Security risks, privacy issues too great for moving to Internet voting

Yet, thirty-three U.S. states allow or have experimented with some form of online voting, he said. In most cases it is e-mail voting, in which the voter’s ballot, ID and legal affirmation are transmitted as attachments to an e-mail message. While e-mail voting is legal in many places, Web-based voting is the growing trend in most places.

Jefferson says all e-mail voting systems are vulnerable to attack because ordinary e-mail headers are completely forgeable, e-mail uses no end-to-end encryption and e-mail does not offer a reliable way to authenticate or verify a voter’s identity. It also is subject to unpredictable delay, employing only a “best efforts” delivery system. Worst of all, e-mail ballots can be modified surreptitiously in transit by any IT person who controls either an e-mail relay or router in the path the e-mail takes, or the final e-mail server. Moreover, e-mail can be manipulated by anyone in the world who can remotely compromise one of those systems, and such attacks are essentially undetectable and uncorrectable. Sending secure documents like ballots by e-mail “would be like stapling a $100 bill to a postcard and expecting it to get to its destination unmolested.” In addition, specially constructed PDF document attachments can inject malware into the receiving vote server, Jefferson said, concluding that “e-mail voting is the worst voting system ever invented.”

Newer Internet voting architectures are Web-based systems in which voting transactions superficially resemble e-commerce transactions. While better than e-mail voting, Web-based systems are still riddled with intractable security problems, including client-side malware attacks, server-side penetration attacks, denial-of-service attacks, voter authentication attacks and network attacks of various kinds. Third-party vendors of such systems, unsurprisingly, deny or downplay any security risks to the system, he said.

He notes that online shopping requires no strong authentication or verification of eligibility, only demonstration of the ability to pay. Criminals, foreign nationals, minors, or almost anyone are free to shop online. Proxy shopping transactions on behalf of someone else are perfectly legal, Jefferson said, whereas proxy voting definitely is not.

Another requirement that sets voting systems apart from online shopping and banking is the need for “a system to be transparent while still protecting the secrecy of who cast which ballot.” There is no comparable requirement for e-commerce. With online shopping, errors and fraud will eventually be detected and can usually be corrected later, but because of the secret ballot requirement, voting transactions must be recorded accurately the first time, since vote manipulation is not generally detectable or correctable. “Also, financial losses in e-commerce can be insured or absorbed, but no such amelioration is possible in an election,” he said. “And of course, the stakes are generally much higher in a public election than in an e-commerce system.”

At this time, there is not a reliable way to detect fraudulently modified vote transactions, Jefferson said. “Internet elections are essentially impossible to audit and there’s no meaningful way to recount because there are no original indelible records of the voters’ intent against which to compare the outcome. The only vote records are on the server, and they are highly processed electronic ballot images that have been operated on by millions of lines of code on the client device, during transit through the Internet and on the server and canvass systems.”

Cyber security experts have demonstrated the vulnerability of both e-mail and Web-based systems to penetration attacks on servers, Jefferson said. In one notorious case, voting security expert J. Alex Halderman, a professor of electrical engineering and computer science at the University of Michigan, was able to hack into Washington, D.C.’s pilot Internet voting system in 2010 and completely compromise it, even though officials expected attacks because it was an open test and they had invited anyone to probe its security defenses.

“We have no way in general of protecting systems from server attacks. It’s a bad situation,” Jefferson said. Not only can cyber criminals attack vendor networks and servers, they can attack voter clients’ systems as well, he said.

The release notes that the most sophisticated Internet voting systems to date, which are still subjects of research and not ready for deployment, use what are known as end-to-end auditable cryptographic protocols. These protocols use advanced cryptographic methods to offer some protection of vote privacy, prevent undetected loss of votes, prevent undetected changes in votes, prevent forged votes, prevent miscounting of votes, allow voters to verify that their vote is included in the count and allow anyone to verify that these properties hold for an entire election. Yet these end-to-end cryptographic systems also have their weaknesses, including the inability to address remote voter authentication and client-side malware or to prevent denial-of-service attacks. They also do not totally protect vote privacy or prevent automated vote selling, Jefferson said. “In addition, no one but cryptographers understands how these systems work, and that’s a problem for maintaining voter trust in a democracy.”

Web-based voting has been used on several occasions in some U.S. states since 2000 and has expanded with the encouragement of organizations such as the DoD Federal Voting Assistance Program (FVAP), which has spent $60 million since 2008 alone to develop and promote online voting.

Despite the concerns of security experts, the global tide appears to be moving in favor of Internet voting. Jefferson said critics of Internet voting are in a “David and Goliath” battle with well-organized groups of election officials, advocates for the military and disabled and well-financed vendors selling online voting systems. “Much more money is being pumped into deploying Internet voting systems than into basic research on more secure voting systems.”

Advocates point to the country of Estonia, which has committed to Internet voting for all elections, though Jefferson said that system was recently severely criticized in a study conducted by Halderman and several colleagues. Other countries that have experimented with Internet voting include Australia, Canada, Ecuador, Finland, India, Norway, Philippines, Spain, Switzerland, and the United Kingdom. Support for Internet voting, however, is not universal. Germany and the Netherlands have made Internet voting illegal because of the security concerns, and there is at least widespread awareness of the security concerns even though there also is a lot of denial.

In the U.S., “the line of defense against Internet voting is thin” and is led by groups such as Verified Voting, Common Cause and scattered other “advocacy groups with shallow pockets” around the country.

Too many unresolved security problems with Internet voting remain to endorse its use, Jefferson said. “Internet voting is a serious threat to national security. Neither the U.S. nor any other democratic country should open the door to Internet voting — not now, and not in the foreseeable future — until such distant time as all of the fundamental security problems are satisfactorily resolved.”