If you talk to election security experts (I studied with many of them in graduate school), they will tell you that we are not even remotely ready for online voting. "The vote on mobile is a horrible idea," said Joe Hall, an election security expert, when I asked him about a West Virginia experiment with blockchain-based mobile voting in August.
But on Tuesday, the New York Times published an opinion piece arguing the opposite.
"Creating a viable, scalable and inclusive online voting system is now possible, thanks to blockchain technologies," writes Alex Tapscott, whom the Times describes as co-founder of the Blockchain Research Institute.
Tapscott is wrong – and dangerously so. Online voting would be a huge threat to the integrity of our elections and public faith in the election results.
Tapscott focuses on the idea that blockchain technology would allow people to vote anonymously, while being able to verify that their vote was included in the final total. Even assuming that this is mathematically possible – and I think it probably is – this idea ignores the many, many ways in which foreign governments could compromise an online vote without breaking the fundamental cryptographic algorithms.
For example, foreign governments could hack the IT systems that governments use to generate and distribute cryptographic credentials to voters. They could bribe election officials to provide them with copies of voters' credentials. They could hack PCs or smartphones that voters use to cast their votes. They could send voters phishing emails to get them to reveal their voting credentials, or simply lead them to think they cast a vote when they did not.
After-the-fact verification makes things worse, not better
Tapscott says these concerns are not a big deal because voters can always check to see if their vote has been correctly registered.
"Because of the clear chain of custody, citizens could prove that their voting tokens were stolen," he writes.
But let's think about how this would play out in practice. Suppose it's mid-November 2020 and Donald Trump has just won re-election. A few thousand voters in key swing states come forward to say they intended to vote for Trump's opponent, but their vote was instead recorded for Trump. Thousands of others say they tried to vote for Trump or against him, but their votes were not counted.
Was this due to hackers tampering with the vote, technical snafus, or user error? Were some of them simply misremembering how they had voted? There would be no way to know with certainty.
An important goal for an election is a well-understood process that makes people confident in the result. The paper-based process used in most states today is not perfect, but it is good enough on this score. Each vote is recorded on a paper ballot available to everyone. Everyone understands how paper ballots work. People can observe the process of counting the votes to verify that no vote has been altered. Thus, not only does the process usually lead to an accurate count of people's votes, but it also builds public trust in the integrity of the result.
Blockchain voting would be much, much worse. Almost no one understands how a blockchain works, and even experts do not have a good way to observe the online voting process for irregularities the way an election observer does in a traditional election. A voter may be able to use his private key to verify how his vote was recorded after the fact. But if his vote was not counted the way he expected (or was not counted at all), he would have no way of showing that he tried to vote differently.
Election officials would have to make many judgment calls, and in a tight race, the result would depend on which post-election changes the officials allowed. And this, in turn, would destroy the credibility of the election among the supporters of the losing candidate.
Tapscott says the solution is to give each voter a "backup voting token", but that does not solve anything. Giving people a backup token essentially amounts to holding a do-over election, since anyone would be able to go in and change their vote after the fact. But backup credentials can be stolen just like the original credentials can be. There will inevitably be voters who check the day after this second election and say that their votes were not properly recorded.
No matter how many re-votes take place, there will always be some voters who say their votes have been miscounted. At some point, you must declare the final result. And if there are unresolved grievances about how votes were recorded – and in a blockchain-based system, there will always be – then the losing candidate's supporters will see the results as illegitimate.
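A toy ledger makes this concrete. This is an added example, not code from the article or from any real voting system; the hash-chained record layout, the function names, the sample credential and the use of HMAC as a stand-in for a digital signature are all assumptions. A ballot altered on the voter's device before signing and a ballot the voter genuinely cast produce identical records, and both pass every check an auditor can run.

```python
import hashlib, hmac, json

GENESIS = "0" * 64
KEYS = {"voter-17": b"constructed-demo-key"}  # constructed sample credential

def sign(key, body):
    # Assumption: stdlib HMAC stands in for the voter's digital signature.
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest()

def link(prev, body, sig):
    return hashlib.sha256((prev + body + sig).encode()).hexdigest()

def cast(ledger, voter, intended, device_swaps_to=None):
    """The voter's device builds, signs and appends the ballot.
    A compromised device substitutes its own choice before signing."""
    choice = device_swaps_to or intended
    body = json.dumps({"voter": voter, "choice": choice}, sort_keys=True)
    prev = ledger[-1]["hash"] if ledger else GENESIS
    sig = sign(KEYS[voter], body)
    ledger.append({"prev": prev, "body": body, "sig": sig,
                   "hash": link(prev, body, sig)})
    return ledger

def audit(ledger):
    """Everything an observer can check: the hash chain and each signature."""
    prev = GENESIS
    for e in ledger:
        key = KEYS[json.loads(e["body"])["voter"]]
        if e["prev"] != prev or e["hash"] != link(prev, e["body"], e["sig"]):
            return False
        if not hmac.compare_digest(e["sig"], sign(key, e["body"])):
            return False
        prev = e["hash"]
    return True

def recorded_choice(ledger, voter):
    """What the voter sees when checking the ledger after the fact."""
    for e in ledger:
        ballot = json.loads(e["body"])
        if ballot["voter"] == voter:
            return ballot["choice"]
    return None

# Case 1: the voter wanted A, but a compromised device cast B.
tampered = cast([], "voter-17", "A", device_swaps_to="B")
# Case 2: the voter really chose B on a clean device and later disputes it.
honest = cast([], "voter-17", "B")
print(audit(tampered), audit(honest), tampered == honest)
```

The audit does catch edits made to the ledger after the ballot was appended, but the record carries no trace of what the voter intended, so it cannot separate the two cases.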