In the American Recovery and Reinvestment Act of 2009 (Recovery Act), Congress directed the Federal Communications Commission (FCC), as part of its development of a National Broadband Plan, to include “a plan for the use of broadband infrastructure and services in advancing … civic participation.” On December 10, 2010, the FCC issued a request for public comments “… on how broadband can help to bring democratic processes—including elections, public hearings and town hall meetings—into the digital age …” In its submitted comments, Verified Voting answered the question “With existing technology, is it possible to enable and ensure safe and secure voting online today?” simply: “In a word, no.” As a recent report from the National Institute of Standards and Technology (NIST) indicates, “… The security challenges associated with e-mail return of voted ballots are difficult to overcome using technology widely deployed today.” And “… Technology that is widely deployed today is not able to mitigate many of the threats to casting ballots via the web.”
Despite the short window allowed for public comment, numerous organizations and individuals, including Verified Voting, submitted comments. Much of Verified Voting’s commentary was informed by the “Computer Technologists’ Statement on Internet Voting”, published last year and signed by dozens of leading technology professionals and computer security experts. This post is the first in a series that will highlight the commentary submitted to the FCC on the issue of the role of the internet in the electoral process. In answer to the question “With existing technology, is it possible to enable and ensure safe and secure voting online today?”, Verified Voting responded, “in a word, no.”
Recent interest in online voting is ironic in light of the ongoing discussion over the security of electronic voting systems. For much of this decade, reassurance about the security of polling place e-voting systems has included the contention that the systems are secure “because they are never connected to the Internet.” Indeed, a number of states, including Mississippi, New York, California, Ohio, and Texas, have enacted laws or issued standards that prohibit any connection of polling-place voting devices and county election servers to the Internet. It has never been adequately explained how prototype Internet voting systems differ so much from current electronic voting systems that they obviate such wise security provisions.
Overseas and military voters face significant challenges in voting within the time frame between when ballots and materials become available and the deadline for returning those ballots. The Pew Center on the States wrote a report called “No Time To Vote” which explains this in detail. As they point out in the report, these challenges can be resolved without having to resort to insecure voting practices such as returning voted ballots electronically. At no point in this report is online voting recommended as a solution to these problems.
Citing problems arising in experiments with Internet voting in Finland and the Netherlands, Verified Voting responded to the FCC’s question regarding the use of internet voting in other countries by noting “other nations’ experiences are substantively different because of the very complex nature of US elections by comparison. Significant problems have been reported in online voting systems in other nations, however. The most critical factors are the absence of any auditability in these online voting systems, and issues relating to privacy and vote-secrecy.”
Verified Voting went on to cite some of the challenges facing the secure electronic transmission of voted ballots.
• The voting system as a whole must be verifiably accurate in spite of the fact that client systems can never be guaranteed to be free of malicious logic. Malicious software, firmware, or hardware could change, fabricate, or delete votes, deceive the user in myriad ways including modifying the ballot presentation, leak information about votes to enable voter coercion, prevent or discourage voting, or perform online electioneering. Existing methods to “lock-down” systems have often been flawed; even if perfect, there is no guaranteed method for preventing or detecting attacks by insiders such as the designers of the system.
• There must be a satisfactory way to prevent large-scale or selective disruption of vote transmission over the internet. Threats include “denial of service” attacks from networks of compromised computers (called “botnets”), causing messages to be mis-routed, and many other kinds of attacks, some of which are still being discovered. Such attacks could disrupt an entire election or selectively disenfranchise a segment of the voting population.
• There must be strong mechanisms to prevent undetected changes to votes, not only by outsiders but also by insiders such as equipment manufacturers, technicians, system administrators, and election officials who have legitimate access to election software and/or data.
• There must be reliable, resistant to forgery, unchangeable voter-verified records of votes that are at least as effective for auditing as paper ballots, without compromising ballot secrecy. Achieving such auditability with a secret ballot transmitted over the internet but without paper is an unsolved problem.
• The entire system must be reliable and verifiable even though internet-based attacks can be mounted by anyone, anywhere in the world. Potential attackers could include individual hackers, political parties, international criminal organizations, hostile foreign governments, or even terrorists. The current internet architecture makes such attacks difficult or impossible to trace back to their sources.
Given these formidable challenges, there is ample reason to be skeptical of internet voting proposals. Therefore, the principles of operation of any internet voting scheme should be publicly disclosed in sufficient detail so that anyone with the necessary qualifications and skills can verify that election results from that system can reasonably be trusted. Before these conditions are met, “pilot studies” of internet voting in government elections should be avoided, because the apparent “success” of such a study absolutely cannot show the absence of problems that, by their nature, may go undetected. Furthermore, potential attackers may choose only to attack full-scale elections, not pilot projects.
Full Comments from Verified Voting can be viewed here