– There are very clickbait articles about this, that the elections are over, that the elections are to be canceled, etc. This is a loophole, but it is not worth panicking – says Mateusz Chrobok, a cybersecurity expert, when asked about the possibility of impersonating other people with a fake mObywatel application. In the interview with Bankier.pl, we also talked about disinformation, Poland's resistance to cyberattacks and the disadvantages of e-elections.
There is information circulating on the web that during Sunday's elections there may be attempts to use fake mDowody. What is the problem?
Currently, you can try to impersonate others using a fake version of the mObywatel application, which can be bought for a few zlotys and found in various places – not only on the darknet, but also on Telegram, for example. Members of the electoral commission are supposed to check whether the application is “moving” and verify the data in this way: name, surname, PESEL. The problem is that if someone has your data, e.g. from a large leak, they can create a fake application with your data and photo and cast a vote for you.
There are very clickbait articles about this, that the elections are over, that they are to be canceled, etc. This is a loophole. I think that the National Electoral Commission did wrong by not changing its approach – verification consists of the user scanning a static QR code on their phone and you can show anything on it later, e.g. a fake identity in a fake mObywatel.
Why shouldn't we panic? Imagine what would have to be done to exploit this loophole on a large scale and actually affect the election results. There would have to be hundreds of thousands, if not millions, of votes cast. Hundreds, if not thousands, of people would have to be involved, who would have to obtain this data and travel from commission to commission. In the case of such a large-scale campaign, the probability that something will not work is huge.
I think the best thing we can do is calmly go to the polls. If only to check if someone voted on our behalf and if so, simply report it so that we as a society know that such incidents have occurred.
How do we close this gap until the next election?
In mObywatel, there is a very cool technology used to verify another person based on a QR code. Why don't we use it? I don't know. Maybe it's about the fact that tenders for phones for the commission would have to be announced. I am convinced that this is not a technological problem, but a procedural problem that can be solved. This existing method, which has already been verified, would work great in my opinion.
What threatens our choices at the cyber layer?
First of all, disinformation. People are most easily influenced by emotions. Social media is largely responsible for this. Recently, half a million złoty was spent on the Meta platform on ads about three candidates in a very short time, in order to influence those who see these ads. The beneficiaries are the companies that show these ads – they get paid for it. Probably only after the elections will the investigations that will explain what really happened be completed.
I think there will be a lot of these last-minute reports, often without a clear source, and it will be another wave of disinformation trying to influence our votes. One of the most famous operations, which I recommend checking out, is conducted by the GRU, the Russian services. It operates all the time in Germany, Poland and many other places. It is called “Doppelganger”, or “shape-shifter”. I made a film about it some time ago to explain how it works.
Imagine clicking on some clickbait ad on Facebook — for example, about an actor who died. After you click, they check who you really are, how old you are, whether you are from Poland, and redirect you to an article that is supposed to stir emotions — for example, to make you disgusted by a candidate. It is a persuasion mechanism that works because they have a lot of money and can constantly select the message to manipulate the audience. They try to do this in many European countries.
Can we counteract this at the state level? Does Poland have any strategy to combat disinformation on the web?
From what I know, there is a unit in NASK that deals with counteracting disinformation. If something worries us, we can also report it as an incident to CERT Polska, via the website istotne.cert.pl or by sending an SMS to the number 8080. I hope that these services cooperate with each other and that they also contact other institutions.
Are our systems ready for cyberattacks, such as DDoS?
From what we know, DDoS attacks on PKW systems have historically occurred due to configuration errors, but I am convinced that lessons have been learned and we will be better prepared. At the moment, listening to what colleagues in the security industry say, we are doing really well. We are defending all elements of critical infrastructure.
That doesn't mean there aren't attacks – there are constant attempts to disrupt the functioning – but I hope that this time it will be okay, and even if such a DDoS happens, we have backup methods of action – physical procedures. Of course, they are slower, but we can cope. Resilience is precisely that even if one thing fails, we have fallback procedures.
Hacktivists sympathetic to Russia boast that they managed to “downgrade” the airport's website for 5 minutes, took a screenshot and made big propaganda out of it that “Polyaki” can't fly now because they blocked the infrastructure. Only that it was for 5 minutes, before the appropriate mechanisms worked and then they failed. They need this propaganda primarily for internal use.
You recently recorded a piece explaining the problems with voting online. At first glance, it might not seem like a bad idea. Speed, convenience, lower costs. What's the catch?
The catch is that such systems are convenient, fast and theoretically easy to create, but difficult to audit and understand. And because of that, they exclude a part of society that does not fully understand how it works technically. Transparency is one of the most important elements of elections – the point is not to exclude people who, for example, cannot use the mObywatel application.
There are a few problems, mainly technological, because at the moment such a system would have to be very complicated. We would have to trust the word of people who say that the system is safe, and it is not about giving all the power to a few people who understand it. I am a fan of digitalization and simplification, but taking into account experiences from abroad – it is clear that there can be an influence on elections. By voting online you can show who you voted for, which can make it easier to buy votes.
From my point of view, it's a cool idea, but not for now. We don't have solutions yet that don't discriminate against people who don't vote digitally. There are a lot of problems. For example, what if someone votes for you digitally and then you vote physically? Which vote counts – the earlier one or the later one? There are a lot of issues like that to solve, so I wouldn't do it in haste.
The main argument of e-voting supporters is Estonia, where in the previous elections, in 2023, more than half of the population voted remotely, so one may ask why it worked there but not in Poland?
This is not a good example, although to their credit they are quite transparent and quick to implement fixes to the system. There are counter-arguments, however, for example regarding certificates or digital identity credentials that they use to confirm that you are really you. It turned out that there were vulnerabilities there and they had to be replaced urgently for 700 thousand people.
Another problem, and also a feature of their system, is that during the voting process you can change your mind and vote multiple times. This is designed specifically to give you the opportunity to change your mind. But this creates risks, especially for people who are not very good with digital technology – especially the elderly and vulnerable. If someone steals their identity, they can also vote on their behalf, just before the election ends.
I have experience in countering fraud, identity theft, deepfakes, and other methods that allow you to act on someone else's behalf. These problems are thriving and there are more and more of them. I think there could be a lot of such abuses where the stakes are not just money but the outcome of the election.
So the main issues are trust and technology. Is there a solution on the horizon for the latter, maybe blockchain?
The blockchain lobby claims that blockchain will solve all problems. The only question is how it would work. If blockchain is public and everyone can check the register, the problem arises of how to guarantee the secrecy of the elections. Of course, there are methods, such as zero-knowledge proofs, but when I start talking about such technologies, we will lose half of the readers here and most people will just have to say “ok, I'll take your word for it” because they will hear some strange, incomprehensible concepts.
And then the rumor will spread that it was all staged and it will be hard to defend it. Clickbait theories about forgeries will spread quickly. Only a handful of people in Poland will understand this technology, and I am afraid that the voice of experts will not be louder than the shouters dissatisfied with the results. In my opinion, this could lead to greater destabilization, manipulation and, as a result, weakening of civil society.
Mateusz Chrobok – cybersecurity expert, enthusiast of new technologies, develops startups and educates on his YouTube channel. He professionally fights online fraud and deals with cybersecurity. Founder of the educational platform czmnie.pl.