The explosion of the Internet and the World Wide Web in the late 1990s led many individuals both inside and outside of the electoral administrations field to speculate about the possibility of using this new public resource to improve the efficiency, effectiveness, and legitimacy of democratic elections. Following on this discussion, several studies and experiments were developed, in independent jurisdictions and with mixed results. The overwhelming consensus which emerged from these studies is that Internet Voting presents numerous risks which need to be properly addressed before widespread deployment can take place.
Why Consider Internet Voting?
The most obvious advantage of internet voting is convenience for the voter. Regardless of how well polling places are designed and distributed, there could be no more convenient place to vote than from the comfort of one's home. By making electoral participation as easy as logging in to a website, checking a few boxes on a form, and clicking the "Vote" button, voter turnout, and with it the perceived legitimacy of the results, may improve significantly. It could also allow significant cost savings in the deployment and operation of physical polling stations, provided the "adoption rate" of internet voting is high enough. The counting and tabulating of electronic ballots is potentially much faster and easier than counting traditional paper-based or even optical-scan or punch-card ballots, which may represent a significant cost saving as well.
It is possible to distinguish three different forms of internet voting:
- Polling Site Internet Voting - in which voters cast their ballots via the internet from client machines physically situated in official polling places, in which both the hardware and software of the client is controlled by election officials, and the authentication of the voters may take place by traditional means.
- Kiosk Internet Voting - in which voters cast their ballots via client machines, in which the hardware and software are controlled by election officials, but distributed in public places (shopping malls etc.) in which the physical environment and voter authentication are not directly under official control.
- Remote Internet Voting - in which neither the client machines nor the physical environment are under the control of election officials. Whereas the first two methods are potentially much more secure, they also present few advantages over more traditional voting methods. The "allure" of internet voting is only fully encapsulated in systems in which users are able to authenticate themselves and cast their ballots at their convenience, via home, workplace, or public internet terminals. Unfortunately, it is this method which presents the most serious and intractable security risks.
Security Implications of Remote Internet Voting
The possible benefits of internet voting must be weighed against the risks to which this polling method is exposed. As has been emphasized elsewhere, but bears repeating, every election conducted by whatever means should comply faithfully with the same basic principles of secrecy and anonymity, fairness, accuracy, and transparency.
Every polling system, whether it uses pencil and paper, punch cards, touch-screen (DRE) machines, or any other method, must assure that voters are identified accurately and that their votes are counted accurately. In most cases this must be done without allowing any means to associate a particular vote with a particular voter. It is also essential that the citizenry have confidence in the results; in other words, that the system chosen not only conforms to these basic requirements, but does so in a manner that is clear and well understood by all participants. Every polling method should be as secret and anonymous, fair, accurate, and transparent as a well-managed paper-and-pencil balloting system:
"Indeed, if perfect clerks would conduct an election using paper-ballots, this would provide the best model we have for a public election. Such an election would be, for example: anonymous (avoiding collusion, coercion), secret (all cast votes are unknown until the election ends) and yet correct (all votes are counted) and honest (no one can vote twice or change the vote of another), oftentimes also complete (all voters must either vote or justify absence). In such a system, if we know the voter (e.g., in voter registration) we cannot know the vote and if we know the vote (e.g., in tallying) we cannot know the voter. After an election, all votes and all voters are publicly known – but their connection is both unprovable and unknown."
SafeVote Inc., Voting System Requirements, The Bell, Feb. 2001
Any purely electronic voting system must take into account the necessity of safeguarding the accuracy of the vote count in the absence of a physical representation of the ballot. For a complete discussion of this issue, see Direct Recording Electronic Systems. In addition to these concerns, Internet voting is subject to other potential risks due to the inherent insecurity of both the user's machine and the network connection by which it reaches the central server or tabulator.
At the time of writing, over 90% of home computers run a version of the Microsoft Windows operating system. Because this operating system was never intended for highly sensitive, "mission critical" applications, its primary design goal has been ease of use for the novice or casual user. As a result, little effort has been made to "compartmentalize" the system so that "rogue" applications cannot perform unwanted actions or alter the overall operation and configuration of the computer. This fundamentally insecure environment, together with the widespread deployment of "macro languages" in applications such as Word or Outlook, has provided a fertile breeding ground for many different forms of computer viruses, "worms", "spyware" and "trojan horse" applications. Despite the widespread use of firewalls and anti-virus software, it has been estimated that 20% of all personal computers are infected with some type of "malware" (see Your PC May Be Less Secure Than You Think). In other words, designers of internet voting systems have at present no way to verify that a voter's home computer has not been compromised; and software that controls the voter's machine can record, alter or discard the ballot before it ever reaches the network, so that no amount of protection of the communication channel can detect the tampering.
Securing the connection between the voter's home computer and the central server is also problematic, but in this area at least the correct use of public-key cryptography allows a degree of confidence in the integrity of the communication channel. Specifically, the SSL (Secure Sockets Layer) and TLS (Transport Layer Security) protocols used by web browsers and servers to create secure channels for e-commerce and internet banking were designed to defeat the so-called "man in the middle" attack, in which an attacker who controls the network path between the two end-points intercepts, reads or alters the traffic passing between them. The server presents a certificate, signed by a trusted "Certificate Authority", that binds its public key to its domain name; the browser checks that signature and that the name matches the site it was asked to connect to, and the session keys derived from that exchange then encrypt and integrity-protect everything that follows, so that any modification in transit is detected rather than silently accepted. This guarantee holds only if the browser actually validates the certificate and the Certificate Authority itself is trustworthy.
Even when the technology is used correctly, however, the connection remains exposed to other classes of attack, which may be characterised as either "denial of service" attacks or "spoofing" attacks. A denial of service attack takes place when the attacker, though unable to alter the substance of a communication, prevents it from happening at all, typically by overloading one or the other end-point with traffic; in an election this translates directly into voters who cannot cast their ballots. A spoofing attack occurs when one of the communicating parties is tricked into opening a secure connection to a site controlled by the attacker: TLS then faithfully authenticates the attacker's site, because it confirms only that the browser reached the name in the address bar, not that this name belongs to the election authority. One variety of spoofing, popularly known as "phishing", has become extremely widespread in recent years. It typically involves an email containing an obfuscated link to a site created to mimic a particular target website (e.g. that of a financial institution), along with an urgent request to "re-enter" sensitive personal information such as credit card numbers or passwords.
This is related to a more general form of attack commonly referred to as "social engineering"; that is, bypassing technical security measures by targeting the users of the system, who often have a poor understanding of those measures. For an informed discussion of the false sense of security created by the widespread deployment of SSL/TLS, see The Maginot Web.
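The spoofing and phishing mechanism described above is a matter of where a link really leads rather than of cryptography, so the checks a mail client or filter can apply are checks on the link itself. The following is an added example, not code from the original article or from any voting system it describes. All hostnames, addresses and the sample links are constructed (reserved documentation names under .example, 198.51.100.0/24 and 2001:db8::/32), and the "last two labels" rule used for the registrable domain is a simplification assumed for the example.

```python
"""Indicators that a link's visible text does not match where it really goes.

Added example, not code from the original article. Hostnames, addresses and
the sample links are constructed using reserved documentation names; the
registrable-domain rule is a deliberate simplification (see registrable_domain).
"""
import ipaddress
from urllib.parse import urlsplit


def effective_host(url: str) -> str:
    """Return the host a browser will really connect to for this URL.

    urlsplit() applies the same rule as a browser: in
    'https://www.mybank.example@198.51.100.7/' everything before '@' is a
    username and the host is 198.51.100.7. The result is lower-cased, and a
    trailing dot is dropped so that 'Evil.Example.' equals 'evil.example'.
    """
    host = urlsplit(url.strip()).hostname or ""
    return host.rstrip(".")


def registrable_domain(host: str) -> str:
    """Approximate the part of a hostname its owner registered: the last two labels.

    Real code must consult the Public Suffix List (for 'bank.co.uk' the
    registrable domain is 'bank.co.uk', not 'co.uk'); the two-label rule is an
    assumption made for this example only.
    """
    return ".".join(host.split(".")[-2:])


def is_ip_literal(host: str) -> bool:
    """True for a bare IPv4 or IPv6 address (urlsplit strips the [] of IPv6)."""
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return False
    return True


def analyse_link(anchor_text: str, href: str) -> list:
    """Return the deception indicators found for one link (empty list = none).

    anchor_text is what the reader sees; href is where the link actually goes.
    None of these indicators is caught by TLS: a valid certificate proves only
    that the browser reached the host named in the URL, whoever owns that host.
    """
    parts = urlsplit(href.strip())
    target = effective_host(href)
    findings = []

    # A page asking for credentials over plain http has no channel protection at all.
    if parts.scheme.lower() != "https":
        findings.append("plain-http")

    # 'user:pass@' prefix: ignored by the browser, but it is what the eye reads first.
    if "@" in parts.netloc:
        findings.append("userinfo-prefix")

    # A raw IP address instead of the institution's own domain name.
    if is_ip_literal(target):
        findings.append("ip-address-host")

    # Internationalised (punycode) labels can render as look-alikes of ASCII names.
    if any(label.startswith("xn--") for label in target.split(".")):
        findings.append("punycode-label")

    # The visible text names one domain but the link lands on another registrable
    # domain (e.g. shown 'www.mybank.example', real 'www.mybank.example.evil.example').
    shown = effective_host(anchor_text if "://" in anchor_text else "//" + anchor_text)
    if "." in shown and registrable_domain(shown) != registrable_domain(target):
        findings.append("host-mismatch")

    return findings


def scan_links(links):
    """Map each href to its findings; links without findings are omitted."""
    report = {}
    for text, href in links:
        findings = analyse_link(text, href)
        if findings:
            report[href] = findings
    return report


# Constructed sample of (visible text, real target) pairs as they might appear in a mail.
SAMPLE_LINKS = [
    ("www.mybank.example", "https://www.mybank.example/login"),
    ("www.mybank.example", "https://www.mybank.example@198.51.100.7/login"),
    ("https://www.mybank.example/login", "http://www.mybank.example.evil.example/login"),
    ("www.mybank.example", "https://www.xn--mybnk-7qa.example/login"),
    ("Click here", "https://[2001:db8::1]/login"),
]

if __name__ == "__main__":
    for href, findings in scan_links(SAMPLE_LINKS).items():
        print(href, "->", ", ".join(findings))
```

Only the first sample link comes back clean; the others are each flagged by at least one indicator even though every one of them could be served with a perfectly valid certificate for the host it actually names, which is precisely why certificate validation alone does not protect the user.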
Despite the widespread deployment and use of the internet for banking and other sensitive transactions, it must be emphasised that guaranteeing the security of voting via the internet is a fundamentally more difficult problem, for two important reasons. First, unlike financial transactions, in most constituencies no link may exist between the voter and his or her vote; the record-keeping and auditing capabilities that are standard in the financial world, where every transaction is tied to an identified account holder who can later check a statement and dispute an entry, are therefore not applicable to online polling systems. Secondly, the discovery of anomalies or errors in the transmission or recording of votes cannot feasibly result in a correction of the results after the fact, because there is no way to return to the voter and ask what was intended. At best, such a discovery can only result in the invalidation of the votes affected; at worst, in the invalidation of the election itself. Needless to say, such an outcome could have disastrous effects on public confidence in the legitimacy of the entire process.
For a more complete discussion of the security implications of Internet voting in general, see Security Considerations for Remote Electronic Voting over the Internet by Dr. Avi Rubin of Johns Hopkins University.
Real-world Deployment of Internet Voting
The State of Geneva in Switzerland is perhaps the first constituency in the world to deploy internet voting in any widespread fashion. Beginning in 2003 citizens of Geneva have had the option to cast their ballots online. The motivations behind this deployment, as well as the strategies for overcoming the sorts of security issues outlined above, relate at least partly to circumstances particular to Geneva, which may reduce the applicability of this experiment to other constituencies.
Geneva differs significantly from many localities in that citizens are asked to vote much more frequently, typically 4 to 6 times per year rather than once every 2 or more years, as is the norm elsewhere, due to a "direct democracy" system in which any parliamentary vote may be subject to ratification or refusal by the citizenry. As a consequence, electoral authorities in Geneva are under greater pressure than their counterparts elsewhere to make the voting process as simple and convenient as possible. In response to this pressure, in 1995 election officials in Geneva implemented a remote voting system based on postal voting, which quickly became the most popular method of voting and is credited with increasing voter turnout by 20%. Accepting the viability of postal voting has the effect of "lowering the bar" somewhat in terms of the security and public acceptance issues facing other forms of remote voting: any new system need only achieve the same level of security and acceptance as postal voting. For example, registered voters in Geneva already receive voting cards by mail which contain the information allowing them to cast their ballots by return post. Internet voting is simply seen as an extension of this well-established service; as such, the system designers have not addressed potential problems such as vote-buying or coercion by any technical security measure whatsoever, relying instead on socio-cultural norms and legal mechanisms to provide protection against this possibility.
For an overview of Geneva's experiences with internet voting, see the State of Geneva's E-Voting web site; for a detailed account of the security risks and countermeasures considered by the implementors of Geneva's internet voting system, see Addressing the Secure Platform Problem for Remote Internet Voting in Geneva.
Another significant experiment in internet voting, with a more negative outcome, was conducted by the U.S. military for use by overseas active-duty personnel. An initial pilot project was run during the general election of November 2000, in which a mere 84 military voters participated despite a cost of 6.2 million dollars, and which was widely considered to have failed to address key security issues. (See Internet Voting Project Cost Pentagon $73,809 Per Vote.)
Despite these misgivings, the project was further developed, under the administration of the Federal Voting Assistance Program (FVAP), as the Secure Electronic Registration and Voting Experiment (SERVE), for broader deployment in the general election of November 2004. In advance of this planned deployment, a group of computer security experts produced a detailed study of the system, which concluded that
"The real barrier to success is not a lack of vision, skill, resources, or dedication; it is the fact that, given the current Internet and PC security technology, and the goal of a secure, all-electronic remote voting system, the FVAP has taken on an essentially impossible task. There really is no good way to build such a voting system without a radical change in overall architecture of the Internet and the PC, or some unforeseen security breakthrough. The SERVE project is thus too far ahead of its time, and should not be reconsidered until there is a much improved security infrastructure to build upon."
A Security Analysis of the Secure Electronic Registration and Voting Experiment (SERVE)
In the aftermath of this report, in February 2004 U.S. Deputy Secretary of Defense Paul Wolfowitz announced the cancellation of the project, citing these unresolved security issues as the primary reason. (See Pentagon halts Internet voting system.)
Conclusions
While it is likely, perhaps even inevitable, that voting via the internet will one day become commonplace, for reasons outlined above it is clear that designers and implementors of internet voting systems face major difficulties which must be overcome before it will be suitable for broad deployment. The most important consideration is the degree to which many crucial elements of any internet voting scheme are completely outside the control of election authorities, with the result that it will be difficult to have any degree of confidence in such voting systems until the architecture of both the personal computer and the internet itself have evolved to a state far beyond that which is currently in place.
Dr. David Jefferson of Lawrence Livermore National Laboratory in Livermore, California, one of the authors of the SERVE report, has stated that
"Internet voting systems are vulnerable to denial of service attacks, spoofing attacks, malicious code attacks, spyware attacks, remote management attacks, and automated vote selling schemes. These attacks are powerful enough to compromise large numbers of votes, either disenfranchising voters, spying on their votes, changing their votes, or buying votes. These attacks can often succeed, possibly changing the results of an election, and yet go completely undetected. And they can be launched by anyone in the world, from a disturbed teenager to a foreign government. These vulnerabilities are quite fundamental. They cannot be designed around or fixed with the current generation of PC hardware and software and the current Internet protocols. Until such time as the security architectures of the Internet and the PC have been completely redesigned and the new designs widely deployed, which is probably at least a decade away, Internet voting in public elections must remain out of the question."
David Jefferson, The Inherent Security Vulnerabilities with Internet Voting (Abstract)
And according to American computer security and cryptography expert Bruce Schneier, referring specifically to the American context,
"Building a secure Internet-based voting system is a very hard problem, harder than all the other computer security problems we've attempted and failed at. I believe that the risks to democracy are too great to attempt it."
Bruce Schneier, Crypto-Gram February 15, 2001