Voting-From-Home: The Risk of Remote Elections

As Americans battle unprecedented mass devastation from a still-raging pandemic for which there is no vaccine, civil unrest marked by violent clashes between police and protestors across the country, and the weaponizing of information, fake-news, gas-lighting and actual facts – new concerns over voting security pose yet another threat.

In light of so much social disruption, it’s easy to understand why government leaders (at federal and state levels) and the voting public are looking for voting options that avoid gathering on election day. 

In a post-internet era, the solutions seem obvious, convenient and intuitive. But these options are drawing more scrutiny from public officials and private researchers as risks being to surface that impact the public, government institutions, non-governmental organizations, and commercial businesses of all kinds.

There are three areas of concern for security analysts - the purity of the vote itself, the integrity of voter registration rolls, and the manipulation of public conversation by bad actors.

The Votes Themselves

When people think of election fraud - they tend to think of manipulating votes or vote totals, directly influencing the outcome. That's the least likely version of fraud to occur in traditional elections, but online voting creates new opportunities for direct interference.

In an analysis of OmniBallot, a tool currently in use by several states, researchers discovered that it has some apparent vulnerabilities. Specifically, the application "makes extensive use of third-party services and infrastructure... [as] a result, votes returned online can be altered, potentially without detection, by a wide range of parties, including...  attackers who gain access to any of the companies' systems or a voter's client."

These third-party vulnerabilities may seem new in the context of voting apps, but they're rampant across the web.

Voter Registration

Online voter registration has security experts especially concerned. Bad actors might manipulate those election rosters through server vulnerabilities or as a citizen is registering to vote through client-side exploitation.

Reporting by the New York Times illustrates that "Homeland Security officials have been focusing 'intensely on hardening registration systems,' said Christopher C. Krebs, who leads the department's Cybersecurity and Infrastructure Security Agency."

As states using advertising and social media tools to encourage their residents to register, they must be sure they have client-side security solutions in place to anticipate, monitor, and mitigate any vulnerabilities they inherit from those partners.

Social Engineering

Finally, the same playbook that worked for bad actors in 2016 is available with minor adjustments in 2020. In addition to hacking voter rosters and looking for ways to alter vote counts, provocateurs hacked the conversation of actual voters. By introducing false narratives into social media platforms and creating fraudulent news sites disguised as real sources, bad actors were able to influence votes before they were cast.

Facebook and Twitter have taken efforts to reduce this kind of abuse of their platforms - but advertising networks remain vulnerable to intrusion. DEVCON research shows that online tracking pixels from foreign servers land on local new sites millions of times a day - a number that only increases as elections approach.