One of the most common questions I get is “if I can bank online, why can’t I vote online”. A recently released (but undated) document ”Supplement to Authentication in an Internet Banking Environment” from the Federal Financial Institutions Examination Council addresses some of the risks of online banking. Krebs on Security has a nice writeup of the issues, noting that the guidelines call for ‘layered security
programs’ to deal with these riskier transactions, such as:
- methods for detecting transaction anomalies;
- dual transaction authorization through different access devices;
- the use of out-of-band verification for transactions;
-
the use of ‘positive pay’ and debit blocks to appropriately limit
the transactional use of an account; -
‘enhanced controls over account activities,’ such as transaction
value thresholds, payment recipients, the number of transactions
allowed per day and allowable payment days and times; and - ’enhanced customer education to increase awareness of the fraud
risk and effective techniques customers can use to mitigate the
risk.’
[I’ve replaced bullets with numbers in Krebs’ posting in the above list to make it
easier to reference below.]
So what does this have to do with voting? Well, if you look at them
in turn and consider how you’d apply them to a voting system:
-
One could hypothesize doing this – if 90% of the people in a
precinct vote R or D, that’s not a good sign – but too late to do
much. Suggesting that there be personalized anomaly detectors (e.g.,
“you usually vote R but it looks like you’re voting D today, are you
sure?”) would not be well received by most voters! - This is the focus of a lot of work – but it increases the effort for the voter.
-
Same as #2. But have to be careful that we don’t make it too hard
for the voter! See for example SpeakUp: Remote Unsupervised Voting as an example of how this might be done. - I don’t see how that would apply to voting, although in places like Estonia where you’re allowed to vote more than once (but only the last vote counts) one could imagine limiting the number of votes that can be cast by one ID. Limiting the number of votes from a single IP address is a natural application – but since many ISPs use the same (or a few) IP addresses for all of their customers thanks to NAT, this would disenfranchise their customers.
-
“You don’t usually vote in primaries, so we’re not going to let you
vote in this one either.” Yeah, right! -
This is about the only one that could help – and try doing it on
the budget of an election office!
Unsaid, but of course implied by the financial industry list is that the goal is to reduce fraud to a manageable level. I’ve heard that 1% to 2% of the online banking transactions are fraudulent, and at that level it’s clearly not putting banks out of business (judging by profit numbers). However, whether we can accept as high a level of fraud in voting as in banking is another question.
None of this is to criticize the financial industry’s efforts to improve security! Rather, it’s to point out that try as we might, just because we can bank online doesn’t mean we should vote online.
The core problem with computer voting, whether by internet or not, is the counting.
“Those who cast the votes decide nothing. Those who count the votes decide everything”, variously attributed to Lenin, Stalin and others, basically sums up the problem.
When ballots are counted by PEOPLE, observed by multiple scrutineers, in many different electoral districts, cheating becomes far more difficult. It’s a distributed system that would require an extraordinary level of infiltration to control from a central source.
By contrast, when ballots are counted by SOFTWARE, this is *** effectively no different from being counted by a select handful of people, behind closed doors ***.
Last year, in our municipal election, the ballots were counted by machines that scanned the paper ballots electronically. The city website explained that the machines were tested prior to election day for fairness by counting sample ballots in front of the various candidates. This is obviously a useless test, since it’s trivial to program in the ability for a machine to know when it’s counting a test run or a full election, simply by the number of ballots. The source code can be immune to 3rd party audit through any one of a number of tricks including providing a different version to the auditor, including a simple (and easily-missed) software switch that runs code in the hardware to reassign a fixed percentage of ballots for selected candidates, and a host of others.
Ballots must be counted by PEOPLE, in full view of independent scrutineers and/or observers from multiple parties.
Now there are many countries oppose elected president, is not it? In my opinion, online voting will become a reality in future.
What dmc said. At-home voting has real problems with people coercing each other’s votes. For many people this is happily not an issue, but in realistic society, many people are in a position that other people will apply pressure to their votes if they can.
Imagine what a coercer must do in each scenario. With at-home voting, at the very least the coercer can stand over the victim’s shoulder and watch what they do. Worse, in most cases the coercer can simply physically grab the victim’s authentication items and vote on their behalf.
Contrast that to voting at a polling station. In that scenario, the coercer is unlikely to be able to sneak into a voting booth and watch the victim vote. Instead, the coercer will need to obtain the victim’s authentication tokens and impersonate the victim in public. It’s possible, but harder. Moreover, should the impersonation fail, there will be lots of people around–lots of neighbors around–to observe the spectacle.
It’s a fundamental problem. I don’t see how to get around it short of voting in a physical place, having lots of people around, and having private voting booths.
Lex has this exactly right. But it is important to note that it also applies to postal votes, which seem to be ever more common.
At-home voting has real problems with people coercing each other’s votes.
If this was/is a real problem then we should repeal absentee balloting.
If this was/is a real problem then we should repeal absentee balloting.
It is and we should, except for specific exceptions (people too ill to get to the poll station).
While absentee voting has been abused in recent years, internet voting could take it to a whole new level.
Manipulation of absentee voting doesn’t scale well. There is a pretty high deployment cost. It requires a certain amount of forethought, planning, effort on the part of the voter (or manipulator), in order to obtain the ballot and then to physically fill it in and then to physically send it out to the voting agency. Internet voting, on the other hand, can be done on impulse, with evidence provided to the manipulator almost instantaneously, with a simple screenshot inserted into an email or website. Manipulator and voter both in the comfort of their own home and pajamas.
I believe with absentee voting coercion, there is at least one additional security measure to limit that coercion– the (coerced) absentee voter can appear at the polling place on election day and void their absentee ballot and cast a fresh one, this time in private.
You should be able to use ≠ to get a ≠.
Out-of-band verification is difficult enough for computer-counted in-person elections. If we had a medium secure enough to carry the out-of-band verifications for any arbitrary internet voter, it stands to reason we’d be using it for the voting…
But in general, as the initial article and comments make clear, voting fails on pretty much every characteristic you would like to have from a transaction that can be made safely over the net. Maybe next someone will figure out a brilliant way to deliver oxygen digitally, so that we don’t have to use our local air.
A fundamental difference between voting and financial systems is that in financial systems you specifically WANT accountability. You WANT every transaction to be linked to a specific individual. You WANT receipts. In voting systems, in order to prevent vote selling/coercion, you DON’T want the transaction (ballot) linked to an individual.
As others have pointed out, there is one very significant difference between the two: voting requires a degree of anonymity that is not required for banking. Being able to have third parties prove which way you voted is a bad thing, as it enables vote buying and coercion.
(Being able to have third parties prove who you sent money to isn’t a good thing either, but there isn’t quite so much of an abuse chokepoint as there is with an ‘every four years’ election that everybody is watching.)
Wow, Fortran!
Glad you got the reference!