If we can use the Internet to deliver blank ballots, why not use it to return voted ballots as well? Part of the answer lies in the nature of the Internet itself. To be sure that the vote cast is the vote counted, we need a way to guarantee that 1) the voted ballot has not been substituted or altered in transit, and 2) the ballot received was actually sent by the voter and not by someone impersonating them. As the Internet currently works, its basic protocols provide neither assurance on their own. Before looking at sending ballots via Email, it helps to understand how all Internet communication works, whether it is an email, a website, a file download, or a tweet. What we now call the Internet grew out of research on connecting computers of different types, in different locations, into a single network. One problem facing the researchers was how to move electronic information reliably over pathways that are unknown and unpredictable: two computers might be connected by a wire across the room, or through a huge network of sub-connections spanning the planet.
One answer was to send information through a relay system, passing it from computer to computer at different locations until a final connection is made at the receiving end. This improves the odds of a successful connection: if any single relaying computer is unavailable, another can be found, a new relay established, and the connection completed. Still more reliability comes from sending information in discrete chunks known as packets, each of which can take a different path to the receiver. For this to work, the receiving computer needs a way to determine the sender of each incoming packet and to reassemble the packets in the correct order. The pair of protocols that does this, called TCP/IP (IP carries the addresses and gets each packet to its destination; TCP puts the packets back in order and asks for any that went missing), is at the heart of the Internet’s ability to share information among computers all over the planet.
TCP/IP is remarkable in its flexibility. But that flexibility comes with built-in weaknesses that attackers have learned to exploit. For example, to recognize the source of an incoming packet, a receiving computer needs to know the identity of the original sender. To provide this, IP requires that every packet carry a “source address” identifying the sender. Roughly equivalent to the “From” address on a postcard, this label is written into the packet by whoever sends it, and nothing along the way checks that it is true. An attacker can simply stamp packets with someone else’s address, a technique known as IP spoofing. And anyone who controls a relay point can intercept the original sender’s packets, substitute their own, and label them with the original source address before forwarding them. The receiving computer has no way to tell it is dealing with an impostor, because the packet appears to come from the original sender.[1]
Think of it as a postcard sent across the country, with the “To” and “From” addresses written in pencil and a message reading “Mom, please send money to my new address”. On its journey the postcard stops at several central routing stations for processing and forwarding before reaching its final destination. At any relay point along the way, someone could grab the postcard, erase the From address, write their own address in its place, and wait for Mom to send the cash.
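To make the source-address point concrete, here is a small Python example added for this page (it is not code from the original article or from any voting system). It builds a minimal IPv4 header the way the protocol specifies, shows that a receiver cannot distinguish a genuine packet from one an attacker stamped with the voter’s address, and then plays the role of a malicious relay that rewrites the ballot contents (and, if it wishes, the source field) and recomputes the header checksum so the packet still looks valid. The addresses come from the ranges reserved for documentation, the “ballot” payload is constructed, and the function names are this example’s own. Nothing is sent on the network; the packets are only built and inspected in memory.

```python
import struct


def ipv4_checksum(header: bytes) -> int:
    """IPv4 header checksum (RFC 791): one's-complement sum of the 16-bit words.

    Run over a header whose checksum field is already filled in, a valid
    header yields 0. The checksum guards against accidental corruption only;
    anyone who changes the header can simply recompute it.
    """
    if len(header) % 2:
        header += b"\x00"
    total = sum((header[i] << 8) | header[i + 1] for i in range(0, len(header), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ip_to_bytes(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def build_ipv4_packet(src: str, dst: str, payload: bytes, ttl: int = 64, proto: int = 17) -> bytes:
    """Build a 20-byte IPv4 header (no options) and append the payload.

    The source field is whatever the caller writes into it. Nothing in the
    protocol ties it to the machine that actually emitted the packet.
    """
    header = struct.pack(
        "!BBHHHBBH4s4s",
        (4 << 4) | 5,        # version 4, header length 5 words (20 bytes)
        0,                   # type of service
        20 + len(payload),   # total length
        0x1234,              # identification (arbitrary for this example)
        0,                   # flags / fragment offset
        ttl,
        proto,               # 17 = UDP, a placeholder for this example
        0,                   # checksum placeholder, filled in below
        ip_to_bytes(src),
        ip_to_bytes(dst),
    )
    checksum = ipv4_checksum(header)
    return header[:10] + struct.pack("!H", checksum) + header[12:] + payload


def receiver_view(packet: bytes) -> tuple:
    """What a receiving host can learn from the header: claimed source,
    destination, whether the checksum verifies, and the payload."""
    fields = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    src = ".".join(map(str, fields[8]))
    dst = ".".join(map(str, fields[9]))
    checksum_ok = ipv4_checksum(packet[:20]) == 0
    return src, dst, checksum_ok, packet[20:]


def malicious_relay(packet: bytes, new_src: str, new_payload: bytes) -> bytes:
    """A relay point that alters a packet in flight and re-stamps it.

    The header checksum does not cover the payload at all, and the relay
    recomputes it after editing the header, so the result verifies cleanly.
    """
    header = bytearray(packet[:20])
    header[12:16] = ip_to_bytes(new_src)
    header[2:4] = struct.pack("!H", 20 + len(new_payload))
    header[10:12] = b"\x00\x00"
    header[10:12] = struct.pack("!H", ipv4_checksum(bytes(header)))
    return bytes(header) + new_payload


# Constructed example addresses from the RFC 5737 documentation ranges.
VOTER, ELECTION_SERVER, ATTACKER = "192.0.2.10", "198.51.100.20", "203.0.113.5"


def demo() -> dict:
    genuine = build_ipv4_packet(VOTER, ELECTION_SERVER, b"BALLOT:candidate=A")
    # Spoofed: the attacker writes the voter's address into the source field.
    spoofed = build_ipv4_packet(VOTER, ELECTION_SERVER, b"BALLOT:candidate=B")
    # Tampered: a relay rewrites the ballot but keeps the voter's label on it.
    tampered = malicious_relay(genuine, VOTER, b"BALLOT:candidate=B")
    return {
        "genuine": receiver_view(genuine),
        "spoofed": receiver_view(spoofed),
        "tampered": receiver_view(tampered),
    }


if __name__ == "__main__":
    for name, view in demo().items():
        print(f"{name:8s} claimed source={view[0]} checksum_ok={view[2]} payload={view[3]!r}")
```

All three packets arrive with the voter’s address and a checksum that verifies; from the header alone the election server cannot tell which one the voter actually sent. The checksum does catch a bit flipped by a faulty link, but a relay that edits the packet on purpose simply recomputes it, which is why the two guarantees listed at the top of this page have to come from something layered above IP rather than from the protocol itself.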
The Internet is a vast network of connected computers spanning the globe. As we’ve seen, communication between any two computers may be routed through many relay stations throughout the world, with every packet of data potentially vulnerable to manipulation by anyone with access and malicious intent.
Next up, how Email works.
[1] For a technical discussion of this type of attack see IP Spoofing: An Introduction.