In 2000, I participated in a panel created in response to a request from U.S. President Bill Clinton to examine internet voting. My initial reaction was: What a great idea! I could vote while drinking a cup of coffee in the morning or sipping a glass of wine in the evening – or any time in between. Fortunately, there were others on the panel who had thought more deeply about the computer security implications of internet voting and very quickly realized that internet voting is a very hazardous idea. Our panel, which consisted of election officials, social scientists, and computer scientists, issued a report in 2001 that recommended against internet voting. The threats that generated our negative recommendations have not changed. If anything, the internet is now a more dangerous place than it was back then.
There are still many people who, like me back in 2000, ignore the security threats of internet voting. While online voting is often advocated as a way to increase voter participation, important concerns about security are often downplayed as no longer relevant. A closer look at the facts can help debunk some popular myths and reveal serious vulnerabilities related to online voting today.
Internet Voting Does Not Increase Voter Participation
Let’s first consider claims about increased voter participation. A study shared by Chris Bantock in the February 2016 issue of Municipal World (“Impact of Online Voting”), for example, examined first time usage of online voting; however, that study did not consider the “novelty” factor that can occur when online voting is first introduced. The conclusions ran contrary to findings of a far more extensive study, conducted by Elections British Columbia, which was not limited to first time usage alone. The study’s independent panel consisted of the Chief Electoral Officer and four additional members, who met 13 times, and heard from over 100 individuals and experts. Their results, published in 2014, dispel the myth that internet voting increases voter participation in general and participation by young people in particular:
While there have been some internet voting elections where voter turnout has increased, when other factors such as the apparent closeness of the race and interest in particular contests (e.g., a mayoral election without an incumbent) are taken into consideration, research suggests that internet voting does not generally cause non-voters to vote. Instead, internet voting is mostly used as a tool of convenience for individuals who have already decided to vote.1
In addition, when examining internet voting in Markham, which has the longest running deployment in Ontario, the number of total users hit a plateau of approximately 11,000 in 2006 and has remained stagnant since. The B.C. study also concluded that internet voting is most popular among middle-age voters and least popular among young people, thereby reflecting traditional voter turnout demographics. These results contradict the widely-expressed belief that internet voting will lead to increased participation by youth.
Internet Voting Is Not Secure
Next, let’s consider the security of internet voting. Some people argue that we should move to internet voting because voters like and trust it, or because they are not concerned about security. It is a concern that the potential integrity of the democratic process can be treated so lightly. As an example for comparison, it is doubtful that anyone would make a similar argument about prescription drugs. When it comes to drugs, you want to be sure that the drug a) works as intended and b) is secure and won’t make you sick, or even kill you. We rely on experts for such evaluations. We also need to rely on experts when it comes to the use of computers in voting. Public opinion is not a basis for making security decisions.
Furthermore, there is consensus among computer security experts that internet voting, especially as done by commercial vendors, is fundamentally insecure. That consensus was supported by the B.C. study’s unequivocal recommendation:2
Do not implement universal internet voting for either local government or provincial government elections at this time … The risks of implementing internet voting in British Columbia outweigh the benefits …
Independent computer security experts conducted a more recent study for the City of Toronto, examining three internet voting systems submitted in response to a Toronto RFP. The study concluded that “no proposal provides adequate protection against the risks inherent in internet voting. It is our recommendation, therefore, that the city not proceed with internet voting in the upcoming municipal election.” The three vendors included in the study run systems that were used in the 2014 municipal elections by 43 Ontario municipalities, representing more than 1.2 million electors.
Why did the B.C. and Toronto studies take such a strong position against internet voting? Here are some of the reasons.
An Online Election Can Be Hacked
We hear of successful break-ins almost daily. A partial Canadian list includes the Finance Department, the Treasury Board, and Defence Research and Development Canada. In the NDP leadership elections that used internet voting in 2003, and again in 2012, voting was unavailable for several hours because of denial of service attacks.
In the U.S., some victims of successful attacks include the Justice Department, the Department of Homeland Security, the Pentagon’s email system, Chrysler, Sony, the Internal Revenue Service, Target, the White House, JP Morgan, Kmart, the State Department, AOL, Google, Symantec, Yahoo!, Northrop-Grumman, Juniper Networks, Charles Schwab, the FBI, Adobe, and the U.S. Postal Service.
How can voting system vendors claim that their systems are hacker-proof when so many vastly larger companies and agencies with enormous security expertise and budgets can be successfully penetrated?
There has been only one open public test of an online voting system that allowed anyone from anywhere to try to break into the system, and that was in Washington, DC in 2010. The system was fully compromised within 36 hours.3 Since then, internet voting system vendors have refused to allow their systems to be tested under realistic threat conditions – not exactly a sign of confidence on the part of the vendors.
Voters and Their Digital Devices Are Vulnerable
Malware (malicious software) can change votes while leaving no evidence, so that neither the voter nor election officials can detect it. Such malware can be released by anyone in the world, from a disgruntled individual to a political partisan to an enemy nation. In addition, a voter can be victimized by spoofing and phishing attacks involving forged emails that appear official and steal a voter’s credentials or trick the voter into “voting” at a fake website.
The vulnerabilities of our own devices would leave an electronic election vulnerable to cyber-attacks from foreign intelligence agencies, criminal organizations, our own political partisans, or even lone anonymous hackers. Attackers might silently, remotely, and undetectably spy on votes, modify them, discard them, or buy and sell them.
Other Online Transactions Are Different from Voting
Banks lose millions of dollars annually because of money-stealing malware planted on the customers’ machines. The stolen money is quietly replaced, because it is less expensive than building new buildings and hiring new tellers.
With an internet voting system, stolen votes cannot be replaced. Because of the secret ballot, there is no mechanism for the voter or election official to ensure that ballots were not altered in transit and that all the votes are legitimate. This makes online elections especially vulnerable to undetectable hacking.
Even if a breach were detected, the secret ballot makes it impossible to determine which ballots are legitimate and which have been tampered with, thereby making attacks on online voting uncorrectable. While voters must be positively identified to ensure eligibility, the identity of the voter must not be linked to the cast ballot. This is a challenge that has not been solved by any vendor.
There Are No National or Provincial Standards
Canada has no standards for any type of electronic voting, whether poll-based electronic vote counting equipment or internet voting.4 Municipalities are left to their own devices in determining whether the equipment and systems operate as expected. And, a majority of these municipalities leave auditing and testing of the systems to the vendor.
In the last Ontario municipal elections in 2014, 97 Ontario municipalities implemented internet voting without any provincial standards or framework. The vast majority completely relied on the vendor to propose and implement all testing on the system. In an era where any small variation in programming code can have massive implications, it is foolhardy to believe the vendor will always divulge deficiencies. In fact, in the last election, 20 municipalities discovered there had been problems after the polls closed. The vendor’s response was to offer a discount.
How Should You Respond to Pressure?
Despite the overwhelming majority of specialists and computer scientists who warn of the inherent lack of security and transparency in internet voting systems, many people see the benefit of shopping and banking online and want to transfer that convenience to voting.
Municipal clerks and election administrators have a responsibility to advise their council of the inherent risks of internet voting and impartially provide these assertions:5
- no existing commercial internet voting system is open to public review;
- election results from these systems cannot be independently verified nor publicly audited to verify that they function and count correctly;
- researchers have shown that every publicly-audited, commercial internet voting system to date is fundamentally insecure; and
- vendors are rarely held liable for the security failures of their systems.
Furthermore, municipal clerks must bring in experts in internet security to speak directly to council members, so that they can fully understand the risk of having their election compromised by an insecure online voting system.
Vendors will claim that their systems are secure, but those claims are unsubstantiated and in direct contradiction to the best assessments of independent researchers after years of research and analysis.
We need to treat our elections as the national security issue that they are. Election administrators must maintain the integrity of our election; internet voting compromises that integrity. We should insist on transparent, recountable elections so that everyone, including the losing candidates, will trust the outcome. Internet voting is not a magic bullet that will increase voter participation. Its time has not yet come.6
1 Recommendations Report to the Legislative Assembly of British Columbia, February 2014 www.internetvotingpanel.ca/docs/recommendations-report.pdf.
2 Ibid, p. 2.
3 Scott Wolchok, Eric Wustrow, Dawn Isabel, and J. Alex Halderman, “Attacking the Washington, D.C. Internet Voting System,” Proc. 16th Conference on Financial Cryptography & Data Security, February 2012.
4 Nicole Goodman and Nicole Wellsbury, “Internet Voting in Ontario: Time for Overarching Standards,” Public Sector Digest www.publicsectordigest.com/articles/view/1520.
5 The Future of Voting: End-to-End Verifiable Internet Voting Specification and Feasibility Assessment Study, U.S. Vote Foundation www.usvotefoundation.org/e2e-viv/summary.
6 Links to documents referenced in this article can be found on the Verified Voting website at www.verifiedvoting.org.
as published in Municipal World, June 2016