In the wake of security breaches and vulnerabilities in a democratic environment, it's crucial that we build a secure online voting system.
Online polls are just about everywhere - news outlets to government campaigns test the waters and engage with their audience through polls and surveys today. It’s one of the best outlets for businesses and politicians to gauge public opinion.
But can you trust them? What if they fall prey to manipulation by bots - enabling the bots to submit multiple votes? It’s a critical issue that plagues the online polling industry, hampering democracy and trust. It’s alarming how simple it is to leverage robo-voting and completely sabotage an online poll and skew the results in a targeted direction. The mischief usually involves thousands of computers that come under the control of an attacker - one that can make it seem like the public views one candidate or option as the winner.
Influencing opinions through phony polls
Arguably the world's oldest democracy, the United States had over 200 years to get the country's election process right - but when U.S. voters go to the polls, they're turned away due to identity issues, may face long lines or even find their details missing from the electoral rolls.
However, in recent years, there's an increasing number of polling sites that are embracing online voting. This move improves ease of use and accessibility for voters, but comes with inherent security vulnerabilities.
Online voting systems may fall prey to hacks and security breaches, and if the right risk management measures are not in place, it would be harder to control fraudulent activities. Some security researchers also highlight that remote voters may be susceptible to security breaches than traditional voters.
Let’s look at one of the online spot polls after the presidential debate, particularly the one that showed a decisive victory for Donald Trump over Hillary Clinton. This came at a time when most established poll channels like CNN/ORC predicted a winning night for Hillary Clinton. When the poll results were announced, media outlets remarked that the polls could have been manipulated to create a false narrative and signal the Republican’s victory to the public.
In 2010, the District of Columbia's Board of Elections rolled out an experimental e-voting system for Washington D.C. In under 48 hours after the system went live, hackers took control.
It’s not only democracy that takes a hit.
“In 2009, users flooded the Time 100 poll to ensure that the site’s founder, Christopher Poole, made the cut. In 2012, the pranksters employed JavaScript to vote for North Korean leader Kim Jong-un in Time’s annual “Person of the Year” poll and followed suit the next year with Miley Cyrus and Edward Snowden,” a VentureBeat report highlighted.
What’s interesting is that with ample programming scripts to support them, bots enjoy a field day with online polls.
Five years ago, in an effort to avoid being hacked again, Time switched their online poll platform to Poptip, which required users to log in with their social media accounts to vote. However, it took two programmers only an hour to develop Ruby and C# scripts that permitted them to register a vote on behalf of any social media user without their knowledge.
Bad actors have several methods to corrupt polls - from deploying proxy servers to hide IP addresses and resubmitting forms to using bulk email addresses created solely for the poll. Here’s a video that shows how a regular online poll can be manipulated.
The need for a more secure, identity-based security
The issue surrounding democracy around online polls surfaced recently when Passbase hacked Hacker Noon’s “Most Exciting Startup” award and won - highlighting the critical need for identity-based security.
Like several online polls, Hacker Noon’s award recorded votes based on browser sessions and did not require the user to complete any identification or verification processes.
Without securely and accurately verifying the true identity of a user or in this case, an individual casting a vote, how can we trust an online poll or an election? And specifically, how would we know that the person we are interacting with online is indeed who they say they are? We used tools to manipulate the results of the awards - not to win, but to make a point on what this means for online polls in a democratic space, and what we can do about it.
What this showed was that users (and bots) had the ability to damage the integrity of democracy and reflected a larger set of issues the digital world needed to tackle. The Passbase hack showed the impact fake identities can have - and what enterprises and institutions can do to avoid manipulation in online polls.
The digital space thrives on trust and security and when this is compromised, it shows that we need a more robust system for digital identity verification.
Enterprises and institutions must be able to ensure that online voting is not only a seamless process, but also secure and accurate. A transparent, clean election would be one that has a robust system for identifying and authenticating voters, while also detecting and preventing fraud. The various methods that are deployed by threat actors to manipulate polls can be completely avoided if the right steps are taken to authenticate the genuineness of the participating users and verify their identities.
“There are techniques and tools to detect devices and prevent bots from accessing their sites,” Rami Essaid, CEO and Co-founder of Distil Networks said.
"Companies should challenge the bot to prove that it is a human, using various puzzles, and use machine learning to determine if it is a real user. All of this should happen in real-time before the bot gains access to the site," he said.
Industry experts in the threat intelligence space stress that polling organizations will need to invest in robust cyber security and digital identity solutions to build credibility and security into the system. And it’s not just for compliance - but to effectively manage the overall top-to-bottom risk exposure of an organization.
“The self-deception of most defenders is, ‘I'm not important enough to be attacked in that way,’ or ‘I can't afford the investment it would take to defend against that,’ or ‘internet security is not my primary business and I refuse to make it a first-tier cost.’ Those are just differing ways to lose," highlights Paul Vixie.
As we look to the future, several processes continue to and will be moving to online platforms. Be it polling, fintech, services and products in the shared economy, or mobility, a secure process for digital identity verification plays a critical role. With multiple data breaches and hacks, fake digital identities and stolen credentials can impact an organization’s security and reputation.
However, processes that prevent fraudulent activities may be invasive and cumbersome, particularly for the consumer. Digital identity verification platforms such as Passbase aim to tackle this by enabling a highly secure and seamless process for organizations to verify their users’ identity.
The process is simple - the platform uses NIST-certified facial recognition technology and liveness detection to ensure that the user is a genuine, live individual and verifies this against data captured from government-issued or official IDs. The developer-friendly tool can be implemented with a few lines of code and the entire verification process is completed in a few seconds.
“Companies gain access to users’ information in a secure enclave, and avoid the dangers of getting hacked and leaking sensitive information,” Mathias Klenk, CEO and co-founder of Passbase, told TechCrunch earlier this year.
Supported by a zero-knowledge sharing architecture, Passbase’s identity verification platform takes a more privacy-centered approach by giving users control over what data to share and who to share it with. To learn more, schedule a live demo.
Security and trust are essential when it comes to elections. Voters have to trust the process and election results, and feel secure that their right to privacy will be protected. Technology in the voting system can result in multiple benefits. For example, biometric technology and automating user verification will enable a larger set of voters to exercise their rights electronically, and ensure that each vote is counted using biometric data. This begins with establishing a secure digital identity system, where the identities of voters are verified and registered before casting their votes.
The future of voting is digital. What will be crucial to securing this will be our ability to identify voters and mitigate risk effectively.