Testimony on internet voting submitted to FCC Dec 09
Reference: Comments—NBP Public Notice #20 – GN Docket Nos. 09-47, 09-51, and 09-137
We are ordinary citizens concerned about the integrity and security of our election system. We have worked hard to study our electoral system and the technologies employed here. We would like to point out that the US is a patchwork of jurisdictions that run elections under local and state laws. Elections have traditionally been the domain of the states and it is difficult to imagine how a top-down approach to internet voting in the US would be desirable. Moreover, it is unlikely a top-down approach would lead to the kind of uniformity in voting practices that small homogeneous countries like Estonia or Switzerland are able to achieve. Therefore we have grave concerns about efforts to push internet voting in the United States.
3. Voting. Voting is the most fundamental of civic acts. As technology transforms all aspects of society, could voting be transformed as well?
New technologies may offer the dazzling promise of transforming voting. However several standards need to be met before a new technology should be deployed. Because voting is the beating heart of democracy, any new technology must be held to the highest standard and must not degrade the integrity, accuracy, transparency, auditability, re-countability, public access and/or public oversight of the electoral system.
One of the key problems with online voting is that these cyber systems have all of the well-documented problems of DRE voting machines – no paper trail, no ability to recount, no ability to audit the vote – with the added dimension of leaving no physical manifestation of the process at all. At least with DREs there might be a memory card and/or end-of-day paper report. But with internet voting there is simply no way to prove that a vote was tallied correctly, if at all. Of course, the public has no way to examine or oversee an election that is conducted entirely online – the public is expected to trust without being allowed to verify, something we have been repeatedly warned against. We, the voting public, should be able to verify the integrity of our electoral process just as much as the Pentagon should be able to verify Russian or Chinese missile threats.
Another important issue that needs to be addressed when contemplating internet voting is voter privacy. Because a voter will need to verify their identity in some way in order to cast their ballot online they may surrender their right to a secret ballot and be at serious risk from intimidation, coercion and vote-buying attempts. In our view, these risks outweigh the possible benefits obtained from the convenience of voting online.
Another point to consider is the prevalence of denial-of-service attacks,viruses, spam and malicious spyware. Enabling online voting will increase the risk that malware will infect the computers used in the election system. This could lead to a major and possibly undetected corruption of the vote counting system, putting the integrity and accuracy of the entire system at risk.
a. With existing technology, is it possible to enable and ensure safe and secure voting online today?
Recent headlines about the ability of Chinese hackers to penetrate DOD combat operations computer systems suggest that it would not be possible to have a safe and secure voting system in an online environment. Take a look at this article: http://shine.yahoo.com/channel/life/titan-rain-the-4th-dimension-of-war-by-j-montana-500379/ in which there is this dire warning:
“There is a new red storm rising in warfare as we know it. I speak of the 4th dimension of war, Cyber Warfare. After September 11, 2001, Chinese military intelligence started probing (hacking) into external DOD databases. The Department of Defense has not declared the source of these attacks – meaning they have not admitted if they were from the Chinese Military or Chinese Mafia. The Chinese have not only attacked American databases and NASA, they have attacked India and Whitehall in Great Britain. But there are, also, the Russians, North Korea, Israel and many others.
‘The first attacks that surfaced were designated “Titan Rain” in 2003. Since then, the code name has been changed and classified. As if Americans did not have enough to worry about, now there is just as much of a threat in Cyberspace as on the street. If an enemy can come in and target even the smallest amounts of information from the U.S., then it could be enough to cripple our economic and/or infrastructure systems as we know it.
“Not only were the Defense Department’s networks being targeted, but several departments were hit including the State Department, Energy and DHS along with defense contractors. The Government believes that these organized attempts are still taking place on unclassified systems and are draining information repeatedly.”
Another example of cyber hacking is this April, 2009 attack on the NYPD: http://www.fiercecio.com/story/chinese-hackers-attack-nyc-police-department/2009-04-25
We could point to lots of other examples of cyber attacks on key government systems in the US, but this should be sufficient to demonstrate the seriousness and multi- targeting of these attacks.
Can we assume that online voting systems would not be targeted by such cyber attacks? We think not. In fact, internet election systems would offer tempting target for hackers wanting to tamper with our political system.
b. What can we learn from other nations that have considered or implemented online voting?
We can learn that the necessary infrastructure must be in place prior to implementation of an online voting system. For instance, in Estonia there was already a national ID card that could be used to authenticate a voter’s identity for purposes of casting a ballot. There was also a high degree of internet penetration and cell phone use in place before these systems were used for voting. At the same time in-person voting at the polling place was preserved and made available to all so that eligible voters were not excluded due to lack of access to technology.
Estonia is a small, homogeneous country with a history of central election administration: it would be unwise to assume that Estonia’s system can be transferred lock-stock-and-barrel to a place as large and diverse as the US without major modifications. In fact, Estonia’s experience, as well as that of several Swiss cantons, may be so culturally dependent that they can not be replicated in the US at all.
It is important to note that Internet voting did not fall from the Estonian skies. It belongs to a larger, many years old effort to develop the information and communications sector in the economy as well as to put the internet at the very heart of intra-governmental activities (e.g. the Estonian government is very proud about its “paperless government”) and government-citizen interactions.
In contrast, major portions of the US have neither cell phone coverage nor broadband internet access. If one looks at the coverage maps of major US cell phone providers it soon becomes clear that the wide open spaces of the West as well as rural areas in other states do not have cell phone coverage. These same areas also lack broadband internet access: part of the recent stimulus package was directed toward building out this infrastructure. This is a multi-year undertaking, similar in scope to the rural electrification projects of the 1930’s and 1940’s. It is important to point this out because internet voting in Estonia was preceded by a broad governmental effort to develop the information and communications infrastructure before moving to internet voting. In addition the Estonian effort was characterized by a step-by-step approach that still leaves the traditional paper ballots at polling places intact as an omnipresent backup. The Estonian system allows voters to cast multiple ballots throughout the voting period with only the last one being tallied. This protects against intimidation, coercion, vote-buying and even changes of mind on the part of the voter.
c. What can we learn from pilot projects that have tested online voting?
There has been no systematic study of pilot projects in the US that have utilized online voting. Hawaii’s recent experience was run by a private company, and had record low voter turnout – an 83 per cent decrease from previous levels. Because of the lack of information about the software used, the security measures in place, the user interface, the voter education campaign and other factors there is no way to evaluate them except by the rough, raw measure of voter turnout. We are left with more questions than answers about online voting experiments in the US. Without objective data we can not reach a valid conclusion about these pilot projects. More information about the turnout in the Hawaii experiment can be found at https://votingmatters.wordpress.com/2009/08/27/hawaii-experiments-with-internet-voting/
d. Have localities or states enabled online voting either domestically or for citizens abroad (such as military personnel stationed overseas)?
Online voting for UOCAVA voters was considered in the Oregon legislature during the 2009 session. Because of serious security and voter privacy concerns it was decided that the best solution using current technology was to enable e-mail transmission of blank ballots to UOCAVA voters. These ballots received via e-mail may returned either via fax, US mail or private delivery services such as UPS or Fedex. They may NOT be returned via the internet due to concerns about computer viruses, interception by malicious parties or hacking. Given recent headlines about Chinese hackers breaking into DOD combat operations computers, this decision seems not only wise but prescient.
e. Do government jurisdictions at any level, domestic or foreign, allow online voting for any citizen? Have there been quantifiable impacts tied to online voting, including impacts on the number of citizens that voted? Have there been qualitative impacts tied to online voting, either positive or negative?
Several countries have conducted internet voting trials in binding public elections over the past decade, including Switzerland, the United Kingdom, and the United States. These trials have been conducted at the local and regional levels of government, targeting specific populations of voters. However, Estonia—a former Soviet republic and now a full member of the European Union—has advanced the farthest in deploying Internet voting.
The Estonians seem to be the most pleased by their online voting experience, perhaps because it was part of an broad investment in developing communications and information technology infrastructure. There is high voter participation and satisfaction among the Estonian electorate, perhaps because online voting is not the only option – in person polling place voting is always an option.
In contrast, the most recent US experience in local elections in Hawaii was an epic fail with record low turnout (83% decrease from previous levels). Since this election was conducted by a private company there is very little hard data about why there was such a low voter turnout – was it the unfamiliar technology? Or was it a low-controversy local election that generated little interest? Was the voter education and outreach adequate? What is the level of internet penetration in the Hawaiian jurisdiction where this election took place? Until there are answers to these and other similar questions, we have no way of knowing why the turnout was so low. For more information on the Hawaii experience see https://votingmatters.wordpress.com/2009/08/27/hawaii-experiments-with-internet-voting/
f. What are the security and privacy risks that government jurisdictions must consider when considering the implementation of online voting?
There are substantial risks that governmental jurisdictions should consider before implementing internet voting. Most of them are outlined very cogently by Barbara Simons, former President of the Association for Computing Machinery (ACM) at http://www.huffingtonpost.com/barbara-simons/the-internet-and-voting-w_b_210554.html
In this article, Simons corrects some misunderstandings about cyber security. First she addresses the claim that online voting is OK because online banking seems secure:
“Banks spend considerable time and money to ensure the security of our assets, yet there are still risks. Identity theft and fraud affect millions of Americans and cost billions of dollars each year. When we can detect such fraud it is because we are able to track our money through each transaction from start to finish, including the people associated with those transactions.
“However, elections by their very definition disallow this type of explicit end- to-end auditing. Voters must cast their ballot in secret and not be able to prove to others how they voted. Election officials must not be able to tie votes to citizens except in very narrow circumstances as carved out by law. The lack of these basic protections make Internet-based voting a dangerous idea and place it … far from the realm of Internet banking or commerce.”
Then she tackles the question whether military grade encryption is enough to make a system secure enough for online voting.
“It is a well-known marketing technique of voting system vendors to tout the strength of their encryption because it sounds impressive. But the fact is that encryption is only a secondary part of any electronic security. It does nothing at all to protect against insider attacks, denial of service attacks, various forms of spoofing, viruses, or many kinds of ordinary software bugs. Even the most secure military computer networks have been compromised, including a recent serious breach of the Pentagon’s $300 billion Joint Strike Fighter project.”
So internet voting brings a heightened risk from multiple sources without necessarily providing sufficient benefit to justify it. One of the other risks is the voter’s loss of privacy if robust protections are not in place. The vote must be separated from the identity of the voter but at the same time the voter’s identity must be authenticated in order for them to be able to cast a ballot. It is far easier to accomplish this via traditional in person voting at the polling place or via paper-based absentee voting with secrecy envelopes. In the US, at least, the systems are simply not in place to provide either privacy or security. It is not enough to point to Estonia or Switzerland: they already have systems in place that make cyber voting possible. These systems are still not auditable or recountable but at least they have better systems in place to prevent the worst breaches of voter privacy or system security.
g. What are the history and current state of play of online voting technologies?
In the US the only providers of internet voting are private corporations which use their own proprietary software to manage the elections process. Since this software has never been examined, much less certified by any outside party (as is required of other vote counting software) there is no way to do an evaluation of it. The Election Assistance Commission has not yet taken jurisdiction of the certification of this online voting software, but it should take such action to protect the interests of American voters who may find themselves interacting with it in the course of a crucial election.
We strongly recommend that internet voting software should be subjected to the same kind of rigorous examination as was done during California’s Top to Bottom Review at the behest of Secretary of State Debra Bowen. Then we will have a better idea about the level of quality of the internet voting software. Until then, we can only be skeptical about this online voting software, given the buggy code that has been produced by all the other providers of election system software (Diebold, ES&S, Sequoia, to name a few names).
h. What are best practice processes concerning online voting?
In the US internet voting has been conducted in such a haphazard undocumented manner that it is hard to say whether any standards have been adhered to. A team of Caltech/MIT researchers have provided an analysis of the Estonian experience that provides some guidance in this matter. This working paper by Trechsel, Alvarez and Hall is found at http://www.vote.caltech.edu/drupal/files/working_paper/vtp_wp60.pdf
The issues they address are summarized as follows:
‘There are four key features to the Estonian experience that makes Internet voting a workable alternative: widespread Internet penetration, a legal structure that addresses Internet voting issues, an identification system that allows for digital authentication of the voter, and a political culture that is supportive of Internet voting.”
If one takes an objective look at these criteria it is easy to see how unready for internet voting the United States really is.
- Internet infrastructure is inadequate to nonexistent in large parts of the country. There would need to be massive buildout before online voting would be widely available from coast to coast.
- Election laws do not address internet voting issues. For instance, voting multiple times as is allowed in Estonia is a crime in US jurisdictions. But it is one of the safeguards in the Estonian system that protects voters against vote-buying coercion and intimidation.
- The US has no national digital ID card that could be used for voter authentication. It is unlikely that such a document could be imposed, given the strong resistance to the concept from elements across the political spectrum ranging from militant libertarians on the right to adamant civil liberties advocates on the left.
- One of the key findings by Trechsel, Alvarez and Hart is that older voters in Estonia are less likely to utilize the online voting option. This same age-preference probably exists in the US, with younger voters more open to online voting and older voters less likely to embrace it. This phenomenon would not prevent deployment of online voting in the US but would make it more difficult when considered in tandem with the lack of internet infrastructure in many parts of the country.
i. How would enabling online voting impact overseas military personnel, overseas diplomatic personnel or other Americans living overseas?
Enabling online voting for UOCAVA voters will subject these voters to systematic risks that will not be imposed on other groups of voters. The risk of having their identity associated with their vote could mean a loss of their right to a secret ballot. The risk of coercion, intimidation or vote-buying is substantial. They risk having their vote corrupted by computer viruses, intercepted by malicious hackers or lost in cyberspace as it is transmitted in cyberspace.
In other words, UOCAVA voters would be subjected to more risk that their vote would be lost or counted incorrectly than other groups of voters such as polling place or US-based absentee voters. It is unfair to place this greater burden of risk on UOCAVA voters especially since this group includes deployed military whose service abroad is at the whim of Pentagon decision makers.
There are other more secure technologies that can be utilized for UOCAVA voters – distribution of blank ballots via e-mail with fax back option, use of secure military or diplomatic mail to send ballots back stateside, utilization of private delivery services such as Fedex, DHL and UPS. We suggest that these inherently more secure methods be utilized rather than trusting the hackable insecure internet to transmit voted ballots.
Some will argue that the convenience of online voting should trump all the concerns about privacy and security. We would suggest that voting is too important to be put at risk for mere convenience.
We strongly urge that internet voting not be implemented without the necessary preconditions for success and without safeguards for the security of the system and the privacy of the voter. Given the current state of technology there is no reason to trust these online voting systems because there is no way to verify them. Paper ballots counted in an optical scanner offers a proven technology that allows for recounts and audits. Internet voting does not allow for recounts and audits. Just say NO to internet voting!!