I wrote this article in 2001 after consulting for an electronic voting vendor, and observing serious information security issues. It was timely then, as it is now.
Electronic voting and information security
The myriad technical issues that arose over the voting systems and ballots used in the recent U.S. presidential election have convinced many that Internet voting is the way to mitigate the problems of paper ballots. Some even maintain that Internet voting could have saved the United States from the difficulties of the 2000 presidential election.
I disagree. To put it simply, a secure and reliable-repeat, secure and reliable-Internet-based election is a pipe dream only the most blatant charlatan could promote. Anyone who thinks that large-scale Internet elections are feasible is either in denial over the realities of the Internet and Internet security or has a financial interest in an Internet voting scheme.
Nonetheless, the aroma of e-voting is in the air. Consider the words of Christopher Baum, vice president of electronic government at the Gartner Group, Location Stamford, CT “Ten years from now, we’ll be looking at a golden age of universal voting in a secure environment, where Internet-based voting could increase access and opportunities for people on all economic levels.” And, continued Baum, once “we have ubiquitous access to the Internet and what you get is universal suffrage.”
Just last month, Unisys, Dell & Microsoft joined forces to form e-@ction Election Solutions, to sell election systems. While they are an impressive triumvirate, if Microsoft can’t protect their own systems from an Internet attack, we must understand that Internet voting systems will be no better (and probably worse) in terms of security.
The excitement over voting from the comfort of our home should not blind us to the fact that the Internet is hardly a secure environment. Just as physical voting systems are vulnerable to attack, so, too, are Internet systems vulnerable to viruses, denial of service, and countless other types of attacks. In fact, Internet attacks are much easier to enact, more detrimental in their outcome, and their mischief much harder to detect than is the case for standard booth-based voting. Many of us in the security community view Internet-based voting not with adulation, but with sheer horror.
The challenge: security and reliability
While the potential of Internet voting seems impressive, the reality is that it’s untenable for the near future. Those of us with real-world experience in the design and implementation of highly secured systems can attest to this conclusion. The challenge of developing a comprehensive electronic voting system that’s both secure and reliable
is immense. It’s such a Herculean task that, said Bruce Schneier, president and chief technical officer of Counterpane Internet Security, in , San Jose, CA) “The feasibility of a national secure Internet election is as close to never as to make the question moot.” Schneier noted that “if someone comes up with a secure Internet-based election system, it will be the first ever secure large-scale network application in the history of mankind.”
This view is incompatible with the Gartner Group notion that connects the Internet to universal suffrage. In reality, the Internet cannot defend itself against many attacks. Distributed denial-of-service attacks are still a problem, and an e-voting system would be a prime target for attackers worldwide. The Internet is indeed a new medium, but if we can’t even stop unsolicited e-mail, I am incredulous as to how we could expect to carry out a secure Internet election. But e-voting is now cool and fashionable, and its aim is to fix everything that was wrong with past elections.
Jay Stanley, Forrester Research Internet policy analyst, in Cambridge, MA, has noted “Every politician is going to be scanning on-line voting to determine if it is going to help or hurt them, and one thing that will push for online voting is that a lot of politicians like to be seen as Internet savvy.”
It’s fine to be Internet savvy, but quite the opposite to be ignorant of the Internet’s inherent risks. In any case, overhauling the current voting system in the United States is no easy task. Each state is responsible for setting voting regulations, and its individual counties are given broad discretion to establish procedures. Developing a ubiquitous voting system for every county in the nation is an awesome challenge.
Several daunting steps
Beyond that, designing a secure network and secure voting application is an even more daunting task. First, a plethora of crucial questions needs to be answered:
· How will the system ensure that only authorized constituents can vote?
· How will it ensure that a voter can only vote once?
· How is blind authentication enabled? That is, how does the system ensure that the voter’s vote is private, and the voter’s identify kept secret?
· How does the system ensure votes are not changed once submitted by the voter?
· How can the voter know that their vote was actually tabulated?
None of these are simple questions, and many of the Internet election companies have inadequate answers to them or decline to offer details on what they plan to do. Another problem with Internet voting is the absence of paper trails to audit in the event of a dispute or anomaly. Further concerns are viruses, worms, and malicious software. It’s not hard to imagine (and even easier to implement) a software virus that would change a vote or redirect it somewhere else.
There are indeed advantages to e-voting. Voter participation might well increase, and well-designed interfaces could ensure that voters are indeed selecting whom they truly want to vote for. But such advantages crashes head-first into the reality that a secure Internet does not exist. And it’s debatable if it ever will. Certainly, there are flaws with the current election infrastructure, including machines that are often decades old, partisan election officials in the polling places, and outright fraud. But having Internet voting as a panacea to the current problems is a knee-jerk response to a serious problem. Attempting to use the Internet to mitigate voting problems is only attacking the symptom and not the disease itself.
The past few months have witnessed the meltdown of many e-commerce startups. Venture capitalists knew the risks and took them. But the risks inherent in Internet-based voting are intolerable. We can’t let democracy melt down like an e-commerce startup.