Is Internet Voting Safe?
By Deborah M Phillips and David Jefferson
When VIP published "Are We Ready for Internet Voting?" in August 1999 we speculated about many potential security issues surrounding what then seemed a futuristic proposition - conducting a binding public election via the Internet.
In less than a year, however, the era of Internet Voting has come upon us, with the occurrence in March 2000 of the first binding public election in the Arizona Democratic Presidential Primary. That election is now the subject of continuing controversy. The Voting Integrity Project has a federal voter rights lawsuit pending which alleges the election violated the Voting Rights Act of 1965. The National Science Foundation is studying the election at the direction of the White House. Nevertheless, because the vendor for that election has made robust claims that use of Internet technology boosted turnout without any security compromises, other state and local governments are considering its use. At this writing, there are at least twelve states considering some form of Internet Voting legislation.
Internet Voting initially presents itself as a benevolent new platform for election administration, promising that by making voting more convenient, it will boost voter turnout which is now at historic lows. Indeed, the ability to vote via the Internet could result in greater participation by business executives, overseas military, and the young - three groups that could have ready access to the Internet and who typically have lower participation rates.
It is this potential which the authors believe makes it worth the effort to identify and resolve barriers to Internet Voting. This paper will address the technical issues related to Internet Voting - security and privacy.
Internet Voting Systems
It is important in discussing security issues to distinguish those Internet voting systems designed for use in the polling place, from those that are designed for "remote" use, i.e. from voters' homes, offices, schools, etc. The two types of systems have completely different security properties, though this fact is not (yet) widely understood in the election community. The two types of systems can be distinguished by the following points of comparison:
Polling Place System
- Entire election is under control of election officials
- Infrastructure is provided to the voter
- Uniformity of communication, privacy and security protocols
- Brick and mortar location accommodates citizen poll watching
- Could include paper audit trails and additional identity verification
Remote System
- Control of election processes generally shared between election officials and the election vendor
- Voter provides the platform either directly (home/laptop) or from an office, school, library or hotel computer
- No uniformity of platform; an ever-widening variety of voters' computers, operating systems, and devices must be supported
- No control over voting conditions and no way to prevent vote observation, sale, or coercion
- Traditional citizen poll watching is impossible, since voting takes place in private settings
- Voter verification limited and controlled by election vendor
A Polling Place system can transmit votes on a transactional basis, one-by-one as each vote is cast, or it can save up and transmit batches of votes periodically (similar to "DRE" or "direct recording electronic" systems). Remote voting systems, in contrast, can only be transactional. These are the two basic systems, although hybrid or transitional systems could utilize both types, or include remote "kiosks" strategically placed in public hubs such as airports.
Both types of systems offer potential cost savings depending on how they are employed. Potential savings include:
- If election is entirely remote, no need for current election-provided equipment
- Because voters will be able to vote from any location, specialized ballot printing costs would be eliminated
- If election is entirely remote, there would be no need for recruitment, training and employment of precinct poll workers
- If election is entirely remote, costs of mailing absentee ballots could be eliminated (or reduced)
- If election is entirely remote, voters pay for most of the infrastructure of voting
However, Internet Voting could result in greater costs because:
- If used in polling place, election officials would be responsible for supplying and maintaining platforms
- Computer life probably limited to 3-5 years versus election equipment which can sometimes be utilized for decades
- For some years Internet voting will be in addition to traditional systems and may include some unique transactional charges for independent verification (Verisign, etc.)
- If remote voting employed, there may be additional software and consumer interface costs resulting from multiple platforms and voter-provision of infrastructure
- Remote voting would require high-volume help desks and other services to voters who have trouble voting
- Even if entirely remote, would probably still need to maintain a certain number of brick and mortar voting locations for voters without access
- Cost of authentication devices and distribution of same (keys, PINs, smartcards, etc.)
Unique Security Implications of Internet Voting
Internet Voting of any kind tends to involve a shift of control of elections from the election officials to election vendors because of the technical expertise required. State and federal laws governing elections, commerce and privacy do not currently provide sufficient protection to ensure election integrity or voter privacy in such a case. Finally, Internet Voting offers a frightening new capability to vote thieves - the ability to automate vote fraud through programmed attacks on the voting process.
Remote Internet Voting represents a further shift of responsibility for maintenance of the voting infrastructure from the election officials and vendor to the voter or third party-provider of the platform (employer, hotel, military installation, school, etc.). This has deep implications for election integrity and privacy as well.
It is widely acknowledged that although the National Voter Registration Act (NVRA) resulted in greater numbers of registered voters (7 million), it represents a huge unfunded federal mandate for state and local election officials. NVRA made identification and removal of unqualified, no longer qualified, and fraudulent registrations difficult and expensive.
For example, following numerous election fraud problems statewide in Florida, the State contracted with DBT Online to identify potential duplicate and unqualified voters on their registration records. Despite Florida's program to perform routine data matching of voter rolls against the National Change of Address list maintained by the U.S. Postal Service, DBT was still able to identify 150,000 records that were either "deadwood," duplicates, or outright fraudulent registrations. Since there is no official uniform database of U.S. citizens and each jurisdiction maintains its own records in varying formats, it takes a system such as DBT's to perform the multitude of matches and rematches that can identify, for example, duplicate voters whose names may differ by only one letter, thus evading typical computer match programs.
Commercial services such as DBT have massive databases which can be redundantly matched in a variety of ways to produce a deep level of cross-reference. This type of service is extremely expensive, but may be the only way jurisdictions can truly "scrub" their records of such names, given the constraints of NVRA. The problem is universal. California Secretary of State Bill Jones estimated that ten to twenty-five percent of his state's voter rolls were "corrupted" in similar fashion. Under NVRA, such records must be maintained on the voter rolls as "inactive" voters for two general federal elections, but are "reactivated" if voted during that period. Since these names can be identified simply by searching the inactive voter lists, they constitute a ready source pool for voter fraud. The Voting Integrity Project estimates that such problems exist to some degree in every state.
Election fraud which utilizes such names can easily escape detection if done outside the polling place via absentee ballot. That is why absentee ballot fraud is the most common form of election fraud and is on the rise. Absentee ballot fraud is difficult to detect and even harder to prove in a court of law, though it can be done with the help of handwriting experts. Most such cases are brought to the attention of prosecutors by candidate, party or independent poll watchers.
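The matching problem described above, as an added example that is not from the paper and not DBT Online's (proprietary) system: an exact-field match of the kind a "typical computer match program" performs misses registrations whose names differ by one letter, while a small edit-distance tolerance combined with a second identifier (date of birth) flags them without also flagging people who merely have similar names. The voter roll below is constructed for the example.

```python
"""Added example, not from the VIP paper or from DBT Online's system: why an exact
match misses near-duplicate registrations, and how an edit-distance tolerance
plus a second identifier (date of birth) catches them while ignoring genuinely
different people.  All records are constructed."""
from itertools import combinations

# Constructed sample of a voter roll: (record id, last name, first name, date of birth)
VOTER_ROLL = [
    ("A1", "JOHNSON", "MARY",   "1961-04-02"),
    ("A2", "JOHNSEN", "MARY",   "1961-04-02"),   # same person, last name off by one letter
    ("A3", "SMITH",   "ROBERT", "1955-09-17"),
    ("A4", "SMITH",   "ROBERT", "1955-09-17"),   # exact duplicate registration
    ("A5", "SMYTH",   "ROBERT", "1958-09-17"),   # similar name but different birth date
    ("A6", "NGUYEN",  "AN",     "1980-01-30"),
    ("A7", "NGUYEN",  "ANH",    "1980-01-30"),   # first name off by one letter
]


def edit_distance(a, b):
    """Levenshtein distance: minimum number of single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete a character
                           cur[j - 1] + 1,              # insert a character
                           prev[j - 1] + (ca != cb)))   # substitute (free if equal)
        prev = cur
    return prev[-1]


def exact_duplicates(roll):
    """The 'typical computer match program': a pair is flagged only if every field is identical."""
    return sorted((x[0], y[0]) for x, y in combinations(roll, 2) if x[1:] == y[1:])


def fuzzy_duplicates(roll, max_edits=1):
    """Flag pairs whose names differ by at most max_edits in total AND whose birth
    dates agree; the second identifier keeps near-homonyms from being flagged."""
    flagged = []
    for x, y in combinations(roll, 2):
        same_dob = x[3] == y[3]
        name_edits = edit_distance(x[1], y[1]) + edit_distance(x[2], y[2])
        if same_dob and name_edits <= max_edits:
            flagged.append((x[0], y[0]))
    return sorted(flagged)


if __name__ == "__main__":
    print("exact match:", exact_duplicates(VOTER_ROLL))
    print("fuzzy match:", fuzzy_duplicates(VOTER_ROLL))
```

The exact match finds only the A3/A4 pair; the fuzzy match also surfaces A1/A2 and A6/A7 while leaving A5 alone. Flagged pairs are candidates for human review, not for automatic removal, which is the constraint NVRA imposes on jurisdictions.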
Internet voting, on the other hand, would further remove such fraud from independent view and detection, and would make prosecution extremely difficult, since there would no longer be physical signature evidence to prove such fraud. That is why the level of security attached to voter verification in Internet voting is so critical and must go beyond the type of personal identifiers easily retrieved via the Internet. Last year, at least 40,000 social security numbers were stolen on the Internet and that represented a doubling from the prior year. Such personal identifier theft will rise even further in coming years.
The problem of data corruption on voter rolls is deep-seated. Internet voting could act as a cloak for, and even assist in, the automation of election fraud that exploits this weakness. It is for this reason that voter registration via the Internet is not recommended until national systems for cross-referencing public databases are erected and functional. However, it should be noted that Americans have shown themselves to be extremely resistant to such national data systems or national identification systems.
It is ironic that the one type of security device that might resolve many of the voter verification problems is unlikely to be acceptable to the public. An Internet voting system employing biometric identifiers would offer the most secure form of voter identification (though a biometric captured on a remote machine is only as trustworthy as that machine). Aside from issues of cost and infrastructure, biometrics have not been embraced by the public because of privacy concerns.
Special Vulnerabilities of Internet Voting
First, the Internet itself is not a secure environment, nor is it an "American" environment. In fact, roughly half of those traveling the information superhighway come from outside our borders. This is important in light of recent disclosures by the Pentagon that many hostile foreign governments have developed special capabilities to utilize the Internet for terrorist or warfare purposes. Developing the ability to interfere with or manipulate the outcomes of American elections would almost certainly become an attractive goal of such entities.
Internet voting vendors maintain their systems are "secure." Yet the truth is that to date none of them have been willing to subject their systems to truly independent testing. Some vendors have novel and potentially secure Internet election technology. Others have warmed-over proxy election technology or less. Although the Federal Election Commission has begun studying the issue of Internet Voting, in conjunction with an overall review of election system standards, there are no standards in place for Internet voting systems of any kind.
The Internet is already host to hackers of every description from all over the world. The number who are talented and motivated enough to construct programs capable of breaking through firewalls, gaining root privileges and escaping detection may currently be limited to a few thousand, but it does not take much talent to write a computer virus and unleash it via the Internet. Virus code is readily available on the Internet itself, and the proliferation of "distributed denial of service" attacks on commercial and government web sites is testament to the attraction such mischief holds for some.
The possibility of distributed denial of service attacks that could prevent voters from reaching an Internet election site is worrisome, as is the possibility of a virus that could crash an election system. But the real fear is the type of attack that could result in deliberately manipulated election outcomes. The most worrisome aspect of this "Trojan horse" vulnerability in remote Internet Voting is that it may be virtually undetectable by voters, election vendors, or officials. This is because of the nature of such malicious code. It can be installed and reside without notice for a very long time on a computer and then be switched on opportunistically. Most of the viruses detected today are detected because they are poorly designed in some way. Viruses that stay silent, do no mindless damage, and spread slowly so as not to clog network resources might go undetected for arbitrary lengths of time. Likewise, viruses that modify their own code, as some do, can evade removal even once discovered, since most anti-virus software depends on matching an unchanging "signature" in the virus program itself.
For example, such a program could wait until the ballot had been decrypted and displayed so that the voter could mark his choices, and then, after the voter confirmed those choices but before the ballot was encrypted and cast, substitute its own choices; the altered ballot would then be encrypted and travel to the election server indistinguishable from the voter's genuine ballot. Because any election system must separate a voter's choices from the identity of the voter in order to protect ballot secrecy, the voter would receive confirmation only that a ballot had been received, not what choices it contained. Thus the voter would believe his choices had been received and recorded when in fact his vote had been stolen. Neither the vendor nor election officials would have any mechanism to detect such a theft. In this manner, elections could be manipulated wholesale, if the author of the program succeeded in infecting sufficient numbers of computers.
The speed with which any computer virus can spread should give us pause. The Love Bug infected 45 million computers in 20 countries and caused an estimated $8 billion in damage. But such destruction could occur on a far more frequent basis - especially with a mutating type of virus that escaped detection. Thus, elections would be as vulnerable as any transaction on the Internet. There are stark differences separating the two, however. When you purchase something with a credit card on the Internet you receive a monthly statement that would notify you of the theft, and your liability would be limited. An e-voter, on the other hand, would likely be unaware his vote was stolen, and regardless would be unable to retrieve it. Further, unlike individual transactions in e-commerce, elections are the framework for governance. The possibility that elections could be manipulated quietly, remotely and on a large scale, offers horrific scenarios that could become reality.
Although such "Trojan horse" viruses are possible with any kind of Internet Voting application, they can be effectively prevented when all parts of the voting infrastructure are under the control of election officials, because they can guarantee that clean, uninfected operating systems and applications are used for voting. However, in a remote Internet voting system, when the operating systems and applications used for voting are not under the control of election officials, security from such attacks is impossible today. That is because the personal computer -- not the Internet -- is the most insecure part of any remote-voting system. Most computer users are simply not schooled in computer security or maintenance, a fact underscored during the recent spate of virus attacks such as Melissa and the Love Bug. Add to that the fact that any remote Internet Voting system must accommodate a large variety of platforms, for which the protocols and standards change with each election cycle. The election jurisdiction and the vendor will need to be sufficiently prepared to offer software, on-line assistance, and resolution of voter complaints.
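The attack described in the preceding paragraphs, as an added example that is not from the paper and not any vendor's system: a Python simulation in which the ballot is sealed (encrypted and authenticated) on the voter's machine before it leaves for the election server, so that a change on the wire is rejected, yet a hook running on that same machine between the voter's confirmation and the sealing step swaps the choice, and the server's receipt is identical in both cases. The session key, candidate names and the SHA-256-keystream-plus-HMAC "sealing" are constructed for illustration; the sealing is a toy and not a cipher to be used in practice.

```python
"""Added example, not from the VIP paper or from any vendor's product: a simulation of
the ballot-substitution attack.  The ballot is sealed (encrypted and authenticated)
on the voter's machine before transmission, so tampering on the wire is detected;
but malware on that machine changes the choice after the voter confirms it and
before sealing, and the server's receipt is identical either way.  The sealing is
a toy SHA-256-keystream-plus-HMAC construction for illustration only."""
import hashlib
import hmac
import os

SESSION_KEY = b"constructed-demo-session-key"   # assumption: shared by voter's browser and server
NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key, nonce, n):
    """Derive n bytes of keystream from key and nonce (toy construction, not a real cipher)."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def seal(key, plaintext):
    """Encrypt-then-MAC: returns nonce || ciphertext || HMAC-SHA256 tag."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(key, blob):
    """Verify the tag, then decrypt; raises if the blob was modified in transit."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ballot modified in transit")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def trojan_payload(ballot):
    """Malware hook on the voter's PC: turn every vote for A into a vote for B."""
    return b"CANDIDATE_B" if ballot == b"CANDIDATE_A" else ballot


def cast_ballot(confirmed_choice, malware=None):
    """Voter's browser: take the choice the voter confirmed on screen, seal it, send it.
    `malware`, if present, runs between the confirmation and the sealing step."""
    ballot = confirmed_choice.encode()
    if malware is not None:
        ballot = malware(ballot)
    return seal(SESSION_KEY, ballot)


def election_server(blob):
    """Server: verify and open the ballot, record the choice, return a receipt.
    To preserve ballot secrecy the receipt says only that a ballot arrived."""
    choice = open_sealed(SESSION_KEY, blob).decode()
    return choice, "BALLOT RECEIVED"


def run_election(voter_choices, malware=None):
    """Return (tally as recorded by the server, receipts as seen by the voters)."""
    tally, receipts = {}, []
    for choice in voter_choices:
        recorded, receipt = election_server(cast_ballot(choice, malware))
        tally[recorded] = tally.get(recorded, 0) + 1
        receipts.append(receipt)
    return tally, receipts


def wire_tampering_detected(choice="CANDIDATE_A"):
    """Flip one ciphertext byte on the wire: the MAC check rejects the ballot."""
    blob = bytearray(cast_ballot(choice))
    blob[NONCE_LEN] ^= 0x01
    try:
        election_server(bytes(blob))
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    voters = ["CANDIDATE_A"] * 6 + ["CANDIDATE_B"] * 4
    print("clean PCs:   ", run_election(voters))
    print("infected PCs:", run_election(voters, trojan_payload))
    print("wire tampering detected:", wire_tampering_detected())
```

The run on clean machines records 6 to 4; the run with the hook installed records 10 to 0, and the voters' receipts are the same list of "BALLOT RECEIVED" in both runs. The transport protection is doing its job (the wire-tampering case is rejected), which is exactly why it cannot help here: the substitution happens before anything is sealed. Only a check the voter can perform outside the compromised machine, such as the paper audit trail listed for polling-place systems above, would reveal the swap.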
Other Security Issues Related to Internet Voting
The same qualities that would make Internet Voting attractive may also make it vulnerable to misuse. Violation of the secrecy of the ballot and coercion of voters by family members, employers, union officials, nursing home employees or school officials are all real possibilities that could be carried out on a wide scale in a remote Internet voting environment. On a networked computer at a workplace or library, the network administrator could read individual employees' or library users' ballots unless the ballot was encrypted end to end between the voter's browser and the election server, and even that offers no protection against an administrator who controls the machine the voter is using, since the choices exist in the clear on that machine before they are encrypted.
Failures related to platform incompatibility could also lead to security failures. Such issues are not infrequent in e-commerce, and would likely appear in remote Internet voting where a variety of platforms with a variety of software are accessing an election system via different browsers. This is why certification and standards will become so critical to the development of Internet voting. As standardization develops, these problems could be minimized, but they will need more constant review and upgrade than has been the practice with the Federal Election Commission, which is now reviewing its voluntary election equipment standards for the first time in 10 years.
Other Technical Issues Related to Internet Voting
There are numerous other technical issues with Internet Voting that could directly impact election integrity and deserve further attention:
- Ensuring compliance with the Americans With Disabilities Act
- Guarding against "electioneering" in an Internet environment
- Real-time reporting of who has voted in order to facilitate citizen monitoring but without enabling election fraud
- Creating challenge and recount procedures
- Software and system lifetimes are limited and change rapidly
- How to ensure vendors cannot violate secrecy of the ballot
- Preventing insider fraud
The Arizona Democratic Primary 2000
The litigation surrounding the Arizona Democratic Primary in March 2000 is limited to discrimination, not security. Because there were no proven security lapses, the vendor in that election, Election.com, has claimed complete success. This gives the public and election officials a false sense of security about Internet Voting. For the record, the following security vulnerabilities were present in that election:
- The election was completely run by Election.com under contract to the Arizona Democratic Party, and the system used was not certified or supervised by election officials
- The election was completely vulnerable to a denial of service attack such as those that brought down Yahoo, CNN, eBay, and other giant web portals earlier this year. This was implicitly acknowledged by Election.com when they chose (in advance) to suspend Internet voting for the final day of the election, for fear that such an attack might occur and voters could be denied the exercise of their franchise. Such an attack could have stopped the Internet voting entirely.
- The election was completely vulnerable to virus/Trojan horse and remote control software attacks against voters' PCs. Such a vulnerability could have allowed a single person, acting alone, to circulate a virus (similar to the recent "I Love You" or "Love Bug" virus) that substituted the virus writer's vote for that of thousands of legitimate voters, entirely undetected and from outside the U.S.
- Voter authentication was minimal and could, in some cases, have been easily defeated, leading to fraud
- The election was completely vulnerable to insider violation of voter privacy: Election.com issued the PINs and had access to the ballots
- Many Macintosh computers, and all computers using older Netscape browsers, were unsupported
- There was an as-yet-unexplained one-hour total outage on the first day of the election
- There has been a dearth of information about important features of the election and protocols critical to ensuring integrity, such as the contract between ES&S and the Arizona Democratic Party; the budget for the election and how funds were disbursed; the audit trail (mentioned but not detailed); provision for citizen observers; safeguards against wholesale insider fraud; the nature of the proprietary software used; the percentage of voters who tried but failed to vote by Internet; etc.
In addition, although not a "security" issue, the election website was not compliant with the Americans With Disabilities Act, preventing those blind voters who wanted to vote remotely (a key constituency that could be served by remote Internet voting) from doing so.
Vendor Responsibility and Disclosure
Internet Voting has spawned a new crop of would-be election vendors in the United States and elsewhere, most of whom have no experience in administering binding public elections. Unlike publicly-traded election vendors such as Global Systems, which must meet quarterly SEC disclosure requirements, very little is known about the financial solvency or resources, ownership or political agendas of most of today's privately held election vendors.
This is important when you consider that in Internet Voting, it is quite conceivable that a foreign-owned company, with political motivations, supported by a hostile government, could be in a position to administer binding public elections. Today, state lottery vendors are held to a higher level of scrutiny and disclosure than are election vendors. This should change.
That is why The Voting Integrity Project designed model legislation for state legislatures that would require the same level of financial and ownership disclosure, criminal background checks, and a requirement that the vendor be U.S.-owned and controlled.
Conclusion and Recommendations
Although we are hopeful that the myriad problems identified with Internet voting are resolvable, it is by no means assured that this will happen any time soon. That is why The Voting Integrity Project recommends against the use of remote Internet voting or Internet voter registration until the systems have been rigorously tested and certified, and all issues of security, privacy, and fairness have been favorably resolved.
Until that time, since in-polling place Internet voting is technically feasible and the security issues with it are manageable, it is reasonable to experiment with it now, provided it is done in a non-binding fashion. It would be our recommendation that such experiments include rigorous testing by independent experts. In order to accomplish that, vendors would have to be amenable to sharing source codes and other proprietary information with the testers. We strongly urge the vendors to do this, perhaps in conjunction with the FEC systems standards process.
Because all of our rights and freedoms as Americans depend on free, fair and secure elections, it is imperative that publicly binding Internet voting elections be curtailed until the integrity and fairness can be assured.
Released: July 10, 2000
Deborah M. Phillips (firstname.lastname@example.org) is Chairman and President of The Voting Integrity Project, a national, nonprofit, nonpartisan voter rights organization headquartered in Arlington, Virginia (888-578-4343). VIP (voting-integrity.org) published the first independent study of Internet Voting in August 1999, "Are We Ready for Internet Voting?", and will be publishing annual reports on Internet Voting for the foreseeable future. VIP and its minority co-plaintiffs are pursuing a federal Voting Rights Act complaint against the Democratic Party of Arizona alleging that the remote Internet Voting in the 2000 Presidential Primary discriminated against minority Democratic voters.
Dr. David Jefferson (email@example.com) was Chairman of the Technical Committee of the California Secretary of State's Internet Voting Task Force, which issued its report in January, 2000 (www.ss.ca.gov/executive/ivote). He is currently Chairman of the California Secretary of State's Internet Voting Advisory Committee, which advises on certification of Internet voting systems, and is also a member of the Board of Directors of the California Voter Foundation (www.calvoter.org), a nonprofit, nonpartisan voter advocacy organization. He is also a Senior Research Scientist with Compaq Systems Research Center (SRC) in Palo Alto, California (650-853-2140).
© The Voting Integrity Project, July 6, 2000. Permission is hereby given to reprint this article, with appropriate credit given.