March 3, 2009
The Perils of Internet Voting
The idea of being able to cast one’s ballot on the internet has a seductive appeal — the deceptive facade of web security leads many to make a giant leap and assume that internet voting will give military personnel and others stationed abroad a safe gateway to participation in U.S. elections. Many even compare online voting to online banking or the common use of ATMs as evidence that the risks of internet voting can be mitigated. A closer examination shows that this complacency about the true risks of internet voting is based on false comparisons and could lead to a rush to embrace internet voting without due consideration being given to the very real dangers of internet voting.
Let us consider in turn the four main areas of concern which must be addressed:
● the potential for breaches of the secret ballot,
● the open door to voter fraud,
● the insecure nature of the internet,
● the budgetary impact of developing a system of online voting.
Breaching the secret ballot
The secret ballot for each and every voter should be sacred. That is a bedrock American value, intrinsic to our election system. If internet voting is implemented we will be asking an important segment of voters to give up their right to ballot secrecy. Using current technology there is no way that a ballot cast on the internet can be completely dissociated from a particular voter and thus any citizen casting a vote over the internet would be implicitly waiving their right to a secret ballot. Why should overseas voters, especially those deployed by the DOD in Iraq or Afghanistan, have fewer rights than any other American citizen? Why should the military deployed overseas, of all groups of voters, be asked to waive their right to the secret ballot? The secret ballot is one of the American values that our military are defending and they should not be given fewer rights to secrecy than their fellow citizens stateside.
Is it good to require every overseas voter or military voter to waive their right to secrecy? You cannot do FAX or email return of voted ballots without requiring that waiver. Any voter using FAX or email to return a voted ballot must choose between waiving their right to a secret ballot or returning that ballot via other means or not voting at all. Is that what you want? Or do you want to ensure security and privacy for every voter?
Not only will election officials be able to associate a ballot cast electronically with an individual voter but others may well be able to intercept a voted ballot. I refer members of the committee to page two of the attached document entitled “Statements about Internet Voting from Experts” where the following warning from NIST (National Institute of Standards and Technology) is found:
Eavesdropping is a potential threat whenever Internet communications is involved, and particularly with e-mailed communications, which are sent unencrypted. While eavesdropping is not a significant threat for ballot distribution, as that information is generally publicly available, voted ballots must remain confidential. Voted ballots show how an individual voted, and may sometimes contain sensitive personal information about the voter. E-mails are significantly easier to intercept and modify in transit than other forms of communication. E-mails travel through telecommunications lines, network equipment and e-mail servers before reaching the intended recipient.
In light of the need to preserve, protect and defend the secret ballot for all voters I urge any legislature considering internet voting to give due weight to concerns about breaching the secret ballot for any group of voters.
Opening the Door to Voter Fraud
With internet voting there is no assurance that the person casting a ballot online is really who he or she claims to be. It would be relatively easy to impersonate a legitimate voter using the anonymity of the internet and stolen credentials. On page 1 of the above-cited document the distinction is cogently made between e-commerce systems and internet voting systems:
The special anonymity requirements of public elections make it hard to detect, let alone recover from, security failures of an Internet voting system, while in e-commerce detection and recovery is much easier because e-commerce is not anonymous. In a commercial setting, people can detect most errors and fraud by cross-checking bills, statements, and receipts; and when a problem is detected, it is possible to recover (at least partially) through refunds, insurance, tax deductions, or legal action. In contrast, voting systems must not provide receipts, because they would violate anonymity and would enable vote buying and vote coercion or intimidation. Yet, even though a voting system cannot issue receipts indicating how people voted, it is still vital for the system to be transparent enough that each voter has confidence that his or her individual vote is properly captured and counted, and more generally, that everyone else’s is also. There are no such requirements for e-commerce systems. In general, designing an Internet voting system that can detect and correct any kind of vote fraud, without issuing voters receipts for how they voted, and without risking vote privacy by associating voters with their votes, is a deep and complex security problem that has no analog in the e-commerce world. For these reasons, the existence of technology to provide adequate security for Internet commerce does not imply that Internet voting can be made safe.
This brings us to the crucial issue of internet security, which is an underlying issue in all discussions of the use of the internet for U.S. elections.
The Insecurity of the Internet Today
I am not myself a computer scientist. Therefore I rely on others with more technical credentials than mine to offer an opinion on the security of voting on the internet. Their unanimous conclusion is that the internet is not secure enough for use in voting in U.S. elections. The National Institute of Standards and Technology (NIST), the U.S. Government Accountability Office, and dozens of professional computer security experts warn that the safe use of the Internet for voting is essentially impossible, given the technology available today.
- In 2004, a panel of experts commissioned by the U.S. Department of Defense concluded that it was not possible to ensure the privacy, security, or accuracy of votes cast over the Internet with its current architecture. They said the attempt to provide secure, all-electronic Internet voting was “an essentially impossible task.”1
- In 2007, the U.S. Government Accountability Office (GAO) found that email and Internet voting is “more vulnerable to privacy and security compromises than the conventional methods now in use” and that “available safeguards may not adequately reduce the risks of compromise.”2
- In 2008, the National Institute of Standards and Technology (NIST) wrote, “Technology that is widely deployed today is not able to mitigate many of the threats to casting ballots via the web.”3
- In 2008, thirty leading computer science experts and professors at major universities signed a statement asserting that until “serious, potentially insurmountable, technical challenges” are overcome, permitting the Internet to be used for public elections “is an extraordinary and unnecessary risk to democracy.”4
In light of these dire conclusions from computer security experts who have studied internet voting I urge any legislature considering internet voting to think carefully about moving forward, especially since the DOD itself is not prepared to move forward on this issue without substantial technical upgrades to the internet taking place, a process that may take ten years.
In addition, the Election Assistance Commission is also in the process of establishing standards for internet voting and is only in the preliminary stages. No state should proceed without these EAC standards in place. See the “Internet Voting Timeline”5 for a detailed analysis of the progress or lack thereof in this area.
I don’t know whether most legislatures have investigated the cost of developing and implementing a secure online voting system. However, I would like to submit the attached document, “UOCAVA Voter Scoping Strategy”6, for consideration. This is a plan and estimate prepared for Washington state by Everyone Counts, a vendor of online voting systems. Note that this Internet voting scheme could cost as much as $4 million to get started and then $20,000 to $120,000 PLUS $2 to $7 per voter per county per year just for licensing. For WA it could cost up to $3.5 million per year.
While recognizing that the situation in Washington is not identical to that in other states, this study does provide some budgetary guidance about the possible fiscal impact of developing and implementing an internet voting system for overseas voters.
In light of the dire budgetary situation in many states across the country, I suggest that this issue of costs connected to developing and implementing an online voting system is not something to be lightly dismissed.
We all want to make it possible for overseas and military voters to be able to vote. However, it is my conclusion that the internet as presently available is not the way to go. It is too fraught with concerns about breaching the secrecy of the ballot, opening the door to massive online voter fraud, and providing insufficient security on the internet. In addition the budgetary implications do not make it an attractive proposition in the current dire economic climate.
This does not mean that nothing can or should be done to make it easier for overseas voters to participate in U.S. elections. So what do we do to help the overseas and military voters? The solution does not have to be high-tech. You don’t need the internet to make voting more available and to ensure ballots are returned in enough time to be counted. Get the ballots out as early as possible. Provide the blank ballots and voting information over the internet. Partner with FedEx and/or USPS or other carriers for special handling of voted ballots. FedEx did just that last year in a partnership with Overseas Vote Foundation.
In the meantime, the federal Election Assistance Commission was tasked by Congress to develop guidelines for internet voting. Wait until those guidelines are issued and the real experts in internet voting, the scientists and technologists, come to an agreement that the internet is ready. It may be ten years but I have heard from many of them that the day may come.
Take the time to do internet voting right. There is no need to rush ahead under present conditions. The time is not yet right.
1 “A Security Analysis of the Secure Electronic Registration and Voting Experiment (SERVE).” January 20, 2004. By Dr. David Jefferson, Dr. Aviel D. Rubin, Dr. Barbara Simons, Dr. David Wagner. http://www.servesecurityreport.org/
2 “Action Plans Needed to Fully Address Challenges in Electronic Absentee Voting Initiatives for Military and Overseas Citizens,” June 2007, p. 30. [GAO Report 07-774] http://www.gao.gov/new.items/d07774.pdf
3 “A Threat Analysis on UOCAVA Voting Systems.” [NISTIR 7551] http://vote.nist.gov/uocava-threatanalysis-final.pdf
4 “Computer Technologists’ statement on internet voting.” September 11th, 2008. http://www.verifiedvoting.org/article.php?id=5867
5 “Internet Voting Timeline.” http://www.votersunite.org/info/InternetVotingTimeline.pdf
6 “UOCAVA Voter Scoping Strategy.” http://www.votersunite.org/info/WA-CostsOfInternetVoting.pdf