Author: David Jefferson
There is widespread pressure around the country today for the introduction of some form of Internet voting in public elections that would allow people to vote online, all electronically, from their own personal computers or mobile devices. Proponents argue that Internet voting would offer greater speed and convenience, particularly for overseas and military voters and, in fact, any voters allowed to vote that way.
However, computer and network security experts are virtually unanimous in pointing out that online voting is an exceedingly dangerous threat to the integrity of U.S. elections. There is no way with current technology to guarantee that the security, privacy, and transparency requirements for elections can all be met with any security technology in the foreseeable future. Anyone from a disaffected misfit individual to a national intelligence agency can remotely attack an online election, modifying or filtering ballots in ways that are undetectable and uncorrectable of just disrupting the election and creating havoc. There are a host of such attacks that can be used singly or in combination. In the cyber security world today almost all of the advantages are with attackers, and any of these attacks can result in the wrong persons being elected, or initiatives wrongly passed or rejected.
Nonetheless, the proponents point to the fact that millions of people regularly bank and shop online every day without apparent problems,. They note that an online voting transaction resembles an ecommerce transaction, at least superficially. You connect your browser to the appropriate site, authenticate yourself, make your choices with the mouse, click on a final confirmation button, and you are done! All of the potential attacks alluded above apply equally to shopping and banking services, so what is the difference? People ask, quite naturally, “If it is safe to do my banking and shopping online, why can’t I vote online?”
This is a very fair question, and it deserves a careful, thorough answer because the reasons are not obvious. Unfortunately it requires substantial development to explain fully. But in brief, our answer is in two-parts:
1. It is not actually “safe” to conduct ecommerce transactions online. It is in fact very risky, more so every day, and essentially all those risks apply equally to online voting transactions.
2. The technical security, privacy, and transparency requirements for voting are structurally different from, and much more stringent than, those for ecommerce transactions. Even if ecommerce transactions were safe, the security technology underpinning them would not suffice for voting. In particular, the security and privacy requirements for voting are unique and in tension in a way that has no analog in the ecommerce world.
… The pattern of motivation for fraud is profoundly different between the commercial and electoral worlds. In an ecommerce situation al transactions are essentially independent. A buyer has no particular incentive to spoil or tamper with another buyer’s online purchase since two buyers rarely have conflicting interests. In any case the problem would almost certainly be detected and corrected. And it is hard to imagine a motive for another nation to bother messing with many Americans’ ecommerce transactions. But the situation is completely different with voting transactions. There is a powerful partisan incentive to block or change other people’s votes, especially if it can be done without detection, and the motivation to automate that process to affect thousands of online votes is that much greater. Such attacks can be done for tens of thousands of dollars or less, while the value of changing the outcome of an election can be hundreds of millions of dollars. And with Internet voting the danger is actually much worse, because not just domestic voters, but anyone, including particularly foreign governments, could derive great benefit from tampering with with U.S. elections, especially since it is unlikely they will be caught or brought to justice. Online voting is thus a national security risk in a way that ecommerce simply is not.
The sum of all of these considerations is simple. The security, privacy, transparency requirements for online voting are much more complex and stringent than they are for ecommerce transactions. The acceptability of small losses and the strategies for managing risk are very different between the two. And it is hard to grasp the full implications of the fact that online elections might be compromised and the wrong people elected via silent, remote, automated manipulation that leaves no audit trail or evidence for election officials or anyone else to even detect the problem, let alone fix it. These, ultimately are the reasons we cannot provide satisfactory security for online voting even though we can for online commerce.
The rest of this essay (PDF) expands upon these two points in order.
David Jefferson is a computer scientist at Lawrence Livermore National Laboratory, Board Chairman of the Verified Voting Foundation, and a member of the Board of Directors of the California Voter Foundation.