Are Blockchains the Answer for Secure Elections? Probably Not
With the U.S. heading into a pivotal midterm election, little progress has been made on ensuring the integrity of voting systems—a concern that retook the spotlight when the 2016 presidential election ushered Donald Trump into the White House amid allegations of foreign interference.
A raft of start-ups has been hawking what they see as a revolutionary solution: repurposing blockchains, best known as the digital transaction ledgers for cryptocurrencies like Bitcoin, to record votes. Backers say these internet-based systems would increase voter access to elections while improving tamper-resistance and public auditability. But experts in both cybersecurity and voting see blockchains as needlessly complicated, and no more secure than other online ballots.
Existing voting systems do leave plenty of room for suspicion: Voter impersonation is theoretically possible (although investigations have repeatedly found negligible rates for this in the U.S.); mail-in votes can be altered or stolen; election officials might count inaccurately; and nearly every electronic voting machine has proved hackable. Not surprisingly, a Gallup poll published prior to the 2016 election found a third of Americans doubted votes would be tallied properly.
Chain Voting
Blockchain advocates say the technology addresses the root cause of voting systems’ insecurity—the fact that voting can be controlled by a single person, group or machine. Argentina’s “Net Party” provides an example of what can go wrong. The tiny political party fields candidates who promise to strictly follow citizens’ bidding as expressed on an online polling platform. When its leaders were pondering interparty alliances in early 2014, they put the decision to a vote among party members. To their horror, they discovered database administrators were selectively delaying new voter registrations until after the referendum, skewing the participant pool toward the administrators’ preferred outcome.
Shenanigans like this one are possible only when an official (or a small cabal thereof) can unilaterally decide which votes or voters make the cut. Inspired by this realization, Net Party founder Santiago Siri went on to found Democracy Earth, a blockchain voting start-up. Democracy Earth and its peers aim to prevent corruption by decentralizing the voting process, subjecting each decision and vote to the public review of a blockchain.
Functionally, a blockchain is simply a convoluted database. Each entry in Bitcoin’s database, for example, is a transaction in a digital ledger. The ledger publicly lists all transactions to date, implicitly specifying who retains how much money. What distinguishes a blockchain from conventional databases is that it enables multiple parties to share a database without centralized control. Most conventional databases have one authoritative computer that governs the process of adding data. In a blockchain, that trusted gatekeeper is replaced by computers all over the internet, each maintaining its own copy of the database. These computers act as validators for new data: When Alice wants to send money to Bob, she broadcasts the transaction to the validators, which must confirm for themselves the transaction adheres to the blockchain’s rules (for example, that Alice has not sent more bitcoins than she owns). Once a majority of the network has accepted the transactions, they become the de facto consensus history.
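The validation step described above can be sketched in a few lines. This is an added illustration, not code from the article or from Bitcoin: the `Validator` class, the `broadcast` function and the balances are assumptions, and real networks reach consensus through far more involved protocols than a simple head count.

```python
class Validator:
    """One node holding its own copy of the ledger (illustrative model only)."""
    def __init__(self, name, genesis):
        self.name = name
        self.genesis = dict(genesis)   # starting balances on this copy
        self.ledger = []               # accepted (sender, receiver, amount)

    def balance(self, account):
        bal = self.genesis.get(account, 0)
        for sender, receiver, amount in self.ledger:
            if sender == account:
                bal -= amount
            if receiver == account:
                bal += amount
        return bal

    def approves(self, tx):
        sender, _receiver, amount = tx
        # Rule from the text: a sender cannot spend more than she owns.
        return amount > 0 and self.balance(sender) >= amount

def broadcast(validators, tx):
    """Append tx to every copy only if a strict majority approves it."""
    votes = sum(v.approves(tx) for v in validators)
    accepted = votes * 2 > len(validators)
    if accepted:
        for v in validators:
            v.ledger.append(tx)
    return accepted, votes

def demo():
    genesis = {"alice": 10, "bob": 0}          # constructed sample balances
    nodes = [Validator(f"v{i}", genesis) for i in range(5)]
    nodes[4].genesis["alice"] = 0              # constructed fault: one bad copy
    results = [
        broadcast(nodes, ("alice", "bob", 7)),  # valid: 4 of 5 approve
        broadcast(nodes, ("alice", "bob", 7)),  # overspend: alice has 3 left
        broadcast(nodes, ("bob", "alice", 2)),  # valid on every copy
    ]
    return results, nodes[0].balance("alice"), nodes[0].balance("bob")
```

The single divergent copy cannot block the first payment or push through the second, because no one node is authoritative.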
Although blockchains’ most prominent uses are monetary, there is no reason they cannot store other types of data—and votes would seem an excellent fit. An ideal voting system resists corruption by authorities or hackers and empowers citizens and auditors to agree on an election’s outcome. Conveniently, auditable consensus among parties who do not fully trust one another is exactly what blockchains offer.
Each of the companies buying into this vision brings its own flavor. One start-up called Votem built its systems around academic research on letting voters check that individual votes were counted. Voatz, another start-up, supplements the blockchain with biometric identity verification, using smartphones’ and tablets’ built-in fingerprint readers and facial recognition to authenticate voters. Democracy Earth offers the ability to delegate your vote to another voter whose judgment you trust. Smartmatic, a prominent voting technology firm, integrates a blockchain into its broader suite of voting services. Products from these companies and others are attracting tentative interest from U.S. political parties, the U.S. military and governments including those of Brazil and Switzerland.
Details Full of Devils
Still, neither cryptographers nor election experts are impressed with blockchains’ potential to improve election integrity. Noted cryptographer Ron Rivest of the Massachusetts Institute of Technology sums up the bleak consensus among academics: “I don't know of any who think it’s a good idea, and within one or two years I expect all these companies to die.”
Blockchain voting would require more than simply replacing Bitcoin transactions with votes. “Bitcoin works because you don’t need [centrally issued] identities,” says Arthur Gervais, a blockchain researcher at University College London. Instead, users generate public “addresses,” which act like deposit-only account numbers for receiving money, along with secret digital “keys” that are needed to transfer money out of the corresponding accounts. Anyone can create key-address pairs willy-nilly. The catch: there is no recourse if you lose your secret key or leak it to a thief, in which case your address might as well contain the ashes of dollar bills.
This situation will not fly for government elections, where state and local authorities manage lists of eligible voters. Neither would most governments tolerate the possibility of a voter being disenfranchised if their digital voting key is swallowed by a damaged hard drive or stolen by a thief to cast a fraudulent vote.
This is why most blockchain election providers partially centralize the management of voter identities. Their systems are designed to query a consortium of several different identity databases such as government-issued IDs and fingerprints collected during registration to match the voter with a name from government voter rolls. A quorum of these identity authorities can also revoke lost or stolen voting keys. Similarly, the companies partially centralize the validation process to guard against malicious influence: Instead of allowing anyone to become a validator, the government or party organizing the election designates a consortium of universities, nongovernmental organizations and such whose consensus determines what makes it onto the blockchain.
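A toy model of the consortium design just described, added here as an illustration and not taken from any vendor's system. The class names, the authority names, the quorum of two and the sample keys are all assumptions.

```python
class Validator:
    """Consortium member with its own copy of the state (illustrative model)."""
    def __init__(self, roll):
        self.roll = set(roll)     # voting keys matched to the voter roll
        self.revoked = set()      # keys this validator knows are revoked
        self.chain = []           # accepted (key, choice) records

    def accepts(self, key):
        voted = any(k == key for k, _ in self.chain)
        return key in self.roll and key not in self.revoked and not voted

class Consortium:
    def __init__(self, authorities, validators, quorum):
        self.authorities = set(authorities)
        self.validators = validators
        self.quorum = quorum      # identity authorities needed to revoke a key
        self.requests = {}        # key -> authorities requesting revocation

    def request_revocation(self, authority, key, reachable=None):
        """Revoke once a quorum of distinct authorities asks; True when revoked."""
        if authority not in self.authorities:
            raise ValueError("not an identity authority")
        self.requests.setdefault(key, set()).add(authority)
        if len(self.requests[key]) < self.quorum:
            return False
        for v in (self.validators if reachable is None else reachable):
            v.revoked.add(key)
        return True

    def cast(self, key, choice):
        """Record a ballot on every copy only if a majority of validators accept."""
        votes = sum(v.accepts(key) for v in self.validators)
        if votes * 2 <= len(self.validators):
            return False
        for v in self.validators:
            v.chain.append((key, choice))
        return True

def demo():
    roll = {"key-ana", "key-ben"}                # constructed sample keys
    vals = [Validator(roll) for _ in range(3)]   # e.g. university, NGO, auditor
    c = Consortium({"dmv", "registrar", "biometrics"}, vals, quorum=2)
    out = [c.cast("key-ana", "yes"),             # True: key is on the roll
           c.cast("key-ana", "no"),              # False: key already voted
           c.cast("key-zed", "yes"),             # False: key not on the roll
           c.request_revocation("dmv", "key-ben"),   # False: 1 of 2 needed
           c.request_revocation("registrar", "key-ben", reachable=vals[:2]),
           c.cast("key-ben", "yes")]             # False: 2 of 3 refuse the key
    return out, vals[0].chain
```

Once two authorities agree, the ballot for `key-ben` never reaches the chain, even though one validator missed the revocation notice: which keys may vote is decided by the identity authorities, not by the chain.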
Unlike a Bitcoin-style open model, this consortium-managed blockchain model is at least implementable without damaging the election process, says Joe Kiniry, CEO of elections security company Free & Fair and principal scientist at Galois, a software company specializing in trustworthy software. But switching to a consortium also wipes out the blockchain’s supposed security benefits. Having voter identities dispensed and revoked by central authorities puts voters back at the mercy of a few administrators who can decide which votes count. The role of validators, meanwhile, is reduced to auditing for fraudulent votes, which can be achieved far more simply. “Blockchains are a very interesting and useful technology for distributed consensus where there is no central authority. But elections just don’t fit that model,” says Microsoft senior cryptographer Josh Benaloh. Once a central entity is coordinating an election, “you might as well have that entity publish [vote] data on [a Web site], digitally sign it and be done.”
In fact, Kiniry and Gervais both contend blockchain technology does not even solve the core problems of online election integrity. “If you look at all the technology components necessary,” Kiniry says, a blockchain “only ticks, like, the first four boxes out of a hundred.” It works for recording votes, but even blockchain start-ups need additional layers of technology for thornier challenges such as validating voters, keeping ballots secret and letting each voter verify their vote was tallied.
Cryptographers have spent decades advocating for their preferred solutions to those challenges—a suite of techniques known as “end-to-end verifiable voting.” These techniques make no use of blockchains; in fact, Benaloh says they solve all the problems a blockchain does and then some. Ironically, though, helping end-to-end verifiability go mainstream might end up being blockchains’ greatest contribution to election security. After all, the word “blockchain” draws investor cash even to companies whose connection to the technology is, speaking generously, tenuous. And even skeptics acknowledge blockchains’ relevance to voting; despite their questionable utility for security, similar procedures can enhance voting systems’ efficiency or reliability. So someone may well find a way to build a cryptographer-approved system and call it a blockchain. What if that’s what it takes for end-to-end verifiability to get traction? “If that’s what makes you adopt it, okay, let’s do it,” Benaloh says. “But I want to talk about all the real benefits of a good protocol as well.”