Quora: Web-Based Voting Isn't Plausible—At Least Not Yet

Quora Questions are part of a partnership between Newsweek and Quora, through which we'll be posting relevant and interesting answers from Quora contributors throughout the week. Read more about the partnership here.

Answer from Stan Hanks, CTO of Columbia Ventures Corp:

Could we create an app for people to use for voting in national elections? I did some work on electronic voting systems problems with Ed Gerck in the early 2000s. It was hard then, it's arguably harder now. This gets back to what some people have lobbied for since the early days of the Internet: the "Internet driver's license."

In the U.S., to get a voter's registration card, you have to prove you are who you say you are, that you live where you say you live, and that you're a U.S. citizen. That entitles you to be enrolled as a registered voter, which means that for any election in your jurisdiction, you can show up and cast your vote (or as is more commonly the case, to mail your ballot in or drop it off at a collection point).

For vote-by-mail, your ballot envelope has personal identifying information on it, and you must sign it, demonstrating that it was in fact you who voted the votes as recorded on the ballot. For vote-in-person, you're required to sign your name to a ballot log on the spot indicated for you as recorded on the polls. That's to make it possible to audit the election, proving that only the people who are authorized to vote actually voted, and that they only voted once. The contents of the ballot are completely opaque to this process—and must remain so to ensure the sanctity of the right to a secret ballot. On paper—that is, in an actual paper system—that's pretty easy to do. At scale, electronically, it's nearly impossible to do without it being possible to hack.

Now, you can argue that you can "hack" the paper system. And you can, to an extent. If you know for certain that a given person is not showing up to vote, you can have a "substitute" vote in their place. In theory, the structure of voting in small units called precincts is to deter this. If there are 1,000 people in a precinct, and the election judge is someone of note in the precinct, odds are pretty good that the judge will have personal knowledge that this person claiming to be "Betty Goodbody" is in point of fact an impostor. And even if the judge doesn't dispute the identity of the voter, in an audit, the fraud may be discovered from signature comparison. And even if it skates, completely, imagine the difficulty in carrying out that sort of fraud on a very large scale basis. Even 100,000 "fake voters" would be a ridiculous amount of work.

Shift to an electronic format, and that's all out the window.

The best that can be come up with to date is the notion that every person permitted to vote be issued some sort of revokable digital certificate. At that point you're talking about a large sale public key cryptography system which is something that in practice we know very little about implementing securely.

If I grant that you can securely create and distribute that number of public keys, and that you can create a system that will let people use them to solve for the "identifying that I'm allowed to vote" part, as a hacker, the first thing I'm going to do is make a run at hacking the system that administers the keys. All I need to do is invalidate a number of keys, re-issue them (to different email addresses under my control) and Bob's your uncle, I now own the election results (assuming someone else didn't hack me, or hack my hack, or…)

And then we have to worry about denial-of-service attacks. I've got to vote somehow, and if I can compromise the ability of the system to receive votes—or if I want to get really nasty, the ability of users in a particular geography to deliver votes—then I can also control the outcome of the election.

Plus you've got this extra bonus: I can, in theory, at scale know how people voted. I can hack the recording software and re-connect the wrapper to the contents, lots of ways I can know for sure that Joe Schmoe voted for Bertha Schmedlapp—and sanction them, violating everything we hold dear about secret ballot elections.

It's just not plausible. Not at this point. I thought, at various points, that I had solutions for any number of problems in this space. Other practitioners were quickly able to see things I hadn't, much as I could see flaws in their systems. I'd love to be wrong, but don't think that I am.

Can Internet based apps be used for national elections? originally appeared on Quora—the place to gain and share knowledge, empowering people to learn from others and better understand the world. You can follow Quora on Twitter, Facebook, and Google+. More questions:

• Political Campaigns: Can you devise a more fair presidential election procedure than the present one?
• The Internet: How can a person explain what the Internet is to a kindergarten class?
• Voting Methods: How is identity currently checked in U.S. elections to prevent fraud?