This article was originally published in Communications of the ACM on February 24, 2016.
California, home of an underabundance of rain and an overabundance of ballot initiatives, may be confronted with one or two initiatives on this November’s ballot that, if passed by the voters, will mandate the establishment of Internet voting in the state.
A total of three such initiatives are under consideration so far. The first, poorly written and probably a long shot, represents one of the hazards of the initiative process: anyone can pay the fees and submit any crazy idea for a new law. But the other two are closely related, with the same sponsor and largely identical content. We expect only one of those two will go forward. Since they represent the most significant concern, for the rest of this blog we discuss only them.
The two initiatives, numbered 15-0117 and 15-0118, can be found at the CA Attorney General’s site. They are carefully drafted to avoid ever using the terms “Internet voting” or “online voting” or “email” or “web,” etc. Instead, they refer throughout to “secure electronic submission of vote by mail ballots.” Presumably, this is in part because the computer and elections security communities have managed to give “Internet voting” a bad name.
The vast majority of computer and network security experts agree there is currently no way to adequately secure an online public election. Any Internet voting system would leave our elections vulnerable to cyber attacks from foreign intelligence agencies, criminal organizations, our own political partisans, or even lone anonymous hackers. Any such attackers might silently, remotely, and undetectably spy on votes, tamper with them, discard them, and/or buy and sell them. Mandating secure Internet voting makes as much sense as mandating safe fusion power in California: it’s just not possible with any current technology.
These proposed initiatives would repeal hard-won election security safeguards. No voting system in California is allowed to be connected to the Internet or to transmit votes wirelessly. Yet these initiatives unabashedly repeal those safeguards, not only for the anticipated new Internet voting systems, but for all other California voting systems as well.
The initiatives would create a new Election Data Security Commission (EDSC) to oversee the deployment of Internet voting in California. The EDSC is specifically and inexplicably exempted from conflict of interest laws, and is accountable to no one but the Governor. It is required to create standards for Internet voting, something not even the Federal government has been able to do, and eventually to impose them on California without any checks or balances. Commissioners are not required to have expertise in computer, network, or election security. They may even be employees of voting system vendors or other special interests. No power in the state other than the governor can restrain the Commission.
The initiatives do not require even the minimal best practices for voting systems. They do not require the Internet voting system to be meaningfully auditable or recountable, or that it produce convincing evidence that the outcomes it declares are correct. They do not require strong authentication of online voters. They do not require the source code for the online voting system to be open to public inspection, but instead allow the entire system to be a corporate-owned proprietary black box. They do not specify the level of vote privacy or security required, nor that the online system must withstand any of the many specific cyber threats (malware, penetration, denial of service, etc.) that it will be subject to. They require no standards for the unsecured PCs or mobile devices voters will use to cast their ballots. They do not require the system to undergo public testing in mock elections to give independent experts a chance to test for vulnerabilities before it is deployed in real elections. All of these issues are left entirely to the discretion of the EDSC, which inevitably will have to compromise vote secrecy and security because of the many profound cybersecurity problems that cannot be solved in the foreseeable future. And whatever system emerges is specifically exempted from the federal standards for voting systems.
Moreover, these initiatives are fiscally irresponsible. They appropriate only $20 million total for the standards process, the voting system development process, all of the pilot projects, and the state certification. The Legislative Analyst, however, correctly estimates it will cost the state many tens of millions of dollars, possibly over $100 million up front, plus millions more per year in operating costs. Consequently, California taxpayers will be on the hook for far more money than is acknowledged in the initiatives.
Finally, if one of the initiatives is passed, it will be essentially impossible to amend. Each is about 50 pages long and makes massive changes throughout the California Election Code. Any piece of legislation this complex is bound to have bugs and unintended consequences, but the text of the initiatives states that even the slightest subsequent amendment would require the unanimous agreement of all seven EDSC Commissioners and a 2/3 vote in both houses of the Legislature and the signature of the Governor (or a new initiative). In effect, it will be impossible to correct any problems in these initiatives, no matter how minor or serious.
In order for an initiative to be included in the November ballot, its sponsors need to obtain over 365,000 legitimate signatures, which means actually gathering well over 400,000 signatures to be on the safe side. Because there are an exceptionally large number of initiatives proposed for this November, competition for paid signature gatherers has increased the cost of acquiring the necessary number of signatures to possibly as much as $2 million. That’s relatively minor compared to the cost of getting a contested initiative passed, which could be in the tens of millions of dollars. Unfortunately, such sums are a small amount to spend for corporations with a financial interest in the outcome, or for very wealthy individuals who mistakenly believe the initiatives are good for democracy.
Public election security is an aspect of U.S. national security. Unfortunately, Internet voting will not meet that high standard of security unless and until several profound cybersecurity problems are solved in a way that cannot be circumvented and does not require special platforms or voter training. We are not close; until we are, the time for Internet voting will not have come.