Author - David Jefferson

Verified Voting Blog: David Jefferson: The Myth of “Secure” Blockchain Voting

In the last couple of years several startup companies have begun to promote Internet voting systems, this time with a new twist – using a blockchain as the container for voted ballots transmitted from voters’ private devices. Blockchains are a relatively new system category somewhat akin to a distributed database. Proponents promote them as a revolutionary innovation providing strong security guarantees that can render online elections safe from cyberattack.

Unfortunately, such claims are false. Although the subject of considerable hype, blockchains do not offer any real security from cyberattacks. Like other online election architectures, a blockchain election is vulnerable to a long list of threats that would leave it exposed to hacking and manipulation by anyone on the Internet, and the attack might never be detected or corrected.

In its recent report, “Securing the Vote – Protecting American Democracy” the National Academy of Sciences summarized its findings:

Conducting secure and credible Internet elections will require substantial scientific advances.

The use of blockchains in an election scenario would do little to address the major security requirements of voting, such as voter verifiability. The security contributions offered by blockchains are better obtained by other means. In the particular case of Internet voting, blockchain methods do not redress the security issues associated with Internet voting.

In this short paper we attempt to explain why blockchains cannot deliver the security guarantees required for safe online elections. But the summary is simple: Most of the serious vulnerabilities threaten the integrity and secrecy of voting before the ballots ever reach the blockchain.

Verified Voting Blog: The Myth of “Secure” Blockchain Voting

Several startup companies have recently begun to promote Internet voting systems, but with a new twist – using a blockchain as the container for voted ballots transmitted over the Internet from the voter’s private device. Blockchains are a relatively new system category a little akin to a distributed database. Proponents of blockchain voting promote it as a revolutionary innovation providing strong security guarantees that enable truly secure online elections. Unfortunately, these claims are false. Blockchains do not offer any real election security at all.

Internet voting has been studied by computer security researchers for over twenty years. Cyber security experts universally agree that no technology, including blockchains, can adequately secure an online public election. Elections have unique security and privacy requirements fundamentally different from and much more stringent than those in other applications, such as e-commerce. They are uniquely vulnerable because anyone on Earth can attack them, and a successful cyberattack might go completely undetected, resulting in the wrong people elected with no evidence that anything was amiss.

Verified Voting Blog: The California College Vote Hack

I just read Doug Chapin’s article on the vote rigging at Cal State San Marcos, and I would add several observations. Had this been a public election conducted via Internet voting, it would have been much more difficult to identify any problem or to capture the perpetrator, Matthew Weaver. Mr. Weaver was captured because he was voting from school-owned computers. This was networked voting but not really Internet voting. The IT staff was able to notice “unusual activity” on those computers, and via remote access they were able to “watch the user cast vote after vote”. But in a public online election people would vote from their own private PCs, and through the Internet, not on a network controlled by the IT staff of election officials. There will likely be no “unusual activity” to notice in real time, and no possibility of “remote access” to allow them to monitor activity on a voter’s computer.  Note also that university IT staff were able to monitor him while he was voting, showing that they were able to completely violate voting privacy, something we cannot tolerate in a public election.

In the Cal State San Marcos election votes apparently had to be cast from computers on the university’s own network, and not from just anywhere on the Internet. I infer this because it makes good security sense, and because I cannot think of any other reason Mr. Weaver would cast his phony votes from a university computer rather than from an anonymous place like a public library. If this is correct, it is a huge security advantage not possible in public elections, where the perpetrator could be anywhere in the world. Even if public officials somehow did notice an unusual voting pattern that made them suspicious after the fact that phony votes were cast, there would be no evidence to indicate who it was, and no police on the spot to pick him up red-handed.

Verified Voting Blog: If I can shop and bank online, why can’t I vote online?

There is widespread pressure around the country today for the introduction of some form of Internet voting in public elections that would allow people to vote online, all electronically, from their own personal computers or mobile devices. Proponents argue that Internet voting would offer greater speed and convenience, particularly for overseas and military voters and, in fact, any voters allowed to vote that way.

However, computer and network security experts are virtually unanimous in pointing out that online voting is an exceedingly dangerous threat to the integrity of U.S. elections. There is no way with current technology to guarantee that the security, privacy, and transparency requirements for elections can all be met with any security technology in the foreseeable future. Anyone from a disaffected misfit individual to a national intelligence agency can remotely attack an online election, modifying or filtering ballots in ways that are undetectable and uncorrectable, or just disrupting the election and creating havoc. There are a host of such attacks that can be used singly or in combination. In the cyber security world today almost all of the advantages are with attackers, and any of these attacks can result in the wrong persons being elected, or initiatives wrongly passed or rejected.

Nonetheless, the proponents point to the fact that millions of people regularly bank and shop online every day without apparent problems. They note that an online voting transaction resembles an ecommerce transaction, at least superficially. You connect your browser to the appropriate site, authenticate yourself, make your choices with the mouse, click on a final confirmation button, and you are done! All of the potential attacks alluded to above apply equally to shopping and banking services, so what is the difference? People ask, quite naturally, “If it is safe to do my banking and shopping online, why can’t I vote online?”

This is a very fair question, and it deserves a careful, thorough answer because the reasons are not obvious. Unfortunately it requires substantial development to explain fully. But in brief, our answer is in two parts:

1. It is not actually “safe” to conduct ecommerce transactions online. It is in fact very risky, more so every day, and essentially all those risks apply equally to online voting transactions.

2. The technical security, privacy, and transparency requirements for voting are structurally different from, and much more stringent than, those for ecommerce transactions. Even if ecommerce transactions were safe, the security technology underpinning them would not suffice for voting. In particular, the security and privacy requirements for voting are unique and in tension in a way that has no analog in the ecommerce world.

Verified Voting Blog: Email Voting: A National Security Threat in Government Elections

I am very concerned about the widespread push toward Internet voting in the U.S., of which email voting is just one kind.  Neither the Internet itself, nor voters’ computers, nor the email vote collection servers are secure against any of a hundred different cyber attacks that might be launched by anyone in the world from a self-aggrandizing loner to a foreign intelligence agency. Such an attack might allow automated and undetectable modification or loss of any or all of the votes transmitted.

While all Internet voting systems are vulnerable to such attacks and thus should be unacceptable to anyone, email voting is by far the worst Internet voting choice from a national security point of view since it is the easiest to attack in the largest number of different ways.

The technical points I am about to state are not my opinions alone. The computer security research community in the U.S. is essentially unanimous in its condemnation of any currently feasible form of Internet voting, but most especially of email voting. I strongly urge legislators in states considering e-mail voting to request testimony from other independent computer network security experts who are not affiliated with or paid by any voting system vendor.  Email voting is extremely dangerous in ways that people without strong technical background are not likely to anticipate.

Verified Voting Blog: The meaning of Alex Halderman’s successful attack on the DC Internet voting system

University of Michigan Prof. Alex Halderman has now released some details about his successful attack on the District of Columbia’s proposed Internet voting system which has been under test for the last week. (See It is now clear that Halderman and his team were able to completely subvert the entire DC Internet voting system remotely, gaining complete control over it and substituting fake votes of their choice for the votes that were actually cast by the test voters. What is worse, they did so without the officials even noticing for several days. Let there be no mistake about it: this is a major achievement, and supports in every detail the warnings that the security community has been giving about Internet voting for over a decade now. After this there can be no doubt that the burden of proof in the argument over the security of Internet voting systems has definitely shifted to those who claim that the systems can be made secure.

Verified Voting Blog: What Google’s New China Policy Tells Us About Internet Voting

Google recently announced in an important change of policy that it will stop censoring search results for queries coming from China.  That is interesting in its own right, but is not why I am writing this article. According to their corporate blog post, what prompted this change of policy was the discovery of “a highly sophisticated and targeted attack on [Google’s] corporate infrastructure originating from China”.  They found similar attacks on “at least twenty other large companies from a wide range of businesses”. Google further said that they “have evidence to suggest that a primary goal of the attackers was accessing the Gmail accounts of Chinese human rights activists”.  We are not likely to hear more detail in public about the attacks, but this is extraordinary news.

Verified Voting Blog: Comments to the FCC on Internet Voting

It is likely that no one in the country has studied the subject of internet voting more intensely than David Jefferson, senior scientist at Lawrence Livermore National Laboratory. Part of his job is to help devise strategies to defend against the relentless attacks we see every hour of every day against U.S. networks, both government and corporate, from sources ranging from self-aggrandizing students to foreign intelligence and cyber warfare agencies. He has also been deeply involved in voting and election security for over a decade as a voting technology advisor to five successive Secretaries of State in California, and is a coauthor of most of the best known peer-reviewed scientific publication on Internet voting, the SERVE Security Report.

“The integrity of a general election is as important as the integrity of many of our national defense secrets.”

In his comments to the FCC, Jefferson emphasizes that election security is an aspect of U.S. national security. He observes that, “few people have any idea how tiny is the fraction of votes that, if selectively lost or switched, could swing a presidential election, or swing the balance of power in a house of Congress. The controversial 2000 presidential election that was decided by a few hundred votes in one state was only the most extreme object lesson, but other elections such as the recent Minnesota senatorial election, have been as close. This is all the more true in these times in which the electorate is nearly evenly divided on several key national issues. It is vital that we protect the security of every vote, or the legitimacy of our government will be rightly called into question–a situation that is very damaging in a democracy.”