I am serving on Lt. Governor Cox's iVote panel, which is looking at whether Internet voting might be used in Utah. I presented the following statement to the panel this morning:
Current computer operating systems, Internet protocols, and standard computing practices are inherently insecure. Recent news stories about break-ins at Target, UPS, Community Health Systems, and the Nuclear Regulatory Commission point out all too well both the weaknesses in the system and the power of hackers to take advantage of those weaknesses. Groups mounting attacks include both state and criminal actors. Yet in spite of this inherent insecurity, the Internet has become an indispensable tool for myriad activities. Consider why.
In many cases, we’re able to get around the inherent insecurity of the Internet because the value to be received from attacking a weakness isn’t sufficient to attract the attention of those who exploit these weaknesses for gain.
In other cases there is significant value to be gained by attacking a system. Yet despite that, the use of the Internet for commerce, enterprise systems, data dissemination, and other activities continues to grow because the rewards for using the system outweigh the risks and those risks are mitigated by other factors.
Similarly, Internet voting presents a valuable target for hackers. Elections have consequences and the ability to influence an election is enticing to those who have a stake in the outcome of an election. The list of potential attackers is large: individual hackers, political parties, international criminal organizations, hostile foreign governments, or even terrorists have a stake in the outcome of elections and can be expected to use weaknesses in the voting system to gain influence or simply cause mischief.
Proponents of Internet voting point out the great benefits to be gained from making voting easier. They point out that the Internet has been used to great benefit in other activities. Specifically, the refrain, “if we can shop online, why can’t we vote online?” is frequently heard. After all, online shopping and other activities continue to grow in spite of security problems.
Online voting has three properties that, taken together, set it apart from other online activities like shopping:
- Secret ballots are required — We require that people register to vote, but how they vote is kept secret from election officials and others. This measure protects the validity of the vote by making it more difficult to coerce or pay people to vote a particular way and by ensuring people that they won’t have to answer to others for their decisions in the polling booth. Internet voting initiatives have to ensure secret ballots.
- Computing environment is uncontrolled — Online voting would have to allow people to vote from their own devices in their own homes or businesses to have the desired impact. But a study in 2010 showed that 48% of 22 million scanned computers were infected with a virus and “over a million and a half [were] infected with crimeware/banker trojans.” Any Internet voting system has to be able to run on a collection of computers that is not only not under the control of the voting authorities, but not wholly under the control of the voter either.
- Margin for error is very small — Elections are often decided by very small margins. Unlike a business transaction where the likely hood of fraud can be statistically calculated and then factored in to the cost of doing business, there is no margin in a voting scenario to use in mitigating fraud. The margin for fraud has to be very near zero.
These three properties of voting, taken together, make online voting a very different proposition than other activities that we regularly undertake online.
To see why, consider the problem of ensuring the integrity of the vote. Vote integrity is particularly important because people will not trust a government when they don’t believe that the results of elections are valid.
The only reason we know about security breaches at Target and others is because the system is, by design, transparent and auditable. Even if these companies were unable to prevent an attack, it was abundantly clear after the fact that a breach had occurred. In a voting system, however, the secret ballot and uncontrolled computing environment combine to make auditing the validity of the vote impossible.
To make the online commerce scenario analogous to online voting, the online commerce company would know that a customer had bought something but not what she’d bought or how much she’d spent except in aggregate with other purchases. Further, we have to assume the customer never receives any feedback (like a package) and thus can never verify that the order was received correctly. Under these circumstances, there’s almost no way we could ever assure ourselves that the orders the company were receiving had any correlation to the orders customers were placing.
To see why this is a problem, suppose some group claims to have altered the results of an election after the fact. Whether they have or not is immaterial because there would be no way to prove they had not. Voter confidence in the validity of the vote could be undermined without even going to the trouble of mounting an attack.
I do not believe that we can easily overcome any of these problems in the near future. Further I am confident that none of the present commercial offerings solve these problems. Consequently I believe that the risks of Internet voting sharply outweigh the benefits and will for some time to come. But you need not take my word for it. Numerous computer scientists have come out against Internet voting. In addition, an independent panel examined Internet voting for the Province of British Columbia and concluded:
Do not implement universal Internet voting for either local government or provincial government elections at this time. However if Internet voting is implemented, it should be limited to those voters with specific accessibility challenges. If Internet voting is implemented on a limited basis, jurisdictions need to recognize that the risks to the accuracy of the voting results remain substantial.
I strongly urge the committee to curtail Internet voting initiatives for the time being. The pressure to do something might be great, but having studied the issue, we must be the ones to educate others on why Internet voting is not for Utah.