It’s 2020. You can buy just about anything on your phone. You can do banking on your phone — so why can’t you vote on your phone? This week, Paul & Rich discuss the security concerns that come with online voting. They also talk through the possible vulnerabilities in an online voting system and the danger of removing the people (and checks and balances) that come with traditional voting. Most importantly — go vote!
Paul Ford Remember those New York City lever machines? Man, you knew you voted. I don’t know if anyone had this experience, but it was like [Paul makes lever machine noise] You’d vote and you’d feel it. [music fades in, plays alone for 15 seconds, ramps down]
Rich Ziade I’m gonna just ask you a question, Paul. And that’ll just, it’ll just gush like our knowledge and a discussion will gush into the rest of this podcast. You ready?
PF Oh my god. Let’s do it. I’m ready.
RZ Why can’t I vote on my phone?
PF Ohhh geez. Oh, wow, great. Great Caesar’s ghosts. This is a tough one.
RZ I just want to—I want to follow up with what I have done on my phone. I bought a $2,000 laptop on my phone with like, four finger taps. Double tap this, like the side buttons and I’m paying for groceries and paying for whatever. For those that are listening to this podcast 10 years from now out of the Internet Archive, we’re in the middle of an election, a pretty big one. It’s 2020, we’re in the middle of a pandemic. Joe Biden is about to go up against Donald Trump. You know, because of the pandemic, the idea of going and standing in a place and voting is considered risky. And so it we’re pivoting back to vote by mail and paper and mailing paper and meanwhile, I have a computer in my pocket!
RZ Why can’t I vote on my phone?
PF Because America doesn’t believe in math, is the simplest way I’d put it.
PF Well, this is really tricky. First of all, the most secure provable way to have voter security are pieces of paper and people going in person. That is almost just one of those conventional wisdom things that proves to be true over and over. Voting machines are very, very hackable, digital voting continues to be hackable. So, there is an argument to me that until there is some—until literally light opens up from the heavens and says ”vote using computers,” we should stick with the way we have now.
RZ What you’re saying is we obviously have the technical capabilities. I mean, we have the technical capabilities to create photo-realistic flyover imagery of anywhere on the Earth in Flight Simulator. We obviously have the technical capability to vote online, we have it, that is real.
PF Yes. To vote securely, you could, could have a totally secure fingerprint.
RZ So really, what you’re talking about is the fear of the security concerns. Fear of getting hacked, fear of it being delegitimized because of some exploit or some outside actor, which there are outside actors who like to mess with our elections. That’s the fear, correct?
PF That I think is the only truly justifiable reason not to let people vote by phone.
RZ Let me ask you this then, why can’t a high school have a student president vote by phone? Are they doing it? Because there’s a lot less at stake there.
PF I mean, I vote by phone on Twitter polls all the time. I mean, there are there’s lots of various voting and polling applications online. And what you need are accounts and you need secure logins and stuff like that. The basics of encrypting a message and signing it with a unique key are pretty well proven out and that code has been pretty vetted. So I mean, the risk there is quite low. But when things get onto servers, trouble starts. The thing that’s risky, right, is centralization, having one point of failure, or one aggregation of all the voting information that could be conceivably vulnerable in any way. And what works really well about paper voting is lots of people going to lots of places.
RZ Here, let’s create it. Right. [okay] Let’s be bold here. One of our bigger clients saw all kinds of obstacles to using certain software, the pandemic happen. They figured it out in like a week.
PF Yeah, it does unlock a lot.
RZ It does unlock a lot. So oftentimes, I don’t want to get into politics or political figures. And I know they’re, you know, Andrew Cuomo, the governor of New York is a polarizing figure, but I have to give him credit for one thing. Every so often, he says, ”I want to announce this on Thursday. So get it all done. So I can tell everyone we did this.”
PF Boy, does he. [Rich laughs]
RZ Right, for better or worse.
PF You’re Andrew Cuomo—regardless of what people might think about Andrew Cuomo. And you do hear a lot of reasons why certain things can’t take place, especially in the middle of a pandemic. And then finally, you are the tiebreaker, you are—that is your job and you go, ”nah, no, it’s gonna be blue, and I’m gonna draw a picture of it” and then you pet your dog Captain. [Rich laughs]
RZ Alright, so here we go. Ready? First off, we have the data. What I mean by that is the census. The US census is keeping track of people and voter registration, right, so I can’t spin up 10,000 extra people. Let’s get that out of the way.
PF Motor voter, addresses, whatever. somehow we’ve created this unique keen way where your voter registration gives you a unique ID.
RZ That’s right. And then I go and get the US vote app that has been created. And let’s forget about how it got created. But obviously, this was a much more formal process. There’s a lot of work went into it and whatnot. Okay.
PF 80% of it was built by a Canadian company and—
RZ In partnership with Postlight.
PF Yeah. [Paul chuckles] Fine. Whatever.
RZ Alright, so time to vote. Are you ready to vote? Okay, so the face ID kicks in, face ID is so secure that the likes of one password actually let you use face ID to unlock your whole entire life. Right. So the fact that one password was comfortable enough to let you take the face ID confirmation and open up really everything your bank accounts, your credit cards, all of it, means that it’s pretty secure. Right? So this thing opens up and says, ”Okay, Rich. Hello. How are you? Are you ready to vote?” First, it confirms it’s me. I say yes. It gives me a couple of options. It says ”are you sure?” it kicks in face ID again, this time, it not only confirms it’s me, but also snapshots my face, packages that up and sends it off somewhere. [okay] Let’s get to the somewhere in a second. Because that seems sounds like that’s where your vulnerability lies, right
PF Ah, there’s vulnerabilities all over the place. Paper still better. Mail is still probably the most secure, right?
RZ Punch holes in what I just walked through, though, give me some vulnerabilities there.
PF Well, first of all, why are we doing this? We’re doing this because we want more people to vote. And if they’re doing it from their phones, we think more people will vote. Like otherwise, why bother? What are the vulnerabilities? It’s not that face ID has been mathematically formally verified, right? Like it’s software, there could be a side door, there could be a way to get to the encrypted hashes that are used to describe your face, and then submit those hashes elsewhere by pretending to be a face ID proxy client, right? And so there’s all of that stuff. And there’s a million points of attack.
RZ Let me respond to that. Census sends email and mails me stuff, paper mail, all the time. They mailed me a code, two factor voting. When I say I’m going to vote, it converts the face ID and then I have to punch in the eight digits that they mailed me.
PF You know, I could call and get my my one time voter security key.
RZ However way you get to it. Yeah. Okay, so I’ve got that in place. Now. It’s been fired off. I think this is solvable at the phone level. And at the user level. Let’s assume face ID is something that’s universally available, etc.
PF Fine, fine. Okay. Okay.
RZ Fired off! Now that this packet gets created that has my voting selections, and verification of my own identity, thus ending my ability, I can’t get a refund on a vote, right? Like if I go into a booth, you can only go once.
PF I’ve used my one time encryption key provided to me by the voting server and I can no longer—
PF Yeah, that’s right.
RZ Not only that, there’s no record of it on my phone. Privacy and confidentiality around voting is a big deal. It can’t just be sitting there on my phone. Now what? Where’d it go? Where did this packet go, Paul? You take it from here.
PF Well, realistically, it goes to some government server that was hacked 18 months ago. [Paul & Rich laugh] And goes straight to—you know, it gets siphoned right into Russia, you know, there’s a huge congressional hearing, and the company admits that it outsourced all the work to Canada, which outsourced it all to India and the congressmen and congresswomen get really upset. Where could it go? Look, I mean, I think, again, the number one risk I have here is one point of failure, right? So like what it should do, if you were to digitize this process, I’d almost wanted to be at the county level. This is a problem, you’re going to create a monolithic software environment in which if there is one vulnerability will spread like wildfire. And there is no way to make this truly secure. Anybody who tells you it is truly secure is lying to you, like truly 100%. There’s like a small window where you could argue that mathematically formal verification processes are a way to ensure that certain things can happen. But we’re not even there, in turn, like those technologies don’t really exist in the way that you’d need them to.
RZ Let me ask you something, though. I mean, I don’t know how the lever switch decisions get sent from my public school, two blocks away to some central place, but there is a place where they’re adding them all up?
PF Well, no, I mean, what they tend to do is add them up at the polling station. And then there’s this backup record. That’s what the way it really works, today, as far as I know, like, it doesn’t just immediately call home to you know, to MasterCard slash voter tech. But instead what they’ve done is they’ve taken that analog, put the slip in the box idea and and made that work so that you have the backup, you have the record. But you also have a digital counting mechanism, which accelerates everything and makes it possible to report much more quickly.
RZ So they’re adding locally, sending the totals up.
PF That’s the safest right. And then there have been, you know, but there’s all sorts of hackable voting machines.
RZ You could argue that voting in the way I described on your phone is more secure than the voting machine. Imagine it only goes to that one place, like it goes to my public school.
PF This is where we’re at now. Right? So it’s like, what Is the public record of it, you know, like where How does it stay accountable? My mental model of it is like, okay, that’s possible if there’s a true accountable public record that is verifiable by the equivalent of poll workers and judges and stuff like that. And really what happens is it feels like the technological solutions to voting, want to get all of those humans out of it, they want to make it like ”here, hit the red button,” ”oh, I hit the red button, and I voted” ”Good job!” And a little cartoon cat comes up and says, ”here’s your part of democracy” while it just flushes your vote into the toilet. And really like what makes voting work is the same thing that on a good day makes America work, which is a kind of checks and balances systems. There are poll workers or judges, there’s oversight from both of the major parties, there’s like all these things that still can get gamed and hacked. But ultimately, you have so many eyes involved, and also a culture around voter fraud, that takes it pretty seriously. So all of those things locked together and come with a whole lot of rhetoric about how this is the absolute most critical function of our democracy is to encourage and support the safety of voting. And that is literally like church and state of sight. It’s the one thing we talk about. And we always almost use the word sacred, when we talk about it, right? Now I come in and I’m Mr. voting machine guy. And I say ”they’ll hit the buttons and then the button, it’ll go over to the server, and you won’t even—just be it’ll, it’ll email everybody the votes, and it’ll be cool. You can download a spreadsheet.” And then it’s like, ”Hey, can we look at the source code?” And they’re like, ”that’s a proprietary trade secret” right? There is no source code to your ballot, you know, it’s a it’s a piece of paper. So software culture, and the culture around voting doesn’t have the frankly, the same integrity and the same checks and balances that the legal culture around polling has in America. Like when you look at when people talk about some of the greatest sins and transgressions of America, it’s like things like poll taxes, like we take any abridgement and any complexity around voting, people who take it seriously, take it as a genuine social justice issue. And it’s one of the most important things that we think about and talk about in our society. And then what you do when you when you make this into a technological hit a button on your phone solution, you productize it, and like those cultural values and those rules that we commit to around voting, like technology, isn’t there, it actually is there to get rid of a lot of that stuff. I mean this is why you can’t just have law as code. I think that’s falls into that that category of like, you can’t just put the constitution on GitHub and and issue a pull request when you want an amendment.
RZ Agreed. To close it out, will we reach a point at some point in the future where we’re voting with our phones?
PF I mean, frankly, I hope so. But it’s the civic infrastructure. The problem with our current government, and this is not—actually this is left, right, whatever—is a deep down, there’s like this desire for Google, Apple or Facebook to just solve it, right? Like it just there’s no infrastructure.
RZ And you view that as a problem.
PF That’s a huge problem. You can’t have Google run your voting. You know what, actually, I think would actually Google will do a pretty fair job of it.
RZ I just wanted to ask the question out loud and say ”Isn’t—do you think that’s a problem?
PF Frankly, here’s what I hate. I think they do a great job. And I think they would solve it really, really well. And it would be the wrong solution.
RZ Yeah, I think that’s right. I think that’s right. You know, you know, what I think is worth digging into, which we’re not going to do is, I wonder who does get subcontracted to set up the voting infrastructure that we have today? Because that’s commercial interests that have been brought to bear to solve a problem that is a truly civic problem, probably the greatest civic problem, civic challenge we have.
PF You know, it’s funny, I’ve been reading articles about electronic voting for like 22 years, and the debacle of the last couple of years, has wiped it out of my brain. I’m just like, let’s not worry about that anymore. Just go to the polls, [Rich laughs] or mail it in. Like I’m just—let’s, let’s stop pretending.
RZ You’re dialing back your expectations. [music fades in]
PF I’m just like, not, like just, yeah, like, stop all of it. And just let me—the sad thing about New York State is your vote essentially means nothing except for like a local judge. You can have a little difference there, but, you know, we’re gonna vote. The state’s going to go blue.
RZ Alright. Yeah. I mean, let’s end it with by telling people to go vote. That’s always a nice—
PF Yeah. You know what, that’s—if there’s any lesson from this. First of all, I think it would be great to vote on your phone, like just flat out, I’d love to see a solution. And second of all, go vote.
RZ Vote. It’s important.
PF It’s all we got. It’s the most important thing. And I don’t know, if you’re young, and you’re like, ”I don’t know, does it really matter?” No. But it really does. It really does. And you may not matter that much in that context. [Rich laughs] But boy, does it matter in the big macro view. Please, please, God, please, please, please go vote.
RZ Paul. We are Postlight, we’re not going to sell too much here. Check us out at Postlight.com, we’re a digital strategy design and engineering firm. A lot of great case studies there. Hit us up if you have questions. Hello@postlight.com. We’re very open to talking and being helpful.
PF Yeah. Tell us what we should know about electronic voting.
RZ Yes. Have a great week!
PF Bye! [music ramps up, plays alone for 3 seconds, ends.]