It's time for another look at election security – through a technological lens

What is being done now to help ensure that the next presidential election will be secure and can be relied on to deliver a valid and verifiable result?  Unfortunately, the answer to that question is anything but clear.  Discussions of election security these days pertain more to politics than to technology. Whereas in the run-up to the 2020 election, public and private sector experts alike paid serious attention to how the election could be interrupted by foreign actors, recently there's little talk of cyber disruptions. And of course, with tensions rising in Ukraine, voting infrastructure is not top of mind. It should be, however, as we still haven't solved some basic problems with securing elections. Eventually, we should be able to use a mobile app to cast a ballot.

Voting infrastructure is complicated, as its security and resilience vary greatly across the United States.  In addition to rules and regulations that differ from state to state, we've also departed from the long-held tradition of having one day for in-person voting. In the 21st century, many states have expanded the early voting process to allow anyone to vote ahead of election day, both in person and by mail, for any reason or no reason at all.  In addition, same day registration and varying types of electronic voting machines are permitted in some jurisdictions but not others. We are a long way from standardizing this process.

Yet there are certain principles that define the election process in the United States. Among them are the tenets of one person-one vote, a secret ballot, and the integrity of the election process so that every vote is counted accurately and verifiably. While some of these principles are under attack, they should not be. We should be able to agree on this much.

The question then becomes, what technologies can help fulfill these tenets? Could we one day vote in a national election via mobile app? The voting process depends upon being able to validate the identity of the voter, verify their registration as an authorized voter, ensure their vote is counted accurately and can be validated through some backup process, and maintain the secrecy of the ballot cast. 

In advance of the 2020 election, voting via an app on a mobile device was one of the possibilities floated. While not a mobile application, voters in the King County Conservation District in Washington state recently cast votes in a special election for a board supervisor position using a website-based system. The voter simply entered their name and date of birth to access the voting system, and then electronically signed their name. From there a ballot with the marked votes was printed and verified by elections officials. It's important to understand, however, that this is a much smaller scale than a national election, with only approximately 1.2 million voters eligible. And web voting has its own inherent risks, especially on a large scale. One does not have to look very hard to find successful attacks and vulnerabilities against websites including distributed denial of service (DDoS), cross-site scripting, and exploitable website code vulnerabilities.  

Using a mobile device to cast a ballot – secretly, securely and verifiably – and having the ability to validate the accuracy of the voting process is certainly possible.  However, it will require additional measures to ensure that votes are secured. These include:

• Stronger universal identity proofing – User verification, confirming a user is who they say they are, will be critical to online/app-based voting. Whether that is based on biometrics or life events, identity proofing and verification will be necessary to ensure the integrity of any vote cast. 
• Digital signing and encryption certificates, ease of use – Digital certificates are commonplace in today's connected world but will become even more important in a world of online/app-based voting to ensure the identity of the person casting the vote. Election officials will also need to ensure the technology is highly secure and yet also easy to use and understand. Otherwise, gaining trust will be difficult.
• Adoption of standards and protocols for voting across a collection of states – Today's system of voting in the U.S. is highly fragmented and splintered across the more than 3,000 counties, boroughs, and parishes. In order for online/app-based voting to be fully realized, officials will need to agree on a higher level of standards that inspire confidence in the system. 

These additional measures for security, citizen identity validation and verification, and for accurate tabulation of cast ballots, must also be considered from the citizen's viewpoint to ensure individual privacy protections, secrecy of the vote cast (anonymity of the ballot), and the ability of the user to change, update, modify, or delete their identity and registration.  

Now is the time to be having these discussions, in the open, with full transparency. We need input and collaboration on the federal, state and local levels as well as with technology providers to develop and test a solution, well in advance of any election for which it might be used.  Let's stop kicking the election-security can down the road and start perfecting technologies that could actually work and inspire confidence in the system.