Author: Pamela Smith and Bruce McConnell
This article was originally posted at The Colorado Statesman on August 28, 2015.
Last week’s guest commentary by Secretary of State Wayne Williams in The Colorado Statesman obscured some important facts. He was responding to criticism of his new rule establishing criteria for the casting of election ballots by email.
In it, Secretary Williams implies that the federal government expanded voting by email. He writes, “The federal government, along with the Colorado General Assembly, expanded the electronic ballot transmission for military and overseas voters.” In fact the federal government has neither endorsed nor expanded the return of marked ballots over email. The Military and Overseas Voter Empowerment, or MOVE Act of 2009 (a bill we proudly supported) only directs states to send blank ballots to military and overseas voters electronically, not return of voted ballots That’s because voted ballots could be manipulated or deleted in transit — undetectably. Due to such unsolved security issues, last year Congress eliminated a Defense Department online voting project. The federal agency tasked with helping enfranchise military voters has stated that ballot return by postal mail is the “most responsible” method. In no instance does the federal government encourage states to offer electronic ballot return for military and overseas voters.
In 2006 the Colorado General Assembly passed legislation to permit online ballot return for military voters, but only under the most restricted circumstances. And it did so before most of the public was aware of today’s cybersecurity risks and of attacks in which data and sensitive information of millions of Americans had been compromised.
Secretary Williams claims that of the nearly 3,400 ballots sent back electronically in 2014 there was not a single report of tampering. This raises two issues: First, “no report” is meaningless when tampering of online ballots can be done undetectably. Experienced hackers can penetrate a system for a very long time without detection, as seen in recently publicized successful attacks on the FBI and Pentagon. A Colorado voter whose email ballot has been altered would never know; the elections office also will never know — because the ballots will appear to be normal. Unlike consumer banking where a customer can inform her bank or credit card company of unauthorized charges appearing on a statement, there is no way for a voter to check if her ballot was altered by hackers operating remotely. Methods that could allow a voter to check are being researched but are nowhere near ready for deployment, and email is the weakest of substitutes. Second, for years there has been no state rule to guide these vulnerable voters through this security minefield, nor to spell out the very narrow parameters required by law, needlessly putting many more than even those 3,400 votes at risk.
Computer security experts from the Department of Homeland Security, the U.S. Election Assistance Commission and the National Institute of Standards and Technology are in agreement with computer security experts in the private sector that email return of voted ballots is the “least secure” method of ballot return and can be easily and undetectably hacked. Recently computer security company Galois, which contracts for the Department of Defense, published a paper, blog, and video demonstrating how easy it is to hack ballots transmitted by email.
Given our shared concern is for ensuring the safe return of military and overseas voters’ ballots, the record of other states can be instructive. Minnesota and Wisconsin consistently lead the nation in the rate of military and overseas ballots returned, and neither permits online ballot return, showing that military and overseas voters can be helped without putting their ballots at risk in this way. Other states with large military populations (for instance, California) also forbid casting ballots via email because of the security risks.
Identity-theft experts warn consumers of sending bank account numbers and Social Security numbers via email. Surely our military’s votes are worthy of the same protection.