May 9, 2011
Why Return of Voted Ballots Should Not be Permitted via Email
Email voting? Why not, one might ask?! A lot of folks use the false analogy of online banking to argue that email voting should be allowed for the convenience and accessibility of voters. Not a moment of thought is given to the security risks involved. So I’ve done a brief Fact Sheet summarizing the major arguments against returning voted ballots via email. I’m OK with distribution of blank ballots via email but not the return of voted ballots by the same method.
Oregon, like many other states, considering authorizing email return of ballots — the bill is HB 3074 and this post is directed toward that proposed law, but could effectively be applied to a host of other states which are considering similar legislation (or perhaps need to review already adopted laws in light of these arguments).
HB 3074 as drafted would permit both the email distribution of blank ballots AND the email return of voted ballots. While the email distribution of blank ballots has some limited manageable security risks, the email return of voted ballots poses serious risks to the integrity and security of Oregon’s elections that are not easily addressed.
Email voting is worse than touchscreen voting – according the cyber security expert David Jefferson, PhD, computer scientist from Lawrence Livermore National Laboratory in California. Oregon has been savvy enough to avoid touchscreen machines and insist on paper ballots and should continue to do so. Email voting does not provide a voter-verified paper ballot.
The League of Women Voters of the US says that election systems should meet the SARA standards – Secure, Accessible, Recountable and Auditable.Email voting does not meet three of these four standards because it is NOT Secure, NOT Recountable and NOT Auditable. (Source: http://verifiedvotingfoundation.org/downloads/LWVUS-VVPR-2006.pdf)
Email voting puts Oregon’s election system at grave risk of attack by hostile nations and terrorist groups. Last fall, the District of Columbia’s online voting pilot came under attack from hackers in Iran and China. (Source: http://www.bradblog.com/?p=8118) An attack on email voting would require less technical expertise than an attack on online voting and would be easier to carry out undetected.
A recent Threat Assessment of UOCAVA voting systems by NIST (National Institute of Standards and Technology) concluded the following:
Use of Email for Return of Voted Ballots
The use of e-mail to return ballots presents several significant security challenges. Several different computer systems are involved in sending an e-mail from a voter to an election official. Many of these systems, such as the voters’ computers and e-mail servers, are outside the control of election officials. Attacks on these systems could violate the privacy of voters, modify ballots, or disrupt communication with election officials. Because other individuals or organizations operate these systems, there is little election officials can do to prevent attacks on these systems. The security challenges associated with e-mail return of voted ballots are difficult to overcome using technology widely deployed today.
- Using the internet for voting is not equivalent to using the internet for banking in the consensus opinion of computer security experts. The “white hat” hacker whose University of Michigan team penetrated the District of Columbia’s online voting pilot, Dr. J. Alex Halderman, explained that
…unlike banking on the Internet or via ATM … a process which is open to oversight before, during, and after by all involved parties, the secret ballot system used in U.S. elections — where it’s impossible to verify the accuracy of the “transaction” after it’s been made and the identity of the voter must be kept forever a secret — cannot be done safely at this time on the Internet.
Oregon is already compliant with the Federal MOVE Act which is aimed at overseas military voters There is no need to allow email return of voted ballots for compliance purposes. Only ten states allow return of voted ballots via email with no restrictions. More than 27 states, do not accept email ballots at all. A minority of states do accept email return of ballots, often with greater restrictions and protections than contemplated in HB 3074. For instance, the State of Washington requires the return of the physical paper ballot before certification of the election for the email ballot to be counted.
The Overseas Vote Foundation is on record opposing the email return of voted ballots while supporting the email distribution of blank ballots.
Private email over the Internet is not a secure method of transfer for documents containing your confidential identity information. This is why Overseas Vote Foundation recommends that voters return their ballots by regular mail and fax. (Source: https://www.overseasvotefoundation.org/Email-Ballot-Security)
How does email voting compare with Oregon’s Vote By Mail (VBM) System? Dr. David Jefferson, cyber security expert from Lawrence Livermore Labs, compares the threats to both VBM and email voting:
1) Ease of automation of email attacks: There is no corresponding hazard for VBM.
2) Lack of ability to detect email attacks: Physical attacks on snail mail ballots, unless done slowly and carefully with good tools, would be detectable. The only simple undetectable attack on snail mail is to throw ballots away based on where they came from without opening them to determine whether they are favorable or not to the attacker – not a very sharp attack at all.
3) Speed and simplicity of email attacks: Once installed, an email attack package would work silently and efficiently and could handle all of the ballots that happened to be routed through that particular server. The only way to achieve a similar attack effect for snail mail would be to have a big boiler room operation with many people in league at a postal service location.
4) The potential for foreign cyber attacks: Email attacks do not have to be perpetrated by insiders or employees of ISPs that run email relays. Any foreign agency might attack an email server remotely and control it, or a botnet criminal syndicate, or an enterprising lone hacker. There is no corresponding attack mode for snail mail.
Remove the return of voted ballots from HB 3074 due to security concerns.
Authorize the use of the Federal Writein Absentee Ballot FWAB) for state and local elections in Oregon as other states do.
Integrate more proactively with the Federal Voter Assistance Program (FVAP). Currently no link to this program can be found either on the Secretary of State’s Elections Division website or on the Oregon Military Department’s website.
Do a cost/benefit analysis of sending UOCAVA ballots via trackable express services such as USPS Express Mail, FedEx or UPS with paid return of ballots using the same service.