Verified Voting Blog: If I can shop and bank online, why can’t I vote online?

There is widespread pressure around the country today for the introduction of some form of Internet voting in public elections that would allow people to vote online, all electronically, from their own personal computers or mobile devices. Proponents argue that Internet voting would offer greater speed and convenience, particularly for overseas and military voters and, in fact, any voters allowed to vote that way.

However, computer and network security experts are virtually unanimous in pointing out that online voting is an exceedingly dangerous threat to the integrity of U.S. elections. There is no way to guarantee that the security, privacy, and transparency requirements for elections can all be met with current technology, or with any security technology in the foreseeable future. Anyone from a disaffected misfit individual to a national intelligence agency can remotely attack an online election, modifying or filtering ballots in ways that are undetectable and uncorrectable, or just disrupting the election and creating havoc. There are a host of such attacks that can be used singly or in combination. In the cyber security world today almost all of the advantages are with attackers, and any of these attacks can result in the wrong persons being elected, or initiatives wrongly passed or rejected.

Nonetheless, the proponents point to the fact that millions of people regularly bank and shop online every day without apparent problems. They note that an online voting transaction resembles an ecommerce transaction, at least superficially. You connect your browser to the appropriate site, authenticate yourself, make your choices with the mouse, click on a final confirmation button, and you are done! All of the potential attacks alluded to above apply equally to shopping and banking services, so what is the difference? People ask, quite naturally, “If it is safe to do my banking and shopping online, why can’t I vote online?”

This is a very fair question, and it deserves a careful, thorough answer because the reasons are not obvious. Unfortunately, it requires substantial development to explain fully. But in brief, our answer is in two parts:

1. It is not actually “safe” to conduct ecommerce transactions online. It is in fact very risky, more so every day, and essentially all those risks apply equally to online voting transactions.

2. The technical security, privacy, and transparency requirements for voting are structurally different from, and much more stringent than, those for ecommerce transactions. Even if ecommerce transactions were safe, the security technology underpinning them would not suffice for voting. In particular, the security and privacy requirements for voting are unique and in tension in a way that has no analog in the ecommerce world.

… The pattern of motivation for fraud is profoundly different between the commercial and electoral worlds. In an ecommerce situation all transactions are essentially independent. A buyer has no particular incentive to spoil or tamper with another buyer’s online purchase since two buyers rarely have conflicting interests. In any case the problem would almost certainly be detected and corrected. And it is hard to imagine a motive for another nation to bother messing with many Americans’ ecommerce transactions. But the situation is completely different with voting transactions. There is a powerful partisan incentive to block or change other people’s votes, especially if it can be done without detection, and the motivation to automate that process to affect thousands of online votes is that much greater. Such attacks can be done for tens of thousands of dollars or less, while the value of changing the outcome of an election can be hundreds of millions of dollars. And with Internet voting the danger is actually much worse, because not just domestic voters, but anyone, including particularly foreign governments, could derive great benefit from tampering with U.S. elections, especially since it is unlikely they will be caught or brought to justice. Online voting is thus a national security risk in a way that ecommerce simply is not.

The sum of all of these considerations is simple. The security, privacy, and transparency requirements for online voting are much more complex and stringent than they are for ecommerce transactions. The acceptability of small losses and the strategies for managing risk are very different between the two. And it is hard to grasp the full implications of the fact that online elections might be compromised and the wrong people elected via silent, remote, automated manipulation that leaves no audit trail or evidence for election officials or anyone else to even detect the problem, let alone fix it. These, ultimately, are the reasons we cannot provide satisfactory security for online voting even though we can for online commerce.

The rest of this essay (PDF) expands upon these two points in order.

David Jefferson is a computer scientist at Lawrence Livermore National Laboratory, Board Chairman of the Verified Voting Foundation, and a member of the Board of Directors of the California Voter Foundation.

2 responses to “If I can shop and bank online, why can’t I vote online?”

  1. Mark Ritchie says:

    I do not believe there is “widespread pressure” for internet voting and I am guessing that I would hear about it if there was. There are some companies who believe this could be a market for their products and some authors wanting to sell their books on the subject but this has been the case for quite a while. The endless stream of news reports on hacking and cyber-related attacks are a much more common topic of conversation among election administrators and this has increased quite a bit in the last year with the expanding crisis of business and personal identity theft via the internet. Mark Ritchie, Secretary of State, Minnesota

  2. Jim Bertsch says:

    Voters do not elect our officials; vote counters do. With paper votes, there are actual stacks of paper, which can only be accessed by the vote counters. If you have trustworthy vote counters, you have a trustworthy election.

    Surely, you can mess with stacks of paper, but it is far more trackable, difficult and time consuming than manipulating an electronic database in milliseconds. Those potentially manipulating the stacks of paper are well known and can easily be prosecuted.

    Extremely sophisticated techniques are required to manage the integrity of online voting. Some of them include propagating the votes across multiple redundant and fractional databases, creating encrypted transactions and encrypted transaction logs, and creating voting receipts, which can be published, mapped back to a voter and used in a recount. Anonymous voting would no longer be possible.

    Even with all of that, elections are still not safe from worms and viruses which can alter the actual software design. Denial of service techniques can block transactions to the servers, bringing the election to a halt. The people who actually write the code become the vote counters. You don’t necessarily know who they are or what they may have done to manipulate the election. There are very sophisticated programming techniques and design patterns, which can be used to completely change the way the program works at run-time.

    In short, everyone who has a hand in creating and executing the software, would have to go through a process, which deems them trustworthy.

    Programmers and Crackers could sell their services to the highest bidder. Transaction traceability and catching them in the act, would have to be a goal that requires constant and relentless upgrades to the software.

    Developing such sophisticated software would cost multiple millions of dollars and would be a constant annual (if not more often) expenditure.
    Or, you could use paper, which achieves all the same results and requires no expense, just a few trustworthy people.