It is likely that no one in the country has studied the subject of internet voting more intensely than David Jefferson, senior scientist at Lawrence Livermore National Laboratory. Part of his job is to help devise strategies to defend against the relentless attacks we see every hour of every day against U.S. networks, both government and corporate, from sources ranging from self-aggrandizing students to foreign intelligence and cyber warfare agencies. He has also been deeply involved in voting and election security for over a decade as a voting technology advisor to five successive Secretaries of State in California, and is a coauthor of the best-known peer-reviewed scientific publication on Internet voting, the SERVE Security Report.
In his comments to the FCC, Jefferson emphasizes that election security is an aspect of U.S. national security. He observes that, “few people have any idea how tiny is the fraction of votes that, if selectively lost or switched, could swing a presidential election, or swing the balance of power in a house of Congress. The controversial 2000 presidential election that was decided by a few hundred votes in one state was only the most extreme object lesson, but other elections, such as the recent Minnesota senatorial election, have been as close. This is all the more true in these times in which the electorate is nearly evenly divided on several key national issues. It is vital that we protect the security of every vote, or the legitimacy of our government will be rightly called into question–a situation that is very damaging in a democracy.”
From Jefferson’s comments:
I have several concerns about the security of Internet voting, based on my long study of the subject and on the well-known vulnerabilities inherent in the architecture of the Internet. Let me briefly list them here:
The worst security nightmare would be to allow voting from voters’ own PCs or smart phones, or any other unsecured terminal node on the Internet or telephone network. (This includes all web-based voting, email voting, fax voting, phone voting, etc. and any hybrids.) At the technical level I am talking about they are all exceedingly dangerous, with email and fax being the worst of all. There are so many kinds of attacks that can corrupt such an election that the mind boggles. There are botnet denial of service attacks, malicious software attacks, phishing attacks, switch and router attacks, privacy attacks, online electioneering attacks, automated vote buying and selling attacks, and many kinds of official and vendor insider attacks. Once the specifics of the voting system architecture are described there will inevitably be additional implementation-specific attacks possible.
All of these attacks are automated, and many are virtually undetectable and absolutely uncorrectable. Such attacks can be prepared secretly months in advance and lie dormant until the election. Most do not require insider knowledge or access to source code for the voting system. They can be prepared and triggered by anyone on Earth with Internet access, or any criminal syndicate controlling a botnet, or any foreign intelligence agency.
Even if an Internet election is apparently “successful”, the results are absolutely unauditable in any meaningful sense of the word. Recounts become meaningless exercises in re-running the same software over the same data–there is no transparent and independent check on the electronic results possible.
You will no doubt hear from vendors, lobbyists, and other financially interested parties that Internet voting can be made secure. Please, I implore you not to accept these claims without consulting independent experts in network and voting security. My long experience in this area is that all kinds of misleading disinformation and self-serving arguments are promulgated that sound plausible, but are either very misleading, or incomplete, or totally false. One of the most frequent is the assertion that “If I can securely pay my mortgage online every month, then surely my online vote can be secured”. The fact is that ecommerce from private PCs is far less secure than people believe, but in any case the security requirements for the conduct of elections are structurally very different from, and much more complex than, simple two-party financial transactions. It is essentially impossible to secure an online public election (as opposed to a private election) over current Internet and telecom protocols using standard commercial hardware and operating system software.
You may well hear claims that strong voter authentication or sophisticated cryptography can and do routinely secure public online elections. Please listen to the independent experts who will tell you that no amount of authentication and no (known, vetted) crypto protocol can do this. These claims of security are false.
You may hear claims that many elections and election pilots have been conducted in the past without the loss or misrecording of a single vote. This claim is false on several levels. First, online votes have been lost: an online election in Finland was voided last year by the court because 2% of the electronic ballots were irretrievably lost. And elections have also been attacked: a Canadian election in 2003 was subject to a denial of service attack, and the voting servers were down for several hours on election day, presumably disenfranchising many voters. But the real fault in the claim that many online elections have been conducted without trouble is that, while that may be true, the vendors cannot know that! There are too many modes of attack that the vendor cannot detect. If a voter tries to vote, but fails for some technical reason, the vendor may never know it.
Some people argue that the barriers to voting faced by our overseas military are so high that they justify, or require, online voting as the only reasonable solution. While it is true that those barriers are indeed unconscionably high, it is not true that there are no other good solutions besides Internet voting. We can go a long way toward reducing those barriers by carefully implementing Internet-based voter registration systems, and by using the Internet to distribute blank ballots electronically. But we really must draw the line at permitting the electronic return of voted ballots. That is the stage of the voting process at which all of the critical security dangers are concentrated, and there is no good solution at this time, nor is there likely to be in the foreseeable future.
There is a great deal more to say about this subject. As I indicated at the beginning, I have probably been more involved with the study of Internet voting than any other independent U.S. expert in the last decade. I know the history very well, and am familiar with the many weaknesses and failures, both foreign and domestic, of Internet voting pilots.
If I might make only one recommendation, it would be to not accept any claims regarding Internet voting security, reliability, or scalability, without consulting independent experts who have studied the issues, experts from both the academic and the national security/intelligence communities.
David Jefferson’s full comments to the FCC can be viewed here