in European.
In 2019, more than 40% of votes
were cast online there, which is
just short of a quarter of a million people.
On the surface, the system seems robust.
Voters can ID via their government-provided
smart card,
or the SIM card in their phone.
But there are problems.
An independent report found gaps in the procedural
and operational security.
The architecture of the system is a decade
old and it’s now dangerously out-of-date,
and it's open to cyberattacks
by foreign powers
either by exploiting individual phones
or by breaking the trust in the
server that counts the votes.
The other common objection is: what about
new technologies?
What about blockchain?
Look, leaving aside trying to
explain blockchain to people
and asking them to trust this
weird technology is worth using,
it’s basically just a write-only database.
It doesn’t solve the problem of trusting
the software or hardware:
it doesn’t change how
the voting machine works,
the interface between the voter’s intention
and what’s actually written to
the database still has to work.
If it prints a receipt of the vote you can
check later, it breaks anonymity.
If it prints a receipt of seemingly-random
numbers you can check later, it breaks trust,
because hardly anyone will understand what’s
actually going on there.
I’m not saying there aren’t advantages
to electronic voting. Yeah, there are.
Accessibility is the main one, and that’s
really important.
In low-stakes elections, for small groups,
for the little things, sure, go for it.
But when the future of nations
rests on the result:
electronic voting is still a bad idea,
and you should still vote against it.
While you can.
I’m endorsing Dashlane for two reasons:
one, they’ve given me money.
Obviously.
But two, because I genuinely believe that
if you’re techie enough to watch to the
end of this video,
you should absolutely be using
a password manager.
If you go to dashlane.com/tomscott, you can
get a free 30-day trial of Dashlane Premium.
Password storage, generation and autofill
that works
across devices, browsers, operating systems,
everything,
it syncs all your data in the cloud without sending
any of those actual passwords to Dashlane themselves.
If you want to know how that works, see previous
sponsored sections.
Using long, complicated, symbol-filled passwords
that are completely different for
every web site and every app
is ideal for security:
but remembering them is nigh-on impossible
and typing them in is a pain.
Being able to use a single master password,
or the biometrics on your phone, is great:
you’ve got one thing to remember.
Dashlane will also store and autofill
credit card information,
so you don’t have to retype it every time
you buy something online.
You also get a VPN and a
gigabyte of secure storage.
So: dashlane.com/tomscott for a
30-day free trial of Dashlane Premium,
which includes unlimited
password storage and sync.
And if you like it, you can use the code “tomscott”
for 10% off.
