If I Can Bank Online, Why Can’t I Vote Online?
This simple question is at the crux of many discussions of Internet voting. In short, online banking has checks and balances, visibility, liability, and recourse. If an unauthorized banking transaction occurs, you can see it in your statement. The bank is responsible for losses, and has the ability to reverse an erroneous transaction. And, above all, you and your bank both know that the transaction was on your account, and where to return the money!
With voting, your votes might be incorrectly tallied, but that’s not visible to you. Your local election authority should not be able to tell which ballot is yours. And once your ballot is incorrectly tallied and the election results are finalized, there is no way to reverse or redo that tallying. Cryptographic voting methods can help with visibility by providing a Web site where voters can go after the election to verify that their votes were included in the total. However, there are limitations in that the underlying technology is too complex for typical voters to understand.
Also, the externalities are different. Because US banks are responsible for losses over $50 (presuming the customer informs them promptly), they have a significant motivation to secure their systems. Even so, there have been numerous examples of financial theft through fraud that takes advantage of inherent holes in Internet security, not even counting fraud that uses the Internet, such as phishing. With Internet voting, even a voter who can detect that his or her vote was recorded incorrectly will have very little recourse.
So What Is Internet Voting?
The term “Internet voting” refers to two rather different approaches: casting a vote using an ordinary computer that is not dedicated to voting (for example, at a home, an office, a cybercafé, or a library), or kiosk voting, using a dedicated computer to cast votes.
In both cases, the votes are transmitted over the Internet, but the difference between dedicated and nondedicated computers is critical. In the kiosk model, dedicated systems have the potential of being correctly configured and free of malicious software. By contrast, ordinary computers are nondedicated systems that must be presumed to be under the control of someone other than the user, via malware, other computers on an open network, or software update services. This short essay considers only the use of nondedicated systems, although many of the issues raised are also applicable to dedicated systems. While such topics as online voter registration; online availability of blank ballots; policy issues, including certification of systems for Internet voting; and legislative and/or policy changes that might be needed to allow Internet voting are important considerations, they are outside the scope of this essay.
Advantages of Internet Voting
Internet voting is claimed to have several advantages over traditional precinct-based voting or voting by mail. First, it offers an opportunity for increased participation, especially by young people who are overall less likely to vote, but are comfortable with the Internet. However, in elections thus far using the Internet, this promise has not been fulfilled. To date, the most direct comparison between Internet and traditional elections is a neighborhood board election in Honolulu; the first election with Internet voting had turnout down 83 percent compared to the previous comparable election, although there may have been other contributing factors besides technology .
Another purported advantage is that Internet voting would allow military and overseas voters to obtain blank ballots, and to cast their ballots closer to Election Day. Due to mailing times and unreliable delivery, such voters’ ballots are frequently not received, and voters must typically cast their ballots 30 days or more prior to the election. Voter convenience might also increase with Internet voting, as voters won’t have to take the time to visit a polling location. However, for voters without home or work Internet access, this might not be an improvement.
Many voters with disabilities, who have been historically underserved, may benefit from greater accessibility. More sophisticated computers and accessories (for example, text-to-speech and sip-and-puff systems) could be used, without the expense of equipping every machine with such capabilities. Internet voting could also lower costs, as the number of poll workers and even polling locations would be reduced. Thus far, pilots of Internet voting have been much more expensive than traditional voting technologies , but economies of scale can reduce that in the future.
The Voting Threat Model
When thinking about the security of any system, it’s important to think about the potential adversaries, including their skills and motivations. Voting has a very long history of adversaries deliberately tampering with elections, regardless of the technology used. In the case of voting systems in general, threats can come from insiders such as election officials and poll workers, technology vendors, and voters acting individually or in groups. In addition, Internet voting introduces as adversaries people who are not directly part of the election process, including anyone in the world with an Internet connection. Opportunities and motivation could come from individuals, organizations, or governments. While there have not (to date) been known attacks on online voting systems, related attacks have clearly shown motivation, including successful penetrations of both the Obama and McCain campaign Web sites during the 2008 US presidential election.
No form of voting is completely secure, completely private, or easy for all voters to use and understand. We should not expect Internet voting to meet all of these goals. However, in considering Internet voting, we should ensure that it is no worse than forms of electronic or paper-based voting systems in use today, such as precinct count optical scan (PCOS) and vote by mail (VBM). In a PCOS voting system, the voter marks a sheet of paper that is scanned in the precinct and becomes the official ballot for recounts. PCOS voters commit their ballots for delivery through a system that is vulnerable to a small number of people, many of whom are known insiders. By contrast, in most Internet voting schemes, the voter commits his or her ballot to a delivery channel that is vulnerable to an unknown but large number of unknowable people worldwide. With VBM, voters are sent paper ballots to mark and return to the government. Voter fraud (including bribery, coercion, and suppression) is limited to the number of people who can physically obtain the actual VBM ballot. With most Internet voting schemes, voter fraud becomes feasible to anyone who can obtain (or guess) the voter’s credentials, as well as anyone who can find vulnerabilities in the online voting system. Such vulnerabilities may include attacks on the voting computer that sends the electronic votes, the election server that receives the votes, or the networks connecting them.
General Problems with Internet Voting
Potential problems with Internet voting fall into several categories, many of which are related to issues with voters’ computers. Does the machine represent the voter’s intent? Displaying a summary can help, but voters tend not to review summaries, even if displayed accurately. In addition, malware could vote on behalf of a user. Estimates commonly claim 30 to 60 percent of all home and business computers are infected with some form of malware. While that malware isn’t focused on voting, reconfiguring a botnet like Conficker to cast votes on behalf of voters would be simple--and changing even two percent of the votes can sometimes be enough to flip the election. Another issue is compatibility: Is the voting software compatible with voters’ computers? A surprising number of people are still running Windows 95 and Internet Explorer 3. Internet voting could also make it easier to coerce voters or buy their votes. In a technique used in Estonia, a voter could cast as many ballots as desired, but only the last one was counted . With this scheme, vote buying or coercion only works if you can prevent the voter from casting a replacement ballot.
Also of concern is how elderly, low-income, and rural voters (who are much less likely to have personal computers and Internet service) can cast Internet votes. Dedicated sites can be set up, but this replicates the problems of traditional precincts. Library computers are reasonably common, but are typically set up to minimize privacy to discourage inappropriate Web surfing; this is at odds with the right to a secret ballot. While greater accessibility for the disabled is a possible advantage, as noted above, many of these voters do not have access to such technologies; Internet voting could disenfranchise them. Finally, how can the privacy of the voter’s action be guaranteed? Voters who use their employers’ computers to vote may be monitored, as keystroke logging and similar technologies are frequently (and legally) used in the workplace.
Another set of issues crops up on the server side, where votes are collected. A major concern is securing the system against potential attacks from anywhere on the Internet. Attacks aren’t limited to attempts to tamper with votes and tallies, but also include denial of service attacks that prevent voting in the first place. Also, how can insider attacks by election officials or technology vendors be detected or prevented? Cryptographic voting schemes can help here, but are extremely difficult for voters and election officials to understand. We all know that bugs commonly affect software, and voting is no exception. What if bugs in the vote totaling software cause incorrect results? Finally, vote counting needs to be transparent, so voters will have confidence that the correct person is selected. Or, as Dan Wallach famously said, “The purpose of an election is not to name the winner, it is to convince the losers that they lost.”
Other issues relate to voter authentication. For example, how does the voter identify and authenticate herself? Common identifiers such as social security numbers or driver’s license numbers are frequently misused as authenticators. Smartcards could be used for this purpose if they were uniformly available to all eligible voters. We need to know who a voter is without connecting her to her ballot: authentication needs to be separated from voting.
As a result of the above challenges, many computer scientists have opposed moves toward Internet voting. The SERVE report (www.servesecurityreport.org) is among the better-known critiques of Internet voting that describe the above issues in depth. Also, a group of prominent computer scientists have set forth recommended requirements for Internet voting in a public letter at http://www.verifiedvoting.org/article.php?id=5867.
2010 in Review, and 2011 Looking Forward
In mid-2010, the Federal Voting Assistance Program (FVAP) and the US Election Assistance Commission (EAC) convened a workshop of scientists and election officials to discuss Internet voting technologies and solutions. The result was a deadlock, with scientists insisting that Internet voting is unsafe, and election officials mostly arguing that non-Internet solutions are inadequate for overseas voters.
The 2010 Congressional elections marked a turning point in the use of Internet voting. Thirty-three states allowed military and overseas voters to download blank ballots. A handful of states allowed the return of marked ballots by email, generally with voters explicitly waiving their right to a secret ballot.
Most importantly, the District of Columbia (DC) performed a groundbreaking experiment in which they created an open-source system for ballot download and return, and for a few days invited the public to investigate its security. Of the major categories of attacks described above, only server attacks were allowed. A team from the University of Michigan broke the system within 36 hours, installing code that retrieved all votes already cast, and modified the software so that all future votes were cast for a series of fictional characters. To ensure that no one missed this hack, the software was modified to play the Michigan "fight song" after each vote was cast.
The DC system was built by a well-trained staff, and the code quality was significantly better than commercial offerings. The fact that it was broken so quickly was a demonstration that Internet voting is unwise, and DC appropriately backed off from their plans to allow online ballot return.
Despite the DC experiment results, West Virginia proceeded with their plan to allow online ballot return using proprietary software that has not been subject to any public security tests, relying entirely on the vendor's assurances and the mistaken belief that proprietary software is more secure than open source by virtue of being secret.
In early 2011, FVAP convened a second workshop of scientists to develop recommendations for state and local election officials to use in procuring blank ballot distribution systems. That effort, expected to result in a report by June 2011, is intended to solve the "easy" part of the problem in time for the 2012 elections.
Over the past five years, a handful of Internet voting pilot programs have been implemented around the US and in other countries, as well as a few full-fledged elections in Europe. In many cases, the elections were driven by research in cryptographic voting technology, which can address some (but not all) of the problems described above. As the US Congress and many states are moving toward encouraging Internet voting (especially for military and overseas voters), research is needed to address a few key questions.
First, can the general public understand or believe in cryptographic voting techniques enough to be satisfied that their votes are counted and legitimate? This question primarily addresses a need for usability testing: While there has been significant research into the mathematics of cryptographic voting, there have been no efforts to find out if voters or election officials understand how the vote counting works, or if they believe that it is accurate. While understanding is not always necessary--most people don’t understand how a jet engine works, but continue to get on airplanes--voting must be understood since it is the basis of democracy.
Second, can we come up with noncryptographic schemes that meet the needs for privacy and security, and are easier for the public to understand? Many of the Internet voting systems in use today are based on noncryptographic schemes, but they do not have the properties of provable accurate counting. On the other hand, they can be understood reasonably well by voters. This highlights a critical research topic: finding a middle ground, where the voting system can be understood and also trustworthy.
Third, are there ways to address the disconnect between what the voter sees on the screen and how his or her vote is cast, so the voter doesn’t have to trust the software to represent his or her intent? The solution to this question is perhaps the most difficult, as it requires finding methods that allow proof from the vote collecting system back to the human, not the software, that the votes were cast as intended. To do this successfully, both the technical aspects (How can we make it happen?) and the human factors aspects (How will users respond? Will they be able to perform the necessary steps correctly?) must be addressed.
Accomplishing the above research requires significant investment in both technical and usability research, including large-scale human subject tests. However, human subject tests are particularly difficult for voting technologies, because the factors that motivate voters must be replicated in the experiment, without compromising voter privacy in a real election. Voters can’t be told which candidate to vote for in a real election to judge the efficacy of a voting technology, and, in a simulated election, they won’t have the same motivation to ensure that their candidates are selected.
Internet voting is almost certain to become common over the next decade, due to market pressures, such as the demand for easier voting by military voters and the desire of Gen-X and Gen-Y to vote online, just as they do everything else online. Researchers have the opportunity to ensure that the systems built and fielded meet the requirements of usability, security, privacy, accessibility, reliability, and transparency. These opportunities certainly include demonstrating and educating the public and elected officials about areas where Internet voting is inferior from a security and privacy perspective to other forms of voting. But there are also opportunities for performing the technical work necessary to minimize those weaknesses, and to ensure that the improvements are both comprehensible for trust, and practical for real-world use.
This paper was prepared with support from ACCURATE: A Center for Correct, Usable, Reliable, Auditable and Transparent Elections, under National Science Foundation Grant Number 0524111.
Dec 21 2009
Last updated: Apr 3 2011
A Security Analysis of the Secure Electronic Registration and Voting Experiment (SERVE)
Jefferson D., Rubin A.D., Simons B., Wagner D.
Software Review and Security Analysis of Scytl Remote Voting Software Clarkson M., Hay B., Inge M., Shelat A., Wagner D., Yasinsac A.
RIES - Rijnland Internet Election System: A Cursory Study of Published Source Code
Gonggrijp R., Hengeveld W., Hotting E., Schmidt S., Weidemann F. E-Voting and Identity (LNCS 5767)
Conferences and Workshops
Electronic Voting Technology Workshop (EVT)/Workshop on Voting Technology (WOTE): an annual multidisciplinary workshop focused on topics central to electronic voting
Evaluation of electronic voting
Volkamer M. Springer, 2009
Analyzing Internet voting security
Jefferson D., Rubin A., Simons B., Wagner D. CACM 47 (10), 2004, pp. 59-64
A coercion-resistant Internet voting protocol
Meng B. ICSNC 2007, Cap Esterel, France, Aug. 2007, p. 67